Spyware problem

[anon]

in msconfig, on startup j.exe and k.exe were selected to start up, but since they were deleted i can uncheck them to start right?

Yes, do that, and check if HiJackThis still reports them afterwards.

[suprafreak6]

what programs would you say are best to put on after i get rid of this?

i cannot get rid of wmpscfgs.exe its got two processes running and i deleted them and such

i cannot get rid of wmpscfgs.exe its got two processes running and i deleted them and such

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:42 PM, on 1/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\nwiz.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
d:\windows\system32\soundman .exe
d:\program files\internet explorer\wmpscfgs.exe
d:\program files\internet explorer\wmpscfgs.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [RemoveIT Pro v7Ent] D:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\removeit.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3581 bytes

hijackthis log looks clean

except for the d:\program files\internet explorer\wmpscfgs.exe

i just scanned with marwarebytes antimalware, it pulls up 4 infections.

trojan.agent -> wmpscfgs.exe
trojan.agent -> wmpscfgs.exe
in two separate folders and categorized as file
trojan.agent -> wmpscfgs.exe
catagorized as a memory process

then this is what worries me,
heuristics.reserved.word.exploit -> rundll32.exe located in D:\Docandsettings\user\rundll32.exe

should i remove all of them, i am worried rundll32.exe is an important process

[anon]

hijackthis log looks clean

except for the d:\program files\internet explorer\wmpscfgs.exe

Agreed. Get a copy of Autoruns and use it to remove any entries related to wmpscfgs.exe:
http://technet.microsoft.com/en-us/s.../bb963902.aspx

[suprafreak6]

couldnt find anything related to wmpscfgs on the program you gave me.

malwarebytes couldnt get rid of it, and your autoruns doesnt have anything i can see named the same

[AdrianPhoto]

Okay, here's some stuff to clean up your computer

Download this (http://www.microsoft.com/downloads/d...3-75B8EB148356) from microsoft
This should be easy, just run and then "Next.. Next.. Finish"


Download this(http://www.yaman-tools.com/jsite/car...l_Removal.rar?) a friend of mine programed it
also easy, extract it, start it, check "fix registry...", hit Start.


Now finally install some good Anti-Virus
I recommend (and actually use) Nod32, you can choose whatever suits you.

[suprafreak6]

i cant get rid of the wmpscfgs.exe tried everything i could

[suprafreak6]

anyone? ideas?

[peat moss]

I would of formatted and reinstalled days ago ..... sorry you can't fix it .

[suprafreak6]

i did format and reinstall but i guess it hooked onto the program i copied over

[AdrianPhoto]

do you have an anti-virus?