userinit.exe infection? desktop background blocked... possible downloader virus installed.. =(

Q: userinit.exe infection? desktop background blocked... possible downloader virus installed.. =(

hello I'm new to this website, I've been on here numerous times fixing my computer off other people's requests and today I can't seem to fix the problem on my computer... I'm running windows xp professional .. the problem occurred after re-enabling my startup menu in msconfig to run commands after I had disabled them in the past. I fixed it to the best of my ability but there is one problem that I can't seem to pinpoint... the userinit.exe file does not shut down after startup and when I terminate this process my system seems to run back to normal but I have this desktop background that I can't change... it has locked itself and when I open up my display settings the desktop portion is in faded colors... I can't scroll up the menu or down .. also when I change the screen saver to none.. it reinstalls itself after I apply to a windows screen. please help, I am running a business off this computer and need it on a regular basis .. I have already backed up my information in case god forbid something would happen to it... please help with steps, thank you!

A: userinit.exe infection? desktop background blocked... possible downloader virus installed.. =(

Hello c12i513 and welcome to BC

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

PLEASE DO NOT NOW POST LOGS unless a log is specifically requested.

In order to assist you we need additional information.

What is your operating system: Windows XP, Vista, etc.?

What security programs do you have installed?

Orange Blossom

Read other 3 answers
RELEVANCY SCORE 77.2

i think i may have accidentally clicked on something and installed the SurfSidekick virus.
very first thing that happened right after install is my Microsoft AntiSpyware kicked in and started trying to clean everything. and my desktop background is blocked and hiding my desktop calendar. and, of course, computer is running slow and getting lots of popups.
very first thing i did was did a search on google for "Surf Sidekick" and found out that this is a virus (searched for this cause MS AntiSpyware kept trying to clean it and it kept popping back up). i found another forum and followed the removal instructions off of there, using HijackThis and deleting the specified directories.
still having a problem in that my desktop background is still blocked (when i try to go change it, the selections box is grayed out and there is an IE "desktop" selection added in there, but it doesn't let me even scroll through them). next is that i'm getting lots of popups. and last thing i've noticed since, thus far at least, is that my yahoo messenger does not want to turn on.
can someone help??? hopefully this is a good description. and here is my HijackThis log, unfortunately i stumbled upon this site too late and already went through the removal process, so the log is pretty clean.

Logfile of HijackThis v1.99.1
Scan saved at 3:03:13 PM, on 12/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:... Read more

A:SurfSideKick virus - desktop background blocked, yahoo IM not working, popups, slow

http://www.techsupportforum.com//sec...ijackthis.html

4. Please do NOT reply to another user's thread. Only trained Analysts are permitted to reply or craft a fix for the users in this forum. This is to avoid unsound advice being posted that may result in an unrecoverable crash of the infected victim's PC.

Read other 4 answers
RELEVANCY SCORE 71.2

My computer just changed to a blue background and has a pop-up window stating that I have a virus/spyware infection and I need to download a virus or spyware program.

I also tried to access the "Add or Remove Programs" from Control Panel but it will not display any of the installed programs.

Here is a HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:37 PM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\... Read more

Read other answers
RELEVANCY SCORE 69.6

hi there, first off, i'd like to say thank you to all of the technicians that contribute to this webspace, what you do here is very noble and honorable and from the post counts it looks like you've saved many computers from malware infections

right, now the bad news, i seem to be infected with malware on my computer, i first got the popups and IE popups and then AVG and Malwarebytes started telling me that system32/Userinit.exe was to blame, however the antivirus/malware program cannot remove them properly (probably because they are windows system files). so every time i reboot or leave the computer a while my desktop gets fake system errors and IE popups offering anti virus downloads regularly

this is from a malwarebytes log

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

it says that it has deleted it, but it keeps coming back

fortunately (shared machine) no one has fallen for the fake install offer and has used the task manager to end the popups, but they keep coming back so it must be infected with something

i also tried a rescue.bat method from another site that has t... Read more

A:malware infection - desktop popups - userinit

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. Please download Trend Micro - HijackThis. Do a new scan with Trend Micro - HijackThis and post it in your next reply. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
- Reply to this thread; do not start another!
- Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
- Do not run any other tool until instructed to do so!
- Let me know if any of the links do not work or if any of the tools do not work.
- Tell me about problems or symptoms that occur during the fix.
- Do not run any other programs or open any other windows while doing a fix.
- Ask any questions that yo... Read more

Read other 2 answers
RELEVANCY SCORE 63.2

Hi, any help will be appreciated..
When I open my C:\WINDOWS window on My Computer, I get this weird picture of a manga-ish samurai (which I'm positive I've never intentionally downloaded) as the window background. Other folders window background are unaffected. I've tried changing Window schemes, etc but no change. My PC still works fine, everything functions (except for iTunes & quicktime, but I think its unrelated) so it's merely annoyance really, but I'm worried if it is a virus, it might spread. I've tried scanning with Ad-Aware and Avast but no virus were found. Wanted to try the online Panda scanner but took too long (I'm connecting from Indonesia)
Here's my DSS main.txt:
Deckard's System Scanner v20070807.62
Run by Admin on 2007-08-09 at 10:54:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
27: 2007-08-09 03:54:35 UTC - RP28 - Deckard's System Scanner Restore Point
26: 2007-08-09 02:58:43 UTC - RP27 - Installed Nokia Multimedia Factory
25: 2007-08-09 02:54:41 UTC - RP26 - Installed Nokia PC Suite
24: 2007-08-09 02:43:19 UTC - RP25 - Installed iTunes
23: 2007-08-09 02:42:05 UTC - RP24 - Removed Apple Mobile Device Support


-- First Restore Point --
1: 2007-07-23 06:05:47 UTC - RP2 - System Checkpoint

... Read more

A:Possible virus -- changed windows background (not desktop background)

Hello

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix)

--------------------------------------------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.
I'll need the C:\ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, ... Read more

Read other 15 answers
RELEVANCY SCORE 60

I believe my computer is infected with either a virus or a very well-designed piece of spyware. I am unable to change my desktop background. Currently, it is a blue background with a black box in the center. The black box has text that reads, "Spyware Infection" in large red letters. Underneath the large red text, there is additional text that reads, "Your system is infected with spyware. Windows recommends you to...". I would really appreciate it if you could recommend a fix. My Hijackthis log is below.

