
Userinit.exe / services.exe Trojan


  • This topic is locked
2 replies to this topic

#1 FireCrackerArg

  • Members
  • 1 posts

Posted 05 July 2009 - 06:59 AM

Morning fellas, by accident I installed a trojan and can't get rid of it.

I got to this forum following [topic="www.bleepingcomputer.com/forums/topic197873.html"]this topic[/topic], which is kind of similar to my problem, but I was unable to fully remove this thing.

First thing: when Windows finishes booting up I get to my desktop and an error window about userinit.exe, and then I can see my wallpaper but no taskbar or icons. I press Ctrl+Alt+Del and type explorer so that it begins the process, and nothing happens. IF I unplug the internet cable, explorer starts running and everything is there and quite functional.

First I followed boopme's instructions: ran ATF-Cleaner and cleared everything, ran SUPERAntiSpyware and got around 15 items to quarantine, but the logs tell me that either userinit.exe or services.exe couldn't be quarantined; ran a Malwarebytes scan and it tells me everything is OK.

Tried booting up with the LAN cable plugged in, and back to square one. First I tried manually deleting userinit.exe, which seemed to kill the problem since SUPERAntiSpyware told me that nothing was found; rebooted and made a copy of the file from my Windows XP CD to be able to log in again, and when it finished there it was again.

Ran SDFix; it removed some more files that were called 1.tmp and 2.tmp, and userinit.exe and services.exe were cleaned and restored, it rebooted... and back to square one.

Below are the logs that are required first; if anyone requests others I'll rescan and post the new ones. Help will be really appreciated!



DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrador at 8:41:43,73 on 05/07/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.54.3082.18.2047.1586 [GMT -3:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Malwarebytes' Anti-Malware\mbam.exe
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrador\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uRun: [SUPERAntiSpyware] c:\archivos de programa\superantispyware\SUPERAntiSpyware.exe
uRun: [DAEMON Tools Lite] "c:\archivos de programa\daemon tools lite\daemon.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [services] c:\windows\services.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\archivos de programa\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-5 38160]
R3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2009-6-23 7408]
RUnknown protect;protect; [x]

=============== Created Last 30 ================

2009-07-05 08:41 61,440 a------- c:\windows\system32\drivers\dkulmo.sys
2009-07-05 08:36 72,192 -------- c:\windows\services.exe
2009-07-05 08:30 <DIR> --d----- c:\windows\ERUNT
2009-07-05 08:28 <DIR> --d----- C:\SDFix
2009-07-05 05:28 <DIR> --d----- c:\windows\pss
2009-07-05 04:43 360,832 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-05 04:18 0 a------- c:\windows\ativpsrm.bin
2009-07-05 04:17 614,400 a------- c:\windows\system32\ati2sgag.exe
2009-07-05 04:17 <DIR> --d----- c:\archivos de programa\ATI Technologies
2009-07-05 04:16 <DIR> --d----- C:\ATI
2009-07-05 03:51 <DIR> --d----- c:\archivos de programa\Trend Micro
2009-07-05 03:49 <DIR> --d----- c:\archivos de programa\archivos comunes\InstallShield
2009-07-05 03:49 35,840 a----r-- c:\windows\system32\drivers\AmdK8.sys
2009-07-05 03:49 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-07-05 03:49 635,094 a------- c:\windows\system32\MS7125.bmp
2009-07-05 03:49 258 a------- c:\windows\system32\raidmgmt.ini
2009-07-05 03:46 6,400 a------- c:\windows\system32\drivers\splitter.sys
2009-07-05 03:46 52,864 a------- c:\windows\system32\drivers\DMusic.sys
2009-07-05 03:46 156,672 a----r-- c:\windows\system32\RTLCPAPI.dll
2009-07-05 03:46 141,016 a----r-- c:\windows\system32\ALSNDMGR.WAV
2009-07-05 03:46 9,347,584 a------- c:\windows\system32\RTLCPL.EXE
2009-07-05 03:46 16,166,912 a----r-- c:\windows\system32\ALSNDMGR.CPL
2009-07-05 03:46 98,304 a------- c:\windows\SOUNDMAN.EXE
2009-07-05 03:46 2,300,928 a----r-- c:\windows\system32\drivers\ALCXWDM.SYS
2009-07-05 03:46 130,048 a------- c:\windows\system32\ksproxy.ax
2009-07-05 03:46 4,096 a------- c:\windows\system32\ksuser.dll
2009-07-05 03:45 180,480 a----r-- c:\windows\system32\drivers\yk51x86.sys
2009-07-05 03:32 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\SUPERAntiSpyware.com
2009-07-05 03:32 <DIR> --d----- c:\docume~1\admini~1\datosd~1\SUPERAntiSpyware.com
2009-07-05 03:32 <DIR> --d----- c:\archivos de programa\SUPERAntiSpyware
2009-07-05 03:32 <DIR> --d----- c:\archivos de programa\archivos comunes\Wise Installation Wizard
2009-07-05 03:32 <DIR> --d----- c:\docume~1\admini~1\datosd~1\Malwarebytes
2009-07-05 03:32 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 03:32 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-05 03:32 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\Malwarebytes
2009-07-05 03:32 <DIR> --d----- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-07-05 03:15 221,184 a------- c:\windows\system32\wmpns.dll
2009-07-05 03:13 <DIR> --d----- c:\archivos de programa\BurnInTest
2009-07-05 03:12 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-05 03:12 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-05 03:12 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-05 03:12 87,608 a------- c:\docume~1\admini~1\datosd~1\inst.exe
2009-07-05 03:12 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-07-05 03:12 47,360 a------- c:\docume~1\admini~1\datosd~1\pcouffin.sys
2009-07-05 03:12 217,127 a------- c:\windows\system32\drv43260.dll
2009-07-05 03:12 208,935 a------- c:\windows\system32\drv33260.dll
2009-07-05 03:12 176,165 a------- c:\windows\system32\drv23260.dll
2009-07-05 03:12 <DIR> --d----- c:\archivos de programa\vso
2009-07-05 03:12 <DIR> --d----- c:\archivos de programa\XnView
2009-07-05 03:11 <DIR> --d----- c:\archivos de programa\Unlocker
2009-07-05 03:11 <DIR> --d----- c:\archivos de programa\archivos comunes\EZB Systems
2009-07-05 03:11 <DIR> --d----- c:\archivos de programa\UltraISO
2009-07-05 03:11 1,066,176 a------- c:\windows\system32\MSCOMCTL.OCX
2009-07-05 03:11 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
2009-07-05 03:11 115,920 a------- c:\windows\system32\MSINET.OCX
2009-07-05 03:11 <DIR> --d----- c:\archivos de programa\SpywareBlaster
2009-07-05 03:11 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\Spybot - Search & Destroy
2009-07-05 03:11 <DIR> --d----- c:\archivos de programa\Spybot - Search & Destroy
2009-07-05 03:11 <DIR> --d----- c:\archivos de programa\Real Alternative
2009-07-05 03:11 <DIR> --d----- c:\archivos de programa\Quintessential Media Player
2009-07-05 03:11 <DIR> --d----- c:\archivos de programa\PowerISO
2009-07-05 03:11 <DIR> --d----- c:\archivos de programa\Eset
2009-07-05 03:10 1,757,184 a------- c:\windows\system32\imagX7.dll
2009-07-05 03:10 802,816 a------- c:\windows\system32\imagXRA7.dll
2009-07-05 03:10 497,296 a------- c:\windows\system32\imagXpr7.dll
2009-07-05 03:10 368,640 a------- c:\windows\system32\TwnLib4.dll
2009-07-05 03:10 258,048 a------- c:\windows\system32\imagXR7.dll
2009-07-05 03:10 <DIR> --d----- c:\docume~1\alluse~1\datosd~1\Nero
2009-07-05 03:10 <DIR> --d----- c:\archivos de programa\Nero
2009-07-05 03:09 1,559,040 a------- c:\windows\system32\xvidcore.dll
2009-07-05 03:09 164,352 a------- c:\windows\system32\unrar.dll
2009-07-05 03:09 <DIR> --d----- c:\archivos de programa\K-Lite Codec Pack
2009-07-05 03:08 <DIR> --d----- c:\archivos de programa\DVD Shrink
2009-07-05 03:08 <DIR> --d----- c:\archivos de programa\DVD Decrypter
2009-07-05 03:08 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2009-07-05 03:08 2,958 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-07-05 03:08 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.bmp
2009-07-05 03:08 3,037 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
2009-07-05 03:08 4,103,032 a----r-- c:\windows\system32\SpoonUninstall.exe
2009-07-05 03:08 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2009-07-05 03:08 13,020 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-07-05 03:08 <DIR> --d----- c:\archivos de programa\Illustrate
2009-07-05 03:08 <DIR> --d----- c:\archivos de programa\DAEMON Tools Lite
2009-07-05 03:07 <DIR> --d----- c:\archivos de programa\Yahoo!
2009-07-05 03:07 <DIR> --d----- c:\archivos de programa\CCleaner
2009-07-05 03:07 <DIR> --d----- c:\archivos de programa\Alcohol Soft
2009-07-05 03:07 <DIR> --d----- c:\archivos de programa\AIMP2
2009-07-05 03:07 69,632 a------- c:\windows\system32\javacpl.cpl
2009-07-05 03:06 <DIR> --d----- c:\archivos de programa\MSECache
2009-07-05 03:04 <DIR> --d----- c:\windows\system32\DirectX
2009-07-05 03:03 <DIR> --d----- c:\windows\system32\URTTemp
2009-07-05 02:56 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-07-05 02:56 35,864 a------- c:\windows\system32\wucltui.dll.mui
2009-07-05 02:56 27,672 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-07-05 02:56 18,968 a------- c:\windows\system32\wuaueng.dll.mui
2009-07-05 02:56 27,672 a------- c:\windows\system32\wuapi.dll.mui
2009-07-05 02:56 <DIR> --d-hr-- c:\documents and settings\administrador\Reciente
2009-07-05 02:56 <DIR> --d-hr-- c:\documents and settings\administrador\Datos de programa
2009-07-05 02:56 <DIR> --d-h--- c:\documents and settings\administrador\Plantillas
2009-07-05 02:56 <DIR> --d-h--- c:\documents and settings\administrador\Impresoras
2009-07-05 02:56 <DIR> --d-h--- c:\documents and settings\administrador\Entorno de red
2009-07-05 02:56 <DIR> --d-h--- c:\documents and settings\administrador\Configuración local
2009-07-05 02:56 <DIR> --d--r-- c:\documents and settings\administrador\Mis documentos
2009-07-05 02:56 <DIR> --d--r-- c:\documents and settings\administrador\Menú Inicio
2009-07-05 02:56 <DIR> --d--r-- c:\documents and settings\administrador\Favoritos
2009-07-05 02:56 <DIR> --d----- c:\documents and settings\administrador\Escritorio
2009-07-05 02:56 <DIR> --d----- c:\documents and settings\Administrador
2009-07-05 02:56 <DIR> --ds---- c:\windows\system32\Microsoft
2009-07-05 02:56 8,192 a------- c:\windows\REGLOCS.OLD
2009-07-05 02:54 <DIR> --d----- c:\archivos de programa\MSXML 4.0
2009-07-05 02:53 23,392 a------- c:\windows\system32\nscompat.tlb
2009-07-05 02:53 16,832 a------- c:\windows\system32\amcompat.tlb
2009-07-05 02:53 316,640 a------- c:\windows\WMSysPr9.prx
2009-07-05 02:53 <DIR> -cdshr-- c:\windows\system32\dllcache
2009-07-05 02:53 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-05 02:53 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-07-05 02:53 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-07-05 02:53 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-07-05 02:53 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-07-05 02:52 <DIR> --d-h--- c:\archivos de programa\WindowsUpdate
2009-07-05 02:52 <DIR> --d----- c:\archivos de programa\Servicios en línea
2009-07-05 02:52 <DIR> --d----- c:\archivos de programa\archivos comunes\MSSoap
2009-07-05 02:50 <DIR> --d----- c:\archivos de programa\Windows Media Connect 2
2009-07-05 02:50 <DIR> --d----- c:\archivos de programa\MSN Gaming Zone
2009-07-05 02:49 <DIR> --d----- c:\archivos de programa\Windows NT
2009-07-04 22:45 <DIR> --d----- c:\archivos de programa\archivos comunes\ODBC
2009-07-04 22:45 <DIR> --d----- c:\archivos de programa\archivos comunes\SpeechEngines
2009-07-04 22:44 <DIR> --d-h--- c:\documents and settings\all users\Plantillas
2009-07-04 22:44 <DIR> --d--r-- c:\documents and settings\all users\Menú Inicio
2009-07-04 22:44 <DIR> --d--r-- c:\documents and settings\all users\Documentos
2009-07-04 22:44 <DIR> --d----- c:\documents and settings\all users\Favoritos
2009-07-04 22:44 <DIR> --d----- c:\documents and settings\all users\Escritorio
2009-07-04 22:42 <DIR> --d-hr-- c:\documents and settings\all users\Datos de programa

==================== Find3M ====================

2009-07-05 08:37 439,680 a------- c:\windows\system32\perfh00A.dat
2009-07-05 08:37 68,696 a------- c:\windows\system32\perfc00A.dat
2009-07-05 04:27 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-05 02:54 715,248 a------- c:\windows\system32\drivers\sptd.sys
2009-05-16 00:58 4,069,888 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-05-16 00:39 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-05-16 00:38 335,872 a------- c:\windows\system32\ati2dvag.dll
2009-05-16 00:18 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-05-16 00:17 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-05-16 00:17 46,080 a------- c:\windows\system32\Ati2mdxx.exe
2009-05-16 00:17 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-05-16 00:17 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-05-16 00:15 622,592 a------- c:\windows\system32\ati2evxx.exe
2009-05-16 00:14 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-05-16 00:07 2,987,136 a------- c:\windows\system32\ati3duag.dll
2009-05-15 23:55 11,423,744 a------- c:\windows\system32\atioglxx.dll
2009-05-15 23:54 2,122,624 a------- c:\windows\system32\ativvaxx.dll
2009-05-15 23:54 887,724 a------- c:\windows\system32\ativva6x.dat
2009-05-15 23:51 311,296 a------- c:\windows\system32\atiiiexx.dll
2009-05-15 23:38 49,664 a------- c:\windows\system32\atimpc32.dll
2009-05-15 23:38 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-05-15 23:33 479,232 a------- c:\windows\system32\atikvmag.dll
2009-05-15 23:31 139,264 a------- c:\windows\system32\atiadlxx.dll
2009-05-15 23:31 17,408 a------- c:\windows\system32\atitvo32.dll
2009-05-15 23:30 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-05-15 23:26 376,832 a------- c:\windows\system32\atiok3x2.dll
2009-05-15 23:24 651,264 a------- c:\windows\system32\ati2cqag.dll
2009-05-15 22:35 45,056 a------- c:\windows\system32\aticalrt.dll
2009-05-15 22:34 45,056 a------- c:\windows\system32\aticalcl.dll
2009-05-15 22:33 3,158,016 a------- c:\windows\system32\aticaldd.dll
2009-05-05 16:33 139,264 a------- c:\windows\system32\atibtmon.exe
2009-04-23 16:04 189,051 a------- c:\windows\system32\atiicdxx.dat

============= FINISH: 8:41:57,56 ===============


And the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:04:44 a.m., on 05/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Archivos de programa\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Archivos de programa\DAEMON Tools Lite\daemon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 3084 bytes


Edited by FireCrackerArg, 05 July 2009 - 07:04 AM.
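The two logs above already contain the tell. On Windows XP, services.exe, userinit.exe and the other boot-chain binaries live only in %SystemRoot%\system32 and are started by winlogon or the Userinit value, never from a Run key; yet the HijackThis log lists C:\WINDOWS\services.exe both as a running process and as an HKLM Run entry named "services", and the DDS log shows the same mRun entry. The following is an added example, not code from the original thread or from DDS, HijackThis or any other tool mentioned in it, that applies those two rules to HijackThis/DDS-style log lines. The sample lines are constructed from the logs posted above, and the set of core binaries and the C:\WINDOWS\system32 location are assumptions for a default XP install.

```python
"""Flag core Windows binaries that run from the wrong directory or from a Run key.

Added example for this thread; not code from BleepingComputer, DDS, HijackThis
or any tool mentioned above. Input lines are HijackThis/DDS style: either a bare
process path ("C:\\WINDOWS\\services.exe") or an O4 Run-key entry.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample: lines lifted from the two logs posted above, plus benign
# neighbours so the rules have something to ignore.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Archivos de programa\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"""

# Assumption: a hand-picked set of XP binaries that only ever live in
# %SystemRoot%\system32 and are started by the boot chain, never by a Run key.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "userinit.exe",
}
SYSTEM32 = r"c:\windows\system32"  # assumption: default XP install drive and directory

# HijackThis O4 line: "O4 - <hive>\..\Run: [<name>] <command line>"
RUN_KEY_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Running-process line: starts with a drive letter and backslash.
PROCESS_LINE_RE = re.compile(r"^[A-Za-z]:\\")


def image_path(cmd: str) -> str:
    """Extract the executable path from a command line (quoted, or the first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None when it looks benign."""
    line = line.rstrip()
    m = RUN_KEY_RE.match(line)
    if m:
        path, from_run_key = image_path(m.group("cmd")), True
    elif PROCESS_LINE_RE.match(line):
        path, from_run_key = image_path(line), False
    else:
        return None  # not a line this example knows how to read

    name = ntpath.basename(path).lower()
    if name not in CORE_SYSTEM_BINARIES:
        return None

    reasons = []
    if from_run_key:
        reasons.append(f"{name} registered under a {m.group('hive')} {m.group('key')} key; "
                       "Windows never starts it that way")
    directory = ntpath.dirname(path).lower()
    if directory and directory != SYSTEM32:
        reasons.append(f"{name} lives in {directory}, not {SYSTEM32}")
    if not reasons:
        return None
    return {"line": line, "path": path, "reason": "; ".join(reasons)}


def find_masquerades(log_text: str) -> List[Dict[str, str]]:
    """Run classify_line over every non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        if raw.strip():
            finding = classify_line(raw)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_masquerades(SAMPLE_LOG):
        print(f"SUSPECT {f['path']}\n    {f['reason']}\n    from: {f['line']}")
```

Run against the sample, the only hits are the two lines naming C:\WINDOWS\services.exe; the legitimate C:\WINDOWS\system32\services.exe and the third-party Run entries pass. A bare process name with no path (DDS prints some svchost.exe entries that way) is skipped rather than guessed at, since the directory is what the rule needs.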



#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 09 July 2009 - 12:51 AM

Hello, my name is fenzodahl512 and welcome to BC. Please do the following...


Please download SDFix by Andy Manchesta and save it to your desktop.
Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please reboot into Safe Mode.
  • In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix.
  • Open the extracted folder and double-click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart, as the fix tool will be running and removing files.
  • When the desktop loads, the fix tool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
  • Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


Please make sure you disable ALL of your antivirus/antispyware/firewall programs before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall.




Please post these logs in your next reply. Post each log in a separate post.

1. SDFix
2. ComboFix
3. A fresh HijackThis log

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine.
Awesomeness: When I get sad, I stop being sad and be awesome instead. True story - Barney Stinson
It's gonna be legen... wait for it... dary! Cherish the pain, it means you're still alive.


#3 fenzodahl512

  • Members
  • 6,738 posts

Posted 20 July 2009 - 04:02 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.

