
Possible to remove spyware Windows registry files w/Knoppix?



adkmom
01-08-2005, 08:20 PM
Hi all-

What I'm up against is some bad spyware that has defeated all attempts to remove it. I see the entries in the registry but am not allowed access (locked out by the spyware itself).

Can I access & delete them from a Knoppix CD?

System is XP Home/NTFS, 1.8 GHz, 256 MB DDR.

It was brought to me by a college girl (what ARE they teaching?) - I have no CDs to reinstall it or I would have done that in the beginning...

Tracy

baz132
01-08-2005, 09:14 PM
Hi Tracy,

I had a similar encounter with my computer. However, my problem was not only spyware, but the boot sector of my hard drive was pooched as well. I think your best strategy - and if I'm wrong I'm sure someone more in the know will let us both know - is to use Knoppix to back up all your documents.

This can be done quite easily, provided you have a CD burner. Simply go to KDE (the K with the gear behind it, right beside the penguin) > Multimedia > K3b on the toolbar. K3b is a cdrecord front end - just open it and at the bottom click on New Data CD. Your documents will be stored on (likely) hda1 (you may have to mount it first by clicking the hda1 icon on the desktop). Now hda1 will contain what is on your C: drive under XP. To find your My Documents folders go to the folder called <Documents and Settings> and look for your username; with a little bit of searching in that directory, you should be able to find all your important documents. Drag the files or directories from the top pane to the bottom pane. There is a reference meter to ensure you don't over-fill the CD.

If you don't have a CD burner, you may want to transfer the files to a web-based file storage system, e.g. http://www.xdrive.com/

Anyway, to remove the spyware, I suggest starting XP in safe mode with network support and downloading the following free software for Windows:
Adaware: www.lavasoftusa.com/software/adaware/
Spybot Search and Destroy: http://www.safer-networking.org/en/spybotsd/

Also make sure your Windows is up to date.

Update them and run them. I found turning off System Restore in Windows is often helpful for removal. You can turn it back on when you're finished. Also, there may be some persistent malware that has to be removed manually; if this is the case, you can usually find full directions using your friendly neighbourhood Google.

If push comes to shove, you can just scrap Windows altogether - you know, join the rebels in fighting the evil empire. Anyway, if anyone knows of a way to do the Spybot removal in Knoppix, I, for interest's sake, would be interested.

Cheers and Best of Luck,
BZ

Harry Kuhman
01-08-2005, 09:33 PM
What I'm up against is some bad spyware that has defeated all attempts to remove it. I see the entries in the registry but am not allowed access (locked out by the spyware itself).
You might want to give more details about the specific software in question. You're likely to get help from someone who knows about it that way.

Once you know it's there I don't see how spyware would stop you from deleting the spyware files, even if it could stop you from removing the registry entries. Then, after the spyware itself is gone, on the next boot you should have no problem removing the registry entries. There are also programs like Start/Stop and StartUpCop that will let you control which programs start at boot time, even if there is a registry entry to start them.

adkmom
01-08-2005, 11:19 PM
Many thanks to those replying:

Here's what I see in the registry. MS/Giant beta has actually found MANY more.

CoolWeb Search
CB.UrlCatcher
Ezula
ATLEvents(1)
Webcom.Webbar

As I say, MS/Giant sees others but stalls at the Webcom one. At that point, it reports "low on virtual memory" & locks up.

I have tried turning VM off & then restarting - turning it on & setting the max at 2000 MB. Plenty of room on this drive. It still locks up. It only has 256 MB - I may drop another of my own sticks in if necessary. This is a favor for a friend's daughter.

Had she brought along the CDs - I'd have done a reinstall from the get-go, you know it! It had 453 spyware & 89 viruses to start!

The ones now in the registry will not allow me to do anything with them...I was even hoping I could boot to a Knoppix CD & access/delete them from there.

I will post a new HijackThis this evening to Castlecops. More to follow...

Tracy
PS- all the typicals followed: restore off/safe mode/etc...Adaware, Spybot, Housecall, Pest Patrol, a2,...makes no difference.

sakiZ
01-24-2005, 08:55 PM
I use Regseeker to strip unwanted registry items.

A must have utility!!!

It's a Windows program. Hope you can run it.

sakiZ

rcook
01-24-2005, 10:07 PM
Peter Nordahl has a boot floppy or boot CD using Linux which can be used to edit any or all of the registry.

If you know your way through the registry keys, it works quite well.

I locked myself out of a friend's machine while changing the drive letter of the boot drive. I had to change HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit to get back into Windows.

The registry editor worked like a charm, just follow the directions.

The link is home.eunet.no/~pnordahl/ntpasswd/

dot.hack//infection
01-24-2005, 10:37 PM
There are programs that you can run at boot to scan your computer for spyware and adware (mainly anti-virus programs). Whenever it becomes next to impossible to boot up Windows and run a scan, I boot up in DOS and run the scan there. It generally takes 2 or even 3 full scans to fully remove all the infections. Then, after I'm able to at least boot up into Windows safe mode, run another spyware scanner until everything is clean. Sometimes, even with all the scanners, you can't do anything about it; I had to reformat, but that's always the last choice.

Harry Kuhman
01-24-2005, 11:56 PM
.... Whenver it becomes next to impossible to boot up windows and run a scan......
Perhaps you need to seriously rethink your security issues if you are having this many problems. It's bad enough that you say it becomes next to impossible to boot up Windows, but to prefix this with the word Whenver implies that it has happened more than once, maybe even frequently. As a Windows user who now refuses to install the Microsoft "security updates" (see http://www.knoppix.net/forum/viewtopic.php?t=2117&postdays=0&postorder=asc&start=0 and http://www.knoppix.net/forum/viewtopic.php?t=2164&postdays=0&postorder=asc&start=0 if you want to know why), and yet who has absolutely never had any virus installed on his own computers (home or work), I think I can tell you that such things are not to be so accepted that you should be using words like "Whenever". I have knowingly installed ad-ware. I have many cookies and the like that some software lumps in the spyware category. And I've certainly had viruses show up in my in box (even though I never let any e-mail or virus scanner run in the background, I only scan files when I tell the program to scan a file), or even seen files that I suspected were viruses and downloaded them and confirmed that they were. But I've never had (on my own systems) any virus that got installed.

Beyond the simple common sense stuff (don't run it if you don't know the source, don't run or even open e-mail from strangers, and don't trust e-mail that supposedly comes from your friends, and so on), I would suggest that you consider two things: a hardware firewall (part of a common and inexpensive home DSL/cable router), and also a software firewall (and not that joke of a thing that comes from Microsoft, a software firewall that really works). I use an old copy of Tiny Personal Firewall 2.15 on my desktop and an old version of Kerio Firewall on my notebook and test systems (I like the old version much more than the new version; the new version added "features" that I don't see as being a valid part of a firewall), yet either of these old free software firewalls and the hardware firewall have both kept me safe and given me the comfort of knowing that if something did get into my system it likely would not get out again without my knowing it.

adkmom
01-25-2005, 02:11 AM
I was stuck for a while- the spyware removers froze at removing these reg. files (hard freeze until all memory was used up). I couldn't manually get to them- locked out.

I ended up using RegistrarLite to get the permissions set back- & then I was allowed to delete the files/folders.

RegLite allowed me to delete the offending files/folders in the registry & to then get a full scan to complete by the spyware programs- that was a good start.

I did the best I could- though this PC should be running better. It needs a reinstall of XP- but the college girl who owns it has other things on her mind- & I'm not going to waste my breath talking about antivirus/spyware/more RAM...I went over it all one time & left a text doc on the desktop to remind/guide her on how to keep up the maintenance. It's now out of my hands.

Thanks for all of the replies,

Tracy
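
The fix Tracy describes (resetting the permissions on registry keys the spyware had locked so the entries could finally be deleted, and so the scanners stopped hanging on them) and the Winlogon\Userinit key rcook mentions can be checked with a short script. The following is an added example written for this thread; it is not code from the thread, from RegistrarLite, or from the Nordahl boot CD. It assumes an elevated PowerShell on the machine being cleaned, and the list of keys it audits is an illustrative choice, not a complete list of autorun locations. Without -Repair it only reports: it flags keys whose ACL cannot even be read (the "locked out" state from the thread), keys carrying Deny entries, and keys where Administrators no longer hold Full Control. With -Repair it takes ownership and restores a sane ACL on those keys.

```powershell
# Added example (editor-supplied, not from the thread): audit HKLM autorun keys for
# the lockout pattern described in the thread and optionally restore the ACL.
# Run from an elevated PowerShell. The key list below is an assumption.
param([switch]$Repair)

$autorunKeys = @(                       # illustrative set, extend as needed
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$full   = [System.Security.AccessControl.RegistryRights]::FullControl

function Get-KeyAclReport {
    param([string]$SubKey)
    try {
        # READ_CONTROL only: the least access that lets us read owner and DACL.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
            [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    } catch [System.Security.SecurityException] {
        # Even reading the ACL is refused: this is the "locked out" state.
        return [pscustomobject]@{ Key = "HKLM\$SubKey"; Readable = $false
                                  Owner = $null; DenyAces = $null; AdminsFull = $false }
    }
    if (-not $key) { return $null }     # key does not exist on this system
    $acl   = $key.GetAccessControl()
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $key.Close()
    $deny = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
    $adminFull = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq $admins -and
        (($_.RegistryRights -band $full) -eq $full) })
    [pscustomobject]@{
        Key = "HKLM\$SubKey"; Readable = $true
        Owner = $acl.GetOwner([System.Security.Principal.NTAccount]).Value
        DenyAces = $deny.Count; AdminsFull = ($adminFull.Count -gt 0)
    }
}

function Repair-KeyAcl {
    param([string]$SubKey)
    # Step 1: take ownership. An elevated administrator is granted WRITE_OWNER through
    # SeTakeOwnershipPrivilege regardless of the DACL, which is why this succeeds where
    # a plain Delete in regedit fails. If the privilege is not enabled in the process
    # token this open throws, and the caller reports it instead of half-repairing.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
    $ownerOnly.SetOwner($admins)        # only the owner section is written back
    $key.SetAccessControl($ownerOnly)
    $key.Close()
    # Step 2: the owner always holds WRITE_DAC. Drop every explicit Deny ACE and give
    # Administrators Full Control back on the key and its subkeys.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $acl = $key.GetAccessControl()
    foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
        if ($rule.AccessControlType -eq 'Deny') { [void]$acl.RemoveAccessRule($rule) }
    }
    $allow = New-Object System.Security.AccessControl.RegistryAccessRule($admins, $full,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($allow)
    $key.SetAccessControl($acl)
    $key.Close()
}

foreach ($k in $autorunKeys) {
    $report = Get-KeyAclReport $k
    if ($null -eq $report) { continue }
    $locked = (-not $report.Readable) -or ($report.DenyAces -gt 0) -or (-not $report.AdminsFull)
    $report | Add-Member -NotePropertyName LockedOut -NotePropertyValue $locked -PassThru
    if ($locked -and $Repair) {
        try   { Repair-KeyAcl $k; Write-Host "Restored ACL on HKLM\$k" }
        catch { Write-Warning "Could not repair HKLM\$k: $($_.Exception.Message)" }
    }
}
```

Running it with no switch first gives a table with a LockedOut column, which is the evidence worth keeping before touching anything. After a repair, the values under the key become visible again in regedit or with Get-ItemProperty, the offending entries can be removed with Remove-ItemProperty, and scanners that previously froze on those keys can finish their pass, which matches the order of events in the post above. Ownership is restored to Administrators rather than to the current user so the result looks like a default HKLM key.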

rusty
01-25-2005, 05:03 AM
A couple of suggestions, even if it might be too late:

Encourage the college girl to use Mozilla Firefox instead of IE, and perhaps Mozilla Thunderbird for email, maybe Gaim for chat - all available and easily installable for Windows. These apps are somewhat less vulnerable to some of the exploits out there.

You might also try something like VNC to perform maintenance from home (a long shot, I know).

adkmom
01-25-2005, 02:27 PM
Thanks-

I put every customer on Firefox now. I'd hope most techs/helpers will also. It'll be a little while before that, too, becomes a target.

I haven't used VNC as yet. I have used XP's built-in remote assist & it works well so far (XP only).

Tracy

sk00ter
01-30-2005, 04:34 PM
Off topic (sort of): these must be run in Windows, but will detect/cure your problems :)

http://www.spychecker.com/program/hijackthis.html

http://www.pcworld.com/downloads/file_description/0,fid,22262,00.asp