
Thread: Spyware problem

  1. #21
    suprafreak6:
    But at least it's logging in now. So now what should I do? I'm trying the link that peat posted.

    And I only copied 2 folders that are not Windows-affiliated.
    Last edited by suprafreak6; 01-11-2010 at 11:16 PM. Reason: Automerged Doublepost

  2. Software & Hardware   -   #22
    Quote Originally Posted by suprafreak6:
    So now what should I do? I'm trying the link that peat posted.
    Finish running Trojan Remover and that Vundo remover first. If the malware remains there, you could post a HijackThis log.
    "I just remembered something that happened a long time ago."

  3. Software & Hardware   -   #23
    suprafreak6:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:12:20 PM, on 1/11/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\system32\nwiz.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\system32\ctfmon.exe
    D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\Program Files\DAEMON Tools Lite\DTLite.exe
    D:\windows\temp\k.exe
    d:\windows\system32\soundman .exe
    d:\documents and settings\home\local settings\application data\google\update\googleupdate .exe
    d:\program files\daemon tools lite\dtlite .exe
    d:\program files\internet explorer\wmpscfgs.exe
    d:\program files\internet explorer\wmpscfgs.exe
    D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\WINDOWS\system32\msiexec.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [D9Q071WKGS] D:\WINDOWS\TEMP\j.exe
    O4 - HKCU\..\Run: [AAK8K3J4FL] d:\windows\temp\k .exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4360 bytes

    There's my HijackThis log.
    Trojan Remover and Vundo remover found nothing.

    I know something is there 'cause I see that k.exe and d.exe.
    Last edited by suprafreak6; 01-12-2010 at 07:26 AM.

  4. Software & Hardware   -   #24
    AdrianPhoto:
    Well, I bet you still have something wrong.

    You have these running and on startup; they just seem so suspicious (I'm 99% sure it's some kind of malware):
    Code:
    D:\WINDOWS\TEMP\j.exe
    d:\windows\temp\k .exe
    This is not right; it's a trojan, but I forgot its name. I'll do further checking for you.
    Code:
    d:\program files\internet explorer\wmpscfgs.exe
    Now what you have to do is this:
    go to http://www.virustotal.com/
    upload and scan the previous files and let us know the results.

    And I suggest waiting for anon-sbi; maybe he has another opinion.
    Last edited by AdrianPhoto; 01-12-2010 at 07:56 AM.

    I LOVE Canada
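The indicators AdrianPhoto picked out by eye (autoruns in TEMP, run-key names that look generated, "soundman .exe" with a space next to SOUNDMAN.EXE, a stray executable in the Internet Explorer folder) can be checked mechanically. The PowerShell below is an added example, not code from anyone in this thread; the log text is a constructed excerpt of the HijackThis log posted in #23, and the function name and rules are the example's own. It needs PowerShell 3 or later and reads the log as text, so it can run on any machine.

```powershell
# Added example (not from the thread): heuristic triage of a HijackThis log.
# Constructed excerpt of the log in post #23; paste a full log here in practice.
$hjtLog = @'
Running processes:
D:\WINDOWS\system32\nwiz.exe
D:\Program Files\DAEMON Tools Lite\DTLite.exe
D:\windows\temp\k.exe
d:\windows\system32\soundman .exe
d:\program files\daemon tools lite\dtlite .exe
d:\program files\internet explorer\wmpscfgs.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [D9Q071WKGS] D:\WINDOWS\TEMP\j.exe
O4 - HKCU\..\Run: [AAK8K3J4FL] d:\windows\temp\k .exe
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
'@

function Get-HjtFindings {
    param([Parameter(Mandatory)][string]$LogText)
    $findings = @()
    foreach ($line in ($LogText -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^O4 - (?<hive>.+?)\\\.\.\\(?<key>\w+): \[(?<name>[^\]]*)\] (?<cmd>.+)$') {
            $kind = 'autorun'; $runKey = $Matches.key; $name = $Matches.name; $cmd = $Matches.cmd
        } elseif ($t -match '^[A-Za-z]:\\') {
            $kind = 'process'; $runKey = ''; $name = ''; $cmd = $t   # "Running processes" lines are bare paths
        } else { continue }

        $reasons = @()
        # Installers do use RunOnce from TEMP; a persistent Run entry or a live process there is a lead.
        if ($cmd -match '\\(windows\\)?temp\\' -and ($kind -eq 'process' -or $runKey -eq 'Run')) {
            $reasons += 'runs from a temp directory'
        }
        # Run-key names that are random upper-case alphanumerics (D9Q071WKGS, AAK8K3J4FL in the log).
        if ($name -cmatch '^[A-Z0-9]{8,}$' -and $name -match '\d') { $reasons += 'run-key name looks generated' }
        # "soundman .exe" beside SOUNDMAN.EXE: the original binary was renamed with a space and
        # something else now answers to its name, so the file WITHOUT the space is what to inspect.
        if ($cmd -match ' \.exe\b') { $reasons += ('space before .exe; inspect ' + ($cmd -replace ' \.exe', '.exe')) }
        # Crude allow-list: IE's own binaries in that folder are named ie*.exe; anything else gets hashed.
        if ($cmd -match '\\internet explorer\\(?!ie)[^\\]+\.exe') { $reasons += 'unexpected binary in the Internet Explorer folder' }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{ Kind = $kind; Name = $name; Command = $cmd; Reasons = ($reasons -join '; ') }
        }
    }
    return $findings
}

# Usage: prints the six leads in the excerpt (k.exe, the two " .exe" processes, wmpscfgs.exe, j.exe, k .exe).
Get-HjtFindings -LogText $hjtLog | Format-Table -AutoSize -Wrap
```

These are leads, not verdicts: take the SHA-256 of each flagged file and of every "companion" file named in an "inspect" reason (SOUNDMAN.EXE, DTLite.exe and, in the full log, GoogleUpdate.exe) and look the hashes up before deciding what is malware and what is a renamed original.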

  5. Software & Hardware   -   #25
    suprafreak6:
    I cut off internet access for that computer so further stuff does not install from the web. To back it up, will it be okay if I copy and paste them to a flash drive and upload them from another laptop? As long as I don't open it, correct?

  6. Software & Hardware   -   #26
    AdrianPhoto:
    Quote Originally Posted by suprafreak6:
    I cut off internet access for that computer so further stuff does not install from the web. To back it up, will it be okay if I copy and paste them to a flash drive and upload them from another laptop? As long as I don't open it, correct?
    Yeah, sure.

    I LOVE Canada

  7. Software & Hardware   -   #27
    You're right, Adrian. Those j, k and wmpscfgs EXE files are definitely suspicious. I wouldn't even bother to upload them to VirusTotal - directly delete them using the Windows install on your laptop. You could also mount the infected XP's Registry there and remove any related entries. Good luck.
    "I just remembered something that happened a long time ago."

  8. Software & Hardware   -   #28
    suprafreak6:
    But I have no idea how I would find out the associated files with them. I really think I'd need something to perform a search.

  9. Software & Hardware   -   #29
    Yes, plug the infected drive into your laptop like you've done before, and tell Windows to search it. Or you could open it directly from My Computer, go to the directories the EXEs are in, and delete them.

    To mount the Registry and find related entries:
    1. Go to Start -> Run, type regedit and press ENTER.
    2. Highlight HKEY_LOCAL_MACHINE in the left panel.
    3. Go to File -> Load subtree, browse to X:\WINDOWS\system32\config (X being your USB drive's letter), and load the file called simply "software".
    4. You'll be asked for a name. Enter any and press OK.
    5. Go to Edit -> Search, and search for j.exe. Delete any entries that may appear.
    6. When done, scroll all the way up to "My Computer" in the left panel, and repeat step 5 for k.exe and wmpscfgs.exe.
    7. After you finish, highlight the key with the name you gave in step 4, go to File -> Unload subtree, and press OK in the dialog that will appear.
    8. Repeat steps 2 to 7, but choose the file called "system" instead of "software" in step 3.

    When finished, close Regedit, and try to boot from the Windows on the USB drive. Hopefully you should no longer be infected.
    "I just remembered something that happened a long time ago."
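The file deletion from #27 and the offline-hive search from #29 can be scripted from the clean laptop so nothing on the infected disk is executed. The PowerShell below is an added example, not anon-sbi's procedure or anything else from the thread. It assumes PowerShell 3 or later run as Administrator on the clean machine, the infected XP disk attached as drive X:, the profile name "Home" taken from the paths in the log, and the file names the thread identified (j.exe, k.exe, "k .exe", wmpscfgs.exe). Two things it does that the manual steps do not: it quarantines the files under their SHA-256 instead of deleting them, so the hash can be searched on VirusTotal without carrying the binary around on a flash drive, and it also loads the user's NTUSER.DAT, because the HKCU Run entries in the log live there rather than in the SOFTWARE hive.

```powershell
# Added example, not from the thread: offline clean-up of an XP disk attached as X: to a clean
# machine. Assumes PowerShell 3+, an elevated session, and the paths named in the thread.
param(
    [string]$Drive      = 'X:',
    [string]$Quarantine = 'C:\quarantine',
    [switch]$Delete                       # without -Delete, registry hits are only reported
)
$names    = @('j.exe', 'k.exe', 'wmpscfgs.exe')
$suspects = @(
    "$Drive\WINDOWS\TEMP\j.exe",
    "$Drive\WINDOWS\TEMP\k.exe",
    "$Drive\WINDOWS\TEMP\k .exe",
    "$Drive\Program Files\Internet Explorer\wmpscfgs.exe"
)
# HKLM entries are in SOFTWARE/SYSTEM; the HKCU Run entries from the log are in the user's NTUSER.DAT.
$hives = [ordered]@{
    software = "$Drive\WINDOWS\system32\config\software"
    system   = "$Drive\WINDOWS\system32\config\system"
    ntuser   = "$Drive\Documents and Settings\Home\NTUSER.DAT"
}

# 1. Quarantine rather than delete: a hash-named .bin cannot be double-clicked by accident and
#    the SHA-256 is what you search for on VirusTotal.
New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($path in $suspects) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $bytes = [System.IO.File]::ReadAllBytes($path)
    $hash  = ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
    $dest  = Join-Path $Quarantine "$hash.bin"
    Move-Item -LiteralPath $path -Destination $dest -Force
    "quarantined {0} -> {1}" -f $path, $dest
}

# 2. A value is suspect if, after collapsing "k .exe" to "k.exe", it names one of the files
#    either bare or as the last path component.
function Test-SuspectValue([string]$Text) {
    $norm = $Text -replace '\s+\.exe', '.exe'
    foreach ($n in $names) {
        if ($norm -match ('(^|\\)' + [regex]::Escape($n) + '\b')) { return $true }
    }
    return $false
}

# 3. Load each offline hive under HKLM, walk every key, report (or remove) matching values, then
#    unload. Open handles must be released first or "reg unload" fails with access denied.
foreach ($entry in $hives.GetEnumerator()) {
    $mount = "Offline_$($entry.Key)"
    & reg.exe load "HKLM\$mount" $entry.Value | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $($entry.Value)"; continue }
    try {
        Get-ChildItem -Path "HKLM:\$mount" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($valueName in $key.GetValueNames()) {
                $data = $key.GetValue($valueName)
                if (($data -is [string]) -and (Test-SuspectValue $data)) {
                    "{0}  [{1}] = {2}" -f $key.Name, $valueName, $data
                    if ($Delete) {
                        $target = if ($valueName -eq '') { '(default)' } else { $valueName }
                        Remove-ItemProperty -Path $key.PSPath -Name $target
                    }
                }
            }
            $key.Close()
        }
    } finally {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$mount" | Out-Null
    }
}
```

Run it once without -Delete to see which keys reference the files (in the posted log that should be the two HKCU Run values), then again with -Delete. The "companion" files with a space in their names (soundman .exe, googleupdate .exe, dtlite .exe) are deliberately left out of $suspects: the log suggests those are the renamed originals and that the files at the normal names were replaced, but the log alone cannot prove which copy is clean, so hash both copies of each pair and compare against a fresh install of the application before trusting either one.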

  10. Software & Hardware   -   #30
