# Zlob AdWare/Trojan!?



## PurePwnage (Aug 5, 2008)

Hi,
I was just kinda surfing the internet and went down to my desktop when I noticed a couple odd icons for pornography.  I immediately deleted them, emptied my trash bin, and then one more came up.

I got a Windows Alert telling me what this does and it said it'll make porn pop ups and stuff.

I immediately shut down.

Does anybody have any help for me?

PS: I have McAfee.
PPS: I 100% do not look at porn, but I do use torrents...so maybe it could have been in one of those.


----------



## PurePwnage (Aug 5, 2008)

I went into Safe Mode.  I turned off System Restore.  I followed these steps:


http://www.symantec.com/security_response/writeup.jsp?docid=2005-060712-1407-99&tabid=3 said:


> 1. Click Start > Run.
> 2. Type regedit
> 3. Click OK.
> 
> ...



But none of the stuff they told me to do was there.  It was already deleted/changed (Step 7 was already Explorer.exe).
Do you think I may have gotten rid of it already?


----------



## chibicitiberiu (Aug 5, 2008)

Well, this seems familiar to me... I had such trouble before, but not pop-ups. Many of the images on websites (including Google image search) were replaced with an ad saying my PC was infected, and clicking it would force me to download an "antivirus".
I removed Kaspersky (the antivirus I was using then) and installed AVG and... guess what? I had a virus: Win32.Heur. I quickly scanned my entire hard drive and removed a few files (I still get an error message at startup that "scss.exe", I think, is missing, so it won't be easy to forget).
Try to get one of the top antivirus programs, like AVG or Kaspersky, and run a full scan of your computer.


----------



## Droogie (Aug 5, 2008)

It's not a Windows alert; it's a mock alert trying to get you to download some kind of adware.

Please download and post a log of HijackThis here:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download


----------



## PurePwnage (Aug 5, 2008)

I'm getting BSOD when I do a normal boot (after a minute or so of doing the startup programs).  Should I do Safe w/ Networking?


----------



## Punk (Aug 5, 2008)

PurePwnage said:


> I'm getting BSOD when I do a normal boot (after a minute or so of doing the startup programs).  Should I do Safe w/ Networking?



Yes, try to boot in Safe Mode.


----------



## PurePwnage (Aug 5, 2008)

Punk said:


> Yes try to boot in safe mode.



Alright, I'm doing that now.  Will give you a log in a few minutes.


----------



## PurePwnage (Aug 5, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:55 PM, on 8/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GN-WP01GS Utility.lnk = C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI  Adapter SoftAP\Installer\WINXP\RaUI.exe
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D007E548-1E09-481A-A51B-02ADD57D3E35}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Xampp\apache\bin\apache.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: mysql - Unknown owner - c:\Xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.protrade.com/
O24 - Desktop Component 2: (no name) - http://moola.com/

--
End of file - 8548 bytes
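The helpers in this thread read the O4 (Run key) and F3 (win.ini) lines above by eye and pick out the entries that do not belong. The script below is an added example, not code from the thread or from HijackThis: it applies a few heuristics of my own to those line types (a core system binary name outside system32, an .exe under system32\drivers, an executable dropped straight into %SystemRoot%, a file name one character away from a real Windows binary, a value name that imitates a Windows component, and any use of the legacy win.ini run= hook). The sample lines are copied from the log above with two benign entries kept for contrast; the name sets, path rules and severities are my assumptions, and a hit means "look closer", not "malicious".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4/F3 lines copied from the HijackThis log in this
# thread, with two benign entries (McAfee agent, ctfmon) kept for contrast.
SAMPLE_LOG = r'''
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system
'''

# Assumption: on XP these names legitimately live only in %SystemRoot%\system32.
CORE_SYSTEM32 = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe", "userinit.exe", "ctfmon.exe"}
# Names a dropper likes to imitate with a one-character change (sorted so
# the "looks like X" message is deterministic).
IMITATED = sorted(CORE_SYSTEM32 | {"explorer.exe", "iexplore.exe"})
RANK = {"low": 0, "medium": 1, "high": 2}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
F3_RE = re.compile(r'^F3 - REG:win\.ini: run="?([^"]+)"?')
# Shortest prefix ending in an executable extension followed by a space or
# end of line, so "C:\Program Files\...\x.exe /flag" keeps its inner space.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr))"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    value_name: str
    path: str
    severity: str = "low"
    reasons: list = field(default_factory=list)

    def add(self, severity, reason):
        self.reasons.append(reason)
        if RANK[severity] > RANK[self.severity]:
            self.severity = severity


def edit_distance(a, b):
    """Levenshtein distance; inputs are file names, so the O(n*m) table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(value_name, path, from_win_ini=False):
    """Run the heuristics over one autorun entry; None means nothing fired."""
    f = Finding(value_name, path)
    parent, _, name = path.lower().rpartition("\\")
    if from_win_ini:
        f.add("high", "win.ini run= is a legacy hook that current software does not use")
    if name in CORE_SYSTEM32 and not parent.endswith("\\system32"):
        f.add("high", f"{name} belongs in system32, found in {parent}")
    if parent.endswith("\\system32\\drivers") and name.endswith(".exe"):
        f.add("high", "an .exe under system32\\drivers, a folder that holds .sys files")
    if parent.endswith(":\\windows") and name != "explorer.exe":
        f.add("medium", "executable dropped directly in %SystemRoot%")
    if name not in IMITATED:
        for real in IMITATED:
            if edit_distance(name, real) == 1:
                f.add("high", f"{name} is one character away from {real}")
                break
    if any(tok in value_name.lower() for tok in ("lsass", "svchost", "driver", "winlogon")):
        f.add("medium", f"value name {value_name!r} imitates a Windows component")
    return f if f.reasons else None


def triage(log_text):
    """Pull O4 and F3 lines out of a HijackThis log and return the findings."""
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            hive, value_name, command = m.groups()
            if exe := EXE_RE.match(command):
                f = assess(f"{hive}:{value_name}", exe.group(1))
                if f:
                    findings.append(f)
        elif m := F3_RE.match(line):
            f = assess("win.ini run=", m.group(1), from_win_ini=True)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.value_name}: {f.path}")
        for r in f.reasons:
            print("         -", r)
```

Run against the sample, the four hits are winupdate.exe (win.ini), msauc.exe, the svchost.exe under drivers and iexplorer.exe, which are exactly the files the Malwarebytes scan later in the thread removed; the McAfee agent and ctfmon lines stay quiet. The name-distance rule is the one worth keeping in your own checklist: a process list will happily show "iexplorer.exe" next to "iexplore.exe" and the eye reads both as Internet Explorer.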


----------



## Droogie (Aug 5, 2008)

If you have viewpoint media player, please uninstall it.


Download and perform a quick scan with Malwarebytes.

http://www.malwarebytes.org/mbam.php


----------



## PurePwnage (Aug 5, 2008)

Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 3

4:21:58 PM 8/5/2008
mbam-log-8-5-2008 (16-21-58).txt

Scan type: Quick Scan
Objects scanned: 41573
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexplorer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass driver (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kduxh.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Trojan.Downloader) -> Data: c:\windows\system32\winupdate.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
*C:\WINDOWS\system32\kduxh.exe (Rootkit.DNSChanger) -> Delete on reboot.*
C:\WINDOWS\system32\wpx11.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex3.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iexplorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msauc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpx12.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wscmp.dll (Adware.BHO) -> Quarantined and deleted successfully.
*C:\WINDOWS\system32\lich.dat (Stolen.Data) -> Delete on reboot.*

I believe those were the only two.


----------



## PurePwnage (Aug 6, 2008)

Do you guys think it's fixed?


----------



## cohen (Aug 6, 2008)

OK Purepwnage, can you please do the following:

1. - Please remove Viewpoint Manager: Control Panel > Add / Remove Programs > Remove Viewpoint Manager.

2. - Hello,

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your reply:

Post the combo fix log
Post a Fresh Hijackthis log

Thank you


----------



## PurePwnage (Aug 6, 2008)

I deleted Viewpoint MP and Manager earlier today.

As requested...


combofix said:


> ComboFix 08-08-04.09 - Mike 2008-08-05 23:12:20.1 - NTFSx86 NETWORK
> Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1666 [GMT -4:00]
> Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
> 
> ...



==============================================

*HIJACK THIS LOG IS NEXT*


HiJack This said:


> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 11:29:35 PM, on 8/5/2008
> Platform: Windows XP SP3 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.6000.16674)
> ...


----------



## GameMaster (Aug 6, 2008)

Ouch... you had some rootkits and Trojan backdoors. I hope you understand the true power of them stealing your data. There are identity thefts today, stealing your CC numbers and passwords... Please stick to Computer Forum until we tell you you're clean.

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account. 


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked. 
Copy and Paste the text in the box below into *Notepad*. 
Now save the file as *RemoveFiles.txt* in a location where you can find it. 



> Files to delete:
> C:\WINDOWS\system32\epfforii.tmp
> C:\WINDOWS\ST5UNST.EXE
> C:\WINDOWS\ST5UNST.000
> ...



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system. 

Start *Avenger* by double clicking on *Avenger.exe*. 

Check *Load script from file:* 
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*. 
Double click it to enter it into Avenger. 
Click the *green traffic light symbol*. 
You will be asked if you want to execute the script, answer *Yes*. 
At this point you may get prompts from your protection systems, allow them please. 
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately. 
Answer *Yes*, and allow your computer to re-boot. 
Upon re-boot a command window will briefly appear on screen (this is normal). 
A Notepad text file will be created *C:\avenger.txt*. 
*Copy and Paste it into your next post please.* 


Now open your HijackThis again. Find and place a check next to these entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O24 - Desktop Component 0: (no name) - http://www.protrade.com/
O24 - Desktop Component 2: (no name) - http://moola.com/

Now click *Fix checked.* Reboot your computer again.

In your next reply, please post a fresh HijackThis log and the Avenger log.


----------



## PurePwnage (Aug 6, 2008)

*AVENGER*



> Logfile of The Avenger Version 2.0, (c) by Swandog46
> http://swandog46.geekstogo.com
> 
> Platform:  Windows XP
> ...



*FRESH HIJACK THIS LOG*



> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 11:36:50 AM, on 8/6/2008
> Platform: Windows XP SP3 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.6000.16674)
> ...



I appreciate these helpful instructions.  Thanks!


----------



## PurePwnage (Aug 6, 2008)

Does anybody have the next step?  This is somewhat urgent.


----------



## cohen (Aug 6, 2008)

Wait for ceewi1 or Punk or Gamemaster to come back because they will fix the problem as they have higher training than some of us, so just pls be patient.


----------



## PurePwnage (Aug 6, 2008)

cohen said:


> Wait for ceewi1 or Punk or Gamemaster to come back because they will fix the problem as they have higher training than some of us, so just pls be patient.



Oh, OK.  Thanks.  Hopefully we can get this sorted out as soon as possible.


----------



## Punk (Aug 7, 2008)

PurePwnage said:


> Oh, OK.  Thanks.  Hopefully we can get this sorted out as soon as possible.



I got a full-time job so I can't take care of you right now, but I'll see what I can do over the weekend if it's not sorted.


----------



## GameMaster (Aug 7, 2008)

Still have pop ups with...porn images and warnings?
That's somehow unbelievable, lol.


Open HijackThis.
Click on *Open the Misc Tools section*.
Look under *System tools*.
Click on the *Open Uninstall Manager*... button.
Click on the *Save list*... button.
It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
Notepad will open. Please copy and paste the contents of this log in your next reply.
See in this link details.
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg


----------



## PurePwnage (Aug 7, 2008)

GameMaster said:


> Still have pop ups with...porn images and warnings?
> That's somehow unbelievable, lol.
> 
> 
> ...



No, I don't still have it.  I've been on safe mode since I tried it and got BSOD during startup a couple days ago.  I don't know if it's working yet, I guess it's worth a shot if you say it's good to go?



> Adobe Anchor Service CS3
> Adobe Asset Services CS3
> Adobe Bridge 1.0
> Adobe Bridge CS3
> ...



Do you think I'm good to go?

*EDIT: I just booted into normal mode.  No strange icons, slow downs, anything yet.  Is it safe to delete any of the programs you sent me?*


----------



## GameMaster (Aug 7, 2008)

Yes, it is. Also, the log is clean and your computer appears to be clean.
Please get back here if your computer starts lagging again.


----------



## PurePwnage (Aug 7, 2008)

GameMaster said:


> Yes, it is. Also, the log is clean and your computer appears to be clean.
> Please get back here if your computer starts lagging again



Yeah, buddy, problem.

I was on for 20 minutes today, normal mode.  Web pages were often freezing up, not responding.  I got rid of McAfee because it was ceasing to work and put on Kaspersky.  It came up with a trojan warning and started deleting it.  Then it did a couple restarts and wouldn't log on the first time.... and now when I try to log on, whether it is safe mode or normal mode, it logs on for a tenth of a second, then starts logging off again.

Please, what do I do???  Should I just reformat?


----------



## ceewi1 (Aug 9, 2008)

With backdoor trojans such as this, many experts believe that the system can never be completely trusted and that a reformat and reinstall of the OS is the best course of action.  

We should be able to get your system working again, at least.  It is likely that userinit.exe has been deleted.  Do you have your Windows CD?  If so, please do the following:

Boot from your Windows CD and press *R* to "repair the Windows XP installation using Recovery Console" when prompted.
Select your Windows installation from the list and type your Administrator password if asked.
Type the following commands, pressing Enter after each:
*D:
cd I386
expand userinit.ex_ c:\Windows\System32*

_Note: If your CD-ROM drive has a letter other than D:, please substitute D for the letter of your CD-ROM in the first command._
You should now see "1 file(s) copied".  Please remove your Windows CD and reboot.  Please tell me if you can log in normally.
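Two posts in this thread turn on the Winlogon values: the Malwarebytes log, which found Winlogon\Userinit altered and Winlogon\System pointing at kduxh.exe, and ceewi1's diagnosis above that a missing userinit.exe produces the logon-then-immediate-logoff loop. The following is an added example, not code from the thread: a Python check that compares the Userinit, Shell and System values with the XP defaults and confirms that every program they name exists on disk, which is the two-part question a helper asks before reaching for the Recovery Console. The registry values and disk contents are constructed stand-ins (a dict and a set of lower-cased paths), the defaults are for XP as stated in the comments, the lookup order for bare names is simplified, and the "appended program" scenario is a generalisation not shown in this thread.

```python
import ntpath

# XP defaults for the three Winlogon values that launch programs at logon
# (my assumption, not taken from the thread). Userinit ends in a comma
# because the value is a comma-separated list.
XP_DEFAULTS = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "Shell": "Explorer.exe",
    "System": "",
}
SYSTEM_ROOT = r"C:\WINDOWS"


def split_list(value):
    """Winlogon values are comma-separated; drop blanks and surrounding quotes."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def resolve(entry, files):
    """Return the path Winlogon would start for one entry, or None if absent.
    Simplification: an absolute path is taken as-is and a bare name is looked
    up in %SystemRoot% and %SystemRoot%\\system32 only; entries are treated
    as plain executables without arguments, which is what the defaults are."""
    if ntpath.isabs(entry):
        candidates = [entry]
    else:
        candidates = [ntpath.join(SYSTEM_ROOT, entry),
                      ntpath.join(SYSTEM_ROOT, "system32", entry)]
    for path in candidates:
        if path.lower() in files:
            return path
    return None


def check_winlogon(values, files):
    """Compare live Winlogon values with the defaults and confirm that every
    program they name exists. `files` is a set of lower-cased paths standing
    in for the disk. Returns (severity, value name, message) tuples."""
    findings = []
    for name, default in XP_DEFAULTS.items():
        actual = split_list(values.get(name, ""))
        expected = {e.lower() for e in split_list(default)}
        for entry in actual:
            if entry.lower() not in expected:
                findings.append(("high", name, f"extra program started at logon: {entry}"))
            if resolve(entry, files) is None:
                msg = f"{entry} is not on disk"
                if name == "Userinit":
                    msg += "; Winlogon cannot set up the session, so logon logs off at once"
                findings.append(("critical", name, msg))
        if name == "Userinit" and not actual:
            findings.append(("critical", name, "Userinit is empty, nothing will start the shell"))
    return findings


# Constructed scenarios. Disk contents are sets of lower-cased paths.
CLEAN_FILES = {r"c:\windows\explorer.exe", r"c:\windows\system32\userinit.exe"}
# 1. The hijack Malwarebytes reported in this thread: Winlogon\System = kduxh.exe.
HIJACKED = {**XP_DEFAULTS, "System": "kduxh.exe"}
HIJACKED_FILES = CLEAN_FILES | {r"c:\windows\system32\kduxh.exe"}
# 2. A second program appended to Userinit (not in this thread; shows the
#    comma-list handling, since a default prefix alone proves nothing).
APPENDED = {**XP_DEFAULTS,
            "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\msauc.exe"}
# 3. The logon/logoff loop ceewi1 describes: value is default, file is gone.
LOOP_FILES = {r"c:\windows\explorer.exe"}

if __name__ == "__main__":
    for label, values, files in [("clean", XP_DEFAULTS, CLEAN_FILES),
                                 ("hijacked", HIJACKED, HIJACKED_FILES),
                                 ("appended", APPENDED, CLEAN_FILES),
                                 ("loop", XP_DEFAULTS, LOOP_FILES)]:
        print(f"{label}: {check_winlogon(values, files) or 'no findings'}")
```

The point of separating the two checks is that they call for different repairs: an extra entry is removed from the registry value, while a default entry whose file is missing is fixed by putting the file back (ceewi1's expand from the I386 folder), and fixing only one of them leaves the machine either still persisting the intruder or still unable to log on.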


----------



## PurePwnage (Aug 9, 2008)

ceewi1 said:


> With backdoor trojans such as this, many experts believe that the system can never be completely trusted and that a reformat and reinstall of the OS is the best course of action.
> 
> We should be able to get your system working again, at least.  It is likely that userinit.exe has been deleted.  Do you have your Windows CD?  If so, please do the following:
> 
> ...


Thanks for the help.  I had already reformatted...let's just hope Windows will find my key genuine.  I always have a problem w/ this part.


----------



## cohen (Aug 9, 2008)

PurePwnage said:


> Thanks for the help.  I had already reformatted...let's just hope Windows will find my key genuine.  I always have a problem w/ this part.



If it doesn't, call Microsoft and say it is a reinstall and they will issue a new key for you.


----------

