I have no idea how people do it, but yet another relative has managed to break their computer by doing something stupid and has brought the computer over, asking me to spend a day fixing their computer. "Sure, I'd love to waste a nice sunny day off to do that!"
Anyway, before I become bitter and hateful, I quickly discovered that one of their many problems was that they were infected with a trojan called "Trojan.Mixa.A" or "W32/Autorun-DH".
It probably goes by a few other names, but the following information should be enough to identify it.
It's located at:
- C:\Mixa_i.exe (and the root of any other writable drive or USB device plugged into the machine)
It is fairly difficult to remove using normal means, as you can't delete the files while they're in use. Trying to kill the task using the Task Manager will not work either, because the trojan logs you out whenever it detects the Task Manager.
It also slips itself in as a fake system shell application, which makes Windows load it every time you log in. To remove it, you will have to do it before Windows loads.
Using the Windows XP setup disc
Use this method if you have access to the Administrator account. If not, use the other method.
Load up the computer with the setup disc and select "Recovery Console" by pressing R once it's ready.
Navigate around the console and delete the files if they exist in the given locations. Use the "delete" command to delete files (here %WINDOWS% stands for your Windows directory, normally C:\WINDOWS on XP):
delete %WINDOWS%\Mixa.exe
delete C:\Mixa_i.exe
delete %WINDOWS%\System32\mixa.exe
delete %WINDOWS%\System32\systemio.exe
See link below for the next step.
Set up a BartPE startup disc
This will give you access to the hard drive so you can remove the files. See this guide to create the BartPE disc.
Once you've loaded up the computer with BartPE:
- Click "Go", then "Command Prompt (CMD)", and run the delete commands from the Recovery Console steps above; or
- Click "Go", then "A43 File Management Utility", and use that program to delete the files.
See next step below.
Fix login screen
Deleting the files ensures that the malware cannot reload itself once we log in again.
At this point, I thought it was all fixed and rebooted the machine. However, you should not reboot it yet! The system is still in a broken state!
Windows still expects the missing files to be there, so you will not be able to log in properly. To fix the login screen, stay in the command prompt and type "regedit". This will bring up the Registry Editor.
I've written the tutorial in another post as it is a common problem when fixing virus/trojan related issues.
Once you've reverted the "Userinit" filename you can reboot and log in as usual.
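As an added check that is not part of the original post, the PowerShell script below verifies the two things this write-up says the trojan touches: the file locations listed in the delete commands (including the root of every drive), and the Winlogon "Userinit" and "Shell" values that make Windows start it at logon. It assumes it is run from an elevated PowerShell prompt on the cleaned machine after the Userinit revert, and that the stock values are the defaults of a normal install (userinit.exe with its trailing comma, and Explorer.exe); it only reports, it deletes nothing. The syntax avoids PowerShell 3.0 features so it also works on the 2.0 release available for XP.

```powershell
# Added verification script, not from the original post.
# Assumption: run elevated on the cleaned system; it reports, it does not delete.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock values on a default install. The trailing comma on Userinit is normal.
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
    Shell    = 'Explorer.exe'
}

# Compare the live Winlogon values with the expected defaults.
function Test-WinlogonValues {
    $props = Get-ItemProperty -Path $winlogon
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        New-Object PSObject -Property @{
            Value    = $name
            Actual   = $actual
            Expected = $expected[$name]
            OK       = ($actual -eq $expected[$name])   # string -eq is case-insensitive
        } | Select-Object Value, Actual, Expected, OK
    }
}

# File locations named in the post, plus Mixa_i.exe on the root of every drive.
function Get-TrojanFilePaths {
    $paths = @(
        "$env:SystemRoot\Mixa.exe",
        "$env:SystemRoot\System32\mixa.exe",
        "$env:SystemRoot\System32\systemio.exe"
    )
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $paths += Join-Path -Path $drive.Root -ChildPath 'Mixa_i.exe'
    }
    $paths
}

function Test-TrojanFiles {
    foreach ($p in Get-TrojanFilePaths) {
        New-Object PSObject -Property @{
            Path    = $p
            Present = (Test-Path -LiteralPath $p)
        } | Select-Object Path, Present
    }
}

$regResults  = Test-WinlogonValues
$fileResults = Test-TrojanFiles

$regResults | Format-Table -AutoSize
$fileResults | Where-Object { $_.Present } | Format-Table -AutoSize

$badValues = $regResults  | Where-Object { -not $_.OK }
$leftovers = $fileResults | Where-Object { $_.Present }

if ($badValues -or $leftovers) {
    Write-Warning 'Cleanup incomplete: revert the flagged Winlogon value(s) and remove the listed files before rebooting.'
} else {
    Write-Output 'Winlogon values are stock and none of the known files are present.'
}
```

If "Shell" is flagged, the value should read exactly Explorer.exe; if "Userinit" is flagged, it should point only at userinit.exe in System32 followed by a comma, with no second program appended. Any remaining hit on a drive root means that drive (or USB stick) still carries a copy and will reinfect the next machine it is plugged into.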