restored userinit.exe and now after logging in nothing

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sikhdawg, Jan 25, 2009.

  1. sikhdawg

    sikhdawg Private E-2

    Hi, I have a dual-boot system with XP and Vista. On the XP drive I had a malware problem; it won't even let me run antivirus, so I ran it from the Vista side. It showed me that there were many corrupted files and it deleted them. In the process userinit.exe got deleted too. I restored that file from the XP CD, but now after I log in to XP all I see is the background and nothing else loads, but when I go to Task Manager it shows that all the programs are running. HELP ME
     
  2. sikhdawg

    sikhdawg Private E-2

    Here is the list of files that were deleted during the virus scan:

    1/22/2009 2:22:31 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WT1KIDBQ\per[1]" file.
    1/22/2009 2:23:41 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZJI2518H\per[1]" file.
    1/22/2009 3:30:09 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\sikhRick\Desktop\Trend Micro Internet Security 2009\Keygen\keygen.exe" file.
    1/22/2009 4:55:57 PM sikhDawg 5012 Sign of "Win32:DNSChanger-VJ [Trj]" has been found in "C:\hiberfil.sys" file.
    1/22/2009 5:05:17 PM sikhDawg 5012 Sign of "Win32:DNSChanger-VJ [Trj]" has been found in "C:\pagefile.sys" file.
    1/22/2009 5:45:57 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\RECYCLER\S-1-5-21-436374069-115176313-725345543-1003\Dc1350.tmp" file.
    1/22/2009 6:43:45 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\aqphhs.dll" file.
    1/22/2009 6:43:51 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\byXOiFWP.dll" file.
    1/22/2009 6:43:57 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\cfagej.dll" file.
    1/22/2009 6:44:16 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\dkuxpz.dll" file.
    1/22/2009 6:45:11 PM sikhDawg 5012 Sign of "Win32:Seneka [Rtk]" has been found in "C:\WINDOWS\system32\drivers\seneka.sys" file.
    1/22/2009 6:45:11 PM sikhDawg 5012 Sign of "Win32:Seneka [Rtk]" has been found in "C:\WINDOWS\system32\drivers\senekaamioemvu.sys" file.
    1/22/2009 6:45:16 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\drvxef.dll" file.
    1/22/2009 6:45:19 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\fhsapo.dll" file.
    1/22/2009 6:45:22 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\frmwrk32.exe" file.
    1/22/2009 6:45:23 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\hpisie.dll" file.
    1/22/2009 6:45:26 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\iifgExYO.dll" file.
    1/22/2009 6:45:30 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\jkkICuVp.dll" file.
    1/22/2009 6:45:30 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\jongsa.dll" file.
    1/22/2009 6:45:32 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\ljJCuRlm.dll" file.
    1/22/2009 6:45:33 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\log.exe" file.
    1/22/2009 6:45:40 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\mlJCVlIa.dll" file.
    1/22/2009 6:45:58 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\opnlMcyY.dll" file.
    1/22/2009 6:46:01 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\pcload.exe" file.
    1/22/2009 6:46:12 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\senekadelbkohs.dll" file.
    1/22/2009 6:46:12 PM sikhDawg 5012 Sign of "Win32:Seneka [Rtk]" has been found in "C:\WINDOWS\system32\senekaooqemolw.dat" file.
    1/22/2009 6:46:12 PM sikhDawg 5012 Sign of "Win32:Seneka [Rtk]" has been found in "C:\WINDOWS\system32\senekasakxnpan.dll" file.
    1/22/2009 6:46:12 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\senekashqnvbro.dll" file.
    1/22/2009 6:46:42 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\urqQggDU.dll" file.
    1/22/2009 6:46:42 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\userinit.exe" file.
    1/22/2009 6:46:56 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\wvUNdaab.dll" file.
    1/22/2009 6:46:56 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\wvUoLcaX.dll" file.
    1/22/2009 6:46:57 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\xbojls.dll" file.
    1/22/2009 6:46:57 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\xxyvuUmm.dll" file.
    1/22/2009 6:46:57 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\yjosxa.dll" file.
    1/22/2009 6:47:06 PM sikhDawg 5012 Sign of "Win32:Seneka [Rtk]" has been found in "C:\WINDOWS\Temp\seneka237d.tmp" file.
    1/22/2009 9:35:24 PM sikhDawg 5012 Sign of "VBS:psyme-AB [Trj]" has been found in "F:\Program Files\Windows Sidebar\Gadgets\GoldandSilver.gadget\vbs\VBScript.vbs" file.
    1/22/2009 9:51:48 PM sikhDawg 5012 Sign of "HTML:Iframe-inf" has been found in "F:\Users\sikhDawg\AppData\Roaming\#ISW.FS#\Normal\fffffffffffffd08.isw" file.
    1/22/2009 11:07:13 PM sikhDawg 5012 Sign of "Win32:VB-KBS [Trj]" has been found in "F:\Vista\UPGRADE\PACKS\SP1\Docs\2.EXE" file.
    1/23/2009 11:53:08 AM SYSTEM 1916 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
    1/23/2009 11:53:33 AM sikhDawg 5012 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
    1/23/2009 12:45:04 PM SYSTEM 1924 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
    1/23/2009 10:45:41 PM SYSTEM 1632 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: F:\Users\sikhDawg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat (F:\Users\sikhDawg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat) returning error, 00000005.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    What scanner did you run that deleted everything? Perhaps your first step should be to undo (i.e., restore) whatever that scanner did. And then perform our normal cleaning procedures below.


    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain (if any still do)!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot (links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  4. sikhdawg

    sikhdawg Private E-2

    Hi, I have fixed the problem, it was really stupid... By the way, I ran Alwil avast. When I logged in it would show nothing, but I could run Task Manager... so from there I ran C:/. I realized that would open a window, and from there I could run a program, but that was it; once I ran C:/ it loaded everything right after that.

    Thanks for the help anyhow.
    ricky
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
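
An added example, not part of the original thread or any poster's code: a Python triage of the scan log format shown in post 2, separating detections in files that need a clean replacement before removal (as with userinit.exe here) from those that can simply be quarantined. The bucket names and the `LOGON_CRITICAL` and `MEMORY_BACKED` sets are assumptions for illustration.

```python
import re

# Line shape used by the log in post 2:
# <date> <time> <user> <id> Sign of "<detection>" has been found in "<path>" file.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<id>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Assumption for this example: XP files whose loss stops logon or the desktop.
LOGON_CRITICAL = {"userinit.exe", "winlogon.exe", "explorer.exe"}
# Paging and hibernation files hold copies of RAM, not standalone programs.
MEMORY_BACKED = {"pagefile.sys", "hiberfil.sys"}

def parse(lines):
    """Return one dict per detection line; any other line is skipped."""
    matches = (LINE_RE.match(line.strip()) for line in lines)
    return [m.groupdict() for m in matches if m]

def triage(hits):
    """Bucket detections by the handling each file needs before removal."""
    buckets = {"replace_with_clean_copy": [], "memory_residue": [], "quarantine": []}
    for hit in hits:
        name = hit["path"].rsplit("\\", 1)[-1].lower()
        if name in LOGON_CRITICAL:
            buckets["replace_with_clean_copy"].append(hit)
        elif name in MEMORY_BACKED:
            buckets["memory_residue"].append(hit)
        else:
            buckets["quarantine"].append(hit)
    return buckets

# Four detection lines and one updater error, copied from the log in post 2.
SAMPLE = [
    r'1/22/2009 4:55:57 PM sikhDawg 5012 Sign of "Win32:DNSChanger-VJ [Trj]" has been found in "C:\hiberfil.sys" file.',
    r'1/22/2009 6:45:11 PM sikhDawg 5012 Sign of "Win32:Seneka [Rtk]" has been found in "C:\WINDOWS\system32\drivers\seneka.sys" file.',
    r'1/22/2009 6:46:42 PM sikhDawg 5012 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\userinit.exe" file.',
    r'1/22/2009 6:46:57 PM sikhDawg 5012 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\xbojls.dll" file.',
    r'1/23/2009 11:53:08 AM SYSTEM 1916 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.',
]

if __name__ == "__main__":
    for bucket, hits in triage(parse(SAMPLE)).items():
        for hit in hits:
            print(f'{bucket:24} {hit["sig"]:26} {hit["path"]}')
```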
     