Logfile of HijackThis v1.99.1
Scan saved at 2:12:18 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32&#... Read more

A:Desktop Background Will Not Change - Reads "spyware Infection"

Hello and sorry for the wait,

If you still require help (and I suspect you might) please post a new HijackThis log in this thread and I will aid you in proper removal.

Skate_Punk_21

Read other 1 answers
RELEVANCY SCORE 59.6

Can some kind person please help a newbee girl in distress?

Whilst online today, my Desktop background suddenly started displaying a "WARNING! YOUR COMPUTER IS IN DANGER! ...etc. etc." message (black background with red letters - scary). Managed to get rid of this via Windows Display Properties... however...

NOW Internet Explorer is acting up, sending/diverting me to unrequested pages, occasionally refusing to start up at all. And now Windows has begun displaying error messages when I try to start other programs... HELP!

As a complete newbee, I've tried to be as detailed as possible about this problem. I've created DDS.txt and Attach.txt, as instructed, and will of course give any info needed to anyone who can assist me... many thanx in advance, kali. x

DDS.txt follows (Attach.txt attached):
DDS (Ver_09-06-26.01) - NTFSx86
Run by jamie at 14:12:41.40 on 29/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.329 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
svc... Read more

A:Infection displaying "WARNING! YOUR COMPUTER IS IN DANGER!" Desktop background...

Further to my post (above)... more info: whatever has infected my laptop seems to have taken over my IE Google search bar, sending me to completely irrelevant webpages to those that I clicked on. HOWEVER, the AVG Anti-virus search bar (installed today, as part of an attempt to cure my problem) works fine... hope this helps... thanx 4 your patience, kali. x

Read other 20 answers
RELEVANCY SCORE 59.2

Sorry I'm new to this and I've never really had to post on forums for pc help but this one is driving me nuts. Recently I managed to acquire a trojan downloader that has been installing rootkits and other trojans onto my pc. I did a scan in safemode with both Superantispyware and Malwarebytes' Anti-Malware. I managed to get rid of most of them, but I noticed on every reboot two Trojan.Downloaders keep reappearing.

Here is the registry key data for both of them (detected by Malwarebyte):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit (Located in: c:\windows\system32\userinit.exe)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit (Located in: system32\userinit.exe)

Some of the symptoms that result from the trojans and rootkits downloaded are:

- Desktop doesn't load after user login (no icons or taskbars, can only access task manager): when this occurs, I have to run SuperAntispyware through the task manager to delete the trojan in order to get my desktop to load
- Fake spyware alerts popping up on my bottom task bar telling me to "Download the latest antispyware"
- Slower internet browsing & downloading speeds

Please help me out here, I have a lot of really important documents and programs on my desktop and I don't want to reformat the computer...yet.

Cheers.

Hanzz

A:Trojan Downloader. Userinit.exe

Hello,

Please post the last SUPERAntispyware and MalwareBytes (MBAM) scan log or run another like this.

Try this on the desktop:
Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button. Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page"). Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done, click the Scanner tab, select Quick scan and scan. After the scan click Remove Selected, post the new scan log and reboot.

Please run SDFix:
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with "Administrative rights".

Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but ... Read more

Read other 1 answers
RELEVANCY SCORE 59.2

Oh boy, how embarrassing... I was following the Startup Guide to removing non-essential startup items and looking for malware. One of the items listed was userinit.exe and when I referenced it in the database, I saw a whole slew of "X"s indicating malware. Well I quickly unchecked it and rebooted (later, I saw one entry that said don't confuse with the needed windows app in sys32 folder). Well now I can only get to the log in screen and when I select a user, I get a flash of the desktop wallpaper then it logs me off and saves settings. I have tried this under Administrator in Safe Mode as well and no luck. I can't ctrl-alt-delete or c-a-e to get to task manager or anything.

I've searched and come across many posts of people losing, or having a corrupt userinit.exe, but this is different in that I (oh, how that hurts) told Autoruns to block it from start up.

HELP!

A:Userinit.exe blocked by Autoruns - Self Inflicted

Can you boot into safe mode?

Can you access System Restore?

Louis

Read other 39 answers
RELEVANCY SCORE 58.4

Hi
I have Norton internet security 2011. A week ago I got 2 intrusion attempt blocked alerts, one was a fake AV webpage request, the other was a malicious toolkit variant activity. I thought, Great! It's been blocked.

The next day my pc downloaded and installed something called googleToolbarInstaller_updater_signed.exe from origin cache.pack.google.com/edgedl/toolbar/t6/data/6.6.1409.1944/GoogleToolbarInstaller_updater_signed.exe. Norton advises it's a trustworthy file.

I found this slightly suspicious so googled it and it led me to something similar mentioned on geekstogo.com. I ran my full system scan nothing else appeared.

The next day I ran another full system scan and NIS found a downloader which had infected a temporary Internet file \content.ie5\1spchnaz\cd[1].htm.

Now highly suspicious that NIS has not picked up the root of the problem so I downloaded and ran Malwarebytes anti-malware. It found 3 registry data items infected and removed them.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNo... Read more

A:infection with downloader and hijack (?) virus

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\C... Read more

Read other 30 answers
RELEVANCY SCORE 58.4

I have been logged out of WinXP. Each time I try to log back in, after entering my password, it begins a "logging off" and reverts back to the user selection screen of XP. None of the accounts (including Guest) work.

Before I was logged out this was the initial problem.
1. blocked task manager;
2. false security and virus warning;
3. unknown processes (when viewed through HJT or Killbox's process tree) like CommandServices.exe;
4. very slow performance (I realize that could be attributed to other things, but thought I'd put that in here);
5. inability to run Malwarebyte's anti-malware app; and
6. misc security ad pop-ups

That's about as specific as I can get at the moment. Here are the logs and attachments.

Thanks in advance, and be gentle!

J

DDS (Ver_09-12-01.01) - NTFSx86
Run by JIM at 9:56:21.95 on Fri 01/08/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1140 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe... Read more

A:Malware/Virus infection: TASKMANAGER blocked, et al.

