Ronald Hicks asked:
Can't log on: XP trojans, rootkits

XP Home machine. Can't log on. After Windows starts, the icons for the user accounts display. When any is clicked, the desktop wallpaper for the account displays, but nothing else: no taskbar, no desktop icons. Ctrl-Alt-Del causes an hourglass to display for a few seconds, but nothing else. Safe Mode is no different.

MalwareBytes discovered 11 RootKit.MBR items in the HelpAssistant folder, two in Local Settings for a user account, a Rogue.Installer in the ProgramFiles\InternetSecurity folder, and a Rogue.Installer in the system32 folder. The trojans were mainly multiple occurrences of Generic9.ACDR and Agent2.ADWC. MalwareBytes seems to have neutralized them, but the damage to the registry remains.

While MalwareBytes was running, AVG was also finding things, including these in the system32 folder: winupdate86.exe and AVR10.exe.

The user reports having reacted to a popup warning of infection and asking for his credit card number, its security code on the back, and his ATM number and password. Not sure what he did (but he didn't enter the information), but the machine was frozen as described above afterwards.

By connecting the drive to another machine via USB (that's how I ran MalwareBytes) I deleted tens of thousands of files in the Temp and Temporary Internet Files folders. (There was one file I couldn't delete except by connecting the drive to a Linux machine.)

Any suggestions for the next step in getting past where it is freezing?

Thanks.
ASKER CERTIFIED SOLUTION: Ravi Agrawal (solution text is members-only and not shown)
If Safe Mode is not helpful, try using VGA mode only; I have had luck with it plenty of times.

Ravi.
I agree with grtraders. You could boot into Safe Mode and run MalwareBytes. You could connect the drive to another system and run MalwareBytes; you would risk infecting the other system. If your registry is hosed, I'd reformat and reinstall.
Sounds like the Netsky virus, among other nasties, was present. System is probably too messed up :(
I'd agree with the above posts. Back up data and start fresh in this case.

http://michaelstevenstech.com/cleanxpinstall.html
Save yourself time and nerves and do a complete new install.
Format your hard drive completely using the full format option.
Prior to that, run FDISK and clear/format the MBR.

However, if you want to repair your PC, then tell me: can you boot into Safe Mode?
If not, then reinstall is your only option.

SOLUTION (members-only text not shown)
If you go the route of backing up data, I'd copy it somewhere and scan it well on a drive that isn't booted, so it can't load on another system or back onto the fresh copy. When you do the fresh install, I'd make an image of that clean install.

Of course there is System Recovery in XP. You could try booting to Safe Mode and rolling back a long way before the problem and see what happens. The registry is actually stored in a couple of files. One of them is in each user profile, like c:\documents and settings\username\ntuser.dat.

Rolling back, I think, should get the registry back to a good state if you have a state saved prior to the infection.
ASKER (Ronald Hicks):
I decided to go with the first suggestion, using the CD and the Recovery Console to restore the 5 registry hive files, mainly because I just wanted to see if that did it, saving scrub and reinstall as a later resort. So far, so good. It's running, and I have purged some additional trojans with various malware programs.

Thanks for the tip about UnHackMe. I looked at it, but chose not to spend the $30 just yet.
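The hive-restore step the asker refers to is the standard XP Recovery Console procedure (Microsoft KB307545). The session below is an added illustration and is not part of any post on this page. It assumes Windows is installed in C:\WINDOWS and that the Recovery Console has already asked which installation to log on to and for the Administrator password; lines beginning with `rem` are explanatory comments and are not typed at the console.

```cmd
rem Added example, not from the original thread. Assumes Windows is in C:\WINDOWS.

rem 1. Make a holding folder and back up the five live hives first, so the step
rem    can be undone if the repair copies turn out to be worse.
md C:\WINDOWS\tmp
copy C:\WINDOWS\system32\config\system   C:\WINDOWS\tmp\system.bak
copy C:\WINDOWS\system32\config\software C:\WINDOWS\tmp\software.bak
copy C:\WINDOWS\system32\config\sam      C:\WINDOWS\tmp\sam.bak
copy C:\WINDOWS\system32\config\security C:\WINDOWS\tmp\security.bak
copy C:\WINDOWS\system32\config\default  C:\WINDOWS\tmp\default.bak

rem 2. Remove the damaged hives. Deleting first, rather than copying over the top,
rem    keeps each step explicit and avoids overwrite prompts.
delete C:\WINDOWS\system32\config\system
delete C:\WINDOWS\system32\config\software
delete C:\WINDOWS\system32\config\sam
delete C:\WINDOWS\system32\config\security
delete C:\WINDOWS\system32\config\default

rem 3. Put back the hives saved in the repair folder. These date from Setup (or the
rem    last Automated System Recovery backup), so the machine boots, but with the
rem    software, driver and account settings as of that time.
copy C:\WINDOWS\repair\system   C:\WINDOWS\system32\config\system
copy C:\WINDOWS\repair\software C:\WINDOWS\system32\config\software
copy C:\WINDOWS\repair\sam      C:\WINDOWS\system32\config\sam
copy C:\WINDOWS\repair\security C:\WINDOWS\system32\config\security
copy C:\WINDOWS\repair\default  C:\WINDOWS\system32\config\default

rem 4. Leave the Recovery Console; the machine reboots into Windows.
exit
```

Two caveats a practitioner would want here. First, the SAM and SECURITY hives in the repair folder are from install time, so user accounts and passwords created since then (including a changed Administrator password) are gone until newer hives are put back. Once the machine boots on the repair hives, System Restore keeps more recent copies of the same five files under C:\System Volume Information\_restore{GUID}\RPnnn\snapshot\ with the names _REGISTRY_MACHINE_SYSTEM, _REGISTRY_MACHINE_SOFTWARE, _REGISTRY_MACHINE_SAM, _REGISTRY_MACHINE_SECURITY and _REGISTRY_USER_.DEFAULT; copying those from a restore point dated before the infection, in the same delete-then-copy pattern, recovers the current configuration. Second, those snapshot hives carry whatever Run and service entries they held on that date, so a restore point from after the infection simply brings the malware's autostart entries back. The Recovery Console also has a `fixmbr` command if the MBR detections reported in the question are a concern; it rewrites only the boot code, not the partition table.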
The fully functional UnHackMe is free. If you register, you get lifetime updates. I have used the free version happily and downloaded a newer free version when needed.