userinit.exe Trogjan horse sheur2.acax

View previous topic View next topic Go down

userinit.exe Trogjan horse sheur2.acax

Post by pipnik on 25th May 2009, 1:10 am

I have run multiple scans, and removed a lot of stuff, but AVG still finds this.. This is not my pc, but when I started it wouldn't boot at all, a blue screen.. Repaired with windows disk. I don't have the windows disk for this pc, or would have wiped it out and started over. Any help will be greatly appreciated!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:09 PM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\lxcrcoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: Save with Download Manager... - [You must be registered and logged in to see this link.] Files\Charter Music\DMDownload.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: mshlp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcr_device - - C:\WINDOWS\System32\lxcrcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6654 bytes

pipnik
Novice
Novice

Posts Posts : 21
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 27595
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by Origin on 25th May 2009, 5:31 pm


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
    R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
    O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
    O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL



  • Press "Fix Checked"
  • Close Hijack This.




1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by pipnik on 25th May 2009, 10:50 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "MSHLP" found!
DisplayName: MSHLP
ImagePath: \??\C:\WINDOWS\System32\mssys.sys
Start Type: 2 (Automatic)

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

pipnik
Novice
Novice

Posts Posts : 21
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 27595
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by Origin on 25th May 2009, 10:57 pm

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Drivers to delete:
mssys.sys

Files to delete:
C:\WINDOWS\System32\mssys.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by pipnik on 26th May 2009, 2:07 am

THANKS SO MUCH for your help!

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "MSHLP" found!
DisplayName: MSHLP
ImagePath: \??\C:\WINDOWS\System32\mssys.sys
Driver disabled successfully.

Rootkit scan completed.


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\mssys.sys" not found!
Deletion of driver "mssys.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\System32\mssys.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

pipnik
Novice
Novice

Posts Posts : 21
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 27595
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by Origin on 26th May 2009, 2:15 am

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
See [You must be registered and logged in to see this link.] for how to disable your AV..

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by pipnik on 29th May 2009, 11:19 pm

ComboFix 09-05-29.01 - Owner 05/29/2009 19:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.59 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe
c:\documents and settings\Owner\Application Data\wiaserva.log
c:\windows\system\oeminfo.ini
c:\windows\system32\book.dlltmp
c:\windows\system32\ignet2.dlltmp
c:\windows\system32\w3url.dll
c:\windows\system32\win32x.exe

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IWINGAMESINSTALLER
-------\Legacy_WIN32X


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))
.

