Infected with fake Svchost.exe, services.exe, and userinit.e

I've tried running SDfix, ComboFix, Spybot Search and Destroy, and none of them can open up (Safe nor regular mode) I usually keep my computer pretty clean and know what is suppose to run. Unfortunaly the same can't be said about my dad who shares this computer also. Anyways as the title mentions I seem to have some fake svchost.exe, services.exe, and a fake or infected userinit.exe file. Also other things that have been happening included alot of freezing up of the browsers (we normally run opera and that normally doesn't crash easily). Anyway's here's my hijack this file if its of any help. Let me know what you can come up with.

Logfile of HijackThis v1.99.1
Scan saved at 03:44:29, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Sam\Desktop\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: userinit.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-----------------------------------------------------------------------------------------------------------------
Forgot to mention that bonjour thing too I don't think that's suppose to be there

Your version of HijackThis is out of date & needs to be updated. Having an outdated version may not give a reliable log.

Download the latest version of HijackThis (2.0.2)from Here

Run HijackThis again and send us the new log.

Sorry about that. Here it goes again :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:18:41, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Sam\Desktop\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService.NT AUTHORITY.000\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [winlogon] C:\Documents and Settings\LocalService.NT AUTHORITY.000\svchost.exe (User 'Default user')
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 1493 bytes

Hello.
Have you done anything since the first log was taken?

First log shows this:
O4 - Startup: userinit.exe

Quite clearly it's fake, but now that is gone and this has appeared:
O4 - HKUS\.DEFAULT\..\Run: [winlogon] C:\Documents and Settings\LocalService.NT AUTHORITY.000\svchost.exe (User 'Default user')

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O4 - HKUS\.DEFAULT\..\Run: [winlogon] C:\Documents and Settings\LocalService.NT AUTHORITY.000\svchost.exe (User 'Default user')
  
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Actually, this doesn't suprise me at all...
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.

The reason that I don't install any virus protection is because most of the time they're not really effective. I do keep Spybot S&D running but what ever came on disabled it. I'm downloading that Antivirus program as we speak, but the userinit.exe I actually disabled from "msconfig", doubt it takes it all away but it does something usually. Besides that, I was actually able to run superantispyware, but that didn't seem to do that much as far as cleaning up. I'm running Malwarebyte's right now too to see if that does anything but doubt it.

The reason that I don't install any virus protection is because most of the time they're not really effective.

Honestly, what are you thinking? there is malware floating around our there today that will leave your machine battered and broken, I get users with it a few times, and you can only fix it by reformatting the machine. Do you want that too? No antivirus is perfect, but it will keep most of the crap out.

Also, please do not use msconfig, because it takes stuff away from the registry and Hijack This won't be able to see it. I can't fix it if I can't see it.

Please do not use msconfig. I will be waiting for the Avira report when it's done.

Avira AntiVir Personal
Report file date: Thursday, April 02, 2009 01:51

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : Sam
Computer name : HOME-D402897744

Version information:
BUILD.DAT : 9.0.0.386 17962 Bytes 3/11/2009 15:55:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 17:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 12:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 19:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 22:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 01:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 16:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 18:06:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 01:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 20:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 01:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 18:06:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 19:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 12:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 16:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 20:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, April 02, 2009 01:51

Initiating scan of system files:
Signed -> 'C:\WINDOWS\system32\svchost.exe'
Signed -> 'C:\WINDOWS\system32\winlogon.exe'
Signed -> 'C:\WINDOWS\explorer.exe'
Signed -> 'C:\WINDOWS\system32\smss.exe'
Signed -> 'C:\WINDOWS\system32\wininet.DLL'
Signed -> 'C:\WINDOWS\system32\wsock32.DLL'
Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'
Signed -> 'C:\WINDOWS\system32\services.exe'
Signed -> 'C:\WINDOWS\system32\lsass.exe'
Signed -> 'C:\WINDOWS\system32\csrss.exe'
Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'
Signed -> 'C:\WINDOWS\system32\spoolsv.exe'
Signed -> 'C:\WINDOWS\system32\alg.exe'
Signed -> 'C:\WINDOWS\system32\wuauclt.exe'
Signed -> 'C:\WINDOWS\system32\advapi32.DLL'
Signed -> 'C:\WINDOWS\system32\user32.DLL'
Signed -> 'C:\WINDOWS\system32\gdi32.DLL'
Signed -> 'C:\WINDOWS\system32\kernel32.DLL'
Signed -> 'C:\WINDOWS\system32\ntdll.DLL'
Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'
Signed -> 'C:\WINDOWS\system32\ctfmon.exe'
The system files were scanned ('21' files)

Starting search for hidden objects.
'113493' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'update.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
27 processes with 27 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '51' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.


