But at least it's logging in now. So now what should I do? I'm trying the link that peat posted,
and I only copied 2 folders that are not Windows-affiliated.
Last edited by suprafreak6; 01-11-2010 at 11:16 PM. Reason: Automerged Doublepost
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:20 PM, on 1/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\nwiz.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Program Files\DAEMON Tools Lite\DTLite.exe
D:\windows\temp\k.exe
d:\windows\system32\soundman .exe
d:\documents and settings\home\local settings\application data\google\update\googleupdate .exe
d:\program files\daemon tools lite\dtlite .exe
d:\program files\internet explorer\wmpscfgs.exe
d:\program files\internet explorer\wmpscfgs.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\msiexec.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [D9Q071WKGS] D:\WINDOWS\TEMP\j.exe
O4 - HKCU\..\Run: [AAK8K3J4FL] d:\windows\temp\k .exe
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4360 bytes
There's my HijackThis log.
Trojan Remover and Vundo remover found nothing.
I know something is there because I see that k.exe and d.exe.
Last edited by suprafreak6; 01-12-2010 at 07:26 AM.
Well, I bet you still have something wrong.
You have these running and on startup; they just seem so suspicious (I'm 99% sure it's some kind of malware).
This is not right, it's a trojan but I forgot its name; I'll do further checking for you.
Code:
D:\WINDOWS\TEMP\j.exe
d:\windows\temp\k .exe
Now what you have to do is this:
Code:
d:\program files\internet explorer\wmpscfgs.exe
Go to http://www.virustotal.com/
Upload and scan the previous files and let us know the results.
And I suggest waiting for anon-sbi; maybe he has another opinion.
Last edited by AdrianPhoto; 01-12-2010 at 07:56 AM.
I LOVE Canada
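The reasoning Adrian applies above (an executable that sits in a Run key under a random-looking value name, lives in a TEMP directory, and also shows up in the running-process list) can be written down as checks over a HijackThis log. The following Python script is an added example, not code from this thread or from Trend Micro's HijackThis. Its sample lines are copied from the log posted earlier; the allowlist of core XP processes and the "running with no visible autostart entry" heuristic are constructed assumptions for illustration, not HijackThis rules.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
D:\WINDOWS\System32\smss.exe
D:\windows\temp\k.exe
d:\program files\internet explorer\wmpscfgs.exe
D:\Program Files\DAEMON Tools Lite\DTLite.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [D9Q071WKGS] D:\WINDOWS\TEMP\j.exe
O4 - HKCU\..\Run: [AAK8K3J4FL] d:\windows\temp\k .exe
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
"""

# Assumed allowlist: core XP processes that run without any Run/RunOnce entry.
CORE_XP_PROCESSES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "explorer.exe", "spoolsv.exe", "ctfmon.exe", "wuauclt.exe", "msiexec.exe",
    "wscntfy.exe",
}
TEMP_DIRS = {"temp", "tmp"}

O4_RE = re.compile(r"^O4 - .+?\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# First executable of a command line: a quoted path, or everything up to the
# first .exe/.dll/... extension (so a path with embedded spaces survives).
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|scr|bat|cmd|vbs|com))(?=\s|,|$)', re.IGNORECASE)
# Value names like D9Q071WKGS: 8+ upper-case letters and digits, mixing both.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Z])[A-Z0-9]{8,}$")

def first_executable(cmd):
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def basename(path):
    # Lower-case and drop stray spaces so "k .exe" and "k.exe" compare equal.
    return PureWindowsPath(path).name.lower().replace(" ", "")

def path_reasons(path):
    """Heuristics that apply to a single executable path."""
    reasons = []
    p = PureWindowsPath(path)
    if any(part.lower() in TEMP_DIRS for part in p.parts[:-1]):
        reasons.append("runs from a temp directory")
    if re.search(r"\s\.\w+$", p.name):
        reasons.append("whitespace before the file extension")
    return reasons

def parse(log_text):
    """Split a HijackThis log into running-process paths, O4 autostart entries
    and the set of executable names mentioned anywhere in the O-sections."""
    processes, autostarts, referenced = [], [], set()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and PATH_RE.match(line):
            processes.append(line)
            continue
        in_processes = False
        m = O4_RE.match(line)
        if m:
            autostarts.append((line, m.group("name"), first_executable(m.group("cmd"))))
        if re.match(r"^O\d+ - ", line):
            for tok in re.findall(r"[\w .-]+\.exe", line, re.IGNORECASE):
                referenced.add(basename(tok))
    return processes, autostarts, referenced

def analyze(log_text):
    """Return (log line, reason) pairs for entries that trip a heuristic."""
    processes, autostarts, referenced = parse(log_text)
    running = {basename(p) for p in processes}
    findings = []
    for line, name, exe in autostarts:
        reasons = path_reasons(exe)
        if RANDOM_NAME_RE.match(name):
            reasons.append("random-looking value name")
        if reasons and basename(exe) in running:
            reasons.append("and it is currently running")
        findings.extend((line, r) for r in reasons)
    for path in processes:
        reasons = path_reasons(path)
        if basename(path) not in CORE_XP_PROCESSES and basename(path) not in referenced:
            # Assumed heuristic: a non-core process that nothing in the log launches.
            reasons.append("running with no visible autostart entry")
        findings.extend((path, r) for r in reasons)
    return findings

if __name__ == "__main__":
    for line, reason in analyze(SAMPLE_LOG):
        print(f"{reason:45} {line}")
```

Run against the sample, the two random-named Run entries and the TEMP-resident process are flagged, and wmpscfgs.exe is reported only because nothing in the O-sections explains how it got started; the legitimate SoundMan, NVIDIA and DAEMON Tools entries pass. The heuristics are deliberately narrow: they give you a shortlist to look at, not a verdict, which is why the next step in the thread is still to submit the files to VirusTotal.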
I cut off internet access for that computer so further stuff does not install from the web. To back it up, will it be okay if I copy and paste them to a flash drive and upload them from another laptop? As long as I don't open it, correct?
> I cut off internet access for that computer so further stuff does not install from the web. To back it up, will it be okay if I copy and paste them to a flash drive and upload them from another laptop? As long as I don't open it, correct?
Yeah, sure.
I LOVE Canada
You're right, Adrian. Those j, k and wmpscfgs EXE files are definitely suspicious. I wouldn't even bother to upload them to VirusTotal - directly delete them using the Windows install on your laptop. You could also mount the infected XP's Registry there and remove any related entries. Good luck.
"I just remembered something that happened a long time ago."
But I have no idea how I would find out the associated files with them; I really think I'd need something to perform a search.
Yes, plug the infected drive to your laptop like you've done before, and tell Windows to search it. Or you could open it directly from My Computer, go to the directories the EXEs are, and delete them.
To mount the Registry and find related entries:
1. Go to Start -> Run, type regedit and press ENTER.
2. Highlight HKEY_LOCAL_MACHINE in the left panel.
3. Go to File -> Load subtree, browse to X:\WINDOWS\system32\config (X being your USB drive's letter), and load the file called simply "software".
4. You'll be asked for a name. Enter any and press OK.
5. Go to Edit -> Search, and search for j.exe. Delete any entries that may appear.
6. When done, scroll all the way up to "My Computer" in the left panel, and repeat step 5 for k.exe and wmpscfgs.exe.
7. After you finish, highlight the key with the name you gave in step X, go to File -> Unload subtree, and press OK in the dialog that will appear.
8. Repeat steps 2 to 7, but choose the file called "system" instead of "software" in step 3.
When finished, close Regedit, and try to boot from the Windows in the USB drive. Hopefully you should no longer be infected.
"I just remembered something that happened a long time ago."
http://www.virustotal.com/reanalisis...9c4-1263324967
http://www.virustotal.com/reanalisis...9c4-1263325029
http://www.virustotal.com/reanalisis...9c4-1263325047
There are the three when I uploaded them. Now what?