Malware Problems - possible smitfraud

Looks like it still didn't fix the file. Is there a way to fix this?

ComboFix 09-04-19.01 - Owner 04/18/2009 18:02.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1581 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090418-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-30 21:04 . 2009-04-13 02:25 -------- d-----w c:\program files\Perpetuum
2009-04-28 22:56 . 2009-04-28 22:56 -------- d-----w C:\Turok-Dinosaur Hunter
2009-04-28 19:10 . 2009-04-29 11:11 -------- d-----w C:\Jim's Big Ego
2009-04-28 19:08 . 2009-04-29 06:43 -------- d-----w C:\Da Vinci's Notebook
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\windows\system32\AGEIA
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\program files\AGEIA Technologies
2009-04-25 02:19 . 2009-02-18 18:44 212711 ----a-w c:\windows\system32\nvapps.nvb
2009-04-25 02:18 . 2009-04-25 02:18 -------- d-----w C:\NVIDIA
2009-04-24 21:58 . 2008-07-21 02:55 241719 ----a-w c:\windows\system32\stacsv.exe
2009-04-24 21:58 . 2008-07-21 02:55 2314240 ----a-w c:\windows\system32\stlang.dll
2009-04-24 21:58 . 2008-07-21 02:55 8101951 ----a-w c:\windows\system32\idtsg.cpl
2009-04-24 21:58 . 2008-07-21 02:55 462913 ----a-w c:\windows\sttray.exe
2009-04-24 21:58 . 2008-07-21 02:55 442439 ----a-w c:\windows\system32\stacapi.dll
2009-04-24 21:58 . 2008-07-21 02:55 150016 ----a-w c:\windows\system32\staco.dll
2009-04-24 21:58 . 2008-07-21 02:55 1292888 ----a-w c:\windows\system32\drivers\sthda.sys
2009-04-24 21:57 . 2009-04-24 21:58 -------- d-----w c:\program files\IDT
2009-04-24 21:57 . 2008-08-07 11:14 111360 ----a-r c:\windows\system32\drivers\Rtenicxp.sys
2009-04-24 21:57 . 2008-08-07 03:38 9728 ----a-r c:\windows\system32\RtNicProp32.dll
2009-04-24 21:52 . 2009-04-25 02:21 -------- d-----w c:\windows\nview
2009-04-24 21:47 . 2007-10-12 01:40 9096 ----a-r c:\windows\system32\drivers\amdide.sys
2009-04-24 21:46 . 2009-04-24 21:46 -------- d-----w c:\windows\system32\Tools
2009-04-24 21:45 . 2006-12-26 12:31 4864 ----a-r c:\windows\system32\drivers\PortIo.sys
2009-04-17 00:02 . 2009-04-17 00:02 -------- d-s---w c:\documents and settings\Owner\UserData
2009-04-16 03:07 . 2009-04-16 03:07 325 ----a-w c:\windows\wininit.ini
2009-04-16 02:04 . 2009-04-16 02:04 -------- d-----w c:\program files\Trend Micro
2009-04-16 02:03 . 2009-04-16 22:48 -------- d-----w c:\program files\ERUNT
2009-04-16 00:33 . 2009-04-16 00:33 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\{FAC88654-A131-4D8F-9250-3BF4B5675C5E}
2009-04-16 00:27 . 2004-08-04 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-15 22:24 . 2009-04-15 22:24 2 ----a-w C:\-200243611
2009-04-14 03:01 . 2009-04-14 03:03 -------- d-----w c:\program files\AIM6
2009-04-12 04:52 . 2009-04-13 23:57 -------- d-----w c:\documents and settings\Owner\Application Data\IObit
2009-04-12 04:52 . 2009-04-12 15:53 -------- d-----w c:\program files\IObit
2009-04-09 05:16 . 2009-04-09 09:15 -------- d-----w C:\Jonathan_Coulton_Complete_Discography_192kbps
2009-04-04 20:21 . 2009-04-04 20:21 -------- d-----w c:\program files\Bethesda Softworks
2009-04-04 06:33 . 2009-04-04 06:33 -------- d-----w c:\program files\Common Files\DirectX
2009-04-02 21:42 . 2009-04-04 06:32 -------- d-----w c:\program files\Garena
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w C:\VertigoGames
2009-04-01 06:01 . 2009-04-01 06:26 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-01 05:53 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-01 05:53 . 2008-06-13 13:10 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-01 05:50 . 2008-08-14 10:00 2180352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-01 05:50 . 2008-08-14 09:58 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-01 05:43 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-01 05:35 . 2009-04-01 08:05 -------- d--h--w c:\windows\$hf_mig$
2009-03-20 22:25 . 2009-03-20 22:25 41808 ----a-w c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 21:25 . 2009-02-19 00:08 -------- d-----w c:\program files\Last.fm
2009-04-29 22:23 . 2009-01-18 20:51 -------- d-----w c:\documents and settings\Owner\Application Data\Winamp
2009-04-29 01:36 . 2009-02-21 07:16 -------- d-----w c:\program files\Warcraft III
2009-04-29 00:31 . 2009-02-21 07:18 77589 ----a-w c:\windows\War3Unin.dat
2009-04-28 21:11 . 2008-10-03 04:01 -------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2009-04-28 21:11 . 2008-10-03 04:01 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-04-25 02:19 . 2008-01-06 17:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-04-24 21:57 . 2008-01-02 23:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 21:40 . 2008-01-04 01:15 -------- d-----w c:\documents and settings\Owner\Application Data\Launchy
2009-04-18 21:21 . 2008-03-07 04:10 -------- d-----w c:\program files\Steam
2009-04-18 18:19 . 2008-03-28 01:17 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-17 04:37 . 2008-02-02 03:10 -------- d-----w c:\program files\PowerISO
2009-04-16 22:49 . 2008-10-15 01:39 -------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-04-16 02:46 . 2008-01-02 23:52 -------- d-----w c:\program files\Realtek AC97
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 01:55 . 2009-01-18 20:51 -------- d-----w c:\program files\Winamp
2009-04-16 00:35 . 2008-01-04 01:28 -------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-04-14 03:03 . 2008-01-20 04:20 2588 ---ha-w C:\IPH.PH
2009-04-14 03:03 . 2008-01-18 03:46 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-12 20:48 . 2008-01-04 01:28 -------- d-----w c:\program files\Xfire
2009-04-10 23:25 . 2008-09-12 02:50 -------- d-----w c:\program files\Atari
2009-04-04 19:22 . 2008-12-17 06:08 -------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2009-04-04 18:38 . 2008-12-17 06:08 -------- d-----w c:\program files\mIRC
2009-02-24 05:58 . 2008-04-18 01:02 -------- d-----w c:\program files\QuickTime
2009-02-21 07:24 . 2009-02-21 07:18 2829 ----a-w c:\windows\War3Unin.pif
2009-02-19 19:53 . 2009-02-19 19:53 -------- d-----w c:\program files\Common Files\INCA Shared
2009-02-19 00:09 . 2009-02-19 00:09 -------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2009-02-17 03:17 . 2008-01-02 23:49 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2008-10-20 23:21 . 2008-01-05 18:33 24880 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-01 11:15 . 2008-08-01 11:15 74864 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

------- Sigcheck -------

[-] 2008-04-14 00:12 34304 F659C9716309655AB68765743664E36B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2004-08-04 12:00 34304 F325E0DE4F224CD049D6C75BC620B04F c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00 34304 178EDD883A1119F776C54B7484F7CCD1 c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-14 00:12 527872 876AF0F5AFDB8CC2C6E8CCF16BE3C234 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2008-01-02 23:46 502272 6225F14B8CE08CCBA8B25AD27843C674 c:\windows\system32\winlogon.exe

[-] 2004-08-04 12:00 1052160 4CFCEB7A1641ED7D3E6F9D55690BE1A9 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1053696 A8EA2ABBE4F64C4C7E15E34CD95EC002 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 12:00 1052160 2F9CE7162DCAC8A0B66CDB3ADDD4825F c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 00:12 35328 2C2D86746C81F82DE35E639B43DF591B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2004-08-04 12:00 35328 6D66A0810B4D0947A187799C618F0A0F c:\windows\system32\ctfmon.exe
[-] 2004-08-04 12:00 35328 135DEA5036F9EBA19FD4E5619CCC73B2 c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-14 00:12 77824 6D6FA43A4765DDA269DFD174A7E5235D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2004-08-04 12:00 77824 6B6E8B138E4A8E91CE8D6404042D7E8D c:\windows\system32\spoolsv.exe
[-] 2004-08-04 12:00 77824 B978FB23FA8E0673D06A8C07166BC7DF c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-04-14 00:12 46080 AFE92A5AEC531E32BCA0FC21BF7AC1B5 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-04 12:00 44544 17EE0D9D476DE54BDAA82C40B65A4340 c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00 44544 4F5F151B939E02F5312934B9EFE8947D c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-18_19.05.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 20:57 . 2009-04-18 20:57 16384 c:\windows\temp\Perflib_Perfdata_5c8.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 59904 c:\windows\system32\dllcache\cmmon32.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 67072 c:\windows\system32\dllcache\cmdl32.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 53248 c:\windows\system32\dllcache\clipsrv.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 83968 c:\windows\system32\dllcache\cleanmgr.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 27648 c:\windows\system32\dllcache\ckcnv.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 25600 c:\windows\system32\dllcache\cisvc.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 28160 c:\windows\system32\dllcache\cidaemon.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 62543 c:\windows\system32\dllcache\chkrzm.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 31232 c:\windows\system32\dllcache\chkntfs.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 31744 c:\windows\system32\dllcache\chkdsk.exe
+ 2008-01-02 23:42 . 2004-08-04 12:00 34304 c:\windows\system32\dllcache\chgusr.exe
+ 2008-01-02 23:42 . 2004-08-04 12:00 35840 c:\windows\system32\dllcache\chgport.exe
+ 2008-01-02 23:42 . 2004-08-04 12:00 33280 c:\windows\system32\dllcache\chglogon.exe
+ 2008-01-02 23:42 . 2004-08-04 12:00 29696 c:\windows\system32\dllcache\change.exe
+ 2008-01-02 23:40 . 2004-08-04 12:00 32768 c:\windows\system32\dllcache\cb32.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 38400 c:\windows\system32\dllcache\cacls.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 25088 c:\windows\system32\dllcache\bootvrfy.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 24576 c:\windows\system32\dllcache\bootok.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 91648 c:\windows\system32\dllcache\blastcln.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 62545 c:\windows\system32\dllcache\bckgzm.exe
+ 2008-01-02 23:42 . 2003-03-24 21:52 36919 c:\windows\system32\dllcache\author.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 34304 c:\windows\system32\dllcache\auditusr.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 31232 c:\windows\system32\dllcache\attrib.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 31232 c:\windows\system32\dllcache\atmadm.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 45056 c:\windows\system32\dllcache\at.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 39424 c:\windows\system32\dllcache\arp.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 64512 c:\windows\system32\dllcache\alg.exe
+ 2008-01-02 23:42 . 2003-03-24 21:52 36919 c:\windows\system32\dllcache\admin.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 24064 c:\windows\system32\dllcache\actmovie.exe
- 2009-04-16 00:26 . 2009-04-18 18:57 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-16 00:26 . 2009-04-18 20:57 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-16 00:26 . 2009-04-18 18:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-16 00:26 . 2009-04-18 20:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-12 05:01 . 2004-08-04 12:00 97280 c:\windows\$MSI31Uninstall_KB893803v2$\msiexec.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 408576 c:\windows\system32\dllcache\cmd.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 122880 c:\windows\system32\dllcache\clipbrd.exe
+ 2008-01-02 23:42 . 2004-08-04 12:00 500224 c:\windows\system32\dllcache\cintsetp.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 100352 c:\windows\system32\dllcache\charmap.exe
+ 2008-01-02 23:42 . 2003-03-24 21:52 208960 c:\windows\system32\dllcache\cfgwiz.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 134656 c:\windows\system32\dllcache\calc.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 118272 c:\windows\system32\dllcache\ahui.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 276480 c:\windows\system32\dllcache\agentsvr.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 203776 c:\windows\system32\dllcache\accwiz.exe
- 2009-04-16 00:26 . 2009-04-18 18:57 229376 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-16 00:26 . 2009-04-18 20:57 229376 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5BF49A0-94F3-42BD-F434-3604812C8955}]
2009-04-18 22:07 15000 ----a-w c:\windows\system32\zfgh83jg3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Gaming Mouse"="c:\program files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe" [2006-12-01 839680]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-21 462913]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"<NO NAME>"="c:\windows\TEMP\lehas.exe" [2009-04-18 15001]
"Windows Resurections"="c:\windows\TEMP\lehas.exe" [2009-04-18 15001]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-1-3 294912]
Reboot.exe [2006-12-29 429056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{D5BF49A0-94F3-42BD-F434-3604812C8955}"= "c:\windows\system32\zfgh83jg3.dll" [2009-04-18 15000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 17:10 18744 ----a-w c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli idashemg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Black Isle\\Baldur's Gate\\BGMain2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\day of defeat source\\hl2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\opposing force\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life blue shift\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\dystopia\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6113:TCP"= 6113:TCP:War3

S1 aswSP;avast! Self Protection; [x]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22229d0c-2c47-11de-ba43-002197d3ca05}]
\shell\autorun\command - F:\RUNDLL32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff94b590-b958-11dc-b694-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2009-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-28 22:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6mtgxo9p.default\
FF - prefs.js: browser.startup.homepage - www.left4dead411.com
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 18:06
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

? [28164]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\PCANotify.dll

- - - - - - - > 'explorer.exe'(159236)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\zfgh83jg3.dll
.
Completion time: 2009-04-18 18:08
ComboFix-quarantined-files.txt 2009-04-18 22:08
ComboFix2.txt 2009-04-18 21:04
ComboFix3.txt 2009-04-18 19:06

Pre-Run: 15,372,091,392 bytes free
Post-Run: 15,361,716,224 bytes free

341 --- E O F --- 2009-04-01 08:05
 
We have more to do, but let's look at this issue first. Please make sure you can view all files and folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

Now navigate to that file: c:\windows\system32\userinit.exe
and scan it with one of these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

post the results of that scan.

Please use Search Companion: Start > Search > All Files and Folders > Search for userinit.exe
Tell me about any locations that search reports.

Do you have a friend with the same Operating System:
Microsoft Windows XP Home Edition
who could make a copy on a floppy or clean USB device?

I am showing 28.0 KB (28,672 bytes), but my computer is Windows XP Pro, so it likely is not the same exact file.

In case I have not mentioned it, a reformat of the hard drive and a new install of the operating system will also fix your problems.
 
It seems that all of the links you provided to free scanners are broken.

But I do know someone (with the same OS) who can make a clean copy of the userinit.exe file onto a zip drive. If I replace my userinit.exe file with theirs will it fix this?
 
I also searched for the userinit.exe file with the search companion and came up with these results:

userinit C:\WINDOWS\system32

userinit C:\WINDOWS\SoftwareDistribution\e9500597a78495f397efb821e37bf356
 
First, let me assure you there is nothing wrong with the links I provided; the problem is your computer. To be sure you understand, I wish to be positive the userinit.exe file is infected before we replace it. Right now I am 99.9% sure it is.

Perhaps you should understand what that file does on the computer; have a look here:
http://technet.microsoft.com/en-us/library/cc939862.aspx
and this Google search: http://www.google.com/search?hl=en&q=userinit.exe+&btnG=Search

Now, to be sure: when you click a scan link, say http://virusscan.jotti.org/
(if it will not open, try another browser if you have one),
you will see "File to upload & scan:". You need to click the Browse button and navigate to the actual file here: c:\windows\system32\userinit.exe
and then click the Submit button. Within a few minutes you will have a report I need to see. All three scanners work about the same.
> But I do know someone (with the same OS) who can make a clean copy of the userinit.exe file onto a zip drive. If I replace my userinit.exe file with theirs will it fix this?
First we need to be sure the file on the computer is infected; then you have to be sure it is exactly the same file you have. Then you have to be sure the zip drive the friend is using is NOT infected. Have them insert it and use the antivirus program to scan the drive assigned to the removable media.
Then you can move the infected file on your computer to the Recycle Bin for now (it cannot harm you in the Recycle Bin), then put the new clean file in the same spot (c:\windows\system32, that folder).

I believe you will find the file on the friend's computer should be file version 5.1.2600.5512 > Userinit Logon Application > Microsoft Corporation.

Keep me posted.
 
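Two of the checks the helper asks for in this thread, deciding whether userinit.exe is still the stock file and confirming what the Winlogon "Userinit" value actually loads, can be run offline against the log itself. The Python below is an added example written for this page; it is not a tool from the thread, from ComboFix or from any poster. The Sigcheck and Winlogon lines are copied from the first ComboFix log above, the parser targets that log's line layout, and the expected default Userinit value is an assumption about a stock Windows XP install (c:\windows\system32\userinit.exe, with the trailing comma). It also includes the on-disk hashing a reader would use to compare a friend's copy with the local one before swapping files.

```python
"""Checks against the ComboFix output pasted above (added example, not from the thread)."""
import hashlib
import re
from collections import defaultdict

# Sigcheck lines copied from the first ComboFix log in this thread. "[-]" is
# ComboFix's own marker for a file that failed its signature check.
SIGCHECK_SAMPLE = r"""
[-] 2008-04-14 00:12 46080 AFE92A5AEC531E32BCA0FC21BF7AC1B5 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-04 12:00 44544 17EE0D9D476DE54BDAA82C40B65A4340 c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00 44544 4F5F151B939E02F5312934B9EFE8947D c:\windows\system32\dllcache\userinit.exe
[-] 2004-08-04 12:00 34304 F325E0DE4F224CD049D6C75BC620B04F c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00 34304 178EDD883A1119F776C54B7484F7CCD1 c:\windows\system32\dllcache\svchost.exe
"""

# The Winlogon value exactly as ComboFix printed it under "Reg Loading Points",
# and the value a stock Windows XP install carries (assumption: default incl. comma).
WINLOGON_SAMPLE = r'"Userinit"="c:\windows\explorer.exe,"'
XP_DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

SIG_RE = re.compile(
    r"^\[(.)\]\s+(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+?)\s*$"
)


def parse_sigcheck(text):
    """Turn ComboFix Sigcheck lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if not m:
            continue
        flag, stamp, size, md5, path = m.groups()
        entries.append({
            "failed_sig": flag == "-",
            "stamp": stamp,
            "size": int(size),
            "md5": md5.lower(),
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return entries


def compare_copies(entries):
    """Compare each live system32 binary with its Windows File Protection copy in dllcache.

    On a clean box both copies hash the same. Same size but a different MD5 is the
    shape a binary patched in place leaves; a size change is reported separately.
    """
    by_name = defaultdict(dict)
    for e in entries:
        p = e["path"].lower()
        if "\\system32\\dllcache\\" in p:
            by_name[e["name"]]["dllcache"] = e
        elif "\\system32\\" in p:
            by_name[e["name"]]["live"] = e
    verdicts = {}
    for name, copies in by_name.items():
        live, cache = copies.get("live"), copies.get("dllcache")
        if live is None or cache is None:
            verdicts[name] = "no dllcache copy to compare"
        elif live["md5"] == cache["md5"]:
            verdicts[name] = "matches dllcache"
        elif live["size"] == cache["size"]:
            verdicts[name] = "same size, different md5"
        else:
            verdicts[name] = "size and md5 differ"
    return verdicts


def userinit_value_ok(reg_line):
    """True only if Winlogon's Userinit points at the stock userinit.exe."""
    m = re.search(r'"Userinit"="([^"]*)"', reg_line)
    if not m:
        return False
    return m.group(1).strip().lower() == XP_DEFAULT_USERINIT


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_file(path, chunk=1 << 20):
    """Hash a file on disk in chunks; run it on the friend's copy and the local one."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for name, verdict in compare_copies(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(f"{name}: {verdict}")
    print("Winlogon Userinit is the XP default:", userinit_value_ok(WINLOGON_SAMPLE))
```

A dllcache match is not proof of a clean file: in this log both copies of userinit.exe carry the [-] marker and still differ from each other, so the only trustworthy reference is a copy from a known-clean machine at the same service pack level, compared by hash with md5_file after the removable media has been scanned, which is the order of steps the reply above lays out.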
If the links you provided do in fact work, then it must be the malware preventing me from accessing it. I always get the 'page load error' when I click on any of the three links.
 
ComboFix 09-04-19.01 - Owner 04/22/2009 16:12.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1614 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090422-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\reader_s.exe
c:\program files\ThunMail
c:\program files\ThunMail\testabd.dll
c:\program files\ThunMail\testabd.ex_
c:\windows\IE4 Error Log.txt
c:\windows\system32\6to4v32.dll
c:\windows\system32\at1394.sys
c:\windows\system32\ntos.exe
c:\windows\system32\reader_s.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\temp\1057692733.exe
c:\windows\temp\1147999388.exe
c:\windows\temp\1270228137.exe
c:\windows\temp\1375025589.exe
c:\windows\temp\3631064825.exe
c:\windows\temp\713231475.exe
c:\windows\temp\76845766.exe
c:\windows\temp\836983276.exe

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_AT1394
-------\Service_6to4
-------\Service_at1394
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-30 21:04 . 2009-04-13 02:25 -------- d-----w c:\program files\Perpetuum
2009-04-28 22:56 . 2009-04-28 22:56 -------- d-----w C:\Turok-Dinosaur Hunter
2009-04-28 19:10 . 2009-04-29 11:11 -------- d-----w C:\Jim's Big Ego
2009-04-28 19:08 . 2009-04-29 06:43 -------- d-----w C:\Da Vinci's Notebook
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\windows\system32\AGEIA
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\program files\AGEIA Technologies
2009-04-25 02:19 . 2009-02-18 18:44 212711 ----a-w c:\windows\system32\nvapps.nvb
2009-04-25 02:18 . 2009-04-25 02:18 -------- d-----w C:\NVIDIA
2009-04-24 21:58 . 2008-07-21 02:55 241719 ----a-w c:\windows\system32\stacsv.exe
2009-04-24 21:58 . 2008-07-21 02:55 2314240 ----a-w c:\windows\system32\stlang.dll
2009-04-24 21:58 . 2008-07-21 02:55 8101951 ----a-w c:\windows\system32\idtsg.cpl
2009-04-24 21:58 . 2008-07-21 02:55 462913 ----a-w c:\windows\sttray.exe
2009-04-24 21:58 . 2008-07-21 02:55 442439 ----a-w c:\windows\system32\stacapi.dll
2009-04-24 21:58 . 2008-07-21 02:55 150016 ----a-w c:\windows\system32\staco.dll
2009-04-24 21:58 . 2008-07-21 02:55 1292888 ----a-w c:\windows\system32\drivers\sthda.sys
2009-04-24 21:57 . 2009-04-24 21:58 -------- d-----w c:\program files\IDT
2009-04-24 21:57 . 2008-08-07 11:14 111360 ----a-r c:\windows\system32\drivers\Rtenicxp.sys
2009-04-24 21:57 . 2008-08-07 03:38 9728 ----a-r c:\windows\system32\RtNicProp32.dll
2009-04-24 21:52 . 2009-04-25 02:21 -------- d-----w c:\windows\nview
2009-04-24 21:47 . 2007-10-12 01:40 9096 ----a-r c:\windows\system32\drivers\amdide.sys
2009-04-24 21:46 . 2009-04-24 21:46 -------- d-----w c:\windows\system32\Tools
2009-04-24 21:45 . 2006-12-26 12:31 4864 ----a-r c:\windows\system32\drivers\PortIo.sys
2009-04-22 19:56 . 2009-04-22 19:57 44 ----a-w c:\windows\system32\3.tmp
2009-04-22 01:56 . 2009-04-22 01:56 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-04-21 15:01 . 2009-04-21 15:02 -------- d-----w C:\music
2009-04-21 03:12 . 2009-04-21 03:12 80 ----a-w c:\windows\system32\2.tmp
2009-04-21 03:10 . 2009-04-20 23:24 40960 ----a-w c:\windows\system32\xz.exe
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\61.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\60.tmp
2009-04-18 22:09 . 2009-04-18 22:09 38 ----a-w C:\5F.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\5E.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\5D.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\5C.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\5B.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\5A.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\59.tmp
2009-04-18 22:09 . 2009-04-18 22:09 38 ----a-w C:\58.tmp
2009-04-18 22:09 . 2009-04-18 22:09 52736 ----a-w C:\57.tmp
2009-04-18 22:09 . 2009-04-18 22:09 15000 ----a-w c:\windows\system32\yaubfh983ind.dll
2009-04-18 22:08 . 2009-04-18 22:08 0 ----a-w c:\windows\system32\3F.tmp
2009-04-18 22:07 . 2009-04-18 22:08 84 ----a-w c:\windows\system32\3E.tmp
2009-04-18 22:07 . 2009-04-18 22:07 15000 ----a-w c:\windows\system32\zfgh83jg3.dll
2009-04-17 00:02 . 2009-04-17 00:02 -------- d-s---w c:\documents and settings\Owner\UserData
2009-04-16 03:07 . 2009-04-16 03:07 325 ----a-w c:\windows\wininit.ini
2009-04-16 02:04 . 2009-04-16 02:04 -------- d-----w c:\program files\Trend Micro
2009-04-16 02:03 . 2009-04-16 22:48 -------- d-----w c:\program files\ERUNT
2009-04-16 00:33 . 2009-04-16 00:33 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\{FAC88654-A131-4D8F-9250-3BF4B5675C5E}
2009-04-16 00:27 . 2004-08-04 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-15 22:24 . 2009-04-15 22:24 2 ----a-w C:\-200243611
2009-04-14 03:01 . 2009-04-14 03:03 -------- d-----w c:\program files\AIM6
2009-04-12 04:52 . 2009-04-13 23:57 -------- d-----w c:\documents and settings\Owner\Application Data\IObit
2009-04-12 04:52 . 2009-04-12 15:53 -------- d-----w c:\program files\IObit
2009-04-09 05:16 . 2009-04-09 09:15 -------- d-----w C:\Jonathan_Coulton_Complete_Discography_192kbps
2009-04-04 20:21 . 2009-04-04 20:21 -------- d-----w c:\program files\Bethesda Softworks
2009-04-04 06:33 . 2009-04-04 06:33 -------- d-----w c:\program files\Common Files\DirectX
2009-04-02 21:42 . 2009-04-04 06:32 -------- d-----w c:\program files\Garena
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w C:\VertigoGames
2009-04-01 06:01 . 2009-04-01 06:26 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-01 05:53 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-01 05:53 . 2008-06-13 13:10 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-01 05:50 . 2008-08-14 10:00 2180352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-01 05:50 . 2008-08-14 09:58 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-01 05:43 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-01 05:35 . 2009-04-01 08:05 -------- d--h--w c:\windows\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 21:25 . 2009-02-19 00:08 -------- d-----w c:\program files\Last.fm
2009-04-29 22:23 . 2009-01-18 20:51 -------- d-----w c:\documents and settings\Owner\Application Data\Winamp
2009-04-29 01:36 . 2009-02-21 07:16 -------- d-----w c:\program files\Warcraft III
2009-04-29 00:31 . 2009-02-21 07:18 77589 ----a-w c:\windows\War3Unin.dat
2009-04-28 21:11 . 2008-10-03 04:01 -------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2009-04-28 21:11 . 2008-10-03 04:01 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-04-25 02:19 . 2008-01-06 17:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-04-24 21:57 . 2008-01-02 23:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 21:40 . 2008-01-04 01:15 -------- d-----w c:\documents and settings\Owner\Application Data\Launchy
2009-04-22 03:51 . 2008-03-28 01:17 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-21 13:32 . 2008-03-07 04:10 -------- d-----w c:\program files\Steam
2009-04-18 22:08 . 2004-08-04 12:00 213376 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-18 22:08 . 2008-10-15 01:39 -------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-04-17 04:37 . 2008-02-02 03:10 -------- d-----w c:\program files\PowerISO
2009-04-16 02:46 . 2008-01-02 23:52 -------- d-----w c:\program files\Realtek AC97
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 01:55 . 2009-01-18 20:51 -------- d-----w c:\program files\Winamp
2009-04-16 00:35 . 2008-01-04 01:28 -------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-04-14 03:03 . 2008-01-20 04:20 2588 ---ha-w C:\IPH.PH
2009-04-14 03:03 . 2008-01-18 03:46 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-12 20:48 . 2008-01-04 01:28 -------- d-----w c:\program files\Xfire
2009-04-10 23:25 . 2008-09-12 02:50 -------- d-----w c:\program files\Atari
2009-04-04 19:22 . 2008-12-17 06:08 -------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2009-04-04 18:38 . 2008-12-17 06:08 -------- d-----w c:\program files\mIRC
2009-03-20 22:25 . 2009-03-20 22:25 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-02-24 05:58 . 2008-04-18 01:02 -------- d-----w c:\program files\QuickTime
2009-02-21 07:24 . 2009-02-21 07:18 2829 ----a-w c:\windows\War3Unin.pif
2009-02-17 03:17 . 2008-01-02 23:49 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2008-10-20 23:21 . 2008-01-05 18:33 24880 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-01 11:15 . 2008-08-01 11:15 74864 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

------- Sigcheck -------

[-] 2008-04-14 00:12 34304 F659C9716309655AB68765743664E36B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2004-08-04 12:00 34304 F325E0DE4F224CD049D6C75BC620B04F c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00 34304 178EDD883A1119F776C54B7484F7CCD1 c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-14 00:12 527872 876AF0F5AFDB8CC2C6E8CCF16BE3C234 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2008-01-02 23:46 502272 6225F14B8CE08CCBA8B25AD27843C674 c:\windows\system32\winlogon.exe

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
[-] 2009-04-18 22:08 213376 FF85EBD2AD3679254CF251136C62D764 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-18 22:08 213376 FF85EBD2AD3679254CF251136C62D764 c:\windows\system32\drivers\ndis.sys

[-] 2004-08-04 12:00 1052160 4CFCEB7A1641ED7D3E6F9D55690BE1A9 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1053696 A8EA2ABBE4F64C4C7E15E34CD95EC002 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 12:00 1052160 2F9CE7162DCAC8A0B66CDB3ADDD4825F c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 00:12 35328 2C2D86746C81F82DE35E639B43DF591B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2004-08-04 12:00 35328 6D66A0810B4D0947A187799C618F0A0F c:\windows\system32\ctfmon.exe
[-] 2004-08-04 12:00 35328 135DEA5036F9EBA19FD4E5619CCC73B2 c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-14 00:12 77824 6D6FA43A4765DDA269DFD174A7E5235D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2004-08-04 12:00 77824 6B6E8B138E4A8E91CE8D6404042D7E8D c:\windows\system32\spoolsv.exe
[-] 2004-08-04 12:00 77824 B978FB23FA8E0673D06A8C07166BC7DF c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-04-14 00:12 46080 AFE92A5AEC531E32BCA0FC21BF7AC1B5 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-04 12:00 44544 2105A0CC37871AD13928627E252A5D01 c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00 44544 4F5F151B939E02F5312934B9EFE8947D c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-04-18_22.06.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-22 01:56 . 2009-04-22 02:43 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
+ 2009-04-22 20:01 . 2009-04-22 20:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009042220090423\index.dat
+ 2009-04-21 04:06 . 2009-04-22 02:43 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009042120090422\index.dat
+ 2009-04-21 03:10 . 2009-04-21 03:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009042020090421\index.dat
+ 2009-04-21 03:10 . 2009-04-21 03:10 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009041320090420\index.dat
- 2009-04-16 00:26 . 2009-04-18 20:57 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-16 00:26 . 2009-04-22 20:11 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-16 00:26 . 2009-04-18 20:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-16 00:26 . 2009-04-22 20:11 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 39148 c:\windows\system32\certstore.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 46080 c:\windows\idashemg.dll
+ 2009-04-16 00:26 . 2009-04-22 20:11 327680 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5AF42A3-94F3-42BD-F634-0604832C897D}]
2009-04-18 22:09 15000 ----a-w c:\windows\system32\yaubfh983ind.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Gaming Mouse"="c:\program files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe" [2006-12-01 839680]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-21 462913]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk.disabled [2008-10-14 911]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-1-3 294912]
Reboot.exe [2006-12-29 429056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{D5BF49A0-94F3-42BD-F434-3604812C8955}"= "c:\windows\system32\zfgh83jg3.dll" [2009-04-18 15000]
"{A5AF42A3-94F3-42BD-F634-0604832C897D}"= "c:\windows\system32\yaubfh983ind.dll" [2009-04-18 15000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli idashemg.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Black Isle\\Baldur's Gate\\BGMain2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\day of defeat source\\hl2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\opposing force\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life blue shift\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\dystopia\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6113:TCP"= 6113:TCP:War3

R1 iqi6bdb;iqi6bdb; [x]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 45132]
R3 XDva225;XDva225; [x]
S1 aswSP;avast! Self Protection; [x]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]


--- Other Services/Drivers In Memory ---

*Deregistered* - Aavmker4
*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - aswFsBlk
*Deregistered* - aswMon2
*Deregistered* - aswSP
*Deregistered* - aswTdi
*Deregistered* - aswUpdSv
*Deregistered* - Ati HotKey Poller
*Deregistered* - ATI Smart
*Deregistered* - audstub
*Deregistered* - awecho
*Deregistered* - awlegacy
*Deregistered* - Beep
*Deregistered* - BIOS
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - Dhcp
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gernuwa
*Deregistered* - Gpc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - nvatabus
*Deregistered* - NVSvc
*Deregistered* - NVTCP
*Deregistered* - PartMgr
*Deregistered* - PCIIde
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SCDEmu
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - sr
*Deregistered* - Srv
*Deregistered* - STacSV
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - wuauserv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22229d0c-2c47-11de-ba43-002197d3ca05}]
\shell\autorun\command - F:\RUNDLL32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff94b590-b958-11dc-b694-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2009-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-28 22:08]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\619967451.exe
HKU-Default-Run-reader_s - c:\documents and settings\Owner\reader_s.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6mtgxo9p.default\
FF - prefs.js: browser.startup.homepage - www.left4dead411.com/forums
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 16:19
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\6to4]
"ServiceDll"="c:\windows\system32\6to4v32.dll"
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\at1394]
"ImagePath"="\??\c:\windows\system32\at1394.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\restore]
"ImagePath"="\??\c:\windows\system32\drivers\restore.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(760)
c:\windows\idashemg.dll

- - - - - - - > 'explorer.exe'(620)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\idashemg.dll
c:\windows\system32\zfgh83jg3.dll
c:\windows\system32\yaubfh983ind.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-22 16:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 20:25
ComboFix2.txt 2009-04-18 22:08
ComboFix3.txt 2009-04-18 21:04
ComboFix4.txt 2009-04-18 19:06

Pre-Run: 15,434,309,632 bytes free
Post-Run: 15,427,239,936 bytes free

465 --- E O F --- 2009-04-01 08:05


And I wasn't sure if you wanted another HJT log, so I included one.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:00 PM, on 4/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN2.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\yaubfh983ind.dll - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll
O2 - BHO: C:\WINDOWS\system32\zfgh83jg3.dll - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Gaming Mouse] C:\Program Files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - S-1-5-21-796845957-1409082233-839522115-1003 Startup: OpenOffice.org 2.4.lnk.disabled (User '?')
O4 - Startup: OpenOffice.org 2.4.lnk.disabled
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Reboot.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O22 - SharedTaskScheduler: as3iur98wajkef3wgf3 - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\xpv_5902_012208\wdm\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5638 bytes
 
This machine needs to be formatted.

This system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, and therefore the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or a destructive recovery if you have an OEM recovery partition, is the best way to clean the infection, and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

See miekiemoes' blog for similar comments here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Information Links

http://free.avg.com/66558
http://www.avast.com/eng/win32-virut.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=66586
http://securitywatch.eweek.com/exploits_and_attacks/virut_delivers_polymorphic_punch.html

:sad:
 