Trojan horse Agent 2.AZU

Hi guys,

this is my first post here. I'm glad there is a place on the web that can help in times like these.

I have a Trojan horse Agent 2.AZU stuck in my userinit.exe file. I have the lates paid version of AVG and that program caught it but recomended that it not be removed because the file is whitelisted. Meanwhile, I still have this problem. I can stop the annoying popup by removing it from my process registery but that's all I've been able to do. I've downlaoded and used about 6 different maleware removal programs but NONE of them even found it.

Hello.
We can fix this, but the tool we are going to use is very powerful, so I need to get some information of the system before I can give you instructions for this tool.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  Link 3
  
• Double click DDS.scr to run
  
• When complete, DDS.txt will open.
  
• Save the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

DDS (Ver_09-03-16.01) - NTFSx86
Run by Michael at 22:10:14.04 on Sat 03/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.140 [GMT -5:00]

AV: AVG Anti-Virus plus Firewall *On-access scanning enabled* (Updated)
FW: AVG Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\QBOOKSW\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael\Desktop\New Briefcase\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = www.scullypages.com/
BHO: Adobe PDF Reader Link Helper: {removed for security} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {removed for security} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Trellian BHO Impl: {removed for security} - c:\program files\trellian\toolbar\toolbar.dll
BHO: AVG Safe Search: {removed for security} - c:\program files\avg\avg8\avgssie.dll
BHO: {removed for security} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In SSV Helper: {removed for security} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVGTOOLBAR: {removed for security} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {removed for security} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {removed for security} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {removed for security} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: AVGTOOLBAR: {removed for security} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &RoboForm: {removed for security} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Trellian &Toolbar: {removed for security} - c:\program files\trellian\toolbar\toolbar.dll
TB: PayPal Plug-In: {removed for security} - c:\program files\paypal\paypal plug-in\OToolbar.dll
EB: {removed for security} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Lexmark X73 Button Monitor] c:\progra~1\lexmar~1\ACMonitor_X73.exe
mRun: [Lexmark X73 Button Manager] c:\progra~1\lexmar~1\AcBtnMgr_X73.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\qbooksw\components\qbagent\qbdagent2002.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {removed for security} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {removed for security} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {removed for security} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {removed for security} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {removed for security} - c:\program files\messenger\msmsgs.exe
IE: {removed for security} - {removed for security} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {removed for security} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {removed for security} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205163384551
DPF: {removed for security} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {removed for security} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {removed for security} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - f:\program files\coreftp\pftpns.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {removed for security} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\m7pbmj4m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT447260&SearchSource=3&q=

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-3-10 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-3-10 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-10 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-3-10 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-15 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-15 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-1-15 1356616]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-3-10 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-3-10 29208]
S3 OKI OPHC DCS Loader;OKI OPHC DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHCLDCS.EXE [2005-5-10 24576]

=============== Created Last 30 ================

2009-03-28 20:55 1,409 a------- c:\windows\QTFont.for
2009-03-28 20:55 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-28 03:18 --d----- c:\docume~1\michael\applic~1\Uniblue
2009-03-28 03:17 -cd-h--- c:\docume~1\alluse~1\applic~1\~0
2009-03-25 22:53 --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-03-25 22:53 --d----- c:\program files\Security Task Manager
2009-03-24 03:26 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-23 23:16 2,790 a------- c:\windows\system32\tmp.reg
2009-03-23 23:15 --d----- c:\documents and settings\michael\SmitfraudFix
2009-03-23 15:22 --d----- c:\program files\Enigma Software Group
2009-03-23 10:07 --d----- c:\docume~1\michael\applic~1\Malwarebytes
2009-03-23 10:07 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-18 05:15 --d----- c:\program files\AshongSoft
2009-03-17 23:05 8 a------- c:\windows\sess_583d2815c194179b0cb7179a4cf9dd98
2009-02-28 14:05 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-03-25 11:07 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-25 11:07 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-25 11:07 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-24 01:38 253,952 a------- c:\windows\system32\skinboxer43.dll
2009-03-23 07:57 25,088 a------- c:\windows\system32\userinit.exe
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-07-18 21:38 60,744 a------- c:\documents and settings\michael\g2mdlhlpx.exe
2001-07-26 19:58 47 a------- c:\program files\ACMonitor_X73.ini
2001-07-05 15:46 8,116 a------- c:\program files\OSLO3071b2.USB
2001-05-11 14:39 53,248 a------- c:\program files\ACMonitor_X73.exe
2001-05-08 19:36 114,688 a------- c:\program files\lxarscan.dll
2001-04-23 17:22 1,437 a------- c:\program files\gtx73.ini
2001-02-22 12:54 768 a------- c:\program files\x73_lut.dat
2008-10-26 10:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102620081027\index.dat

