userinit error (i think) HELP!

Hi there and welcome, have a look at the below link

Read and Run Me First

 

Try this if you haven't already done so

If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.


TDSSserv Non-Plug & Play Driver Disable

• If something does not run, write down the info to explain to us later but keep on going.
• Do not assume that because one step does not work that they all will not.

 

Have you tried running the steps in safe mode?

Give us the file path of where and what infection avg is finding

Not to worry, you shouldn't need your windows disk unless the virus has done damage that will require you to have a CD handy...

 

<--- your not running both of those together?

 

Hi there ermolnar

Do you also have the log from running combofix and SAS? Let me know and then I can start to review your logs and get back to you with a plan of action as soon as possible, and I appreciate your patience during this time.

Thanks
Kes

 

Hi there, sorry about the slight delay, we have been run off our feet.

1) Did you install WinPcap at some point?

2) Please go to Add or Remove programs and uninstall the following softwares:

• Java(TM) 6 Update 7
• QQ2004II Standard Version

3) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

With regards to AVG giving you grief, you could reinstall it, reboot and then try to uninstall it if your goal is to use something else.

Thanks
Kes

 

1) Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send the Picture by QQ MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE

After clicking Fix exit HJT.


2) Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

Folder::
c:\documents and settings\evan\Application Data\QQUpdate
c:\documents and settings\evan\Application Data\QQ
C:\Program Files\Tencent
C:\WINDOWS\system32\qqedit 

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  
  http://farm4.static.flickr.com/3014/3035535531_512f04c6a2_o.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


3) Now Run Ccleaner!

4) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix

5) Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

• Have you tried using another browser?
• Have you tried running in safe mode and seeing if there's any change?

1) Please navigate to the following bold file:

Right click the spoolsv.exe > choose to copy > and move it back to the following location as indicated below:

2) Now I would like for you to run a rootkit scan:

Go to this link: Alternative Scans

Scroll down until you see: "Check for a possible RootKit Infections"

and choose one of the available tools that are used to locate and remove rootkits. After scanning with it, attach the log it generates.

3) Also: Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

1) I still have not seen an answer about how things run in safe boot mode. Please le me know.

2) Also what happens if the PC is never connected to the internet (like have the cable unplugged)? How do
normal operations seem?

3) Also does another user account behave the same? You will have to create a new one since you only have one user account to use in normal boot mode.

3) When did you install Uniblue RegistryBooster 2009 and what did you do with it?

Please answer all my questions

Thanks
kes

 

Since Kes is not around right now I will give you final instructions; however could you please state what you did to remove your final problems.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\combofix folder from combofix (if it exists)
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Go to add/remove programs and uninstall HijackThis.
7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
8. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!