Discussion Starter · #1 ·
A little while ago, I toasted my router/firewall and had to connect to the web directly, with just my anti-virus program to stop the nasties. It didn't work.

I got hit with Trojans that disabled the anti-virus software, hijacked and removed critical registry entries, and who knows what else. Plus I was lucky enough to get two viruses that neither McAfee nor Norton had seen.

First, I need to restore missing registry keys throughout the entire registry. Ugh.

I see all these reg. cleaner/fixer programs, but I don't think they will be able to fix anything if it's not there.

My recent backups are corrupt too. The only good one I have is a year old. If I use it, I might as well start from scratch, which I don't want to do.

Does anyone have suggestions on a program or way to restore missing keys?

HijackThis shows no keys at all where there should be many. It does list a few that are missing, but from looking at my other W2K SP4 machine, there are many that are just gone.

Once I get the keys/subkeys restored (if I can), then I'll try one of the reg. cleaners to see if it will do any good. Any thoughts on that?

But first I need to get the registry back to where it at least has all the keys it's supposed to have. (I've already run sfc & fixed the DLLs, and reinstalled the SP & hotfixes. The system is now crashing: blue screen/black screen; sometimes it will boot, sometimes not.)

Thanks,
Bob

Registered · 1,245 Posts
Which "critical registry entries" did you remove?
What was the name of the virus that you removed?

What specific error messages do you receive? What is the STOP error?

The easiest way would be to back up the data and clean install the system. This is the fastest and most reliable way.

Registered · 2,326 Posts
Did you save a backup of the HijackThis scan? Everything you deleted should be there. There could be thousands of keys and subkeys and...? missing from your registry, and you could spend weeks trying to put them all back correctly.

Do yourself a favor, save LOTS of TIME and HAIRPULLING and follow PC_WIZ's advice: "The easiest way would be to back up the data and clean install the system. This is the fastest and most reliable way."

Discussion Starter · #5 ·
Thank you.

I feared that.

A fresh install isn't what I wanted: so many programs to reinstall, and all the default settings to change back to what I am using.

It will probably take me close to a week to do that.

I may have misled.

It was the Trojans that got in and took out the reg. files, as they stopped my anti-virus, crashed the system, and tried to escape the Java temp files I was lucky enough to hold them in before they could do more damage.

The two viruses I got that weren't in McAfee, CompAssociates, or Norton: Trend Micro picked them up, but I don't remember the names of the Trojans or viruses. But they weren't the ones currently going around.

The stop errors: both blue screen & black screen, while running and during boot, all varied. After a while I got tired of writing everything down. I did have it set to dump to a log, but I don't know what happened to that.

The last error that stopped Windows from finishing its load was when it should have displayed the desktop. That happened about an hour ago. It was "missing ordinal 175. Not in dll library, userenv.dll."

I noticed at the top of that one that it referred to userinit.exe

For that, since I couldn't get into W2K, I used the recovery program, expanded the DLL off the CD back into the Sys32 folder (hoped that was the right one), rebooted, and was back in business to do the sfc and remove/reinstall the SPs.

HijackThis won't help on a restore, since it has nothing in the log that it took out, except some hijack (lop) stuff from a long time ago. And I certainly don't want to restore that.

Nor do Ad-Aware or Spybot S&D have anything recent, either.

HijackThis does list about five or so keys and what they should be if gone. I'm going to add those back in. :( But like it's been said, there could be 1000s of entries that are blasted, and I imagine there are.

The only logs I could restore would be where I've cleaned out the MRUs, but I don't see that doing any good---they're just MRUs. Cleaning them returns the reg entries that held them to the default level.

It was strange. As soon as I toasted my router and the firewall went down, I got blasted immediately with at least 7 Trojan attempts, and over the next couple of days many more, plus the two unknown viruses. I felt like I was a target.

I released and renewed my IP address. Since then, I haven't had any more hits. Maybe I was a target?

I just took off SP4 & hotfixes, reverted back to SP3, ran sfc, and reinstalled SP4 & hotfixes. Now I'm going to reinstall IE. Maybe that will help some until I round up all my programs, getting prepared for the clean install of W2K.

I guess a week of setting up all my programs again is better than the hours searching the registry for missing entries. I was just hoping there might be a piece of software that would help.

There is a KB on that, with software from MS. But somewhere I read that MS no longer recommends using it. At this point, I guess I could try it. There's really nothing to lose as long as it only affects my boot & sys/reg entries?

I just don't want to end up with cross-linked files across my HDD.

I haven't checked the last URL that was given to take a look at. I'm going to do that now.

(Any general opinions on reg. cleaners? I've never used one; I've just taken out the orphaned files and restored entries to a default level myself.)

I'm glad for all the help :) but sure don't like the answer. :(

Bob

Discussion Starter · #6 ·
MOBO, thanks for the ref.
That is the file I had found, which I heard MS is now discouraging the use of.

I guess there's nothing left to do, if I want to get it right, but start again.

Registered · 34 Posts
Hi Bob,
You have gotten advice from others that will probably be the best course. I have two cents' worth of history.
I have Win2K SP4 with a cable modem. A few years ago, when I had NT 4, SP5 or 6, and a modem, I got a virus I could not shake. Got it off a college IT dept. website (if you can imagine that).
It was the kilmonk virus. I had to shut down my machine, crack it open, move jumpers on the mobo, reboot, and run this removal prog I got off the www. Then I shut down again, put the jumpers back where they were, and rebooted. Fixed it. Like I said, two cents.
Tom

Discussion Starter · #9 ·
Thanks Tom.

It may be that way here.

On my very first PC, with my very first CD, I put it in and ran it and got the Friday the 13th/Michelangelo virus. This CD came from a magazine that was distributed nationally to financial institutions!

I know that with one of the Trojans I had (or maybe still have), I had a heck of a time getting it off.

Every time I thought I had caught it, it would self-replicate under a new name as soon as a delete started.

Now I think I got everything, but you never can be absolutely certain.

I thought to pull the battery, in case something is lurking where there is power after shut-down. I assume that would be in the BIOS?

I just checked HijackThis again and many of the reg. entries that were missing are back! So removing all hotfixes, returning to SP3, running sfc, then going back to SP4 seems to have done some good. Yay!

But I know that I'm going to have to do a new install and probably a low-level format of the HDDs. Then hope that my backup program data, such as in Office, doesn't have anything going on, or if it does, that one of my anti-virus programs will pick it up.

Oh, I helped with the development of Norton Anti-Virus. The room we were in was one that, once you took any storage media in, of any kind, it didn't come out. Actually, that went for the hardware too.

I understand how things can, unless kept locked down, get out, even if it is thought everything is clean. It doesn't surprise me that some dumb-genius (I was going to say ingenious) person could get kicks from infecting a classroom or an entire network.

I appreciate your $1.00's worth.

Thanks,
Bob