============= FINISH: 22:11:19.37 ===============

Hello.
You didn't really need to remoce the CLSID lines, I can't tell anything about you from them, they are just a set string of numbers and letters that give the software it's own personal ID mark, we can use them to research what the software is or does.

I can see userinit is patched, but the good news is there doesn't appear to be any other malware present.

• Download combofix from here
  Link 1
  Link 2
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV. (AVG8)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

I ran the combofix but the instructions on how to disable my avg did not disable it. Also the recovery console did not load. An error in the connection caused it to not load. So the combofix ran anyway. After it ran, while I was checking things out, I got an Antivirus9 popup.

Here is the log.

ComboFix 09-03-27.02 - Michael 2009-03-29 6:45:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.216 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\New Briefcase\ComboFix.exe
AV: AVG Anti-Virus plus Firewall *On-access scanning enabled* (Updated)
FW: AVG Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2100-02-23 17:35 . 2001-02-22 12:54 768 --a------ c:\program files\x73_lut.dat
2100-02-23 16:35 . 2001-02-22 11:54 768 --a------ c:\windows\x73_lut.dat
2100-02-08 19:03 . 2001-05-11 14:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
2100-02-08 17:53 . 2009-03-29 00:19 1,441 --a------ c:\windows\GtX73.ini
2009-03-28 20:55 . 2009-03-29 03:08 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-28 20:55 . 2009-03-28 20:55 1,409 --a------ c:\windows\QTFont.for
2009-03-28 03:18 . 2009-03-28 03:18 d-------- c:\documents and settings\Michael\Application Data\Uniblue
2009-03-25 22:53 . 2009-03-25 22:58 d-------- c:\program files\Security Task Manager
2009-03-25 22:53 . 2009-03-25 22:56 d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-03-24 03:26 . 2009-03-28 02:32 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-24 03:00 . 2009-03-28 03:23 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-23 23:15 . 2009-03-28 03:31 d-------- c:\documents and settings\Michael\SmitfraudFix
2009-03-23 15:22 . 2009-03-24 01:44 d-------- c:\program files\Enigma Software Group
2009-03-23 10:07 . 2009-03-23 10:07 d-------- c:\documents and settings\Michael\Application Data\Malwarebytes
2009-03-23 10:07 . 2009-03-23 10:07 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-18 05:15 . 2009-03-18 05:15 d-------- c:\program files\AshongSoft
2009-03-17 23:05 . 2009-03-17 23:07 8 --a------ c:\windows\sess_583d2815c194179b0cb7179a4cf9dd98

