Edit Windows startup applications from Linux

9

1

I'm dealing with a Windows 7 that has got a virus that starts immediately on startup, locking the screen. It also runs in safe mode (even with command prompt only). The only option is to switch the computer off by pressing and holding the power button.

The computer also has an Ubuntu installation, so Linux access is easy. I have been searching for a way to edit windows startup applications from Ubuntu, but with no success.

Is such a thing possible? I.e., how can I edit windows registry from Linux? If not possible, what other option do I have?

Shahbaz

Posted 2013-07-09T17:36:39.440

Reputation: 192

Answers

8

You can:

  • mount the windows partition in Ubuntu
  • install chntpw:

    sudo apt-get install chntpw

This program will allow you to edit the registry keys in Windows. You can then edit the following registry keys in order to edit which programs start up in Windows.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

DISCLAIMER: Editing the registry on a Windows machine is risky. You can easily make the system inoperable if you edit the wrong keys.

Atari911

Posted 2013-07-09T17:36:39.440

Reputation: 718

Both answers don't indicate you should not be outright deleting those keys, just specific entries, malicious entries within them. – Ramhound – 2013-07-09T19:27:40.053

I was just pointing to the places where the information is stored. I never mentioned to delete the keys, only to 'edit' them. – Atari911 – 2013-07-09T22:24:56.443
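
Added example for this answer and for the regedit answer below (my code, not from either answer and not part of chntpw): once the hive is mounted and exported with `reged -x` from the chntpw package, this script parses the resulting .reg text, shortlists Run values that look like persistence (user-writable paths, system-binary names outside \Windows, script hosts) and writes a .reg that deletes only those values, for `reged -I`. The `reged` command lines in the comment, the sample export and the heuristics are this example's own assumptions.

```python
"""Triage the auto-start values that chntpw's `reged -x` exported from an
offline Windows hive, and build a .reg that deletes only the bad ones. Added
example for this thread, not code from the original answers or from chntpw.

Assumed chntpw usage (check `reged` --help on your version):
  reged -x /mnt/win/Windows/System32/config/SOFTWARE HKEY_LOCAL_MACHINE\SOFTWARE \
        \Microsoft\Windows\CurrentVersion\Run run.reg          # export
  reged -C -I /mnt/win/Windows/System32/config/SOFTWARE HKEY_LOCAL_MACHINE\SOFTWARE \
        remove.reg                                             # import, -C commits
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a `reged -x` export (plain .reg syntax). The values are
# made up: "svchost" is the system-binary-name-in-%TEMP% trick, "Updater" is a
# REG_EXPAND_SZ (hex(2) = UTF-16LE bytes) that points at %APPDATA%\up.vbs.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Updater"=hex(2):25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,5c,00,\
  75,00,70,00,2e,00,76,00,62,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
'''

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "%appdata%", "%localappdata%", "%temp%", "%tmp%")
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "explorer"}
SCRIPT_LAUNCHERS = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".scr", ".pif",
                    "wscript", "cscript", "mshta", "rundll32", "regsvr32", "powershell")

def _unescape(s):
    """Undo .reg escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", s)

def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def parse_reg_export(text):
    """Return [(key, value_name, command)] for every REG_SZ / REG_EXPAND_SZ value."""
    entries, key, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):   # hex data continued on next line
            line = line[:-1] + lines[i].strip()
            i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            cmd = _unescape(raw[1:-1])
        elif raw.startswith("hex(2):"):                    # REG_EXPAND_SZ, UTF-16LE
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            cmd = data.decode("utf-16-le").rstrip("\x00")
        else:
            continue                                        # DWORD/binary: not a command
        entries.append((key, name, cmd))
    return entries

def triage(entries):
    """Add a list of reasons to each entry (empty = nothing obvious). These are
    shortlisting heuristics for a human reviewer, not a verdict."""
    results = []
    for key, name, cmd in entries:
        low, reasons = cmd.lower(), []
        if any(d in low for d in USER_WRITABLE):
            reasons.append("runs from a user-writable/temp location")
        if name.lower() in SYSTEM_NAMES and "\\windows\\" not in low:
            reasons.append("system-binary name but not under \\Windows")
        if any(h in low for h in SCRIPT_LAUNCHERS):
            reasons.append("script file or script/LOLBin host")
        results.append((key, name, cmd, reasons))
    return results

def removal_reg(triaged):
    """A .reg that deletes only the flagged values ("name"=-) and leaves the
    Run keys themselves in place; feed it to `reged -I`."""
    by_key = {}
    for key, name, _cmd, reasons in triaged:
        if reasons:
            by_key.setdefault(key, []).append(name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        out += [f"[{key}]"] + [f'"{_escape(n)}"=-' for n in names] + [""]
    return "\r\n".join(out)

if __name__ == "__main__":
    triaged = triage(parse_reg_export(SAMPLE_EXPORT))   # or parse open("run.reg").read()
    for _key, name, cmd, reasons in triaged:
        print("FLAG" if reasons else "ok  ", repr(name), "->", cmd, "; ".join(reasons))
    print(removal_reg(triaged))
```

Run it against a real export and read the flagged lines before importing anything: the `"name"=-` syntax removes a single value, so the generated file never touches the Run key itself or the legitimate entries next to the malicious one, which is the point Ramhound makes above. Repeat for RunOnce, the HKCU hive (NTUSER.DAT under the user's profile, prefix HKEY_CURRENT_USER) and the Wow6432Node copy.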

12

Boot from the Windows 7 CD.

Press Shift + F10. In cmd, run regedit.

Mount the registry hives from your HDD.

Remove startup items.

See also the analogous keys under \SOFTWARE\Wow6432Node\.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon

HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths
HKLM\Software\Microsoft\Windows\CurrentVersion\Controls Folder
HKLM\Software\Microsoft\Windows\CurrentVersion\DeleteFiles
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\Extensions
HKLM\Software\Microsoft\Windows\CurrentVersion\ExtShellViews
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage
HKLM\Software\Microsoft\Windows\CurrentVersion\RenameFiles
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers
HKLM\Software\Microsoft\Windows NT\CurrentVersion\drivers.desc
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\0
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Embedding
HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI
HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Ports
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WOW
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

cmd autorun:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
AutoRun

HKEY_CURRENT_USER\Software\Microsoft\Command Processor
AutoRun

Filesystem:

Powershell autorun:

%ALLUSERSPROFILE%\Documents\Msh\profile.msh
%ALLUSERSPROFILE%\Documents\Msh\Microsoft.Management.Automation.msh_profile.msh

%USERPROFILE%\My Documents\msh\profile.msh
%USERPROFILE%\My Documents\msh\Microsoft.Management.Automation.msh_profile.msh

Init MS-DOS environment 64-bit Windows:

%windir%\SysWOW64\AUTOEXEC.NT
%windir%\SysWOW64\CONFIG.NT

Init MS-DOS environment 32-bit Windows:

%windir%\system32\AUTOEXEC.NT
%windir%\system32\CONFIG.NT

Later it will be possible to write a script to automatically remove trojans from the registry and file system ... + 7 days

//TODO: script ...

Measures to prevent virus activity

disable autorun drive command:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f

STTR

Posted 2013-07-09T17:36:39.440

Reputation: 6 180

Nice, could you explain how to "Mount the registry hives from your HDD."? – terdon – 2013-07-09T18:01:26.390

Cool! Didn't know you can start a shell from the setup. How did you take screenshots of the setup, though?! – Shahbaz – 2013-07-09T21:27:44.037

@Shahbaz Virtualbox, Vmware player, Vmware workstation ... and others) – STTR – 2013-07-09T21:33:01.830

@sttr, haha, yeah I came to that conclusion after I wrote the comment. Thanks for the effort, but I'm contemplating whether I should accept the second answer, since while your solution solves my problem, the other answer is probably more fit for future visitors since it matches the question title. – Shahbaz – 2013-07-09T21:41:43.443

@Shahbaz Throw a coin) – STTR – 2013-07-09T21:45:17.337

0

DISCLAIMER: I haven't tried this since I don't use Windows, but it might work.

Windows startup programs are found in the folder C:\Users\(User-Name)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (for user-specific startup programs) or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup for global startup programs. Any program that has a shortcut in one of those folders will be started automatically.

I don't know if this is the only way to define startup programs (and rather suspect it isn't), but if you find a weird program name in there, it may well be your virus. Just delete it and try again. You can also remove all startup programs just in case.

Now, if your virus is running as a service this will not work since they are governed differently. Given that the virus also starts when booting into safe mode, this seems quite likely. Still it is probably worth a try.

terdon

Posted 2013-07-09T17:36:39.440

Reputation: 45 216

Yeah, but that is almost always empty and very few programs install shortcuts there. There are a lot of applications that get themselves in startup (which can be seen for example through msconfig) and I doubt they present themselves as files other than their original .exe file. – Shahbaz – 2013-07-09T21:29:35.920

@Shahbaz yes, I didn't think it would be that easy... – terdon – 2013-07-10T04:16:43.670

easy when you can get in in the first place ;) – Shahbaz – 2013-07-10T08:21:03.037

@Shahbaz you can access the folders through Linux, if the virus had been there, it would have been easy to disable. – terdon – 2013-07-10T18:22:04.273
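
Added example covering the file-system locations in STTR's answer (AUTOEXEC.NT/CONFIG.NT, the PowerShell profiles) and the Startup folders in terdon's answer, checked from Linux the way terdon's last comment suggests, with the Windows volume mounted; this is my code, not from either answer. The mount point (/mnt/win), the constructed sample volume, the stock-content rule for the .NT files and the crude .lnk target extraction are assumptions of the example.

```python
"""Walk the file-system autostart locations on a Windows volume mounted under
Linux (ntfs-3g, assumed at /mnt/win) and report what is there. Added example
for the file-system part of the regedit answer and for the Startup-folder
answer; not code from either answer. The mount point, the sample volume and
the .lnk trick are this example's own assumptions."""
import fnmatch
import os
import re
import tempfile

# Relative to the volume root, '/' separated; '*' stands for one user profile.
STARTUP_FOLDERS = [
    "ProgramData/Microsoft/Windows/Start Menu/Programs/Startup",              # all users
    "Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",  # per user
]
# The Msh paths are the ones the answer lists; the WindowsPowerShell ones are
# where the PowerShell 2.0 shipped with Windows 7 looks for its profile (added).
INIT_FILES = [
    "Windows/System32/AUTOEXEC.NT", "Windows/System32/CONFIG.NT",
    "Windows/SysWOW64/AUTOEXEC.NT", "Windows/SysWOW64/CONFIG.NT",
    "ProgramData/Documents/Msh/profile.msh", "Users/*/Documents/Msh/profile.msh",
    "Windows/System32/WindowsPowerShell/v1.0/profile.ps1",
    "Users/*/Documents/WindowsPowerShell/profile.ps1",
]
PATH_RE = re.compile(r"(?:[a-z]:\\|%\w+%\\)\S+")   # drive- or %VAR%-rooted path

def ci_glob(root, rel):
    """Case-insensitive glob under root (ntfs-3g lookups are case-sensitive)."""
    hits = [root]
    for part in rel.split("/"):
        hits = [os.path.join(d, n) for d in hits if os.path.isdir(d)
                for n in sorted(os.listdir(d)) if fnmatch.fnmatch(n.lower(), part.lower())]
    return hits

def lnk_target(path):
    """Crude: first ANSI 'X:\\...' string in a .lnk, normally the LinkInfo
    LocalBasePath. A real parser would follow the MS-SHLLINK offsets instead."""
    with open(path, "rb") as fh:
        m = re.search(rb"[A-Za-z]:\\[^\x00]{1,260}", fh.read())
    return m.group(0).decode("latin-1") if m else None

def scan(root):
    """Return (kind, path relative to root, detail) tuples worth a human look."""
    findings = []
    for pat in STARTUP_FOLDERS:
        for folder in ci_glob(root, pat):
            for entry in sorted(os.listdir(folder)):
                if entry.lower() == "desktop.ini":          # normal in every Startup folder
                    continue
                full = os.path.join(folder, entry)
                detail = lnk_target(full) if entry.lower().endswith(".lnk") else "(not a shortcut)"
                findings.append(("startup", os.path.relpath(full, root), detail))
    for pat in INIT_FILES:
        for f in ci_glob(root, pat):
            is_dos = f.lower().endswith(".nt")
            with open(f, encoding="latin-1") as fh:
                for line in fh:
                    s = line.strip()
                    if not s or s.lower().startswith(("rem ", "@echo", "#", ";")):
                        continue
                    m = PATH_RE.search(s.lower())
                    # stock AUTOEXEC.NT/CONFIG.NT only reference %SystemRoot%\system32;
                    # any non-comment line in a PowerShell profile is interesting
                    if is_dos and (not m or m.group(0).startswith("%systemroot%\\system32")):
                        continue
                    findings.append(("init", os.path.relpath(f, root), s))
    return findings

def build_sample_volume(base):
    """Construct a tiny fake volume for the demo (made-up content, no real malware)."""
    def put(rel, data):
        p = os.path.join(base, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb" if isinstance(data, bytes) else "w") as fh:
            fh.write(data)
    put("ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/desktop.ini", "[.ShellClassInfo]\n")
    # .lnk-shaped blob: 'L' magic, zero padding, then an ANSI base path
    put("Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/Update.lnk",
        b"L\x00\x00\x00" + b"\x00" * 72 + b"C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe\x00")
    put("Windows/System32/AUTOEXEC.NT", "@echo off\nREM stock\nlh %SystemRoot%\\system32\\dosx\n"
        "lh C:\\ProgramData\\Cache\\loader.exe\n")
    put("Users/alice/Documents/WindowsPowerShell/profile.ps1", "# comment\nStart-Process $env:TEMP\\x.exe\n")

def demo_scan():
    """Build the sample volume in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="winvol-")
    build_sample_volume(root)
    return scan(root)

if __name__ == "__main__":          # on a real mount: for ... in scan("/mnt/win")
    for kind, path, detail in demo_scan():
        print(f"{kind:8}{path}\n        -> {detail}")
```

On a real volume, mount it read-only first (`mount -t ntfs-3g -o ro /dev/sdXN /mnt/win`) and only remount read-write once you know which file to move out of the way; nothing here deletes anything. A shortcut whose target lives under a user's AppData or Temp, or any AUTOEXEC.NT line loading something outside %SystemRoot%\system32, is what a quick look should surface, but as terdon's comment says, a virus that also survives safe mode is more likely to be in the registry or a service than in these folders.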