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Read other 2 answers
RELEVANCY SCORE 57.6

Ok, Pc was running to slow, decided to do some investigating, and ran avg, ca antivirus, and nothing showed up. I got malwarebytes and a ton of things showed up. got rid of them, thought everything was good until I booted up my pc today. it loads, then goes directly to a black screen with my documents folder opened. nothing else, no desktop, no nothing. I can navigate easily through anything with this folder. but it will not run any programs. I ran task manager, and noticed these things running

Desot.exe
B.exe
C.exe

so I found out Desot.exe would start everytime I tried to run ca antivirus, or firefox, basically any program. looked it up and it's part of a windows antivirus rogue program. I followed some stuff I found to get rid of it. by deleting these files

Desot.exe
dddesot.dll
svchast.exe

svchast.exe was tough to find. but got it.

so now I'm having same problem, except when I try to run a program, it opens a folder asking me to choose a program to run it. I can't run regedit off a new task in taskmanger, it says it can't find it. this thing is a real mess, I have years of stuff on here I don't want to lose. but I can't burn anything or save anything if i'm not able to get on desktop, and use some programs.

b.exe and c.exe is still running, not sure what to do with those. I've had ca antivirus on my pc for years, always updated definitions, and had avg for about 3 months. can't understand why neither of them didn't fi... Read more

Read other answers
RELEVANCY SCORE 57.2

First, thank you in advance for your help.

The following problems occurred:
(1) Updated to Firefox 3
(2) During google search, clicked on link that appeared to open Acrobat, then changed desktop background and installed BSOD-type screen saver.
(3) Access to many virus scan websites is blocked, unable to update Mcafee virus protection software.
(3) Google is modified, resulting links do not lead to the correct websites.

The following steps have been taken:
(1) Mcafee scan detected and cleaned the following:
C:\Documents and Settings\Paul Samuel\Local Settings\Temp\.tt22.tmp.vbs VBS/FakeAlert-AB
C:\WINDOWS\SYSTEM32\blphc70aj0eg47.scr FakeAlert-AG
C:\WINDOWS\SYSTEM32\lphc70aj0eg47.scr Downloader-ASH.gen.b
(2) Ad-Aware Installed, no detections.
(3) Spybot S&D installed, manually updated (separate computer used to download current definitions file), and detected and attempted to clean the following:
Smitfraud-C.gp
WildTangent

***(4) Attempted to follow 5 steps listed on your web site, completed Steps 1, 3 and 5 using separate computer to download. Steps 2 and 4 hindered by blocked access to Panda ActiveScan and Windows Update.

Notes:
(1) Current Version of Mcafee: VirusScan Enterprise 7.0.0 with definition file 5370, created on Aug 26 2008, the day before the infection.
(2) Windows XP SP3
(3) Computer/Internet runs very slowly
(3) Separate computer used for this communication.

I hope this is sufficient detail. HijackThis log follows.

Logfi... Read more

A:Infection lead to: Access to Anti Virus Sites Blocked

BUMP, please

Read other 1 answers
RELEVANCY SCORE 57.2

I have a computer with Vista Home Basic where a virus (xp2008) removed the desktop and placed its warning as the desktop. The virus also disabled changing the desktop except by an administrator. I cannot seem to find a way to restore the ability to change the desktop.
thanks,

riggs167

A:desktop blocked by virus, need to restore

Hello riggs167, welcome to Vista forums!

Let this run a scan and see what it comes up with.

Free ESET Online Antivirus Scanner

Keep us informed!

Later Ted

Read other 2 answers
RELEVANCY SCORE 56.8

Hi, since yesterday I haven't been able to boot my computer normally. What happened was that my mom accidentally clicked some malware popups (she's not really sure what she did), so when I awoke the computer from standby, there was a malware popup with a download prompt (ErrorSafe was the malware, I believe). I canceled the download prompt, then my Norton Antivirus detects something, then freezing up my computer. So I pulled power from the computer, shutting it down. After I tried starting it up again, I've gotten errors at the "Welcome" windows xp screen, not allowing me to do anything. The errors were for userinit.exe among other a few other apps;

The application failed to initialize properly (Oxc0000005). Click on OK to terminate the application.

After this series of error popups, the desktop background loads and that's it, no icons no taskbar or anything. When I press ctrl+alt+delete, the above error message comes up for the application taskmgr.exe.

I'm currently on the same computer in safe mode. Did a couple virus scans but same thing occurred. I'm not sure what to do. Would a repair install of windows xp do the trick? because it appears my floppy drive is broken, i can't do this because in the windows xp boot cd setup, i need to install my hard drive driver with a floppy because xp boot cd setup can't detect it, as it is a SATA hard drive. If this would fix the problem I'd have no problem getting another floppy drive. In any case, any advice would be... Read more

A:userinit.exe failed to initialize upon boot, then background appears w/ nothing else

I believe ErrorSafe is a known malware and you are still infected since it still shows in some parts of your HJT log.

You should have posted this in the HijackThis section but don't create a new post, we'll move you there where security techs will examine your log. It can take some time before they come to your thread but don't bump your post since they start with the oldest.

RELEVANCY SCORE 56.4

Hi.
I think I got a virus trojan some days ago. What happens in my computer is that I can't move the icons of my desktop. In Task Manager, I don't see the usernames of processes that are active. I cannot do a search in my computer for files. My Internet Explorer doesn't open; it tries to, but it closes promptly. In network connections I cannot see any connection. If I try to copy paste a file it doesn't work.
I have done the steps proposed. No antivirus or trojan remover has found an infection.
I have downloaded Deckard's System Scanner DSS. I attached the extra.txt
here is the main.txt:

Deckard's System Scanner v20071014.68
Run by Joao Pinto Coelho on 2008-05-14 03:08:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The parameter is incorrect.


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 79% (more than 75%).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-14 04:47:56
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOW... Read more

RELEVANCY SCORE 56

Hi, I'm very sure that I have a malware infection of some sort. I was browsing online and playing world of warcraft last night when I got a flurry of spybot warning messages about attempted changes to my registry (which I denied) before my browser (firefox) and World of Warcraft were suddenly shut down and my computer restarted. There was an active spybot warning open when my computer shutdown. My pc is running Windows XP professional edition and I think that it is on service pack 2.