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 07:49 --------- d-----w c:\documents and settings\Michael\Application Data\CoreFTP
2009-03-29 05:45 --------- d-----w c:\documents and settings\Michael\Application Data\gtk-2.0
2009-03-28 07:35 --------- d-----w c:\program files\HyperVRE
2009-03-25 21:45 --------- d-----w c:\documents and settings\Michael\Application Data\Skype
2009-03-25 16:07 325,640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-25 16:07 108,552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-25 16:07 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-24 06:07 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-23 20:05 --------- d-----w c:\program files\Google
2009-03-23 20:02 --------- d-----w c:\program files\MetaTrader - ForexMeta
2009-03-23 20:01 --------- d-----w c:\program files\iTunes
2009-03-23 20:00 --------- d-----w c:\program files\Forex Killer 4.12
2009-03-23 19:58 --------- d-----w c:\program files\CraigsList Ad Analyzer
2009-03-23 13:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-23 12:57 25,088 ----a-w c:\windows\system32\userinit.exe
2009-03-05 18:50 --------- d-----w c:\program files\optin MAGIK
2009-03-04 18:02 --------- d-----w c:\program files\Instant PopOver
2009-02-28 19:05 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-28 19:05 --------- d-----w c:\program files\Java
2009-02-21 23:04 --------- d-----w c:\program files\JpegSizer 6
2009-02-21 23:04 --------- d-----w c:\documents and settings\All Users\Application Data\JpegSizer
2009-02-20 22:47 --------- d-----w c:\program files\IrfanView
2009-02-20 22:05 --------- d-----w c:\program files\GIMP-2.0
2009-02-14 21:45 --------- dc-h--w c:\documents and settings\All Users\Application Data\{64ac4993-d031-4918-81f2-c29ce7452582}
2009-02-14 21:45 --------- d-----w c:\program files\Jiffy PDF Maker
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 23:52 --------- d-----w c:\program files\Article Engineer
2009-02-03 19:49 --------- d-----w c:\program files\Windows Media Connect 2
2008-07-19 02:38 60,744 ----a-w c:\documents and settings\Michael\g2mdlhlpx.exe
2001-07-27 00:58 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 20:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
2001-05-09 00:36 114,688 ----a-w c:\program files\lxarscan.dll
2001-04-23 22:22 1,437 ----a-w c:\program files\gtx73.ini
2008-10-26 15:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102620081027\index.dat
.

------- Sigcheck -------

2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-23 07:57 25088 9b18e2b6db69000da40ab377bdd8e2e9 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-29_ 6.00.41.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-29 07:05:31 67,560 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-29 11:01:57 67,560 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-29 07:05:31 432,856 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-29 11:01:57 432,856 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-07-28 49152]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-03-10 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-25 1932568]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-28 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks 2002 Delivery Agent.lnk - c:\qbooksw\Components\QBAgent\qbdagent2002.exe [2008-03-10 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-25 11:07 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-03-10 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-03-10 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-03-10 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-15 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-15 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-15 1356616]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-03-10 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-03-10 29208]
S3 OKI OPHC DCS Loader;OKI OPHC DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHCLDCS.EXE [2005-05-10 24576]
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 19:57]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = www.scullypages.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - f:\program files\CoreFTP\pftpns.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\m7pbmj4m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT447260&SearchSource=3&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 06:48:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-29 6:50:07
ComboFix-quarantined-files.txt 2009-03-29 11:50:04
ComboFix2.txt 2009-03-29 11:02:03

Pre-Run: 100,930,613,248 bytes free
Post-Run: 100,918,796,288 bytes free

156 --- E O F --- 2009-03-14 10:04:27

Hi, I just ran my AVG and it found this...."C:\WINDOWS\system32\userinit.exe";"Trojan horse Agent2.AZU";"Object is white-listed (critical/system file that should not be removed)"

If I can't remove the file, what can I do to get rid of the cirus?

Hello.
Don't worry about it. I thought Combofix would of replaced the file itself. It hasn't, but it's found us 2 more clean copies of userinit to replace over the infected one. To do so, we have to run Combofix with a customized directive.

Please disable AVG because it might interfere with Combofix. If Combofix goes even slightly wrong, there's no telling what might happen.
See HERE for how to disable your AV. (AVG8)

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

FCOPY::
c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\system32\userinit.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

ComboFix 09-03-28.01 - Michael 2009-03-29 8:22:30.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.209 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\New Briefcase\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFscript.txt
AV: AVG Anti-Virus plus Firewall *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2100-02-23 17:35 . 2001-02-22 12:54 768 --a------ c:\program files\x73_lut.dat
2100-02-23 16:35 . 2001-02-22 11:54 768 --a------ c:\windows\x73_lut.dat
2100-02-08 19:03 . 2001-05-11 14:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
2100-02-08 17:53 . 2009-03-29 00:19 1,441 --a------ c:\windows\GtX73.ini
2009-03-28 20:55 . 2009-03-29 03:08 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-28 20:55 . 2009-03-28 20:55 1,409 --a------ c:\windows\QTFont.for
2009-03-28 03:18 . 2009-03-28 03:18 d-------- c:\documents and settings\Michael\Application Data\Uniblue
2009-03-25 22:53 . 2009-03-25 22:58 d-------- c:\program files\Security Task Manager
2009-03-25 22:53 . 2009-03-25 22:56 d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-03-24 03:26 . 2009-03-28 02:32 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-24 03:00 . 2009-03-28 03:23 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-23 10:07 . 2009-03-23 10:07 d-------- c:\documents and settings\Michael\Application Data\Malwarebytes
2009-03-23 10:07 . 2009-03-23 10:07 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-18 05:15 . 2009-03-18 05:15 d-------- c:\program files\AshongSoft
2009-03-17 23:05 . 2009-03-17 23:07 8 --a------ c:\windows\sess_583d2815c194179b0cb7179a4cf9dd98

