How do I edit registry on a removed hard drive?


Postby ed4586 » Wed Mar 13, 2013 7:36 pm

Have a friend's hard drive with the FBI Money Pack virus. Couldn't get into Safe Mode, so I removed the SATA drive and ran AVG, Stinger, Malwarebytes etc. via a laptop using an external USB adapter.

Located/deleted a bunch of malware, trojans etc., but it still has a virus. Can't locate anything in the Start/Startup files. I suspect it's in the registry.

Is there any way to edit the registry on a slave drive that is not running the OS? I have full access to the files on the drive (as a slave)... just can't get past the virus when it is used as the Master.

It will be a last resort of course... Windows XP Pro 32-bit on the drive.

Thanks
ed4586
Initiate
Posts: 75
Joined: Tue Nov 14, 2006 12:18 pm
Location: Plattsburgh, NY

Postby evasive » Thu Mar 14, 2013 12:13 am

Complete instructions are here. Malwarebytes in safe mode should take care of this one.

http://botcrawl.com/how-to-remove-the-f ... l/#options

But I fear you have a rootkit in there as well, which may or may not include an MBR infection.

http://malwaretips.com/Thread-MBR-check-tools
We hate rut, but we fear change.
********************************
System error, strike any user to continue...
evasive
Mobo-fu Master
Posts: 36791
Joined: Sun May 06, 2001 12:01 am
Location: Netherlands

Postby ed4586 » Thu Mar 14, 2013 5:18 am

The PC will not open in Safe Mode. When selecting Safe Mode or any other option, it defaults to the FBI screen... can't work in that environment at all. Can't run REGEDIT in the normal Windows environment... was hoping to locate the registry file with the drive as a slave.
ed4586
Initiate
Posts: 75
Joined: Tue Nov 14, 2006 12:18 pm
Location: Plattsburgh, NY

Postby Karlsweldt » Thu Mar 14, 2013 8:58 am

If you cannot get any start mode other than what is presented, then the MBR has indeed been infected. Try booting directly to the OS install disk recovery console, and run the Fixmbr command. You might be lucky.
Best is to mount the drive as a slave or secondary in a host case, or via a USB external case, on a known-clean system, and scan it with the host's antivirus program. Connect the drive after the OS has settled in, if external. A complete scan should clear up any unwanted entities. But if the virus has "taken root", then it could infect other system files, and they too might be deleted. For reference, the Registry files are located in the Windows\System32\Config folder. But editing them outside of the parent OS (the one that created them) is near impossible. Only an experienced programmer should attempt it.
Yes, this "FBI Money Pack" virus is really nasty! Microsoft's forum has hints on what to do. But don't expect a full recovery. You may have to rebuild the OS installation.
F@H.. to solve mankind's maladies.. in our lifetimes!
Karlsweldt
Mobo-fu Master
Posts: 19202
Joined: Wed Nov 12, 2003 11:57 am
Location: 07438

Postby Mr T » Thu Mar 14, 2013 10:03 am

Are you booting into SAFE MODE by pressing F8 before the Windows splash screen? You should get to SAFE MODE and then use CTRL+ALT+DELETE to close processes down....

BUT.....

Beforehand, when the FBI warning screen is up in Normal mode, press CTRL+ALT+DELETE and use Task Manager to close the virus process down. Then go to User Accounts and create a new account with ADMIN status and password protect it. Set the other account to standard user, then reboot into the new account and install Malwarebytes. From there you can reboot into SAFE MODE using the new Admin account and run Malwarebytes to remove the nasty.

I highly recommend, once the nasty is off, removing any virus scanners and installing Microsoft Security Essentials, then updating and running it. Also download and run CCleaner, using the registry fixer tool as well.

All these programs are free and can be downloaded from Filehippo.com.
I have been programming on computers since the ZX81.
I am an apprentice trained Electronics Engineer with qualifications to back it up.
I have been repairing computers since 1996.
Yet to some people I still know nothing...
Mr T
Enlightened Master
Posts: 16794
Joined: Fri Jun 14, 2002 1:03 am
Location: England

Postby Hardware Junkie » Thu Mar 14, 2013 11:23 am

How to edit the registry offline.

http://4sysops.com/archives/regedit-as- ... ry-editor/

The only difference is you will need to specify full paths to the slave drive.
"Imagination is the only weapon in the war against reality." -Jules de Gautier
Hardware Junkie
Mobo-fu Master
Posts: 19404
Joined: Thu Jan 25, 2001 1:01 am
Location: 00000h - 0000Fh
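The offline hive technique Hardware Junkie links to, written out as an added example for the situation in this thread (this is not code from the thread or from the linked article). It assumes the infected XP drive is mounted on the clean host as D:\, that the commands run from an elevated PowerShell prompt, and that the temporary key names OfflineSoftware and OfflineUser and the profile user name are placeholders you substitute. reg.exe's load/query/add/delete/unload switches are the standard ones; the hive locations are the ones Karlsweldt mentions (Windows\System32\Config) plus the per-user NTUSER.DAT.

```powershell
# Added example (not from the thread): inspect, and only then edit, the registry hives of an
# offline Windows XP installation mounted as a secondary drive on a clean machine.
# Assumptions: drive letter D:, elevated PowerShell, placeholder user profile name.

$offlineRoot  = 'D:\Windows'
$softwareHive = Join-Path $offlineRoot 'System32\Config\SOFTWARE'
$userHive     = 'D:\Documents and Settings\<username>\NTUSER.DAT'   # XP profile path; <username> is a placeholder

# 1. Load the offline hives under temporary keys in the host's registry.
#    Nothing here touches the host's own HKLM\SOFTWARE or HKCU.
reg load HKLM\OfflineSoftware $softwareHive
reg load HKU\OfflineUser      $userHive

# 2. Review the usual autostart locations. Treat every value listed as something to
#    compare against a known-clean XP machine before deciding it is malicious.
reg query "HKLM\OfflineSoftware\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\OfflineSoftware\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKU\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run"

# 3. Only after that comparison: restore the default Windows shell and remove a rogue
#    Run entry. <RogueValueName> is a placeholder for the exact value name found in step 2.
#    Both lines are left commented so the script is read-only until you uncomment them.
# reg add    "HKLM\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "Explorer.exe" /f
# reg delete "HKLM\OfflineSoftware\Microsoft\Windows\CurrentVersion\Run" /v <RogueValueName> /f

# 4. Always unload. Until the hive is unloaded it stays locked and the edits are not
#    guaranteed to be flushed to the file on D:.
reg unload HKU\OfflineUser
reg unload HKLM\OfflineSoftware
```

Two practical notes: the Winlogon Shell and Userinit values are where lock-screen malware of this kind most often substitutes its own executable for Explorer, so a non-default value there is the first thing to check; and because the loaded hive is a copy of the file on the slave drive, back up the SOFTWARE hive and NTUSER.DAT before uncommenting anything in step 3.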

Here are the step-by-step instructions to remove the FBI Virus!

Postby securityguy » Mon May 13, 2013 6:11 am

Norton Power Eraser does the job for me!
securityguy
Pilgrim
Posts: 1
Joined: Mon May 13, 2013 6:08 am
