
Windows NT\CurrentVersion\Winlogon\Userinit trojan/virus


This topic is locked
6 replies to this topic

#1 Amandinxia (Members, 4 posts)

Posted 18 January 2009 - 06:33 PM

Hello. A few weeks ago, I attempted to "clean up" my computer to make more space. I deleted various files and programs which I did not need, and also decided to fix my anti-virus software. Previously, I had Symantec Anti-Virus, but something was wrong with the program: it would always tell me it was out of date, and then when I tried to get updates it would never work. I ignored this for a long time, as my computer seemed to be functioning fine anyway, but on this particular day a few weeks back I was in a mood to fix things and decided to uninstall Symantec and install something else in the hopes that it would work better.

I installed a version of Avast that my boyfriend gave me, but unfortunately, that was the start of my problems. It was a while back so I don't remember all the details, but suddenly there were some random porn icons on my desktop, and I believe I got some warnings from Avast that I was infected. We quickly decided that the Avast program itself must have been infected, because all the trouble started right after I installed it, so we uninstalled that and I installed AVG Free instead. I had my brother look at my computer, and he said I was infected with a rootkit, which is apparently very bad, but he did some things to fix it and all seemed well. However, last week, I started to have more problems.

I got a blue screen a few times while I was working, something I've never had happen to me before, and then, all of a sudden, everything went crazy. I had these stupid little pop-ups telling me my computer was infected, but the wording was strange, and I was suspicious that they were fake, and then my desktop changed to a big red box telling me "Warning! My computer is infected..." but then I knew it was definitely fake. I read up on what was happening on the internet, and saw Malwarebytes often cited as a solution, so I downloaded this and ran it in safe mode a few times, and that seemed to take care of the problem.

Now, the pop-ups and red warning box on my desktop are gone, but every time I run Malwarebytes, it finds two problems and they are always the same:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

How do I get rid of these items? Are they just lingering residual effects from my previous infection, or are they bad news? Thank you in advance!

(P.S. Not sure that this is related, but I was also trying to set up a new monitor with my laptop at the same time. I couldn't get the output on the monitor to have the correct resolution/dimensions, probably because the info was coming from my laptop, and I did try a few things to fix this, including trying to update my driver. I still haven't been able to get my laptop to output to the new monitor, but perhaps messing with the driver did something?)


Here is the dds.txt log:

DDS (Ver_09-01-18.01) - FAT32x86
Run by Amanda at 16:59:30.12 on Sun 01/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1214.481 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
SVCHOST.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Documents and Settings\Amanda\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /M "Stylus CX4800" /EF "HKCU"
mRun: [Auto EPSON Stylus CX4800 Series on DESKTOP] c:\windows\system32\spool\drivers\w32x86\3\e_fatiada.exe /p42 "auto epson stylus cx4800 series on desktop" /o18 "\\desktop\Printer2" /M "Stylus CX4800"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Auto EPSON Stylus CX4800 Series on DESKTOP1] c:\windows\system32\spool\drivers\w32x86\3\e_fatiada.exe /p43 "auto epson stylus cx4800 series on desktop1" /o19 "\\desktop1\Printer2" /M "Stylus CX4800"
mRun: [Auto EPSON Stylus CX4800 Series on DESKTOP1 (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiada.exe /p52 "auto epson stylus cx4800 series on desktop1 (copy 1)" /o19 "\\desktop1\networkP" /M "Stylus CX4800"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\amanda\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: WRNotifier - WRLogonNTF.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amanda\applic~1\mozilla\firefox\profiles\92bebm9t.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\amanda\application data\mozilla\firefox\profiles\92bebm9t.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {FAB613D4-6868-42DC-A7A1-AA32F7D6F95D} - c:\documents and settings\amanda\local settings\application data\{FAB613D4-6868-42DC-A7A1-AA32F7D6F95D}
FF - HiddenExtension: XUL Cache: {DE0403EF-A5C6-496D-B669-54F6765C8F99} - c:\windows\system32\config\systemprofile\local settings\application data\{de0403ef-a5c6-496d-b669-54f6765c8f99}\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-2 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-2 26824]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-10-10 11113]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-12 38496]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-2 231704]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-1 24652]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-10-10 216459]
S4 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys --> c:\windows\system32\drivers\osanbm.sys [?]

=============== Created Last 30 ================

2009-01-12 16:03 <DIR> --dsh--- C:\FOUND.000
2009-01-12 14:16 <DIR> --d----- c:\docume~1\amanda\applic~1\Malwarebytes
2009-01-12 14:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-12 14:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 14:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-12 14:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-12 13:50 <DIR> --d----- c:\documents and settings\amanda\DoctorWeb
2009-01-12 11:43 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-12 11:43 111,616 a------- c:\windows\system32\dllcache\userinit.exe
2009-01-12 11:42 1 a------- c:\windows\system32\uniq.tll
2009-01-12 11:42 1 a------- c:\windows\system32\test.ttt
2009-01-05 07:46 268 a---h--- C:\sqmdata18.sqm
2009-01-05 07:46 244 a---h--- C:\sqmnoopt18.sqm
2009-01-04 21:54 268 a---h--- C:\sqmdata17.sqm
2009-01-04 21:54 244 a---h--- C:\sqmnoopt17.sqm
2009-01-04 14:01 268 a---h--- C:\sqmdata16.sqm
2009-01-04 14:01 244 a---h--- C:\sqmnoopt16.sqm
2009-01-04 13:37 268 a---h--- C:\sqmdata15.sqm
2009-01-04 13:37 244 a---h--- C:\sqmnoopt15.sqm
2009-01-04 13:37 61 a------- c:\windows\wininit.ini
2009-01-04 13:20 268 a---h--- C:\sqmdata14.sqm
2009-01-04 13:20 244 a---h--- C:\sqmnoopt14.sqm
2009-01-04 12:47 176,128 -------- c:\windows\system32\SiSApCom.dll
2009-01-04 12:47 110,592 -------- c:\windows\system32\TVMode.dll
2009-01-04 12:47 28,672 -------- c:\windows\system32\SiSHook.dll
2009-01-04 12:47 20,480 -------- c:\windows\system32\LCDMode.exe
2009-01-04 12:46 32,768 a------- c:\windows\system32\Keyhook.exe
2009-01-04 12:46 331,776 a------- c:\windows\system32\sistray.exe
2009-01-04 12:46 83,997 a------- c:\windows\VGAsetup.ini
2009-01-04 12:46 258,048 a------- c:\windows\system32\SiSParse.dll
2009-01-04 12:46 49,152 a------- c:\windows\system32\SiSPower.dll
2009-01-04 12:46 49,152 a------- c:\windows\system32\SiSBase.dll
2009-01-04 12:44 <DIR> --d----- c:\program files\SiS VGA Utilities V3.65f
2009-01-04 12:44 <DIR> --d----- c:\windows\system32\trayres
2009-01-04 12:44 100,839 a------- c:\windows\system32\VGAunistlog.ini
2009-01-04 12:41 28,672 a------- c:\windows\system32\SiSPInst.dll
2009-01-04 12:11 <DIR> --d----- C:\ComboFix
2009-01-04 12:09 <DIR> --d----- C:\cmdcons
2009-01-04 12:07 161,792 a------- c:\windows\SWREG.exe
2009-01-04 12:07 98,816 a------- c:\windows\sed.exe
2009-01-04 11:12 268 a---h--- C:\sqmdata13.sqm
2009-01-04 11:12 244 a---h--- C:\sqmnoopt13.sqm
2009-01-04 11:03 <DIR> --d----- c:\program files\Trend Micro
2009-01-03 16:10 268 a---h--- C:\sqmdata12.sqm
2009-01-03 16:10 244 a---h--- C:\sqmnoopt12.sqm
2009-01-03 00:09 268 a---h--- C:\sqmdata11.sqm
2009-01-03 00:09 244 a---h--- C:\sqmnoopt11.sqm
2009-01-02 22:12 268 a---h--- C:\sqmdata10.sqm
2009-01-02 22:12 244 a---h--- C:\sqmnoopt10.sqm
2009-01-02 21:38 268 a---h--- C:\sqmdata09.sqm
2009-01-02 21:38 244 a---h--- C:\sqmnoopt09.sqm
2009-01-02 21:18 268 a---h--- C:\sqmdata08.sqm
2009-01-02 21:18 244 a---h--- C:\sqmnoopt08.sqm
2009-01-02 18:58 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-02 18:47 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-02 18:47 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-02 18:47 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-02 18:47 <DIR> --d----- c:\program files\AVG
2009-01-02 18:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-02 18:39 268 a---h--- C:\sqmdata07.sqm
2009-01-02 18:39 244 a---h--- C:\sqmnoopt07.sqm
2009-01-02 17:32 <DIR> --d----- c:\windows\system32\LogFiles
2009-01-02 16:47 268 a---h--- C:\sqmdata06.sqm
2009-01-02 16:47 244 a---h--- C:\sqmnoopt06.sqm
2009-01-02 16:13 268 a---h--- C:\sqmdata05.sqm
2009-01-02 16:13 244 a---h--- C:\sqmnoopt05.sqm
2009-01-02 15:54 268 a---h--- C:\sqmdata04.sqm
2009-01-02 15:54 244 a---h--- C:\sqmnoopt04.sqm
2009-01-02 15:50 337,320 a------- c:\windows\difxapi.dll
2009-01-01 23:26 268 a---h--- C:\sqmdata03.sqm
2009-01-01 23:26 244 a---h--- C:\sqmnoopt03.sqm
2009-01-01 10:13 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-24 06:58 <DIR> --d----- c:\docume~1\amanda\applic~1\Windows Search
2008-12-21 14:48 98,304 a------- c:\windows\system32\CmdLineExt.dll
2008-12-21 14:47 0 a------- c:\windows\vpd.properties

==================== Find3M ====================

2009-01-12 11:43 111,616 a------- c:\windows\system32\userinit.exe
2008-12-13 00:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\drivers\srv.sys
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-07 16:45 2,174,976 -------- c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-03 11:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100320081004\index.dat

============= FINISH: 17:00:00.70 ===============

Edited by Amandinxia, 18 January 2009 - 06:41 PM.
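Two checks a responder would run against the Winlogon\Userinit logon chain that Malwarebytes keeps flagging in the post above. This is an added example, not code from the thread or from any of the tools mentioned in it. The Userinit value is a comma-separated list of programs Winlogon starts at logon; the first check parses it and flags anything other than the stock system32\userinit.exe. The second hashes the live userinit.exe against the copies Windows File Protection and ComboFix fall back on (dllcache and $NtServicePackUninstall$), because a binary that has been patched in place, with a matching copy planted in dllcache, is exactly the case where "all copies agree" tells you nothing. The registry values, the file bytes, the temporary directory layout and the name loader.exe are all constructed test data; the directory names follow the Windows XP layout visible in the DDS and ComboFix logs, and SHA-256 is this example's choice, not anything the page specifies.

```python
"""Added example (not from the BleepingComputer thread): checks on the
Winlogon\\Userinit logon chain. All inputs below are constructed."""
import hashlib
import os
import shutil
import tempfile

SYSTEM_ROOT = "c:\\windows"                      # XP layout, as in the posted logs
EXPECTED_USERINIT = SYSTEM_ROOT + "\\system32\\userinit.exe"


def parse_userinit(value):
    """Split a Userinit REG_SZ into normalised program paths.

    Winlogon tolerates a trailing comma ('...userinit.exe,'), a system32-relative
    path ('system32\\userinit.exe'), %SystemRoot% and mixed case, so every form
    is folded to one lower-case absolute path before comparison."""
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"').lower()
        if not entry:
            continue
        entry = entry.replace("%systemroot%", SYSTEM_ROOT)
        if "\\" not in entry:                     # bare name resolves from system32
            entry = SYSTEM_ROOT + "\\system32\\" + entry
        elif entry[1:3] != ":\\":                # relative to %SystemRoot%
            entry = SYSTEM_ROOT + "\\" + entry
        entries.append(entry)
    return entries


def unexpected_userinit_entries(value):
    """Entries that are not the stock userinit.exe; an empty list is clean."""
    return [e for e in parse_userinit(value) if e != EXPECTED_USERINIT]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_userinit_copies(system_root, known_good_sha256=None):
    """Hash userinit.exe and its backup copies and report the suspicious ones.

    With a known-good hash, every copy that differs from it is suspicious.
    Without one, only the minority hash can be flagged, which is wrong when
    the attacker also overwrote dllcache (the case this example constructs)."""
    candidates = [
        os.path.join(system_root, "system32", "userinit.exe"),
        os.path.join(system_root, "system32", "dllcache", "userinit.exe"),
        os.path.join(system_root, "$NtServicePackUninstall$", "userinit.exe"),
    ]
    hashes = {p: sha256_file(p) for p in candidates if os.path.isfile(p)}
    if known_good_sha256 is not None:
        bad = [p for p, h in hashes.items() if h != known_good_sha256]
    else:
        counts = {}
        for h in hashes.values():
            counts[h] = counts.get(h, 0) + 1
        majority = max(counts, key=counts.get) if counts else None
        bad = [p for p, h in hashes.items() if h != majority]
    return hashes, bad


def build_sample_tree():
    """Constructed sample: live and dllcache copies patched, SP backup clean."""
    root = tempfile.mkdtemp(prefix="winroot_")
    clean = b"MZ clean userinit " + b"\x00" * 100
    patched = clean + b"<injected loader stub>"
    layout = {
        os.path.join("system32", "userinit.exe"): patched,
        os.path.join("system32", "dllcache", "userinit.exe"): patched,
        os.path.join("$NtServicePackUninstall$", "userinit.exe"): clean,
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root, hashlib.sha256(clean).hexdigest()


def run_demo():
    """Returns (registry findings, majority-vote result, reference-hash result)."""
    values = {                                    # constructed registry values
        "clean": "C:\\WINDOWS\\system32\\userinit.exe,",
        "relative-clean": "system32\\userinit.exe",
        # hypothetical appended entry; loader.exe is not a name from the thread
        "appended": "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\loader.exe",
    }
    reg_findings = {name: unexpected_userinit_entries(v) for name, v in values.items()}
    root, good_hash = build_sample_tree()
    try:
        _, majority_bad = compare_userinit_copies(root)
        _, reference_bad = compare_userinit_copies(root, good_hash)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return reg_findings, majority_bad, reference_bad


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

On a live XP box the value itself comes from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit`; the registry check catches the usual "append my loader" trick, while the hash check is what matters in this thread, where the value was normal and the file behind it was patched. The demo's majority vote flags the one clean copy as the odd one out, which is why a reference hash (or, as ComboFix did, a restore from $NtServicePackUninstall$ rather than from dllcache) is needed.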

#2 Thunder (Members, 3,294 posts; Location: Belgium)

Posted 19 January 2009 - 03:40 AM

Hello Amandinxia and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (it can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder

#3 Amandinxia (Topic Starter)

Posted 19 January 2009 - 09:40 AM

Thank you for such a quick response; I appreciate it.

Here is the Goored Log:

GooredFix v1.83 by jpshortstuff
Log created at 08:11 on 19/01/2009 running Option #2 (Amanda)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{DE0403EF-A5C6-496D-B669-54F6765C8F99}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{DE0403EF-A5C6-496D-B669-54F6765C8F99}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{DE0403EF-A5C6-496D-B669-54F6765C8F99}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{FAB613D4-6868-42DC-A7A1-AA32F7D6F95D}"="C:\Documents and Settings\Amanda\Local Settings\Application Data\{FAB613D4-6868-42DC-A7A1-AA32F7D6F95D}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Amanda\Local Settings\Application Data\{FAB613D4-6868-42DC-A7A1-AA32F7D6F95D}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"



And here is the ComboFix log:

ComboFix 09-01-18.03 - Amanda 2009-01-19 8:24:31.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1214.806 [GMT -6:00]
Running from: c:\documents and settings\Amanda\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-12 16:03 . 2009-01-12 16:03 <DIR> d--hs---- C:\FOUND.000
2009-01-12 14:16 . 2009-01-12 14:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-12 14:16 . 2009-01-12 14:16 <DIR> d-------- c:\documents and settings\Amanda\Application Data\Malwarebytes
2009-01-12 14:16 . 2009-01-12 14:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-12 14:16 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 14:16 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-12 13:50 . 2009-01-12 13:50 <DIR> d-------- c:\documents and settings\Amanda\DoctorWeb
2009-01-05 07:46 . 2009-01-05 07:46 268 --ah----- C:\sqmdata18.sqm
2009-01-05 07:46 . 2009-01-05 07:46 244 --ah----- C:\sqmnoopt18.sqm
2009-01-04 21:54 . 2009-01-04 21:54 268 --ah----- C:\sqmdata17.sqm
2009-01-04 21:54 . 2009-01-04 21:54 244 --ah----- C:\sqmnoopt17.sqm
2009-01-04 14:01 . 2009-01-04 14:01 268 --ah----- C:\sqmdata16.sqm
2009-01-04 14:01 . 2009-01-04 14:01 244 --ah----- C:\sqmnoopt16.sqm
2009-01-04 13:37 . 2009-01-04 13:37 268 --ah----- C:\sqmdata15.sqm
2009-01-04 13:37 . 2009-01-04 13:37 244 --ah----- C:\sqmnoopt15.sqm
2009-01-04 13:37 . 2009-01-04 13:37 61 --a------ c:\windows\wininit.ini
2009-01-04 13:20 . 2009-01-04 13:20 268 --ah----- C:\sqmdata14.sqm
2009-01-04 13:20 . 2009-01-04 13:20 244 --ah----- C:\sqmnoopt14.sqm
2009-01-04 12:47 . 2005-01-04 10:50 176,128 --------- c:\windows\system32\SiSApCom.dll
2009-01-04 12:47 . 2005-01-04 10:54 110,592 --------- c:\windows\system32\TVMode.dll
2009-01-04 12:47 . 2005-03-01 18:08 28,672 --------- c:\windows\system32\SiSHook.dll
2009-01-04 12:47 . 2005-01-04 10:54 20,480 --------- c:\windows\system32\LCDMode.exe
2009-01-04 12:46 . 2005-01-04 16:52 331,776 --a------ c:\windows\system32\sistray.exe
2009-01-04 12:46 . 2005-02-25 13:34 258,048 --a------ c:\windows\system32\SiSParse.dll
2009-01-04 12:46 . 2005-03-04 08:51 83,997 --a------ c:\windows\VGAsetup.ini
2009-01-04 12:46 . 2005-02-25 13:35 49,152 --a------ c:\windows\system32\SiSPower.dll
2009-01-04 12:46 . 2005-02-25 13:33 49,152 --a------ c:\windows\system32\SiSBase.dll
2009-01-04 12:46 . 2005-03-04 13:13 32,768 --a------ c:\windows\system32\Keyhook.exe
2009-01-04 12:44 . 2009-01-04 12:44 <DIR> d-------- c:\windows\system32\trayres
2009-01-04 12:44 . 2009-01-04 12:44 <DIR> d-------- c:\program files\SiS VGA Utilities V3.65f
2009-01-04 12:44 . 2009-01-04 12:47 100,839 --a------ c:\windows\system32\VGAunistlog.ini
2009-01-04 12:41 . 2005-02-25 13:34 28,672 --a------ c:\windows\system32\SiSPInst.dll
2009-01-04 11:12 . 2009-01-04 11:12 268 --ah----- C:\sqmdata13.sqm
2009-01-04 11:12 . 2009-01-04 11:12 244 --ah----- C:\sqmnoopt13.sqm
2009-01-04 11:03 . 2009-01-04 11:03 <DIR> d-------- c:\program files\Trend Micro
2009-01-03 16:10 . 2009-01-03 16:10 268 --ah----- C:\sqmdata12.sqm
2009-01-03 16:10 . 2009-01-03 16:10 244 --ah----- C:\sqmnoopt12.sqm
2009-01-03 00:09 . 2009-01-03 00:09 268 --ah----- C:\sqmdata11.sqm
2009-01-03 00:09 . 2009-01-03 00:09 244 --ah----- C:\sqmnoopt11.sqm
2009-01-02 22:12 . 2009-01-02 22:12 268 --ah----- C:\sqmdata10.sqm
2009-01-02 22:12 . 2009-01-02 22:12 244 --ah----- C:\sqmnoopt10.sqm
2009-01-02 21:38 . 2009-01-02 21:38 268 --ah----- C:\sqmdata09.sqm
2009-01-02 21:38 . 2009-01-02 21:38 244 --ah----- C:\sqmnoopt09.sqm
2009-01-02 21:18 . 2009-01-02 21:18 268 --ah----- C:\sqmdata08.sqm
2009-01-02 21:18 . 2009-01-02 21:18 244 --ah----- C:\sqmnoopt08.sqm
2009-01-02 18:58 . 2009-01-02 18:58 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-02 18:47 . 2009-01-02 18:47 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-02 18:47 . 2009-01-02 18:47 <DIR> d-------- c:\program files\AVG
2009-01-02 18:47 . 2009-01-02 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-02 18:47 . 2009-01-02 18:47 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-02 18:47 . 2009-01-02 18:47 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-02 18:39 . 2009-01-02 18:39 268 --ah----- C:\sqmdata07.sqm
2009-01-02 18:39 . 2009-01-02 18:39 244 --ah----- C:\sqmnoopt07.sqm
2009-01-02 17:32 . 2009-01-02 17:32 <DIR> d-------- c:\windows\system32\LogFiles
2009-01-02 16:47 . 2009-01-02 16:47 268 --ah----- C:\sqmdata06.sqm
2009-01-02 16:47 . 2009-01-02 16:47 244 --ah----- C:\sqmnoopt06.sqm
2009-01-02 16:13 . 2009-01-02 16:13 268 --ah----- C:\sqmdata05.sqm
2009-01-02 16:13 . 2009-01-02 16:13 244 --ah----- C:\sqmnoopt05.sqm
2009-01-02 15:54 . 2009-01-02 15:54 268 --ah----- C:\sqmdata04.sqm
2009-01-02 15:54 . 2009-01-02 15:54 244 --ah----- C:\sqmnoopt04.sqm
2009-01-02 15:50 . 2006-03-22 13:53 337,320 --a------ c:\windows\difxapi.dll
2009-01-01 23:26 . 2009-01-01 23:26 268 --ah----- C:\sqmdata03.sqm
2009-01-01 23:26 . 2009-01-01 23:26 244 --ah----- C:\sqmnoopt03.sqm
2009-01-01 10:13 . 2009-01-01 10:13 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-24 06:58 . 2008-12-24 06:58 <DIR> d-------- c:\documents and settings\Amanda\Application Data\Windows Search
2008-12-21 14:48 . 2008-12-21 14:48 <DIR> dr-h----- c:\documents and settings\Amanda\Application Data\SecuROM
2008-12-21 14:48 . 2008-12-21 14:48 98,304 --a------ c:\windows\system32\CmdLineExt.dll
2008-12-21 14:47 . 2008-12-21 14:59 0 --a------ c:\windows\vpd.properties

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-11-07 22:45 2,174,976 ------w c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-03 17:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100320081004\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-04_12.22.05.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-12-11 14:00:28 1,165,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-01-14 16:43:26 1,165,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-12-11 14:00:28 20,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-14 16:43:28 20,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-12-11 14:00:28 159,504 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-01-14 16:43:28 159,504 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-12-11 14:00:28 184,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-01-14 16:43:28 184,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-12-11 14:00:28 217,864 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-14 16:43:28 217,864 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-12-11 14:00:28 18,704 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-14 16:43:28 18,704 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-12-11 14:00:28 35,088 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-14 16:43:28 35,088 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-12-11 14:00:28 845,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-14 16:43:28 845,584 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-12-11 14:00:28 922,384 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-14 16:43:28 922,384 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-12-11 14:00:28 272,648 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-14 16:43:28 272,648 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-12-11 14:00:28 888,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-14 16:43:28 888,080 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-12-11 14:00:28 1,172,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-14 16:43:26 1,172,240 ----a-r c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-09-22 11:38:24 12,288 ----a-w c:\windows\InstFunc.dll
+ 2005-02-25 19:32:54 7,168 ----a-w c:\windows\InstFunc.dll
- 2006-04-28 07:56:40 49,152 ----a-w c:\windows\InstFunc.exe
+ 2004-11-24 14:05:54 32,768 ----a-w c:\windows\InstFunc.exe
- 2000-08-31 14:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2008-09-22 11:37:44 49,152 ----a-w c:\windows\system32\_SiSBase.dll
+ 2008-09-22 11:38:04 258,048 ----a-w c:\windows\system32\_SiSParse.dll
- 2009-01-04 18:16:56 16,384 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-12 20:12:30 16,384 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-04 18:16:56 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-12 20:12:30 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-12 17:43:02 111,616 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6VW9SN07\lsp[1].exe
- 2009-01-04 18:16:56 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-12 20:12:30 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-22 11:42:32 323,584 ----a-w c:\windows\system32\dllcache\sisgrp.sys
+ 2005-03-02 00:09:02 240,640 ----a-w c:\windows\system32\dllcache\sisgrp.sys
+ 2004-08-04 11:00:00 24,576 ----a-w c:\windows\system32\dllcache\userinit.exe
- 2008-09-22 11:42:32 323,584 ----a-w c:\windows\system32\drivers\sisgrp.sys
+ 2005-03-02 00:09:02 240,640 ----a-w c:\windows\system32\drivers\sisgrp.sys
- 2008-09-22 12:04:00 19,072 ----a-w c:\windows\system32\drivers\srvkp.sys
+ 2005-02-25 19:45:32 13,312 ----a-w c:\windows\system32\drivers\srvkp.sys
+ 2008-04-14 01:12:38 26,112 ----a-w c:\windows\system32\init32.exe
- 2008-12-09 23:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2009-01-04 17:54:42 68,752 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-19 13:44:48 68,752 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-04 17:54:42 423,418 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-19 13:44:48 423,418 ----a-w c:\windows\system32\perfh009.dat
- 2007-12-16 15:10:26 544,544 ------w c:\windows\system32\Restore\rstrlog.dat
+ 2009-01-15 03:41:02 303,180 ----a-w c:\windows\system32\Restore\rstrlog.dat
- 2006-01-19 08:34:04 49,152 ----a-w c:\windows\system32\sis660.bin
+ 2005-01-04 17:00:46 49,152 ----a-w c:\windows\system32\sis660.bin
- 2005-10-07 13:13:36 65,536 ----a-w c:\windows\system32\sis741.bin
+ 2003-11-26 16:10:18 65,536 ----a-w c:\windows\system32\sis741.bin
- 2005-10-07 13:13:36 65,536 ----a-w c:\windows\system32\sis760.bin
+ 2003-11-26 16:10:12 65,536 ----a-w c:\windows\system32\sis760.bin
- 2008-09-22 12:03:42 1,571,001 ----a-w c:\windows\system32\sisgl.dll
+ 2005-02-25 20:23:18 1,740,800 ----a-w c:\windows\system32\sisgl.dll
- 2008-09-22 11:47:04 3,473,920 ----a-w c:\windows\system32\sisgrv.dll
+ 2005-03-01 23:47:32 862,208 ----a-w c:\windows\system32\sisgrv.dll
- 2008-09-22 11:38:14 172,032 ----a-w c:\windows\system32\SiSInst.dll
+ 2005-02-25 19:34:04 184,320 ----a-w c:\windows\system32\SiSInst.dll
- 2008-04-14 01:12:38 26,112 ------w c:\windows\system32\userinit.exe
+ 2004-08-04 11:00:00 24,576 ----a-w c:\windows\system32\userinit.exe
+ 2009-01-19 14:29:22 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_494.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Auto EPSON Stylus CX4800 Series on DESKTOP"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Auto EPSON Stylus CX4800 Series on DESKTOP1"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"Auto EPSON Stylus CX4800 Series on DESKTOP1 (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-02 1261336]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 c:\windows\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]
"SiSPower"="SiSPower.dll" [2005-02-25 c:\windows\system32\SiSPower.dll]

c:\documents and settings\Amanda\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-01-04 331776]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-02 97928]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-10-10 11113]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-02 231704]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-10-01 24652]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-10-10 216459]
S4 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys --> c:\windows\system32\drivers\osanbm.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47e795ee-77f3-11da-a4c6-00c09febbe12}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\92bebm9t.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\92bebm9t.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 08:29:42
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2E59814C-B3DE-44FB-94965C0366D98DF0}\{ABEB2D87-DFA0-F53D-992658CC296F0BC9}\{4501FB50-D3D7-43DD-41A9BB47FD107040}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,0e,53,af,dd,aa,
b7,83,a8,c8,28,51,af,b0,29,a3,98,17,1f,67,25,93,f8,60,73,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,6d,99,a8,b6,d5,
d8,51,14,71,3b,04,66,8b,46,0d,96,4b,1b,91,86,f0,bb,18,f4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,c0,c8,39,11,96,
32,dd,a5,25,da,ec,7e,55,20,c9,26,03,ae,ad,f9,01,21,21,91,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74099617-91C0-6CB0-475BC8650FC6C929}\{C2CB2410-92BB-FC4E-376913EB15620FA4}\{B6CDFCFD-0A38-7380-A1288DE48E078F85}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,25,41,3d,6b,af,
27,60,7d,3e,1e,9e,e0,57,5a,93,61,5e,27,e7,54,fb,8f,ec,45,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,d5,14,97,ff,da,
cb,c7,90,cd,44,cd,b9,a6,33,6c,cd,85,66,c1,65,85,40,b7,94,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,2d,47,07,bf,2a,
4d,92,41,b0,18,ed,a7,3f,8d,37,a4,48,db,a5,1c,16,12,1f,f7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,92,98,ec,fd,07,
f3,88,6d,31,77,e1,ba,b1,f8,68,02,3a,47,1b,c7,75,bd,ff,69,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ff,cb,32,1f,63,
2e,50,e4,83,6c,56,8b,a0,85,96,ab,a8,1f,02,22,88,92,8b,e3,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,28,4c,0e,52,a1,
e2,3b,74,51,fa,6e,91,28,9e,14,cc,b2,f7,4b,16,b0,a3,7a,76,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,ee,df,77,ae,db,
52,a5,26,b1,cd,45,5a,a8,c4,f8,b9,c1,15,df,81,4a,91,2d,b5,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,ad,cc,5f,c2,b8,
60,8d,9f,e3,0e,66,d5,eb,bc,2f,6b,7c,1b,c7,c1,c7,b4,41,e0,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,95,14,09,99,35,
86,0d,1a,fa,ea,66,7f,d4,3b,6b,70,f7,a9,eb,9c,ff,b4,40,7e,6c,43,2d,1e,aa,22,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\SYSTEM32\WLTRAY.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\JUNIPER NETWORKS\COMMON FILES\DSNCSERVICE.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\windows\SYSTEM32\SEARCHINDEXER.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-01-19 8:32:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 14:32:34
ComboFix2.txt 2009-01-04 18:22:30

Pre-Run: 7,044,939,776 bytes free
Post-Run: 8,286,601,216 bytes free

362 --- E O F --- 2009-01-14 16:43:34

#4 Amandinxia

Posted 19 January 2009 - 11:41 AM

After running ComboFix, and seeing that "Infected copy of c:\windows\system32\userinit.exe was found and disinfected", I ran a full Malwarebytes scan again, and this time it did not find any infections. It seems like ComboFix took care of the problem - I hope this is the case!

#5 Thunder

Posted 19 January 2009 - 01:24 PM

Hello Amandinxia,

Your log does indeed look fine now.

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
No more problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#6 Amandinxia

Posted 19 January 2009 - 03:51 PM

I don't think there are any more problems... everything seems to be working fine, and the anti virus programs can't detect any problems. I did find and remove a Viewpoint program - thanks for noticing that.

I believe all is well, thanks very much, and have a nice day!

#7 Thunder

Posted 19 January 2009 - 05:20 PM

Glad we could help, Amandinxia.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



