
Got Spanked by Viruses, Chewed up my Registry, and have bootup probs



#1
Irondawgs
How it started:
Got a massive attack from a bad case of virus-embedded Nero...
Virtumonde (wow, this was tough to get rid of...even with both the dedicated main Virtumonde removers), BHO trojans, Winlogon, droppers, and a few others. After downloading a new version of HJT, Combofix, Vundofix, VirtumondoBeGone, SuperAntiSpyware, Spybot, AVG, ThreatFire, Spyware Terminator, and a few other online scans, I have it under control...except for one bad day where it seemed I was fighting a losing battle. These viruses are kick-butt in deleting/changing/disabling Spybot, Threatfire, AvastAntivirus, TeaTimer, Quicktime, RealPlayer, Java, everything...that makes it really difficult to delete when they just erased your antivirus!!!

What I did:
After doing all of the above and still having bad registry keys on HJT after reboots, I kind of went berserk and erased things while checking on as a guide to what is a good, valid key and what are listed as bad. But I soon realized that there is so much variation on opinions of what is good and what is bad that I may have erased some things that are needed. I thought was God's gift for what were good and bad keys, and if someone listed one of my keys as bad, I erased it without hesitation, even if half the people said it was good, half bad.

What happens now:
From a cold boot trying to logon normally, it will hang as soon as it gets to the black background screen with the Windows XP Professional Logo...as soon as it shows up at that screen, so that the Windows XP Pro logo is not even at full brightness.

What I can do:
I have to reboot, start in safe mode (not even safe mode with networking works consistently), and once it loads (safe mode always works), I can push "start", "turn off" and "restart" and now windows will start normally. It's as if loading in safe mode first gets all the necessary keys or something so it will now allow me to start in "normal" mode. Then everything appears to work perfectly.

What I need:
???????? Repair my registry? How do I do this? Or...is something else wrong??? All of those spyware scanners, online scans, and newest AVG, Threatfire, Spyware Terminator, SuperAntiSpyware, AdAware, Spybot, SpywareBlaster, etc, etc...I run them all, and all say I am clean...so I think that is "one" thing I am 95% sure of.
Some of what I erased is below, but there is a chance that what happened isn't completely or only partly due to me messing with the registry; maybe it was the viruses.

Here is my current HJT log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:51 PM, on 1/25/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.speakeasy.net/speedtest/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198597342296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198597329898
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5790 bytes
Now here are the "backups" from HJT...to tell you the truth, I am not sure if even these were my first logs because the viruses even erased/corrupted HJT at one point, so I uninstalled, reinstalled it, but here they are:
(I am writing these by hand b/c I can't figure out how to put them on a text file without risking possibly reinstalling "or" losing them!!!) Some were deleted at different times, but I fear the main keys I need that I erased, I may have erased even before this!!!)

1/24/2008 9:18:00pm: O4 - HKLM\..\Run:[Quicktime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
" O4 - HKLM]..\Run:[80d5f676]rundll32.exe"C:\Windows\system32\ohcucngf.dll",b
" O2 - BHO: {462c3f5c-eb3d-3c7a-3864-3d5558b05904} - {40950b85-55d3-4683-a7c3-d3bec5f3c264}-C:\Windows\System32\vnhkdjob.dll (file missing)

" another O2:BHO ddccy.dll (obviously one of the viruses)
O16: nbkeyscan.exe (virus from nero)

O16 - DPF:{CAFEEFAC-0015-000-0002-ABCDEDDEDCBA}(Java Plug-in)-
O23 nbservice.exe (another nero virus)
O23 nmindexingservice.exe (another nero virus)
O4 - HKLM\..\Run:[Logitech Utility]Logi_Mwx.Exe (I erased it at one point bc it said it was infected--my infrared mouse?)
O2 - BHO:SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}-C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll(file missing) (I erased it as some scanner said at one point it was infected)
O16 - DPF:{74D05D43-3236-11D4-BDCD-))C04F9A3B61}- (I erased this because, well, why not??? ;-) and it had no description and I was suspicious of everything at this point)
O4 - HKLM\..\Run:[Uninstall_CToolbar]"C:\Windows\Temp\CTun.exe""/remove"
O9 - Extra button: (no name)-{08B0E5C0-4FCB-11CF-AAA5-00401C608501}-C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll(file missing) --I erased this once again because "no name"
O9 - Extra 'Tools' menuitem: Sun Java Console-[08B0E5C0-4FCB-11CF-AAA5-00401C608501}-C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll(file missing) --again, I was pretty desperate
O4-HKLM\..\Run:[SunJavaUpdateSched\"C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" --definitely alerted by another program that it was infected, this I remember
O16 - DPF:{9B03C5F1-F5AB-47EE-937D-A8EDA626F876}- erased it just for kicks, and it had no description
O16 - DPF:[9A9307A0-7DA4-B042-%009F29E09E1]- fun, fun, fun
O16 - DPF:{D27CDB6E-AE6D-11CF-96B8-444553540000}(Shockwave Flash Object)- ----erased because it was there


That's it for this log of "Backups" for HJT


Here's a list of other deletions by many of the various programs (only a partial list):
fccdaww.dll
qttask.exe quicktime
dropper found by avast
rcx29 dropper
rcx2c dropper
agrsmmsg.exe dropper agent-psg what is this file???
ashdisp.exe
realsched.exe
spywareterminatorshield.exe
jussched.exe sunjava
nbservice.exe?
viewpointservice.exe?
wdfmgr.exe
ex_exec.exe
aswUpdSv.exe
fwservice.exe
dxlwyatu.exe adware? avast
ddccy.exe
ddccy.dll



Thanks guys
It could always be worse.
I hope there is some MagicFix to fix the registry by patching up the holes that the virus, and I, did.

I did erase all System Restore Points at one time because I did notice that the restore points even got infected at one point...which SUCKS!!!
and I do not have any back up restore points...although I should keep something like this as a backup...any recommendations on the best two ways to do this???

Edited by Rorschach112, 27 January 2008 - 05:29 PM.
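As an added illustration (not from the poster or the forum), a small Python triage of HijackThis-style entries modelled on the ones quoted above. The sample lines are constructed; the "random-name autorun" pattern is the shape of the 80d5f676 rundll32 entry in the post, and every verdict other than "orphan" still hands the line to a human rather than deleting it.

```python
import re

# Constructed sample, modelled on entries quoted in the post (not the poster's full log).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [80d5f676] rundll32.exe "C:\Windows\system32\ohcucngf.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
"""

# HJT lines start with a section code (O2, O4, O16, R0, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
# Vundo-style autorun: an 8-hex-char Run value name, rundll32 loading an
# 8-lowercase-letter DLL from system32 (the 80d5f676 / ohcucngf.dll entry above).
RANDOM_RUN_RE = re.compile(
    r"\[[0-9a-f]{8}\]\s*rundll32\.exe\s*\"?[A-Za-z]:\\Windows\\system32\\[a-z]{8}\.dll\"?",
    re.I)

def parse_entry(line):
    """Split one HJT line into its section code and body, or return None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    return {"code": code, "body": body,
            "file_missing": "(file missing)" in body,
            "no_name": "(no name)" in body}

def triage(line):
    """Return (verdict, reason). 'review' means a person still has to decide."""
    e = parse_entry(line)
    if e is None:
        return ("skip", "not an HJT entry")
    body = e["body"]
    if e["code"] == "O4" and RANDOM_RUN_RE.search(body):
        return ("suspicious", "random-name rundll32 autorun; check the DLL")
    if e["file_missing"]:
        return ("orphan", "target file absent; the key loads nothing either way")
    if e["code"] == "O16" and body.rstrip().endswith("-"):
        return ("review", "ActiveX DPF entry with no description or URL")
    if e["no_name"]:
        return ("review", "'(no name)' alone is not evidence; judge by the path")
    return ("review", "no heuristic matched; verify the path against the vendor")

def triage_log(text):
    """Triage every non-empty line; returns [(line, verdict, reason), ...]."""
    return [(l.strip(), *triage(l)) for l in text.splitlines() if l.strip()]
```

The point of the ordering is that a "(no name)" Spybot button and a "(file missing)" Java helper both come out as harmless-to-keep, while only the random-name autorun is singled out.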