View Full Version : Virus Removal Help



Blam
20-02-2009, 11:32 AM
Currently trying to remove a virus from a friend's PC; it must be a newer variant, as I have run Spyware Terminator and Trojan Remover and the virus still persists.

Attached is a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:04 a.m., on 20/02/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Executor\Executor.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Users\12189\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\12189\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aero_Shake_1.3.exe
C:\Users\12189\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Belvedere 0.3.exe
D:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\FirstClass\fcc32.exe
C:\Program Files\AVG\AVG8\avgui.exe
D:\Flash drive\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pressf1.pcworld.co.nz/forumdisplay.php?f=4
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://skcproxy/proxy1.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ThpSrv] C:\Windows\system32\thpsrv /logon
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\12189\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Windows Live Messenger .lnk = C:\Program Files\Windows Live\Messenger\msnmsgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.sk.edu
O17 - HKLM\Software\..\Telephony: DomainName = student.sk.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.sk.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.sk.edu
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\Windows\system32\ThpSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Websense Desktop Client (WebsenseDesktopClient) - Unknown owner - C:\Program Files\PMM\WDC.exe (file missing)
--
End of file - 6502 bytes

Firefox does not open. I have tried FF safe mode, but it tries to open and then crashes straight away. Also, AVG pops up many times when the user tries to access Internet Explorer; I have attached an image. AVG seems to think that most HTM files are "infected".

There is also a dodgy file in C drive I have been trying to remove called asyoclq.exe

TIA
Blam
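A way to triage a HijackThis log like the one above by script, as an added example written for this thread (it is not HijackThis code and not code from any poster): it walks the running-process list and the O4/O20/O23 entries and flags services whose binary is missing or has no publisher, anything loaded through AppInit_DLLs, and executables living in a user profile, a Temp directory or the root of a drive. The sample input is a constructed subset of the posted log plus one constructed process line for the asyoclq.exe file the post mentions; the rule names and the choice of heuristics are my own assumptions.

```python
"""Triage a HijackThis v2 log: pull out the entries a responder should read first.

Added example for this thread; it is not HijackThis code and not code from
any poster. The heuristics mirror what helpers in removal threads check by eye.
"""
import re
from dataclasses import dataclass

# Every HijackThis finding starts with a section code such as "O4 - " or "O23 - ".
ENTRY_RE = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")
# First Windows path ending in an executable extension inside an entry body.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|com)\b', re.IGNORECASE)

# Locations where a legitimate service or autostart binary is unusual (heuristics, not verdicts).
PATH_RULES = [
    (re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE), "binary lives in a user profile"),
    (re.compile(r"\\Temp\\", re.IGNORECASE), "binary lives in a Temp directory"),
    (re.compile(r"^[A-Za-z]:\\[^\\]+\.(?:exe|dll|sys|com)$", re.IGNORECASE), "binary sits in the root of a drive"),
]


@dataclass
class Finding:
    section: str   # "O4", "O20", "O23", or "PROC" for the running-process list
    entry: str     # the log line exactly as written
    reasons: list  # why it was flagged


def path_reasons(path):
    """Return the PATH_RULES descriptions that match one path."""
    return [why for rule, why in PATH_RULES if rule.search(path)]


def triage(log_text):
    """Walk a HijackThis log and return the entries worth a closer look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the R0/O-entries follow the process list
            section, body = match.groups()
            reasons = []
            if section == "O20":
                reasons.append("AppInit_DLLs / Winlogon notify entry is loaded into other processes")
            if section == "O23":
                if "(file missing)" in body:
                    reasons.append("service binary missing on disk")
                if "Unknown owner" in body:
                    reasons.append("service binary carries no publisher information")
            if section in ("O4", "O23"):
                path = PATH_RE.search(body)
                if path:
                    reasons.extend(path_reasons(path.group(0)))
            if reasons:
                findings.append(Finding(section, line, reasons))
        elif in_processes and re.match(r"^[A-Za-z]:\\", line):
            reasons = path_reasons(line)
            if reasons:
                findings.append(Finding("PROC", line, reasons))
    return findings


# Constructed sample: a subset of the lines from the log posted above, plus one
# running-process line (constructed) for the drive-root file the post names.
SAMPLE_LOG = "\n".join([
    "Logfile of Trend Micro HijackThis v2.0.2",
    "Running processes:",
    r"C:\Windows\Explorer.EXE",
    r"C:\Program Files\AVG\AVG8\avgtray.exe",
    r"C:\Users\12189\AppData\Local\Google\Update\GoogleUpdate.exe",
    r"C:\Users\12189\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aero_Shake_1.3.exe",
    r"C:\asyoclq.exe",  # constructed: not shown as a running process in the posted log
    "O1 - Hosts: ::1 localhost",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r'O4 - HKCU\..\Run: [Google Update] "C:\Users\12189\AppData\Local\Google\Update\GoogleUpdate.exe" /c',
    "O20 - AppInit_DLLs: avgrsstx.dll",
    r"O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe",
    r"O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\Windows\system32\ThpSrv.exe",
    r"O23 - Service: Websense Desktop Client (WebsenseDesktopClient) - Unknown owner - C:\Program Files\PMM\WDC.exe (file missing)",
])


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.entry}")
        for why in finding.reasons:
            print(f"    - {why}")
```

The output is a reading list, not a verdict: Google Update and the AVG AppInit DLL are flagged because they match a location or loading rule, and a helper still has to decide from publisher, hash and context which entries to fix. What the script buys is consistency across long logs, so a `(file missing)` service or a binary in the root of C: is not overlooked among sixty benign lines.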

Pancake
20-02-2009, 11:39 AM
Please download Malwarebytes' Anti-Malware from one of these places:

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

http://www.besttechie.net/tools/mbam-setup.exe



Double Click mbam-setup.exe to install the application.
If it will not run make a copy of the MBAM.exe and rename MBAM.exe to xxx.exe and run that. Keep the genuine MBAM.exe as we may need to run that later as is.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

PLEASE NOTE:
If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Once that Malwarebytes' Anti-Malware is done removing the malware and you have rebooted the computer, browse around and see if you are still having that problem.

Blam
20-02-2009, 12:14 PM
I forgot to mention that I have already run MBAM.
It's usually the first one I run.

Thanks
Blam

pctek
20-02-2009, 12:21 PM
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

How did you get infected if you are running the above??!!

You had to have let it in yourself.

You had Spybot up to date with the latest definitions? That and MB didn't remove it? You had MB up to date too?

Then Run NOD32, you'll have to get rid of AVG first or run NOD with this drive attached to another PC

Speedy Gonzales
20-02-2009, 12:27 PM
Disable system restore

Tick these then tick fix checked

Close browsers

O4 - HKCU\..\Run: [Google Update] "C:\Users\12189\AppData\Local\Google\Update\GoogleUpdate.exe" /c

Uninstall all versions of Java, it's out of date, then update it

Scan the whole hdd with trojan remover / AVG

Sweep
20-02-2009, 12:35 PM
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

How did you get infected if you are running the above??!!

You had to have let it in yourself.

You had Spybot up to date with the latest definitions? That and MB didn't remove it? You had MB up to date too?

Then Run NOD32, you'll have to get rid of AVG first or run NOD with this drive attached to another PC

Blam6 says,
"Currently trying to remove a virus from a friends PC, must be a newer variant as I have run Spyware Terminator, Trojan Remover and the virus still persists."

How did Blam6 let it in? It is a PC belonging to a friend in my opinion.

Blam
20-02-2009, 01:23 PM
Done all that, problem still persists?
BTW when you browse for a webpage it creates a temp file right?
Well AVG pops up saying that "htm" file is infected every time I open a new webpage???

BTW PCTek - he only downloaded Sandboxie a week ago, when everything was fine.

He saw it in a blog..

Blam

Speedy Gonzales
20-02-2009, 01:25 PM
Select all options under utilities in Trojan Remover if you haven't yet

Run ccleaner and get rid of the temp files etc

Then reboot

Well it adds whatever to a cache

pctek
20-02-2009, 02:29 PM
Done all that, problem still persists?


BTw PCTek-He only downloaded sandboxie a week ago, when everything was fine.



Done what exactly? Ran NOD?
That file you mentioned is malware; if you have run all 3 of what's been suggested it should have found it.
And Sandboxie - he thought everything was fine. It probably wasn't.

shell49
20-02-2009, 04:15 PM
go online & type HOUSECALL in your search bar it will take you to trendmicro online virus scan follow the prompts.

Blam
20-02-2009, 06:13 PM
Eh...thanks for the advice shell49 but it sucks....and I'm not a n00b:p

BTW I tried to install Nod and do a scan, but when trying to logon on a message popped up and the computer logged off itself:

Windows Software Protection:
"An unauthorized change was made to windows."

"Windows has discovered a change that will result in limited Windows functionality. Use the link below to find out how to fix windows."

So I tried safe mode and luckily it worked.
But when I tried to install nod, It said "Access Denied Error 5"
Ran as administrator, but still didn't work.

I've removed ALOT of viruses and malware throughout my life, but this one is VERY effective and is pretty hard to remove....

My next option will be to connect the drive to a PC for a scan....

Blam

Speedy Gonzales
20-02-2009, 06:33 PM
By the looks of it, that error means it or something isn't compatible with Vista

I don't think a virus is causing it

What version of Vista is it? Is it 32 or 64 bit?

Blam
20-02-2009, 07:02 PM
32bit Vista Business

Speedy Gonzales
20-02-2009, 07:15 PM
It should be compatible with Vista (it doesn't say with what versions though)

I would check the Eset / NOD forum, or send Eset / Chillisoft (which is in NZ), an email.

They're up Dominion Road actually. And see what they say

Blam
20-02-2009, 07:19 PM
I use nod32 on my home pc with vista ultimate and it works fine.
I think this is the virus causing damage...

Speedy Gonzales
20-02-2009, 07:38 PM
Is bkha.exe on this system as well?

Blam
20-02-2009, 07:53 PM
It was originally, but I deleted it and it seemed to have gone...
This virus is hidden incredibly well...

Speedy Gonzales
20-02-2009, 07:58 PM
Hmm that first file is related to it.. Looks like it's cloaked malware.

Maybe a rootkit

Get this unzip it then run it (http://www.gmer.net/gmer.zip)

And catchme then run it (http://www.gmer.net/catchme.exe)

Info about it is here (http://www.gmer.net/index.php)

Blam
20-02-2009, 08:54 PM
Ran Catchme, and it detected something, but when I tried to run gmer it said "gmer has stopped working", restarting, etc.

Maybe because I'm doing this from safe mode, as I cannot access Windows otherwise

Speedy Gonzales
20-02-2009, 09:00 PM
Did you disable system restore?

Try renaming gmer.exe to something else (ie: test.exe) . Then try again

As it looks like some rootkits (or whatever) can stop this program from working

Also, according to the gmer site, DON'T click on show all while it's scanning

Blam
20-02-2009, 09:25 PM
Disabled system restore already, 1st thing I did
Renamed gmer, still won't

I managed to run ComboFix, and it removed some stuff; here are the ComboFix and catchme logs:

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

-------------------------------------------------------------------------------

ComboFix 09-02-18.01 - 12189 2009-02-20 20:59:30.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2039.1689 [GMT 13:00]
Running from: F:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Windows\Start Menu\Programs\coolplay
c:\programdata\Microsoft\Windows\Start Menu\Programs\coolplay\Uninstall.lnk
c:\windows\system32\nvaux32.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 06:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-20 00:33 --------- d-----w c:\program files\MBAM
2009-02-19 23:00 --------- d-----w c:\programdata\Lavasoft
2009-02-19 22:59 --------- d-----w c:\program files\Lavasoft
2009-02-19 22:31 --------- d-----w c:\programdata\ESET
2009-02-19 22:31 --------- d-----w c:\program files\ESET
2009-02-19 20:35 --------- d-----w c:\programdata\STOPzilla!
2009-02-19 19:41 --------- d-----w c:\program files\PowerMenu
2009-02-19 10:27 --------- d-----w c:\program files\Folder Marker
2009-02-19 09:42 --------- d-----w c:\programdata\SITEguard
2009-02-19 09:26 --------- d-----w c:\program files\Common Files\iS3
2009-02-19 09:09 96,520 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-19 09:09 67,080 ----a-w c:\windows\system32\drivers\avgwfpx.sys
2009-02-19 09:08 --------- d-----w c:\programdata\avg8
2009-02-19 09:08 --------- d-----w c:\program files\AVG
2009-02-19 07:18 --------- d-----w c:\program files\Windows Live
2009-02-19 07:18 --------- d-----w c:\program files\Sandboxie
2009-02-19 07:03 --------- d---a-w c:\programdata\TEMP
2009-02-19 07:03 --------- d-----w c:\program files\Trojan Remover
2009-02-19 06:53 --------- d-----w c:\programdata\NBC Direct
2009-02-17 22:53 --------- d-----w c:\programdata\Simply Super Software
2009-02-16 04:42 --------- d-----w c:\program files\KeePass Password Safe
2009-02-15 19:33 --------- d-----w c:\program files\Opera
2009-02-15 06:24 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-02-15 06:08 --------- d-----w c:\programdata\Microsoft Help
2009-02-14 06:53 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-14 04:53 --------- d-----w c:\program files\LANcet Chat
2009-02-12 05:12 --------- d-----w c:\program files\HandBrake
2009-02-10 06:26 --------- d-----w c:\program files\Insofta Cover Commander
2009-02-09 05:18 --------- d--h--w c:\program files\PMM
2009-02-07 06:26 --------- d-----w c:\programdata\Stardock
2009-02-07 06:25 --------- d-----w c:\program files\Stardock
2009-02-07 06:10 --------- d-----w c:\program files\7-Zip
2009-02-07 05:05 --------- d-----w c:\program files\Executor
2009-02-07 01:02 --------- d-----w c:\programdata\GRETECH
2009-02-07 01:01 --------- d-----w c:\program files\GRETECH
2009-02-06 09:20 --------- d-----w c:\program files\Raxco
2009-02-06 07:25 --------- d-----w c:\program files\FileASSASSIN
2009-02-06 06:45 --------- d-----w c:\program files\VideoLAN
2009-02-05 04:40 32,256 ----a-w c:\windows\hh.exe
2009-02-04 04:15 --------- d-----w c:\program files\Install Creator
2009-02-03 07:28 --------- d-----w c:\program files\Replay AV 8
2009-02-03 06:35 --------- d-----w c:\program files\CCleaner
2009-02-03 05:29 --------- d-----w c:\program files\Windows Mail
2009-02-03 05:29 --------- d-----w c:\program files\Windows Journal
2009-02-03 05:29 --------- d-----w c:\program files\Protector Suite QL
2009-02-03 05:29 --------- d-----w c:\program files\Opus Pro 6
2009-02-03 05:29 --------- d-----w c:\program files\ltmoh
2009-02-03 05:29 --------- d-----w c:\program files\Java
2009-02-03 05:29 --------- d-----w c:\program files\IrfanView
2009-02-03 05:29 --------- d-----w c:\program files\GetASFStream
2009-02-03 05:29 --------- d-----w c:\program files\DataStudio
2009-02-03 05:29 --------- d-----w c:\program files\Common Files\Java
2009-02-03 05:29 --------- d-----w c:\program files\Autograph 3.20
2009-02-03 05:29 --------- d-----w c:\program files\Apoint2K
2009-02-03 02:09 --------- d-----w c:\programdata\Malwarebytes
2009-02-02 10:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 10:08 --------- d-----w c:\program files\YouSendIt
2009-02-02 10:07 --------- d-----w c:\program files\WinPcap
2009-02-02 10:06 --------- d-----w c:\program files\Replay Converter 3
2009-02-02 10:05 757,760 ----a-w c:\windows\iun6002.exe
2009-02-02 07:59 40,448 ----a-w C:\asyoclq.exe
2009-02-02 07:45 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-02 07:44 --------- d-----w c:\program files\Common Files\Adobe
2009-02-02 07:42 --------- d-----w c:\program files\COMODO
2009-02-02 06:47 --------- d-----w c:\program files\Microsoft Games
2009-02-02 06:04 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-02 06:04 --------- d-----w c:\program files\Microsoft
2009-02-02 06:03 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-02-02 05:52 --------- d-----w c:\program files\Windows Live SkyDrive
2009-02-02 05:44 --------- d-----w c:\program files\Common Files\Windows Live
2009-02-01 09:09 --------- d-----w c:\program files\Alwil Software
2009-02-01 08:58 --------- d-----w c:\program files\NCH Swift Sound
2009-01-30 07:23 --------- d-----w c:\program files\Windows Sidebar
2009-01-30 06:37 110,080 ----a-w c:\windows\system32\drivers\mrxdav.sys
2009-01-30 06:32 803,328 ----a-w c:\windows\system32\drivers\tcpip.sys
2009-01-30 06:32 216,632 ----a-w c:\windows\system32\drivers\netio.sys
2009-01-30 06:30 54,784 ----a-w c:\windows\system32\drivers\i8042prt.sys
2009-01-30 06:30 495,160 ----a-w c:\windows\system32\drivers\Wdf01000.sys
2009-01-30 06:30 35,384 ----a-w c:\windows\system32\drivers\WdfLdr.sys
2009-01-30 06:30 35,384 ----a-w c:\windows\system32\drivers\kbdclass.sys
2009-01-30 06:30 34,360 ----a-w c:\windows\system32\drivers\mouclass.sys
2009-01-30 06:30 19,968 ----a-w c:\windows\system32\drivers\sermouse.sys
2009-01-30 06:30 15,872 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-01-30 06:30 15,872 ----a-w c:\windows\system32\drivers\kbdhid.sys
2009-01-30 06:28 290,304 ----a-w c:\windows\system32\drivers\srv.sys
2009-01-30 06:27 113,664 ----a-w c:\windows\system32\drivers\rmcast.sys
2009-01-30 06:25 84,992 ----a-w c:\windows\system32\drivers\srvnet.sys
2009-01-30 06:25 58,368 ----a-w c:\windows\system32\drivers\mrxsmb20.sys
2009-01-30 06:25 130,048 ----a-w c:\windows\system32\drivers\srv2.sys
2009-01-30 06:25 101,888 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2009-01-30 06:21 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-01-29 20:43 0 --sha-r c:\windows\system32\drivers\1179_TOSHIBA_PORTEGE M500_SYSTEM_PPM51A-02900L.MRK
2008-12-04 09:55 307,560 ----a-w c:\windows\WLXPGSS.SCR
2008-04-15 02:49 174 --sha-w c:\program files\desktop.ini
2007-11-21 07:10 952 --sha-w c:\windows\System32\KGyGaAvL.sys
.

------- Sigcheck -------

2007-11-22 10:39 2940928 31b652c4437a533ea15bb8b056126940 c:\windows\explorer.exe
2006-11-02 22:45 2940928 22060fc0968f5b5087935aee4e874864 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
2007-11-22 10:39 2940928 31b652c4437a533ea15bb8b056126940 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
2007-11-22 10:39 2940928 423a900489e2af66e6a12952bbaaf72e c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe

2006-11-02 22:45 26112 f131d8ba54efcb2a0079205726c38753 c:\windows\System32\ctfmon.exe
2006-11-02 22:45 26112 f131d8ba54efcb2a0079205726c38753 c:\windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.0.6000.16386_none_9af9cad793a67953\ctfmon.exe

2006-11-02 22:45 142336 61a46d6c23b712d3a02519a64c09aac1 c:\windows\System32\spoolsv.exe
2006-11-02 22:45 142336 61a46d6c23b712d3a02519a64c09aac1 c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6000.16386_none_d414e125c49db442\spoolsv.exe

2006-11-02 22:45 41984 994b96ad5c8768aa3be450efdd4047e3 c:\windows\System32\userinit.exe
2006-11-02 22:45 41984 994b96ad5c8768aa3be450efdd4047e3 c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 14:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 14:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Executor"="c:\program files\Executor\executor.exe" [2008-05-19 1070080]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 219136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 200704]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-19 1177368]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Wrapper"="runonce" [X]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Windows Live Messenger .lnk - c:\program files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3882312]

c:\users\12189\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\
Aero_Shake_1.3.exe [2008-11-13 206065]
Rainmeter.lnk - d:\program files\Rainmeter\Rainmeter.exe [2006-01-22 139264]
rules.ini [2009-02-16 47]

c:\users\12189\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\resources
belvedere.ico [2008-02-01 370070]
belvederename.png [2008-02-01 158723]
both.png [2008-02-01 45885]

c:\users\12189\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\resources(78)
belvederename.png [2008-02-01 158723]
both.png [2008-02-01 45885]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-04 13:50 90112 c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-643970264-1529554251-782984527-11869\Scripts\Logon\0\0]
"Script"=\\sweden\netlogon\settime.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-643970264-1529554251-782984527-11869\Scripts\Logon\0\1]
"Script"=\\sweden\NETLOGON\IEPrint2.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-643970264-1529554251-782984527-11869\Scripts\Logon\1\0]
"Script"=08student.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-643970264-1529554251-782984527-11869\Scripts\Logon\1\1]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2007-08-03 23:32 714080 c:\program files\TOSHIBA\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
--a------ 2006-12-07 16:49 55416 c:\program files\TOSHIBA\TBS\HSON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
--a------ 2006-12-04 13:29 49168 c:\program files\Protector Suite QL\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2007-06-15 21:01 448080 c:\program files\TOSHIBA\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-11-17 14:36 1006264 c:\program files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DA806815-2928-4C36-BEDB-185A3F2779BE}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{964B2A7A-27A3-4779-BC64-6E411BA91393}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{1252A1A8-CE52-48C4-A7D0-4359BAD1791F}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{06186416-4128-4A4F-9B13-C348D1DF15AA}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"TCP Query User{F38FBD7C-DFBA-43A6-9F5D-06C70A72FE03}d:\\downloads\\hijackthis.exe"= UDP:d:\downloads\hijackthis.exe:HijackThis
"UDP Query User{FDAA9839-379F-4604-AB70-27F366DD5CEE}d:\\downloads\\hijackthis.exe"= TCP:d:\downloads\hijackthis.exe:HijackThis
"TCP Query User{E1D1C8CE-1FC2-40C8-8EB6-A50EDC029943}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{4C2CB304-4C26-445A-A6FB-77AF31AAFF4B}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{B76E8212-85DA-4CA1-9AA7-24666D758A7D}c:\\windows\\system32\\wercon.exe"= UDP:c:\windows\system32\wercon.exe:Problem Reports and Solutions
"UDP Query User{6045692D-344D-416C-9885-50E0E10B85EA}c:\\windows\\system32\\wercon.exe"= TCP:c:\windows\system32\wercon.exe:Problem Reports and Solutions
"TCP Query User{AF9DF791-E0C1-4101-A398-528EEB012B43}c:\\program files\\microsoft office\\office12\\winword.exe"= UDP:c:\program files\microsoft office\office12\winword.exe:Microsoft Office Word
"UDP Query User{64C63C64-D3BA-4FC7-BFB6-6C585F77270E}c:\\program files\\microsoft office\\office12\\winword.exe"= TCP:c:\program files\microsoft office\office12\winword.exe:Microsoft Office Word
"TCP Query User{ACA167D6-2E61-43B1-AEDE-6825C016BACC}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{D02EE336-D962-48DA-BBEE-491033D1DCE6}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{A9CF5304-625B-4590-8D7B-2789E5B9E679}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{29F1651F-E076-47A8-9B2F-4848B7D51CE2}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{C170B9D3-BCDE-4DF8-88C1-951419E55099}c:\\program files\\lancet chat\\lchat.exe"= UDP:c:\program files\lancet chat\lchat.exe:?hat for local networks
"UDP Query User{3D68C2C5-FEC5-42DC-B97F-FC1D23359D51}c:\\program files\\lancet chat\\lchat.exe"= TCP:c:\program files\lancet chat\lchat.exe:?hat for local networks
"TCP Query User{43A81BDF-76BA-47D3-BB8E-DAA29F1A5D46}c:\\program files\\lancet chat\\lancetchat.exe"= UDP:c:\program files\lancet chat\lancetchat.exe:?hat for local networks
"UDP Query User{A7D2BCE4-6533-4C33-B6F0-BC542D28EBE5}c:\\program files\\lancet chat\\lancetchat.exe"= TCP:c:\program files\lancet chat\lancetchat.exe:?hat for local networks
"{2BC73476-A4E8-4E58-8ADC-26202819FDFD}"= UDP:F:\uTorrent.exe:µTorrent (TCP-In)
"{20A43B7F-A336-4AB0-A5AE-A396339C8C39}"= TCP:F:\uTorrent.exe:µTorrent (UDP-In)
"{44A14EB1-8796-4534-990D-BB9CBFB82619}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{A08BEF6C-2474-450F-BF8F-4359A7E235B8}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Windows\\system32\\wininit.exe"= c:\windows\system32\wininit.exe:*:enabled:@shell32.dll,-1

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\System32\drivers\thpdrv.sys [2006-10-31 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\System32\drivers\Thpevm.sys [2006-10-20 6528]
R0 WsFsF;WsFsF;c:\windows\System32\drivers\wsfsfwlh.sys [2007-05-08 31744]
R2 KbdFIOControl;KbdFIOControl;c:\windows\System32\drivers\KbdF.sys [2007-11-18 7168]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-19 96520]
S1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [2008-07-01 34312]
S1 wscam6300;wscam6300;c:\windows\System32\drivers\wscam6300.sys [2007-05-08 33024]
S1 wstdi;wstdi;c:\windows\System32\drivers\wstdiwlh.sys [2007-05-08 35328]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-19 902424]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-19 282904]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2007-11-18 600912]
S2 WebsenseDesktopClient;Websense Desktop Client;c:\program files\PMM\WDC.exe --> c:\program files\PMM\WDC.exe [?]
S3 AvgWfpX;AVG8 Firewall Driver x86;c:\windows\System32\drivers\avgwfpx.sys [2009-02-19 67080]
S3 netr73;TL-WN321G Wireless USB Adapter Driver for Vista;c:\windows\System32\drivers\netr73.sys [2009-02-13 329728]
S3 NJXUVCN;NJXUVCN;c:\users\12189\AppData\Local\Temp\NJXUVCN.exe --> c:\users\12189\AppData\Local\Temp\NJXUVCN.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [2007-01-26 42000]
S3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2009-01-06 103936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{960ca98b-f417-11dd-9ec4-001c7e33551d}]
\shell\AutoRun\command - F:\2u.com
\shell\explore\Command - F:\2u.com
\shell\open\Command - F:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{960ca98f-f417-11dd-9ec4-001c7e33551d}]
\shell\AutoRun\command - G:\2u.com
\shell\explore\Command - G:\2u.com
\shell\open\Command - G:\2u.com
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-643970264-1529554251-782984527-11869.job
- c:\users\12189\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-02 20:10]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-WsUiMgr - c:\program files\PMM\WsUIMgr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://pressf1.pcworld.co.nz/forumdisplay.php?f=4
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\12189\AppData\Roaming\Mozilla\Firefox\Profiles\7un6b0k7.default\
FF - prefs.js: browser.startup.homepage - hxxp://pressf1.pcworld.co.nz/forumdisplay.php?f=4
FF - component: c:\users\12189\AppData\Roaming\Mozilla\Firefox\Profiles\7un6b0k7.default\extensions\glasser@sixxgate.com\components\dwmxpcom.dll
FF - component: c:\users\12189\AppData\Roaming\Mozilla\Firefox\Profiles\7un6b0k7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\12189\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 21:08:10
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(436)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'Explorer.exe'(820)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\igfxsrvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\System32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-02-20 21:10:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-20 08:10:49

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 29,022,646,272 bytes free

312 --- E O F --- 2009-02-02 07:16:12

wainuitech
20-02-2009, 09:27 PM
You can always try using ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) -- Been using it quite a bit - it's amazing the crap (infections) it will pull out that many of the others turn turtle on.

Biggest thing - let it do its job, even if it looks like it's stalled, or not working, it actually is - stopping it or getting impatient can have negative effects.

And it now does work on Vista.

EDITED:

SNAP - I see you ran it while I was posting :D -- Can't be bothered looking back through the post - have you run Spyware Terminator?? Either Y or N, make sure you go to Settings, Scan Settings, and tick the two unticked boxes.

Speedy Gonzales
20-02-2009, 09:29 PM
Get rid of McAfee and AVG, if NOD is running OK

I don't know what to do with ComboFix logs (that's if you have to do anything)

Blam
20-02-2009, 09:31 PM
It IS! AVG and McAfee were already uninstalled... don't know what ComboFix was complaining about...

Speedy Gonzales
20-02-2009, 09:42 PM
Should have guessed it had some sort of P2P program on it :ban

Find this file then delete it

NJXUVCN.exe

And delete it

Or use CCleaner and run it, delete asyoclq.exe as well (in safe mode)

Blam
20-02-2009, 10:18 PM
Deleted, now what?

Speedy Gonzales
20-02-2009, 10:37 PM
Is it any better when you boot into Vista? I guess not

Find this file, right mouse / Properties, what's it say?

c:\windows\iun6002.exe, a file with this name spies on you

Blam
20-02-2009, 10:40 PM
Nope:(

Speedy Gonzales
20-02-2009, 10:53 PM
If you didn't delete this file (or if you did) restore it: iun6002.exe

Then go into its properties

Blam
20-02-2009, 10:57 PM
Nope. It's deleted. Why would you want it back anyway?

Speedy Gonzales
20-02-2009, 11:00 PM
Did you reboot after?

Blam
21-02-2009, 08:36 AM
Yep

Speedy Gonzales
21-02-2009, 10:58 AM
What's F and G??

These entries

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{960ca98b-f417-11dd-9ec4-001c7e33551d}]
\shell\AutoRun\command - F:\2u.com
\shell\explore\Command - F:\2u.com
\shell\open\Command - F:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{960ca98f-f417-11dd-9ec4-001c7e33551d}]
\shell\AutoRun\command - G:\2u.com
\shell\explore\Command - G:\2u.com
\shell\open\Command - G:\2u.com

That file may belong to a rootkit
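An added PowerShell check (not from this thread) that reads the same MountPoints2 keys ComboFix listed above and flags shell handlers that launch a file straight from a drive root, as F:\2u.com does. It assumes it is run as the affected user on the affected machine; the NoDriveTypeAutoRun policy check is extra and not something the thread mentions.

```powershell
# Added example, not from the thread: walk the MountPoints2 keys ComboFix
# listed and flag shell handlers that launch a file from a drive root.
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$verbs = 'shell\AutoRun\command', 'shell\open\Command', 'shell\explore\Command'

# Drive letter -> DriveType as Windows reports it (2 = removable, 3 = fixed).
$driveType = @{}
Get-WmiObject Win32_LogicalDisk | ForEach-Object { $driveType[$_.DeviceID] = $_.DriveType }

function Get-MountPointHandlers {
    foreach ($key in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        foreach ($verb in $verbs) {
            $path = Join-Path $key.PSPath $verb
            if (-not (Test-Path $path)) { continue }
            $cmd = (Get-ItemProperty -Path $path -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
            if (-not $cmd) { continue }
            $drive = $null
            if ($cmd -match '^([A-Za-z]:)') { $drive = $Matches[1].ToUpper() }
            # F:\2u.com style: an executable sitting in the root of the drive,
            # wired in by an autorun.inf on an infected stick or external disk.
            $suspicious = [bool]($cmd -match '^[A-Za-z]:\\[^\\]+\.(com|exe|bat|cmd|pif|scr)\b')
            New-Object PSObject -Property @{
                Volume     = $key.PSChildName
                Verb       = $verb
                Command    = $cmd
                Drive      = $drive
                DriveType  = $(if ($drive) { $driveType[$drive] } else { $null })
                Suspicious = $suspicious
            }
        }
    }
}

# AutoRun can be switched off for every drive type; 0xFF is the value Microsoft
# documents for NoDriveTypeAutoRun to disable it completely.
$policy  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty $policy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 255) { Write-Warning "NoDriveTypeAutoRun is '$autorun'; 0xFF disables AutoRun on all drives" }

Get-MountPointHandlers | Where-Object { $_.Suspicious } |
    Format-Table Volume, Verb, Command, Drive, DriveType -AutoSize
```

A hit whose Drive is no longer present (the external disk unplugged) is still worth clearing out, since the handler fires again the next time that volume is mounted.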

Blam
21-02-2009, 11:51 AM
It may belong to his external hard drive?

BTW it's really bad now, did a scan with ComboFix, now computer doesn't start up, just loads, then goes to a black screen..

Speedy Gonzales
21-02-2009, 11:56 AM
Remove the external hdd

That may be F, what's G?? Or is it partitioned or something?

wainuitech
21-02-2009, 12:28 PM
It may belong to his external hard drive?

BTW it's really bad now, did a scan with ComboFix, now computer doesn't start up, just loads, then goes to a black screen.. A SECOND ComboFix scan ???

Hopefully you have system restore enabled - boot from safe mode with command prompt if you can, and run restore back to prior running of combofix, as combofix makes a restore point before doing anything.

The command is C:\windows\system32\restore\rstrui.exe
Seriously though - sometimes, depending on just how bad a PC is, it's sometimes better to save the data and reinstall from fresh - that of course depends on how much time you want to play around with a badly infected system - if it's too bad you'll never be sure you got everything.

Blam
21-02-2009, 02:35 PM
No, it was from the first combofix scan.

System restore was disabled:x

wainuitech
21-02-2009, 02:41 PM
Hmmmm, only time I have seen ComboFix really screw a system is when the viruses / spyware attack some of the system files and basically destroy them.

When that has happened in the past (and from memory it's only been twice out of the MANY times I've run ComboFix) a repair install gets it going again.

As mentioned before - if a system is so badly damaged - a complete new install may be best - sometimes you think you have everything and it turns round and bites you in the backside 5 minutes later.

Blam
21-02-2009, 02:57 PM
Ran Vista recovery CD, and it seems to have fixed it...I'll do a few more scans...
I really want to reinstall, but my friend is very reluctant to do so....

I'll update you on anything

Thanks
Blam

wainuitech
21-02-2009, 03:05 PM
OOPS! :o My mistake on the repair install - forgot it was Vista. The repair install works on XP.

Blam
21-02-2009, 03:07 PM
I know lol, Vista just has the recovery CD option:)

Blam
21-02-2009, 03:29 PM
OK - Did manage to install Trojan Remover (virus had deleted it)

Updated and scanned, and it thinks the userinit.exe file is infected so badly it must be replaced.

What are your thoughts on this?
I have a Vista CD so I can replace it if needed....

Speedy Gonzales
21-02-2009, 03:55 PM
Does the link in the 2nd pic work? If it does do what it says there

Blam
21-02-2009, 04:05 PM
Nope, it doesn't, it's instructions for XP:(

Speedy Gonzales
21-02-2009, 04:13 PM
It's probably the same for Vista

Or connect the HDD to another system as slave if it's IDE

Put the Vista cd in and extract it like what it says on that link

Just extract it in a different folder, then copy it to the vista PC

Or use the sfc command

Blam
21-02-2009, 04:20 PM
Tried sfc, didn't work:(

wainuitech
21-02-2009, 04:20 PM
OH CRAP! That one:eek: if the Userinit is infected you have to make a new account BEFORE you wipe that - I personally have found once that's infected it's touch and go as to whether the PC ends up being reinstalled -

Two things you can try - boot from the DVD, run restore (as long as it's turned on), put back the infected userinit.

Other wise have a look at This article (http://www.vistax64.com/general-discussion/195146-cant-access-user-guest-account.html) then This article (http://www.vistax64.com/tutorials/130095-user-profile-service-failed-logon-user-profile-cannot-loaded.html) if you get it going again - and replace the userinit.

Personally (and this is only me) I would say to your friend, the system is too badly damaged - save the data - wipe it - reinstall.

Twice I have managed to repair the userinit - twice it's corrupted within 2-3 days and had to start again.

Blam
22-02-2009, 12:27 PM
I've backed up all his data, and I've decided if it can't be fixed today, it'll be a repair install.

It's worse now - can't even boot into safe mode, freezes at crcdisk.sys

Anything else I can do today?

Speedy Gonzales
22-02-2009, 01:10 PM
Take your pick (http://www.google.co.nz/search?q=crcdisk.sys&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a)

Looks like that file can cause probs in Vista

Blam
22-02-2009, 06:24 PM
Tried that, no luck, anything I can do before a reinstall?

Speedy Gonzales
22-02-2009, 06:25 PM
No I think 51 posts is enough :p

Or connect it to another system (that's got Vista on it, just make sure it's the same version, 32 or 64 bit), copy that userinit file in safe mode, see what happens

Blam
22-02-2009, 06:42 PM
Ok, can I just copy it from a Vista DVD?

Speedy Gonzales
22-02-2009, 06:53 PM
If you can find it you'll probably have to extract it

Open up a command prompt (probably have to run it as admin).

Once you copy it (if you find it), if this command exists in Vista

Depending on where you copy this file to on the HDD, cd to it in the command prompt

cd (wherever you copy it to on the hdd)

expand userinit.ex_ (or whatever it's called) folder where the current userinit.exe file is, (it may not let you do this), then reboot

It may be called userinit.ex_ or something on the DVD

Only thing is, it may not be the same version as (what's on your HDD right now). You may have to go through Add/Remove Programs, click on all the updates since SP1, and go to the MS site to find out which update installed the version of userinit.exe that's installed.

If you manage to extract the file from the DVD, right mouse / properties on it and the installed one. See what the version is

Or do a search on the hdd for userinit.exe. See if there's more than 1 userinit.exe. If there is and the other file is the same size and version copy it to the same folder as the infected file in safe mode
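An added PowerShell script (not from the thread) that does the comparison Speedy describes: it finds every userinit.exe on the system drive, shows size, version, signature and SHA-256, compares each against a known-good copy, and checks the Winlogon value that launches it. C:\Temp\userinit.exe is an assumed placeholder for the copy expanded from the Vista DVD.

```powershell
# Added example, not from the thread. $reference is an assumed placeholder for
# the copy expanded from the Vista DVD (expand userinit.ex_ C:\Temp\userinit.exe).
$reference   = 'C:\Temp\userinit.exe'
$systemDrive = $env:SystemDrive

function Get-FileSha256([string]$path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-UserinitCopies {
    # Speedy's suggestion: search the whole disk for userinit.exe and compare
    # size and version; signature and hash are added here as stronger checks.
    Get-ChildItem -Path "$systemDrive\" -Filter userinit.exe -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Catalog-signed system files can show NotSigned on older PowerShell;
            # if so, rely on the hash comparison below instead.
            $sig = Get-AuthenticodeSignature $_.FullName
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Size      = $_.Length
                Version   = $_.VersionInfo.FileVersion
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Sha256    = Get-FileSha256 $_.FullName
            }
        }
}

$copies = Get-UserinitCopies
$copies | Format-Table Path, Size, Version, Signature, Sha256 -AutoSize

if (Test-Path $reference) {
    $good = Get-FileSha256 $reference
    # A mismatch is not proof of infection on its own: a userinit.exe updated by
    # Windows Update also differs from the DVD copy, as Speedy notes above.
    $copies | Where-Object { $_.Sha256 -ne $good } |
        ForEach-Object { Write-Warning "$($_.Path) differs from $reference" }
}

# Winlogon launches userinit from this value; anything other than the System32
# path (Windows itself writes it with a trailing comma) means it was hijacked.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
(Get-ItemProperty $winlogon).Userinit
```

Run it from an elevated prompt on the repaired machine, or against the disk mounted in another Vista system by pointing $systemDrive at that drive letter.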