
infostealer.gamepass - virus can't be killed

Discussion in 'Malware and Virus Removal Archive' started by picaso, 2007/03/28.

  1. 2007/04/03
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Hi,

    Here is the SREng log:

    Code:
    
    2007-04-04,01:17:51
    
    System Repair Engineer 2.4.12.806
    Smallfrogs (http://www.KZTechs.com)
    
    Windows XP Home Edition Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed
    
    The following item(s) have been chosen:
        All Boot Items (Including Registry, Startup Folders, Services and so on)
        Browser Add-ons
        Running Processes (Including process module information)
        File Associations
        Winsock Provider
        Autorun.Inf
    
    
    Boot Items
    Registry
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        <Skype>< "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized>  [(Verified)Skype Technologies SA]
        <H/PC Connection Agent>< "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe ">  [(Verified)Microsoft Corporation]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
        <66><C:\SysDayN6\svchost.exe>  [N/A]
        <4><C:\SysWsj7\svchost.exe>  []
        <50><C:\SysAd5D\svchost.exe>  [N/A]
        <333><C:\Syswm1i\svchost.exe>  [N/A]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <load><>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
        <ccApp>< "C:\Program Files\Common Files\Symantec Shared\ccApp.exe ">  [(Verified)Symantec Corporation]
        <WinPatrol><C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe>  [(Verified)BillP Studios]
        <Flashget>< "C:\Program Files\FlashGet\FlashGet.exe" /min>  [FlashGet.com]
        <msccrt><C:\WINDOWS\msccrt.exe>  []
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
        <Userinit><C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe a,>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <AppInit_DLLs><>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
        <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        <ctfmon.exe><; C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        <msccrt><; C:\WINDOWS\msccrt.exe>  []
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        <msnmsgr><;  "C:\Program Files\MSN Messenger\msnmsgr.exe" /background>  [(Verified)Microsoft Corporation]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        <upxdnd><; C:\DOCUME~1\kenny\LOCALS~1\Temp\upxdnd.exe>  [N/A]
    
    ==================================
    Startup Folders
    N/A
    
    ==================================
    Services
    [Adobe LM Service / Adobe LM Service][Stopped/Manual Start]
      < "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe "><Adobe Systems>
    [Application Management / AppMgmt][Stopped/Manual Start]
      <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
    [Symantec Event Manager / ccEvtMgr][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "><Symantec Corporation>
    [Symantec Settings Manager / ccSetMgr][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe "><Symantec Corporation>
    [D726C020 / D726C020][Stopped/Auto Start]
      <C:\WINDOWS\system32\D726C020.EXE -service><Microsoft Corporation>
    [E5C073A0 / E5C073A0][Stopped/Auto Start]
      <C:\WINDOWS\system32\E5C073A0.EXE -service><N/A>
    [LiveUpdate / LiveUpdate][Stopped/Manual Start]
      < "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE "><Symantec Corporation>
    [Norton AntiVirus Auto-Protect Service / navapsvc][Running/Auto Start]
      < "C:\Program Files\Norton AntiVirus\navapsvc.exe "><Symantec Corporation>
    [Norton AntiVirus Firewall Monitor Service / NPFMntor][Running/Auto Start]
      < "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe "><Symantec Corporation>
    [Norton Protection Center Service / NSCService][Running/Manual Start]
      < "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE "><Symantec Corporation>
    [Cyberlink RichVideo Service(CRVS) / RichVideo][Running/Auto Start]
      < "C:\Program Files\CyberLink\Shared Files\RichVideo.exe "><>
    [Symantec AVScan / SAVScan][Stopped/Manual Start]
      < "C:\Program Files\Norton AntiVirus\SAVScan.exe "><Symantec Corporation>
    [SmartLinkService / SLService][Running/Auto Start]
      <slserv.exe><Smart Link>
    [Symantec Network Drivers Service / SNDSrvc][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe "><Symantec Corporation>
    [SPBBCSvc / SPBBCSvc][Stopped/Manual Start]
      < "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe "><Symantec Corporation>
    [Symantec Core LC / Symantec Core LC][Running/Auto Start]
      < "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe "><Symantec Corporation>
    [Windows Driver Foundation - User-mode Driver Framework / WudfSvc][Stopped/Manual Start]
      <C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup-->%SystemRoot%\System32\WUDFSvc.dll><Microsoft Corporation>
    [自動 LiveUpdate 排程器 (Automatic LiveUpdate Scheduler) / 自動 LiveUpdate 排程器][Running/Auto Start]
      < "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe "><Symantec Corporation>
    
    ==================================
    Drivers
    [Symantec Eraser Control driver / eeCtrl][Running/System Start]
      <\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys><Symantec Corporation>
    [EraserUtilRebootDrv / EraserUtilRebootDrv][Running/Manual Start]
      <\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys><Symantec Corporation>
    [Mtlmnt5 / Mtlmnt5][Running/Manual Start]
      <System32\DRIVERS\Mtlmnt5.sys><Smart Link>
    [Mtlstrm / Mtlstrm][Stopped/Manual Start]
      <System32\DRIVERS\Mtlstrm.sys><Smart Link>
    [NAVENG / NAVENG][Running/Manual Start]
      <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070403.021\NAVENG.Sys><Symantec Corporation>
    [NAVEX15 / NAVEX15][Running/Manual Start]
      <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070403.021\NavEx15.Sys><Symantec Corporation>
    [NtMtlFax / NtMtlFax][Stopped/Manual Start]
      <System32\DRIVERS\NtMtlFax.sys><Smart Link>
    [直接平行連接埠連結驅動程式 (Direct Parallel Link Driver) / Ptilink][Running/Manual Start]
      <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
    [RecAgent / RecAgent][Running/Boot Start]
      <\SystemRoot\System32\DRIVERS\RecAgent.sys><Smart Link>
    [Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
      <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
    [SAVRT / SAVRT][Running/System Start]
      <\??\C:\Program Files\Norton AntiVirus\SAVRT.SYS><Symantec Corporation>
    [SAVRTPEL / SAVRTPEL][Running/System Start]
      <\??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS><Symantec Corporation>
    [Secdrv / Secdrv][Stopped/Manual Start]
      <System32\DRIVERS\secdrv.sys><N/A>
    [StarForce Protection Environment Driver (version 1.x) / sfdrv01][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfdrv01.sys><Protection Technology>
    [StarForce Protection Environment Driver (version 1.x.a) / sfdrv01a][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfdrv01a.sys><Protection Technology (StarForce)>
    [StarForce Protection Helper Driver (version 2.x) / sfhlp02][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfhlp02.sys><Protection Technology (StarForce)>
    [StarForce Protection Synchronization Driver (version 2.x) / sfsync02][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfsync02.sys><Protection Technology>
    [StarForce Protection Synchronization Driver (version 4.x) / sfsync04][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfsync04.sys><Protection Technology (StarForce)>
    [StarForce Protection VFS Driver (version 2.x) / sfvfs02][Running/Boot Start]
      <\SystemRoot\System32\drivers\sfvfs02.sys><Protection Technology (StarForce)>
    [SiS315 / SiS315][Running/Manual Start]
      <System32\DRIVERS\sisgrp.sys><Silicon Integrated Systems Corporation>
    [SIS AGP Bus Filter / sisagp][Running/Boot Start]
      <\SystemRoot\System32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
    [SiSkp / SiSkp][Running/System Start]
      <System32\DRIVERS\srvkp.sys><Silicon Integrated Systems Corporation>
    [Smart Link 56K Modem Driver / Slntamr][Running/Manual Start]
      <System32\DRIVERS\slntamr.sys><Smart Link>
    [SlNtHal / SlNtHal][Stopped/Manual Start]
      <System32\DRIVERS\Slnthal.sys><Smart Link>
    [SlWdmSup / SlWdmSup][Running/Manual Start]
      <System32\DRIVERS\SlWdmSup.sys><Smart Link>
    [SPBBCDrv / SPBBCDrv][Stopped/Manual Start]
      <\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys><Symantec Corporation>
    [sptd / sptd][Running/Boot Start]
      <\SystemRoot\System32\Drivers\sptd.sys><N/A>
    [Audio Driver (WDM) - SigmaTel CODEC / STAC97][Running/Manual Start]
      <system32\drivers\STAC97.sys><SigmaTel, Inc.>
    [SYMDNS / SYMDNS][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMDNS.SYS><Symantec Corporation>
    [SymEvent / SymEvent][Running/Manual Start]
      <\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS><Symantec Corporation>
    [SYMFW / SYMFW][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMFW.SYS><Symantec Corporation>
    [SYMIDS / SYMIDS][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMIDS.SYS><Symantec Corporation>
    [SYMIDSCO / SYMIDSCO][Running/Manual Start]
      <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20070330.003\symidsco.sys><Symantec Corporation>
    [symlcbrd / symlcbrd][Running/Auto Start]
      <\??\C:\WINDOWS\System32\drivers\symlcbrd.sys><Symantec Corporation>
    [SYMNDIS / SYMNDIS][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMNDIS.SYS><Symantec Corporation>
    [SYMREDRV / SYMREDRV][Running/Manual Start]
      <\SystemRoot\System32\Drivers\SYMREDRV.SYS><Symantec Corporation>
    [SYMTDI / SYMTDI][Running/System Start]
      <\SystemRoot\System32\Drivers\SYMTDI.SYS><Symantec Corporation>
    [Windows Driver Foundation - User-mode Driver Framework Platform Driver / WudfPf][Stopped/Manual Start]
      <system32\DRIVERS\WudfPf.sys><Microsoft Corporation>
    [Windows Driver Foundation - User-mode Driver Framework Reflector / WudfRd][Stopped/Manual Start]
      <system32\DRIVERS\wudfrd.sys><Microsoft Corporation>
    [xmasbus / xmasbus][Running/Boot Start]
      <\SystemRoot\system32\DRIVERS\xmasbus.sys><>
    [xmasscsi / xmasscsi][Running/Boot Start]
      <\SystemRoot\System32\Drivers\xmasscsi.sys><>
    
    ==================================
    Browser Add-ons
    [FGCatchUrl]
      {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
    [BitComet Helper]
      {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} <C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll, BitComet>
    []
      {53707962-6F74-2D53-2644-206D7942484F} <C:\Program Files\Spybot - Search & Destroy\SDHelper.dll, Safer Networking Limited>
    [Windows Live Sign-in Helper]
      {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
    [CNavExtBho Class]
      {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [FlashGet GetFlash Class]
      {F156768E-81EF-470C-9057-481BA8380DBA} <C:\Program Files\FlashGet\getflash.dll, www.flashget.com>
    [Create Mobile Favorite]
      {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} <C:\PROGRA~1\MICROS~4\INetRepl.dll, Microsoft Corporation>
    [Create Mobile Favorite]
      {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} <C:\PROGRA~1\MICROS~4\INetRepl.dll, Microsoft Corporation>
    [FlashGet]
      {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} <C:\Program Files\FlashGet\FlashGet.exe, FlashGet.com>
    [Messenger]
      {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
    [Norton AntiVirus]
      {C4069E3A-68F1-403E-B40E-20066696354B} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [PowerList Control]
      {20C2C286-BDE8-441B-B73D-AFA22D914DA5} <C:\WINDOWS\DOWNLO~1\POWERL~1.OCX, PPStream.com>
    [YInstStarter Class]
      {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} <C:\Program Files\Yahoo!\Common\yinsthelper.dll, Yahoo! Inc.>
    [Shockwave Flash Object]
      {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
    [Performance Viewer Activex Control]
      {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} <C:\WINDOWS\Downloaded Program Files\RACtrl.dll, >
    [Windows Media Player]
      {22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
    [HTML Document]
      {25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\System32\mshtml.dll, N/A>
    [FGCatchUrl]
      {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} <C:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
    [HtmlDlgSafeHelper Class]
      {3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\System32\mshtmled.dll, Microsoft Corporation>
    [BitComet Helper]
      {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} <C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll, BitComet>
    []
      {53707962-6F74-2D53-2644-206D7942484F} <C:\Program Files\Spybot - Search & Destroy\SDHelper.dll, Safer Networking Limited>
    [Windows Media Player]
      {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
    [Windows Live Sign-in Helper]
      {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>
    [CNavExtBho Class]
      {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [SearchAssistantOC]
      {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\System32\shdocvw.dll, N/A>
    [Norton AntiVirus]
      {C4069E3A-68F1-403E-B40E-20066696354B} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
    [AUDIO__X_MS_WMA Moniker Class]
      {CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
    [Shockwave Flash Object]
      {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
    [FlashGet GetFlash Class]
      {F156768E-81EF-470C-9057-481BA8380DBA} <C:\Program Files\FlashGet\getflash.dll, www.flashget.com>
    [FGCatchUrl]
      {FB5DA724-162B-11D3-8B9B-AA70B4B0B524} <C:\Program Files\FlashGet\jccatch.dll, www.flashget.com>
    [&使用 FlashGet 下載 (&Download using FlashGet)]
      <C:\Program Files\FlashGet\jc_link.htm, N/A>
    [&使用BitComet下載本頁視頻 (&Download this page's videos using BitComet)]
      <res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm, N/A>
    [&全部使用 FlashGet 下載 (&Download all using FlashGet)]
      <C:\Program Files\FlashGet\jc_all.htm, N/A>
    [NetGet搜索文件 (NetGet search files)]
      <C:\Documents and Settings\kenny\桌面\Download\wmp\netget.html, N/A>
    [使用BitComet下載全部鏈接 (Download all links using BitComet)]
      <res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm, N/A>
    [使用BitComet下載鏈接(&B) (Download link using BitComet(&B))]
      <res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm, N/A>
    [匯出至 Microsoft Excel(&X) (Export to Microsoft Excel(&X))]
      <res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000, N/A>
    
    ==================================
    Running Processes
    [PID: 516][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 564][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1308][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\WINDOWS\system32\D726C020.DLL]  [Microsoft Corporation, ]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCEXT.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
        [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCEXT.LOC]  [Symantec Corporation, 2006.1.8.2]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
        [C:\PROGRA~1\Yahoo!\Common\ymmapi.dll]  [Yahoo! Inc., 2005, 1, 1, 4]
        [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
        [C:\Program Files\Norton AntiVirus\NavShExt.dll]  [Symantec Corporation, 12.6.0.1]
    [PID: 1556][C:\Program Files\Common Files\Symantec Shared\ccApp.exe]  [Symantec Corporation, 104.0.8.3]
        [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
        [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
        [C:\Program Files\Common Files\Symantec Shared\ccL40.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\Program Files\Common Files\Symantec Shared\ccSet.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\CCALERT.DLL]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLPXY.DLL]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCTRAY.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCTRAY.LOC]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\NORTON~1\CCIMSCAN.DLL]  [Symantec Corporation, 104.0.5.3]
        [C:\WINDOWS\system32\ATL71.DLL]  [Microsoft Corporation, 7.10.3077.0]
        [C:\PROGRA~1\NORTON~1\DEFALERT.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\rcEmlPxy.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCUICOR.dll]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCUICOR.LOC]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\NORTON~1\HPP32.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Common Files\Symantec Shared\ccSetEvt.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\Program Files\Common Files\Symantec Shared\ccProSub.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\Program Files\Common Files\Symantec Shared\Security Console\NSC_Hlpr.dll]  [Symantec Corporation, 2006.1.8.2]
        [C:\WINDOWS\system32\SYMREDIR.DLL]  [Symantec Corporation, 6.0.0.99]
        [C:\PROGRA~1\NORTON~1\HPPRES32.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\IWP\IWP.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\NAVAPW32.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\apwutil.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\ccAVMail.dll]  [Symantec Corporation, 104.0.5.3]
        [C:\PROGRA~1\NORTON~1\navapw32.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\HPPEVT32.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\NAVOPTRF.DLL]  [Symantec Corporation, 12.0.0.94]
        [C:\PROGRA~1\NORTON~1\STATUSHP.DLL]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\Navlcom.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\apwutil.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\NAVError.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\naverror.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\apwcmdnt.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\apwcmdNT.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCEvt.dll]  [Symantec Corporation, 2.1.0.4]
        [C:\Program Files\Norton AntiVirus\NAVEvent.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Symantec\LiveUpdate\NetDetectController_3_0.DLL]  [Symantec Corporation, 3.0.0.171]
        [C:\Program Files\Symantec\LiveUpdate\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
        [C:\Program Files\Norton AntiVirus\IWP\SymFWAgt.dll]  [Symantec Corporation, 104.0.1.17]
        [C:\WINDOWS\system32\SymNeti.DLL]  [Symantec Corporation, 6.0.0.99]
        [C:\Program Files\Common Files\Symantec Shared\ccLogin.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\Program Files\Norton AntiVirus\IWP\ccFWSetg.dll]  [Symantec Corporation, 104.0.1.17]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVPS.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\PROGRA~1\NORTON~1\NAVTasks.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\NORTON~1\NAVTasks.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCUIBL.DLL]  [Symantec Corporation, 2006.1.8.2]
        [C:\Program Files\Norton AntiVirus\NAVOpts.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\navopts.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Norton AntiVirus\NAVAPSCR.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\Program Files\Symantec\LiveUpdate\ProductRegCom_3_0.DLL]  [Symantec Corporation, 3.0.0.171]
        [C:\Program Files\Symantec\LiveUpdate\LuComServerPS_3_0.DLL]  [Symantec Corporation, 3.0.0.171]
        [C:\PROGRA~1\NORTON~1\defalert.loc]  [Symantec Corporation, 12.6.0.1]
        [C:\PROGRA~1\COMMON~1\SYMANT~1\rcAlert.dll]  [Symantec Corporation, 104.0.8.3]
        [C:\Program Files\Common Files\Symantec Shared\DefUtDCD.dll]  [Symantec Corporation, 3.1.30.0]
    [PID: 1564][C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe]  [BillP Studios, 11, 1, 2007, 0]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [PID: 1596][C:\SysWsj7\svchost.exe]  [N/A, ]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [PID: 1620][C:\Program Files\Skype\Phone\Skype.exe]  [Skype Technologies S.A., 3.0.0.218]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
        [C:\WINDOWS\system32\msdmo.dll]  [, ]
    [PID: 1640][C:\Program Files\Microsoft ActiveSync\Wcescomm.exe]  [Microsoft Corporation, 4.5.5096.0]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [PID: 1688][C:\PROGRA~1\MICROS~4\rapimgr.exe]  [Microsoft Corporation, 4.5.5096.0]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [PID: 248][C:\Program Files\Skype\Plugin Manager\SkypePM.exe]  [Skype Technologies, 1.0.0.225]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll]  [EasyBits Software Corp., 1.0.0.599]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [PID: 1500][C:\WINDOWS\system32\86B9D630.exe]  [N/A, ]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [PID: 3496][C:\WINDOWS\system32\wuauclt.exe]  [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [PID: 2836][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\Program Files\FlashGet\jccatch.dll]  [www.flashget.com, 1, 8, 1, 1006]
        [C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll]  [BitComet, 20070207]
        [C:\Program Files\Spybot - Search & Destroy\SDHelper.dll]  [Safer Networking Limited, 1, 4, 0, 0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
        [C:\Program Files\Norton AntiVirus\NavShExt.dll]  [Symantec Corporation, 12.6.0.1]
        [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
        [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
        [C:\Program Files\FlashGet\getflash.dll]  [www.flashget.com, 1, 8, 1, 1002]
        [C:\WINDOWS\system32\msacm32.drv]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [PID: 3040][C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe]  [Microsoft Corporation, 4.100.313.1]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
    [PID: 980][C:\Documents and Settings\kenny\桌面\Download\sreng\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
        [C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL]  [BillP Studios, 1.3.0.0]
        [C:\SysWsj7\Ghook.dll]  [N/A, ]
    
    ==================================
    File Associations
    .TXT  Error. [C:\WINDOWS\notepad.exe %1]
    .EXE  OK. [ "%1" %*]
    .COM  OK. [ "%1" %*]
    .PIF  OK. [ "%1" %*]
    .REG  OK. [regedit.exe  "%1"]
    .BAT  OK. [ "%1" %*]
    .SCR  OK. [ "%1" /S]
    .CHM  OK. [ "C:\WINDOWS\hh.exe" %1]
    .HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
    .INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .VBS  OK. [%SystemRoot%\System32\WScript.exe  "%1" %*]
    .JS   OK. [%SystemRoot%\System32\WScript.exe  "%1" %*]
    .LNK  OK. [{00021401-0000-0000-C000-000000000046}]
    
    ==================================
    Winsock Provider
    N/A
    
    ==================================
    Autorun.Inf
    N/A
    
    ==================================
    HOSTS File
    N/A
    
    ==================================
    API HOOK
    N/A
    
    ==================================
    Hidden Process
    N/A
    
    ==================================
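A mechanical first pass over a log like the one above, added here as an example (it is not SREng's code and not part of any post in this thread): parse the Registry and Services sections and flag entries that are unsigned, live in a folder off the drive root or under Temp, carry a Windows system file name outside C:\WINDOWS, chain a second program onto Winlogon\Userinit, sit under Policies\Explorer\Run, or have an 8-hex-digit file name. SAMPLE_LOG is constructed from a subset of the posted lines, and the reason labels are this example's own. One caveat the code comments repeat: the Services column carries only a publisher string that the file reports about itself (assumed here to come from its version resource), so D726C020.EXE claiming Microsoft Corporation proves nothing; only the (Verified) marker in the Registry section reflects a signature SREng could check.

```python
"""Triage the Registry and Services sections of an SREng log (added example, not SREng's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Skype>< "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized>  [(Verified)Skype Technologies SA]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <66><C:\SysDayN6\svchost.exe>  [N/A]
    <4><C:\SysWsj7\svchost.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <WinPatrol><C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe>  [(Verified)BillP Studios]
    <msccrt><C:\WINDOWS\msccrt.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\kenny\桌面\Download\wmp\NetGet.exe a,>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <upxdnd><; C:\DOCUME~1\kenny\LOCALS~1\Temp\upxdnd.exe>  [N/A]
==================================
Services
[Symantec Event Manager / ccEvtMgr][Running/Auto Start]
  < "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "><Symantec Corporation>
[D726C020 / D726C020][Stopped/Auto Start]
  <C:\WINDOWS\system32\D726C020.EXE -service><Microsoft Corporation>
[E5C073A0 / E5C073A0][Stopped/Auto Start]
  <C:\WINDOWS\system32\E5C073A0.EXE -service><N/A>
"""

KEY_RE = re.compile(r"^\s*\[(HKEY_[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*<(?P<name>[^<>]*)><(?P<cmd>.*)>\s+\[(?P<sig>[^\]]*)\]\s*$")
SVC_RE = re.compile(r"^\s*\[(?P<display>[^\]]*?) / (?P<svc>[^\]]+)\]\[(?P<state>[^/\]]+)/(?P<start>[^\]]+)\]\s*$")
SVC_CMD_RE = re.compile(r"^\s*<(?P<cmd>.*)><(?P<company>[^<>]*)>\s*$")
EXE_RE = re.compile(r'[A-Za-z]:\\[^",<>]*?\.(?:exe|dll)', re.IGNORECASE)  # absolute paths only
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}\.(?:exe|dll)$")  # 8 hex digits, like D726C020.EXE
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    where: str            # registry key, or "service:<name>"
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def _location_reasons(path: str) -> list[str]:
    """Heuristics that depend only on where the binary lives and what it is called."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if ":\\" in low:  # bare names (Explorer.exe, slserv.exe) resolve from the system dirs; skip them
        if not low.startswith(TRUSTED_PREFIXES):
            reasons.append("outside-program-dirs")
        if "\\temp\\" in low:
            reasons.append("temp-dir")
        if base in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
            reasons.append("system-name-outside-windows")
    if HEXNAME_RE.match(base):
        reasons.append("random-hex-name")
    return reasons


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""
    pending = None  # service name whose <ImagePath><Company> line comes next
    for line in log_text.splitlines():
        if pending is not None:
            svc, pending = pending, None
            if m := SVC_CMD_RE.match(line):
                cmd, company = m.group("cmd").strip(), m.group("company").strip()
                path = (EXE_RE.findall(cmd) or [cmd.split(" ", 1)[0]])[0]
                # The company column is whatever the file says about itself, not a signature check.
                reasons = ["no-publisher"] if company in ("", "N/A") else []
                reasons += _location_reasons(path)
                if reasons:
                    findings.append(Finding("service:" + svc, svc, path, reasons))
                continue
        if m := SVC_RE.match(line):
            pending = m.group("svc")
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif m := ENTRY_RE.match(line):
            name, cmd, sig = m.group("name"), m.group("cmd").lstrip("; "), m.group("sig")
            paths = EXE_RE.findall(cmd) or [cmd.strip()]  # Userinit may chain several programs
            for idx, path in enumerate(paths):
                reasons = []
                if len(paths) == 1 and not sig.startswith("(Verified)"):
                    reasons.append("unsigned")  # "(Verified)" is SREng's signature check
                if key.lower().endswith("policies\\explorer\\run"):
                    reasons.append("policies-run")  # rarely used by legitimate software
                if name.lower() == "userinit" and idx > 0:
                    reasons.append("userinit-chain")  # anything after userinit.exe runs at every logon
                reasons += _location_reasons(path)
                if reasons:
                    findings.append(Finding(key, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.where}\n    {f.name}: {f.path}  -> {', '.join(f.reasons)}")
```

Run against the constructed sample it reports the two drive-root svchost.exe copies under Policies\Explorer\Run, msccrt.exe, the NetGet.exe chained onto Userinit, upxdnd.exe in Temp, and both hex-named services, and stays quiet about Skype, WinPatrol, Explorer.exe and ccEvtMgr. The heuristics are deliberately loose (any unsigned Run entry is reported), so the output is a worklist for the Jotti/Norman step that follows, not a verdict.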
    
    
    
     
  2. 2007/04/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    I'm looking into a couple of entries as they appear in this last SREng log. I don't use it too often and want to clarify things before making any other moves.
     


  4. 2007/04/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, it looks as though something is protecting those services, as they're still there. We need to get the files checked via an online scan.

    C:\WINDOWS\system32\D726C020.EXE<<<--this file
    C:\WINDOWS\system32\E5C073A0.EXE<<<--this file

    Please go to Jotti Online File Scanner
    At the top of the Jotti page, there is a blank box, with a 'browse' button next to it.
    • You need to click the browse button and then a 'Choose File' box will pop up.
    • Now depending on where you have last used this box, it may be at some different section on the drive, so let's select the 'My Computer' icon on the left side of that 'Choose File' box.
    • Then double-click the 'C' drive, and new files and folders will appear
    • Then go to the windows folder and double-click that folder, you will then be presented with all the files and folders contained within the Windows folder.
    • Then look for the system32 folder in the Windows folder, and double-click it.
    • Look for those files listed above
    This should shut down the 'Choose File' box and you should see the file path to that file, though some of it will be obscured due to the limitations of the box. You then wait until the 'submit' button is bolded or the 'Status:' is 'Ready for scan', and hit the submit button. It will tell you the file is uploading and then spit out the results.

    Post the scan results back here for me, thanks.

    Also please submit the file to Norman Sandbox File Submission. A valid email is required, but there is no need to worry as the site is fully trustworthy. They will send you back a detailed analysis of the file; please post the contents of the analysis back here.
     
  5. 2007/04/06
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Hi,

    Here are the Jotti results:

    Service
    Service load: 0% 100%

    File: D726C020.EXE
    Status: INFECTED/MALWARE
    MD5 2af880020b11e04176067aa85e76ed81
    Packers detected: Analyzing...

    Scanner results
    Scan taken on 06 Apr 2007 17:56:13 (GMT)
    AntiVir Found BDS/Agent.ahj.232
    ArcaVir Found Trojan.Agent.Ahj
    Avast Found Win32:Small-ERH
    AVG Antivirus Found nothing
    BitDefender Found GenPack:Backdoor.Agent.AGR
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found W32/Agent.NEO!tr
    Kaspersky Anti-Virus Found nothing
    NOD32 Found probably a variant of Win32/Agent.NEO (probable variant)
    Norman Virus Control Found nothing
    Panda Antivirus Found Bck/Agent.ETE
    Rising Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     
  6. 2007/04/06
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Jotti results for the second file:

    Service
    Service load: 0% 100%

    File: E5C073A0.EXE
    Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definitely accurate. Also, because of this, results of this scan will not be recorded in the database.)
    MD5 4b42c9accb4a1c5e3b912779d877cd0f
    Packers detected: -

    Scanner results
    Scan taken on 06 Apr 2007 18:14:45 (GMT)
    AntiVir Found HEUR/Crypted
    ArcaVir Found nothing
    Avast Found Win32:Small-ERH
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     
  7. 2007/04/06
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Here are the Norman results:

    D726C020.EXE : Not detected by Sandbox (Signature: NO_VIRUS)


    [ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS

    [ General information ]
    * Creating several executable files on hard-drive.
    * File length: 43762 bytes.
    * MD5 hash: 2af880020b11e04176067aa85e76ed81.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\F3ED76F4.EXE.
    * Creates file C:\WINDOWS\SYSTEM32\F3ED76F4T.EXE.
    * Creates file C:\WINDOWS\SYSTEM32\delme.bat.
    * Creates file C:\WINDOWS\SYSTEM32\F3ED76F4.DLL.

    [ Changes to registry ]
    * Creates key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "ImagePath "= "C:\WINDOWS\SYSTEM32\F3ED76F4.EXE -service" in key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "DisplayName "= "F3ED76F4" in key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "Description "= "F3ED76F4" in key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".
    * Creates key "HKCU\Software\SYSTEM\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "Description "= "F3ED76F4" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "DisplayName "= "F3ED76F4" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "ErrorControl "= "" in key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "ImagePath "= "C:\WINDOWS\SYSTEM32\F3ED76F4.EXE -service" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "ObjectName "= "LocalSystem" in key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "ObjectName "= "LocalSystem" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "Start "= "" in key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".
    * Sets value "Type "= "" in key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".

    [ Process/window information ]
    * Enumerates running processes.
    * Attempts to access service "F3ED76F4 ".
    * Creates service "F3ED76F4 (F3ED76F4)" as "C:\WINDOWS\SYSTEM32\F3ED76F4.EXE -service ".
    * Enumerates running processes several parses....

    [ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\F3ED76F4.EXE (43762 bytes) : no signature detection.
    * C:\WINDOWS\SYSTEM32\F3ED76F4T.EXE (43762 bytes) : no signature detection.
    * C:\WINDOWS\SYSTEM32\delme.bat (95 bytes) : no signature detection.
    * C:\WINDOWS\SYSTEM32\F3ED76F4.DLL (37190 bytes) : no signature detection.



    (C) 2004-2006 Norman ASA. All Rights Reserved.

    The material presented is distributed by Norman ASA as an information source only.

    This file is not flagged as malicious by the Norman Sandbox Information Center. However, we can not guarantee that the file is harmless. If you still suspect the file to be malicious and if you urgently need to know for sure, please submit it to your local Norman support department for manual analysis.
     
  8. 2007/04/06
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Norman results for the second file:

    E5C073A0.EXE : Not detected by Sandbox (Signature: NO_VIRUS)


    [ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS

    [ General information ]
    * Creating several executable files on hard-drive.
    * File length: 43767 bytes.
    * MD5 hash: 4b42c9accb4a1c5e3b912779d877cd0f.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\3F9E37A4.EXE.
    * Creates file C:\WINDOWS\SYSTEM32\3F9E37A4T.EXE.
    * Creates file C:\WINDOWS\SYSTEM32\delme.bat.
    * Creates file C:\WINDOWS\SYSTEM32\3F9E37A4.DLL.

    [ Changes to registry ]
    * Creates key "HKLM\System\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "ImagePath "= "C:\WINDOWS\SYSTEM32\3F9E37A4.EXE -service" in key "HKLM\System\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "DisplayName "= "3F9E37A4" in key "HKLM\System\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "Description "= "3F9E37A4" in key "HKLM\System\CurrentControlSet\Services\3F9E37A4 ".
    * Creates key "HKCU\Software\SYSTEM\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "Description "= "3F9E37A4" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "DisplayName "= "3F9E37A4" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "ErrorControl "= "" in key "HKLM\System\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "ImagePath "= "C:\WINDOWS\SYSTEM32\3F9E37A4.EXE -service" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "ObjectName "= "LocalSystem" in key "HKLM\System\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "ObjectName "= "LocalSystem" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "Start "= "" in key "HKLM\System\CurrentControlSet\Services\3F9E37A4 ".
    * Sets value "Type "= "" in key "HKLM\System\CurrentControlSet\Services\3F9E37A4 ".

    [ Process/window information ]
    * Enumerates running processes.
    * Attempts to access service "3F9E37A4 ".
    * Creates service "3F9E37A4 (3F9E37A4)" as "C:\WINDOWS\SYSTEM32\3F9E37A4.EXE -service ".
    * Enumerates running processes several parses....

    [ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\3F9E37A4.EXE (43767 bytes) : no signature detection.
    * C:\WINDOWS\SYSTEM32\3F9E37A4T.EXE (43767 bytes) : no signature detection.
    * C:\WINDOWS\SYSTEM32\delme.bat (95 bytes) : no signature detection.
    * C:\WINDOWS\SYSTEM32\3F9E37A4.DLL (37172 bytes) : no signature detection.



    (C) 2004-2006 Norman ASA. All Rights Reserved.

    The material presented is distributed by Norman ASA as an information source only.

    This file is not flagged as malicious by the Norman Sandbox Information Center. However, we can not guarantee that the file is harmless. If you still suspect the file to be malicious and if you urgently need to know for sure, please submit it to your local Norman support department for manual analysis.
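The two Norman SandBox reports above are more useful than their "NO_VIRUS" verdict suggests: each shows the sample dropping a same-size twin executable, a DLL and a delme.bat into system32, then registering itself as a LocalSystem service, with a second copy of the service key written under HKCU\Software\SYSTEM, which the Service Control Manager never reads. As an added example (not part of the thread, and not Norman's tooling), the Python script below parses that report layout, pulls out the hash, the dropped files and the service definition, and turns them into the cleanup commands a responder would run from a Safe Mode prompt. The excerpt it parses is a constructed abbreviation of the first report; the `reg delete` step for the leftover HKCU copy is an addition of mine, not something the thread prescribes.

```python
"""Pull the IOCs out of a Norman SandBox text report and derive the cleanup
steps (which service to unregister, which dropped files to remove)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the layout of the Norman SandBox reports quoted in
# the thread (abbreviated, not the full report). The stray spaces inside the
# quotes ("ImagePath ") are kept on purpose: the reports as pasted contain
# them, and the patterns below tolerate them.
SAMPLE_REPORT = r"""D726C020.EXE : Not detected by Sandbox (Signature: NO_VIRUS)

[ General information ]
* Creating several executable files on hard-drive.
* File length: 43762 bytes.
* MD5 hash: 2af880020b11e04176067aa85e76ed81.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\F3ED76F4.EXE.
* Creates file C:\WINDOWS\SYSTEM32\F3ED76F4T.EXE.
* Creates file C:\WINDOWS\SYSTEM32\delme.bat.
* Creates file C:\WINDOWS\SYSTEM32\F3ED76F4.DLL.

[ Changes to registry ]
* Creates key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".
* Sets value "ImagePath "= "C:\WINDOWS\SYSTEM32\F3ED76F4.EXE -service" in key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".
* Creates key "HKCU\Software\SYSTEM\CurrentControlSet\Services\F3ED76F4 ".
* Sets value "ImagePath "= "C:\WINDOWS\SYSTEM32\F3ED76F4.EXE -service" in key "HKCU\Software\SYSTEM\CurrentControlSet\Services\F3ED76F4 ".
* Sets value "ObjectName "= "LocalSystem" in key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".
* Sets value "Start "= "" in key "HKLM\System\CurrentControlSet\Services\F3ED76F4 ".

[ Process/window information ]
* Creates service "F3ED76F4 (F3ED76F4)" as "C:\WINDOWS\SYSTEM32\F3ED76F4.EXE -service ".
"""

HEADER_RE = re.compile(r"^(\S+) : (.*)$")
MD5_RE = re.compile(r"^\* MD5 hash: ([0-9a-fA-F]{32})\.$")
SIZE_RE = re.compile(r"^\* File length: (\d+) bytes\.$")
FILE_RE = re.compile(r"^\* Creates file (.+)\.$")
KEY_RE = re.compile(r'^\* Creates key "(.+?)\s*"\.$')
VALUE_RE = re.compile(r'^\* Sets value "(.+?)\s*"\s*=\s*"(.*?)\s*" in key "(.+?)\s*"\.$')
SERVICE_RE = re.compile(r'^\* Creates service "(\S+) \((.*?)\)" as "(.+?)\s*"\.$')


def _service_key(key: str) -> Optional[Tuple[str, str]]:
    """(hive, service name) for a ...\\Services\\<name> key, else None."""
    parts = key.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "services":
        return parts[0].upper(), parts[-1]
    return None


def _entry(report: Dict, name: str, key: Optional[str] = None) -> Dict:
    entry = report["services"].setdefault(name, {"keys": []})
    if key and key not in entry["keys"]:
        entry["keys"].append(key)
    return entry


def parse_report(text: str) -> Dict:
    report: Dict = {"sample": None, "md5": None, "size": None,
                    "files": [], "services": {}}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and (m := HEADER_RE.match(lines[0])):
        report["sample"] = m.group(1)
    for line in lines:
        if m := MD5_RE.match(line):
            report["md5"] = m.group(1).lower()
        elif m := SIZE_RE.match(line):
            report["size"] = int(m.group(1))
        elif m := FILE_RE.match(line):
            report["files"].append(m.group(1))
        elif m := KEY_RE.match(line):
            if loc := _service_key(m.group(1)):
                _entry(report, loc[1], m.group(1))
        elif m := VALUE_RE.match(line):
            value_name, value, key = m.groups()
            if loc := _service_key(key):
                hive, name = loc
                entry = _entry(report, name, key)
                # The Service Control Manager only reads the HKLM key; the
                # copy under HKCU\Software\SYSTEM starts nothing, so the
                # service's real properties are taken from HKLM alone.
                if hive == "HKLM":
                    entry[value_name] = value
        elif m := SERVICE_RE.match(line):
            name, _display, cmdline = m.groups()
            _entry(report, name)["CommandLine"] = cmdline
    return report


def cleanup_plan(report: Dict) -> List[str]:
    """Safe Mode commands in the order the thread used them: unregister the
    service (sc delete removes its HKLM key), delete the dropped files, then
    clear any leftover non-HKLM copies of the service key."""
    plan = [f"sc delete {name}" for name in sorted(report["services"])]
    plan += [f'del /f /q /a "{path}"' for path in report["files"]]
    for name, entry in sorted(report["services"].items()):
        for key in entry["keys"]:
            if not key.upper().startswith("HKLM"):
                plan.append(f'reg delete "{key}" /f')
    return plan


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"{rep['sample']}  md5={rep['md5']}  size={rep['size']}")
    for name, entry in rep["services"].items():
        print(f"service {name}: ImagePath={entry.get('ImagePath')!r} "
              f"account={entry.get('ObjectName')} keys={entry['keys']}")
    print("\n".join(cleanup_plan(rep)))
```

Run it against a report pasted into a file by swapping `SAMPLE_REPORT` for that file's contents; the second report in the thread (3F9E37A4) parses the same way. Note that `sc delete` only works once the service is stopped or the machine is in Safe Mode, which is why the thread does it there.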
     
  9. 2007/04/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
OK, I got a bit of assistance on this one, but let's fix the sucker up.

    Code\reg file information removed to avoid usage by other users

    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Then run the reg file saved on your desktop.

Then click 'Start', select 'Run', type in cmd and, when the dialog box appears, hit 'Enter'.

Then type or copy and paste the following text, pressing 'Enter' after each:
sc delete 3F9E37A4
sc delete F3ED76F4


    Delete the following files:
    • c:/windows/nortonq.exe
      c:/windows/system32/kdjs2.exe
      c:/windows/system32/msccrt.dll
      c:/Docume~1/wow0331[1].exe
      c:/Docume~1/mh0330[1].exe
      c:/Docume~1/wm0328[1].exe
      C:\WINDOWS\system32\86B9D630.exe
      C:\WINDOWS\system32\E5C073A0.EXE
      C:\WINDOWS\system32\D726C020.EXE
      C:\WINDOWS\system32\D726C020.DLL
      C:\WINDOWS\system32\E5C073A0.DLL
    Delete the following folders:
    • C:\SysDayN6
      C:\SysWsj7
      C:\SysAd5D
      C:\Syswm1i
    Re-run ATF cleaner ticking the following boxes:
    • Windows Temp
    • Current User Temp
    • All User Temp
    • Prefetch
    • Recycle Bin

Boot back into normal mode, post a fresh HJT log and a new SREng log as well.
     
  10. 2007/04/07
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Hi,

I have performed all steps, but after reboot Windows keeps logging me out; I can't log in anymore, even using administrator in safe mode.
     
  11. 2007/04/07
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
Hi picaso,

    Hey TeMerc, Hope it's OK for me to pop in.

picaso:

    TeMerc alerted me to this thread.
    I did help him with the fix.

    Tell me exactly what you did please including what you deleted.
    Anything else you deleted besides what TeMerc told you?
    Might seem like silly question but I have to know.
    This is important so I know where exactly we gotta go to restore what went wrong.

Did you get a success message when you merged that registry file?
Did you copy/paste the entire text that is inside that code box?
    That last line was the most important one. (this is the instructions in registry to tell windows where userinit.exe lives)

    What we did here should not have caused this log-in issue unless there was something that we didn't see that depended on the file that was loading along with userinit.exe or the reg script was not copied properly missing the last line.

    Without userinit.exe being told how to properly load you cannot log in.
    Userinit is what is responsible for logging user in, loading everything for that user and so on.
    If the instruction is missing for userinit; log-in is impossible since windows does not know where to look for userinit.

    That's OK. whatever went wrong we'll fix it.

    Any chance you have an XP cd? Not the Recovery CD that comes with some new PCs but the real deal.
    If you have XP CD we can do repair install.
    If you have the CD is it one with SP2?
    If it does not have SP2 we'll need to use your XP CD to create a new one with SP2 integrated to it.
    You will need access to another PC to do this of course.
    Do you by chance have the Product Key handy for this CD?
    You will need it to do the repair.

    This will mean you will need to get all your XP updates again but your other data should be OK since we are just repairing windows.
    Meaning your documents, pictures, mp3 files, installed programs and so on should not be affected.

    Don't move on with repair install till we know what you have available.

    If this is not possible there is a RC ISO file we can use to get to Recovery console.
    You will of course need access to another PC that can burn ISO files.

    We might have to get into the recovery Console to restore a backup of the System hive of your registry.
    The RC.iso will get us there.
    This will likely mean some programs you have will need repair installed or re-installed from scratch. Like your Norton.

    Let me know what you have access to and we'll get on with repairing it.

    Also do you have a floppy drive on this computer, 2nd CDRom drive and/or USB flash drive available to you?

    Thanks

    Tammy
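Blender's point is worth making mechanical: the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon is what Winlogon runs to start a session, so a fix file that loses that line, or restores it wrongly, produces exactly the instant-logoff loop reported above. As an added example (not the fix file that was removed from this thread, whose contents are unknown), the Python validator below parses a .reg file the way regedit reads it and flags the cases that break logon: Userinit missing or deleted, Userinit pointing at something other than the stock C:\WINDOWS\system32\userinit.exe, an extra program still chained after the comma, or a file whose closing blank line was lost in the paste. The two sample files and the value name `rogue_entry` are constructed; the expected Userinit path is the XP default.

```python
"""Check a .reg fix file before merging it: parse it, confirm it puts the
Winlogon Userinit value back to the stock one, and list what it deletes."""
import re
from typing import Dict, List

# Stock XP value. Anything listed after the comma is chained into the logon
# sequence, which is how this thread's infection loaded alongside userinit.exe.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample fix file (the one removed from the thread is not
# reproduced). "rogue_entry" is a hypothetical value name.
GOOD_FIX = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"rogue_entry"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

"""

# Same file with the paste cut short: the Userinit line and the closing blank
# line are gone, which is the failure mode Blender asks about.
TRUNCATED_FIX = GOOD_FIX.split('"Userinit"')[0].rstrip("\n") + "\n"

SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # In .reg syntax a backslash-escaped character stands for itself.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict:
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        raise ValueError("missing .reg header line")
    keys: Dict[str, Dict[str, object]] = {}
    deleted_keys: List[str] = []
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if m := SECTION_RE.match(line):
            minus, key = m.groups()
            current = None if minus else keys.setdefault(key, {})
            if minus:                             # [-key] deletes the whole key
                deleted_keys.append(key)
            continue
        if current is None:
            raise ValueError(f"value outside any key: {line}")
        if not (m := VALUE_RE.match(line)):
            raise ValueError(f"unparseable line: {line}")
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if data == "-":
            current[name] = None                  # "name"=- deletes the value
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = _unescape(data[1:-1])  # REG_SZ
        else:
            current[name] = data                  # dword:/hex: kept verbatim
    return {"keys": keys, "deleted_keys": deleted_keys,
            "ends_with_blank_line": text.endswith(("\n\n", "\r\n\r\n"))}


def check_fix(text: str) -> List[str]:
    """Problems that would leave the machine unable to log on; empty = OK."""
    reg = parse_reg(text)
    problems: List[str] = []
    winlogon = {k.lower(): v for k, v in reg["keys"].items()}.get(WINLOGON_KEY.lower(), {})
    values = {k.lower(): v for k, v in winlogon.items()}
    if "userinit" not in values:
        problems.append("Userinit is not set: Winlogon has nothing to run "
                        "and every logon bounces straight back out")
    elif values["userinit"] is None:
        problems.append("Userinit is deleted (=-) rather than restored")
    else:
        entries = [e.strip() for e in str(values["userinit"]).split(",") if e.strip()]
        first = entries[0] if entries else "(empty)"
        if first.lower() != EXPECTED_USERINIT.rstrip(",").lower():
            problems.append(f"Userinit points at {first!r}, expected {EXPECTED_USERINIT!r}")
        if len(entries) > 1:
            problems.append(f"Userinit still chains extra programs: {entries[1:]}")
    if not reg["ends_with_blank_line"]:
        problems.append("file does not end with a blank line; regedit may "
                        "ignore the last value, here the Userinit one")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_FIX), ("truncated", TRUNCATED_FIX)):
        print(label, check_fix(sample) or "OK to merge")
```

The same parser can be pointed at a `regedit /e` export of the Winlogon key taken from the Recovery Console-accessible hive later, to confirm what is actually on disk rather than what the fix intended; the check is deliberately case-insensitive because registry key and value names are.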
     
  12. 2007/04/07
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Hi Tammy,

I followed exactly what is listed in post #28.

For the fix.reg file I used Ctrl-A and Ctrl-C to copy and paste, so it should not miss anything, and I did receive a successful run message after I double-clicked the file.

But one thing I am not sure will affect the results or not: my PC has two user accounts, "administrator" and "kenny"; after reboot I logged in as administrator and performed all the actions, while I saved the fix.reg on kenny's desktop.

For the sc delete commands, those services are not running anymore.

For the file deletion only the last 5 files exist; do the first 6 files have a typo in the path? Anyway I copied all the files into the clipboard, then opened killbox and pasted from the clipboard; killbox only found the following 5 files:

    C:\WINDOWS\system32\86B9D630.exe
    C:\WINDOWS\system32\E5C073A0.EXE
    C:\WINDOWS\system32\D726C020.EXE
    C:\WINDOWS\system32\D726C020.DLL
    C:\WINDOWS\system32\E5C073A0.DLL

After checking the "delete on reboot" box, I then clicked the delete button; I didn't reboot right away as I wished to finish all deletions first.

For the folder deletion only the following folders still existed:

    C:\SysWsj7
    C:\Syswm1i

    so I deleted them.

For ATF Cleaner I ticked the "temporary Internet files" box as well.

Then I rebooted my machine and found the login problem.

I have a Windows CD + CD key (not SP2) with me and I have another machine running with Alcohol 120% installed, so I should be able to burn an ISO. I have tried booting up the machine in repair mode and got command prompt access; is there any way to check the registry entry there?

    Cheers,
    Kenny
     
  13. 2007/04/07
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi Kenny,

Sounds like you did it OK. Some of the reg fix would not have worked because the nasties were loading under the "Kenny" account.
Anything that was fixing under HKEY_LOCAL_MACHINE affects everyone.
The sc commands affect everyone, as do the files/folders you deleted.
Those files/folders you could not find are OK. TeMerc had you delete some earlier.


If I understand you right you have been able to boot to the Recovery Console using the XP CD.
You won't be able to access regedit from there. RC has very limited tools to work with.
If you type help at the cmd console you will see what is available to you.
Not a very helpful list, I know...
Limited description of what each command does:

    http://support.microsoft.com/kb/314058

I'd rather try a repair install so as to lessen the damage.

Because your CD does not have SP2 you will need to build one.
Sounds like you have a pretty decent idea what you are doing, so I'll point you to a page on what you will have to do to create the XP SP2 CD.

    Here's how to create the slipstreamed image:

    http://www.theeldergeek.com/slipstreamed_xpsp2_cd.htm

    Once you create the image you will need to create the bootable CD.

    I assume you know how to burn ISO files to make the CD bootable.

    Once created... test the CD to ensure it is in fact bootable.

    If so....

    Instructions here to do repair install:

    http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx

Once it's repaired it will go through the same set-up as a fresh install. It should only ask if you want to register with M$. You shouldn't get the "activate xp" nag.

    Let me know how it goes.

    Thanks :)

    Tammy
     
  15. 2007/04/11
    picaso

    picaso Inactive Thread Starter

    Joined:
    2007/03/28
    Messages:
    19
    Likes Received:
    0
    Hi Tammy and TeMerc,

After repairing, my Windows can be logged into again; however, after reboot it only shows the mouse pointer and nothing further. I can pop up the Task Manager by pressing Ctrl+Alt+Del; it seems like explorer.exe is not running normally.

After several repair attempts I have totally no clue about it, so I have backed up all my files and had my PC reinstalled.

    Thank you very much for your help.
     
  16. 2007/04/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, well we're sorry we were not able to properly fix your machine. The important thing is you have all your data saved.

    Once Windows is installed be sure you immediately go to Windows Update Page

    After that is done be sure you have proper protection, beginning with antivirus and firewall:
Antivirus:
Firewalls:
    Then follow the links below to ensure the highest possible level of protection against any further invasions. The links and the apps are some of the most highly regarded apps in the field of security/protection & detection. Run AdAware & Spybot at least once a week, depending on your surfing habits.
    Spybot Search & Destroy v1.4
    Ad-Aware SE Free v1.06r

    With AdAware and Spybot: DL, install then check for updates, then scan, repair/remove/quarantine anything found. Reboot before next scan with whichever app is next.

    SpywareBlaster will prevent known ActiveX installs, by setting killbits into the registry.
With Spyware Blaster, just DL, check for updates, enable Internet Explorer protection, and you're done! I don't recommend using 'Restricted Sites' protection in SpywareBlaster nor the 'Immunize' feature in Spybot; you can get far greater coverage with IE-SPYADs, listed below.

    To avoid known malware infested sites from loading in IE install IE-SPY ADS.
    And MVPS Hosts File will provide another layer of protection.

    And to prevent unknown applications from being installed on your machine install WinPatrol 2007 v11.2.2007.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Tutorials for all can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

You can also see my own ongoing security testing with all the above apps, proving how securely you can surf with them installed.
    TeMerc Test Box Forum

    Happy surfing!
    Tom :D
     