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 12:23 --------- d-----w c:\documents and settings\Michael\Application Data\CoreFTP
2009-03-29 05:45 --------- d-----w c:\documents and settings\Michael\Application Data\gtk-2.0
2009-03-28 07:35 --------- d-----w c:\program files\HyperVRE
2009-03-25 21:45 --------- d-----w c:\documents and settings\Michael\Application Data\Skype
2009-03-25 16:07 325,640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-25 16:07 108,552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-24 06:07 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-23 20:05 --------- d-----w c:\program files\Google
2009-03-23 20:02 --------- d-----w c:\program files\MetaTrader - ForexMeta
2009-03-23 20:00 --------- d-----w c:\program files\Forex Killer 4.12
2009-03-23 19:58 --------- d-----w c:\program files\CraigsList Ad Analyzer
2009-03-23 13:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-05 18:50 --------- d-----w c:\program files\optin MAGIK
2009-03-04 18:02 --------- d-----w c:\program files\Instant PopOver
2009-02-28 19:05 --------- d-----w c:\program files\Java
2009-02-21 23:04 --------- d-----w c:\program files\JpegSizer 6
2009-02-21 23:04 --------- d-----w c:\documents and settings\All Users\Application Data\JpegSizer
2009-02-20 22:05 --------- d-----w c:\program files\GIMP-2.0
2009-02-14 21:45 --------- dc-h--w c:\documents and settings\All Users\Application Data\{64ac4993-d031-4918-81f2-c29ce7452582}
2009-02-14 21:45 --------- d-----w c:\program files\Jiffy PDF Maker
2009-02-03 23:52 --------- d-----w c:\program files\Article Engineer
2009-02-03 19:49 --------- d-----w c:\program files\Windows Media Connect 2
2008-07-19 02:38 60,744 ----a-w c:\documents and settings\Michael\g2mdlhlpx.exe
2001-07-27 00:58 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 20:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
2001-05-09 00:36 114,688 ----a-w c:\program files\lxarscan.dll
2001-04-23 22:22 1,437 ----a-w c:\program files\gtx73.ini
2008-10-26 15:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102620081027\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-29_ 6.00.41.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:38 26,112 -c--a-w c:\windows\system32\dllcache\userinit.exe
- 2009-03-29 07:05:31 67,560 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-29 11:01:57 67,560 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-29 07:05:31 432,856 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-29 11:01:57 432,856 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-29 13:25:30 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-07-28 49152]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-03-10 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-25 1932568]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-28 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks 2002 Delivery Agent.lnk - c:\qbooksw\Components\QBAgent\qbdagent2002.exe [2008-03-10 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-25 11:07 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-03-10 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-03-10 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-03-10 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-15 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-15 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-15 1356616]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-03-10 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-03-10 29208]
S3 OKI OPHC DCS Loader;OKI OPHC DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHCLDCS.EXE [2005-05-10 24576]
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 19:57]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = www.scullypages.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - f:\program files\CoreFTP\pftpns.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\m7pbmj4m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT447260&SearchSource=3&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 08:25:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-29 8:28:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-29 13:28:17
ComboFix2.txt 2009-03-29 11:50:09
ComboFix3.txt 2009-03-29 11:02:03

Pre-Run: 100,890,456,064 bytes free
Post-Run: 100,889,337,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

175 --- E O F --- 2009-03-14 10:04:27

Hello.
That looks like it did the job, userinit is replaced with a fresh clean copy.
AVG warnings shouldn't bother you anymore.

How is the machine running now?

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

Please re-enable AVG antivirus and firewall now, were done here.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.