userinit.exe and sc46a.exe viruses


  • This topic is locked
10 replies to this topic

#1 dwen

dwen

  • Members
  • 5 posts

Posted 20 May 2009 - 08:09 AM

Hi,

I've got a problem with my computer which seems very similar to the one talked about in this thread: link (Windows would load the desktop picture but nothing else other than an error message for userinit.exe and scr6a.exe; I'm not exactly sure of the filename for the second one as it's stopped popping up now), but I tried to do what was recommended and now my computer won't load at all other than in safe mode; it just goes straight to a blank screen and stays there.

One of the problems is that it kept reloading my internet browser to websearch, but now I've deleted this it keeps reloading to an AVG error page.


My HijackThis log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:01:47, on 20/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcservicecall.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe (User 'Default user')
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ccofgnt.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ccofgnt.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: reset5c - C:\WINDOWS\SYSTEM32\reset5c.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7297 bytes


thanks a lot!

Edited by dwen, 20 May 2009 - 08:12 AM.



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 May 2009 - 09:26 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 dwen

dwen
  • Topic Starter

  • Members
  • 5 posts

Posted 21 May 2009 - 03:54 PM

Hi Sam, thanks a lot for your reply!

I've downloaded combofix but I have a problem in that as I am only able to use safe mode I am unable to deactivate my AVG antivirus. I have no system tray icons and when I open AVG I get a message saying it can only be used for a "command line scan". I tried uninstalling it but it came up with an error message and the combofix programme kept giving me warning messages that AVG was still active, so I'm unsure what to do now?!

Thanks a lot for your help!

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 May 2009 - 03:05 PM

It's ok. Go ahead and run Combofix. AVG is one program that does not seem to affect Combofix running.

#5 dwen

dwen
  • Topic Starter

  • Members
  • 5 posts

Posted 23 May 2009 - 02:53 AM

Hi Sam,


This time my computer rebooted into normal mode (before, when I tried to do this, I would just get a dead black screen) but still came up with the userinit.exe warning message and I had to load explorer by pressing ctrl alt del (just my desktop picture loaded before that).

Here's the log:

ComboFix 09-05-20.A1 - Administrator 23/05/2009 9:32.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.34.1033.18.1015.762 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\dwen\Application Data\wiaserva.log
c:\windows\cpu.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\twain_32
c:\windows\system32\twain_32\user.ds.cla

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPI32
-------\Legacy_ATI64SI
-------\Legacy_FIPS32CUP
-------\Legacy_I386SI
-------\Legacy_KSI32SK
-------\Legacy_NETSIK
-------\Legacy_NICSK32
-------\Legacy_PORT135SIK
-------\Legacy_SYSTEMNTMI
-------\Legacy_WS2_32SIK
-------\Service_acpi32
-------\Service_ati64si
-------\Service_fips32cup
-------\Service_i386si
-------\Service_ksi32sk
-------\Service_netsik
-------\Service_nicsk32
-------\Service_port135sik
-------\Service_systemntmi
-------\Service_ws2_32sik


((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.

2009-05-20 12:32 . 2009-05-20 12:32 -------- d-----w c:\documents and settings\Administrator\Application Data\AdobeUM
2009-05-20 08:16 . 2009-05-20 08:16 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-05-17 13:30 . 2009-05-17 13:30 -------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-17 13:30 . 2009-05-17 13:30 -------- d-----w c:\program files\NCH Swift Sound
2009-05-16 18:00 . 2004-08-10 19:00 24576 ----a-w c:\windows\system32\stu2.exe
2009-05-16 17:58 . 2004-08-10 19:00 9728 ----a-w c:\windows\system32\reset5c.dll
2009-05-16 17:58 . 2009-05-16 17:58 11264 ----a-w c:\windows\system32\asdns.dll
2009-05-16 17:58 . 2009-05-16 17:58 63488 ----a-w c:\windows\system32\ccofgnt.dll
2009-05-04 19:22 . 2009-05-04 19:22 -------- d-----w c:\documents and settings\dwen\Application Data\dvdcss
2009-04-23 12:04 . 2009-04-23 12:04 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 07:47 . 2007-10-17 08:42 638355232 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-19 21:53 . 2007-10-17 08:42 8549876 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-16 18:00 . 2006-08-12 16:03 13312 ---ha-w c:\windows\system32\userinit.exe
2009-05-07 15:53 . 2009-04-18 01:16 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-07 15:53 . 2009-04-18 01:16 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-07 15:53 . 2009-04-18 01:16 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-22 08:43 . 2007-05-10 12:19 -------- d-----w c:\program files\BitComet
2009-04-18 01:16 . 2009-04-18 01:16 -------- d-----w c:\program files\AVG
2009-03-06 14:00 . 2006-08-12 16:01 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-01 21:59 826368 ----a-w c:\windows\system32\wininet.dll
2008-12-20 00:11 . 2006-12-27 15:48 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 00:11 . 2006-12-27 15:48 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 00:11 . 2006-12-27 15:48 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-05-16 17:59 . 2009-05-16 17:59 47104 ----a-w c:\program files\mozilla firefox\components\nsFlash.dll
2008-12-20 00:11 . 2006-12-27 15:48 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 00:11 . 2006-12-27 15:48 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-08-12 11:11 . 2006-12-18 23:20 2583 --shatw c:\windows\system32\config\systemprofile\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVDRAM_GSA-4083N_AS03_300_DICV018_DRGV2050108.TMP
.

------- Sigcheck -------

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2009-05-16 18:00 13312 3A1BCD7A5019E5BE6C316EED654DBBF4 c:\windows\system32\userinit.exe
[7] 2004-08-10 19:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-18 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-06 3572984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-25 761946]
"NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-25 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-25 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-04-25 143360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-05 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-07 1947928]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2006-04-25 557056]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-01-11 15961088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Philips Media Manager.lnk - c:\program files\Philips\Media Manager\Philips Media Manager.exe [2006-8-12 136704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
FreeventsSchedule.lnk - c:\freevents\FreeventsSchedule.exe [2006-8-12 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-07 15:53 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\reset5c]
2004-08-10 19:00 9728 ----a-w c:\windows\system32\reset5c.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"=
"c:\\Program Files\\Dell AIO Printer A920\\dlbkbmon.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\jucheck.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgcsrvx.exe"=
"c:\\Program Files\\BitComet\\CrashReport.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\WINDOWS\\eHome\\ehmsas.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\sm56hlpr.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\Napster\\napster.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"%windir%\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13341:TCP"= 13341:TCP:BitComet 13341 TCP
"13341:UDP"= 13341:UDP:BitComet 13341 UDP

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [25/04/2006 11:28 34176]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [25/04/2006 11:28 28800]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/04/2009 03:16 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/04/2009 03:16 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [18/04/2009 03:16 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [18/04/2009 03:16 298776]
S2 amd64si;amd64si;\??\c:\windows\system32\drivers\amd64si.sys --> c:\windows\system32\drivers\amd64si.sys [?]
S2 hshot;Config Support;c:\windows\system32\svchost.exe -k netsvcs [12/08/2006 18:02 14336]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [05/11/2007 19:43 16512]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hshot

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49c5c439-9de6-11dd-b6fa-001302e23745}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MntDrCore.exe
\Shell\Open\command - MntDrCore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b46d01a-d021-11dd-b6a2-001302e23745}]
\Shell\AutoRun\command - E:\2u.com
\Shell\explore\Command - E:\2u.com
\Shell\open\Command - E:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64fab5e8-8eeb-11dd-b45e-001302e23745}]
\Shell\AutoRun\command - e:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
\Shell\open\command - e:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82cb169b-a382-11dd-bfed-001302e23745}]
\Shell\AutoRun\command - F:\fooool.exe
\Shell\explore\Command - F:\fooool.exe
\Shell\open\Command - F:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{919a1391-9333-11da-bf07-806d6172696f}]
\Shell\AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be52e545-0aca-11de-a3a8-001302e23745}]
\Shell\AutoRun\command - E:\2u.com
\Shell\explore\Command - E:\2u.com
\Shell\open\Command - E:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e55366a1-d4e3-11dd-9f3d-001302e23745}]
\Shell\AutoRun\command - E:\2u.com
\Shell\explore\Command - E:\2u.com
\Shell\open\Command - E:\2u.com
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-18 21:26]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-dwen - c:\documents and settings\dwen\dwen.exe
HKCU-Run-Power2GoExpress - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 172.19.90.2:8080
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...l?p=ZUfox000(2)
LSP: c:\windows\system32\asdns.dll
FF - ProfilePath - c:\documents and settings\dwen\Application Data\Mozilla\Firefox\Profiles\d53dfznx.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.es
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000(2)&fl=0&ptb=pv.L3lBMCipIK1qXOCXrZA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\nsFlash.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-23 09:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hshot]
"ServiceDll"="c:\windows\system32\lgrnl.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\reset5c.dll

- - - - - - - > 'lsass.exe'(880)
c:\windows\system32\reset5c.dll
c:\windows\system32\asdns.dll

- - - - - - - > 'explorer.exe'(3548)
c:\windows\system32\ccofgnt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\o2flash.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-05-23 9:50 - machine was rebooted [dwen]
ComboFix-quarantined-files.txt 2009-05-23 07:49

Pre-Run: 10,199,670,784 bytes free
Post-Run: 11,007,188,992 bytes free

282 --- E O F --- 2009-05-13 22:18


Thanks!

Edited by dwen, 23 May 2009 - 03:04 AM.
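Added example (not a tool from this thread, from HijackThis or from ComboFix): a small Python triage script that automates three checks the helper is making by eye above, using the F2 UserInit= line and the O18/O20 entries from the HijackThis log in post #1 and the Sigcheck rows from the ComboFix log in post #5. The allow-list KNOWN_NOTIFY_DLLS is an assumption (AVG's avgrsstx.dll is treated as legitimate because the helper leaves it in place); the sample lines are copied from the logs in this thread.

```python
"""
Triage helper for HijackThis / ComboFix style logs (added example, not from this thread).

Checks performed:
  * F2 UserInit= lines that chain an extra executable after the stock userinit.exe,
  * O18 'Filter hijack' MIME filters and O20 Winlogon Notify DLLs not on an allow-list,
  * ComboFix Sigcheck rows whose MD5 differs from the protected dllcache copy.
"""
import re
from typing import Dict, List, Optional

# Assumption: AVG's avgrsstx.dll is the one legitimate Winlogon Notify DLL on this machine;
# every other Notify DLL is reported for review.
KNOWN_NOTIFY_DLLS = {"avgrsstx.dll"}

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ccofgnt.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: reset5c - C:\WINDOWS\SYSTEM32\reset5c.dll
"""

# Sample rows copied from the ComboFix Sigcheck section posted in this thread.
SAMPLE_SIGCHECK = r"""
[-] 2009-05-16 18:00 13312 3A1BCD7A5019E5BE6C316EED654DBBF4 c:\windows\system32\userinit.exe
[7] 2004-08-10 19:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\dllcache\userinit.exe
"""

# One Sigcheck row: [flag] date time size md5 path
SIG_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+\s+\S+)\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+)$"
)


def check_userinit(line: str) -> List[str]:
    """Return every executable chained onto UserInit= other than the stock userinit.exe."""
    m = re.search(r"UserInit=(.*)$", line, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def check_hook(line: str) -> Optional[str]:
    """Flag O18 MIME filter hijacks and O20 Winlogon Notify DLLs outside the allow-list."""
    target = line.rsplit(" - ", 1)[-1].strip()  # the DLL path is the last ' - ' field
    if line.startswith("O18 - Filter hijack:"):
        return f"MIME filter hijack -> {target}"
    if line.startswith("O20 - Winlogon Notify:"):
        if target.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            return f"unknown Winlogon Notify DLL -> {target}"
    return None


def parse_sigcheck(text: str) -> List[Dict[str, str]]:
    """Parse ComboFix Sigcheck rows into dicts (flag, date, size, md5, path)."""
    rows = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def sigcheck_mismatches(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Compare each live copy of a file with the dllcache copy of the same name by MD5."""
    by_name: Dict[str, List[Dict[str, str]]] = {}
    for r in rows:
        by_name.setdefault(r["path"].rsplit("\\", 1)[-1].lower(), []).append(r)
    findings = []
    for group in by_name.values():
        cache = [r for r in group if "\\dllcache\\" in r["path"].lower()]
        if not cache:
            continue  # no reference copy to compare against
        ref = cache[0]
        for r in group:
            if r is not ref and r["md5"].upper() != ref["md5"].upper():
                findings.append({"path": r["path"], "flag": r["flag"],
                                 "size": int(r["size"]), "expected_size": int(ref["size"])})
    return findings


def triage(hjt_text: str, sigcheck_text: str) -> Dict[str, list]:
    """Run all checks over the two log excerpts and group the findings by type."""
    out: Dict[str, list] = {"userinit_extra": [], "hooks": [], "sigcheck": []}
    for line in hjt_text.splitlines():
        line = line.strip()
        if line.startswith("F2 "):
            out["userinit_extra"].extend(check_userinit(line))
        note = check_hook(line)
        if note:
            out["hooks"].append(note)
    out["sigcheck"] = sigcheck_mismatches(parse_sigcheck(sigcheck_text))
    return out
```

On the sample data the script reports sdra64.exe as the extra UserInit entry, ccofgnt.dll and reset5c.dll as hooks, and the 13312-byte system32\userinit.exe as a hash mismatch against the 24576-byte dllcache copy, which matches what the CFScript in the next reply removes.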


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 May 2009 - 01:57 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
c:\windows\system32\ccofgnt.dll
c:\windows\system32\reset5c.dll
c:\windows\system32\asdns.dll
E:\2u.com
F:\fooool.exe
e:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
E:\2u.com
c:\windows\system32\stu2.exe
c:\windows\system32\reset5c.dll
c:\windows\system32\asdns.dll
c:\windows\system32\ccofgnt.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49c5c439-9de6-11dd-b6fa-001302e23745}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b46d01a-d021-11dd-b6a2-001302e23745}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64fab5e8-8eeb-11dd-b45e-001302e23745}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82cb169b-a382-11dd-bfed-001302e23745}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be52e545-0aca-11de-a3a8-001302e23745}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e55366a1-d4e3-11dd-9f3d-001302e23745}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\reset5c]

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


=================



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
Note: If you have problems with DrWeb shutting down before it completes the scan, you can perform a custom scan and select individual folders to scan. In that case start with C:\Windows\System32.


Please post the contents of the log from DrWeb in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
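A small triage script for the DrWeb.csv report that the Dr.Web step above produces, added here as an illustration; it is not part of Buckeye_Sam's post and not Dr.Web's own code. It assumes the semicolon-separated layout object;location;detection;action; that the reports posted later in this thread show, and the sample lines embedded in it are constructed (the restore-point GUID is a placeholder). What it makes visible that a raw report does not: how many hits are only System Restore copies under System Volume Information (inert until a restore point is applied), which hits were deleted or moved, and which live files still have an empty action field and therefore need a second look.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv).

Added example for this thread, not part of the original post or of Dr.Web.
Assumed layout (taken from the reports posted in this thread):
    object;location;detection;action;
The trailing action field is empty when nothing was done to the object,
e.g. when the scan was interrupted or the hit is inside an archive.
"""
from collections import Counter

# Constructed sample report in the same layout (paths, names and GUID are made up).
SAMPLE_REPORT = """\
userinit.exe;C:\\WINDOWS\\system32;Trojan.DownLoad.35735;Deleted.;
A0000001.DLL;C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP22;Adware.MyWebSearch.3;;
A0000002.EXE;C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP22;Archive contains infected objects;Moved.;
A0000003.bat;C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP33;Probably BATCH.Virus;;
setup.exe/data003;C:\\Documents and Settings\\user\\Desktop\\setup.exe;Adware.MWS.75;;
"""


def parse_report(text):
    """Return one dict per finding; lines without the four fields are skipped."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) < 4:
            continue
        obj, location, detection, action = fields[:4]
        findings.append({
            "object": obj,
            "location": location,
            "detection": detection,
            "action": action.rstrip("."),          # "Deleted." -> "Deleted", "" stays ""
            # Anything under System Volume Information is a System Restore copy,
            # not a live file: it is inert until someone restores to that point.
            "in_restore_point": "system volume information" in location.lower(),
            # A "/" or "\" in the object name means the hit is inside an archive
            # or installer container rather than a file on its own.
            "in_archive": ("/" in obj) or ("\\" in obj),
        })
    return findings


def summarize(findings):
    """Counts a helper looks at first: what was found, where, and what is still untreated."""
    by_detection = Counter(f["detection"] for f in findings)
    by_action = Counter(f["action"] or "none" for f in findings)
    # Live files (outside restore points) with no action recorded are the ones
    # that still need attention; restore-point copies are dealt with by
    # flushing System Restore at the end of a cleanup.
    live_untreated = [f for f in findings
                      if not f["action"] and not f["in_restore_point"]]
    return {
        "total": len(findings),
        "by_detection": by_detection,
        "by_action": by_action,
        "restore_point_hits": sum(1 for f in findings if f["in_restore_point"]),
        "live_untreated": live_untreated,
    }


def report_lines(summary):
    """Render the summary as plain text lines, e.g. for pasting into a reply."""
    lines = [f"findings: {summary['total']}",
             f"in System Restore copies: {summary['restore_point_hits']}"]
    for action, n in sorted(summary["by_action"].items()):
        lines.append(f"action {action}: {n}")
    for f in summary["live_untreated"]:
        lines.append(f"UNTREATED live file: {f['location']} ({f['object']}) -> {f['detection']}")
    return lines


if __name__ == "__main__":
    for line in report_lines(summarize(parse_report(SAMPLE_REPORT))):
        print(line)
```

To use it on a real report, read DrWeb.csv from the desktop into a string and pass that to parse_report instead of SAMPLE_REPORT; the script does not modify or delete anything, it only reads the report.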


========================================================

#7 dwen

dwen
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:59 PM

Posted 25 May 2009 - 03:24 AM

Here's the combofix log:

ComboFix 09-05-20.A1 - dwen 24/05/2009 20:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.34.1033.18.1015.404 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dwen\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\asdns.dll
c:\windows\system32\ccofgnt.dll
c:\windows\system32\reset5c.dll
c:\windows\system32\stu2.exe
E:\2u.com
e:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe
F:\fooool.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\asdns.dll
c:\windows\system32\ccofgnt.dll
c:\windows\system32\reset5c.dll
c:\windows\system32\stu2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPI32
-------\Legacy_ATI64SI
-------\Legacy_FIPS32CUP
-------\Legacy_I386SI
-------\Legacy_KSI32SK
-------\Legacy_NETSIK
-------\Legacy_NICSK32
-------\Legacy_PORT135SIK
-------\Legacy_SYSTEMNTMI
-------\Legacy_WS2_32SIK


((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-20 12:32 . 2009-05-20 12:32 -------- d-----w c:\documents and settings\Administrator\Application Data\AdobeUM
2009-05-20 08:16 . 2009-05-20 08:16 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-05-17 13:30 . 2009-05-17 13:30 -------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-17 13:30 . 2009-05-17 13:30 -------- d-----w c:\program files\NCH Swift Sound
2009-05-04 19:22 . 2009-05-04 19:22 -------- d-----w c:\documents and settings\dwen\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 19:11 . 2007-10-17 08:42 638500384 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-24 18:44 . 2007-10-17 08:42 8552348 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-16 18:00 . 2006-08-12 16:03 13312 ---ha-w c:\windows\system32\userinit.exe
2009-05-07 15:53 . 2009-04-18 01:16 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-07 15:53 . 2009-04-18 01:16 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-07 15:53 . 2009-04-18 01:16 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-22 08:43 . 2007-05-10 12:19 -------- d-----w c:\program files\BitComet
2009-04-18 01:16 . 2009-04-18 01:16 -------- d-----w c:\program files\AVG
2009-03-06 14:00 . 2006-08-12 16:01 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-01 21:59 826368 ----a-w c:\windows\system32\wininet.dll
2008-12-20 00:11 . 2006-12-27 15:48 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 00:11 . 2006-12-27 15:48 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 00:11 . 2006-12-27 15:48 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-05-16 17:59 . 2009-05-16 17:59 47104 ----a-w c:\program files\mozilla firefox\components\nsFlash.dll
2008-12-20 00:11 . 2006-12-27 15:48 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 00:11 . 2006-12-27 15:48 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-08-12 11:11 . 2006-12-18 23:20 2583 --shatw c:\windows\system32\config\systemprofile\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVDRAM_GSA-4083N_AS03_300_DICV018_DRGV2050108.TMP
.

------- Sigcheck -------

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2009-05-16 18:00 13312 3A1BCD7A5019E5BE6C316EED654DBBF4 c:\windows\system32\userinit.exe
[7] 2004-08-10 19:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-18 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-06 3572984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-25 761946]
"NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-25 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-25 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-04-25 143360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-05 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-07 1947928]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2006-04-25 557056]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-01-11 15961088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Philips Media Manager.lnk - c:\program files\Philips\Media Manager\Philips Media Manager.exe [2006-8-12 136704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
FreeventsSchedule.lnk - c:\freevents\FreeventsSchedule.exe [2006-8-12 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-07 15:53 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"=
"c:\\Program Files\\Dell AIO Printer A920\\dlbkbmon.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\jucheck.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgcsrvx.exe"=
"c:\\Program Files\\BitComet\\CrashReport.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\WINDOWS\\eHome\\ehmsas.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\sm56hlpr.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\Napster\\napster.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"%windir%\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13341:TCP"= 13341:TCP:BitComet 13341 TCP
"13341:UDP"= 13341:UDP:BitComet 13341 UDP

R2 amd64si;amd64si;c:\windows\system32\drivers\amd64si.sys [x]
R2 hshot;Config Support;c:\windows\system32\svchost.exe [2004-08-10 14336]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2006-04-25 34176]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2006-04-25 28800]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-07 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-07 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-05-07 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-07 298776]


--- Other Services/Drivers In Memory ---

*Deregistered* - abp480n5
*Deregistered* - adpu160m
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - agp440
*Deregistered* - agpCPQ
*Deregistered* - Aha154x
*Deregistered* - aic78u2
*Deregistered* - aic78xx
*Deregistered* - ALG
*Deregistered* - AliIde
*Deregistered* - alim1541
*Deregistered* - amdagp
*Deregistered* - amsint
*Deregistered* - Arp1394
*Deregistered* - asc
*Deregistered* - asc3350p
*Deregistered* - asc3550
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avg8emc
*Deregistered* - avg8wd
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - cbidf
*Deregistered* - cd20xrnt
*Deregistered* - Cdfs
*Deregistered* - CmdIde
*Deregistered* - Compbatt
*Deregistered* - COMSysApp
*Deregistered* - Cpqarray
*Deregistered* - CryptSvc
*Deregistered* - dac2w2k
*Deregistered* - dac960nt
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - dpti2o
*Deregistered* - ehRecvr
*Deregistered* - ehSched
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - EvtEng
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - gusvc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - hpn
*Deregistered* - hshot
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - i2omp
*Deregistered* - IAANTMON
*Deregistered* - ImapiService
*Deregistered* - ini910u
*Deregistered* - IntelIde
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KLIF
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LexBceS
*Deregistered* - LmHosts
*Deregistered* - McrdSvc
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - mraid35x
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - nvata
*Deregistered* - nvatabus
*Deregistered* - nvraid
*Deregistered* - O2Flash
*Deregistered* - PartMgr
*Deregistered* - perc2
*Deregistered* - perc2hib
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - ql1080
*Deregistered* - Ql10wnt
*Deregistered* - ql12160
*Deregistered* - ql1240
*Deregistered* - ql1280
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RegSrvc
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - S24EventMonitor
*Deregistered* - s24trans
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - sisagp
*Deregistered* - Sparrow
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srescan
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - sym_hi
*Deregistered* - sym_u3
*Deregistered* - symc810
*Deregistered* - symc8xx
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TosIde
*Deregistered* - TrkWks
*Deregistered* - ultra
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - viaagp
*Deregistered* - ViaIde
*Deregistered* - VolSnap
*Deregistered* - vsdatant
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hshot
.
Contents of the 'Scheduled Tasks' folder

2009-05-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-18 21:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 172.19.90.2:8080
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...l?p=ZUfox000(2)
FF - ProfilePath - c:\documents and settings\dwen\Application Data\Mozilla\Firefox\Profiles\d53dfznx.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.es
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000(2)&fl=0&ptb=pv.L3lBMCipIK1qXOCXrZA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\nsFlash.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 21:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hshot]
"ServiceDll"="c:\windows\system32\lgrnl.dll"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\o2flash.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
.
**************************************************************************
.
Completion time: 2009-05-24 21:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 19:13
ComboFix2.txt 2009-05-23 07:50

Pre-Run: 11,003,043,840 bytes free
Post-Run: 10,996,928,512 bytes free

398 --- E O F --- 2009-05-13 22:18


I did the first Dr.Web scan and it identified the userinit.exe problem, and the log said:

"userinit.exe;c:\windows\system32;Trojan.DownLoad.35735;Deleted."

When the second scan was about a quarter of the way through though (it had identified about 41 problems by then), my computer crashed. When I turned it on again it loaded fine, and Explorer opened fine with no 'userinit.exe' error message; instead there was a 'proquota.exe' message. I've started another scan and will edit this post with the log when it's finished.

Edit: the log is:

A0024533.scr;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.7;;
A0024543.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.3;;
A0024544.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.4;;
A0024545.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.5;;
A0024546.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MWS.78;;
A0024547.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.6;;
A0024548.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MWS.75;;
A0024549.SCR;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.7;;
A0024551.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.8;;
A0024552.EXE;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.9;;
A0024553.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.10;;
A0024554.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.Msearch;;
A0024557.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.11;;
A0024558.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MWS;;
A0024561.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.12;;
A0024563.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MWS.76;;
A0024565.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.14;;
A0024567.EXE;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MyWebSearch.15;;
A0024568.EXE;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.Websearch.6;;
A0024569.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MWS.77;;
A0024570.EXE;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.Websearch.7;;
A0024571.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.Websearch.35;;
A0024572.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.MWS.74;;
A0024573.EXE;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Adware.Websearch.8;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data003;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MyWebSearch.4;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data008;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MWS.75;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data009;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MyWebSearch.7;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data010;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MWS.82;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data011;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.Websearch.7;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data012;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.Websearch.35;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data013;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MWS.74;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data014;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MWS.76;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data015;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MyWebSearch.14;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data016;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MyWebSearch.11;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data020;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MyWebSearch.8;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data021;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MyWebSearch.10;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data022;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.Msearch;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data023;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MyWebSearch.9;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data025;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MWS;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data028;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MyWebSearch.15;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data031;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.MyWebSearch.12;;
A0024595.exe/mwsSetup.CommonCodebase.exe\data032;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22\A0024595.exe/mwsSetup.CommonCodebase.exe;Adware.Websearch.8;;
mwsSetup.CommonCodebase.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Container contains infected objects;;
A0024595.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Archive contains infected objects;Moved.;
A0024595.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP22;Probably DLOADER.Trojan;;
A0034801.dll;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.6;;
A0034802.scr;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.7;;
A0034810.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.3;;
A0034811.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.4;;
A0034812.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MWS.79;;
A0034813.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MWS.75;;
A0034814.SCR;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.7;;
A0034817.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.8;;
A0034818.EXE;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.9;;
A0034819.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.10;;
A0034820.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.Msearch;;
A0034823.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.11;;
A0034824.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MWS;;
A0034827.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.12;;
A0034829.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MWS.76;;
A0034830.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.14;;
A0034832.EXE;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MyWebSearch.15;;
A0034833.EXE;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.Websearch.7;;
A0034834.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.Websearch.35;;
A0034835.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MWS.74;;
A0034836.EXE;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.Websearch.8;;
A0034858.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MWS.82;;
A0034862.DLL;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.Websearch.13;;
A0034893.dll;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP27;Adware.MWS.82;;
A0038130.bat;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP31;Probably BATCH.Virus;;
A0038251.bat;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Probably BATCH.Virus;;
A0038381.bat;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Probably BATCH.Virus;;
A0038419.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Trojan.DownLoad.35735;Deleted.;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data003;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.4;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data007;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MWS.75;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data008;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.7;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data010;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MWS.77;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data011;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.Websearch.7;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data012;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.Websearch.35;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data013;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MWS.74;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data014;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MWS.76;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data015;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.14;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data016;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.11;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data019;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.8;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data020;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.10;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data021;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.Msearch;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data022;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.9;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data024;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MWS;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data027;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.15;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data028;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.Websearch.6;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data030;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.12;;
A0038425.exe/data001/mwsSetup.CommonCodebase.exe\data031;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038425.exe/data001/mwsSetup.CommonCodebase.e;Adware.Websearch.8;;
mwsSetup.CommonCodebase.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Container contains infected objects;;
data001;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Archive contains infected objects;;
A0038425.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Container contains infected objects;Moved.;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data003;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.4;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data007;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MWS.75;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data008;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.7;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data010;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MWS.77;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data011;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.Websearch.7;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data012;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.Websearch.35;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data013;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MWS.74;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data014;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MWS.76;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data015;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.14;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data016;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.11;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data019;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.8;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data020;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.10;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data021;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.Msearch;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data022;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.9;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data024;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MWS;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data027;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.15;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data028;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.Websearch.6;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data030;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.MyWebSearch.12;;
A0038426.exe/data001/mwsSetup.CommonCodebase.exe\data031;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038426.exe/data001/mwsSetup.CommonCodebase.e;Adware.Websearch.8;;
mwsSetup.CommonCodebase.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Container contains infected objects;;
data001;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Archive contains infected objects;;
A0038426.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Container contains infected objects;Moved.;
A0038427.exe\data001;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038427.exe;Adware.Zango;;
A0038427.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Container contains infected objects;Moved.;
A0038428.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Trojan.Swizzor.based;Deleted.;
proquota.exe;C:\WINDOWS\system32\wbem;Trojan.Packed.2463;Incurable.Moved.;


Thanks!

Edited by dwen, 25 May 2009 - 05:02 AM.
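
The report above is a semicolon-delimited scanner log with one row per object: object;path;detection;action;. Inner members of an archive carry a sub-path in the object field and an empty action, the archive itself gets a "Container contains infected objects" roll-up row with the action, and "Incurable.Moved." means the file was quarantined whole rather than cleaned. The following PowerShell is an added example, not something posted in the thread or shipped with the scanner: it parses rows of that shape and summarises how many hits live inside System Restore snapshots versus the live file system, and which rows still need a human look. The sample rows are copied from the log above; PowerShell 2.0 is assumed.

```powershell
# Added example, not from the thread: triage a scanner report whose rows look like
#   object;path;detection;action;
# The four sample rows below are copied from the log posted above.
$sampleLog = @'
A0038427.exe\data001;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33\A0038427.exe;Adware.Zango;;
A0038427.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Container contains infected objects;Moved.;
A0038428.exe;C:\System Volume Information\_restore{5EF61E35-F473-47F0-AB71-E40210802868}\RP33;Trojan.Swizzor.based;Deleted.;
proquota.exe;C:\WINDOWS\system32\wbem;Trojan.Packed.2463;Incurable.Moved.;
'@

function ConvertFrom-ScanLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '') { continue }
        $f = $line -split ';'
        if ($f.Count -lt 3) { continue }                 # not a report row
        $action = ''
        if ($f.Count -gt 3) { $action = $f[3] }
        New-Object PSObject -Property @{
            Object    = $f[0]
            Path      = $f[1]
            Detection = $f[2]
            Action    = $action
            # An object name with a sub-path (x.exe\data001, a.exe/data001/...)
            # is a member of an archive; the scanner records the action once,
            # on the archive's own "Container ..." row.
            Nested    = ($f[0] -match '[\\/]')
            # Roll-up row for the archive itself, not a separate detection.
            Container = ($f[2] -like '*contains infected objects')
            # Hits under System Volume Information sit in restore points: inert
            # until a restore, but untouched by a cleanup that leaves them there.
            InRestorePoint = ($f[1] -like '*\System Volume Information\_restore*')
        }
    }
}

function Get-ScanSummary {
    param([string[]]$Lines)
    $rows = @(ConvertFrom-ScanLog $Lines)
    $hits = @($rows | Where-Object { -not $_.Container })
    # Top-level rows with no recorded action were found but left in place;
    # "Incurable" rows were quarantined whole, so the file is gone, not repaired.
    $followUp = @($hits | Where-Object {
        (-not $_.Nested -and $_.Action -eq '') -or ($_.Action -like 'Incurable*')
    })
    New-Object PSObject -Property @{
        Detections       = $hits.Count
        InRestorePoints  = @($hits | Where-Object { $_.InRestorePoint }).Count
        OnLiveFilesystem = @($hits | Where-Object { -not $_.InRestorePoint }).Count
        FollowUp         = @($followUp | ForEach-Object {
            "$($_.Path)\$($_.Object)  $($_.Detection)  $($_.Action)" })
    }
}

# For the sample rows: 3 detections, 2 in restore points, 1 on the live file
# system, and the proquota.exe row (Incurable.Moved.) listed for follow-up.
Get-ScanSummary ($sampleLog -split "`r?`n") | Format-List
```

Run against the full log, the InRestorePoints count is what justifies the "flush System Restore" step that follows: those copies are not reachable by normal cleaning, and deleting the restore points is the only way to remove them.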


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:59 PM

Posted 25 May 2009 - 09:40 AM

Good! Nicely done! :thumbup2:


Flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore will be booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

==================


Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\windows\system32\lgrnl.dll


  • Click on the button to submit the file.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html



How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
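
The "turn System Restore off, reboot, turn it back on" sequence above is what the System Restore tab does; the same operations are exposed by the SystemRestore WMI class (root\default), which is what the tab itself drives. The PowerShell below is an added example, not code from the thread: it disables System Restore on the system drive (on XP that purges every restore point on every drive, which is the point), re-enables it, and immediately creates a clean baseline restore point. It assumes an administrator session on Windows XP with PowerShell installed (the original SP2 machine would need it added), and the Disable/Enable/CreateRestorePoint method signatures as documented for that class. Do not run it until the live file system is clean, because the baseline it creates is only as clean as the system at that moment.

```powershell
# Added example, not from the thread: flush and re-seed System Restore through
# the SystemRestore WMI class instead of the System Properties dialog.
# Assumes Windows XP, PowerShell installed, and an administrator session.
$sr = [wmiclass] '\\.\root\default:SystemRestore'

function Get-RestorePointCount {
    # Each instance of the SystemRestore class is one restore point.
    @(Get-WmiObject -Namespace 'root\default' -Class SystemRestore).Count
}

function Reset-SystemRestore {
    param([string]$SystemDrive = ($env:SystemDrive + '\'))   # e.g. 'C:\'

    $before = Get-RestorePointCount
    Write-Host "Restore points before flush: $before"

    # 1. Disable on the system drive. On XP this disables System Restore on all
    #    drives and deletes every restore point, infected snapshots included.
    $r = $sr.Disable($SystemDrive)
    if ($r.ReturnValue -ne 0) { throw "Disable failed with code $($r.ReturnValue)" }

    # 2. Re-enable. The GUI route reboots between the two steps; WMI does not
    #    need to, and $true asks the call to wait until the service is back.
    $r = $sr.Enable($SystemDrive, $true)
    if ($r.ReturnValue -ne 0) { throw "Enable failed with code $($r.ReturnValue)" }

    # 3. Create a known-clean baseline straight away so that there is a point
    #    to roll back to that predates any later trouble.
    #    0 = APPLICATION_INSTALL restore point type, 100 = BEGIN_SYSTEM_CHANGE.
    $r = $sr.CreateRestorePoint('Clean baseline after malware removal', 0, 100)
    if ($r.ReturnValue -ne 0) { throw "CreateRestorePoint failed with code $($r.ReturnValue)" }

    # Expect exactly one restore point now, whatever the count was before.
    Get-RestorePointCount
}

Reset-SystemRestore
```

Checking the count afterwards matters: if the old restore points are still listed, the disable step did not take (typically a permissions problem), and the infected copies under System Volume Information are still on disk.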


========================================================

#9 dwen

dwen
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 25 May 2009 - 10:20 AM

Thanks for your reply!

I've searched for the c:\windows\system32\lgrnl.dll file and it doesn't seem to exist on my computer?

Other than that my computer seems to be fine now, when I rebooted just now I didn't get any error messages and everything seems to be working ok! (except Windows Firewall has turned off and I can't seem to turn it on again)

Edited by dwen, 25 May 2009 - 02:13 PM.


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:59 PM

Posted 26 May 2009 - 09:21 AM

Let's check something. Click Start -> Run -> services.msc

Scroll down to Windows Firewall/Internet Connection Sharing (ICS)
Status should be set to "Started"
Startup type should be set to "Automatic"

If it's not, double click to bring up Properties where you can start the service and adjust the startup type.


See if you can enable Windows Firewall now.
Let me know if this does the trick.


========================================================
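
The services.msc entry named "Windows Firewall/Internet Connection Sharing (ICS)" is the SharedAccess service. The PowerShell below is an added example, not something from the thread: it reads the service's state, start mode and binary path through Win32_Service, checks that the services it depends on are running (a stopped dependency is the usual reason the Start button fails), repairs the start type and starts it, then enables the firewall with the XP-era netsh syntax. It assumes an administrator PowerShell session on Windows XP SP2/SP3 with PowerShell installed; netsh firewall is the XP command set, Vista and later use netsh advfirewall. A malware-cleaned box where the service is missing entirely cannot be fixed this way, and the function says so rather than guessing.

```powershell
# Added example, not from the thread: check and repair the service behind the
# "Windows Firewall/Internet Connection Sharing (ICS)" entry in services.msc.
# Its short name is SharedAccess. Assumes an administrator PowerShell session
# on Windows XP (netsh firewall syntax; Vista+ would use netsh advfirewall).

function Get-FirewallServiceState {
    $svc = Get-WmiObject Win32_Service -Filter "Name='SharedAccess'"
    if ($svc -eq $null) {
        # If the service key was deleted, services.msc has no such entry and
        # the Control Panel switch can never work: the service must be put back.
        return New-Object PSObject -Property @{ Present = $false }
    }
    # ServicesDependedOn lists the services that must be running first.
    $deps = (Get-Service -Name SharedAccess).ServicesDependedOn
    New-Object PSObject -Property @{
        Present     = $true
        State       = $svc.State        # expect 'Running'
        StartMode   = $svc.StartMode    # expect 'Auto'; malware often sets 'Disabled'
        BinaryPath  = $svc.PathName     # expect svchost.exe -k netsvcs
        StoppedDeps = @($deps | Where-Object { $_.Status -ne 'Running' } |
                        ForEach-Object { $_.Name })
    }
}

function Repair-FirewallService {
    $state = Get-FirewallServiceState
    if (-not $state.Present) {
        throw 'SharedAccess service is missing; recreate it from a known-good XP install before enabling the firewall.'
    }

    # Start type first, so the fix survives the next reboot.
    if ($state.StartMode -ne 'Auto') {
        Set-Service -Name SharedAccess -StartupType Automatic
    }

    # Dependencies before the service itself; SharedAccess will not start
    # while one of them is stopped.
    foreach ($dep in $state.StoppedDeps) { Start-Service -Name $dep }
    if ($state.State -ne 'Running') { Start-Service -Name SharedAccess }

    # Turn the firewall on and show the resulting operational mode.
    netsh firewall set opmode mode=ENABLE
    netsh firewall show state

    Get-FirewallServiceState
}

Get-FirewallServiceState | Format-List
Repair-FirewallService | Format-List
```

If the service starts but the firewall still reports itself disabled, the binary path is the next thing to compare against a clean XP machine: malware that hijacks the netsvcs host or replaces the service DLL leaves the service present and "Running" while doing nothing useful.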

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:59 PM

Posted 24 June 2009 - 09:10 AM

Unfortunately there has been no response. :thumbup2:
This thread will now be closed.


========================================================
