Old 02-22-2009, 02:54 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP


Reader_s and more

My computer has slowed down, internet is slowed, programs are broken, programs are crashing, and sometimes when I right-click, explorer.exe crashes. No pop-ups at least lol, but I cannot wipe my HD, too much important stuff.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Mychal at 16:41:07.64 on Sun 02/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2030.1205 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mychal\Desktop\STUFF\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\temp\init.exe
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [reader_s] c:\documents and settings\mychal\reader_s.exe
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\mychal\startm~1\programs\startup\stardo~1.lnk - e:\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mychal\applic~1\mozilla\firefox\profiles\3g7uwvug.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?rls=ig
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-2-21 22536]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-19 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-19 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-19 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-19 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-19 298264]
S0 cvoj;cvoj;c:\windows\system32\drivers\wfakwb.sys --> c:\windows\system32\drivers\wfakwb.sys [?]
S2 kmewznumnsnzdgt;kmewznumnsnzdgt;\??\c:\windows\system32\drivers\lwipdkbs.sys --> c:\windows\system32\drivers\lwipdkbs.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-8-29 10664]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S4 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-2-21 4150840]
S4 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-02-22 13:44 30,208 a------- c:\documents and settings\mychal\reader_s.exe
2009-02-22 13:44 30,208 a------- c:\windows\system32\reader_s.exe
2009-02-22 13:44 46,080 a------- c:\windows\system32\undname.exe
2009-02-22 13:44 67,585 a------- c:\windows\system32\7.tmp
2009-02-22 13:44 24,577 a------- c:\windows\system32\5.tmp
2009-02-22 13:44 168 a------- c:\windows\system32\4.tmp
2009-02-22 12:18 46,080 a------- c:\windows\system32\7z.exe
2009-02-22 12:18 38,913 a------- c:\windows\system32\3.tmp
2009-02-22 12:18 168 a------- c:\windows\system32\2.tmp
2009-02-22 11:20 46,080 a------- c:\windows\system32\idaw64.exe
2009-02-22 11:20 67,585 a------- c:\windows\system32\6.tmp
2009-02-22 00:57 67,585 a------- c:\windows\system32\4F.tmp
2009-02-22 00:57 38,913 a------- c:\windows\system32\4E.tmp
2009-02-22 00:57 168 a------- c:\windows\system32\4D.tmp
2009-02-22 00:17 67,585 a------- c:\windows\system32\40.tmp
2009-02-22 00:17 38,913 a------- c:\windows\system32\3F.tmp
2009-02-22 00:17 168 a------- c:\windows\system32\3E.tmp
2009-02-21 23:34 67,585 a------- c:\windows\system32\35.tmp
2009-02-21 23:34 25,601 a------- c:\windows\system32\34.tmp
2009-02-21 23:34 168 a------- c:\windows\system32\33.tmp
2009-02-21 22:59 <DIR> --d----- c:\program files\Gravity
2009-02-21 22:54 67,585 a------- c:\windows\system32\11.tmp
2009-02-21 22:49 130 a------- c:\windows\adobe.bat
2009-02-21 22:49 67,585 a------- c:\windows\system32\5.tm_
2009-02-21 22:49 24,577 a------- c:\windows\system32\4.tm_
2009-02-21 22:11 96 a---h--- c:\windows\system32\HsInfo.dat
2009-02-21 18:53 67,585 a------- c:\windows\system32\C4.tmp
2009-02-21 18:53 38,913 a------- c:\windows\system32\C3.tmp
2009-02-21 18:53 168 a------- c:\windows\system32\C2.tmp
2009-02-21 18:16 <DIR> --d----- c:\program files\Marcos Velasco Security
2009-02-21 18:08 67,585 a------- c:\windows\system32\7B.tmp
2009-02-21 18:07 38,913 a------- c:\windows\system32\7A.tmp
2009-02-21 18:07 168 a------- c:\windows\system32\79.tmp
2009-02-21 17:59 22,536 a------- c:\windows\system32\drivers\pxscan.sys
2009-02-21 17:59 <DIR> --d----- c:\program files\Prevx
2009-02-21 17:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-02-21 17:41 <DIR> --d----- c:\program files\common files\Download Manager
2009-02-21 15:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-21 15:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-21 15:59 <DIR> --d----- c:\docume~1\mychal\applic~1\SUPERAntiSpyware.com
2009-02-21 15:58 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-21 08:53 <DIR> --d----- c:\docume~1\mychal\applic~1\Uniblue
2009-02-20 23:24 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\~0
2009-02-20 23:24 <DIR> --d----- c:\program files\Lavasoft
2009-02-20 20:53 616 a------- c:\windows\system32\C1.tmp
2009-02-20 20:52 2,560 a------- c:\windows\system32\BC.tmp
2009-02-20 20:52 88,065 a------- c:\windows\system32\B9.tmp
2009-02-20 20:52 25,601 a------- c:\windows\system32\B8.tmp
2009-02-20 20:52 208 a------- c:\windows\system32\B5.tmp
2009-02-12 22:51 <DIR> --d----- c:\windows\EasyBind
2009-02-11 20:54 <DIR> --d----- c:\program files\XBCD
2009-02-10 12:27 509 a------- c:\windows\system32\win32hlp.cnf
2009-02-08 17:19 <DIR> --d----- c:\program files\MSXML 6.0
2009-02-08 17:17 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-02-08 17:16 156 a------- c:\windows\Twunk001.MTX
2009-02-08 17:16 3 a------- c:\windows\Twain001.Mtx
2009-02-08 17:16 0 a------- c:\windows\Twunk002.MTX
2009-02-08 17:09 <DIR> --d----- c:\program files\Vstplugins
2009-02-07 17:20 529 a------- c:\windows\system32\winlogon2.exe
2009-02-06 20:43 36,104 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-02-06 20:43 33,846 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2009-02-06 20:43 <DIR> --d----- c:\program files\Illustrate
2009-02-06 16:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-02-06 16:47 <DIR> --d----- c:\docume~1\mychal\applic~1\Red Alert 3
2009-02-06 16:42 13,972 a------- c:\windows\system32\ealregsnapshot1.reg
2009-02-05 17:12 141,612 a------- c:\windows\system32\drivers\dump_wmimmc.sys
2009-02-05 15:50 42,320 a------- c:\windows\system32\xfcodec.dll
2009-02-04 04:00 27,310 a------- c:\windows\scunin.dat
2009-02-04 04:00 114,688 a------- c:\windows\ScUnin.exe
2009-02-04 04:00 967 a------- c:\windows\ScUnin.pif
2009-02-03 23:42 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-02-03 19:24 <DIR> --d----- c:\program files\uTorrent
2009-02-03 19:24 <DIR> --d----- c:\docume~1\mychal\applic~1\uTorrent
2009-01-30 23:52 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-01-30 23:51 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-01-30 23:51 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-01-30 23:51 238,088 a------- c:\windows\system32\xactengine3_2.dll
2009-01-30 23:51 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2009-01-30 23:51 467,984 a------- c:\windows\system32\d3dx10_39.dll
2009-01-30 23:51 3,851,784 a------- c:\windows\system32\D3DX9_39.dll

==================== Find3M ====================

2009-02-21 17:22 513 a------- c:\program files\Shortcut to DAEMON Tools Pro.lnk
2009-02-20 20:57 84,992 a--sh--- c:\windows\system32\gusasode.dll
2009-02-20 20:53 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-02-12 19:58 138,584 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-12 19:58 70,968 a------- c:\windows\system32\PnkBstrA.exe
2009-02-12 19:58 189,672 a------- c:\windows\system32\PnkBstrB.exe
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-10 12:27 121,856 a------- c:\windows\system32\userinit.exe
2009-02-06 20:43 148,480 a------- c:\windows\system32\SpoonUninstall.exe
2009-02-04 19:28 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-01 20:37 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-02-01 20:37 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-01-30 23:52 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-30 23:52 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-30 23:52 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-15 18:35 164 a------- C:\install.dat
2009-01-13 20:00 741,376 a------- c:\windows\iun6002ev.exe
2008-12-17 14:08 2,713 a--sh--- c:\windows\system32\lifemima.exe
2008-12-10 19:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 19:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 21:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 21:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 21:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 21:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-11-19 22:32 22,328 a------- c:\docume~1\mychal\applic~1\PnkBstrK.sys
2008-08-14 23:01 47,360 a------- c:\docume~1\mychal\applic~1\pcouffin.sys
2007-11-07 21:01 1 a------- c:\documents and settings\mychal\SI.bin
2007-09-17 22:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007091720070918\index.dat

============= FINISH: 16:41:55.87 ===============

Also wanted to say that the virus disabled my Windows Firewall and won't let me on it, and also redirects Google links.
Attached Files: Attach.zip (6.3 KB)

Last edited by chemist; 02-22-2009 at 05:37 PM. Reason: to retain 0 reply status
n00bhunt3r is offline  
Old 02-23-2009, 07:18 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,525
OS: XP SP3


Re: Reader_s and more

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
chemist is offline  
Old 02-23-2009, 09:33 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP


Re: Reader_s and more

ComboFix 09-02-21.01 - Mychal 2009-02-23 23:07:17.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2030.1435 [GMT -5:00]
Running from: c:\documents and settings\Mychal\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mychal\reader_s.exe
c:\windows\services.exe
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\edwvndr.dll
c:\windows\system32\edwvndr.dll.bak
c:\windows\system32\reader_s.exe
c:\windows\Tasks\At1.job
.
---- Previous Run -------
.
c:\documents and settings\Mychal\reader_s.exe
c:\windows\services.exe
c:\windows\system32\7.tmp
c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\drivers\str.sys
c:\windows\system32\init32.exe
c:\windows\system32\pvkcbax.dll
c:\windows\system32\reader_s.exe
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winlogon2.exe
c:\windows\system32\zqbuhqs.dll

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RESTORE
-------\Service_restore
-------\Service_seneka
-------\Legacy_RESTORE
-------\Service_restore
-------\Legacy_RESTORE
-------\Service_oiwqmhqq
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-23 23:26 . 2009-02-23 23:26 60,253 --a------ c:\windows\system32\7.tmp
2009-02-23 23:26 . 2009-02-23 23:26 168 --a------ c:\windows\system32\6.tmp
2009-02-23 23:02 . 2009-02-23 23:02 <DIR> d-------- C:\Gravity
2009-02-23 21:59 . 2009-02-23 21:59 38,913 --a------ c:\windows\system32\17.tmp
2009-02-23 21:59 . 2009-02-23 21:59 0 --a------ c:\windows\system32\18.tmp
2009-02-23 21:57 . 2009-02-23 21:57 168 --a------ c:\windows\system32\5.tmp
2009-02-23 21:44 . 2009-02-23 21:45 73,213 --a------ c:\windows\system32\4.tmp
2009-02-23 21:44 . 2009-02-23 21:44 168 --a------ c:\windows\system32\2.tmp
2009-02-23 21:31 . 2009-02-23 21:31 0 --a------ c:\windows\system32\8.tmp
2009-02-23 21:29 . 2009-02-23 21:29 168 --a------ c:\windows\system32\3.tmp
2009-02-23 07:09 . 2009-02-23 07:09 24,577 --a------ c:\windows\system32\14.tmp
2009-02-23 07:09 . 2009-02-23 07:09 0 --a------ c:\windows\system32\15.tmp
2009-02-22 17:23 . 2009-02-22 17:23 30,208 --a------ c:\windows\system32\reader_s.ex_
2009-02-22 16:43 . 2009-02-22 16:43 250 --a------ c:\windows\gmer.ini
2009-02-22 00:57 . 2009-02-22 00:57 67,585 --a------ c:\windows\system32\4F.tmp
2009-02-22 00:57 . 2009-02-22 00:57 38,913 --a------ c:\windows\system32\4E.tmp
2009-02-22 00:57 . 2009-02-22 00:57 168 --a------ c:\windows\system32\4D.tmp
2009-02-22 00:17 . 2009-02-22 00:17 67,585 --a------ c:\windows\system32\40.tmp
2009-02-22 00:17 . 2009-02-22 00:17 38,913 --a------ c:\windows\system32\3F.tmp
2009-02-22 00:17 . 2009-02-22 00:17 168 --a------ c:\windows\system32\3E.tmp
2009-02-21 23:34 . 2009-02-21 23:35 67,585 --a------ c:\windows\system32\35.tmp
2009-02-21 23:34 . 2009-02-21 23:34 25,601 --a------ c:\windows\system32\34.tmp
2009-02-21 23:34 . 2009-02-21 23:34 168 --a------ c:\windows\system32\33.tmp
2009-02-21 22:59 . 2009-02-21 22:59 <DIR> d-------- c:\program files\Gravity
2009-02-21 22:54 . 2009-02-21 22:54 67,585 --a------ c:\windows\system32\11.tmp
2009-02-21 22:49 . 2009-02-21 22:49 67,585 --a------ c:\windows\system32\5.tm_
2009-02-21 22:49 . 2009-02-21 22:49 24,577 --a------ c:\windows\system32\4.tm_
2009-02-21 22:49 . 2009-02-21 22:49 130 --a------ c:\windows\adobe.bat
2009-02-21 22:11 . 2009-02-21 22:11 96 --ah----- c:\windows\system32\HsInfo.dat
2009-02-21 18:53 . 2009-02-21 18:54 67,585 --a------ c:\windows\system32\C4.tmp
2009-02-21 18:53 . 2009-02-21 18:53 38,913 --a------ c:\windows\system32\C3.tmp
2009-02-21 18:53 . 2009-02-21 18:53 168 --a------ c:\windows\system32\C2.tmp
2009-02-21 18:08 . 2009-02-21 18:08 67,585 --a------ c:\windows\system32\7B.tmp
2009-02-21 18:07 . 2009-02-21 18:08 38,913 --a------ c:\windows\system32\7A.tmp
2009-02-21 18:07 . 2009-02-21 18:07 168 --a------ c:\windows\system32\79.tmp
2009-02-21 17:41 . 2009-02-21 17:41 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-02-21 15:59 . 2009-02-22 19:19 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-21 15:59 . 2009-02-22 19:19 <DIR> d-------- c:\documents and settings\Mychal\Application Data\SUPERAntiSpyware.com
2009-02-21 15:59 . 2009-02-21 15:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-21 15:58 . 2009-02-21 15:58 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-21 08:53 . 2009-02-21 08:53 <DIR> d-------- c:\documents and settings\Mychal\Application Data\Uniblue
2009-02-20 23:24 . 2009-02-22 14:11 <DIR> d-------- c:\program files\Lavasoft
2009-02-20 23:24 . 2009-02-22 14:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-20 20:53 . 2009-02-20 20:53 616 --a------ c:\windows\system32\C1.tmp
2009-02-20 20:52 . 2009-02-20 20:52 88,065 --a------ c:\windows\system32\B9.tmp
2009-02-20 20:52 . 2009-02-20 20:52 25,601 --a------ c:\windows\system32\B8.tmp
2009-02-20 20:52 . 2009-02-20 20:52 2,560 --a------ c:\windows\system32\BC.tmp
2009-02-20 20:52 . 2009-02-20 20:52 208 --a------ c:\windows\system32\B5.tmp
2009-02-12 22:51 . 2008-01-27 00:35 <DIR> d-------- c:\windows\EasyBind
2009-02-11 20:54 . 2009-02-11 20:54 <DIR> d-------- c:\program files\XBCD
2009-02-08 17:19 . 2009-02-08 17:19 <DIR> d-------- c:\program files\MSXML 6.0
2009-02-08 17:17 . 2009-02-08 17:19 <DIR> d-------- c:\program files\Microsoft SQL Server
2009-02-08 17:16 . 2009-02-08 17:16 <DIR> d-------- c:\documents and settings\Mychal\Application Data\Publish Providers
2009-02-08 17:16 . 2009-02-13 22:55 156 --a------ c:\windows\Twunk001.MTX
2009-02-08 17:16 . 2009-02-13 22:55 3 --a------ c:\windows\Twain001.Mtx
2009-02-08 17:16 . 2009-02-08 17:16 0 --a------ c:\windows\Twunk002.MTX
2009-02-08 17:15 . 2009-02-08 17:22 <DIR> d-------- c:\documents and settings\Mychal\Application Data\Sony
2009-02-08 17:09 . 2009-02-08 17:09 <DIR> d-------- c:\program files\Vstplugins
2009-02-08 17:09 . 2009-02-08 17:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2009-02-06 20:43 . 2009-02-06 20:43 <DIR> d-------- c:\program files\Illustrate
2009-02-06 20:43 . 2009-02-06 20:43 36,104 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-02-06 20:43 . 2009-02-06 20:43 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2009-02-06 16:56 . 2009-02-06 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-06 16:47 . 2009-02-06 16:47 <DIR> d-------- c:\documents and settings\Mychal\Application Data\Red Alert 3
2009-02-06 16:42 . 2009-02-06 16:43 13,972 --a------ c:\windows\system32\ealregsnapshot1.reg
2009-02-05 17:12 . 2009-02-08 01:28 141,612 --a------ c:\windows\system32\drivers\dump_wmimmc.sys
2009-02-05 15:50 . 2009-02-05 15:50 42,320 --a------ c:\windows\system32\xfcodec.dll
2009-02-04 04:00 . 2009-02-04 04:02 114,688 --a------ c:\windows\ScUnin.exe
2009-02-04 04:00 . 2009-02-04 04:02 27,310 --a------ c:\windows\scunin.dat
2009-02-04 04:00 . 2009-02-04 04:02 967 --a------ c:\windows\ScUnin.pif
2009-02-03 23:42 . 2009-02-03 23:42 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2009-02-03 19:24 . 2009-02-03 19:24 <DIR> d-------- c:\program files\uTorrent
2009-02-03 19:24 . 2009-02-23 21:22 <DIR> d-------- c:\documents and settings\Mychal\Application Data\uTorrent
2009-01-30 23:52 . 2009-01-30 23:54 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-01-30 23:51 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-01-30 23:51 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-01-30 23:51 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-01-30 23:51 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-01-30 23:51 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-01-30 23:51 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 04:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-24 04:05 --------- d-----w c:\documents and settings\Mychal\Application Data\Xfire
2009-02-24 03:49 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-24 02:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-23 00:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-22 22:58 --------- d-s---w c:\program files\Xfire
2009-02-22 22:04 --------- d-----w c:\program files\DAEMON Tools Pro
2009-02-22 05:46 --------- d-----w c:\program files\Trillian
2009-02-21 22:30 --------- d-----w c:\documents and settings\Mychal\Application Data\InstallShield Installation Information
2009-02-21 22:22 513 ----a-w c:\program files\Shortcut to DAEMON Tools Pro.lnk
2009-02-21 20:58 --------- d-----w c:\program files\Java
2009-02-21 16:35 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-02-21 01:53 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-19 20:53 --------- d-----w c:\documents and settings\Mychal\Application Data\Vso
2009-02-17 12:20 --------- d-----w c:\program files\iTunes
2009-02-16 03:11 --------- d-----w c:\documents and settings\Mychal\Application Data\Winamp
2009-02-15 19:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-14 03:59 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-13 00:58 138,584 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-08 23:09 --------- d-----w c:\program files\PeerGuardian2
2009-02-08 23:05 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-02-08 22:19 --------- d-----w c:\program files\Microsoft.NET
2009-02-06 21:44 --------- d-----w c:\program files\Electronic Arts
2009-02-01 05:30 --------- d-----w c:\program files\Common Files\Adobe
2009-01-31 19:11 --------- d-----w c:\program files\Common Files\BioWare
2009-01-31 04:52 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-31 04:52 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-23 02:08 --------- d-----w c:\documents and settings\Mychal\Application Data\Hamachi
2009-01-20 02:11 --------- d-----w c:\program files\DivX
2009-01-19 19:41 --------- d-----w c:\program files\AVG
2009-01-19 19:03 --------- d-----w c:\documents and settings\Mychal\Application Data\VMware
2009-01-18 00:38 --------- d-----w c:\documents and settings\Mychal\Application Data\dvdcss
2009-01-16 03:39 --------- d-----w c:\documents and settings\Mychal\Application Data\ESET
2009-01-16 03:38 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-01-15 23:35 164 ----a-w C:\install.dat
2009-01-15 23:10 --------- d-----w c:\program files\CCleaner
2009-01-15 12:22 --------- d-----w c:\documents and settings\All Users\Application Data\_comodo_
2009-01-15 03:42 --------- d-----w c:\program files\Trend Micro
2009-01-15 03:08 --------- d-----w c:\documents and settings\Mychal\Application Data\LimeWire
2009-01-14 01:00 741,376 ----a-w c:\windows\iun6002ev.exe
2009-01-13 05:00 --------- d-----w c:\program files\Trillian ASTRA
2009-01-06 00:43 --------- d-----w c:\documents and settings\Dad\Application Data\LimeWire
2008-11-20 03:32 22,328 ----a-w c:\documents and settings\Mychal\Application Data\PnkBstrK.sys
2008-08-15 04:01 47,360 ----a-w c:\documents and settings\Mychal\Application Data\pcouffin.sys
2007-11-08 02:01 1 ----a-w c:\documents and settings\Mychal\SI.bin
2007-09-18 03:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007091720070918\index.dat
.

------- Sigcheck -------

2004-08-03 18:56 31232 6a63965d9ee3ad57e273b4426a88275d c:\windows\system32\svchost.exe
2004-08-03 18:56 31744 004c864b6b926c35f0a2a7c4f38ad1e3 c:\windows\system32\dllcache\svchost.exe

2009-02-20 20:53 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-02-20 20:53 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2007-05-25 00:16 1050624 be06469e5a59c44f09890f05d7b0581e c:\windows\explorer.exe
2007-05-25 00:16 1050112 2b73ed59f3b2c635e5ad6bfb825e8a12 c:\windows\system32\dllcache\explorer.exe

2004-08-03 18:56 32768 48f3d0db7853403dad6340eb4ede0929 c:\windows\system32\ctfmon.exe

2007-05-25 00:17 75264 5a7d959a9ac30b4e7147a5f4084a8bc9 c:\windows\system32\spoolsv.exe
2007-05-25 00:17 74752 db95e8999de9b468318b218876dea04b c:\windows\system32\dllcache\spoolsv.exe

2009-02-10 12:27 121856 1725d82ed4e7140e0914d84feb485636 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2007-05-25 186880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 61440]

c:\documents and settings\Mychal\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - e:\stardock\ObjectDock\ObjectDock.exe [2008-10-13 3450608]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 23:52 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ZMBV"= zmbv.dll
"VIDC.XFR1"= xfcodec.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mychal^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mychal^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mychal^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 18:56 32768 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
--a------ 2007-05-25 00:16 186880 c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reader_s]
--a------ 2009-02-23 23:29 47104 c:\windows\system32\reader_s.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"NVSvc"=2 (0x2)
"usnjsvc"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"Adobe Version Cue CS3"=3 (0x3)
"LBTServ"=3 (0x3)
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"idsvc"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"HotspotShieldService"=2 (0x2)
"cmdAgent"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"WRConsumerService"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"MSSQL$SONY_MEDIAMGR2"=3 (0x3)
"SQLWriter"=2 (0x2)
"CcEvtSvc"=2 (0x2)
"SwPrv"=3 (0x3)
"COMSysApp"=3 (0x3)
"UPS"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"CSIScanner"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian Astra\\trillian.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"e:\\Steam\\steamapps\\n00bhunt3r92\\team fortress 2\\hl2.exe"=
"e:\\Steam\\steamapps\\n00bhunt3r92\\insurgency\\hl2.exe"=
"c:\\Documents and Settings\\Mychal\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Steam\\steamapps\\n00bhunt3r92\\garrysmod\\hl2.exe"=
"e:\\Steam\\Steam.exe"=
"e:\\Steam\\steamapps\\n00bhunt3r92\\counter-strike\\hl.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"=
"e:\\Steam\\steamapps\\n00bhunt3r92\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"e:\\Steam\\steamapps\\n00bhunt3r92\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\THQ\\Dawn of War\\W40k.exe"=
"e:\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"e:\\Steam\\steamapps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=
"e:\\Steam\\steamapps\\common\\world of goo\\WorldOfGoo.exe"=
"e:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"e:\\THQ\\Dawn of War\\W40kWA.exe"=
"e:\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"e:\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaW.exe"=
"e:\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaWmp.exe"=
"e:\\VentSrv\\ventrilo_srv.exe"=
"e:\\Steam\\steamapps\\common\\left 4 dead\\srcds.exe"=
"e:\\Steam\\steamapps\\n00bhunt3r92\\source dedicated server\\srcds.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14922:TCP"= 14922:TCP:BitComet 14922 TCP
"14922:UDP"= 14922:UDP:BitComet 14922 UDP
"61318:TCP"= 61318:TCP:*:Disabled:SolidNetworkManager
"61318:UDP"= 61318:UDP:*:Disabled:SolidNetworkManager
"60000:TCP"= 60000:TCP:BitComet 60000 TCP
"60000:UDP"= 60000:UDP:BitComet 60000 UDP
"40000:TCP"= 40000:TCP:BitComet 40000 TCP
"40000:UDP"= 40000:UDP:BitComet 40000 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-19 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-19 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-19 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-19 298264]
S0 cvoj;cvoj;c:\windows\system32\drivers\wfakwb.sys --> c:\windows\system32\drivers\wfakwb.sys [?]
S2 dpdlnuoatsj;dpdlnuoatsj;\??\c:\windows\system32\drivers\oistwzjh.sys --> c:\windows\system32\drivers\oistwzjh.sys [?]
S2 kmewznumnsnzdgt;kmewznumnsnzdgt;\??\c:\windows\system32\drivers\lwipdkbs.sys --> c:\windows\system32\drivers\lwipdkbs.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-08-29 10664]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S4 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PROTECT
*Deregistered* - protect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\1-Click Maintenance.job
- e:\tuneup utilities 2008\OneClick.exe [2008-01-08 16:31]

2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-reader_s - c:\documents and settings\Mychal\reader_s.exe


.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/fios/includes/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Mychal\Application Data\Mozilla\Firefox\Profiles\3g7uwvug.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?rls=ig
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 23:27:40
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-299502267-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:45,93,64,47,bb,a9,db,cb,ca,3c,0e,e9,de,90,08,b3,96,76,f9,be,9b,60,38,
52,66,46,89,75,c4,34,2b,7e,b9,fc,cf,07,70,87,5f,29,58,7c,7a,91,49,78,4d,05,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-527237240-299502267-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:c5,1f,79,34,3b,40,38,48,b8,07,a3,55,29,c0,72,b5,2f,fe,36,5a,09,
f3,75,f8,f9,94,2c,87,b8,52,3b,f7,7d,cc,ec,e2,e5,4d,5f,4d,d1,73,04,cc,d7,e4,\
"rkeysecu"=hex:fb,a1,5e,88,99,a9,e0,7d,8e,8d,26,0d,f7,48,58,90
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\windows\temp\BN9.tmp
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\makehm.exe
.
**************************************************************************
.
Completion time: 2009-02-23 23:30:41 - machine was rebooted [Mychal]
ComboFix-quarantined-files.txt 2009-02-24 04:30:39
ComboFix2.txt 2009-01-19 18:33:38

Pre-Run: 238,098,960,384 bytes free
Post-Run: 238,444,367,872 bytes free

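Most of what the analyst acts on next is already visible in the ComboFix log above: Sigcheck rows where the live copy of a system file (svchost.exe, explorer.exe) hashes differently from its dllcache copy while ndis.sys matches, a Winlogon Userinit value that is not the Windows XP default of c:\windows\system32\userinit.exe, boot/system-start services with random-looking names whose driver files are missing, and Security Center notifications switched off. The script below is an added example, not part of the thread and not ComboFix code, that triages a ComboFix-style excerpt for exactly those patterns. The sample log text is constructed from rows posted above; the "random-looking name" test is a heuristic of this example, not a ComboFix rule.

```python
"""Triage a ComboFix-style log excerpt for the indicators seen in this thread.

Added example; not part of the original post and not ComboFix code.
"""
import re

# Constructed sample: rows copied from the log posted above, trimmed to the
# sections this script inspects (Sigcheck, Winlogon, Security Center, services).
SAMPLE_LOG = r"""
------- Sigcheck -------
2004-08-03 18:56 31232 6a63965d9ee3ad57e273b4426a88275d c:\windows\system32\svchost.exe
2004-08-03 18:56 31744 004c864b6b926c35f0a2a7c4f38ad1e3 c:\windows\system32\dllcache\svchost.exe
2009-02-20 20:53 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-02-20 20:53 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys
2007-05-25 00:16 1050624 be06469e5a59c44f09890f05d7b0581e c:\windows\explorer.exe
2007-05-25 00:16 1050112 2b73ed59f3b2c635e5ad6bfb825e8a12 c:\windows\system32\dllcache\explorer.exe
2009-02-10 12:27 121856 1725d82ed4e7140e0914d84feb485636 c:\windows\system32\userinit.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-19 325128]
S0 cvoj;cvoj;c:\windows\system32\drivers\wfakwb.sys --> c:\windows\system32\drivers\wfakwb.sys [?]
S2 dpdlnuoatsj;dpdlnuoatsj;\??\c:\windows\system32\drivers\oistwzjh.sys --> c:\windows\system32\drivers\oistwzjh.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-08-29 10664]
"""

SIGCHECK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$", re.I)
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+)$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Windows XP default (a known fact, not something read from the log).
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe,"
DLLCACHE = "c:\\windows\\system32\\dllcache\\"


def parse_sigcheck(lines):
    """Map lowercase path -> (size, md5, date) for every Sigcheck row."""
    files = {}
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            date, size, md5, path = m.groups()
            files[path.lower()] = (int(size), md5.lower(), date)
    return files


def dllcache_mismatches(files):
    """A live system file whose hash differs from its dllcache copy needs analysis."""
    findings = []
    for path, (size, md5, _date) in files.items():
        if path.startswith(DLLCACHE):
            continue
        name = path.rsplit("\\", 1)[-1]
        cache = files.get(DLLCACHE + name)
        if cache and cache[1] != md5:
            findings.append(f"{name}: md5 {md5} differs from dllcache copy {cache[1]} "
                            f"(sizes {size} vs {cache[0]})")
    return findings


def check_registry(lines):
    """Flag a non-default Winlogon Userinit and suppressed Security Center alerts."""
    findings, section = [], ""
    for line in lines:
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s.lower()
            continue
        m = REG_VALUE_RE.match(s)
        if not m:
            continue
        name, value = m.groups()
        if section.endswith("\\winlogon]") and name.lower() == "userinit":
            if value.strip('"').lower() != DEFAULT_USERINIT:
                findings.append(f"Winlogon Userinit = {value}, expected \"{DEFAULT_USERINIT}\"")
        elif section.endswith("\\security center]") and name.endswith("DisableNotify"):
            if value.endswith("1"):
                findings.append(f"Security Center alert suppressed: {name}")
    return findings


def check_services(lines):
    """Flag services whose image is missing ('--> ... [?]') or whose name looks random.

    The 'random-looking' test (4-16 lowercase letters, display name identical to
    the service name) is a heuristic of this example, not a ComboFix rule.
    """
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, display, image = m.groups()
        missing = image.endswith("[?]")
        random_name = name == display and re.fullmatch(r"[a-z]{4,16}", name) is not None
        if missing or random_name:
            reasons = (["file missing"] if missing else []) + (["random-looking name"] if random_name else [])
            findings.append(f"{start} service {name}: {image.split(' -->')[0]} ({', '.join(reasons)})")
    return findings


def triage(log_text):
    """Run every check over the log text and return the combined list of findings."""
    lines = log_text.splitlines()
    return dllcache_mismatches(parse_sigcheck(lines)) + check_registry(lines) + check_services(lines)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, it reports svchost.exe and explorer.exe as differing from their dllcache copies, stays quiet on ndis.sys, flags the Userinit value and the three DisableNotify settings, and lists the two boot-start services with missing driver files; that is the same short list a human analyst would carry into the VirusTotal step that follows.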
Old 02-24-2009, 05:43 AM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,525
OS: XP SP3


Re: Reader_s and more

Hello n00bhunt3r.

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    c:\windows\explorer.exe

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following file:

    c:\windows\system32\userinit.exe
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 02-24-2009, 01:37 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP


Re: Reader_s and more

Explorer.exe:
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.24 Trojan.Win32.Patched!IK
AhnLab-V3 2009.2.24.0 2009.02.24 Win32/Virut.F
AntiVir 7.9.0.88 2009.02.24 W32/Virut.Gen
Authentium 5.1.0.4 2009.02.24 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.02.24 Win32:Vitro
AVG 8.0.0.237 2009.02.24 -
BitDefender 7.2 2009.02.24 -
CAT-QuickHeal 10.00 2009.02.22 -
ClamAV 0.94.1 2009.02.24 -
Comodo 983 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.24 Win32.Virut.56
eSafe 7.0.17.0 2009.02.19 -
eTrust-Vet 31.6.6372 2009.02.24 Win32/Virut.17408
F-Prot 4.4.4.56 2009.02.24 W32/Patched.E.gen!Eldorado
F-Secure 8.0.14470.0 2009.02.24 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.02.24 -
GData 19 2009.02.24 Win32:Vitro
Ikarus T3.1.1.45.0 2009.02.24 Trojan.Win32.Patched
K7AntiVirus 7.10.639 2009.02.21 -
Kaspersky 7.0.0.125 2009.02.24 Virus.Win32.Virut.ce
McAfee 5535 2009.02.24 W32/Virut.n.gen
McAfee+Artemis 5535 2009.02.24 W32/Virut.n.gen
Microsoft 1.4306 2009.02.24 Virus:Win32/Virut.BM
NOD32 3886 2009.02.24 Win32/Virut.NBK
Norman 6.00.06 2009.02.24 -
nProtect 2009.1.8.0 2009.02.24 -
Panda 10.0.0.10 2009.02.24 W32/Sality.AO
PCTools 4.4.2.0 2009.02.24 -
Prevx1 V2 2009.02.24 -
Rising 21.18.12.00 2009.02.24 -
SecureWeb-Gateway 6.7.6 2009.02.24 Win32.Virut.Gen
Sophos 4.39.0 2009.02.24 W32/Scribble-A
Sunbelt 3.2.1856.2 2009.02.24 Win32.Virut.cf (v)
Symantec 10 2009.02.24 W32.Virut.CF
TheHacker 6.3.2.5.264 2009.02.24 W32/Virut.gen
TrendMicro 8.700.0.1004 2009.02.24 PE_VIRUX.D
VBA32 3.12.10.0 2009.02.24 Virus.Win32.Virut.X5
ViRobot 2009.2.24.1621 2009.02.24 -
VirusBuster 4.5.11.0 2009.02.24 -
Additional information
File size: 1050624 bytes
MD5...: be06469e5a59c44f09890f05d7b0581e
SHA1..: 0bed5fc2cba0eab3a4a3f424c1361ef4a3c56a0d
SHA256: 47c21edaea07ac18f39fbddfa35b9371b0c333b03aa368ea2a4752a161b0e21e
SHA512: 5881501c623a7053a8c3fe41f6b64a45e3dae829535917670b99c174d33b64f4
0d28b8b414c050329b553e706b2a45b5d4fa3720035b2435f3feb69dfc040865
ssdeep: 24576:QWSYrDeRUwLnra3akf8I+skj1/g/J/Zk:nCVLnra3akf8Vjh
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10febcc
timedatestamp.....: 0x444cc701 (Mon Apr 24 12:39:29 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44b19 0x44c00 6.36 ac924536d98248d4437a226454f63bfd
.data 0x46000 0x1db4 0x1800 1.30 d17e33805cf5d76b401a765b4bc90734
.rsrc 0x48000 0xb2268 0xb2400 6.63 a7b33b569dfc83af927438928b25a65e
.reloc 0xfb000 0x8800 0x7c00 7.61 167c5bbbcab5618418b1a02a43ccc1a2

( 13 imports )
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> BROWSEUI.dll: -, -, -, -
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, 
RegisterWaitForSingleObject
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> SHDOCVW.dll: -, -, -
> SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, 
CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

( 0 exports )


userinit.exe
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.24 Backdoor.Win32.Agent.adqt!A2
AhnLab-V3 2009.2.24.0 2009.02.24 Win32/Virut.F
AntiVir 7.9.0.88 2009.02.24 W32/Virut.Gen
Authentium 5.1.0.4 2009.02.24 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.02.24 Win32:Vitro
AVG 8.0.0.237 2009.02.24 -
BitDefender 7.2 2009.02.24 -
CAT-QuickHeal 10.00 2009.02.22 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.02.24 -
Comodo 983 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.24 Win32.Virut.56
eSafe 7.0.17.0 2009.02.19 Suspicious File
eTrust-Vet 31.6.6372 2009.02.24 Win32/Virut.17408
F-Prot 4.4.4.56 2009.02.24 W32/Virut.AI!Generic
F-Secure 8.0.14470.0 2009.02.24 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.02.24 -
GData 19 2009.02.24 Win32:Downloader-CDV
Ikarus T3.1.1.45.0 2009.02.24 -
K7AntiVirus 7.10.639 2009.02.21 -
Kaspersky 7.0.0.125 2009.02.24 Virus.Win32.Virut.ce
McAfee 5535 2009.02.24 W32/Virut.n.gen
McAfee+Artemis 5535 2009.02.24 W32/Virut.n.gen
Microsoft 1.4306 2009.02.24 Virus:Win32/Virut.BM
NOD32 3886 2009.02.24 Win32/Virut.NBK
Norman 6.00.06 2009.02.24 -
nProtect 2009.1.8.0 2009.02.24 -
Panda 10.0.0.10 2009.02.24 W32/Sality.AO
PCTools 4.4.2.0 2009.02.24 -
Prevx1 V2 2009.02.24 -
Rising 21.18.12.00 2009.02.24 -
SecureWeb-Gateway 6.7.6 2009.02.24 Win32.Virut.Gen
Sophos 4.39.0 2009.02.24 W32/Scribble-A
Sunbelt 3.2.1856.2 2009.02.24 Win32.Virut.cf (v)
Symantec 10 2009.02.24 W32.Virut.CF
TheHacker 6.3.2.5.264 2009.02.24 W32/Virut.gen
TrendMicro 8.700.0.1004 2009.02.24 PE_VIRUX.D
VBA32 3.12.10.0 2009.02.24 Virus.Win32.Virut.X5
ViRobot 2009.2.24.1621 2009.02.24 -
VirusBuster 4.5.11.0 2009.02.24 -
Additional information
File size: 121856 bytes
MD5...: 1725d82ed4e7140e0914d84feb485636
SHA1..: bcccc52ed06e5982e6f22aef2c544ef671d1f64a
SHA256: 1ec6ba2252244f1e2efa74940e599972dc941c6792f6555a46cf5f55b4f5ba91
SHA512: 7f010d778e0be64c5ba15f498a14bd2a641760ea3cc65437a4004458755f763e
9226d81f760fb30b8fc7007906a27eafc68524ed908c50cfe4ef5a714753fa88
ssdeep: 3072:uk/h0LTOyg//0Kz6/00qXqI9pI0B8Dsjf85:uk/+/Oyg//0Wu1OJ8Aj
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41ef42
timedatestamp.....: 0x4991adcc (Tue Feb 10 16:39:40 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2663 0x2600 7.98 6ef55d1df4c0e8c9d3af3c34cbc6cf01
.rdata 0x4000 0xfd6 0x1000 7.95 cc5dfb8808774d7bc7ef08cb38543703
.data 0x5000 0x1b000 0x1a200 7.99 aa4249bfff3c3cc90b901fcf4b4267e7

( 0 imports )

( 0 exports )
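The two VirusTotal tables above are what the analyst reads to reach the "Virut" verdict in the next post: a high detection count and most engines agreeing on one family name, with a few outliers (Patched, Sality, vendor-specific names such as Vitro and Virux). The script below is an added example, not part of the thread and not VirusTotal code, that parses such a pasted table and tallies detections per family token. It deliberately does not map vendor aliases onto one another, because those mappings are not stated in the thread, so "consensus" here means agreement on the literal family word. The sample table is a constructed subset of the explorer.exe rows posted above.

```python
"""Tally a VirusTotal result table pasted as text: detection count and family consensus.

Added example, not part of the thread or of VirusTotal. It does not map vendor
aliases onto one another (Vitro, Virux, Scribble and Virut are counted as
separate names), so consensus here means agreement on the literal family token.
"""
import re
from collections import Counter

# Constructed subset of the explorer.exe rows posted above.
SAMPLE_TABLE = """\
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.24 Trojan.Win32.Patched!IK
AhnLab-V3 2009.2.24.0 2009.02.24 Win32/Virut.F
Avast 4.8.1335.0 2009.02.24 Win32:Vitro
AVG 8.0.0.237 2009.02.24 -
DrWeb 4.44.0.09170 2009.02.24 Win32.Virut.56
eTrust-Vet 31.6.6372 2009.02.24 Win32/Virut.17408
F-Prot 4.4.4.56 2009.02.24 W32/Patched.E.gen!Eldorado
Kaspersky 7.0.0.125 2009.02.24 Virus.Win32.Virut.ce
Microsoft 1.4306 2009.02.24 Virus:Win32/Virut.BM
Panda 10.0.0.10 2009.02.24 W32/Sality.AO
Prevx1 V2 2009.02.24 -
Sophos 4.39.0 2009.02.24 W32/Scribble-A
Sunbelt 3.2.1856.2 2009.02.24 Win32.Virut.cf (v)
TrendMicro 8.700.0.1004 2009.02.24 PE_VIRUX.D
VirusBuster 4.5.11.0 2009.02.24 -
"""

DATE_RE = re.compile(r"\d{4}\.\d{2}\.\d{2}")
# Type/platform words that precede the family name in most vendor naming schemes.
PLATFORM_TOKENS = {"virus", "trojan", "backdoor", "win32", "w32", "pe", "generic"}


def parse_row(line):
    """Split 'engine version date result...' on the YYYY.MM.DD update date.

    Versions like 2009.2.24.0 do not match the date pattern, and the result
    column may itself contain spaces, so everything after the date is the result.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if i >= 1 and DATE_RE.fullmatch(tok):
            return {"engine": tokens[0], "version": " ".join(tokens[1:i]),
                    "result": " ".join(tokens[i + 1:]) or "-"}
    return None


def family(result):
    """First token that is not a platform/type word or a number, lowercased; None if clean."""
    if result.strip() in ("", "-"):
        return None
    for tok in re.split(r"[^A-Za-z0-9]+", result):
        if not tok or tok.isdigit() or tok.lower() in PLATFORM_TOKENS:
            continue
        stem = re.sub(r"\d+$", "", tok).lower()
        return stem or None
    return None


def summarize(table_text):
    """Return engine count, detection count and a Counter of family tokens."""
    engines = detections = 0
    families = Counter()
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None:          # header line or blank
            continue
        engines += 1
        fam = family(row["result"])
        if fam:
            detections += 1
            families[fam] += 1
    return {"engines": engines, "detections": detections, "families": families}


if __name__ == "__main__":
    s = summarize(SAMPLE_TABLE)
    print(f"{s['detections']}/{s['engines']} engines flagged the file")
    for fam, n in s["families"].most_common():
        print(f"  {fam:10} {n}")
```

On the sample, 12 of 15 engines flag the file and "virut" is the most common family token by a wide margin, which is the pattern the analyst is reacting to below; the same code run over the userinit.exe table gives a comparable picture.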
Old 02-24-2009, 02:25 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,525
OS: XP SP3


Re: Reader_s and more

Hello n00bhunt3r. I hate to be the bearer of bad news, but your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, and those files are therefore corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection, and it is the only way to return the machine to its normal working state.

Read here

Virut is also a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

------------------------------------------------------

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr file by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

If you need help with a clean reformat and reinstall of Windows, I suggest you seek expert advice in our Windows XP Support Forum

They are more knowledgeable about this procedure and can answer your questions or help you in case something goes wrong.

Remember to immediately install an antivirus program and to then reinstall all the Windows Updates.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles:
How Did I Get Infected In The First Place? by TonyKlein

PC Safety and Security--What Do I Need?

------------------------------------------------------

Let me know if you have questions or need help.

------------------------------------------------------
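The backup rule in the post above (copy documents only, never .exe or .scr files, and not archives that carry them) is easy to get wrong by hand on a disk as full as this one. The script below is an added example, not code from the thread, that applies that rule to a directory tree and reports a copy/skip/inspect decision for each file. It goes one step beyond the post, which is an added caveat rather than something the analyst said: any file that starts with the "MZ" executable header is skipped whatever its extension, since a file infector does not care what a file is called. Only zip archives are opened; .cab and .rar are marked for inspection because the standard library cannot read them. The sample tree is constructed in a temporary directory.

```python
"""Choose what is safe to back up off a Virut-infected machine.

Added example following the advice above; not code from the thread.
Policy: skip .exe and .scr, skip archives that carry .exe/.scr members, and
(an added caveat, beyond the post) skip anything that begins with the 'MZ'
executable header regardless of its extension.
"""
import os
import shutil
import tempfile
import zipfile

EXECUTABLE_EXT = {".exe", ".scr"}
ZIP_EXT = {".zip"}
OTHER_ARCHIVE_EXT = {".cab", ".rar"}   # not readable with the stdlib; hand these to a scanner


def looks_like_pe(path):
    """True if the file starts with the DOS/PE 'MZ' magic."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def classify(path):
    """Return ('copy' | 'skip' | 'inspect', reason) for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXT:
        return "skip", "executable or screensaver"
    if ext in OTHER_ARCHIVE_EXT:
        return "inspect", "archive type not inspected here"
    if ext in ZIP_EXT:
        try:
            with zipfile.ZipFile(path) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return "inspect", "unreadable zip"
        bad = [m for m in members if os.path.splitext(m)[1].lower() in EXECUTABLE_EXT]
        if bad:
            return "skip", "zip contains " + ", ".join(bad)
        return "copy", "zip with no executables"
    if looks_like_pe(path):
        return "skip", "MZ header despite extension"
    return "copy", "data file"


def select_backup_files(root):
    """Walk root and classify every file; keys are forward-slash relative paths."""
    decisions = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            decisions[os.path.relpath(p, root).replace(os.sep, "/")] = classify(p)
    return decisions


def demo():
    """Build a constructed sample tree in a temp dir, classify it, clean up."""
    root = tempfile.mkdtemp()
    try:
        samples = {
            "thesis.docx": b"PK\x03\x04 stand-in for a document",
            "notes.txt": b"change every password from a clean machine",
            "game.exe": b"MZ\x90\x00",
            "saver.scr": b"MZ\x90\x00",
            "setup.bin": b"MZ\x90\x00",      # executable hiding behind another extension
            "driver.cab": b"MSCF",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
            zf.writestr("img1.jpg", b"\xff\xd8\xff")
        with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
            zf.writestr("readme.txt", b"tools")
            zf.writestr("bin/tool.exe", b"MZ")
        return select_backup_files(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, (verdict, why) in sorted(demo().items()):
        print(f"{verdict:8} {rel:12} {why}")
```

The "inspect" verdict is the important design choice: when the tool cannot prove an archive is clean it refuses to decide rather than silently copying it, which is what you want when the cost of a wrong "copy" is re-infecting the freshly reinstalled machine.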
Old 02-24-2009, 02:31 PM   #7 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP


Re: Reader_s and more

Thanks, I'll reformat ASAP.
Old 02-24-2009, 02:33 PM   #8 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP


Re: Reader_s and more

Is my E drive infected also? Do I have to format that too?
Old 02-24-2009, 03:21 PM   #9 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,525
OS: XP SP3


Re: Reader_s and more

Hello n00bhunt3r. Good question. We would have to see results from some kind of scanner. You could do an online scan of E: with Kaspersky:

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Or you could dump AVG, and install Avira's AntiVir and scan your E: drive.

You have a very large number of files on your E: drive. Either scan is likely to take a very long time. Although if you see any Virut result during the scan, you would have your answer and wouldn't necessarily have to complete the scan.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 02-24-2009, 04:07 PM   #10 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP


Re: Reader_s and more

Yeah, Virut came up.
I'll format both then.
Thanks for your help
n00bhunt3r is offline  
Old 02-24-2009, 04:17 PM   #11 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,525
OS: XP SP3


Re: Reader_s and more

You're welcome! Sorry it turned out the way it did. Good luck!
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE

Last edited by chemist; 02-24-2009 at 04:20 PM.
chemist is offline  
Copyright 2001 - 2009, Tech Support Forum