My laptop was hijacked by several virus-worms. I was not able to use most of the shortcuts in the Control Panel, and most of the services would not work, i.e. Windows Update, Add or Remove Programs; about 90% of the controls were hijacked.
csrsc.exe was cleaned using:
Autorun-virus-removal tool
Registry Easy
RegGenie
At this point some of the services and the Control Panel work; still on the system:
"idvbwt.exe, cuvgmt.exe, fsgwyq.exe and, worst of all, cftu.exe, still running on the laptop"
Most commercial AVs were unable to detect and clean the above; only ClamWin found all 4 virus-worms and some others. This is where the boot problem "may" have started: ClamWin was set to remove (my mistake), not to quarantine, the virus. At this point it may have removed some entries of the registry or files; it is only my suspicion. At the same time I was following all the advice possible on how to remove the virus, based on the previous experience with the removal of csrsc.exe, which kept coming back until entries in the registry were deleted.
From ClamWin log:
C:\WINDOWS\system32\autorun.in: Worm.Autorun-1792 FOUND
C:\WINDOWS\system32\autorun.i: Worm.Autorun-1792 FOUND
C:\WINDOWS\system32\cftu.exe: Trojan.Autoit-72 FOUND
C:\Program Files\ftprush_ansi\ftprush.exe: Trojan.PcClient-2361 FOUND
Keeping that in mind, I also deleted one entry in the registry which may have contributed to the problem, based on the advice of the following site: h***://www.pcthreat.com/parasitebyid-7831en.html. Their advice was to check and delete the following entries in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\HotKeysCmds
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Msmsgs
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\cftu
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT\userinit
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Yahoo Messengger
I only found and deleted:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT\userinit
At this point I am not sure if it was the same as above or something that may have looked alike... big mistake on my part, I think...
By the way, during the above process I had set System Restore to "Off", as most advise doing during the scan and removal of the virus-worms.
Once I restarted the system I found the next problem:
The laptop, an IBM ThinkPad T23, Pentium III, FAT32, would start normally
The welcome screen came on
I logged in as Administrator, entered my password...
"Loading your personal settings" screen...
The Windows desktop theme came on, nothing else...
Then the "Logging off" blue screen came on
And then back to the welcome blue screen where I had started
I tried to start in Safe Mode: same situation as above
I tried the different menus in Safe Mode, command prompt, Last Known Good Configuration; nothing would work.
I figured the boot record may have got screwed during the cleaning process, so I figured I would repair the boot records using the Win XP CD with the R (Repair) option:
Checked bootcfg first: did not work
fixboot: did not work
fixmbr, which is not recommended:
Writing a new master boot record on physical drive
\device\harddisk0\partition0
The new master boot record has been successfully written
It did not work either, and then I checked again:
bootcfg
1 "Microsoft Windows XP Professional"
Load Options: /fastdetect /NoExecute=OptIn
OS Location: C:\windows
Then I remembered what happened when I tried to use fixmbr:
"This computer appears to have a non-standard or invalid master boot record"
Also, checking with the command "map":
\device\harddisk0\partition1
No wonder fixmbr did not work:
Writing a new master boot record on physical drive
\device\harddisk0\partition0
which is different from what the computer is using to start.
This is where I am now.
I know, or think, that some entries got screwed that relate directly to the boot record: /fastdetect /NoExecute=OptIn
I have no idea how to fix the problem. I cannot access regedit, since the boot process will not allow me in to check the last entry that I deleted; it may be, or it may look like:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT\userinit
But I cannot be sure.
Please help...
I know all the files and programs are on the hard drive, since I also ran chkdsk from the XP CD. I also ran an XP Live CD to make sure the files and programs were in fact on the hard disk...
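The registry check the poster tried to do by hand (the Run keys and the Winlogon Userinit value) can be done from a live CD without booting the broken install. As an added example, not code from the post or from any of the tools it names, the Python script below parses a regedit .reg export of those keys, compares Winlogon's Userinit and Shell values with the stock Windows XP defaults (assuming Windows lives in C:\WINDOWS, as the poster's bootcfg output shows), and lists every Run entry for review. The embedded sample export is constructed for the example, with the entry names borrowed from the post; it is not data from the machine.

```python
# Added example (not code from the post): audit the Winlogon and Run autostart
# values in a regedit (.reg) export taken from an offline Windows XP install.
import re
import sys

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Defaults of a stock Windows XP install with SystemRoot C:\WINDOWS. If Userinit is
# missing or wrong, winlogon cannot start the session and logs straight back out.
EXPECTED_WINLOGON = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "Shell": "Explorer.exe",
}
_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg writes \ and " inside strings as \\ and \"


def parse_reg(text):
    """Return {key_path_lowercase: {value_name: data}}. Handles quoted strings,
    dword:, hex(...) continued over backslash-terminated lines, and "Name"=- (None)."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = _VALUE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        while data.endswith("\\") and i < len(lines):  # hex data continuation lines
            data = data[:-1] + lines[i].strip()
            i += 1
        if data == "-":
            current[name] = None
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        else:
            current[name] = data  # hex(...) kept raw; not needed for these checks
    return keys


def check_winlogon(keys):
    """List Winlogon values that differ from the XP defaults."""
    values = keys.get(WINLOGON_KEY.lower(), {})
    findings = []
    for name, expected in EXPECTED_WINLOGON.items():
        actual = values.get(name)
        if not isinstance(actual, str):
            findings.append(f"Winlogon\\{name} is missing; Windows XP expects {expected!r}")
            continue
        parts = [p.strip().lower() for p in actual.split(",") if p.strip()]
        want = [p.lower() for p in expected.split(",") if p]
        if parts[: len(want)] != want:
            findings.append(f"Winlogon\\{name} is {actual!r}; Windows XP expects {expected!r}")
        elif len(parts) > len(want):  # default kept, but extra programs chained after it
            findings.append(f"Winlogon\\{name} also runs {parts[len(want):]} after the default")
    return findings


def list_run_entries(keys):
    """Return (hive, value_name, command) for every string value in the Run keys."""
    return [(key.split("\\", 1)[0], name, data)
            for key in RUN_KEYS
            for name, data in keys.get(key.lower(), {}).items()
            if isinstance(data, str)]


# Constructed sample, not a real export: Userinit has been deleted and two Run
# entries point at cftu.exe (a file name taken from the post).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cftu"="C:\\WINDOWS\\system32\\cftu.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\cftu.exe"
"""

if __name__ == "__main__":
    # regedit version 5 exports are UTF-16 with a BOM; with no path, run on the sample
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    keys = parse_reg(text)
    for finding in check_winlogon(keys):
        print("FINDING:", finding)
    for hive, name, cmd in list_run_entries(keys):
        print(f"RUN {hive}\\...\\Run\\{name} = {cmd}")
```

To use it on an install that will not boot: from a live CD open regedit, select HKEY_LOCAL_MACHINE, use File > Load Hive on the offline C:\WINDOWS\system32\config\software file (and HKEY_USERS with the account's NTUSER.DAT for the per-user Run key), export the Winlogon and Run keys, and run the script on the export. The script matches the key paths as they appear on a live system, so if the hive was loaded under a temporary name, either edit that prefix in the export back to SOFTWARE or change WINLOGON_KEY and RUN_KEYS to match. Run entries are only listed, not judged; compare them against what the scanner reported.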
A simple reformat/reinstall job would work.
It may be that simple. Call whoever you purchased the laptop from. The software is all hidden in a partition on the HDD. There is a way to get it to reinstall, and that info you can get from the company who developed that laptop.
Another way is to download Windows and reinstall with a copy and use your key at the bottom of the laptop.
You are going to lose what you have on there unless you can share it via network and copy the stuff.
Next time, always check with HijackThis and send in the log, to find out the best methods for hijacked registry changes....
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
Also, you may want to look into and consider calling your manufacturer and having them send you hard copies of the OS and important programs.
I also highly recommend HijackThis.
It looks as though your system is infected with several different trojans that spontaneously create copies of themselves in the registry. Your best bet is to not connect to the internet with your PC, get all your important data off of it and reformat it right away.
For you I would recommend always running a ZoneAlarm product or Spybot S&D (freeware), as they will both notify you of any changes to your registry, and I believe ZoneAlarm will notify you of programs accessing the internet.
I was not able to restore the system from the IBM recovery disk (I don't have a diskette unit); I tried mounting it on a CD and booting from there, and after several other trials I was able to recover my files, as advised by you guys.
At this point I noticed that there were some major changes on the HDD, so I figured it best to do a clean install, as some of you advised me to do from the get-go.
The important part was to recover my data, which I was able to do.
I thank you all for your help and support.