2100-02-23 18:35 . 2001-02-22 13:54 768 ----a-w c:\program files\x73_lut.dat
2100-02-08 20:03 . 2001-05-11 15:39 53248 ----a-w c:\program files\ACMonitor_X73.exe
2009-05-25 00:17 . 2009-05-25 00:17 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-24 23:37 . 2009-05-25 00:16 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2009-05-24 23:21 . 2009-05-24 23:21 -------- d-----w c:\program files\JavaFX
2009-05-24 23:18 . 2009-05-24 23:18 -------- d-----w c:\program files\Sun
2009-05-24 23:17 . 2009-05-24 23:17 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-24 23:08 . 2009-05-24 23:17 -------- d-----w c:\program files\Java
2009-05-24 22:53 . 2009-05-24 22:53 -------- d-----w c:\program files\Trend Micro
2009-05-24 07:12 . 2009-05-24 01:47 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-24 07:12 . 2009-05-24 01:47 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-24 07:11 . 2009-05-24 01:47 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-24 03:08 . 2009-05-24 03:08 -------- d-----w c:\windows\system32\scripting
2009-05-24 03:08 . 2009-05-24 03:08 -------- d-----w c:\windows\l2schemas
2009-05-24 03:08 . 2009-05-24 03:08 -------- d-----w c:\windows\system32\en
2009-05-24 01:53 . 2009-05-24 01:53 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-05-24 01:48 . 2009-05-24 01:48 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-24 01:48 . 2009-05-24 01:48 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-24 01:47 . 2009-05-24 01:47 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-24 01:47 . 2009-05-24 01:47 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-24 01:47 . 2009-05-29 21:41 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-24 01:47 . 2009-05-24 01:47 -------- d-----w c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-05-24 01:31 . 2009-05-24 01:31 -------- d-s---w c:\documents and settings\Administrator\UserData
2009-05-24 01:31 . 2009-05-24 01:31 93184 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-23 13:50 . 2009-05-23 13:50 117760 ----a-w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-23 13:49 . 2009-05-23 13:49 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-23 13:44 . 2009-05-24 07:16 117760 ----a-w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-23 13:43 . 2009-05-23 13:43 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-23 13:43 . 2009-05-23 13:43 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-23 13:43 . 2009-05-23 13:43 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-05-23 13:27 . 2009-05-23 13:27 -------- d-----w c:\program files\CCleaner
2009-05-23 13:24 . 2009-05-23 13:24 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-22 22:33 . 2009-05-23 13:33 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 22:33 . 2009-05-22 22:53 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-22 00:48 . 2009-05-22 00:48 -------- d-----w c:\documents and settings\Administrator\Application Data\IObit
2009-05-22 00:48 . 2009-05-22 00:48 -------- d-----w c:\program files\IObit
2009-05-21 23:47 . 2009-05-21 23:47 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-20 00:12 . 2009-05-20 00:12 -------- d-----w c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-05-18 23:29 . 2008-04-14 00:12 28672 ------w c:\windows\system32\verclsid.exe
2009-05-18 23:29 . 2008-04-14 00:12 208896 ------w c:\windows\system32\dllcache\unregmp2.exe
2009-05-18 23:29 . 2008-04-14 00:12 53248 ------w c:\windows\system32\tsgqec.dll
2009-05-18 23:29 . 2008-04-14 00:12 50688 ------w c:\windows\system32\tspkg.dll
2009-05-18 23:28 . 2008-04-14 00:12 152064 ------w c:\windows\system32\dllcache\shmedia.dll
2009-05-18 23:28 . 2008-04-13 18:40 10240 ------w c:\windows\system32\drivers\sffp_mmc.sys
2009-05-18 23:28 . 2008-04-14 00:12 774144 ------w c:\windows\system32\dllcache\setup_wm.exe
2009-05-18 23:28 . 2008-04-14 00:12 32768 ------w c:\windows\system32\setupn.exe
2009-05-18 23:28 . 2008-04-14 00:12 290304 ------w c:\windows\system32\rhttpaa.dll
2009-05-18 23:28 . 2008-04-14 00:12 61952 ------w c:\windows\system32\rasqec.dll
2009-05-18 23:28 . 2008-04-14 00:12 76800 ------w c:\windows\system32\qutil.dll
2009-05-18 23:28 . 2008-04-14 00:12 62464 ------w c:\windows\system32\qcliprov.dll
2009-05-18 23:28 . 2008-04-14 00:12 291328 ------w c:\windows\system32\qagentrt.dll
2009-05-18 23:28 . 2008-04-14 00:12 150528 ------w c:\windows\system32\qagent.dll
2009-05-18 23:27 . 2008-04-14 00:12 412160 ------w c:\windows\system32\photometadatahandler.dll
2009-05-18 23:27 . 2008-04-14 00:12 144384 ------w c:\windows\system32\onex.dll
2009-05-18 23:25 . 2008-04-14 00:10 4126 ------w c:\windows\system32\dllcache\msdxmlc.dll
2009-05-18 23:25 . 2008-04-14 00:12 4639 ------w c:\windows\system32\dllcache\mplayer2.exe
2009-05-18 23:25 . 2008-04-14 00:12 123392 ------w c:\windows\system32\dllcache\mplay32.exe
2009-05-18 23:25 . 2008-04-14 00:11 368640 ------w c:\windows\system32\dllcache\mpvis.dll
2009-05-18 23:25 . 2008-04-14 00:11 240640 ------w c:\windows\system32\dllcache\mpg4dmod.dll
