Yes, do that, and check if HiJackThis still reports them afterwards.
What programs would you say are best to put on after I get rid of this?
I cannot get rid of wmpscfgs.exe; it's got two processes running, and I deleted them and such.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:42 PM, on 1/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\nwiz.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
d:\windows\system32\soundman .exe
d:\program files\internet explorer\wmpscfgs.exe
d:\program files\internet explorer\wmpscfgs.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [RemoveIT Pro v7Ent] D:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\removeit.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
--
End of file - 3581 bytes
HijackThis log looks clean,
except for the d:\program files\internet explorer\wmpscfgs.exe
I just scanned with Malwarebytes Anti-Malware; it pulls up 4 infections.
trojan.agent -> wmpscfgs.exe
trojan.agent -> wmpscfgs.exe
in two separate folders and categorized as file
trojan.agent -> wmpscfgs.exe
categorized as a memory process
Then this is what worries me:
heuristics.reserved.word.exploit -> rundll32.exe located in D:\Docandsettings\user\rundll32.exe
Should I remove all of them? I am worried rundll32.exe is an important process.
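As an added illustration, not part of any post in this thread: a small Python triage check over the findings discussed above. It flags a process that runs from outside the Windows directory with no matching O4/O23 autostart entry in the HijackThis log, and a core Windows binary name (such as rundll32.exe) sitting outside its normal folder. The function names and the table of expected folders are assumptions made for this example.

```python
import ntpath
import re

# Shortened excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
d:\program files\internet explorer\wmpscfgs.exe
d:\program files\internet explorer\wmpscfgs.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed lookup table for this example: folder (relative to the Windows
# directory) where each core binary normally lives; "" means the directory itself.
SYSTEM_HOMES = {"rundll32.exe": "system32", "svchost.exe": "system32",
                "lsass.exe": "system32", "winlogon.exe": "system32",
                "services.exe": "system32", "explorer.exe": ""}

def misplaced_system_binary(path, windir):
    """True if a core Windows binary name is used outside its normal folder."""
    path = path.lower()
    name = ntpath.basename(path)
    if name not in SYSTEM_HOMES:
        return False
    expected = ntpath.join(windir.lower(), SYSTEM_HOMES[name]).rstrip("\\")
    return ntpath.dirname(path) != expected

def orphan_processes(log, windir):
    """Processes outside the Windows directory that no O4/O23 entry names."""
    lines = [l.strip().lower() for l in log.splitlines() if l.strip()]
    autostart = " ".join(l for l in lines if re.match(r"o(4|23) - ", l))
    found = []
    for l in lines:
        if not re.match(r"[a-z]:\\", l):
            continue  # header or O-entry, not a process path
        name = ntpath.basename(l)
        if l.startswith(windir.lower() + "\\") or name == "hijackthis.exe":
            continue  # OS folder is covered by the other check; skip the scanner
        if name not in autostart and l not in found:
            found.append(l)
    return found

if __name__ == "__main__":
    print(orphan_processes(SAMPLE_LOG, r"D:\WINDOWS"))
    print(misplaced_system_binary(r"D:\Docandsettings\user\rundll32.exe", r"D:\WINDOWS"))
```

An orphan result only says the launcher is not among the entries HijackThis lists; it is a lead for further inspection, not a verdict on the file.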
Agreed. Get a copy of Autoruns and use it to remove any entries related to wmpscfgs.exe:
http://technet.microsoft.com/en-us/s.../bb963902.aspx
Couldn't find anything related to wmpscfgs on the program you gave me.
Malwarebytes couldn't get rid of it, and your Autoruns doesn't have anything I can see named the same.
Okay, here's some stuff to clean up your computer
Download this (http://www.microsoft.com/downloads/d...3-75B8EB148356) from microsoft
This should be easy, just run and then "Next.. Next.. Finish"
Download this (http://www.yaman-tools.com/jsite/car...l_Removal.rar?); a friend of mine programmed it
also easy, extract it, start it, check "fix registry...", hit Start.
Now finally install some good Anti-Virus
I recommend (and actually use) Nod32, you can choose whatever suits you.
I can't get rid of the wmpscfgs.exe; tried everything I could.
Anyone? Ideas?
I would have formatted and reinstalled days ago ... sorry you can't fix it.
I did format and reinstall, but I guess it hooked onto the program I copied over.
Do you have an anti-virus?
Would that get rid of it? And which one would you recommend? I'll give it a whirl.
I'd recommend 2 Anti-Virus I tried
Nod32: been using for 3 months (currently using) LOVING it, fast fast fast.. amazing updates (3 times a day), very happy with it.
Kaspersky: Used it for 2 years, no virus entered my computer EVER, on downside is it's a little slow and makes your computer seem to be a bit slower than usual, nice updates.. intelligent scan, I'd give it 8/10
I was going to post this yesterday :lol:
Boot from the infected Windows, and try using this to wipe the file after a reboot:
http://killbox.net/
Nod32 detected nothing =[ I'll try killbox.net now.
killbox.net didn't work; something else makes a new one itself.
I can't find anything on Google about it.
Have you already tried SuperAntiSpyware? If none of them work, you could try removing it manually. I found this little free detection program at http://prevx.com; it usually finds all the threats and I just remove them manually. You can download this program called Unlocker that can kill the process and any process attached to it so that it can be deleted.
That's like everything we tried so far.
The main reason that it's not loading is a corrupt userinit.exe. It's not actually a virus/malware. Sometimes that file really gets corrupt coz of failed initialization of the desktop. Try to copy it from a good working computer. hth.