When my computer restarted, I was unable to run firefox or IE. I could start them up, they would begin loading and then stopped before any program screen popped up. At some point after my computer initially restarted windows media player popped up, but I'm not sure if that was me launching it by accident (I was trying to find my anti-virus program in the start menu at the time) or if it was something else that caused it to launch. I received several messages from spybot search and destroy saying that realteks was trying to change the registry and I'm reasonably sure that I denied all of those requests. I also received a message from the windows firewall program that I had a worm called win32.brontok which was causing problems and needed to be blocked. The block and unblock options were grayed out, but the enable option was lit so I clicked on that. A program started installing at that point, but I canceled the installation. There is a possibility that this was a program that always ... Read more

A:Malware/Virus infection. win32ircbot.kow? win32.brontok? realteks; Downloader r-BPX?

If you have access to a non-infected computer, you can burn these tools to a CD or download to a flash drive

First try mbam

Be sure to disable Spybot's Teatimer function

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to... Read more

RELEVANCY SCORE 56

Hi,

Our second computer, a Toshiba laptop, seems to have been infected by something bad. When I log into Windows XP, the desktop background is replaced with a blue background and a box that says, "YOUR SYSTEM IS INFECTED! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not run any application before all spyware removed." I tried running MBAM, but it would not let me. I can't get into my browser to download any tools. I have turned off the wireless adapter now because I read this could be a security threat. Any help would be greatly appreciated. I'm using another computer, so perhaps I can burn any tools that I will need to a cd to use on the laptop.

Thank you so much.

John

A:Virus/Malware INfection. Fake background saying, "YOUR SYSTEM IS INFECTED"

Do you have Malwarebytes?

RELEVANCY SCORE 55.6

I cannot change my desktop background. It is blue, icons are ok, and it covers up my chosen background after the welcome screen is finished. I have a HijackThis log, attached, and have no idea what may be causing my problem...help? Thank YOU!!

Logfile of HijackThis v1.99.1
Scan saved at 2:37:53 PM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\kernels88.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\HUGHES~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Error Safe\start... Read more

A:blue desktop background virus

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 

RELEVANCY SCORE 55.6

Hi,

I seem to have gotten that same virus that changed my desktop background and disabled some of the tabs when I right click the desktop and click properties. Here is a HJT log I ran:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:27 PM, on 26/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\s... Read more

A:Virus Hijacked Desktop Background

RELEVANCY SCORE 55.2

......as the topic indicates, these are a few of the issues, along with pop-ups for various virus killers and what-not. Please review and advise. Thanks all!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:01 AM, on 2/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1 ... Read more

A:Disable Task Manager, Altered Background, Virus Infection Notice

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Extra note: The ComboFix tutorial recommends disabling your Antivirus, in your case McAfee. For McAfee, I rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot, since McAfee enables itself again after reboot. So please temporarily uninstall McAfee first, then reboot and then scan with ComboFix.

RELEVANCY SCORE 55.2

Hi, I have a red biohazard desktop, VirusAlert! in the Toolbar, non stop pop ups and an assigned password for Content Advisor in IE. I erased the password through regedit in the policy section. I've used adaware, spybot and windows defender. Nothing works. Here are my ComboFix and HiJackthis Logs after running full scans.

Combo This
ComboFix 08-08-10.02 - Administrator 2008-08-13 16:40:19.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Desktop\Privacy Protector.url
C:\Documents and Settings\Administrator\My Documents\My Documents.url
C:\Documents and Settings\Administrator\My Documents\My Music\My Music.url
C:\Documents and Settings\Administrator\My Documents\My Pictures\My Pictures.url
C:\Documents and Settings\Administrator\My Documents\My Videos\My Video.url
C:\Program Files\SpyGuarder
C:\Program Files\SpyGuarder\Buy.url
C:\Program Files\SpyGuarder\Help.url
C:\Program Files\SpyGuarder\HowToBuy.txt
C:\Program Files\SpyGuarder\License.txt
C:\Program Files\SpyGuarder\redir.dll
C:\Program Files\SpyGuarder\Restart.exe
C:\Program Files\SpyGuarder\Uninstall.exe
C:\Program Files\Web Technologies
C:\Program Files\Web Technologies\myd.ico
C:\Program Files\Web Technologies\mym.ico
C:\Program Fi... Read more

RELEVANCY SCORE 55.2

My computer got spyware from some website that my cousin visited. After nod32 detected the spyware, nod32 removed it. But the spyware changed my desktop background to a html page I think, and disabled background changing.

Here's what my desktop looks like:



I checked the policies and set it to allow background changing, but it's still disabled. In safe mode, the background is normal, but the background properties window still won't let me select a background.

How can I fix this?

A:Virus disabled changing desktop background

G'Day OuTLawz, Welcome to TSF!


I recommend that you read this article… "Having problems with spyware and pop-ups? - First Steps"; follow the instructions very carefully; then, post all the requested logs and information; as instructed, in the HiJackThis Log Help Forum.
(Simply, click on the coloured links to be re-directed.)

Please ensure that you create a new thread in the HiJackThis Log Help Forum; not back here in this one.

When carrying out The 5 Steps, if you cannot complete any of them for whatever reason, just continue on with the next one until they are all completed.
However, it is extremely important to make mention of the fact that you could not complete any of the steps in your post to The HJT Help Forum; where an Analyst will assist you with other workarounds.

Once done, please be patient, as the Security Team Analysts are usually very busy; one of them will answer your request as soon as they can.

Good Luck with it.

Kind Regards,

RELEVANCY SCORE 54.8

I am constantly getting these pop up messages from Norton:

High,An intrusion attempt by 34jh7alm94.asia was blocked.,Blocked,No Action Required,HTTPS Tidserv Request
High,An intrusion attempt by zI09lkhale44.com was blocked.,Blocked,No Action Required,HTTPS Tidserv Request

I guess Norton is able to block them but not remove the virus.
I've done all the prep required but now I cannot open the notebook file for the dds text doc, so I attached it.
Any help is appreciated!
thanks in advance,
paula

A:Continuos Infection Message High 34jh7alm94.asia was blocked.,Blocked,No Action Required,HTTPS Tidserv Request

Good evening.

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop. You will then need to extract the file(s) from the zipped folder.

To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish.

Double click TDSSKiller.exe to begin.
Click Start scan and allow the tool to do just that.
Once the scan has completed, if the tool detects anything the default action is Cure - please click on that and change it to Skip.
Finally, click on Report and let me have the contents of the text file that will open.