2009-05-18 23:25 . 2008-04-14 00:11 384512 ------w c:\windows\system32\dllcache\mp4sdmod.dll
2009-05-18 23:25 . 2008-04-14 00:11 310272 ------w c:\windows\system32\dllcache\mp43dmod.dll
2009-05-18 23:25 . 2008-04-14 00:12 33792 ------w c:\windows\system32\mmcperf.exe
2009-05-18 23:25 . 2008-04-14 00:11 397312 ------w c:\windows\system32\mmcex.dll
2009-05-18 23:25 . 2008-04-14 00:11 184320 ------w c:\windows\system32\microsoft.managementconsole.dll
2009-05-18 23:25 . 2008-04-14 00:11 106496 ------w c:\windows\system32\mmcfxcommon.dll
2009-05-18 23:25 . 2008-04-14 00:12 786432 ------w c:\windows\system32\dllcache\migrate.exe
2009-05-18 23:24 . 2008-04-14 00:11 37376 ------w c:\windows\system32\l2gpstore.dll
2009-05-18 23:24 . 2008-04-14 00:11 61440 ------w c:\windows\system32\kmsvc.dll
2009-05-18 23:24 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdpash.dll
2009-05-18 23:24 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdnepr.dll
2009-05-18 23:24 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdiultn.dll
2009-05-18 23:24 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdbhc.dll
2009-05-18 23:22 . 2008-04-14 00:12 294912 ------w c:\windows\system32\dllcache\dlimport.exe
2009-05-18 23:22 . 2008-04-14 00:11 39936 ------w c:\windows\system32\dimsroam.dll
2009-05-18 23:22 . 2008-04-14 00:11 19456 ------w c:\windows\system32\dimsntfy.dll
2009-05-18 23:22 . 2008-04-14 00:11 48640 ------w c:\windows\system32\dhcpqec.dll
2009-05-18 23:22 . 2008-04-14 00:11 33792 ------w c:\windows\system32\dllcache\custsat.dll
2009-05-18 23:22 . 2008-04-14 00:11 12800 ------w c:\windows\system32\credssp.dll
2009-05-18 23:22 . 2008-04-14 00:11 7168 ------w c:\windows\system32\bitsprx4.dll
2009-05-18 23:22 . 2008-04-14 00:11 233472 ------w c:\windows\system32\azroles.dll
2009-05-18 23:22 . 2008-04-13 17:23 8192 ------w c:\windows\system32\dllcache\asferror.dll
2009-05-18 23:21 . 2008-04-14 00:11 136192 ------w c:\windows\system32\aaclient.dll
2009-05-18 22:21 . 2009-05-24 16:46 -------- d--h--w C:\$AVG8.VAULT$
2009-05-18 22:16 . 2008-06-13 11:05 272128 ------w c:\windows\system32\dllcache\bthport.sys
2009-05-18 22:14 . 2008-05-08 14:02 203136 ------w c:\windows\system32\dllcache\rmcast.sys
2009-05-18 22:14 . 2008-04-11 19:04 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-05-18 22:14 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-05-18 22:14 . 2008-05-01 14:33 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-05-18 22:12 . 2008-10-15 16:34 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-05-18 22:12 . 2008-10-03 10:02 247326 ------w c:\windows\system32\dllcache\strmdll.dll
2009-05-18 22:10 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-18 22:10 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-18 22:01 . 2009-05-24 11:09 -------- d--h--w c:\windows\$hf_mig$
2009-05-18 21:56 . 2009-05-18 21:56 -------- d-----w c:\program files\AVG
2009-05-18 21:56 . 2009-05-24 01:47 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-18 21:47 . 2008-04-14 00:11 21504 ----a-w c:\windows\system32\hidserv.dll
2009-05-18 21:47 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-05-18 21:47 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\dllcache\mouhid.sys
2009-05-18 21:47 . 2008-04-13 18:39 14592 ----a-w c:\windows\system32\drivers\kbdhid.sys
2009-05-16 21:04 . 2009-05-24 03:08 -------- d-----w c:\windows\peernet
2009-05-16 21:04 . 2009-05-16 21:04 -------- d-----w c:\windows\provisioning
2009-05-16 21:00 . 2009-05-24 03:10 -------- d-----w c:\windows\ServicePackFiles
2009-05-16 20:52 . 2007-08-11 00:46 26488 ----a-w c:\windows\system32\spupdsvc.exe
2009-05-16 20:48 . 2009-05-24 02:31 -------- d-----w c:\windows\EHome
2009-05-16 20:41 . 2009-05-16 20:45 -------- d-----w c:\documents and settings\Owner\Application Data\Creative
2009-05-16 20:41 . 2009-05-16 20:41 -------- d-----w c:\documents and settings\All Users\Application Data\Creative
2009-05-16 20:36 . 2006-10-06 06:17 53248 ------w c:\windows\Ctregrun.exe
2009-05-16 20:34 . 1999-12-12 17:01 44032 ------w c:\windows\system32\CTSVCCDA.EXE
2009-05-16 20:34 . 1999-11-17 17:00 25088 ------w c:\windows\system32\CTSVCCTL.EXE
2009-05-16 20:34 . 2009-05-16 20:34 -------- d-----w c:\program files\Common Files\Creative
2009-05-16 20:34 . 2009-05-16 20:34 -------- d--h--w c:\program files\Creative Installation Information
2009-05-16 20:33 . 2000-05-11 05:00 90112 ------w c:\windows\Updreg.EXE
2009-05-16 20:30 . 2009-05-16 20:36 -------- d-----w c:\program files\Creative
2009-05-16 20:21 . 2009-05-16 20:21 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-16 20:05 . 2009-05-16 20:05 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-16 19:57 . 2009-05-16 19:57 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-05-16 18:23 . 2009-05-16 18:23 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-16 17:22 . 2009-05-16 17:22 241664 ----a-w c:\windows\system32\bcnet32.dll
2009-05-04 12:53 . 2009-05-04 12:53 69632 --sha-w c:\windows\system32\mshlp.dll

