Everything posted by nicolai

  1. I ran combofix in safe mode and it worked (though this means I wasn't able to install Windows recovery console)! Here's the log along with the hijack log. Thanks in advance! ComboFix 09-02-02.04 - okoNK 2009-02-04 10:22:48.1 - NTFSx86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.800 [GMT -5:00] Running from: c:\documents and settings\okonk\Desktop\ComboFix.exe AV: F-Secure Client Security 8.00 *On-access scanning enabled* (Updated) FW: F-Secure Client Security 8.00 *enabled* WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\windows\system32\303374.exe c:\windows\system32\test.ttt c:\windows\system32\tmp.reg c:\windows\system32\uniq.tll c:\windows\system32\win32hlp.cnf ----- BITS: Possible infected sites ----- hxxp://wsus-srv . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_seneka ((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 ))))))))))))))))))))))))))))))) . 2009-02-04 09:44 . 2009-02-04 09:44 137,280 --a------ c:\windows\system32\drivers\ethorpkk.sys 2009-02-04 09:44 . 2009-02-04 09:44 66,560 ---h----- c:\windows\system32\secupdat.dat 2009-02-04 09:44 . 2009-02-04 09:44 32,768 --ah----- c:\documents and settings\okonk\gma.exe 2009-02-03 21:33 . 2009-02-03 21:33 0 --a------ c:\windows\system32\55B.tmp 2009-02-03 18:04 . 2009-02-03 18:04 <DIR> d-------- c:\program files\Trend Micro 2009-02-03 16:46 . 2009-02-03 16:46 262,144 --a------ c:\documents and settings\TESTKO~3 2009-02-03 16:42 . 2009-02-03 16:42 262,144 --a------ c:\documents and settings\TESTKO~2 2009-02-03 16:32 . 
2009-02-03 16:32 262,144 --a------ c:\documents and settings\TESTKO~1 2009-02-03 16:23 . 2009-02-03 16:23 211 --a------ c:\windows\AvDetected.ini 2009-02-03 14:23 . 2009-02-03 14:23 <DIR> d-------- c:\program files\CCleaner 2009-02-03 13:43 . 2009-02-03 13:43 0 --a------ c:\windows\system32\AC.tmp 2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\documents and settings\okonk\Application Data\SUPERAntiSpyware.com 2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-02-02 10:19 . 2009-02-02 10:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-02 10:19 . 2009-02-02 10:19 <DIR> d-------- c:\documents and settings\okonk\Application Data\Malwarebytes 2009-02-02 10:19 . 2009-02-02 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-02 10:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-02 10:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-01 22:12 . 2009-02-01 22:12 142,848 --a--c--- c:\windows\system32\dllcache\userinit.exe 2009-02-01 22:03 . 2006-02-27 22:00 221,184 --a------ c:\windows\system32\wmpns.dll 2009-01-26 11:04 . 2009-01-26 11:04 <DIR> d-------- c:\program files\SecureW2 2009-01-26 11:04 . 2009-01-26 11:04 <DIR> d-------- C:\BrownSW 2009-01-23 13:35 . 2009-01-23 13:35 <DIR> d--h----- c:\windows\PIF 2009-01-23 13:32 . 2009-01-23 13:32 <DIR> d-------- c:\documents and settings\okonk\Application Data\Windows Search 2009-01-23 12:48 . 2009-01-25 09:27 115,224 --a------ C:\img2-001.raw 2009-01-23 12:46 . 2008-04-14 05:42 91,136 --a------ c:\windows\system32\kswdmcap.ax 2009-01-23 12:46 . 
2008-04-14 05:42 91,136 --a--c--- c:\windows\system32\dllcache\kswdmcap.ax 2009-01-23 12:46 . 2008-04-14 05:42 61,952 --a------ c:\windows\system32\kstvtune.ax 2009-01-23 12:46 . 2008-04-14 05:42 61,952 --a--c--- c:\windows\system32\dllcache\kstvtune.ax 2009-01-23 12:46 . 2008-04-14 05:42 53,760 --a------ c:\windows\system32\vfwwdm32.dll 2009-01-23 12:46 . 2008-04-14 05:42 53,760 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll 2009-01-23 12:46 . 2008-04-14 05:42 43,008 --a------ c:\windows\system32\ksxbar.ax 2009-01-23 12:46 . 2008-04-14 05:42 43,008 --a--c--- c:\windows\system32\dllcache\ksxbar.ax 2009-01-23 12:46 . 2008-04-14 00:16 17,024 --a------ c:\windows\system32\drivers\CCDECODE.sys 2009-01-23 12:46 . 2008-04-14 00:16 17,024 --a--c--- c:\windows\system32\dllcache\ccdecode.sys 2009-01-23 12:44 . 2009-01-23 12:45 <DIR> d-------- c:\program files\Microsoft LifeCam 2009-01-23 12:44 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll 2009-01-22 13:23 . 2009-02-01 09:51 <DIR> d-------- c:\documents and settings\okonk\Application Data\skypePM 2009-01-22 13:23 . 2009-01-22 13:23 56 --ah----- c:\windows\system32\ezsidmv.dat 2009-01-22 07:47 . 2009-02-01 13:59 <DIR> d-------- c:\documents and settings\okonk\Application Data\Skype 2009-01-22 07:46 . 2009-01-22 07:46 <DIR> d-------- c:\program files\Skype 2009-01-22 07:46 . 2009-01-22 07:46 <DIR> d-------- c:\program files\Common Files\Skype 2009-01-22 07:46 . 2009-01-22 07:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype 2009-01-21 12:02 . 2009-01-21 12:02 <DIR> d--h----- c:\windows\system32\GroupPolicy 2009-01-21 12:02 . 2009-01-21 12:02 <DIR> d-------- c:\program files\Windows Desktop Search 2009-01-21 12:02 . 2009-01-21 12:02 <DIR> d-------- c:\documents and settings\okonk\Application Data\Windows Desktop Search 2009-01-21 12:01 . 2008-03-07 12:02 192,000 -----c--- c:\windows\system32\dllcache\offfilt.dll 2009-01-21 12:01 . 
2008-03-07 12:02 98,304 -----c--- c:\windows\system32\dllcache\nlhtml.dll 2009-01-21 12:01 . 2008-03-07 12:02 29,696 -----c--- c:\windows\system32\dllcache\mimefilt.dll 2009-01-19 06:46 . 2009-02-02 09:54 <DIR> d-------- c:\program files\DNA 2009-01-19 06:46 . 2009-02-02 10:03 <DIR> d-------- c:\documents and settings\okonk\Application Data\DNA 2009-01-15 10:34 . 2009-01-15 10:34 <DIR> d-------- c:\documents and settings\okonk\Application Data\MathWorks 2009-01-15 10:26 . 2004-03-01 16:05 407,104 --a------ c:\windows\system32\MSHFLXGD.OCX 2009-01-15 10:26 . 2004-02-11 08:37 203,976 --a------ c:\windows\system32\RICHTX32.OCX 2009-01-15 10:10 . 2009-01-15 10:10 <DIR> d-------- c:\program files\MATLAB 2009-01-15 10:04 . 2009-01-15 10:04 <DIR> d-------- c:\documents and settings\okonk\Application Data\Corel 2009-01-15 10:03 . 2009-01-15 10:04 313 --a------ c:\windows\PowerReg.dat 2009-01-15 10:02 . 2009-01-15 10:02 <DIR> d-------- c:\windows\Setup 2009-01-15 09:59 . 2009-01-15 09:59 <DIR> d-------- c:\program files\Corel 2009-01-15 09:58 . 2009-01-15 10:03 <DIR> d-------- c:\windows\Corel 2009-01-15 09:55 . 2009-01-22 13:34 33,408 --a------ c:\windows\system32\drivers\fsbts.sys 2009-01-15 09:39 . 2008-10-09 05:18 79,872 --a------ c:\windows\system32\drivers\fsdfw.sys 2009-01-15 09:38 . 2009-01-15 09:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg 2009-01-14 08:43 . 2008-04-13 23:42 159,232 --a------ c:\windows\system32\ptpusd.dll 2009-01-14 08:43 . 2001-08-17 16:36 5,632 --a------ c:\windows\system32\ptpusb.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2009-02-04 02:35 --------- d-----w c:\program files\F-Secure 2009-02-03 21:40 --------- d--h--w c:\program files\InstallShield Installation Information 2009-02-02 02:22 --------- d-----w c:\documents and settings\okonk\Application Data\F-Secure 2009-01-15 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\F-Secure 2009-01-14 13:50 --------- d-----w c:\program files\GameHouse . ------- Sigcheck ------- 2008-04-13 22:42 1051136 5b7d42a7afcfc1eaed3364598d96588b c:\windows\explorer.exe 2007-06-13 06:26 1050624 1c45e2517832bf15122d5e5db9e36bdb c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe 2007-06-13 05:23 1050624 d330f6e056d972b263ee28a437099d87 c:\windows\$NtServicePackUninstall$\explorer.exe 2008-04-13 22:42 1051136 bb27f12114ee0e2888c0c99345b6f408 c:\windows\ServicePackFiles\i386\explorer.exe 2006-02-27 22:00 32768 fd33d84c38fc26ae13acd2882cd7b187 c:\windows\$NtServicePackUninstall$\ctfmon.exe 2008-04-13 22:42 32768 6a06e6a20c51784bcfab72bd8cdd8034 c:\windows\ServicePackFiles\i386\ctfmon.exe 2008-04-13 22:42 32768 4d432029e19854f14a4640d7af2a3c48 c:\windows\system32\ctfmon.exe 2005-06-10 19:17 75264 2a8780d38ea268296db4311925e621e1 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe 2005-06-10 18:53 75264 b66eb7b4766b703ebc5e24674116412a c:\windows\$NtServicePackUninstall$\spoolsv.exe 2008-04-13 22:42 75264 f5b4a3c4bba0c13af4e3fac5bc023e98 c:\windows\ServicePackFiles\i386\spoolsv.exe 2008-04-13 22:42 75264 5b645231ef9bd87dfe8d637ebd9db632 c:\windows\system32\spoolsv.exe 2006-02-27 22:00 41984 ec4cacd518b1b3d3a2be51cd364d7eee c:\windows\$NtServicePackUninstall$\userinit.exe 2008-04-13 22:42 43520 2fffdfcf583233bff4aaed4278c1c54f c:\windows\ServicePackFiles\i386\userinit.exe 2009-02-01 22:12 142848 a9ea298e724164ff86d9c63231722837 c:\windows\system32\userinit.exe 2009-02-01 22:12 142848 a9ea298e724164ff86d9c63231722837 c:\windows\system32\dllcache\userinit.exe . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-16 8495104] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-16 81920] "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 425984] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2005-09-24 503808] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-05-26 136600] "Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 323584] "F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2008-10-09 182936] "F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2008-10-09 1182304] "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-09-08 277296] "VX3000"="c:\windows\vVX3000.exe" [2006-07-26 720896] "nwiz"="nwiz.exe" [2007-11-16 c:\windows\system32\nwiz.exe] "NVHotkey"="nvHotkey.dll" [2007-11-16 c:\windows\system32\nvhotkey.dll] "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-13 32768] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-05-15 25214] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 141312] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "disablecad"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMMyPictures"= 1 (0x1) "NoStartMenuMyMusic"= 1 (0x1) "NoSMBalloonTip"= 1 (0x1) "NoSMConfigurePrograms"= 1 (0x1) "NoWelcomeScreen"= 1 (0x1) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"="0x00000000" "UpdatesDisableNotify"="0x00000000" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-01-15 79872] S0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-01-15 33408] S0 oqlic;oqlic;c:\windows\system32\drivers\gbsekrpw.sys --> c:\windows\system32\drivers\gbsekrpw.sys [?] 
S1 ethorpkk;ethorpkk;c:\windows\system32\drivers\ethorpkk.sys [2009-02-04 137280] S1 jyk_x;jyk_x;c:\program files\Common Files\System\jyk_x32.dll [2009-02-01 29184] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024] S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2009-01-15 84096] S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2008-09-03 39048] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408] S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [2009-01-15 39776] S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [2009-01-15 25184] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbfd4580-7802-11dd-b21c-001a6b76bf43}] \Shell\AutoRun\command - E:\LaunchU3.exe -a . - - - - ORPHANS REMOVED - - - - HKU-Default-Run-jsf8uiw3jnjgffght - c:\windows\TEMP\winlognn.exe . ------- Supplementary Scan ------- . 
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-04 10:28:45 Windows 5.1.2600 Service Pack 3 NTFS detected NTDLL code modification: ZwOpenFile scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(364) c:\program files\F-Secure\FSPS\program\FSLSP.DLL c:\program files\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'lsass.exe'(420) c:\program files\F-Secure\FSPS\program\FSLSP.DLL . 
Completion time: 2009-02-04 10:32:18 - machine was rebooted [okoNK] ComboFix-quarantined-files.txt 2009-02-04 15:32:16 Pre-Run: 39,648,305,152 bytes free Post-Run: 39,934,730,240 bytes free 229 --- E O F --- 2008-06-16 15:08:16 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:35, on 2009-02-04 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Safe mode with network support Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: 
[sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to 
existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} (CPlayFirstmsiControl Object) - http://zone.msn.com/bingame/mosi/default/msi.1.0.0.9.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad O17 - HKLM\Software\..\Telephony: DomainName = ibt.ku.dk.ad O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad O18 - Protocol: grooveLocalGWS - 
{88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 7145 bytes
  2. And btw, the name of the virus is Antispyware 2009, of course, not antivirus... I also tried using a program called smitfradfix.exe with no result.
  3. Thanks for your quick reply! I downloaded Combofix on the desktop and launched it. It opens up a blue window with no text in it and then nothing happens. I've let it run for 10 min or so.
  4. I got this nasty virus from installing a fake video codec.... I've managed to remove most of the virus using MBAM. However, it won't remove the infection of the userinit.exe; it keeps on popping up every time I run MBAM even though I removed it the previous time. I've tried to search for all userinits and it seems there are two more of those. When I upload them to an online scanner, all four show up as infected! When I enter XP after the log-on screen I have to use Task Manager to manually start explorer, otherwise Windows won't load. And every time I connect to the internet, the virus starts downloading more malware and redirects homepages. I've also tried F-Secure but it's not able to find anything. I would have reinstalled XP a long time ago if I hadn't had a number of programs installed, which I am not able to reinstall easily. Is there any way I can repair the userinit.exe files? Please help me someone!
Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3
2/2/2009 11:07:04 AM
mbam-log-2009-02-02 (11-07-04).txt
Scan type: Quick Scan
Objects scanned: 80120
Time elapsed: 10 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:08:51, on 2/3/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe C:\Program Files\F-Secure\Common\FSMA32.EXE C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft LifeCam\MSCamS32.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\F-Secure\Anti-Virus\fssm32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Adobe\Distillr\Acrotray.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\vVX3000.exe C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\F-Secure\Common\FSLAUNCH.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by
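Added example, not code from this thread, from ComboFix or from MBAM: a small Python triage helper for the Sigcheck section of the ComboFix log in post 1, which is where the "all four userinit copies look infected" question from post 4 can be answered offline. It compares each live copy of a system binary with the copy under ServicePackFiles\i386 (the SP3 install source) and reports size and hash mismatches, and it names files whose dllcache copy carries the same hash as the system32 copy: Windows File Protection restores from dllcache, so a matching bad hash there means WFP will not put a clean file back. The sample rows are copied from the log; treating ServicePackFiles as trusted and the $NtServicePackUninstall$ / $hf_mig$ trees as expected-to-differ backups is an assumption.

```python
# Triage helper for the Sigcheck section of a ComboFix log (added example).
from collections import defaultdict

# Constructed sample: rows copied from the Sigcheck section of the log above.
SIGCHECK_SAMPLE = r"""
2006-02-27 22:00 32768 fd33d84c38fc26ae13acd2882cd7b187 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 22:42 32768 6a06e6a20c51784bcfab72bd8cdd8034 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 22:42 32768 4d432029e19854f14a4640d7af2a3c48 c:\windows\system32\ctfmon.exe
2006-02-27 22:00 41984 ec4cacd518b1b3d3a2be51cd364d7eee c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 22:42 43520 2fffdfcf583233bff4aaed4278c1c54f c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-01 22:12 142848 a9ea298e724164ff86d9c63231722837 c:\windows\system32\userinit.exe
2009-02-01 22:12 142848 a9ea298e724164ff86d9c63231722837 c:\windows\system32\dllcache\userinit.exe
"""


def classify(path):
    """Assumed classification: ServicePackFiles is the trusted reference, the
    $NtServicePackUninstall$ and $hf_mig$ trees are pre-SP / hotfix backups
    that legitimately differ, and everything else is a live copy to check."""
    p = path.lower()
    if "\\servicepackfiles\\" in p:
        return "reference"
    if "\\$ntservicepackuninstall$\\" in p or "\\$hf_mig$\\" in p:
        return "backup"
    return "live"


def parse_sigcheck(text):
    """Parse 'date time size md5 path' rows; the path may contain spaces."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5 or not parts[2].isdigit() or len(parts[3]) != 32:
            continue  # not a Sigcheck row
        _date, _time, size, md5, path = parts
        records.append({
            "size": int(size), "md5": md5.lower(), "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(), "kind": classify(path),
        })
    return records


def compare(records):
    """One finding per live copy that has a ServicePackFiles reference."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r)
    findings = []
    for copies in by_name.values():
        refs = [c for c in copies if c["kind"] == "reference"]
        if not refs:
            continue
        ref = refs[0]
        for c in copies:
            if c["kind"] == "live":
                findings.append({
                    "path": c["path"], "reference": ref["path"],
                    "size_mismatch": c["size"] != ref["size"],
                    "hash_mismatch": c["md5"] != ref["md5"],
                })
    return findings


def poisoned_cache(records):
    """Names whose system32 and dllcache copies share a hash that differs from
    the reference: WFP restores from dllcache, so it cannot repair these."""
    live = {r["path"].lower(): r for r in records if r["kind"] == "live"}
    ref = {r["name"]: r for r in records if r["kind"] == "reference"}
    bad = []
    for path, r in live.items():
        if "\\dllcache\\" not in path or r["name"] not in ref:
            continue
        sys32 = live.get(path.replace("\\dllcache\\", "\\"))
        if sys32 and sys32["md5"] == r["md5"] != ref[r["name"]]["md5"]:
            bad.append(r["name"])
    return sorted(bad)


if __name__ == "__main__":
    recs = parse_sigcheck(SIGCHECK_SAMPLE)
    for f in compare(recs):
        flags = [k for k in ("size_mismatch", "hash_mismatch") if f[k]]
        print(f"{f['path']}: {', '.join(flags) or 'matches reference'}")
    print("dllcache copies sharing the bad hash:", poisoned_cache(recs))
```

On the sample rows only userinit.exe shows a size mismatch (142848 vs 43520) in both system32 and dllcache; ctfmon.exe differs from its reference by hash alone, which on its own is a much weaker signal.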