End of the scan: Thursday, April 02, 2009 03:00
Used time: 1:09:19 Hour(s)

The scan has been done completely.

6274 Scanned directories
381885 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
381884 Files not concerned
4527 Archives were scanned
1 Warnings
1 Notes
113493 Objects were scanned with rootkit scan
0 Hidden objects were found

This was after I ran it the first time and rebooted. This is the new Hijackthis Log also:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:05:37, on 4/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Documents and Settings\Sam\Desktop\mplayerc.exe
C:\WINDOWS\system32\divxsm.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Sam\Desktop\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\Sam\svchost.exe
O4 - HKCU\..\Run: [tiphi9gl] C:\WINDOWS\system32\tiphi9gl.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2339 bytes

This is the Hijack this log after I've selected:

O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\Sam\svchost.exe
O4 - HKCU\..\Run: [tiphi9gl] C:\WINDOWS\system32\tiphi9gl.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:09:58, on 4/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Sam\Desktop\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 1796 bytes

Also just to add to thing too, when browsing on google, my pages get redirected to other sites but if I click back it'll hit the right sites.

Hello.
More and more malware keeps appearing. I'm gonna see if we can get Combofix to run, because with an infection like this, there's too much malware to take down manually.

• Download combofix from here
  Link 1
  Link 2
  
• We need to rename Combofix before running it.
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We also need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV. (Avira)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Hmm ... I can't seem to open up the link from bleepingcomputers .. not sure if their site is down right now or what. The reason that more things have shown up though is because I went back to MSconfig and re-selected everything. I figured might as well do it the right way.

Did you try getting Combofix from link 2?

I was able to download combo-fix but i meant the link to disable Avira

Ah.
Good thing I use Avira then.

There's an umbrella image in the corner tray > right click it > untick "AntiVir Guard Enable"

That will disable Avira.

oh lol .. thats all you meant. I thought you meant fully turn it off. But Combo fix is still not running. It now atleast pops up a window then closes.

Did you rename it?

Lets see if DDS will run.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run
  
• When complete, DDS.txt will open.
  
• Save the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

Yes I did rename it. DDS.scr also doesn't want to open up. I get a message saying its not a valid Win32 application.

Well, since you've hidden everything msconfig, we'll have to do this manually.

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
  regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
  regedit /e peek3.txt "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services"
  type peek1.txt >> look.txt
  type peek2.txt >> look.txt
  type peek3.txt >> look.txt
  del peek*.txt
  start notepad look.txt
  
  

  
  
• Save this as look.bat, save it to your desktop.
  
• Double click look.bat to run it.
  
• Copy and paste the report back here.
  

no report ... it closes explorer for a second then goes back to normal

Now would be a good time to format this machine if I'm honest.
By not having an AV installed, you've let a lot of malware get in and it's caused serious damage as you can probably tell.

When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Alright i've moved a couple of steps forward. I went back and looked at my restore point and did on from a month ago roughly. I'm now able to run combo fix. I updated it and scanning.

Look.bat text file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=dword:00000002
"wscsvc"=dword:00000002

____________________________________________________________

Combo fix seems to have recognized all the stuff that I needed out and deleted them. So I think that I might be good now. I'll do a hijack this after its fully done though. Here's the combo fix log though:

ComboFix 09-04-01.01 - Sam 2009-04-02 14:13:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.614 [GMT -5:00]
Running from: c:\documents and settings\Sam\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.exe
C:\Autorun.inf
c:\documents and settings\home\Start Menu\Programs\Startup\userinit.exe
c:\documents and settings\home\svchost.exe
c:\documents and settings\LocalService.NT AUTHORITY.000\svchost.exe
c:\documents and settings\Sam\Start Menu\Programs\Startup\userinit.exe
c:\documents and settings\Sam\svchost.exe
C:\userinit.exe
c:\windows\system32\drivers\services.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-02 15:03 . 2009-04-02 15:03 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-04-02 15:03 . 2009-04-02 15:03 d-------- c:\program files\Common Files\Apple
2009-04-02 15:02 . 2009-04-02 15:02 d-------- C:\SDFix
2009-04-02 15:02 . 2009-04-02 15:02 d-------- C:\rsit
2009-04-02 15:02 . 2009-04-02 15:03 d-------- c:\program files\SUPERAntiSpyware
2009-04-02 15:02 . 2009-04-02 15:03 d-------- c:\program files\SpywareBlaster
2009-04-02 15:02 . 2009-04-02 15:03 d-------- c:\program files\Bonjour
2009-04-02 15:02 . 2009-04-02 15:02 d-------- C:\Logs
2009-04-02 15:02 . 2009-04-02 15:02 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-04-02 15:02 . 2009-04-02 15:02 d-------- C:\!KillBox
2009-04-02 02:04 . 2009-04-02 15:03 d-------- C:\32788R22FWJFW(2)
2009-03-31 08:42 . 2009-03-31 08:42 d-------- c:\documents and settings\home\Application Data\Ahead
2009-03-31 08:38 . 2009-03-31 08:38 d-------- c:\program files\Nero
2009-03-31 08:38 . 2009-04-02 15:03 d-------- c:\program files\Common Files\Ahead
2009-03-30 12:36 . 2009-03-30 12:36 d-------- c:\documents and settings\home\Application Data\Apple Computer
2009-03-13 15:41 . 2009-03-13 15:41 d-------- c:\documents and settings\Sam\Application Data\Apple Computer
2009-03-13 15:41 . 2009-03-13 15:41 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 15:40 . 2009-03-13 15:40 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2009-03-13 15:40 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-13 15:40 . 2009-03-05 23:59 36,864 --a------ c:\windows\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 20:03 --------- d-----w c:\program files\Apple Software Update
2009-04-02 13:29 --------- d-----w c:\documents and settings\Sam\Application Data\LimeWire
2009-04-02 06:55 --------- d-----w c:\program files\Webroot
2009-03-13 20:40 --------- d-----w c:\program files\QuickTime
2009-02-20 08:40 --------- d-----w c:\program files\3GP Player
2009-02-11 13:14 31,632 ----a-w c:\documents and settings\home\Application Data\GDIPFONTCACHEV1.DAT
2009-02-05 07:29 --------- d-----w c:\program files\ACAD2000
2009-01-19 07:55 1,529,241 ----a-w C:\SDFix.exe
2006-10-11 08:04 61,036 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 41,082 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 166,510 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-30 7634944]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-25 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

c:\documents and settings\Sam\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks\swScheduler\swBOEngine.exe [2008-02-01 488728]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-31 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-31 10384]
R2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;c:\program files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe [2007-12-03 245760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c1ccfbd-d08e-11dd-bb79-001d601cd728}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63d59dae-dfb6-11dd-bbd8-001d601cd728}]
\Shell\AutoRun\command - E:\SETUP.EXE
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-[system] - c:\windows\system32\drivers\services.exe
HKU-Default-Run-winlogon - c:\documents and settings\LocalService.NT AUTHORITY.000\svchost.exe



**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 14:15:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-04-02 14:16:12
ComboFix-quarantined-files.txt 2009-04-02 19:16:11
ComboFix2.txt 2009-01-19 20:25:55

Pre-Run: 245,945,540,608 bytes free
Post-Run: 250,548,314,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

128

Hello.
Well done, but stay OFFLINE for now.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
C:\SDFix.exe
c:\windows\system32\wdmaud.sys

Folder::
c:\documents and settings\Sam\Application Data\LimeWire
C:\Logs
C:\rsit
C:\!KillBox
C:\Program Files\LimeWire

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"="wdmaud.drv"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c1ccfbd-d08e-11dd-bb79-001d601cd728}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

is that going to kill my limewire? .. I do use that quite a bit

This is the new Hijack this log btw:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:26:51, on 4/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Sam\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2008 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 3051 bytes

Yes, it will kill Limewire.
That's probably how you got infected in the first place.

The Hijack This log looks fine.

P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.

I will help you this once, then if you choose to get infected via Limewire again, I won't help you again until Limewire is removed.

75% of everything on Limewire is infected, even music files.

Please run my CFScript I have posted for you.