pipnik
Novice
Novice

Posts Posts : 21
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 27595
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by pipnik on 29th May 2009, 11:19 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 00:15 . 2001-11-15 15:19 -------- d-----w c:\program files\Common Files\Adobe
2009-05-24 03:22 . 2001-11-06 21:34 86691 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-05-24 03:18 . 2009-05-24 03:18 49152 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHI18N.dll
2009-05-24 03:18 . 2009-05-24 03:18 77824 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\WinVerifyTrust.dll
2009-05-24 03:18 . 2009-05-24 03:18 126976 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\ContentUpdater.exe
2009-05-24 03:18 . 2009-05-24 03:18 122880 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\SearchCtrl.dll
2009-05-24 03:17 . 2009-05-24 03:17 420432 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchplugin.zip
2009-05-24 03:17 . 2009-05-24 03:17 155648 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHButton.exe
2009-05-24 03:17 . 2009-05-24 03:17 731136 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\motdeusr.zip
2009-05-24 03:17 . 2009-05-24 03:17 106496 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PluginCtrl.dll
2009-05-24 01:14 . 2009-03-06 23:29 -------- d-----w c:\program files\Oberon Media
2009-05-23 13:30 . 2001-11-15 15:21 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-23 13:30 . 2009-01-09 02:03 -------- d-----w c:\program files\iWin.com Games
2009-05-23 13:29 . 2009-01-09 12:16 -------- d-----w c:\program files\iWin.com
2009-05-23 13:29 . 2009-01-09 02:06 -------- d-----w c:\documents and settings\All Users\Application Data\iWin Games
2009-05-23 13:29 . 2009-04-08 22:53 -------- d-----w c:\program files\Charter Music
2009-05-16 21:21 . 2007-06-02 19:34 -------- d-----w c:\program files\lx_cats
2009-05-16 21:20 . 2002-01-31 02:08 93184 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 20:29 . 2001-11-15 15:19 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-16 19:47 . 2009-03-13 00:59 -------- d-----w c:\program files\Common Files\AOL
2009-05-16 19:42 . 2009-03-13 01:00 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-05-16 19:42 . 2009-03-13 01:04 -------- d-----w c:\documents and settings\Owner\Application Data\AOL
2009-04-30 23:48 . 2009-01-09 12:17 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-18 04:34 . 2009-04-08 23:08 -------- d-----w c:\documents and settings\Owner\Application Data\Charter Music
2009-03-13 00:59 . 2009-03-13 00:59 57344 ----a-w c:\documents and settings\All Users\Application Data\AOL Downloads\kw_setupSTUS\comps\ocp\ocpchk.dll
2009-03-13 00:59 . 2009-03-13 00:59 748608 ----a-w c:\documents and settings\All Users\Application Data\AOL Downloads\kw_setupSTUS\comps\ocp\ocpinst.exe
2009-03-13 00:59 . 2009-03-13 00:58 3183256 ----a-w c:\documents and settings\All Users\Application Data\AOL Downloads\kw_setupSTUS\comps\acs\acssetup.exe
2009-03-06 14:22 . 2001-08-18 05:36 284160 ----a-w c:\windows\system32\pdh.dll
2001-07-26 20:58 . 2000-01-11 16:50 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 16:46 . 2001-07-20 14:48 8116 ----a-w c:\program files\OSLO3071b2.USB
2001-05-08 20:36 . 2000-12-05 19:56 114688 ----a-w c:\program files\lxarscan.dll
2001-04-23 18:22 . 2100-02-08 19:53 1437 ----a-w c:\program files\gtx73.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-24 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-24 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2005-05-03 64512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-24 01:48 11952 ----a-w c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\mshlp.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 6.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 6.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 6.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ExpressPLNRnote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ExpressPLNRnote.lnk
backup=c:\windows\pss\ExpressPLNRnote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=c:\windows\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=c:\windows\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Deer Hunter 2005 Registration.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Deer Hunter 2005 Registration.lnk
backup=c:\windows\pss\Deer Hunter 2005 Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\drivers\avgldx86.sys [5/23/2009 9:47 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\drivers\avgtdix.sys [5/23/2009 9:48 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2009 9:47 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 9:47 PM 298776]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S4 MSHLP;MSHLP;\??\c:\windows\System32\mssys.sys --> c:\windows\System32\mssys.sys [?]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add A Page Note
IE: Bookmark This Page
IE: Email This Link
IE: Save with Download Manager... - [You must be registered and logged in to see this link.] files\Charter Music\DMDownload.htm
IE: Search using CommonName
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hkuy0716.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
.
------- File Associations -------
.
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-29 19:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\drivers\KodakCCS.exe
c:\windows\SYSTEM32\lxcrcoms.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\rundll32.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-29 19:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-29 23:15

Pre-Run: 14,622,318,592 bytes free
Post-Run: 14,724,009,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn

310 --- E O F --- 2009-05-24 22:32

pipnik
Novice
Novice

Posts Posts : 21
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 27595
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by Belahzur on 30th May 2009, 12:24 am

Hello.
Origin is away, so I am stepping in for him.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
MSHLP

File::
c:\windows\SYSTEM32\mshlp.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

DDS::
uSearchURL,(Default) = [You must be registered and logged in to see this link.]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by pipnik on 30th May 2009, 3:22 pm

Thanks again!! Not sure if I am to post this, but just in case, here it is...

