[Dinofish]

I've got an idea

Because I have backups of my registry (prior to getting the virus), is there any way to create a system hive from a registry (.reg) file? I'm thinking that there must be a way to use those .reg file to either create new hives or to bootup directly into it.

I think this might work if I could convert those files.

Let me know what you and your techs think.

[Advertisements]

Is that a full backup of the registry?

Regards,

[Metallica]

Is that a full backup of the registry?

Regards,

[Dinofish]

I checked it out. It contains the 5 hives plus the users. Can we use it?

[Metallica]

I think so, but we have to figure out a way to activate it before winlogon starts.

The most logical way would be to use autoexec.bat

The command to import a regsitry file without a prompt is

regedit /s fileTOimport.reg


If you copy the line above into autoexec.bat and save it together with the fileTOimport.reg in the C:\ directory it should import that file.

If you are able to get into Windows sucessfully, please do not reboot untill we have had a chance to asses the damage.

Regards,

[Dinofish]

I tried what you asked and it did not work. The autoexec never kicked in. The XP screen appeared and then rebooted.

Upon further review of my registry backups, the security section does not get backed up. I told you it did but it does not. Sorry . Do you know where this info is kept? The only place I could find is in the System Volume Information folders.

Have your techs come up with anything?

[Metallica]

Have your techs come up with anything?

I'll ask them to have another look.

Regards,

[Metallica]

I just saw the post where the user says he did'nt follow the instrcutions in the following artilce, because he was missing the system hive in the c:\windows\repair in Part1:
http://support.micro...kb;en-us;307545

But Part1 was just to make the system ready to boot in safe-mode only, so that he could do the rest of the instructions.
Since the user already has a seperate installtion on another partition, he can directly start of with Part2 in the article.

[Dinofish]

I'll give it another try and try to boot into safe mode.

Thanks.

[Dinofish]

It failed again and again. The repair folder is missing the system hive so I copied one from the latest snapshot folder; failed. I then copied the 5 hives from the lastest snapshot folder; failed. It will not let me bootup into safemode.

What do you suggest now?

[darth_ash]

Hi Dinofish,
The hives in the repair folder are the default\fresh copies of the hives (same as the time when you just installed your Windows). Their purpose is just to get you into safe-mode.
Since I saw from your previous posts, you already have a installtion of WinXP on another partition, you don't need the hives in the repair folder.
You can start of from Part2 in the article from inside your other installtion of WinXP, which shows how to copy the hives from a system-restore snapshot.

I can see that you already tries copying hives from a snapshot, but did you rename it.
If not, I suggest you follow the instructions in Part2 of the article.

[Dinofish]

Hello Darth Ash,

To be exact I installed XP Pro (with a different keycode) within the same partition and on a different HDD. I did that as I was hoping not to have to reinstall everything.

I have copied the restore hives over and was able to get into safemode. But because it looked to much like my good side, I got out. I'll do this again Once inside, what should I do.

[Dinofish]

Darth Ash,

I was successful getting into safemode using the XP Pro hives. When I activated the system restore it crashed. So this avenue seems to be closed?

Knowing I can always get back, I then restored (thru regedit) a registry backup file (.reg) prior to getting this virus. Although I had a couple error messages, it did restore but took a good hour to bootup. I'm not sure how all this should work. Bootup is very slow, no internet and the screen res is unchangable at 640 x 480. I don't know where to go with this. What do you think I should do?

[Dinofish]

Great news!! I got in. By upgrading to Pro it seemed to have fixed things. So now we're back in business.

Please check out my Hijackthis log and maybe we can find what started this thing.

Thanks guys...

Attached Files

•  hijackthis.txt   5.93KB   138 downloads

[Metallica]

Excellent job. Thanks for your assistance darth_ash.

I'm adding your HijackThis log here, so I can read everything in one window.

Logfile of HijackThis v1.99.1
Scan saved at 8:24:35 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator.STARROOM.002\Desktop\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [5F9g3nl] jscla.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [KoqmRhJ7Q] lmfhept.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.atarionde...es/ExentCtl.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Cad\AutoCad 2002 Mech\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Cad\AutoCad 2002 Mech\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Cad\AutoCad 2002 Mech\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Cad\AutoCad 2002 Mech\AcPreview.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[Metallica]

Before you follow the instructions below, make sure AdWatch is set to Active and NOT on automatic.
I think Regrun will prom,pt you as well to some of the changes. make sure to read them well and allow the changes we want to make.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [5F9g3nl] jscla.exe

O4 - HKCU\..\Run: [KoqmRhJ7Q] lmfhept.exe

Then reboot and do a Find Files for jscla.exe and lmfhept.exe
I think you will find they are both already gone, but if they are present, delete them.

Regards,