
How do I edit registry on a removed hard drive?

Posted: Wed Mar 13, 2013 7:36 pm
by ed4586
Have a friend's hard drive with the FBI Money Pack virus. Couldn't get into safe mode, so I removed the SATA drive and ran AVG, Stinger, Malwarebytes etc. via a laptop using an external USB adapter.

Located/deleted a bunch of malware, trojans etc., but it still has a virus. Can't locate anything in the Start/Startup files. I suspect it's in the registry.

Is there any way to edit the registry on a slave drive that is not running the OS? Have full access to the files on the drive (as a slave)... just can't get past the virus when it is used as the master.

It will be a last resort of course... Windows XP Pro 32-bit on the drive.

Thanks

Posted: Thu Mar 14, 2013 12:13 am
by evasive
Complete instructions are here. Malwarebytes in safe mode should take care of this one.

http://botcrawl.com/how-to-remove-the-f ... l/#options

But I fear you have a rootkit in there as well, which may or may not include an MBR infection.

http://malwaretips.com/Thread-MBR-check-tools

Posted: Thu Mar 14, 2013 5:18 am
by ed4586
The PC will not open in Safe Mode. When selecting Safe Mode or any other option, it defaults to the FBI screen; can't work in that environment at all. Can't run REGEDIT in the normal Windows environment. Was hoping to locate the registry file with the drive as a slave.

Posted: Thu Mar 14, 2013 8:58 am
by Karlsweldt
If you cannot get any other start mode other than what is presented, then the MBR has indeed been infected. Try booting directly to the OS install disk recovery console, and command the Fixmbr process. You might be lucky.
Best is to mount the drive as a slave or secondary in a host case, or via a USB external case, to a known-clean system, and scan it with the host's antivirus program. Connect the drive after the OS has settled in, if external. A complete scan should clear up any unwanted entities. But if the virus has "taken root", then it could infect other system files, and they too might be deleted. For reference, the Registry files are located in the Windows\System32\Config folder. But editing them outside of the parent OS (the one that created them) is near impossible. Only an experienced programmer should attempt it.
Yes, this "FBI Money Pack" virus is really nasty! Microsoft's Forum has hints on what to do. But don't expect a full recovery. You may have to rebuild the OS installation.

Posted: Thu Mar 14, 2013 10:03 am
by Mr T
Are you booting into SAFE MODE by pressing F8 before the Windows splash screen? You should get into SAFE MODE and then use CTRL+ALT+DELETE to close processes down....

BUT.....

Beforehand, when the FBI warning screen is up in Normal mode, press CTRL+ALT+DELETE and use Task Manager to close the virus process down. Then go to User Accounts and create a new account with ADMIN status and password protect it. Set the other account to standard user, then reboot into the new account and install Malwarebytes. From there you can reboot into SAFE MODE using the new Admin account and run Malwarebytes to remove the nasty.

I highly recommend, once the nasty is off, removing any virus scanners and installing Microsoft Security Essentials, then updating and running it. Also download and run CCleaner, using the registry fixer tool as well.

All these programs are free and can be downloaded from Filehippo.com.

Posted: Thu Mar 14, 2013 11:23 am
by Hardware Junkie
How to edit the registry offline.

http://4sysops.com/archives/regedit-as- ... ry-editor/

The only difference is you will need to specify full paths to the slave drive.

Here are the step-by-step instructions to remove the FBI Virus!
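The offline approach described in the link above, as an added example that is not from the original post or the linked article: loading the XP hives from the slave drive into a temporary key on the clean host with reg.exe, listing the standard autostart locations so any suspicious entry can be reviewed, and unloading them again so the changes are written back to the hive files. It assumes the slave drive is mounted as D: and that the commands run from an administrator command prompt on the clean system.

```batch
@echo off
REM Assumption: the infected XP drive is attached as D: (change to your slave drive's letter).
REM Run this from an elevated (administrator) command prompt on the clean host.
set OFFDRIVE=D:

REM Load the offline machine hive under a temporary key name.
reg load HKLM\OffSoftware "%OFFDRIVE%\Windows\System32\Config\SOFTWARE"
if errorlevel 1 (echo Could not load the SOFTWARE hive & exit /b 1)

REM Machine-wide autostart locations to review for unknown programs.
reg query "HKLM\OffSoftware\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\OffSoftware\Microsoft\Windows\CurrentVersion\RunOnce"
REM On XP, Shell is normally "explorer.exe" and Userinit is normally
REM "C:\WINDOWS\system32\userinit.exe," (note the trailing comma).
reg query "HKLM\OffSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\OffSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

REM Example repair, only after confirming the value really was changed:
REM reg add "HKLM\OffSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d explorer.exe /f

REM Unloading writes the hive back to the file on the slave drive.
reg unload HKLM\OffSoftware

REM Per-user autostart entries live in each profile's NTUSER.DAT (XP path shown).
for /d %%P in ("%OFFDRIVE%\Documents and Settings\*") do (
  if exist "%%P\NTUSER.DAT" (
    echo === %%P ===
    reg load HKU\OffUser "%%P\NTUSER.DAT" >nul 2>&1 && (
      reg query "HKU\OffUser\Software\Microsoft\Windows\CurrentVersion\Run"
      reg unload HKU\OffUser
    )
  )
)
```

If reg load fails, the hive is usually still open or dirty; the OS on the slave drive must not be running, and a profile whose NTUSER.DAT was in use when the machine was pulled may need a chkdsk on the slave drive first.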

Posted: Mon May 13, 2013 6:11 am
by securityguy
Norton Power Eraser does the job for me!