ComboFix 09-05-29.01 - Owner 05/30/2009 11:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.67 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\SYSTEM32\mshlp.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\mshlp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSHLP
-------\Service_MSHLP


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2100-02-23 18:35 . 2001-02-22 13:54 768 ----a-w c:\program files\x73_lut.dat
2100-02-08 20:03 . 2001-05-11 15:39 53248 ----a-w c:\program files\ACMonitor_X73.exe
2009-05-25 00:17 . 2009-05-25 00:17 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-24 23:37 . 2009-05-25 00:16 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2009-05-24 23:21 . 2009-05-24 23:21 -------- d-----w c:\program files\JavaFX
2009-05-24 23:18 . 2009-05-24 23:18 -------- d-----w c:\program files\Sun
2009-05-24 23:17 . 2009-05-24 23:17 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-24 23:08 . 2009-05-24 23:17 -------- d-----w c:\program files\Java
2009-05-24 22:53 . 2009-05-24 22:53 -------- d-----w c:\program files\Trend Micro
2009-05-24 07:12 . 2009-05-24 01:47 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-24 07:12 . 2009-05-24 01:47 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-24 07:11 . 2009-05-24 01:47 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-24 03:08 . 2009-05-24 03:08 -------- d-----w c:\windows\system32\scripting
2009-05-24 03:08 . 2009-05-24 03:08 -------- d-----w c:\windows\l2schemas
2009-05-24 03:08 . 2009-05-24 03:08 -------- d-----w c:\windows\system32\en
2009-05-24 01:53 . 2009-05-24 01:53 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-05-24 01:48 . 2009-05-24 01:48 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-24 01:48 . 2009-05-24 01:48 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-24 01:47 . 2009-05-24 01:47 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-24 01:47 . 2009-05-24 01:47 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-24 01:47 . 2009-05-30 14:53 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-24 01:47 . 2009-05-24 01:47 -------- d-----w c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-05-24 01:31 . 2009-05-24 01:31 -------- d-s---w c:\documents and settings\Administrator\UserData
2009-05-24 01:31 . 2009-05-24 01:31 93184 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-23 13:50 . 2009-05-23 13:50 117760 ----a-w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-23 13:49 . 2009-05-23 13:49 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-23 13:44 . 2009-05-24 07:16 117760 ----a-w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-23 13:43 . 2009-05-23 13:43 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-23 13:43 . 2009-05-23 13:43 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-23 13:43 . 2009-05-23 13:43 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-05-23 13:27 . 2009-05-23 13:27 -------- d-----w c:\program files\CCleaner
2009-05-23 13:24 . 2009-05-23 13:24 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-22 22:33 . 2009-05-23 13:33 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 22:33 . 2009-05-22 22:53 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-22 00:48 . 2009-05-22 00:48 -------- d-----w c:\documents and settings\Administrator\Application Data\IObit
2009-05-22 00:48 . 2009-05-22 00:48 -------- d-----w c:\program files\IObit
2009-05-21 23:47 . 2009-05-21 23:47 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-20 00:12 . 2009-05-20 00:12 -------- d-----w c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-05-18 23:29 . 2008-04-14 00:12 28672 ------w c:\windows\system32\verclsid.exe
2009-05-18 23:29 . 2008-04-14 00:12 208896 ------w c:\windows\system32\dllcache\unregmp2.exe
2009-05-18 23:29 . 2008-04-14 00:12 53248 ------w c:\windows\system32\tsgqec.dll
2009-05-18 23:29 . 2008-04-14 00:12 50688 ------w c:\windows\system32\tspkg.dll
2009-05-18 23:28 . 2008-04-14 00:12 152064 ------w c:\windows\system32\dllcache\shmedia.dll
2009-05-18 23:28 . 2008-04-13 18:40 10240 ------w c:\windows\system32\drivers\sffp_mmc.sys
2009-05-18 23:28 . 2008-04-14 00:12 774144 ------w c:\windows\system32\dllcache\setup_wm.exe
2009-05-18 23:28 . 2008-04-14 00:12 32768 ------w c:\windows\system32\setupn.exe
2009-05-18 23:28 . 2008-04-14 00:12 290304 ------w c:\windows\system32\rhttpaa.dll
2009-05-18 23:28 . 2008-04-14 00:12 61952 ------w c:\windows\system32\rasqec.dll
2009-05-18 23:28 . 2008-04-14 00:12 76800 ------w c:\windows\system32\qutil.dll
2009-05-18 23:28 . 2008-04-14 00:12 62464 ------w c:\windows\system32\qcliprov.dll
2009-05-18 23:28 . 2008-04-14 00:12 291328 ------w c:\windows\system32\qagentrt.dll
2009-05-18 23:28 . 2008-04-14 00:12 150528 ------w c:\windows\system32\qagent.dll
2009-05-18 23:27 . 2008-04-14 00:12 412160 ------w c:\windows\system32\photometadatahandler.dll
2009-05-18 23:27 . 2008-04-14 00:12 144384 ------w c:\windows\system32\onex.dll
2009-05-18 23:25 . 2008-04-14 00:10 4126 ------w c:\windows\system32\dllcache\msdxmlc.dll
2009-05-18 23:25 . 2008-04-14 00:12 4639 ------w c:\windows\system32\dllcache\mplayer2.exe