RELEVANCY SCORE 54.4

Hi,
I share a computer with my mom, and a couple of days ago she got a couple of trojans. It was no problem, I got rid of them with Malwarebytes Anti-Malware. Everything was fine...then today I turned the computer on and the desktop background was changed.

It's a big black box and says:

Quote:




YOUR SYSTEM IS INFECTED!

System has been stopped due to a serious malfunction.
Spyware activity has been detected.

It is recommended to use spyware removal tool to prevent loss.
Do not run any application before all spyware removed.




Something pops up and automatically starts scanning, I'm able to stop it. Every time I restart, it happens again though.

Problem is I can't open Malwarebytes Anti-Malware. When I try, it says:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
I tried in safe mode...says the same thing.


Please help.

A:Virus changed desktop background, Can't open Malwarebytes

Forgot to add something, the virus that pops up and starts scanning is Internet Security 2010.

RELEVANCY SCORE 54.4

Hi, I have a customer's computer running XP Pro Sp3. Looks like they use Firefox 3.5.9. [Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9]

I am using IE8 to post this (from the PC itself). Edit: I tried to use IE, when clicking "Post new topic" it went to "IE cannot display the webpage". Trying from Firefox now.

Apologies if I have broken any rules etc. Did read the stickies before posting.

Upon arriving at this website I had this popup in a separate tab, don't know if that's relevant:
hxxp://www.directrdr.com/v3.php?pid=245&cid=46533&crid=44627&t=0(0)&cc=36&said=0&params=2419a5d000600550d59241b7314fbcae35fdd9d2-sfF.S3.3U.wf3%09f.ffkfff%097cKqLvIaL%09ws4kuk44wk%09pTc&pc=0-46533&vurl=http%3A%2F%2Fwww.bleepingcomputer.com%2Fforums%2Fforum22.html&mm=23

Customer brought it in saying there was a virus. They said they'd already run Malwarebytes.

I checked:
MBAM was the latest version but not the latest definitions.
AVG was installed and up to date.
All programs mentioned are the latest from the vendor site as of 2 days ago.

1) Restarted into Safe Mode, updated MBAM
2) Ran MBAM quick scan, fair amount found (about 25 if I recall correctly)
3) rebooted as required, back int

Deactivate link. ~ OB

A:Multiple virus infection, DHCP & Themes services not starting automatically, Windows update site blocked.

I am also having this exact same issue (DHCP, themes, pop-ups, etc), I have placed a batch file in the startup with "net start DHCP" which seems to reinitialise the DHCP client *most* of the time, however it is very very slow starting the service.

So far I have tried combofix, superantispyware, MBAM, microsoft security essentials, regrun reanimator but with no luck.

I'm going to try a repair install later on tonight, in the meantime did anyone find a solution?

RELEVANCY SCORE 54.4

Hi, my computer has been running slow, making weird clicking noises, over heating and frequently freezing. I also had a hard time uninstalling and installing programs and occasionally emptying the recycle bin. After Norton360, malwarebytes, superantispyware, TDSSkiller, Dr. Web CureIt, ESET, AdwCleaner and Roguekiller didn't show anything, I tried combofix. (I know I shouldn't have). Combofix found and disinfected C:\windows\syswow64\userinit.exe. After rebooting the computer wasn't working. When I tried to open firefox, IE, Word a box would pop up saying that the registry key isn't working. I was able to do a system restore to before combofix changed things and I can access programs again. Thank you for your help. I have since uninstalled ADwCleaner and combofix (but saved the log) so that a newer version could be used. Thank you for your help.
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457
Run by Protege at 10:48:28 on 2013-01-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3999.2545 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\... Read more

A:userinit.exe infection

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/480645 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

RELEVANCY SCORE 54.4

Hello, and thank you for taking time to fix my problem. I've recently come across a virus which seems to stick hard onto my userinit.exe registry keys, and which keeps giving me both fake pop-ups and a little red warning box that says...

-----------
Alert!
You have a security problem! Do you want to scan your computer for viruses?
-----------

This is a very troubling problem, since I've run AVG, Stopzilla 5.0, Spybot - Search and Destroy, and Malwarebytes' Anti-Malware to try and clean it up. As it stands right now, AVG and Stopzilla see nothing wrong, Spybot continues to pick up one or two cookie trackers, and Malwarebytes' continues to receive the following registry key errors...

-----------
Malwarebytes' Anti-Malware 1.34
Database version: 1828
Windows 5.1.2600 Service Pack 3

3/8/2009 11:13:54 PM
mbam-log-2009-03-08 (23-13-54).txt

Scan type: Quick Scan
Objects scanned: 51129
Time elapsed: 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\... Read more

A:Userinit.exe infection?

Sorry for posting again, but situation has changed. After an update for Malwarebytes', it found a "Fake Driver". Deleting it resulted in some computer problems, quickly followed by the need to shut it off.

Two restarts and a little messing around later, I've found that it's now disconnected from the internet. The network is detected, but there's no internet capability. Here's a message it displayed when I tried disabling and re-enabling the internet...

---------
The instruction at "0x7c9105447" referenced memory at "0x71aa0000". The memory could not be "written".
Click on OK to terminate the program
Click on CANCEL to debug the program
---------

Also, whenever I shutdown the computer, I get this message...

--------
The instruction at "0x19191919" referenced memory at "0x19191919". The memory could not be "written".
Click on OK to terminate the program
Click on CANCEL to debug the program
--------

I use a linksys router system. The computer I'm posting this from is the network base which all the other computers connect to from. The internet clearly works, but not on my troubled computer. Furthermore, I received a "Terminating windows in :60 seconds" message after trying the disabling/re-enabling thing AND when shutting down... That computer is currently off until further notice.

Here's a new DDS and Attach.txt file, which I saved to my flash drive from the trouble computer. PLEASE respond....

---------
DDS (Ver_09... Read more

RELEVANCY SCORE 54

Hi, I've tried everything to get rid of this stupid infection! I've tried things from Avast, to Spybot Search and Destroy, to Ewido, to removal tools...It would remove it, but it would always come back. The computer was also infected with this thing called Bestselling Antivirus virus, where I had popups coming up advertising virus protection. It installed some kind of security tool bar. It also put some kind of thing in the tool bar that would blink and say that the computer was infected with a trojan/worm and would popup over and over again, till I finally some how removed both of those infections. Well, at least I think it is removed... The computer though is still infected with this trojan.vundo, Downloader, and Downloader.MisleadApp well, that's what her Symantec antivirus autoprotect says, and it won't go away, no matter what I use. Also, the random popups that keep popping up are annoying (like before, but not as bad)..

