I've never posted here before but I'm hoping someone can help me out. A couple days ago while browsing the internet I got a popup from TeaTimer (Spybot) that the Winlogon value was changed.

Old Data = c:\windows\system32\userinit.exe
New Data = c:\windows\system32\userinit.exe, c:\windows\system32\oembios.exe

I've been racking my brain trying to figure this out. I obviously click Deny Change whenever it comes up, but my system pretty much stands still. I ran Spybot and found the Smitfraud-c.gp and Win32.agent.pz, so I fixed those problems and I think it may have worked as I don't see the svhost.exe in the ...system32\drivers\ folder anymore.

After seeing that virus in Spybot and continuing to get the popups from TeaTimer I decided I should try closing the svhost files in task manager. I closed a couple of them and then when I closed the tree for the third I got an error message stating there was an error with "DCom server process launcher service", and then a blue screen with unknown hard error. I let it reboot and when Windows finally loaded it went to a blue screen again... same unknown hard error.

I went into Safe Mode and did some checking around. I changed the settings to allow me to choose my logon (admin vs user) and created passwords for both, hoping to stop the virus. That didn't work though. Booting back up I get csrss.exe errors and TeaTimer notifies me of Winlogon. I also have a spoolsv process that is running out of control in program manager. Seems to take up a lot of memory and CPU time.

There is also a new link in my start menu that says "heal yourself for $8,500" or somewhere around there. I clicked on it to see where it would take me, but it wouldn't load the site. It kept bringing back up TeaTimer for the Winlogon. I was able to navigate to Yahoo and Google and other sites, but not that one. Something is seriously wrong with my system.
I am keeping the internet connection off until I can hopefully get it fixed out of fear that my personal information may be being swiped. Could someone please give me some direction?
P.S. I'm going to try and do an HJT log, but I don't have HJT installed on the PC and I'm afraid to connect to the internet. Please help. Thanks.
Edited by s3semantic, 17 September 2008 - 11:47 AM.