2009-05-18 23:25 . 2008-04-14 00:12 123392 ------w c:\windows\system32\dllcache\mplay32.exe
2009-05-18 23:25 . 2008-04-14 00:11 368640 ------w c:\windows\system32\dllcache\mpvis.dll
2009-05-18 23:25 . 2008-04-14 00:11 240640 ------w c:\windows\system32\dllcache\mpg4dmod.dll
2009-05-18 23:25 . 2008-04-14 00:11 384512 ------w c:\windows\system32\dllcache\mp4sdmod.dll
2009-05-18 23:25 . 2008-04-14 00:11 310272 ------w c:\windows\system32\dllcache\mp43dmod.dll
2009-05-18 23:25 . 2008-04-14 00:12 33792 ------w c:\windows\system32\mmcperf.exe
2009-05-18 23:25 . 2008-04-14 00:11 397312 ------w c:\windows\system32\mmcex.dll
2009-05-18 23:25 . 2008-04-14 00:11 184320 ------w c:\windows\system32\microsoft.managementconsole.dll
2009-05-18 23:25 . 2008-04-14 00:11 106496 ------w c:\windows\system32\mmcfxcommon.dll
2009-05-18 23:25 . 2008-04-14 00:12 786432 ------w c:\windows\system32\dllcache\migrate.exe
2009-05-18 23:24 . 2008-04-14 00:11 37376 ------w c:\windows\system32\l2gpstore.dll
2009-05-18 23:24 . 2008-04-14 00:11 61440 ------w c:\windows\system32\kmsvc.dll
2009-05-18 23:24 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdpash.dll
2009-05-18 23:24 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdnepr.dll
2009-05-18 23:24 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdiultn.dll
2009-05-18 23:24 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdbhc.dll
2009-05-18 23:22 . 2008-04-14 00:12 294912 ------w c:\windows\system32\dllcache\dlimport.exe
2009-05-18 23:22 . 2008-04-14 00:11 39936 ------w c:\windows\system32\dimsroam.dll
2009-05-18 23:22 . 2008-04-14 00:11 19456 ------w c:\windows\system32\dimsntfy.dll
2009-05-18 23:22 . 2008-04-14 00:11 48640 ------w c:\windows\system32\dhcpqec.dll
2009-05-18 23:22 . 2008-04-14 00:11 33792 ------w c:\windows\system32\dllcache\custsat.dll
2009-05-18 23:22 . 2008-04-14 00:11 12800 ------w c:\windows\system32\credssp.dll
2009-05-18 23:22 . 2008-04-14 00:11 7168 ------w c:\windows\system32\bitsprx4.dll
2009-05-18 23:22 . 2008-04-14 00:11 233472 ------w c:\windows\system32\azroles.dll
2009-05-18 23:22 . 2008-04-13 17:23 8192 ------w c:\windows\system32\dllcache\asferror.dll
2009-05-18 23:21 . 2008-04-14 00:11 136192 ------w c:\windows\system32\aaclient.dll
2009-05-18 22:21 . 2009-05-24 16:46 -------- d--h--w C:\$AVG8.VAULT$
2009-05-18 22:16 . 2008-06-13 11:05 272128 ------w c:\windows\system32\dllcache\bthport.sys
2009-05-18 22:14 . 2008-05-08 14:02 203136 ------w c:\windows\system32\dllcache\rmcast.sys
2009-05-18 22:14 . 2008-04-11 19:04 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-05-18 22:14 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-05-18 22:14 . 2008-05-01 14:33 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-05-18 22:12 . 2008-10-15 16:34 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-05-18 22:12 . 2008-10-03 10:02 247326 ------w c:\windows\system32\dllcache\strmdll.dll
2009-05-18 22:10 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-18 22:10 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-18 22:01 . 2009-05-24 11:09 -------- d--h--w c:\windows\$hf_mig$
2009-05-18 21:56 . 2009-05-18 21:56 -------- d-----w c:\program files\AVG
2009-05-18 21:56 . 2009-05-24 01:47 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-18 21:47 . 2008-04-14 00:11 21504 ----a-w c:\windows\system32\hidserv.dll
2009-05-18 21:47 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-05-18 21:47 . 2001-08-17 17:48 12160 ----a-w c:\windows\system32\dllcache\mouhid.sys
2009-05-18 21:47 . 2008-04-13 18:39 14592 ----a-w c:\windows\system32\drivers\kbdhid.sys
2009-05-16 21:04 . 2009-05-24 03:08 -------- d-----w c:\windows\peernet
2009-05-16 21:04 . 2009-05-16 21:04 -------- d-----w c:\windows\provisioning
2009-05-16 21:00 . 2009-05-24 03:10 -------- d-----w c:\windows\ServicePackFiles
2009-05-16 20:52 . 2007-08-11 00:46 26488 ----a-w c:\windows\system32\spupdsvc.exe
2009-05-16 20:48 . 2009-05-24 02:31 -------- d-----w c:\windows\EHome
2009-05-16 20:41 . 2009-05-16 20:45 -------- d-----w c:\documents and settings\Owner\Application Data\Creative
2009-05-16 20:41 . 2009-05-16 20:41 -------- d-----w c:\documents and settings\All Users\Application Data\Creative
2009-05-16 20:36 . 2006-10-06 06:17 53248 ------w c:\windows\Ctregrun.exe
2009-05-16 20:34 . 1999-12-12 17:01 44032 ------w c:\windows\system32\CTSVCCDA.EXE
2009-05-16 20:34 . 1999-11-17 17:00 25088 ------w c:\windows\system32\CTSVCCTL.EXE
2009-05-16 20:34 . 2009-05-16 20:34 -------- d-----w c:\program files\Common Files\Creative
2009-05-16 20:34 . 2009-05-16 20:34 -------- d--h--w c:\program files\Creative Installation Information
2009-05-16 20:33 . 2000-05-11 05:00 90112 ------w c:\windows\Updreg.EXE
2009-05-16 20:30 . 2009-05-16 20:36 -------- d-----w c:\program files\Creative
2009-05-16 20:21 . 2009-05-16 20:21 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-16 20:05 . 2009-05-16 20:05 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-16 19:57 . 2009-05-16 19:57 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-05-16 18:23 . 2009-05-16 18:23 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-16 17:22 . 2009-05-16 17:22 241664 ----a-w c:\windows\system32\bcnet32.dll