Any help would be appreciated on here, my sister needs her laptop for school work, but she can't use it because it's all messed up.

-------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:27 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\... Read more

A:Trojan.vundo, Downloader, Downloader.misleadapp Infection

Sorry for a repost, please don't delete my thread. I really need help getting rid of this infection!!

I see that people are looking at my post, but no replies

It's really annoying and it won't go away, and my sister really needs her laptop for her school work, but can't use it because it keeps acting up.

RELEVANCY SCORE 54

Think I cleaned it up...how can I verify? Below is HJT log

Logfile of HijackThis v1.98.2
Scan saved at 7:51:45 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\nHancer 32bit\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\... Read more

A:Computer went to blue desktop background with fake virus message...help!

anyone?
 

RELEVANCY SCORE 54

I think I am infected with Malware, Spyware, or some type of virus. My desktop background has become a bright red screen with a toxic symbol on it and underneath it, it says "Your Privacy Is In Danger!" On the bottom right, in the taskbar, right next to the time and date, it says "Virus Alert!" My computer is also attempting to run anti-Spyware programs all by itself, opening browsers with websites to Spy programs and pop-ups warning me of possible hackers. Below is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:36: VIRUS ALERT!, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common... Read more

A:Red Desktop Background! "your Privacy Is In Danger!" Says "virus Alert!" On Bottom.

Hello ridofmalware,

I will be assisting you with your malware issues.
Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
Please bookmark or favourite this page. In case you need it as reference or etc.

----------------------------------------------

Please download SmitfraudFix (by S!Ri)
Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

RELEVANCY SCORE 54

I downloaded what I thought was a Java update on a site for a new online security camera service and soon after I started getting pop ups to sites which are associated with the Vundo virus. (The same day I was also downloading some Adobe brushes and freebies which may have also been the cause.) My desktop background also turned blue. I also got this using Firefox.

I have already backed up all my documents and deleted them off this laptop, and I changed all my passwords and removed them from my browser history. I have tried many different free removal programs, mbam, Malwarebytes, McAfee Virtual Technician, fixVundo, vundofix, and some of them will find the infected files when they scan, and they will quarantine and remove the files but they always come back when I start up (the last reappearing two are HT registry keys). I am reluctant to do a full reformat because I have so many programs like Adobe and Macromedia and it seems like a hassle.

I have read that once this Trojan infects your computer there will always be a backdoor to your system making it insecure? Also I am on a wireless network, can the Trojan infect other computers on the network through the internet connection? Any help would be really appreciated. Thank you!

DDS (Ver_09-01-07.01) - NTFSx86
Run by melkorka-newprofile at 12:48:22.45 on Sat 01/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1335 [GMT -5:00]
AV: McAfee Virus... Read more

A:Vundo Trojan Virus/ popups, blue desktop background

I actually got help on another forum for this issue. I couldn't find out how to delete the post so I am just going to leave it up, thank you -mk1224

RELEVANCY SCORE 54

Hi All,

My system was infected and I had the following issues:
1. Flashing screen on my desktop about my machine being infected
2. ALERT VIRUS near the clock on the taskbar
3. Regedit and Taskbar disabled
4. pop-ups redirected to purchasing anti-virus programs
5. IE urls/keys changed, etc

After a combination of using:
1. Malwarebyte's Anti-Malware
2. SUPERAntiSpyware
3. Registry editing
4. Deleting files
5. using Gpedit.msc
....now I've managed to fix almost everything except one:

==> My desktop background still has like a 'blank' screen. I'm able to go to Display property and see that my background/wallpaper is still set properly. Moreover, when the system boots up or logs in, for a brief period I can still see the background. After that, it's like a white screen on the wallpaper.

Some things I haven't tried yet:
1. ComboFix
2. SmitFraudFix.exe

I'm sorry, I'm not able to give the specifics since I didn't note/log the details of the files infected/cleaned or the virus messages.

Appreciate your help.

Thanks in advance

Warm Regards
Narendra

A:Unable To View Desktop Background Even After (?) Cleaning Virus/malware

Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button. Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").

These are some common malware related entries you may see:
Security Info
Warning Message
Security Desktop
Warning Homepage
Privacy Protection
Desktop Uninstall

If present, select each entry and click the Delete button. Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

When done, go back into your Desktop Settings and you should be able to change the color/theme to whatever you want.

RELEVANCY SCORE 53.6

Hey there, first post so please go easy on me if I don't get this quite right. Following a couple of infections on my machine at work I have had to ask for some help as the tech support will just flush my machine and I'd like to avoid that if possible. I thought I had successfully removed the virus Alureon H which Sophos discovered - was causing browser re-directs and other trouble. I used housecall to check and it also found problems - as did the Malicious Removal Tool from Microsoft - I know I've been stupid, being on the network here for some reason my firewall is disabled and I cannot change its status.

So after I cleaned up the recently discovered infections using the tools just mentioned I figured I was ok - everything seemed to be running fine, I even ran a scan using Sophos's SAV32CLI tool in safe mode, it didn't turn up any viruses:

Sophos Anti-Virus
Version 1.01.1 [Win32/Intel]
Virus data version 4.57E, September 2010
Includes detection for 1949992 viruses, trojans and worms
Copyright © 1989-2010 Sophos Plc. All rights reserved.
System time 13:52:23, System date 08 September 2010
Command line qualifiers are: -remove -p=c:logfile2.txt
IDE directory is: C:\Program Files\Sophos\Sophos Anti-Virus
Using IDE file dloa-dck.ide
Using IDE file agen-oez.ide
Using IDE file bredo-ea.ide
Using IDE file dwnl-ijz.ide
Using IDE file agen-oaf.ide
Using IDE file zbot-ux.ide
Using IDE file dwnl-ikb.ide
Using IDE file zbot-vz.ide
Using IDE file wapomi-a.ide
Using IDE file bank-fal....

A:Userinit.exe infection by Dloadr-DCX??

