No don't replace it yet. Follow these steps in order numbered: 1) Run this script in AVZ like before you computer will reboot. begin SetAVZGuardStatus(True); SearchRootkit(true, true); QuarantineFile('C:\WINDOWS\System32\Drivers\a6s3c7ua.SYS',''); QuarantineFile('c:\windows\system32\userinit.exe',''); QuarantineFile('C:\DOCUME~1\Patrock\LOCALS~1\Temp\mousehook.dll',''); QuarantineFile('C:\WINDOWS\TEMP\ntdll64.dll',''); DeleteFile('C:\WINDOWS\TEMP\ntdll64.dll'); DeleteFile('C:\DOCUME~1\Patrock\LOCALS~1\Temp\mousehook.dll'); DeleteFile('c:\windows\system32\userinit.exe'); DeleteFile('C:\WINDOWS\System32\Drivers\a6s3c7ua.SYS'); BC_ImportAll; ExecuteSysClean; BC_Activate; RebootWindows(true); end. 2) After reboot: Attach a Combofix log, please review and follow these instructions carefully. Download it here -> http://download.bleepingcomputer.co... Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it. Now, please make sure no other programs are running, close all other windows and pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place. Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal. You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed. Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here. -------------------------------------------- To Private Message me Click Here

0

Before or after 2) of Response Number 7 you might have to replace it. Steps to recover that file using windows recovery console: Click R to enter recovery console Type the following expand d:\i386\userinit.ex_ c:\windows\system32 click enter Once it says 1 file copied Then type exit and click enter System will reboot Make sure to remove winxp pro cd before it boots up and let it boot fully Windows should start normally If not post with result -------------------------------------------- To Private Message me Click Here

0

Okay I enter the prompt. I typed the following into the recovery console: expand d:\i386\userinit.ex_ c:\windows\system32 Word for word, but I get this message stating - the system cannot find the file or directory specified I tried looking at the /? command and also on the action expand, and I'm not sure if I am missing something.

0

Its not letting you log in correct? Or you can still log in windows? What is your cd driver letter in recovery console? do command "dir" and paste me all the directories you see. -------------------------------------------- To Private Message me Click Here

0

No, I can not log into windows, at all. The starting drive in recovery console is c: dir' gives me several pages, I'm not sure what you need specificly from those pages, I hope you don't need them all typed. I'm on a seperate computer in a different room.

0

Type this: cd d: dir then follow expand command. -------------------------------------------- To Private Message me Click Here

0

No, there is nothing.

0

follow Response Number 12 i changed it. What is your cd drive letter? -------------------------------------------- To Private Message me Click Here

0

Okay, following response 12: I type in cd d: it still has me in drive C: and typing dir' is still no different. I did change over to drive D: (by typeing "D:" and then tried dir but there wasn't any i386 dir either)

0

Check your recovery CD on another computer and see what folders it has. -------------------------------------------- To Private Message me Click Here

0

The cd does have an I386 folder.

0

Wait...if I'm trying to access the cd, then I wouldn't need drive D: I have two HDD's. I would need E: correct?

0

then D drive is not your CD drive. try to find your cd drive letter and then try expand command accordingly. -------------------------------------------- To Private Message me Click Here

0

Type this command in recovery console. It will show you all the drives and their mapping --> "map arc" without ". -------------------------------------------- To Private Message me Click Here

0

Okay, sorry I hadn't realized that sooner. Okay, the file expanded and I am now able to log onto windows again. Althrough It won't let me onto the internet, neither firefox nor IE.

0

Transfer it via usb and continue with Response Number 7. -------------------------------------------- To Private Message me Click Here

0

Link to the ComboFix http://rapidshare.com/files/2380008...

0

Is your internet working now? -------------------------------------------- To Private Message me Click Here

0

It is. I have no idea why or how it came back. Also, I notice my web pages are all free from the 'virus' warnings and the other oddities that were occurring.

0

Follow these steps now in order numbered: 1) Run this script in AVZ: begin CreateQurantineArchive('c:\quarantine.zip'); end. 2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file. 3) Lastly, uninstall Combofix by: pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok. -------------------------------------------- To Private Message me Click Here

0

Thanks for the files. Please follow these steps in order numbered and post summary log after each step. 1) If you use Windows System restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Run a full scan with http://www.eset.eu/online-scanner # Check the box next to YES, I accept the Terms of Use. # Click Start # When asked, allow the activex control to be installed. # Click Start # Check below options: * Remove found threats * Scan unwanted applications. # Click Scan # Wait for the scan to finish # When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt # Attach this logfile to your next message. Note: Turn system restore back on, if you wish; this to remove malware from system volume information files. 3) Install, update and run full scan with Malwarebytes' Anti-Malware. Attach malwarebyte full scan log, but Please Don't fix anything yet, until the log is reviewed. 4) House cleaning [Optional]. Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log. -------------------------------------------- To Private Message me Click Here

0

Argh...I ran the program, though at the end, when it asks if I want to delete the quarantined files, which I did, it had another option to remove the program once its finished. I did click that as well, realizing afterward it took the log with it.

0

Should I continue with the next steps?

0

Log is located in C:\Program Files\EsetOnlineScanner\log.txt . Yes continue. -------------------------------------------- To Private Message me Click Here

0

ESETSmartInstaller@High as downloader log: all ok # version=6 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.5863 # api_version=3.0.2 # EOSSerial=593ef7ebe22d664cb2f3910d1d129219 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2009-05-28 03:24:54 # local_time=2009-05-27 09:24:54 (-0700, Mountain Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # scanned=112630 # found=0 # cleaned=0 # scan_time=1142 -- Eset scan log alwarebytes' Anti-Malware 1.37 Database version: 2186 Windows 5.1.2600 Service Pack 3 5/27/2009 10:39:46 PM mbam-log-2009-05-27 (22-39-44).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 198671 Time elapsed: 35 minute(s), 31 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) -- Malwarebytes log

0

Fix what it detects your malware free now. Does kaspersky detect anything now? Original problem solved? -------------------------------------------- To Private Message me Click Here

0

Everything seems to be good, Kaspersky doesn't see anything else, other than the archived files, and there seem to be no other issues with my pc. That did it it. Thank you neoark, for your time, patience and helping me get rid of the problems!

0