pipnik
Novice
Novice

Posts Posts : 21
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 27595
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by pipnik on 30th May 2009, 3:22 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 00:15 . 2001-11-15 15:19 -------- d-----w c:\program files\Common Files\Adobe
2009-05-24 03:22 . 2001-11-06 21:34 86691 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-05-24 03:18 . 2009-05-24 03:18 49152 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHI18N.dll
2009-05-24 03:18 . 2009-05-24 03:18 77824 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\WinVerifyTrust.dll
2009-05-24 03:18 . 2009-05-24 03:18 126976 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\ContentUpdater.exe
2009-05-24 03:18 . 2009-05-24 03:18 122880 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\SearchCtrl.dll
2009-05-24 03:17 . 2009-05-24 03:17 420432 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchplugin.zip
2009-05-24 03:17 . 2009-05-24 03:17 155648 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHButton.exe
2009-05-24 03:17 . 2009-05-24 03:17 731136 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\motdeusr.zip
2009-05-24 03:17 . 2009-05-24 03:17 106496 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PluginCtrl.dll
2009-05-24 01:14 . 2009-03-06 23:29 -------- d-----w c:\program files\Oberon Media
2009-05-23 13:30 . 2001-11-15 15:21 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-23 13:30 . 2009-01-09 02:03 -------- d-----w c:\program files\iWin.com Games
2009-05-23 13:29 . 2009-01-09 12:16 -------- d-----w c:\program files\iWin.com
2009-05-23 13:29 . 2009-01-09 02:06 -------- d-----w c:\documents and settings\All Users\Application Data\iWin Games
2009-05-23 13:29 . 2009-04-08 22:53 -------- d-----w c:\program files\Charter Music
2009-05-16 21:21 . 2007-06-02 19:34 -------- d-----w c:\program files\lx_cats
2009-05-16 21:20 . 2002-01-31 02:08 93184 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 20:29 . 2001-11-15 15:19 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-16 19:47 . 2009-03-13 00:59 -------- d-----w c:\program files\Common Files\AOL
2009-05-16 19:42 . 2009-03-13 01:00 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-05-16 19:42 . 2009-03-13 01:04 -------- d-----w c:\documents and settings\Owner\Application Data\AOL
2009-04-30 23:48 . 2009-01-09 12:17 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-18 04:34 . 2009-04-08 23:08 -------- d-----w c:\documents and settings\Owner\Application Data\Charter Music
2009-03-13 00:59 . 2009-03-13 00:59 57344 ----a-w c:\documents and settings\All Users\Application Data\AOL Downloads\kw_setupSTUS\comps\ocp\ocpchk.dll
2009-03-13 00:59 . 2009-03-13 00:59 748608 ----a-w c:\documents and settings\All Users\Application Data\AOL Downloads\kw_setupSTUS\comps\ocp\ocpinst.exe
2009-03-13 00:59 . 2009-03-13 00:58 3183256 ----a-w c:\documents and settings\All Users\Application Data\AOL Downloads\kw_setupSTUS\comps\acs\acssetup.exe
2009-03-06 14:22 . 2001-08-18 05:36 284160 ----a-w c:\windows\system32\pdh.dll
2001-07-26 20:58 . 2000-01-11 16:50 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 16:46 . 2001-07-20 14:48 8116 ----a-w c:\program files\OSLO3071b2.USB
2001-05-08 20:36 . 2000-12-05 19:56 114688 ----a-w c:\program files\lxarscan.dll
2001-04-23 18:22 . 2100-02-08 19:53 1437 ----a-w c:\program files\gtx73.ini
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-30 15:10 . 2009-05-30 15:10 16384 c:\windows\temp\Perflib_Perfdata_10c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-24 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-24 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2005-05-03 64512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-24 01:48 11952 ----a-w c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 6.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 6.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 6.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ExpressPLNRnote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ExpressPLNRnote.lnk
backup=c:\windows\pss\ExpressPLNRnote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=c:\windows\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=c:\windows\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Deer Hunter 2005 Registration.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Deer Hunter 2005 Registration.lnk
backup=c:\windows\pss\Deer Hunter 2005 Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\drivers\avgldx86.sys [5/23/2009 9:47 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\drivers\avgtdix.sys [5/23/2009 9:48 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2009 9:47 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 9:47 PM 298776]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add A Page Note
IE: Bookmark This Page
IE: Email This Link
IE: Save with Download Manager... - [You must be registered and logged in to see this link.] files\Charter Music\DMDownload.htm
IE: Search using CommonName
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hkuy0716.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-30 11:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\drivers\KodakCCS.exe
c:\windows\SYSTEM32\lxcrcoms.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-05-30 11:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-30 15:18
ComboFix2.txt 2009-05-29 23:15