Hello and welcome to BleepingComputer.

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.
Link 1
Link 2
Link 3
Link 4

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running. This is because some anti-malware software mistakenly detects RKill as malicious. Please refer to this page if you are not sure how to disable your security software.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
If nothing happens or if the tool does not run, please let me know in your next reply

***************************************************

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe. This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to insta...

RELEVANCY SCORE 53.6

I got hit with Trojan vundo and through a combination of MWB, spybot and mcafee got it down to 2 infected userinit files which mwb says it clears but doesn't. I've done safe mode and non safe mode and nothing seems to clear them. It keeps popping up again, every few days, and has done changes to my computer (brought back welcome screen, removed connectivity icon as examples). mcafee says I'm clean; mwb has the same 2. Yesterday I had 27 _void files which I deleted and ave.exe in my task manager which I removed. Please help clearing the last 2 problems.

Malwarebytes' Anti-Malware 1.44
Database version: 3816
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/26/2010 5:05:19 PM
mbam-log-2010-03-26 (17-05-19).txt

Scan type: Quick Scan
Objects scanned: 254064
Time elapsed: 57 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\...

A:userinit infection will not clear

Hello suetx01

Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

In order to better assist you I will need the following:

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs: DDS.txt Attach.txt
Save both reports to your d...

RELEVANCY SCORE 53.6

I'm working on a laptop that isn't working right. The owner told me that it wouldn't open Google Chrome, Safari, Adobe Reader XI and iTunes. I didn't open every program on the computer, but when I opened a few others, they opened just fine.
 
When I open Safari, it crashes and pops up the following message: "Safari has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."
 
When I open Google Chrome, the following message pops up "The item referred to by this shortcut cannot be accessed. You may not have the appropriate permissions."
 
When I open Adobe Reader XI, the following message pops up: "An internal error occurred." When I click on OK, I go back to the desktop and the program never runs.
 
When I open iTunes, the EULA pops up, I click on OK, and the following message comes up: "The iTunes Library Extras.itdb file is locked, on a locked disk, or you do no have write permission for the file." Click on OK, goes back to the desktop, and the program never runs.
 
If I put an Internet Explorer shortcut on the desktop, it gets deleted on reboot and the program doesn't show up in the Start Menu anywhere. I have to create an IE shortcut on the desktop to get online. The shortcut stays there until the computer gets rebooted.
 
I've run MalwareBytes, MalwareBytes Anti-Rootkit, Avast boottime scan, CCleaner, Auslogics Registry Cleaner, Rkill, T...

A:Possible svchost.exe or userinit.exe infection

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/520471 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t...

RELEVANCY SCORE 53.6

My desktop background has the words "Spyware Infection" in a black box over blue. Periodically, I am kicked off the website I am viewing. Sometimes the spyware gets so bad that the computer locks up. I have reinstalled Windows, but the problem returns. My log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:59 PM, on 12/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msqf32.exe
C:\WINDOWS\sdkyz32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\MELANI~1\LOCALS~1\Temp\Rar$EX00.437\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lutgi.dll/sp.html#88449
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lutgi.dll/sp.html#88449
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\W...

A:"Spyware Infection" as desktop background

Oh, and random porn sites appear in my Favorites folders.

RELEVANCY SCORE 53.2

Referred here from: http://www.bleepingcomputer.com/forums/t/227491/userinitexe-and-registry-malware-spyware-reopened/ ~ OB

I used to have a userinit.exe infection and that was it. I got rid of that (I think) and now mass storage devices don't work, google searches are redirected, and I have some virus downloader on my computer that downloads random fake malware removers when I am connected to the internet. Here is my dds

DDS (Ver_09-05-14.01) - NTFSx86
Run by Matt at 17:02:03.64 on Wed 05/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.515 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\HPZip...

A:userinit.exe infection turned into mess

Hello and welcome to Bleeping Computer. Sorry for the delay; the forums here at BC are always very busy and we do our best to keep up. If you no longer require any help could you let me know please, so this topic can be closed.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:

Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
If I do not hear back from you within 5 days of my last post, then this topic will be closed.

First I would like to see a new log since a lot could have changed since your original post.

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Thanks

RELEVANCY SCORE 53.2

I'm working on my father in law's PC which was massively infected with SpywareGuard, Vundo, etc. All were successfully cleaned, and Malwarebytes ran clean for about 4 days. Now when I scan with MWB I see (as shown below in log) infected registry data items, specifically userinit.exe Other tools (superantispyware, etc. scan clean).

FWIW the userinit.exe's in system32 and the dllcache are 109K with a modified date of 12/26 on an XP Pro SP3 machine (I'm thinking this should be closer to 30K).

Any help appreciated!

-stevemc


Malwarebytes' Anti-Malware 1.32
Database version: 1633
Windows 5.1.2600 Service Pack 3

1/9/2009 2:26:26 AM
mbam-log-2009-01-09 (02-26-26).txt

Scan type: Quick Scan
Objects scanned: 65860
Time elapsed: 1 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted s...

A:Trojan.Agent userinit.exe infection

As this is a MalwareBytes log, I am shifting this to the Am I Infected forum where you can receive more immediate assistance.

~ OB

RELEVANCY SCORE 53.2

Hi everyone,

Images (on all sites) disappear, re-appear and sometimes fade away slowly. Even the buttons on my toolbar disappear/re-appear and at times fade away when I mouse over. Have a screen shot of a tool bar buttons half faded away. Odd also URL in address box is not complete either (It shows in screenshot). And Firefox constantly crashes. Also Forecast Fox icons in system tray do the same thing as others, fade in fade out disappear re-appear. It is freaky. I'm careful at what I do, but others have used my computer, so who knows what havoc they have caused. I use Firefox's default theme (3.6)

Anti-virus AVG free 8.5
Spyware Guard v2.2
Spybot
Spyware Blaster 4.2
a-Squared free 4.5
Hitman Pro 3.5
Malwarebytes' Anti-Malware
Hijack This 2.0.0
Zone Alarm firewall 8.0
Windows XP
Firefox 3.6

Most recent program installed (other than security programs): Golf Buddy Manager (It is a program that allows golf courses to be uploaded to the Golf Buddy GPS golf accessory)

Nasty things that have been found in security scans:

AVG scan results 2/08/10 (Ran this scan because I was experiencing google re-directs)
Trojan Horse Rootkit-Patkes.U

Hitman Pro 3.5 scan 3/01/10
GBProxyps.dll (Rootkit)- C:\WINDOWS\system32
atapi.sys (Rootkit) - C:\WINDOWS\system32\Drivers

Malwarebytes' Anti-Malware 1.44 mbam-log-2010-03-03 Ran in safe mode (The bad bits)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: c:\windows\system32\userinit.exe -> No...

