W32/IRCBot-PE might have started it...


mnkutreva

Hello and thank you in advance!

* Laptop (rarely used online) became infected with various Trojans (stopped counting which ones)

* NOD32 uninstalled (all scans insisted system is clean)

* Online scan @ kaspersky.com > 45 items detected (Trojans etc)

* KAV 6.0 installed > 45 items detected & treated

* System showed clean, however a few times a day KAV detected various Trojans

* AdAware SE detected & cleaned msdnxp.exe (apparently Trojan Downloader IRCBot-PE copies itself into msdnxp.exe)

* msdnxp.exe appeared again after each cleanup

* KAV 6.0 uninstalled and Sophos Antivirus installed (only their website had info on msdnxp.exe) > detected & cleaned various items including a bad app called CommAd

* System showed clean, however:

- Computer sluggish at startup

- KAV wouldn't run on startup despite being set to do so

- Opening apps & directories hung the machine

- Task Manager showed all the repeated instances I'd tried to open the apps

* Occasionally (could be when connected to the Internet) KAV intercepted Trojans:

- Trojan.Win32.Crypt.d

- Trojan.Win32.vb.asv

- Trojan-downloader.win32.vb.anb

==================================================================

This is where I was advised to come along to your forum. Started on the list suggested in the Pre-Posting Instructions, however now I can't even log in anymore :D:D B)

Here some details:

* Add/Remove Programs shows some 'Search Toolbar'(?), which cannot be uninstalled

* IE Tools > 'Manage Add-ons' is missing

* eScan > found & renamed/deleted 34 instances of 'BKCln.UnKnown' virus in various files (incl bmp & jpeg?)

* SUPERAntiVirus won't install in Safe Mode > so restarted in Normal

* Computer very slow at startup, when I logged on & saw 'Loading your personal settings' the screen flashed & the message changed to 'Saving your settings.. Logging you off..' and took me back to the welcome screen. And again and again.

I wonder if anyone has any ideas? I will then probably try to run a Windows repair and hope I can at least save my data if a complete reinstall is unavoidable.

No hijackthis log unfortunately. I had one on a flash memory stick, however it seems to have died with the laptop (it was connected to it while trying to install SUPERAntiVirus)

Thanks again!

Mariya


Hello mnkutreva and Welcome! :D

Sorry you are having malware trouble.

I read your posts over on the Kaspersky forum and I see you manually edited the registry. I also see where Don Pelotas advised you to reinstall Windows after you made the registry changes. After reading your latest symptoms here on this forum, a reinstall may be the quickest solution to your problem. However, let's try a couple of steps. You'll need a Windows XP Installation CD to enter Recovery Console. You'll probably want to print out these instructions beforehand.

How to get into the Recovery Console:

1.) Boot the system using the Windows XP Installation CD-ROM.

2.) Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.

3.) When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

4.) When the Recovery Console menu is displayed, a numbered list of the Windows installations on the computer is displayed (usually C:\Windows). Press the number (1) before you press ENTER, even when only one entry appears.

(If you press ENTER first without pressing the number, the computer restarts and begins the process again.)

5.) When you are prompted to do so, type the Administrator password. If the Administrator password is blank, just press ENTER.

6.) At the C:\Windows prompt, type the following command and press <Enter>.

CD SYSTEM32 <Enter>

(There is a space between CD and SYSTEM32)

7.) Now type in this command and press <Enter>.

COPY USERINIT.EXE WSAUPDATER.EXE

(There is a space between COPY and USERINIT.EXE and WSAUPDATER.EXE)

8.) Now quit Recovery Console by typing EXIT and restart Windows.

Now you should be able to login successfully as you've created the wsaupdater.exe file.

9.) At the desktop, copy the contents of the Code Box to Notepad. Name the file as RegFix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word CODE when saving the file.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=-
"Shell"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

10.) Double-click on the RegFix.reg file, and when it prompts to merge say Yes.

11.) Please reboot the PC and try to logon normally.

12.) From the HijackThis instructions you read earlier, try and post a HJT log here for review.

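An added example, not code from this thread: a small Python checker that parses a REGEDIT4-style export (the same format as the RegFix.reg above, including the "name"=- deletion lines) and reports Winlogon Userinit/Shell values that differ from the XP defaults. The sample export below is constructed for illustration; it has Userinit redirected to wsaupdater.exe, which is the situation the Recovery Console copy step works around.

```python
import re

# Windows XP defaults for the two Winlogon values that RegFix.reg restores
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED = {"Userinit": r"C:\WINDOWS\system32\userinit.exe,", "Shell": "Explorer.exe"}

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse a REGEDIT4-style export into {key: {name: value}}.
    A value of None records a deletion ("name"=-); a later block for the
    same key overwrites earlier entries, as in RegFix.reg."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("malformed line: %r" % raw)
        name, data = m.groups()
        if data == "-":
            entries[key][name] = None
        elif data.startswith("dword:"):
            entries[key][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            entries[key][name] = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
        else:
            raise ValueError("unsupported data: %r" % raw)
    return entries


def check_winlogon(entries):
    """Return one finding per Winlogon value that is missing or not at its XP default."""
    findings = []
    values = entries.get(WINLOGON_KEY, {})
    for name, expected in EXPECTED.items():
        actual = values.get(name)
        if actual is None or actual.lower() != expected.lower():
            findings.append("%s is %r, expected %r" % (name, actual, expected))
    return findings


# Constructed sample export: Userinit points at wsaupdater.exe instead of userinit.exe
HIJACKED_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"Userinit"="C:\\\\WINDOWS\\\\system32\\\\wsaupdater.exe,"
"Shell"="Explorer.exe"
"""

if __name__ == "__main__":
    for finding in check_winlogon(parse_reg(HIJACKED_EXPORT)):
        print(finding)
```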

SirJon,

Thank you for taking the time to read through my problem!!

My b-day tomorrow so leaving the city. Will try to forget my sad dead laptop (sitting accusingly and silently on the bed) for the weekend and will be back Monday. Will follow your instructions asap and post back results.

Hope all you guys enjoy the wknd!

Mariya


Those steps usually do it for me. I'm pretty sure it's the Winlogon key and the userinit value that got corrupted. I wish they hadn't suggested that you manually edit the registry that way. Do you have a floppy drive on that laptop?

I think at this point because of all you've been through I would go ahead and use the Repair option on the Windows XP Installation CD. It hasn't always helped me for this type of symptom (I'm not much of a fan of the Repair option), but it's worth a try.

If I was working on your laptop in a shop at this point, I would back up anything you wanted on the drive and do it right by blowing everything away and starting over from scratch with a fresh install. I am not a fan of 'bandaid' fixes especially when the registry has been corrupted. Then, I would install ERUNT. It's a free, alternative registry backup that will run independently of Windows.


Hey again,

I think if the laptop was in a tech shop, the reinstall would have happened a lot earlier :D Perhaps it would have been safer this way too.

But I was just not sure - was there an infection or not??? It was all done in super-stealth mode.

If you have time, another question - should I try to load an operating system from a boot cd for ex, in order to backup the data? Or take the laptop to professionals and have the drive taken out so it can be attached to something as an external drive?

Asking from the point of view of a user with an "inbetween" level of understanding of computers :D Sorry if the question is stupid!

Thanks again!

Take care,

Mariya

PS After the backup I will definitely go with a fresh reinstall!


But I was just not sure - was there an infection or not???

There was in the beginning over at the other forum. I'm not sure what's left on the hard drive now since I can't see anything from a HJT log.

Should I try to load an operating system from a boot cd for ex, in order to backup the data? Or take the laptop to professionals and have the drive taken out so it can be attached to something as an external drive?

What? :D

Do you mean boot up with some kind of LiveCD or a BartPE CD to copy and paste the backup files and folders to an external source? That's one way of doing it. I don't know if you've got USB 1.1 or 2.0; depending on what you want saved it might take a while, but they might just take out your HD and slave it to another box (hopefully a very fast diagnostic test box) and copy everything that way.


Yes, I meant loading an operating system temporarily in order to access the data (my brother has the details, he is more knowledgeable with comps). Do you think this will be messy?

Simply trying to avoid gutting the laptop, I am not excited over the possibility of having it opened up in a tech shop. People are not careful enough with other people's stuff, have lots of examples. (Could be just my country, sure.)

Anyway, from your words I gather the safest way might be to let professionals do it all?

Thank you so much for all the advice and your personal time!

Mariya


Yes, I meant loading an operating system temporarily in order to access the data (my brother has the details, he is more knowledgeable with comps). Do you think this will be messy?

No.

Anyway, from your words I gather the safest way might be to let professionals do it all?

Not necessarily. It sounds like your brother can guide you through.