Pre-Run: 14,738,202,624 bytes free
Post-Run: 14,717,857,792 bytes free

287 --- E O F --- 2009-05-24 22:32

pipnik
Novice
Novice

Posts Posts : 21
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 27595
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by Belahzur on 30th May 2009, 4:18 pm

Hello.
A few things left to do now, but were nearly done.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

Next,

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by pipnik on 30th May 2009, 10:37 pm

ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Reader 9.1
Advanced SystemCare 3
AVG Free 8.5
CardRd81
CCHelp
CCleaner (remove only)
CCScore
CR2
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
Deal or No Deal
Detto IntelliMover
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTUTOR
ESSvpaht
ESSvpot
Hallmark Card Studio Express
HijackThis 2.0.2
HLPCCTR
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for Windows XP (KB952287)
hp center
HP Instant Support
HP Learning Adventure
HP RecordNow
Inactive HP Printer Drivers (Remove only)
Java DB 10.4.1.3
Java(TM) 6 Update 13
Java(TM) SE Development Kit 6 Update 13
JavaFX(TM) 1.1 SDK
KSU
Lernout & Hauspie TruVoice American English TTS Engine
Lexmark 2400 Series
Lexmark Fax Solutions
Lexmark Toolbar
MGI PhotoSuite 8.1 (Remove Only)
Microsoft .NET Framework 2.0
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
Microsoft XML Parser and SDK
Monster Buck Pack
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB954430)
MUSICMATCH Jukebox
My Photo Center
Notifier
NVIDIA Windows 2000/XP Display Drivers
OTtBP
OTtBPSDK
PCDLNCH
Photo Explosion Special Edition
Physician's Home Assistant 1.8
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicken Financial Center
QuickTime
RealPlayer Basic
S3 Gamma
S3 Savage4 Family Display Switch2 Utility
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
SFR
SFR2
Sound Blaster Audigy
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Tcl 8.0.5 for Windows
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VCAMCEN
Viewpoint Media Player
VPRINTOL
WildTangent Channel Manager
Windows Media Format Runtime
Windows XP Service Pack 3
WordPerfect Office 2002 Try Before You Buy
WordPerfect Office 2002 Try Before You Buy

pipnik
Novice
Novice

Posts Posts : 21
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 27595
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by Belahzur on 30th May 2009, 10:47 pm

Hello.
Do you play games on this machine? I ask because this machine has iWin installed, along with WildTangent.

Please read here for more information about [You must be registered and logged in to see this link.] and [You must be registered and logged in to see this link.]. Your choice if you want to remove it or not.

If you choose to follow my advice, please follow these instructions.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Viewpoint Media Player
  • WildTangent Channel Manager


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by pipnik on 6th June 2009, 12:22 am

Thanks for your help. this isn't my computer, I think it is just used for games and trivial things, but I am going to uninstall!
Thanks again!

pipnik
Novice
Novice

Posts Posts : 21
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 27595
# Likes # Likes : 0

View user profile

Back to top Go down

Re: userinit.exe Trogjan horse sheur2.acax

Post by Origin on 6th June 2009, 12:36 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum