Infected with a userinit.exe trojan

9 replies to this topic

#1 Mourdsoe

Mourdsoe

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:07:06 AM

Posted 27 February 2009 - 09:47 PM

I am trying to heal a friend's computer and have tried everything, but I cannot get everything off.

I have searched through the topics and have tried various fixes. Here are the programs I have used:



Malwarebytes' Anti-Malware
SUPERAntiSpyware Free Edition
AntiVir PE Classic
ATF_Cleaner
RSIT
Spybot
Adaware
Avg Free
SDFix

These programs have cleared a lot of the problems, but I still get 'My Computer Online Scan' and 'Virus Remover 2009' popups, and every time I run MBAM I get these 2 infections. No matter what I do I always get these 2 (even after I fix them):



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Here is the DDS.txt log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Larry at 19:41:13.10 on 27/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.306 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Larry\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7c5c0f58-e061-457d-9033-77307f5ed00c} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [EPSON Stylus Photo R280 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticka.exe /fu "c:\windows\temp\E_SFD.tmp" /EF "HKCU"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-25 11840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-13 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-13 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-13 107272]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-14 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-2-12 394952]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-25 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-25 151297]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-13 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-13 298264]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-25 52032]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-02-27 19:34 7,680 ac-sh--- c:\windows\Thumbs.db
2009-02-26 22:21 <DIR> -cd----- c:\windows\ERUNT
2009-02-26 22:14 <DIR> -cd----- C:\SDFix
2009-02-25 22:33 <DIR> -cd----- c:\program files\Avira
2009-02-25 22:33 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-25 21:55 <DIR> -cd----- c:\program files\trend micro
2009-02-25 20:18 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-25 20:18 <DIR> -cd----- c:\program files\SUPERAntiSpyware
2009-02-25 20:18 <DIR> -cd----- c:\docume~1\larry\applic~1\SUPERAntiSpyware.com
2009-02-25 18:39 <DIR> -cd----- c:\docume~1\larry\applic~1\Malwarebytes
2009-02-25 18:39 15,504 ac------ c:\windows\system32\drivers\mbam.sys
2009-02-25 18:39 38,496 ac------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 18:39 <DIR> -cd----- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 18:39 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 12:37 410,984 ac------ c:\windows\system32\deploytk.dll
2009-02-24 16:07 54,156 ac--h--- c:\windows\QTFont.qfn
2009-02-24 16:07 1,409 ac------ c:\windows\QTFont.for
2009-02-20 15:46 71 ac------ c:\windows\EPSONCD.INI

==================== Find3M ====================

2009-02-27 19:41 30,052,384 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-26 22:44 341,840 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-02-25 12:08 54,272 ac------ c:\windows\system32\userinit.exe
2009-02-06 10:44 325,128 ac------ c:\windows\system32\drivers\avgldx86.sys
2009-02-06 10:44 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-06 10:44 107,272 ac------ c:\windows\system32\drivers\avgtdix.sys

============= FINISH: 19:41:48.87 ===============


Edited by Mourdsoe, 27 February 2009 - 09:48 PM.



#2 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 04 March 2009 - 04:08 PM

Mourdsoe

Please download Combofix and save to your desktop. Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 Mourdsoe

Mourdsoe
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:07:06 AM

Posted 04 March 2009 - 08:06 PM

OK, I ran Combofix. The ComboFix.txt is below; however, there were a couple of problems.

I wasn't connected to the internet, and simply plugging in the ethernet cord was not working, so I went ahead with the scan anyway.

Upon reboot, it seems explorer.exe isn't starting (or maybe I'm just impatient). I have to start the explorer.exe task myself.

I tried closing all the AVG processes I had, but it still said I had AVG running.

Here is the log, let me know what to do next.

Thanks for your help

ComboFix 09-03-03.01 - Larry 2009-03-04 18:47:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.495 [GMT -6:00]
Running from: c:\documents and settings\Larry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\init32.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

2009-02-27 19:34 . 2009-02-27 19:34 7,680 --ahsc--- c:\windows\Thumbs.db
2009-02-26 22:21 . 2009-02-26 22:21 <DIR> d----c--- c:\windows\ERUNT
2009-02-26 22:16 . 2009-02-26 22:16 <DIR> d----c--- c:\documents and settings\Administrator
2009-02-26 22:14 . 2009-02-26 22:57 <DIR> d----c--- C:\SDFix
2009-02-25 22:33 . 2009-02-25 22:33 <DIR> d----c--- c:\program files\Avira
2009-02-25 22:33 . 2009-02-25 22:33 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Avira
2009-02-25 21:55 . 2009-02-25 21:55 <DIR> d----c--- C:\rsit
2009-02-25 21:55 . 2009-02-25 21:55 <DIR> d----c--- c:\program files\trend micro
2009-02-25 20:18 . 2009-02-25 21:18 <DIR> d----c--- c:\program files\SUPERAntiSpyware
2009-02-25 20:18 . 2009-02-25 20:18 <DIR> d----c--- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com
2009-02-25 20:18 . 2009-02-25 20:18 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 18:39 . 2009-02-25 18:39 <DIR> d----c--- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 18:39 . 2009-02-25 18:39 <DIR> d----c--- c:\documents and settings\Larry\Application Data\Malwarebytes
2009-02-25 18:39 . 2009-02-25 18:39 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-25 18:39 . 2009-02-11 10:19 38,496 --a--c--- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 18:39 . 2009-02-11 10:19 15,504 --a--c--- c:\windows\system32\drivers\mbam.sys
2009-02-25 12:37 . 2009-02-25 12:37 410,984 --a--c--- c:\windows\system32\deploytk.dll
2009-02-24 16:07 . 2009-02-25 09:56 54,156 --ah-c--- c:\windows\QTFont.qfn
2009-02-24 16:07 . 2009-02-24 16:07 1,409 --a--c--- c:\windows\QTFont.for
2009-02-20 15:46 . 2009-02-20 15:48 71 --a--c--- c:\windows\EPSONCD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 00:50 30,865,440 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-05 00:30 362,792 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-28 02:51 --------- dc----w c:\program files\RegScrubXP
2009-02-27 04:16 --------- dc----w c:\program files\Conduit
2009-02-26 02:18 --------- dc----w c:\program files\Common Files\Wise Installation Wizard
2009-02-26 01:55 7,381,978 -c--a-w c:\windows\Internet Logs\tvDebug.zip
2009-02-25 18:37 --------- dc----w c:\program files\Java
2009-02-25 18:08 54,272 -c--a-w c:\windows\system32\userinit.exe
2009-02-24 16:18 --------- dc-h--w c:\program files\InstallShield Installation Information
2009-02-18 22:14 --------- dc----w c:\program files\Common Files\Adobe
2009-02-06 16:44 325,128 -c--a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-06 16:44 107,272 -c--a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-06 16:44 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-06 16:44 --------- dc----w c:\documents and settings\All Users\Application Data\avg8
2009-01-23 19:15 --------- dc----w c:\program files\BitLord
.

------- Sigcheck -------

2009-02-25 12:08 54272 94a91e7235a21f35d0d6bef41c485efe c:\windows\system32\userinit.exe
2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R280 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-30 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-30 86016]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2002-04-26 12288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2006-10-30 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-04-02 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-06 10:44 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-13 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-13 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-13 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-13 298264]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-02-28 c:\windows\Tasks\At1.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At10.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At11.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At12.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At13.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At14.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At15.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At16.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At17.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At18.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At19.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At2.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At20.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At21.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At22.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At23.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At24.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At3.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At4.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At5.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At6.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At7.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At8.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At9.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)


.
------- Supplementary Scan -------
.
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 18:49:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-04 18:51:19
ComboFix-quarantined-files.txt 2009-03-05 00:51:16

Pre-Run: 6,111,600,640 bytes free
Post-Run: 6,100,029,440 bytes free

186 --- E O F --- 2008-06-20 23:24:32

Edited by Mourdsoe, 04 March 2009 - 08:07 PM.


#4 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 05 March 2009 - 03:40 PM

Mourdsoe

The c:\windows\system32\userinit.exe is corrupted. This is a windows system file, and needs to be replaced. It will have to be replaced manually. I am going to give you instructions on how to do it, but I recommend that you print out these instructions so they can be easily followed.

Log in as Administrator

1. Using Windows Explorer (right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents.)
Locate and open the following folder: c:\windows\system32
With the folder open in Windows Explorer, at the top toolbar select View ->> Arrange Icons by ->> Name
This will make it easier for you to find and keep track of the file we are after.
The icons will shuffle. Then scroll down in the folder window and locate the file

C:\Windows\System32\userinit.exe

Right click and delete that file. After a few seconds, less than a minute, Windows should automatically replace that file in the same location with the one from the DLLcache. Once that file has been replaced, close the open Explorer window ->> Reboot your PC ->> Rerun Combofix and post a fresh Combofix log.

If Windows does not automatically replace the file, then retrieve the one you deleted from the recycle bin. To do that, open the recycle bin ->> Right click userinit.exe ->> Select Restore ->> And it will return to the system32 folder.

Reply with the results
Microsoft MVP - Windows Security
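The replacement step above works because the protected copy in dllcache differs from the live file, which the "Sigcheck" section of the ComboFix log posted earlier shows (different size and MD5). The following Python script, added here as an example and not code from this thread or from ComboFix, parses that Sigcheck section and reports every system32 file whose hash does not match its dllcache copy; the sample input is constructed from the two Sigcheck lines copied out of the log above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the Sigcheck section as it appears in the ComboFix log posted above.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------

2009-02-25 12:08 54272 94a91e7235a21f35d0d6bef41c485efe c:\windows\system32\userinit.exe
2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# One Sigcheck entry: "<date> <time> <size> <md5> <path>"
SIGCHECK_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$"
)


def parse_sigcheck(log_text):
    """Return the entries of the Sigcheck section of a ComboFix log as dicts.

    Only lines between the "------- Sigcheck -------" banner and the next
    "((((" section banner are considered.
    """
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("------- Sigcheck"):
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # next ComboFix section, Sigcheck is over
        if not in_section:
            continue
        m = SIGCHECK_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].lower()
            entry["path"] = entry["path"].lower()
            entries.append(entry)
    return entries


def find_dllcache_mismatches(entries):
    """Pair each live file with its dllcache copy by file name; report hash differences.

    ComboFix prints the live file and the dllcache copy as separate lines, so a
    file whose live MD5 differs from the cached MD5 has been modified or replaced.
    """
    by_name = {}
    for e in entries:
        p = PureWindowsPath(e["path"])
        role = "cache" if "dllcache" in p.parts else "live"
        by_name.setdefault(p.name, {})[role] = e

    mismatches = []
    for name, pair in sorted(by_name.items()):
        if "live" not in pair or "cache" not in pair:
            continue  # nothing to compare against
        live, cache = pair["live"], pair["cache"]
        if live["md5"] != cache["md5"]:
            mismatches.append({
                "file": name,
                "live_path": live["path"],
                "live_size": live["size"],
                "live_md5": live["md5"],
                "cache_size": cache["size"],
                "cache_md5": cache["md5"],
            })
    return mismatches


if __name__ == "__main__":
    for mm in find_dllcache_mismatches(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"{mm['file']}: live {mm['live_size']} bytes {mm['live_md5']} "
              f"!= dllcache {mm['cache_size']} bytes {mm['cache_md5']}")
```

Running it on a full ComboFix log (read the file and pass its text to `parse_sigcheck`) lists every protected system file that no longer matches its dllcache copy, which is the condition the manual replacement step above is meant to fix.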

#5 Mourdsoe

Mourdsoe
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:07:06 AM

Posted 05 March 2009 - 07:37 PM

The new log is below, thank you for your continued help.

ComboFix 09-03-03.01 - Larry 2009-03-05 18:31:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.451 [GMT -6:00]
Running from: c:\documents and settings\Larry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-02-27 19:34 . 2009-02-27 19:34 7,680 --ahsc--- c:\windows\Thumbs.db
2009-02-26 22:21 . 2009-02-26 22:21 <DIR> d----c--- c:\windows\ERUNT
2009-02-26 22:16 . 2009-02-26 22:16 <DIR> d----c--- c:\documents and settings\Administrator
2009-02-26 22:14 . 2009-02-26 22:57 <DIR> d----c--- C:\SDFix
2009-02-25 22:33 . 2009-02-25 22:33 <DIR> d----c--- c:\program files\Avira
2009-02-25 22:33 . 2009-02-25 22:33 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Avira
2009-02-25 21:55 . 2009-02-25 21:55 <DIR> d----c--- C:\rsit
2009-02-25 21:55 . 2009-02-25 21:55 <DIR> d----c--- c:\program files\trend micro
2009-02-25 20:18 . 2009-02-25 21:18 <DIR> d----c--- c:\program files\SUPERAntiSpyware
2009-02-25 20:18 . 2009-02-25 20:18 <DIR> d----c--- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com
2009-02-25 20:18 . 2009-02-25 20:18 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 18:39 . 2009-02-25 18:39 <DIR> d----c--- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 18:39 . 2009-02-25 18:39 <DIR> d----c--- c:\documents and settings\Larry\Application Data\Malwarebytes
2009-02-25 18:39 . 2009-02-25 18:39 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-25 18:39 . 2009-02-11 10:19 38,496 --a--c--- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 18:39 . 2009-02-11 10:19 15,504 --a--c--- c:\windows\system32\drivers\mbam.sys
2009-02-25 12:37 . 2009-02-25 12:37 410,984 --a--c--- c:\windows\system32\deploytk.dll
2009-02-24 16:07 . 2009-02-25 09:56 54,156 --ah-c--- c:\windows\QTFont.qfn
2009-02-24 16:07 . 2009-02-24 16:07 1,409 --a--c--- c:\windows\QTFont.for
2009-02-20 15:46 . 2009-02-20 15:48 71 --a--c--- c:\windows\EPSONCD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 00:33 31,039,520 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-06 00:25 364,880 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-28 02:51 --------- dc----w c:\program files\RegScrubXP
2009-02-27 04:16 --------- dc----w c:\program files\Conduit
2009-02-26 02:18 --------- dc----w c:\program files\Common Files\Wise Installation Wizard
2009-02-26 01:55 7,381,978 -c--a-w c:\windows\Internet Logs\tvDebug.zip
2009-02-25 18:37 --------- dc----w c:\program files\Java
2009-02-25 18:08 54,272 -c--a-w c:\windows\system32\userinit.exe.tmp
2009-02-24 16:18 --------- dc-h--w c:\program files\InstallShield Installation Information
2009-02-18 22:14 --------- dc----w c:\program files\Common Files\Adobe
2009-02-06 16:44 325,128 -c--a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-06 16:44 107,272 -c--a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-06 16:44 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-06 16:44 --------- dc----w c:\documents and settings\All Users\Application Data\avg8
2009-01-23 19:15 --------- dc----w c:\program files\BitLord
.

((((((((((((((((((((((((((((( SnapShot@2009-03-04_18.50.25.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-25 18:08:30 54,272 -c--a-w c:\windows\system32\userinit.exe
+ 2004-08-04 12:00:00 24,576 -c--a-w c:\windows\system32\userinit.exe
+ 2009-03-06 00:26:13 16,384 -c--atw c:\windows\Temp\Perflib_Perfdata_664.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R280 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-30 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-30 86016]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2002-04-26 12288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2006-10-30 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-04-02 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-06 10:44 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-13 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-13 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-13 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-13 298264]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-02-28 c:\windows\Tasks\At1.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At10.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At11.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At12.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At13.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At14.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At15.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At16.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At17.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-27 c:\windows\Tasks\At18.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At19.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At2.job
- c:\windows\system32\Lp682UI7.exe []

2009-03-05 c:\windows\Tasks\At20.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At21.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At22.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At23.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At24.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At3.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At4.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At5.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At6.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At7.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At8.job
- c:\windows\system32\Lp682UI7.exe []

2009-02-28 c:\windows\Tasks\At9.job
- c:\windows\system32\Lp682UI7.exe []

2009-03-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 18:33:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-05 18:34:57
ComboFix-quarantined-files.txt 2009-03-06 00:34:54
ComboFix2.txt 2009-03-05 00:51:21

Pre-Run: 6,047,105,024 bytes free
Post-Run: 6,034,493,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

187 --- E O F --- 2008-06-20 23:24:32

#6 bamajim


Posted 06 March 2009 - 09:04 AM

Mourdsoe

You are most welcome.

How did that last fix affect the PC operation?

Do you still have to enable explorer manually?

And how about your ability to connect to IE?
Microsoft MVP - Windows Security

#7 Mourdsoe


Posted 06 March 2009 - 09:25 AM

It starts by itself, no need to start explorer.exe

IE works normally so far.

Anything else I should do?

Let me know, thanks.

Edited by Mourdsoe, 06 March 2009 - 11:14 AM.


#8 bamajim


Posted 06 March 2009 - 04:45 PM

Mourdsoe

Good work.

Just a little clean up now.

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

File::
c:\windows\system32\userinit.exe.tmp
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run ComboFix again; do so.
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply

Microsoft MVP - Windows Security
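The At1 to At24 jobs in the log earlier in the thread all launch one cryptic executable in system32 with an empty [] where the other entry carries a file stamp, and the helper's CFScript in the post above lists exactly those .job files for ComboFix to remove. The Python below is an added example (not code from the thread, from ComboFix or from the helper) that parses the 'Scheduled Tasks' section of a constructed log excerpt, flags such clusters, and renders them in the File:: layout shown above. The cluster threshold min_jobs and the regexes are my own assumptions about the log format, based only on the entries visible in the thread.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the ComboFix 'Scheduled Tasks'
# section shown in the thread (three of the At*.job entries, not all 24).
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder

2009-02-28 c:\\windows\\Tasks\\At1.job
- c:\\windows\\system32\\Lp682UI7.exe []

2009-02-28 c:\\windows\\Tasks\\At2.job
- c:\\windows\\system32\\Lp682UI7.exe []

2009-02-27 c:\\windows\\Tasks\\At13.job
- c:\\windows\\system32\\Lp682UI7.exe []

2009-03-05 c:\\windows\\Tasks\\Check Updates for Windows Live Toolbar.job
- c:\\program files\\Windows Live Toolbar\\MSNTBUP.EXE [2007-10-19 11:20]
.
------- Supplementary Scan -------
"""

# "<date> <path to .job>" followed by "- <target> [<file stamp>]" (assumed layout)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S.*\.job)\s*$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]*)\]\s*$")

def parse_scheduled_tasks(log):
    """Return (job_path, target_path, stamp) triples from the 'Scheduled
    Tasks' section; stamp is '' when the bracket after the target is empty."""
    tasks, in_section, lines, i = [], False, log.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
        elif in_section and line.startswith("-------"):
            break  # start of the next log section
        elif in_section:
            m = TASK_RE.match(line)
            t = TARGET_RE.match(lines[i + 1]) if m and i + 1 < len(lines) else None
            if t:
                tasks.append((m.group("job"), t.group("target"), t.group("stamp")))
                i += 1  # consume the target line
        i += 1
    return tasks

def suspicious_clusters(tasks, min_jobs=3):
    """Group At*.job entries by target; keep targets that at least min_jobs
    jobs launch while the target has no file stamp ([]), the pattern the 24
    At jobs in the thread show. min_jobs is my threshold, not a ComboFix rule."""
    by_target = defaultdict(list)
    for job, target, stamp in tasks:
        name = job.rsplit("\\", 1)[-1]
        if re.fullmatch(r"At\d+\.job", name, re.I) and stamp == "":
            by_target[target.lower()].append(job)
    return {t: jobs for t, jobs in by_target.items() if len(jobs) >= min_jobs}

def cfscript_file_block(clusters):
    """Render the flagged .job paths as a File:: block in the layout of the
    helper's CFScript above (sorted, so At1, At10, At11, ... At2, as there)."""
    paths = sorted(j for jobs in clusters.values() for j in jobs)
    return "File::\n" + "\n".join(paths) + "\n"
```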

#9 Mourdsoe


Posted 07 March 2009 - 12:23 PM

Below is the combofix.txt.

Which Anti Virus would you use? AVG Free OR Avira? OR something else?

Let me know your answer to this and if there is anything else you need me to do. Thanks!


ComboFix 09-03-03.01 - Larry 2009-03-07 11:15:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.408 [GMT -6:00]
Running from: c:\documents and settings\Larry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Larry\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\userinit.exe.tmp
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe.tmp
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2009-03-06 09:46 . 2009-03-07 11:18 262,176 --ahsc--- c:\windows\system32\drivers\fidbox.dat
2009-03-06 09:46 . 2009-03-06 10:15 2,372 --ahsc--- c:\windows\system32\drivers\fidbox.idx
2009-03-06 09:43 . 2008-07-09 09:05 75,248 --a--c--- c:\windows\zllsputility.exe
2009-03-06 09:42 . 2009-03-06 09:42 <DIR> d----c--- c:\program files\Zone Labs
2009-02-27 19:34 . 2009-02-27 19:34 7,680 --ahsc--- c:\windows\Thumbs.db
2009-02-26 22:21 . 2009-02-26 22:21 <DIR> d----c--- c:\windows\ERUNT
2009-02-26 22:16 . 2009-02-26 22:16 <DIR> d----c--- c:\documents and settings\Administrator
2009-02-26 22:14 . 2009-02-26 22:57 <DIR> d----c--- C:\SDFix
2009-02-25 22:33 . 2009-02-25 22:33 <DIR> d----c--- c:\program files\Avira
2009-02-25 22:33 . 2009-02-25 22:33 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Avira
2009-02-25 21:55 . 2009-02-25 21:55 <DIR> d----c--- C:\rsit
2009-02-25 21:55 . 2009-02-25 21:55 <DIR> d----c--- c:\program files\trend micro
2009-02-25 20:18 . 2009-02-25 21:18 <DIR> d----c--- c:\program files\SUPERAntiSpyware
2009-02-25 20:18 . 2009-02-25 20:18 <DIR> d----c--- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com
2009-02-25 20:18 . 2009-02-25 20:18 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 18:39 . 2009-02-25 18:39 <DIR> d----c--- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 18:39 . 2009-02-25 18:39 <DIR> d----c--- c:\documents and settings\Larry\Application Data\Malwarebytes
2009-02-25 18:39 . 2009-02-25 18:39 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-25 18:39 . 2009-02-11 10:19 38,496 --a--c--- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 18:39 . 2009-02-11 10:19 15,504 --a--c--- c:\windows\system32\drivers\mbam.sys
2009-02-25 12:37 . 2009-02-25 12:37 410,984 --a--c--- c:\windows\system32\deploytk.dll
2009-02-24 16:07 . 2009-02-25 09:56 54,156 --ah-c--- c:\windows\QTFont.qfn
2009-02-24 16:07 . 2009-02-24 16:07 1,409 --a--c--- c:\windows\QTFont.for
2009-02-20 15:46 . 2009-02-20 15:48 71 --a--c--- c:\windows\EPSONCD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 02:51 --------- dc----w c:\program files\RegScrubXP
2009-02-27 04:16 --------- dc----w c:\program files\Conduit
2009-02-26 02:18 --------- dc----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 18:37 --------- dc----w c:\program files\Java
2009-02-24 16:18 --------- dc-h--w c:\program files\InstallShield Installation Information
2009-02-18 22:14 --------- dc----w c:\program files\Common Files\Adobe
2009-02-06 16:44 325,128 -c--a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-06 16:44 107,272 -c--a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-06 16:44 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-06 16:44 --------- dc----w c:\documents and settings\All Users\Application Data\avg8
2009-01-23 19:15 --------- dc----w c:\program files\BitLord
.

((((((((((((((((((((((((((((( SnapShot@2009-03-04_18.50.25.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-03 00:07:40 1,914,440 -c--a-w c:\windows\Downloaded Program Files\CONFLICT.1\FP_AX_CAB_INSTALLER.exe
- 2007-11-15 00:04:46 796,048 ----a-w c:\windows\system32\libeay32_0.9.6l.dll
+ 2008-07-09 15:05:08 796,048 -c--a-w c:\windows\system32\libeay32_0.9.6l.dll
+ 2009-02-03 02:07:18 240,544 -c--a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2009-03-06 14:22:26 89,102 -c--a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2009-02-25 18:08:30 54,272 -c--a-w c:\windows\system32\userinit.exe
+ 2004-08-04 12:00:00 24,576 -c--a-w c:\windows\system32\userinit.exe
- 2008-07-15 01:26:41 4,212 -c-h--w c:\windows\system32\zllictbl.dat
+ 2009-03-06 15:45:16 4,212 -c-h--w c:\windows\system32\zllictbl.dat
- 2008-07-15 01:47:07 152,976 -c--a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-07-09 15:05:24 152,976 -c--a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2009-03-07 17:10:13 16,384 -c--atw c:\windows\Temp\Perflib_Perfdata_684.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R280 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-30 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-30 86016]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2002-04-26 12288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"nwiz"="nwiz.exe" [2006-10-30 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-04-02 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-06 10:44 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-13 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-13 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-13 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-13 298264]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 11:17:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-07 11:19:11
ComboFix-quarantined-files.txt 2009-03-07 17:19:08
ComboFix2.txt 2009-03-06 00:34:59
ComboFix3.txt 2009-03-05 00:51:21

Pre-Run: 5,933,887,488 bytes free
Post-Run: 5,949,464,576 bytes free

198 --- E O F --- 2008-06-20 23:24:32

#10 bamajim


Posted 09 March 2009 - 09:55 AM

Mourdsoe

Which Anti Virus would you use? AVG Free OR Avira? OR something else?

I use AVG, but Avira and Avast are good as well. It's personal preference. But the rule is only one antivirus program should be running at any one time.

Let's Remove Combofix

Select Start ->> Run ->> type in combofix /u (there is a space between x and /) Then O.K.


You may now remove/delete/uninstall the other tools we used to clean your PC

Now that your log is clean

There are some final notes:
Let's create a clean System Restore point
The instructions are here
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
1. Download the latest version of Java Runtime Environment (JRE) 6.u11.
2. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Remove or Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u11-windowsi586-p.exe to install the newest version.
Update your Anti Virus Software

Use and maintain a Firewall

Visit Microsoft's Windows Update Site Frequently for critical updates

Back up your important documents and files on a regular basis, to a disc or a USB key, not your hard drive.
You may want to read this article: "So how did I get infected in the first place" by Tony Klein

surf safe
Microsoft MVP - Windows Security



