• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 565

Can't log on: XP trojans, rootkits

XP Home machine. Can't log on. After Windows starts, the icons for the user accounts display. When any is clicked, the desktop wallpaper for the account displays, but nothing else: no taskbar, no desktop icons. Ctrl-Alt-Del causes an hourglass to display for a few seconds but nothing else. Safe Mode is no different.

MalwareBytes discovered 11 RootKit.MBR items in the HelpAssistant folder, two in Local Settings for a user account, a Rogue.Installer in the ProgramFiles\InternetSecurity folder, and a Rogue.Installer in the system32 folder. The trojans were mainly multiple occurrences of Generic9.ACDR and Agent2.ADWC. MalwareBytes seems to have neutralized them, but the damage to the registry remains.

While MalwareBytes was running, AVG also was finding things, including these in the system32 folder: winupdate86.exe and AVR10.exe.

The user reports having reacted to a popup warning of infection and asking for his credit card number, its security code on the back, and his ATM number and password. I'm not sure what he did (but he didn't enter the information); the machine was frozen as described above afterwards.

By connecting the drive to another machine via USB (that's how I ran MalwareBytes) I deleted tens of thousands of files in the Temp and Temporary Internet Files folders. (There was one file I couldn't delete except by connecting the drive to a Linux machine.)

Any suggestions for the next step in getting past where it is freezing?

Thanks.
0
Asked by Ronald Hicks
2 Solutions
 
Ravi Agrawal commented:
Backup important data, format & reinstall from scratch.

That's what I would do in your shoes. The system is too messed up. Removal is advisable only when cases of minor infection can be seen. This one seems to be a can of worms that can spill any moment. And Rootkits, I fear them a lot.

For the time being:
Boot into the Recovery Console with the Windows XP CD and perform the following steps.

Taken from http://support.microsoft.com/kb/307545

"At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:

      md tmp
      copy c:\windows\system32\config\system c:\windows\tmp\system.bak
      copy c:\windows\system32\config\software c:\windows\tmp\software.bak
      copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
      copy c:\windows\system32\config\security c:\windows\tmp\security.bak
      copy c:\windows\system32\config\default c:\windows\tmp\default.bak

      delete c:\windows\system32\config\system
      delete c:\windows\system32\config\software
      delete c:\windows\system32\config\sam
      delete c:\windows\system32\config\security
      delete c:\windows\system32\config\default

      copy c:\windows\repair\system c:\windows\system32\config\system
      copy c:\windows\repair\software c:\windows\system32\config\software
      copy c:\windows\repair\sam c:\windows\system32\config\sam
      copy c:\windows\repair\security c:\windows\system32\config\security
      copy c:\windows\repair\default c:\windows\system32\config\default

Type exit to quit Recovery Console. Your computer will restart.

Note: This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location."


This should let you boot without issues. If you are still unable to, see these articles:

http://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/CAN%27T-RUN-EXES-IN-AN-INFECTED-SYSTEM.html
http://www.experts-exchange.com/articles/Software/Internet_Email/Anti_Spyware/Virut-Malware-continues-to-evolve.html

Ravi.
0
 
Ravi Agrawal commented:
If safe mode is not helpful, try using VGA mode only, I have had luck with it plenty of times.

Ravi.
0
 
SStory commented:
I agree with grtraders. You could boot into safe mode and run MalwareBytes. You could connect the drive to another system and run MalwareBytes. You would risk infecting the other system. If your registry is hosed, I'd reformat and reinstall.
0
 
optoma commented:
Sounds like the Netsky virus, among other nasties, was present. System is probably too messed up :(
I'd agree with the posts above. Back up data and start fresh in this case.

http://michaelstevenstech.com/cleanxpinstall.html
0
 
senad commented:
Save yourself time and nerves and do a complete new install.
Format your hard drive completely using the full format option.
Prior to that, run FDISK and clear/format the MBR.

However, if you want to repair your PC, tell me: can you boot into Safe Mode?
If not, then a reinstall is your only option.

0
 
Wolfhere commented:
Rootkits can be removed by running UnHackMe (http://www.greatis.com/unhackme/download.htm). The install requires a reboot, but when the machine is coming back up, it is scanned and choices are made available to remove. There is a free, fully functional version that can be downloaded from the above link. You can run MalwareBytes after the rootkit is removed. The rootkit downloads the trojans. UnHackMe will scan and fix the registry, as will MalwareBytes, once the rootkit is removed.
0
 
SStory commented:
If you go the route of backing up data, I'd copy that somewhere and scan it well on a drive that isn't booted, so it can't load on another system or back onto the fresh copy. When you do the new fresh install, I'd make an image of that clean install.

Of course there is System Recovery in XP. You could try booting to safe mode and rolling back a long way before the problem and see what happens. The registry is actually stored in a couple of files. One of them is in each user profile, like c:\documents and settings\username\ntuser.dat.

Rolling back, I think, should get the registry back to a good state if you have a state saved prior to the infection.
0
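The Recovery Console steps in Ravi Agrawal's answer and the System Restore rollback SStory suggests both come down to the same operation: replacing the five hive files in system32\config with a known-good set. Since the asker already had the drive attached to another machine over USB and to a Linux box, the script below does that same swap offline from the mounted volume. It is an added example, not code from the thread or from KB 307545. It assumes the volume is mounted at a path you pass to restore_hives, uses the snapshot file names (_REGISTRY_MACHINE_SYSTEM and friends) that System Restore writes under System Volume Information\_restore{GUID}\RP<n>\snapshot as documented in that KB article, falls back to the setup-time copies in the repair folder when no snapshot is usable, and checks every candidate file for the 'regf' hive signature before using it. make_sample_volume builds a constructed stand-in for the XP volume so it runs without a real disk.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# live hive in system32\config -> its file name inside a System Restore snapshot (KB 307545)
HIVES = {
    "system": "_REGISTRY_MACHINE_SYSTEM",
    "software": "_REGISTRY_MACHINE_SOFTWARE",
    "sam": "_REGISTRY_MACHINE_SAM",
    "security": "_REGISTRY_MACHINE_SECURITY",
    "default": "_REGISTRY_USER_.DEFAULT",
}

def ci_child(parent: Path, name: str) -> Optional[Path]:
    """Case-insensitive lookup of one path component: NTFS mounted on Linux is
    case-sensitive, and XP installs mix WINDOWS / Windows / windows."""
    if not parent.is_dir():
        return None
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None

def ci_path(root: Path, *parts: str) -> Optional[Path]:
    cur = root
    for part in parts:
        cur = ci_child(cur, part)
        if cur is None:
            return None
    return cur

def is_hive(path: Path) -> bool:
    """A registry hive starts with the 'regf' base-block signature; anything else
    (truncated, zeroed, or a dropped file using a hive's name) is rejected."""
    try:
        with path.open("rb") as f:
            return f.read(4) == b"regf"
    except OSError:
        return False

def newest_snapshot(root: Path) -> Optional[Path]:
    """Highest-numbered restore point whose snapshot folder holds all five hives."""
    svi = ci_path(root, "System Volume Information")
    if svi is None:
        return None
    best, best_n = None, -1
    for rp in svi.glob("_restore*/RP*"):
        try:
            n = int(rp.name[2:])
        except ValueError:
            continue
        snap = rp / "snapshot"
        if n > best_n and all(is_hive(snap / s) for s in HIVES.values()):
            best, best_n = snap, n
    return best

def restore_hives(root: Path, windir: str = "windows") -> dict:
    """Offline form of the KB 307545 steps: back up the live hives to <windir>\\tmp\\<hive>.bak,
    then overwrite them from the newest restore-point snapshot, or from <windir>\\repair if
    no snapshot is usable. Returns {hive: path the replacement was copied from}."""
    win = ci_path(root, windir)
    config = ci_path(win, "system32", "config") if win else None
    repair = ci_child(win, "repair") if win else None
    if config is None or repair is None:
        raise FileNotFoundError(f"{windir}\\system32\\config or {windir}\\repair not found under {root}")
    tmp = win / "tmp"
    tmp.mkdir(exist_ok=True)
    snap = newest_snapshot(root)
    used = {}
    for hive, snap_name in HIVES.items():
        live = ci_child(config, hive) or (config / hive)
        if live.exists():
            shutil.copy2(live, tmp / f"{hive}.bak")      # same backup the KB makes first
        src = (snap / snap_name) if snap else ci_child(repair, hive)
        if src is None or not is_hive(src):
            raise RuntimeError(f"no usable replacement for hive '{hive}'")
        shutil.copy2(src, live)
        used[hive] = src
    return used

def make_sample_volume(with_snapshot: bool = True) -> Path:
    """Constructed stand-in for a mounted XP volume so the example runs offline;
    the 'hives' are a 'regf' header over zero padding, not real registries."""
    root = Path(tempfile.mkdtemp(prefix="xpvol_"))
    config = root / "WINDOWS" / "system32" / "config"
    repair = root / "WINDOWS" / "repair"
    config.mkdir(parents=True)
    repair.mkdir()
    fake_hive = b"regf" + bytes(60)
    for hive in HIVES:
        (config / hive).write_bytes(b"garbage")   # the damaged live hive
        (repair / hive).write_bytes(fake_hive)    # setup-time copy
    if with_snapshot:
        for n in (3, 12):                         # two restore points; RP12 is newest
            snap = root / "System Volume Information" / "_restore{0}" / f"RP{n}" / "snapshot"
            snap.mkdir(parents=True)
            for name in HIVES.values():
                (snap / name).write_bytes(fake_hive)
    return root
```

Usage on a real drive is restore_hives(Path("/mnt/xp")) with the volume mounted read-write; the returned dictionary tells you where each hive came from. Two caveats worth keeping in mind: KB 307545 notes that the repair-folder copies date from initial Setup, so restoring them loses every account and setting change made since, which is why the script prefers a restore-point snapshot; and a snapshot taken after the infection will carry the malware's own Run keys and services, so if you know when the machine was hit, choose a restore point from before it rather than simply the newest (the script takes the highest RP number), and rescan once it boots, as the asker did.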
 
Ronald Hicks (Author) commented:
I decided to go with the first suggestion, using the CD and the Recovery Console to restore the 5 registry hive files, mainly because I just wanted to see if that did it, saving scrub and reinstall as a later resort. So far, so good. It's running, and I have purged some additional trojans with various malware programs.

Thanks for the tip about UnHackMe. I looked at it, but chose not to spend the $30 just yet.
0
 
Wolfhere commented:
The fully functional UnHackMe is free. If you register, you get lifetime updates. I have used the free version happily and downloaded a newer free version when needed.
0
