No HKLM or HKCU in front of SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Microsoft Windows



Thread: No HKLM or HKCU in front of SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  1. No HKLM or HKCU in front of SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Hi there all,
    I am having another major problem. On Sunday, May 8, 2005, I received a
    porn pop-up. Norton's virus alert had popped up about 20 times, but I
    wasn't paying attention to the specific virus because it said that
    the virus was automatically deleted. So I just kept on clicking OK
    until the virus alert window went away. About 10 minutes later my
    computer just started auto-generating emails. I knew this when Norton's
    had started popping up an email proxy scan. I tried reading what the
    Norton scan pop-ups were saying but I couldn't read them fast enough
    before one scanner window opened after another. In addition,
    moving the Norton's email scanner pop-up window off to the side didn't
    allow me to read them fast enough either. This was because even if I
    moved the window to the very bottom, the next email proxy window would
    overlay the previous window that I had just moved. Though I did catch
    a glimpse of a couple of them saying something like "soandso@yahoo.com
    was not sent because the internet was interrupted.", or
    "soandso@yahoo.com was not sent because that name doesn't exist
    anymore.".

    Anywho, I gave up clicking OK and I did a force reboot, by holding
    the Alt+Del+Ctrl keys down, and went to Shutdown -> Reboot. And you know
    what? That was the worst thing I could ever do!!!! After rebooting, my
    desktop was replaced; it appeared to look like an Internet Explorer
    browser without the menu bar, caption bar, and the address bar, which
    was overlaying my desktop background image theme, but I could still see
    my icons and there was an ad in the middle of the desktop. I could tell
    that my desktop was being used as an Internet Explorer browser because
    when I right-clicked on the desktop, thinking at first that my desktop
    theme was changed to a different image, I didn't get the default
    right-click desktop submenu. Instead I got the default IE browser submenu.
    Though I clicked on Properties anyways, and in the property dialog box
    it said that the file was called c:\windows\web\desktop.htm. In
    addition to this, the damn email thingy started popping up again, and
    it was popping up faster than when it first happened. So I rebooted
    again but this time I started in safe mode and immediately ran a Norton
    scan. When Norton was finished it had found 9 viruses. These 9 virus
    names were as follows....

    3 Downloader.trojan
    1 Downloader.Psyme
    2 Backdoor.Jeem
    3 Download.trojan

    ... 8 of these files were *.exe files, and one HTML file. 3 of these
    infected *.exe files were Windows Media Player, winos.exe, and
    web.exe, and the HTML file was desktop.htm, which was the same file that
    said it was being used as my desktop. So thinking that the system was
    cleaned, and because Norton did not have any of these files marked that
    they couldn't be deleted, I rebooted the computer to normal state.
    AHHHH!!!!!!!!!!!!!! HOLY CRAP, you NO GOOD DAMN PIECE OF you know what
    of a Norton AV detector you are; the damn infection is still
    here!!!!!!!!!!!!!!!!!!!!!!! So back to rebooting in safe mode; I said
    the heck with it and I just started going "hog wild" deleting files and
    disabled everything in the startup except for Norton AntiVirus, and
    rebooted. After rebooting, the system seemed pretty stable and I was
    able to start removing the startup keys that were infected by opening
    regedit, and following the locations that msconfig says they're
    located in. However, as I was working down the list in msconfig, I
    noticed that a bunch of the startups have no HKLM or HKCU in front of
    \software\windows\CurrentVersion\Run\. Meaning here is what the
    winos.exe startup says in the msconfig startup tab...

    Startup Item: winos.exe, Command: C:\Windows\winos.exe, Location:
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    .... so which root key is this startup key located at? I have opened
    every root key, meaning HKLM, HKCU, HKEY_CLASSES_ROOT, HKEY_USERS, as
    well as HKEY_CURRENT_CONFIG, but none of these root keys had this startup
    key. Also, after deleting desktop.html, this too didn't resolve much
    considering that my desktop is still running like an IE browser, but
    yet nothing is loaded because I have deleted the file. So it seems
    that I only did half of the cleanup that is necessary to resolve this
    issue, and this is where I am left at. So how can I find where these
    \SOFTWARE\Microsoft\Windows\CurrentVersion\Run keys are located so that
    I can delete them as well as getting my desktop back?
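
    The question of which root key a hive-less msconfig "Location" belongs to can be settled by listing the Run keys under every hive at once, including other accounts' hives under HKEY_USERS. The PowerShell below is an added example (not code from anyone in this thread); it assumes a Windows build that ships PowerShell, and the "worth a closer look" patterns (a binary sitting directly in C:\Windows, as winos.exe does in the post, or under a Temp folder) are heuristics chosen for this example, not anything the thread asserts.

```powershell
# Added example, not from this thread: list every Run/RunOnce autostart value
# under HKLM, HKCU and each loaded user hive under HKEY_USERS, so an msconfig
# "Location" shown without a hive prefix can be matched to its real key.
# Read-only: it reports and deletes nothing.

$subKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',     # 64-bit hosts only
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Other accounts' HKCU lives under HKEY_USERS\<SID>; skip our own SID (that is
# HKCU already) and the *_Classes hives, which never hold Run keys.
$mySid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$userHives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -ne $mySid -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { 'Registry::HKEY_USERS\' + $_.PSChildName }
$roots = @('HKLM:', 'HKCU:') + @($userHives)

$results = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $path = "$root\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Hive    = $root -replace '^Registry::', '' -replace ':$', ''
                Key     = $sub
                Name    = $(if ($name) { $name } else { '(Default)' })
                Command = $key.GetValue($name)
            }
        }
    }
}

# Heuristic chosen for this example: flag commands whose binary sits directly
# in the Windows folder (like C:\Windows\winos.exe in the post) or under a
# Temp directory. These are hints for a closer look, not verdicts.
$suspicious = $results | Where-Object {
    $_.Command -match '^"?[A-Za-z]:\\Windows\\[^\\]+\.exe' -or
    $_.Command -match '\\Temp\\'
}

$results | Sort-Object Hive, Key, Name | Format-Table -AutoSize
if ($suspicious) {
    "`nEntries worth a closer look (binary in an unusual location):"
    $suspicious | Format-Table Hive, Name, Command -AutoSize
}
```

    Run it from an elevated prompt so the other users' hives are readable; an entry that appears under HKEY_USERS\<SID> but not under HKCU was written for a different account than the one you are logged in as.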


  2. Re: No HKLM or HKCU in front of SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    roofy wrote:
    [tale of woe starting with a drive-by download]

    Here's what you do. Safe mode and back up all your important data. Wipe
    and reinstall -- physically disconnect your network connection, format
    c:, reinstall windows, turn on machine, turn on windows firewall,
    reboot, connect network, and then go directly to winblows update, do not
    pass go, do not collect $200 worth of viruses and spyware. Followed by
    mozilla.org for your free copy of Firefox, followed by avg and spybot
    s&d and ad-aware (google these once you have firefox running). Do not
    reinstall Norton; it is a piece of ****. Do not use IE ever again for
    anything except Windows Update. Get a personal firewall that isn't from
    M$ (Sygate's seems good), physically disconnect your network connection,
    turn off the M$ WinXP firewall, reboot, install Sygate (or whatever),
    reboot. Now start reloading your other software and your backups, while
    avg keeps a watchful eye. (You may wish to use f-prot instead and
    manually scan everything before installing it. F-prot isn't resident.)

    --
    http://www.gnu.org/philosophy/right-to-read.html
    Palladium? Trusted Computing? DRM? Microsoft? Sauron.
    "One ring to rule them all, one ring to find them
    One ring to bring them all, and in the darkness bind them."


  3. Re: No HKLM or HKCU in front of SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    Twisted One wrote:
    > roofy wrote:
    > [tale of woe starting with a drive-by download]
    >
    > Here's what you do. Safe mode and back up all your important data. Wipe
    > and reinstall -- physically disconnect your network connection, format
    > c:, reinstall windows, turn on machine, turn on windows firewall,
    > reboot, connect network, and then go directly to winblows update, do not
    > pass go, do not collect $200 worth of viruses and spyware. Followed by
    > mozilla.org for your free copy of Firefox, followed by avg and spybot
    > s&d and ad-aware (google these once you have firefox running). Do not
    > reinstall Norton; it is a piece of ****. Do not use IE ever again for
    > anything except Windows Update. Get a personal firewall that isn't from
    > M$ (Sygate's seems good), physically disconnect your network connection,
    > turn off the M$ WinXP firewall, reboot, install Sygate (or whatever),
    > reboot. Now start reloading your other software and your backups, while
    > avg keeps a watchful eye. (You may wish to use f-prot instead and
    > manually scan everything before installing it. F-prot isn't resident.)
    >
    > --
    > http://www.gnu.org/philosophy/right-to-read.html
    > Palladium? Trusted Computing? DRM? Microsoft? Sauron.
    > "One ring to rule them all, one ring to find them
    > One ring to bring them all, and in the darkness bind them."


    I must be computer illiterate because I just had to do a system recovery
    2 weeks ago. It was the first time I ever had to do so with this
    computer, and yeah, I didn't reinstall SP2 this time, but I don't think
    my system can handle all of this blocking crap while running Maya or
    Macromedia Director etc. etc... In addition, the pain-in-the-neck thing
    is I am going back to school in the fall and I am definitely going to
    need Comcast considering that my major will be computer graphic game
    design. Meaning I am too impatient for dial-up and to keep on dialing
    out every time because a homework assignment is to do research on the
    internet; it takes too long with dial-up. Do you have any suggestions
    on books referring to understanding Windows and keeping it secure with
    Comcast cable internet?


  4. Re: No HKLM or HKCU in front of SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    roofy wrote:
    > Do you have any suggestions
    > on books referring to understanding Windows and keeping it secure with
    > Comcast cable internet?


    Yes -- don't waste your money on a book.

    * If your ISP supplies one, a NAT router is very good protection from
    straightforward hacking.
    * Use a personal firewall, such as Sygate. There are several other good,
    free ones too. ZoneAlarm and XP don't get along in my experience,
    however. The other firewalls I often see recommended are Kerio and
    Tiny personal firewall. These can detect and stop spyware/trojans'
    outbound traffic, spamming, DoS, or opening ports, as well as halt
    inbound exploits. A NAT router can halt inbound exploits and stop
    malware opening ports, but that's about it. Combine the two for
    maximum effect!
    * Don't use commercial antivirus products like Norton or McAfee; instead
    use free (maybe quasi-commercial) ones like avg and f-prot personal
    editions. Scan all new downloaded programs or installers.
    * Don't use Outlook. Don't use IE for anything except Windows Update. Do
    update security related items regularly there. Thunderbird and Firefox
    are my recommendations for general purpose web surfing and email and
    that.
    * Periodically run your AV scanning everything. Also get both Ad-aware
    and Spybot Search and Destroy, personal edition, and scan with those
    regularly and immediately after installing any new software and if any
    untoward event occurs that smells like spyware.

    --
    http://www.gnu.org/philosophy/right-to-read.html
    Palladium? Trusted Computing? DRM? Microsoft? Sauron.
    "One ring to rule them all, one ring to find them
    One ring to bring them all, and in the darkness bind them."