A:Rootkit infection: Trojan.PWS userinit.exe

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

RELEVANCY SCORE 52.8

Hi,
I have a friend who's been using his Compaq laptop with Win7 (starter) for some while now and somehow he's been running it without any antivirus. So the obvious happened and he's got his laptop infected with a real stubborn thing that won't allow him to do anything.
Anyways, I booted the system with AVG System Rescue LiveCD, ran through and scanned and healed whatever could be done and then scanned again only to see the laptop still infected.
So I moved onto Avira Rescue LiveCD and scanned, healed only to see the machine still infected after doing a scan again.

The worst part is, from Win7, even regedit and task manager "cannot be found".

I tried installing Avira anti virus free edition through Safe Mode, but when I boot the machine in normal mode, Avira anti-virus doesn't load. Even if I manually load Avira, nothing happens.

The worst is yet to come: Even the recovery partition in the hard drive is infected and the guy has no idea if he has any copies on CD/DVD.

I even booted the system with Ubuntu 9 liveCD and tried to install and run Avast, but the update makes Avast engine crash.

So this is the story. Please help.

UPDATE:
Looks like the guy didn't even go through the "Recovery Media Creation" when he bought this laptop - I went through the Recovery Media Creation and while the recovery DVD can be made only once, the option is still available, meaning no recovery DVD has yet been made. My only concern...

RELEVANCY SCORE 52.8

Ok first of all I'm a computer tech at a local shop, I have seen this virus many times. I was wondering how many of you have this problem. This actually happened to me when I downloaded a game patch from rapidshare.com and I forgot to uncheck open up ad in a new window option on the download page. Well the ad popped up and I closed out of it from processes. Next thing I know I got background hijacked and screen saver hijacked and Advanced XP Fixer program downloaded and installed onto my system. I ran anti-virus software and Spybot Search and Destroy and CCleaner on my computer and was able to rid myself of the virus since it only happened within those 5-10 mins so no corruption was on my system.

I was wondering if anybody has experienced this problem as well and what you did to get rid of it without formatting and reloading? I had to format and reload some customers' computers because it kept coming back after the virus/spyware removal.

I tried deleting the infected files, but it axed the "Desktop" and "Screensaver" tabs under display settings. This only fixed it for a short time. Any ideas?

A:Advanced: Blue background with Spyware message and bugs eating desktop VIRUS!

G'Day Link2057, Welcome to TSF!

Please read this article: "Having problems with spyware and pop-ups? - First Steps"; follow the instructions very carefully; then, post all the requested logs and information, as instructed, in the HiJackThis Log Help Forum.
(Simply, click on the coloured links to be re-directed.)

Please ensure that you create a new thread in the HiJackThis Log Help Forum; not back here in this one.

When carrying out The 5 Steps, if you cannot complete any of them for whatever reason, just continue on with the next one until they are all completed.
However, it is extremely important to make mention of the fact that you could not complete any of the steps in your post to The HJT Help Forum, where an Analyst will assist you with other workarounds.

Once done, please be patient, as the Security Team Analysts are usually very busy; one of them will answer your request as soon as they can.

Good Luck with it.

Kind Regards,

RELEVANCY SCORE 52.4

Firstly, when switching user on Windows I have been unable to log onto other user accounts. Instead, after selecting a second user account to log on to, I am shown the desktop background of the first user, then returned to the user selection screen.

The second problem I have been having is that when clicking on Google results, I have been redirected to scareware sites, ad sites and fake antivirus screens.

After Bitdefender repeatedly found no infections I downloaded and ran AVG Free. It successfully removed "Win32.Heur" and "Win32.PolyCrypt", but wouldn't remove "Downloader.Generic8.ABKH", as one of the two files it had infected was whitelisted (userinit.exe). How can I resolve this?

If anyone could give me any help regarding either issue I would be greatly appreciative.

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:54, on 11/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon...

RELEVANCY SCORE 52.4

I'm using a laptop with Windows 8.1 Pro. Recently, I ran Malwarebytes to scan and check my computer for infections and I found this, please find it in attachments.

There's a thing with HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Userinit, C:\Windows\system32\userinit.exe,C:\Windows\taskhost.exe /boot. If I remove it, will it cause damage to my system?
 
Need help.

A:C:\Windows\system32\userinit.exe malware infection

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:
Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
Make sure to read my instructions fully before attempting a step.
If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
Important information in my posts will often be in bold, make sure to take note of these.
I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
Let's get going now
==========================
 
Hi User1412,
 
You should be able to delete it fine, yes.
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 Note: You need to run the version compatible with your system. If you are not sure which version applies ...

RELEVANCY SCORE 52.4

After virus attack my background wallpaper gone, desktop icons disappeared except for Mozilla and recycle bin and start menu nearly empty except for the start search at the bottom. Rogue.Fake HDD and Plum.hyjack.Startmenu attacked and I'd really like to get my computer back to being useful again. I believe my data is all there - I can access Word documents by naming them individually or requesting into the search menu. I access google by searching for google.ca in the start search and I managed to find Windows Mail which seems to be all there - but it's hard to function well without icons and start menu programs etc. I'm afraid I'm a complete tiresome newbie when it comes to this.

I did get rid of the virus(es) (successfully I hope) with a copy of Malwarebytes I had on the computer - it actually stopped working and disappeared from my desktop but I managed to get it back and I disconnected from my router and after a long time did manage to get rid of all the viruses - 7 in all, 4 of them FAKE.HDD and two PLUM.HYJACK.STARTMENU (according to Malwarebytes). Can someone help me? Is there a way I can get my desktop and start menu back to looking normal (or returned to its former condition)?

A:After virus attack my background wallpaper gone, desktop icons disappeared and start menu nearly empty.

Download UNHIDE
Run it.
This should unhide your files
good luck
