Spyware problem



suprafreak6
01-10-2010, 08:22 AM
So another user of the desktop here at home clicked something they shouldn't have when browsing the internet, and so as usual I was going to install a few programs to take them out; however, it wouldn't allow me to boot into safe mode (I figured it was the spyware).

So then I used a SATA to USB converter and connected it to my Mac running Parallels. I used Windows XP to run the programs, Malwarebytes Anti-Malware and then SUPERAntiSpyware Professional. It found stuff after both; I quarantined them and then plugged everything back up.

First boot, I tried to load using safe mode; it would just restart. Second boot, I allowed it to go to Windows XP (normal boot). It would go to a user login screen (however there is no password nor multiple users); I clicked the username and it would say loading, and then it cancelled and says logging off.

I really don't know what to do now.
I know Malwarebytes picked up a Rootkit.Agent but that's about all I know. I am trying the Windows XP repair disk but it's asking for a password for Administrator, when there was no password on the only username on it. Any help would be greatly appreciated. Also, reformatting is not an option as there are some programs that do not allow a second install even with the same serial number.

AdrianPhoto
01-10-2010, 02:26 PM
Post your HJT report
(more info http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html)

anon
01-10-2010, 05:16 PM
If we're dealing with a rootkit, chances are it'll try to conceal itself. Do a search for "Rootkit Unhooker", run it, and post anything suspicious you find in the SSDT tab. If you had a Registry backup, that'd be very nice. You could also boot off a live CD and scan your system from there.

peat moss
01-10-2010, 06:08 PM
I find Trojan Remover helpful, but you have to run it a couple of times and finish in safe mode. Doesn't work for 64-bit. Best thing is it's a free 30-day evaluation.

http://www.simplysup.com/

suprafreak6
01-10-2010, 07:36 PM
Will all this work if I try to do it from my laptop with the HDD connected via USB?

anon
01-10-2010, 07:41 PM
Depending on which live CD you choose, the USB HDD may not be visible, but if you already have Windows installed on your laptop you can scan the drive from there.

suprafreak6
01-10-2010, 07:43 PM
Yeah, I mean do these programs allow for scanning hard drives? CCleaner, for example, does not allow you to search other drives.

anon
01-10-2010, 07:48 PM
Yeah, I mean do these programs allow for scanning hard drives?

I think last time I tried Trojan Remover you could scan USB drives. You won't be able to do anything with Rootkit Unhooker, since it only "scans" the currently running Windows.

suprafreak6
01-10-2010, 08:00 PM
Starting scan using Trojan Remover.

Trojan Remover found nothing! Sorry, peat! What happened is, before, I think when I used the original two programs it deleted things that were infected which were involved in user startup and such. How do I fix this?

Just ran Malwarebytes, found 2 infections. No Rootkit.Agent, just Trojan.Vundo and Trojan.FakeAlert in the System Volume Information folder; they are both .exe's.

And also with HijackThis, it only checks the current Windows, so it won't work via USB.

peat moss
01-10-2010, 10:57 PM
Maybe some help here :

http://www.bleepingcomputer.com/virus-removal/remove-vundo-virtumonde

AdrianPhoto
01-10-2010, 11:11 PM
Okay, this should be easy. You can use ERD Commander to "mount" your current system and do some clean-ups; you can also try the new Hiren's Boot 10.

suprafreak6
01-11-2010, 03:02 AM
What should I use on the CD to fix my problem?

I am downloading Hiren's Boot CD 10.1.

peat, your method probably would have been best had I known about it before I did what I did. Now I can't log into the computer, remember? So I can't use that program with a designated hard disk.

AdrianPhoto
01-11-2010, 08:30 AM
Okay, first of all try some of the cleaning tools in the Anti-Virus section.
After you make sure your drives are clean, use Startup Tools to make sure you disable all the processes you're not sure about.
Now use the "RRT - Remove Restrictions Tool 3.0" to enable some stuff (most important here: SafeBoot).
(For future reference you can use this tool: http://www.shockingsoft.com/soft/EDSafemode.zip)

In case RRT didn't work you can use the Registry editor to import this (http://f.imagehost.org/download/0652/REG)

If none of the above worked for you, you can use any of the DOS tools Hiren's offers and try to create a new user on your system:

net user UserNameYouWant /add
net user UserNameYouWant *

And I'm sorry, that's all I can help with. I'm sure someone will come up with something more helpful.

suprafreak6
01-11-2010, 10:13 AM
Nothing is going according to plan. Now the computer goes into an infinite boot. How would this approach sound:
1. Repartition the computer.
2. Install a fresh copy of XP onto the new partition.
3. Install the program that is needed.
4. Copy all contents from the program on the old partition to the new partition.

Would that work? I figure if I install the program on the new partition all the registry changes and such will have been done; then whatever is inside the program folder is just settings and accounts, correct?

anon
01-11-2010, 03:55 PM
Would that work? I figure if I install the program on the new partition all the registry changes and such will have been done; then whatever is inside the program folder is just settings and accounts, correct?

Normally, if you format the partition and reinstall Windows, nothing, including the rootkit, should remain. But I'm not sure of what you meant with step 4. Copying your files/music/etc. is OK, but pasting the old Program Files over the fresh one will NOT work.

suprafreak6
01-11-2010, 08:26 PM
Okay, normally I don't say OMG, but OMG. I reformatted, but before I did I saved the Program Files folders of the programs I needed. I reformatted, installed the programs with the disc, overwrote the new Program Files with the old... and it worked... I know, I am crying with joy too.

AdrianPhoto
01-11-2010, 09:11 PM
...and it worked...
You mean all the Libs and DLLs and Registry Values and all the ini files weren't needed at all?
Well.. I really don't know what to say! Congratz my friend!

anon
01-11-2010, 09:40 PM
overwrote the new Program Files with the old... and it worked...

You appear to have been successful, but not all programs will run so gracefully when you've just copied and pasted your old Program Files folder over the new one. Also, what if the malware has infected some of the EXEs inside? Did you check that?

suprafreak6
01-11-2010, 11:02 PM
I only needed one program, and now the new partition is infected. How did that happen?! I didn't transfer anything but one thing.

anon
01-11-2010, 11:05 PM
Some core Windows programs and accessories are stored in Program Files. Probably they were infected, you moved those over the new folder, and are now back to square one.

suprafreak6
01-11-2010, 11:16 PM
But at least it's logging in now. So now what should I do? I'm trying the link that peat posted.

And I only copied 2 folders that are not Windows-affiliated.

anon
01-11-2010, 11:19 PM
So now what should I do? I'm trying the link that peat posted.

Finish running Trojan Remover and that Vundo remover first. If the malware remains there you could post a HiJackThis log.

suprafreak6
01-12-2010, 07:26 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:20 PM, on 1/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\nwiz.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Program Files\DAEMON Tools Lite\DTLite.exe
D:\windows\temp\k.exe
d:\windows\system32\soundman .exe
d:\documents and settings\home\local settings\application data\google\update\googleupdate .exe
d:\program files\daemon tools lite\dtlite .exe
d:\program files\internet explorer\wmpscfgs.exe
d:\program files\internet explorer\wmpscfgs.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\msiexec.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [D9Q071WKGS] D:\WINDOWS\TEMP\j.exe
O4 - HKCU\..\Run: [AAK8K3J4FL] d:\windows\temp\k .exe
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4360 bytes

There's my HijackThis log.
Trojan Remover and the Vundo remover found nothing.

I know something is there because I see that k.exe and d.exe.

AdrianPhoto
01-12-2010, 07:54 AM
Well, I bet you still have something wrong.

You have these running and on startup; they just seem so suspicious (I'm 99% sure it's some kind of malware):

D:\WINDOWS\TEMP\j.exe
d:\windows\temp\k .exe
This is not right. It's a trojan but I forgot its name; I'll do further checking for you.

d:\program files\internet explorer\wmpscfgs.exe
Now what you have to do is this:
go to http://www.virustotal.com/
upload and scan the previous files and let us know the results.

And I suggest waiting for anon-sbi; maybe he has another opinion.
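An added example, not code from the thread: a PowerShell function that applies the checks Adrian is making by eye to the O4 lines and the process list of a HijackThis log. The rules are: an executable launched from or running in a TEMP directory, a Run value name that is a random string of capitals and digits, a space before the file extension, and the same program listed twice under two spellings. $SampleLog is constructed from the log posted above. Note that none of these rules flag wmpscfgs.exe, which looks like any other file by name alone; an unfamiliar name still needs a hash lookup or a scan.

```powershell
# Added example (not from the thread): triage a HijackThis log for the patterns
# the replies above point at. $SampleLog is constructed from the thread's own log.
$SampleLog = @'
Running processes:
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\windows\temp\k.exe
d:\windows\system32\soundman .exe
d:\documents and settings\home\local settings\application data\google\update\googleupdate .exe
d:\program files\internet explorer\wmpscfgs.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [D9Q071WKGS] D:\WINDOWS\TEMP\j.exe
O4 - HKCU\..\Run: [AAK8K3J4FL] d:\windows\temp\k .exe
'@

function Get-HjtFindings {
    param([Parameter(Mandatory)][string]$LogText)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Reason, [string]$Item) {
        $findings.Add([pscustomobject]@{ Reason = $Reason; Item = $Item })
    }

    # Collect the "Running processes:" section, then walk the O4 (autorun) lines.
    $processes = @()
    $inProcessList = $false
    foreach ($line in ($LogText -split "`r?`n")) {
        $line = $line.TrimEnd()
        if ($line -eq 'Running processes:') { $inProcessList = $true; continue }
        if ($inProcessList) {
            if ($line -eq '') { $inProcessList = $false } else { $processes += $line }
            continue
        }
        # O4 - <hive>\..\<Run key>: [<value name>] <command line>
        if ($line -match '^O4 - (?<hive>HK\w+)\\\.\.\\(?<key>Run\w*): \[(?<name>[^\]]+)\] (?<cmd>.+)$') {
            # copy the captures: every later -match overwrites $Matches
            $hive = $Matches.hive; $key = $Matches.key; $name = $Matches.name; $cmd = $Matches.cmd
            $entry = "$hive\...\$key [$name] $cmd"
            if ($name -match '^[A-Z0-9]{8,}$' -and $name -match '\d') {
                Add-Finding 'random-looking Run value name' $entry
            }
            if ($cmd -match '(?i)\\temp\\') { Add-Finding 'autorun from a TEMP directory' $entry }
            if ($cmd -match '\s\.\w{3}$')    { Add-Finding 'whitespace before the file extension' $entry }
        }
    }

    foreach ($p in $processes) {
        if ($p -match '(?i)\\temp\\') { Add-Finding 'process running from a TEMP directory' $p }
        if ($p -match '\s\.exe$')     { Add-Finding 'whitespace before the file extension' $p }
    }

    # The same program listed once as "name.exe" and once as "name .exe"
    $processes | Group-Object { ($_ -replace '\s+\.exe$', '.exe').ToLower() } |
        Where-Object { ($_.Group | ForEach-Object { $_.ToLower() } | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object { Add-Finding 'same program listed under two spellings' ($_.Group -join ' | ') }

    return $findings
}

Get-HjtFindings -LogText $SampleLog | Format-Table -AutoSize
```

To run it against a real log, replace $SampleLog with `Get-Content -Raw hijackthis.log`. The function returns objects rather than printing, so the findings can be piped to Export-Csv or compared between two logs taken before and after a cleanup.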

suprafreak6
01-12-2010, 10:07 AM
I cut off internet access for that computer so further stuff does not install from the web to back it up. Will it be okay if I copy and paste them to a flash drive and upload them from another laptop? As long as I don't open it, correct?

AdrianPhoto
01-12-2010, 01:06 PM
I cut off internet access for that computer so further stuff does not install from the web to back it up. Will it be okay if I copy and paste them to a flash drive and upload them from another laptop? As long as I don't open it, correct?
Yeah, sure.

anon
01-12-2010, 05:07 PM
You're right, Adrian. Those j, k and wmpscfgs EXE files are definitely suspicious. I wouldn't even bother to upload them to VirusTotal - directly delete them using the Windows install on your laptop. You could also mount the infected XP's Registry there and remove any related entries. Good luck.

suprafreak6
01-12-2010, 07:19 PM
But I have no idea how I would find out the associated files with them; I really think I'd need something to perform a search.

anon
01-12-2010, 07:32 PM
Yes, plug the infected drive into your laptop like you've done before, and tell Windows to search it. Or you could open it directly from My Computer, go to the directories the EXEs are in, and delete them.

To mount the Registry and find related entries:

1. Go to Start -> Run, type regedit and press ENTER.

2. Highlight HKEY_LOCAL_MACHINE in the left panel.

3. Go to File -> Load subtree, browse to X:\WINDOWS\system32\config (X being your USB drive's letter), and load the file called simply "software".

4. You'll be asked for a name. Enter any and press OK.

5. Go to Edit -> Search, and search for j.exe. Delete any entries that may appear.

6. When done, scroll all the way up to "My Computer" in the left panel, and repeat step 5 for k.exe and wmpscfgs.exe.

7. After you finish, highlight the key with the name you gave in step 4, go to File -> Unload subtree, and press OK in the dialog that will appear.

8. Repeat steps 2 to 7, but choose the file called "system" instead of "software" in step 3.


When finished, close Regedit, and try to boot from the Windows in the USB drive. Hopefully you should no longer be infected.
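The same procedure as a script, as an added example that is not part of anon's post: run it from an elevated PowerShell on the clean laptop with the infected drive attached. The drive letter X:, the quarantine folder C:\Quarantine, the profile name Home (taken from the posted log) and the suspect file names are assumptions; adjust them. Without -Remove it only reports. It also hashes each file found, so it can be looked up on VirusTotal by SHA-256 without copying the file anywhere, and it backs up each hive file before loading it. It searches the Run and RunOnce keys of both the SOFTWARE hive and the user's NTUSER.DAT, since the posted log shows the bad entries under HKCU.

```powershell
# Added example (not from the thread): offline cleanup of the infected XP drive
# from a clean Windows machine. Assumptions: the drive is mounted as X:, this runs
# in an elevated PowerShell, the user profile is "Home" (taken from the posted log).
#Requires -RunAsAdministrator
param(
    [string]$Drive      = 'X:',
    [string]$Quarantine = 'C:\Quarantine',
    [string[]]$Suspects = @('j.exe', 'k.exe', 'wmpscfgs.exe'),
    [switch]$Remove     # without -Remove the script only reports what it would do
)
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
# the log shows names like "k .exe"; match on the stem with trailing whitespace removed
$stems = $Suspects | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_).ToLower() }

# 1. Files: hash every copy (for a VirusTotal lookup by hash), quarantine, then delete.
$hits = Get-ChildItem -LiteralPath "$Drive\" -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $stems -contains $_.BaseName.TrimEnd().ToLower() }
foreach ($f in $hits) {
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Output ("{0}  {1}  {2} bytes" -f $hash, $f.FullName, $f.Length)
    if ($Remove) {
        # keep a copy under a non-executable name so it can still be analysed
        Copy-Item -LiteralPath $f.FullName -Destination (Join-Path $Quarantine "$hash.bin") -ErrorAction Stop
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
    }
}

# 2. Registry: load the offline hives, search the Run/RunOnce keys, remove matching values.
#    The SOFTWARE hive's root is HKLM\SOFTWARE itself; NTUSER.DAT's root is HKCU, so its
#    Run key sits one level down under Software\.
$hives = @(
    @{ Name = 'OfflineSoftware'; File = "$Drive\WINDOWS\system32\config\software";       Prefix = '' },
    @{ Name = 'OfflineUser';     File = "$Drive\Documents and Settings\Home\NTUSER.DAT"; Prefix = 'Software\' }
)
$runSubkeys = 'Microsoft\Windows\CurrentVersion\Run', 'Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($h in $hives) {
    if (-not (Test-Path -LiteralPath $h.File)) { Write-Warning "hive not found: $($h.File)"; continue }
    Copy-Item -LiteralPath $h.File -Destination (Join-Path $Quarantine "$($h.Name).bak") -ErrorAction Stop
    & reg.exe load "HKLM\$($h.Name)" $h.File | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $($h.File); run chkdsk $Drive /F and retry"; continue }
    try {
        foreach ($sub in $runSubkeys) {
            $key = "HKLM:\$($h.Name)\$($h.Prefix)$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            foreach ($prop in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }      # provider metadata, not registry values
                $cmd = ([string]$prop.Value) -replace '\s+\.exe', '.exe'   # normalise "k .exe"
                $matched = $stems | Where-Object { $cmd -match ('(?i)(^|\\)' + [regex]::Escape($_) + '\.exe') }
                if ($matched) {
                    Write-Output ("{0} [{1}] = {2}" -f $key, $prop.Name, $prop.Value)
                    if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $prop.Name -ErrorAction Stop }
                }
            }
        }
    } finally {
        [GC]::Collect()                                   # drop any key handles the provider still holds
        & reg.exe unload "HKLM\$($h.Name)" | Out-Null
    }
}
```

Close regedit before running it: reg.exe cannot unload a hive another process has open. The "could not load" warning is the script's equivalent of the "error while loading hive" message, and the remedy is the same chkdsk X: /F that fixed it later in this thread. Running the hashes through VirusTotal's search instead of uploading the files also avoids carrying a live sample around on a flash drive.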

suprafreak6
01-12-2010, 07:39 PM
http://www.virustotal.com/reanalisis.html?2989b32bc4f5991f8f4ad3686c947b08875b2bce350272583dd3de9fb48379c4-1263324967

http://www.virustotal.com/reanalisis.html?2989b32bc4f5991f8f4ad3686c947b08875b2bce350272583dd3de9fb48379c4-1263325029

http://www.virustotal.com/reanalisis.html?2989b32bc4f5991f8f4ad3686c947b08875b2bce350272583dd3de9fb48379c4-1263325047

There are the three when I uploaded them. Now what?

anon
01-12-2010, 07:43 PM
Do what I wrote above. :happy:

suprafreak6
01-12-2010, 07:46 PM
I don't know how to load Windows off a USB drive =[

anon
01-12-2010, 07:54 PM
You don't need to, just plug the drive to your laptop and follow the procedure from the Windows that's installed on it.

suprafreak6
01-12-2010, 07:58 PM
But when I plug it into my laptop, it will register as an external hard drive, will it not? So you want me to find the files, delete them and then continue with the process you are telling me to do, with the registry? I'm always scared of touching the registry as I've had bad experiences.

anon
01-12-2010, 08:02 PM
But when I plug it into my laptop, it will register as an external hard drive, will it not?

It should appear as another hard drive in My Computer.


So you want me to find the files, delete them and then continue with the process you are telling me to do, with the registry?

Correct.


I'm always scared of touching the registry as I've had bad experiences.

You can always make a backup of the files you're going to edit just in case. :)

suprafreak6
01-12-2010, 08:29 PM
How do I make a backup of the files?

anon
01-12-2010, 08:32 PM
Go to the directory they're located in, "copy" them, and paste them in a different folder.

suprafreak6
01-12-2010, 09:04 PM
It said "error while loading hive"

when I did regedit -> load "software".

anon
01-12-2010, 09:08 PM
It said "error while loading hive"

If there isn't more info I'd suggest running a chkdsk on the USB drive. Go to Start -> Run, and type:

chkdsk X: /F
Where X: is the drive's letter.

suprafreak6
01-12-2010, 09:13 PM
It says the disk is in use and it might work if I dismount, but if I dismount I could lose data or something like that.

Nvm, got it working.

The j.exe and k.exe processes are not running; however, the other one, wmpscfgs.exe, is.

The j.exe and k.exe are still there because HijackThis reported them.

In msconfig, on startup, j.exe and k.exe were selected to start up, but since they were deleted I can uncheck them to start, right?

anon
01-12-2010, 09:40 PM
In msconfig, on startup, j.exe and k.exe were selected to start up, but since they were deleted I can uncheck them to start, right?

Yes, do that, and check if HiJackThis still reports them afterwards.

suprafreak6
01-12-2010, 09:43 PM
What programs would you say are best to put on after I get rid of this?

I cannot get rid of wmpscfgs.exe; it's got two processes running and I deleted them and such.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:42 PM, on 1/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\nwiz.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
d:\windows\system32\soundman .exe
d:\program files\internet explorer\wmpscfgs.exe
d:\program files\internet explorer\wmpscfgs.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [RemoveIT Pro v7Ent] D:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\removeit.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3581 bytes

HijackThis log looks clean,

except for the d:\program files\internet explorer\wmpscfgs.exe.

I just scanned with Malwarebytes Anti-Malware; it pulls up 4 infections.

Trojan.Agent -> wmpscfgs.exe
Trojan.Agent -> wmpscfgs.exe
in two separate folders and categorized as file
Trojan.Agent -> wmpscfgs.exe
categorized as a memory process

Then this is what worries me:
Heuristics.Reserved.Word.Exploit -> rundll32.exe located in D:\Docandsettings\user\rundll32.exe

Should I remove all of them? I am worried rundll32.exe is an important process.

anon
01-12-2010, 09:56 PM
HijackThis log looks clean,

except for the d:\program files\internet explorer\wmpscfgs.exe.

Agreed. Get a copy of Autoruns and use it to remove any entries related to wmpscfgs.exe:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

suprafreak6
01-12-2010, 10:40 PM
Couldn't find anything related to wmpscfgs in the program you gave me.

Malwarebytes couldn't get rid of it, and your Autoruns doesn't have anything I can see named the same.

AdrianPhoto
01-12-2010, 11:05 PM
Okay, here's some stuff to clean up your computer.

Download this (http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356) from Microsoft.
This should be easy, just run it and then "Next.. Next.. Finish".


Download this (http://www.yaman-tools.com/jsite/carackeb/General_Removal.rar?); a friend of mine programmed it.
Also easy: extract it, start it, check "fix registry...", hit Start.


Now finally install some good anti-virus.
I recommend (and actually use) NOD32; you can choose whatever suits you.

suprafreak6
01-13-2010, 12:12 AM
I can't get rid of the wmpscfgs.exe; tried everything I could.

suprafreak6
01-14-2010, 12:58 AM
Anyone? Ideas?

peat moss
01-14-2010, 02:50 AM
I would have formatted and reinstalled days ago..... sorry you can't fix it.

suprafreak6
01-14-2010, 03:10 AM
I did format and reinstall, but I guess it hooked onto the program I copied over.

AdrianPhoto
01-14-2010, 07:16 AM
Do you have an anti-virus?

suprafreak6
01-14-2010, 09:12 AM
Would that get rid of it? And which one would you recommend? I'll give it a whirl.

AdrianPhoto
01-14-2010, 10:55 AM
I'd recommend two anti-virus products I've tried:

NOD32: been using it for 3 months (currently using), LOVING it, fast fast fast.. amazing updates (3 times a day), very happy with it.


Kaspersky: used it for 2 years, no virus entered my computer EVER. On the downside it's a little slow and makes your computer seem a bit slower than usual. Nice updates, intelligent scan. I'd give it 8/10.

anon
01-14-2010, 04:48 PM
I was going to post this yesterday :lol:

Boot from the infected Windows, and try using this to wipe the file after a reboot:
http://killbox.net/

suprafreak6
01-15-2010, 10:11 PM
NOD32 detected nothing =[ I'll try killbox.net now.

suprafreak6
01-16-2010, 06:50 PM
killbox.net didn't work; something else makes a new one itself.

I can't find anything on Google about it.

dadelor
01-17-2010, 06:40 AM
Have you already tried SUPERAntiSpyware (http://www.superantispyware.com/download.html)? If none of them work you could try removing it manually. I found this little free detection program at http://prevx.com (http://prevx.com/) that usually finds all the threats, and I just remove them manually. You can download this program called Unlocker (http://www.filehippo.com/download_unlocker/tech/) that can kill the process and any process attached to it so that it can be deleted.

suprafreak6
01-17-2010, 07:29 AM
That's like everything we tried so far.

camron
01-18-2010, 02:15 PM
The main reason that it's not loading is a corrupt userinit.exe. It's not actually a virus/malware. Sometimes that file really gets corrupt because of a failed initialization of the desktop. Try to copy it from a good working computer. HTH.