Virus got me BAD! [RESOLVED]


This topic is locked.

#46
Dinofish (Member, Topic Starter, 39 posts)
I've got an idea :tazz:

Because I have backups of my registry (from prior to getting the virus), is there any way to create a system hive from a registry (.reg) file? I'm thinking that there must be a way to use those .reg files to either create new hives or to boot up directly into it.

I think this might work if I could convert those files.

Let me know what you and your techs think.

#47
Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Is that a full backup of the registry?

Regards,

#48
Dinofish (Member, Topic Starter, 39 posts)
I checked it out. It contains the 5 hives plus the users. Can we use it?

#49
Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
I think so, but we have to figure out a way to activate it before winlogon starts.

The most logical way would be to use autoexec.bat.

The command to import a registry file without a prompt is:

regedit /s fileTOimport.reg


If you copy the line above into autoexec.bat and save it together with fileTOimport.reg in the C:\ directory, it should import that file.

If you are able to get into Windows successfully, please do not reboot until we have had a chance to assess the damage.

Regards,

#50
Dinofish (Member, Topic Starter, 39 posts)
I tried what you asked and it did not work. The autoexec never kicked in. The XP screen appeared and then rebooted.

Upon further review of my registry backups, the security section does not get backed up. I told you it did but it does not. Sorry :tazz: . Do you know where this info is kept? The only place I could find is in the System Volume Information folders.

Have your techs come up with anything?

#51
Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

Have your techs come up with anything?


I'll ask them to have another look.

Regards,

#52
Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

I just saw the post where the user says he didn't follow the instructions in the following article, because he was missing the system hive in c:\windows\repair in Part 1:
http://support.micro...kb;en-us;307545

But Part 1 was just to make the system ready to boot in safe mode only, so that he could do the rest of the instructions.
Since the user already has a separate installation on another partition, he can directly start off with Part 2 in the article.



#53
Dinofish (Member, Topic Starter, 39 posts)
I'll give it another try and try to boot into safe mode.

Thanks. :tazz:

#54
Dinofish (Member, Topic Starter, 39 posts)
:) It failed again and again. The repair folder is missing the system hive, so I copied one from the latest snapshot folder; failed. I then copied the 5 hives from the latest snapshot folder; failed. It will not let me boot up into safe mode. :tazz:

What do you suggest now?

#55
darth_ash (Member 1K, 1,382 posts)
Hi Dinofish,
The hives in the repair folder are the default/fresh copies of the hives (the same as when you had just installed your Windows). Their purpose is just to get you into safe mode.
Since I saw from your previous posts that you already have an installation of WinXP on another partition, you don't need the hives in the repair folder.
You can start off from Part 2 in the article from inside your other installation of WinXP, which shows how to copy the hives from a system-restore snapshot.

I can see that you already tried copying hives from a snapshot, but did you rename them?
If not, I suggest you follow the instructions in Part 2 of the article.

#56
Dinofish (Member, Topic Starter, 39 posts)
Hello Darth Ash,

To be exact I installed XP Pro (with a different keycode) within the same partition and on a different HDD. I did that as I was hoping not to have to reinstall everything. :tazz:

I have copied the restore hives over and was able to get into safe mode. But because it looked too much like my good side, I got out. I'll do this again :) Once inside, what should I do?

#57
Dinofish (Member, Topic Starter, 39 posts)
Darth Ash,

I was successful getting into safe mode using the XP Pro hives. When I activated the system restore it crashed. So this avenue seems to be closed? :tazz:

Knowing I can always get back, :) I then restored (through regedit) a registry backup file (.reg) from prior to getting this virus. Although I had a couple of error messages, it did restore, but it took a good hour to boot up. I'm not sure how all this should work. :) Boot-up is very slow, no internet, and the screen resolution is unchangeable at 640 x 480. I don't know where to go with this. What do you think I should do?

#58
Dinofish (Member, Topic Starter, 39 posts)
:woot: Great news!! I got in. By upgrading to Pro it seemed to have fixed things. So now we're back in business. :tazz:

Please check out my Hijackthis log and maybe we can find what started this thing. :)

Thanks guys...


#59
Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Excellent job. Thanks for your assistance darth_ash. :tazz:

I'm adding your HijackThis log here, so I can read everything in one window.

Logfile of HijackThis v1.99.1
Scan saved at 8:24:35 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator.STARROOM.002\Desktop\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [5F9g3nl] jscla.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [KoqmRhJ7Q] lmfhept.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.atarionde...es/ExentCtl.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Cad\AutoCad 2002 Mech\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Cad\AutoCad 2002 Mech\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Cad\AutoCad 2002 Mech\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Cad\AutoCad 2002 Mech\AcPreview.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



#60
Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Before you follow the instructions below, make sure AdWatch is set to Active and NOT on automatic.
I think Regrun will prompt you as well for some of the changes. Make sure to read them well and allow the changes we want to make.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [5F9g3nl] jscla.exe

O4 - HKCU\..\Run: [KoqmRhJ7Q] lmfhept.exe

Then reboot and do a Find Files for jscla.exe and lmfhept.exe
I think you will find they are both already gone, but if they are present, delete them.

Regards,
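The two O4 entries Metallica singled out share a pattern: a random-looking value name and a command that is just a bare file name, resolved through the search path rather than from a fixed location. The triage script below is an added example, not code from this thread or from HijackThis; it parses the O4 lines and scores each entry on exactly those signals (the heuristics and thresholds are my own assumptions, tuned on the log posted above), so the same pass can be run over any HijackThis log to rank entries for a human to look at.

```python
# Rank the O4 autostart entries of a HijackThis log for manual review (heuristics are this example's own assumption).
import re
from collections import namedtuple

O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\([^:]+): \[([^\]]*)\] ?(.*)$")
O4Entry = namedtuple("O4Entry", "hive key name command")

# Constructed sample: O4 lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [5F9g3nl] jscla.exe
O4 - HKCU\..\Run: [KoqmRhJ7Q] lmfhept.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
def parse_o4(log_text):
    return [O4Entry(*m.groups()) for line in log_text.splitlines()
            if (m := O4_RE.match(line.strip()))]

# Character class: digit, upper, lower, or other (used to measure how "noisy" a name is).
_cls = lambda c: "d" if c.isdigit() else "U" if c.isupper() else "l" if c.isalpha() else "o"
def name_signals(name):
    """Heuristics the value name trips (thresholds hand-tuned on this thread's log)."""
    sig = set()
    pairs = list(zip(map(_cls, name), map(_cls, name[1:])))
    if pairs and sum(a != b for a, b in pairs) / len(pairs) >= 0.6:
        sig.add("class-churn")   # case/digit flips almost every character, e.g. KoqmRhJ7Q
    letters = [c for c in name if c.isalpha()]
    if len(letters) >= 4 and sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.25:
        sig.add("few-vowels")    # unpronounceable, unlike most vendor-chosen names
    return sig

def command_is_bare(command):
    """True when the executable has no path at all, so Windows finds it via the search path."""
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0] if cmd else ""
    return bool(exe) and "\\" not in exe and ":" not in exe and not exe.startswith("%")

def score(entry):
    sig = name_signals(entry.name)
    if command_is_bare(entry.command):
        sig.add("bare-command")  # the file could sit anywhere on the search path
    return len(sig), sorted(sig)

def triage(log_text, threshold=3):
    """Entries scoring >= threshold, highest first, as (name, command, score, signals)."""
    scored = sorted(((e, *score(e)) for e in parse_o4(log_text)), key=lambda t: -t[1])
    return [(e.name, e.command, n, sigs) for e, n, sigs in scored if n >= threshold]
```

On the sample, only the two entries from post #60 reach the default threshold; S3apphk (a bare command with an odd name) scores 2 and is worth a glance but is not flagged.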