#1, Sep 13, 2010, 12:39 AM, Junior Member (Join Date: Jul 2010, Posts: 1)
Can't log on to Windows XP, deleted some registry keys

I use Malwarebytes Anti-Malware regularly (http://www.malwarebytes.org/mbam) and haven't had an infection found in about a year.
Yesterday I scanned after about a month and I saw 12 infections!

MBAM said it could not clean a few infections:

==============
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer Unknown

9/11/2010 11:19:49 PM
mbam-log-2010-09-11 (23-19-49).txt

Scan type: Quick Scan
Objects scanned: 94917
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mp3_audio_codec (Spyware.Zbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
=======================

So I thought of manually removing the infected registry keys (something I've done many times before).

While I was at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
I saw a key named 'Special Accounts'; it looked fishy to my paranoid eyes. It had some 'strange' values in it, none corresponding to my username (Administrator) or Guest. Three were somewhat random letters with a ~, and one was 'search assistant'. It looked like malware remains of some kind, so I deleted them all.

After that I rebooted, and the welcome screen showed up (usually it goes straight to the desktop since there is just one user, 'Administrator') with the only user, 'Administrator'. When I click it, it shows 'loading your personal settings' for a second. Then it reads 'saving your settings' and stays at the logon screen. I repeated this 10 times. Restarted and repeated. Shut down and repeated. Always the same result.

Then I tried 'Last Known Good Configuration' in the startup options. Still the same result.
Tried 'Safe Mode': it starts loading, then breaks at 'unable to load NTFS.dll'.
'Safe Mode with Networking': same logon screen, same one-second login and return to the logon screen.

I don't know how to log in. Can someone please help? Is there a way to remotely add the keys back to my registry, or some way to correct this problem?

Thanks and Regards

guptavis
-- chloec42
#2, Sep 13, 2010, 4:29 AM, TCav, Senior Member (Join Date: Sep 2005, Location: Washington, DC, Metro Area, Maryland, Posts: 13,534)

Do you have the original disks that came with your computer? Often, you can reinstall Windows with these disks without losing any of your data or applications, though you'll need to go online and download the Windows Updates and any drivers for devices that Windows doesn't immediately recognize.
__________________
  • The lens is the thing.
  • 'Full Frame' is the new 'Medium Format'.
  • "One good test is worth a thousand expert opinions." - Tex Johnston, Boeing 707 test pilot.
-- TCav
#3, Sep 13, 2010, 10:12 AM, Senior Member (Join Date: Jun 2002, Posts: 491)

If worse comes to worst, you could always do a Windows "repair". Repair just replaces critical system files yet leaves programs, data & most settings intact (eg, http://www.geekstogo.com/forum/topic...ir-windows-xp/ )
-- sdromel
#4, Sep 13, 2010, 10:48 AM, TCav, Senior Member (Join Date: Sep 2005, Location: Washington, DC, Metro Area, Maryland, Posts: 13,534)

Quote (originally posted by sdromel):
If worse comes to worst, you could always do a Windows "repair". Repair just replaces critical system files yet leaves programs, data & most settings intact (eg, http://www.geekstogo.com/forum/topic...ir-windows-xp/ )
This is exactly what I was going to suggest. It sounds drastic, but it's quite simple and quite effective for dealing with problems like chloec42 is describing. There are two important things a user needs to do, however. You need to make sure you have an up-to-date driver for your ethernet adapter (if you use it to connect to the internet). And once you're done with the repair procedure, you need to go to the Microsoft Update website and start the process of downloading and installing the service packs and other updates your computer will need.
-- TCav
#5, Sep 13, 2010, 11:05 AM, Senior Member (Join Date: Feb 2010, Location: tr, Posts: 224)

If you believe the reason is a virus or something like that, please boot up your computer with a Linux live CD distro. Then go to online scanners like Kaspersky or NOD32 and do a scan. Clean your computer and try to boot up.
Or you can simply try the Dr.Web live CD for this.
Quote:
unable to load NTFS.dll
This can be a file infector and it needs to be replaced.
-- imut
#6, Sep 13, 2010, 3:22 PM, TCav, Senior Member (Join Date: Sep 2005, Location: Washington, DC, Metro Area, Maryland, Posts: 13,534)

If a computer has a virus or other malware, repairing Windows will remove whatever causes the virus to run. Your computer can contain a virus, but if the virus never runs, then it doesn't matter.
-- TCav
#7, Sep 13, 2010, 3:36 PM, Senior Member (Join Date: Feb 2010, Location: tr, Posts: 224)

TCav, the Windows System Restore option is really a good idea, but viruses have the ability to infect that too. If you have a system infected with viruses, especially things like backdoors, anyone who uses that computer should immediately stop doing banking and change their current passwords. After cleaning the computer, users should reset their System Restore points too.

Some of the viruses can be impressive, like bootkits, rootkits and especially Virut. There could be only one option: to format the current OS. Especially with Virut infections this can be a must.

MBAM is a good choice for regular scanning of the computer; I also recommend CureIt from Dr.Web, but that is not all.

Quote:
If a computer has a virus or other malware, repairing Windows will remove whatever causes the virus to run. Your computer can contain a virus, but if the virus never runs, then it doesn't matter.
Repairing is not always a good solution. Some malware can write itself into the MBR of an HDD and you can't detect and erase it easily. There is a lot of security advice to prevent you from being infected with them.

A criminal can be in your house, but if it doesn't harm you, can it stay at your house? Of course not, because viruses are not a single file anymore. There are many types of them.
-- imut
#8, Sep 13, 2010, 4:24 PM, TCav, Senior Member (Join Date: Sep 2005, Location: Washington, DC, Metro Area, Maryland, Posts: 13,534)

Separate issue. Once you get the computer started again (in Windows), you can check the "Run" Registry keys (with "MSConfig", removing anything that shouldn't be there with "RegEdit"), remove any suspect applications in the "Add/Remove Programs" Control Panel, and run a malware scan. You don't need to boot up into Linux to do it.

Last edited by TCav; Sep 13, 2010 at 4:27 PM.
-- TCav
#9, Sep 13, 2010, 4:50 PM, Senior Member (Join Date: Feb 2010, Location: tr, Posts: 224)

Simply, if malware prevents Windows from booting up, there is a way to boot up your computer and run virus scans, even rescue your files from the HDD: that can be achieved by booting with a live CD.

Nearly all famous antivirus software also has a rescue CD for this purpose: scan and clean a system which doesn't boot up with Windows.

Novice users shouldn't be encouraged to use regedit IMO, because it is the main component of the OS and has a lot of configuration in it.

Add/Remove Programs is good for removing a normal installation, but if a virus copies itself into Add/Remove Programs, you must be sure it also copied itself to other parts of your computer, and those files can't be deleted easily.
-- imut
#10, Sep 13, 2010, 6:11 PM, TCav, Senior Member (Join Date: Sep 2005, Location: Washington, DC, Metro Area, Maryland, Posts: 13,534)

Malware doesn't prevent Windows from booting up; failed attempts to remove malware prevent Windows from booting up.

RegEdit isn't a big deal when removing values or data, and anyone that feels uncertain about doing so can accomplish much the same thing by using the options inside MSConfig if they so choose.

In order for a virus to spread, it has to run. If you keep it from running, it can't spread. That's why you reload Windows, clear the Registry of malware references in the "Run" keys, remove any suspect software with the "Add/Remove Programs" control panel, and then scan for malware.
-- TCav
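An added example (my own script, not anything a poster in this thread wrote) that audits the two persistence points this thread turns on: the Winlogon Userinit/Shell values that the MBAM log shows hijacked, and the "Run" keys TCav recommends checking. It assumes PowerShell 2.0 or later in an elevated session once the machine boots again; the function name Test-Component and the expected Shell value of explorer.exe are my assumptions.

```powershell
# Added audit script (not posted by anyone in the thread). Checks the two
# persistence points the MBAM log names, Winlogon Userinit/Shell and the Run
# keys, and flags entries whose target file is gone: the state that yields the
# "loading your personal settings ... saving your settings" logon loop.
# Assumes PowerShell 2.0+ in an elevated session on the affected Windows XP box.
param([string]$SystemRoot = $env:windir)

# Known-good Winlogon values for Windows XP: Userinit as the log's "Good:" field
# states (trailing comma included); Shell = explorer.exe is assumed here.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Expected = @{ Userinit = "$SystemRoot\system32\userinit.exe,"; Shell = 'explorer.exe' }
$RunKeys  = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')

# Take one comma-separated Winlogon component or one Run value, reduce it to
# the executable path, and report whether that file still exists on disk.
function Test-Component([string]$Component) {
    $p = $Component.Trim()
    if ($p -eq '') { return }
    # Keep only the executable: optional opening quote, then up to the extension
    if ($p -match '^"?(.+?\.(exe|com|scr|bat|cmd|dll))') { $p = $matches[1] }
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path "$SystemRoot\system32" $p }
    if (Test-Path -LiteralPath $p) { "    present: $p (verify it is legitimate)" }
    else { "    MISSING: $p (Windows tries to run a file that is gone)" }
}

$wl = Get-ItemProperty -Path $Winlogon
foreach ($name in $Expected.Keys) {
    $value = [string]$wl.$name
    "Winlogon\$name = '$value'"
    if ($value -eq $Expected[$name]) { "    OK"; continue }
    foreach ($c in ($value -split ',')) { Test-Component $c }
    "    expected '$($Expected[$name])'; to restore it:"
    "    Set-ItemProperty -Path '$Winlogon' -Name $name -Value '$($Expected[$name])'"
}

foreach ($rk in $RunKeys) {
    if (-not (Test-Path $rk)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $rk).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath and friends
        "Run: $($prop.Name) = '$($prop.Value)'"
        Test-Component ([string]$prop.Value)
    }
}
```

The script only reports and prints the restore command; it changes nothing, so the printed findings can be compared against the MBAM log before any value is edited.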