I thought I would ask this considering the level of response
I had on the last thread I started, in the hope that someone
might suggest a technique for this problem.
When removing malware of one sort or another, I have had the
situation quite a few times where a dodgy dll/exe couldn't be
removed/renamed in normal or any safe mode, and attempts to
remove its links from the registry to stop it from starting
result in the malware recreating those links instantly (for
example, a bit of malware inserts itself into the winlogon
notify list). Normally I will boot off the XP CD to the
recovery console and rename the offending file(s) there,
however, the Windows XP recovery console does not allow you
into the "Documents and Settings" folder (access denied), and
I have had it once or twice where a bit of malware is stored
inside that directory structure and has full privs on the system.
On one occasion I tried inserting an extra command into the
session manager's BootExecute key, just telling it to delete
the file in question. Admittedly I was hastily trying
multiple strategies, so I don't know whether this particular
strategy worked, but I doubt it did since the delete command
is stored in cmd.exe. Perhaps a batch file could have done
it but I doubt that the BootExecute system would allow
commands to spawn other processes.
Anyway, any ideas, as I probably will come up against this
scenario again :)
I have had the misfortune of having to remove several rootkits from Windows
2003 servers in the past. I know it isn't exactly what you are referring to,
but the concepts are generally the same.
Most likely you were dealing with onboot services that are hooking into the
Windows API to hide themselves from Windows all together. What you need to
do is get a listing of onboot services, and start looking at which ones are
not properly signed (most onboot services will be properly signed by a
reputable company i.e. MS, Adobe, etc). I recall that I used HiJackThis to
get me a list of the onboot services, and then looked at each of them to
verify that they were legit.
Armed with this list of "questionable" services you can boot into the
recovery console and run "disable <service>" to remove the services.
The problem with accessing the "Documents and Settings" folder is a tough
one to crack, as I didn't have to deal with it in my instance (the files
were located in a hidden directory in C:\Windows\). You might want to try
liveCD that supports reading and writing to NTFS (if they are using NTFS, or
if you are lucky, just access the drive via FAT32).
As a different avenue of approach, maybe you can accomplish something with
BartPE. That would allow you to boot into windows and run various apps
independent of the compromised OS.
Good luck,
Tom Walsh
Express Web Systems, Inc.
http://www.expresswebsystems.com/
