can't logon.  xp  trojans rootkits

Posted on 2009-12-29
Last Modified: 2013-11-22
XP Home machine.  Can't log on.  After Windows starts, the icons for user accounts display.  When any is clicked, the desktop wallpaper for the account displays, but nothing else:  no taskbar, no desktop icons.  Ctrl-Alt-Del causes an hourglass to display for a few seconds but nothing else.   Safe Mode is no different.

MalwareBytes discovered 11 RootKit.MBR items in the HelpAssistant folder, two in Local Settings for a user account, a Rogue.Installer in the ProgramFiles\InternetSecurity folder, and a Rogue.Installer in the system32 folder.   The trojans were mainly multiple occurrences of Generic9.ACDR and Agent2.ADWC.  MalwareBytes seems to have neutralized them, but the damage to the registry remains.

While MalwareBytes was running, AVG also was finding things, including these in the system32 folder:  winupdate86.exe and AVR10.exe

The user reports having reacted to a popup warning of infection and asking for his credit card number, its security code on the back, and his ATM number and password.   Not sure what he did (but he didn't enter the information), but the machine was frozen as described above afterwards.

By connecting the drive to another machine via USB (it's how I ran MalwareBytes) I deleted tens of thousands of files in the Temp and Temporary Internet Files folders.  (There was one file I couldn't delete except by connecting the drive to a Linux machine.)

Any suggestions for the next step in getting past where it is freezing?

Question by:Ronald Hicks
    LVL 18

    Accepted Solution

    Backup important data, format & reinstall from scratch.

    That's what I would do in your shoes. The system is too messed up. Removal is advisable only when cases of minor infection can be seen. This one seems to be a can of worms that can spill any moment. And Rootkits, I fear them a lot.

    For the time being:
    Boot into recovery console with the Windows XP CD, perform the following steps.

    Taken from

    "At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:

          md tmp
          copy c:\windows\system32\config\system c:\windows\tmp\system.bak
          copy c:\windows\system32\config\software c:\windows\tmp\software.bak
          copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
          copy c:\windows\system32\config\security c:\windows\tmp\security.bak
          copy c:\windows\system32\config\default c:\windows\tmp\default.bak

          delete c:\windows\system32\config\system
          delete c:\windows\system32\config\software
          delete c:\windows\system32\config\sam
          delete c:\windows\system32\config\security
          delete c:\windows\system32\config\default

          copy c:\windows\repair\system c:\windows\system32\config\system
          copy c:\windows\repair\software c:\windows\system32\config\software
          copy c:\windows\repair\sam c:\windows\system32\config\sam
          copy c:\windows\repair\security c:\windows\system32\config\security
          copy c:\windows\repair\default c:\windows\system32\config\default

    Type exit to quit Recovery Console. Your computer will restart.
    Note: This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location."

    This should let you boot without issues. If still unable, see this article:
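Before swapping hive files around as in the procedure above, it is worth confirming that the copies you are about to trust (the repair-folder hives and your .bak copies) are intact. The Python checker below is an added example, not part of this thread: it reads the 512-byte "regf" base block that starts every XP hive file and reports a bad signature, a checksum mismatch, or a "dirty" hive whose two sequence numbers disagree (an interrupted write). Field offsets follow the documented hive format; the sample hive header is constructed inline so it runs offline, and all helper names are ours.

```python
import struct

# Base block of a Windows registry hive (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT).
# Offsets: 0 "regf", 4 primary sequence, 8 secondary sequence, 12 FILETIME,
# 20 major version, 24 minor version, 508 checksum. Constants are ours.
HIVE_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 512
CHECKSUM_OFFSET = 508


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the first 127 DWORDs; the format reserves two results."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        xor ^= dword
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if xor == 0 else xor


def inspect_hive_header(data: bytes) -> dict:
    """Sanity-check a hive file before relying on it as a restore source."""
    if len(data) < BASE_BLOCK_SIZE:
        return {"ok": False, "problems": ["file shorter than a base block"]}
    block = data[:BASE_BLOCK_SIZE]
    seq1, seq2 = struct.unpack_from("<II", block, 4)
    major, minor = struct.unpack_from("<II", block, 20)
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    problems = []
    if block[:4] != HIVE_SIGNATURE:
        problems.append("bad signature %r" % block[:4])
    if stored != regf_checksum(block):
        problems.append("checksum mismatch")
    if seq1 != seq2:  # primary != secondary means a write never completed
        problems.append("dirty hive (sequence %d != %d)" % (seq1, seq2))
    return {"ok": not problems, "version": (major, minor),
            "sequence": (seq1, seq2), "problems": problems}


def build_sample_hive(seq1=7, seq2=7, sig=HIVE_SIGNATURE) -> bytes:
    """Constructed base block (not a real hive) for offline demonstration."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = sig
    # sequences, zero timestamp, format version 1.3 as XP writes it
    struct.pack_into("<IIQII", block, 4, seq1, seq2, 0, 1, 3)
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    print(inspect_hive_header(build_sample_hive()))            # clean
    print(inspect_hive_header(build_sample_hive(seq2=8)))      # dirty
```

Run it against a real file with `inspect_hive_header(open(r"c:\windows\repair\system", "rb").read())` from the host you attached the drive to; a clean result is a precondition for the copy step, not proof the hive content is free of malware changes.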

    LVL 18

    Expert Comment

    by:Ravi Agrawal
    If safe mode is not helpful, try using VGA mode only, I have had luck with it plenty of times.

    LVL 25

    Expert Comment

    I agree with grtraders. You could boot into safe mode and run malware bytes. You could connect the drive to another system and run malware bytes.  You would risk infecting the other system. If your registry is hosed, I'd reformat and reinstall.
    LVL 22

    Expert Comment

    Sounds like Netsky virus among other nasties were present. System is probably too messed up :(
    I'd agree with above posts. Backup data and start fresh in this case.
    LVL 22

    Expert Comment

    Save yourself time and nerves and do a complete new install.
    Format your hard drive completely using a full format option.
    Prior to that run FDISK and clear/format the MBR.

    However if you want to repair your PC then tell me if you can boot into safe mode?
    If not then reinstall is your only option.

    LVL 10

    Assisted Solution

    Rootkits can be removed by running UnHackMe ( The install requires a reboot, but when the machine is coming back up, it is scanned and choices are made available to remove. There is a free, fully functional version that can be downloaded from the above link. You can run malwarebytes after the rootkit is removed. The rootkit downloads the trojans. UnHackMe will scan the registry/fix as will malwarebytes - once the rootkit is removed.
    LVL 25

    Expert Comment

    If you go the route of backing up data...I'd copy that somewhere, scan it well on a drive that isn't booted so it can't load on another system or back on the fresh copy. When you do the new fresh install, I'd make an image of that clean install...

    Of course there is System Recovery in XP. You could try booting to safe mode and rolling back a long ways before the problem and see what happens.  The registry is actually stored in a couple of files.  One of them is in each user c:\documents and settings\username\ntuser.dat

    Rolling back, I think should get the registry back to a good state if you have a state saved prior to the infection.

    Author Comment

    by:Ronald Hicks
    I decided to go with the first suggestion, using the CD and the recovery console to restore the 5 registry hive files.  Mainly because I just wanted to see if that did it, saving scrub and reinstall as a later resort.  So far, so good.  It's running and I have purged some additional trojans with various malware progs.

    Thanks for the tip to UnHackMe.  I looked at it, but chose not to spend the $30 just yet.
    LVL 10

    Expert Comment

    The UnHackMe fully functional version is free. If you register, you can get lifetime updates. I have used the free version happily and downloaded another newer free version when needed.
