Virtumonde / userinit.exe Virus

Posted 10 February 2009 - 01:11 AM


After downloading some software on the 09/02/09 from a less than reputable site i have been unable to properly login to Windows. My login has changed from the "Graphical" (sorry for none techy description) Windows XP login interface, into an old school text box login. I can login to Windows fine, but only my Desktop Wallpaper loads, so my Start Menu doesn't, along with all my desktop, clock, taskbar etc etc. The only way i can run programs is thru the Task Manager "run" command.

I have run Spyware doctor (found one virtumonde threat and removed it), Norton (found nothing), and SpyBot (found numerous, Virtumonde, Win32.Delf.uc, Nugache.A@mm) all say they have removed the viruses but i still cant login.

After around 20 seconds of a stalled login i get a windows error message saying userinit.exe failed to initialize (was blocked by Windows).

Any help with this issue is greatly appreciated, i didnt know there was places like this, otherwise i would have signed up years ago before wasting hours of my life in the past removing these damn pests.

Thank you for any replies and help received in advance.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 5:49:55.56 on 10/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rapcentral.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://server.iad.liveperson.net/hc/10973025/?

uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

BHO: {09628AAA-66AD-4FA2-82E2-698185B66463} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [cogad] "c:\documents and settings\administrator\application data\cogad\cogad.exe"

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hpq\iam\bin\AsTsVcc.dll,RegisterModule
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SDTray] "c:\program files\spyware doctor\SDTrayApp.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\microsoft

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\microsoft

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search &

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
Notify: urqRJCSj - urqRJCSj.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli AsWlnPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\suext21c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rapcentral.co.uk/
FF - plugin: c:\documents and settings\administrator\application



============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-02-10 05:34 69,700 a------- c:\windows\system32\usrshuta.exe
2009-02-10 05:34 69,700 a------- c:\windows\system32\dllcache\usrshuta.exe
2009-02-10 05:33 73,796 a------- c:\windows\system32\slserv.exe
2009-02-10 05:33 73,796 a------- c:\windows\system32\dllcache\slserv.exe
2009-02-10 05:26 <DIR> --d----- c:\program files\ESET
2009-02-10 05:14 <DIR> --d----- C:\!KillBox
2009-02-10 05:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-10 05:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-10 04:26 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-02-09 16:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\Sports Interactive
2009-02-09 15:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\cogad
2009-02-09 15:13 <DIR> --d----- c:\program files\Steam
2009-02-09 15:13 <DIR> --d-h--- c:\program files\Zero G Registry
2009-02-09 15:13 <DIR> --d----- c:\program files\Sports Interactive
2009-02-09 15:10 <DIR> --d-h--- c:\documents and settings\administrator\InstallAnywhere
2009-02-09 14:37 <DIR> --d----- c:\program files\Alex Feinman
2009-02-03 15:31 <DIR> --d----- c:\program files\JRE
2009-01-24 06:36 38 a------- c:\windows\AviSplitter.INI
2009-01-24 06:33 421,888 a------- c:\windows\system32\ac3filter.acm
2009-01-24 06:32 <DIR> --d----- c:\program files\XP Codec Pack

==================== Find3M ====================

2009-01-07 18:55 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-19 15:15 4,338,246 a------- c:\windows\system32\libavcodec.dll
2008-12-17 17:41 884,237 a------- c:\windows\system32\ff_x264.dll
2008-12-17 17:22 93,184 a------- c:\windows\system32\ff_wmv9.dll
2008-12-17 17:22 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-12-17 17:17 239,247 a------- c:\windows\system32\ff_theora.dll
2008-12-17 16:59 560,802 a------- c:\windows\system32\libmplayer.dll
2008-12-13 06:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-11 00:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-11 00:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-09 02:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-09 02:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-12-08 11:01 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-06 10:40 741,702 a--sh--- c:\windows\system32\gNoYHkkj.ini2
2008-12-01 06:56 408,248 a------- c:\docume~1\admini~1\applic~1\FNTCACHE.BIN
2008-11-29 20:26 991,232 a------- c:\windows\system32\VSFilter.dll
2008-11-28 14:11 585 a------- c:\docume~1\admini~1\applic~1\perfc012.dat
2008-09-17 13:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2007-09-18 01:34 82 a------- c:\docume~1\alluse~1\applic~1\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2007-02-12 19:10 2,682,880 -------- c:\documents and settings\all users\VCREDI~3.EXE

============= FINISH: 5:54:04.01 ===============

Edited by hitemuprobbo, 10 February 2009 - 01:14 AM.

Posted 17 February 2009 - 01:00 PM


If you still need help with this post a fresh dds report making sure that notepad's word wrap is disabled first.

Posted 23 February 2009 - 03:43 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

