Cleaning up after WMF exploit third party boot disc

At this point, I needed to rename or delete some files that windows would not let me touch. I had this winlogon.exe running from a suspect directory c:\windows\inet20001 and windows wouldn’t let me kill it, or remove it’s start entry in the registry. So, I booted my image from a dsl linux cd and opted for command line only. Once booted, I navigated to mount the windows partition and cd’d to /mnt/hda1/windows/inet20001

Here’s what it contained…. 3.00.13.dll (BHO of some sort), mm4.exe, services.exe, alg.exe, mm4.exe.bak, winlogon.exe, alg.exe.bak, I renamed the folder (so the files within would no longer be found and run and moved to windows/system32 which is where some of the other pests were…

vxgame1.exe vxgame2.exe vxgame3.exe vxgame6.exe vxh8jkdq1.exe vxh8jkdq2.exe vxh8jkdq5.exe vxh8jkdq6.exe vxh8jkdq7.exe vxgamet1.exe vxgamet3.exe vxgamet4.exe were all here and got renamed. I also renamed the winstall.exe file which was still in c:\ I later came back to get the kernels64.exe (Which I believe was also in c:\windows\system32 )

   Send article as PDF   

Similar Posts