Well, my initial reasoning was that if it was Virut, it would have taken
up residence in winlogon.exe and compromised the normal login function.
Why and how the a/v (Comodo /w sandbox) missed the initial appearance
needs to be investigated but it could also have been the a/v itself,
deleting infected files and thereby breaking the login process (as per the
typical userinit.exe problems).
Due to the change of government in the UK, the crisis has been averted
and I have the luxury of inspecting the damage myself next week. I
would, however still like to access the system remotely and since last
night have Nessus trying to find an opening :-)
--
Peter van Houten
On the 14 May, 2010 15:09, Mike Hoffman wrote the following:
We've seen a number of machines with McAfee on them where the update
killed them, and that was not the only issue; it was the userinit.exe (as
Tammy suggested). Our solution was to use Autoruns on a WinPE disk and
remove the virus entries sitting in the key.
If you could get someone else trusted to boot into the recovery
console then they could change the registry manually.
Would the "Suit" allow for a more technical user to follow a precise
set of instructions on your behalf? E.g. insert XP CD, turn on desktop,
open recovery console, read registry line, fix, reboot?
Mike
-----Original Message-----
From: Peter van Houten [mailto:[email protected]]
Sent: 14 May 2010 13:14
To: NT System Admin Issues
Subject: Re: XP Box inaccessible
Thanks Tammy; most of my attempts at remote access were fruitless.
Besides breaking the login process, the code *seems* to have disabled all
access vectors that I know of, with the exception of IPC$ (with null
credentials only) via which I have made a connect/disconnect but nothing more
and was hoping that some bright spark knew of an attack via this route.
It does appear to parse the initial login credentials correctly (and probably
stores them). Have nmap scanned aggressively and shown ports 139 & 445 open,
hence the partial netbios access as above.
The suit using this PC won't allow anyone else other than myself within
50 paces but was able to defer the requirement for the important docs on the
system's desktop [say goodbye to his write access to /desktop :-) ], so I have
a weekend reprieve (and more time to hack it).
--
Peter van Houten
On the 14 May, 2010 04:10, Tammy wrote the following:
Can you access the machine's registry from a machine on the network
using remote registry? It has worked for me a few times (assuming
userinit.exe exists & is intact).
Worth a look to see if the userinit value in registry is hosed.
Key: BrokenMachine\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Normally the value for userinit is c:\windows\system32\userinit.exe,
Fix the value, disconnect registry & reboot the box.
Just in case they have windows installed to a different
directory/drive etc though might want to check here first:
Brokenmachine\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Regards,
Tammy Stewart (coppertop)
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
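The registry check Tammy describes, as an added PowerShell example (not code from the thread): it reads the Winlogon Userinit value over the Remote Registry service, compares it with the stock value under the target's real SystemRoot, checks that userinit.exe is still present, and only rewrites the value when run with -Repair. It assumes Remote Registry is running on the target, the caller holds admin rights there, and the computer name passed in is a placeholder.

```powershell
# Added example: inspect and optionally restore HKLM\...\Winlogon\Userinit on a
# remote XP box. Assumes the Remote Registry service is running on the target
# and the caller is a local admin there. $ComputerName is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,  # e.g. 'BROKENMACHINE'
    [switch]$Repair                                        # without it: report only
)

$base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
try {
    # Windows may not live in C:\WINDOWS. SystemRoot under CurrentVersion is a
    # plain REG_SZ, so it reads back as a literal path; windir under
    # Session Manager\Environment would come back unexpanded as %SystemRoot%.
    $cv = $base.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    $systemRoot = [string]$cv.GetValue('SystemRoot', 'C:\WINDOWS')
    $cv.Close()

    # Stock XP value, trailing comma included. Stock Shell is Explorer.exe.
    $expected = "$systemRoot\system32\userinit.exe,"

    $winlogon = $base.OpenSubKey(
        'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', [bool]$Repair)
    $current = [string]$winlogon.GetValue('Userinit', '<missing>')
    $shell   = [string]$winlogon.GetValue('Shell', '<missing>')
    "{0}: Userinit = {1}" -f $ComputerName, $current
    "{0}: Shell    = {1}" -f $ComputerName, $shell

    # Tammy's caveat: the fix is pointless if the a/v deleted the binary.
    # Needs the admin share (C$), which may itself be unreachable.
    $exePath = "\\$ComputerName\$($systemRoot -replace ':', '$')\system32\userinit.exe"
    if (-not (Test-Path $exePath)) {
        "WARNING: $exePath not found (or admin share unreachable); restore the file first."
    }

    if ($current -ieq $expected) {
        'Userinit is the stock value; look at Shell, the Run keys and the a/v log instead.'
    } elseif ($Repair) {
        # Keep the old value locally for the post-mortem before overwriting it.
        Set-Content -Path "$ComputerName-userinit-old.txt" -Value $current
        $winlogon.SetValue('Userinit', $expected,
            [Microsoft.Win32.RegistryValueKind]::String)
        "Userinit reset to '$expected' (old value saved locally). Reboot the box."
    } else {
        "Userinit deviates from '$expected'; rerun with -Repair to restore it."
    }
    $winlogon.Close()
}
finally {
    $base.Close()
}
```

Run it first without -Repair to see what the key holds; if Userinit is already stock, the broken login has another cause and this script changes nothing.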