> I thought I would ask this considering the level of response > I had on the last thread I started, in the hope that someone > might suggest a technique for this problem. > > When removing malware of one sort or another, I have had the > situation quite a few times where a dodgy dll/exe couldn't be > removed/renamed in normal or any safe mode, and attempts to > remove its links from the registry to stop it from starting > result in the malware recreating those links instantly (for > example, a bit of malware inserts itself into the winlogon > notify list). Normally I will boot off the XP CD to the > recovery console and rename the offending file(s) there, > however, the Windows XP recovery console does not allow you > into the "Documents and Settings" folder (access denied), and > I have had it once or twice where a bit of malware is stored > inside that directory structure and has full privs on the system. > > On one occasion I tried inserting an extra command into the > session manager's BootExecute key, just telling it to delete > the file in question. Admittedly I was hastily trying > multiple strategies, so I don't know whether this particular > strategy worked, but I doubt it did since the delete command > is stored in cmd.exe. Perhaps a batch file could have done > it but I doubt that the BootExecute system would allow > commands to spawn other processes. > > Anyway, any ideas, as I probably will come up against this > scenario again :)
I have had the misfortune of having to remove several rootkits from Windows 2003 servers in the past. I know it isn't exactly what you are referring to, but the concepts are generally the same. Most likely you were dealing with onboot services that are hooking into the Windows API to hide themselves from Windows all together. What you need to do is get a listing of onboot services, and start looking at which ones are not properly signed (most onboot services will be properly signed by a reputable company i.e. MS, Adobe, etc). I recall that I used HiJackThis to get me a list of the onboot services, and then looked at each of them to verify that they were legit. Armed with this list of "questionable" services you can boot into the recovery console and run "disable <service>" to remove the services. The problem with accessing the "Documents and Settings" folder is a tough one to crack, as I didn't have to deal with it in my instance (the files were located in a hidden directory in C:\Windows\). You might want to try liveCD that supports reading and writing to NTFS (if they are using NTFS, or if you are lucky, just access the drive via FAT32). As a different avenue of approach, maybe you can accomplish something with BartPE. That would allow you to boot into windows and run various apps independent of the compromised OS. Good luck, Tom Walsh Express Web Systems, Inc. http://www.expresswebsystems.com/
