
Hijack Log


2 replies to this topic

#1 Cedro


Posted 26 June 2008 - 01:27 PM

I had a problem because when I start Windows, a window appears saying that I have a problem with the file "userinit.exe". I say OK and then my desktop appears with no icons nor the start bar... I press Alt+Ctrl+Del and the icons and start bar appear on my desktop, but it keeps appearing; also, windows saying I have a problem with userinit.exe and rundll32... Because of that, I used ComboFix and did everything that I was told to do in the tutorial, but the problem keeps appearing! :thumbsup:

Here is the log:

ComboFix 08-06-20.4 - Cedric 2008-06-26 18:57:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.528 [GMT 1:00]
Executando de: F:\ComboFix.exe
Command switches used :: F:\WindowsXP-KB310994-SP2-Home-BootDisk-PTB.exe
* Criado um novo ponto de restauro
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8b4c40ba.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AcJlnnpo.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\opnnlJcA.dll
C:\WINDOWS\system32\wingsa32.dll
C:\WINDOWS\system32\xwistuyk.ini

.
((((((((((((((((((((((( Ficheiros criados de 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))))
.

2008-06-26 17:57 . 2008-06-26 17:57 <DIR> d-------- C:\Programas\Malwarebytes' Anti-Malware
2008-06-26 17:57 . 2008-06-26 17:57 <DIR> d-------- C:\Documents and Settings\Cedric\Application Data\Malwarebytes
2008-06-26 17:57 . 2008-06-26 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 17:57 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 17:57 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 16:51 . 2008-06-26 18:45 86,016 --a------ C:\WINDOWS\system32\mbcsoiiv.dll
2008-06-26 16:14 . 2008-06-26 16:14 107,008 --a------ C:\WINDOWS\system32\ffipbcam.dll
2008-06-26 13:38 . 2008-06-26 13:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-26 13:38 . 2008-06-26 13:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-25 16:18 . 2008-06-25 16:18 107,520 --a------ C:\WINDOWS\system32\cekwmhrq.dll
2008-06-25 16:12 . 2008-06-25 16:12 95,232 --a------ C:\WINDOWS\system32\uoqhsoss.dll
2008-06-24 16:14 . 2008-06-24 16:14 107,008 --a------ C:\WINDOWS\system32\tojblejx.dll
2008-06-24 16:09 . 2008-06-24 16:09 95,232 --a------ C:\WINDOWS\system32\onlbkujm.dll
2008-06-23 18:02 . 2008-06-26 18:38 34,304 --------- C:\WINDOWS\system32\yayyWqQJ.dll
2008-06-11 10:35 . 2008-06-14 18:59 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:35 . 2008-06-14 18:59 272,640 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 12:37 --------- d-----w C:\Documents and Settings\Cedric\Application Data\AVG7
2008-06-23 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-23 15:10 --------- d-----w C:\Programas\Mplayerc
2008-06-23 15:08 --------- d-----w C:\Documents and Settings\Cedric\Application Data\FileZilla
2008-06-23 15:07 --------- d-----w C:\Programas\eclipse
2008-06-23 15:05 --------- d-----w C:\Programas\Windows Media Connect 2
2008-06-23 15:05 --------- d-----w C:\Programas\FlashGet
2008-06-23 15:05 --------- d-----w C:\Programas\DivX
2008-06-23 15:05 --------- d-----w C:\Programas\Blaze Media Pro
2008-06-23 15:00 --------- d-----w C:\Programas\eMule
2008-06-17 16:29 --------- d-----w C:\Documents and Settings\Cedric\Application Data\Skype
2008-05-14 06:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-10 20:21 --------- d-----w C:\Programas\Ficheiros comuns\Blizzard Entertainment
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 21:18 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-05-04 13:56 --------- d-----w C:\Programas\DAEMON Tools Pro
2008-05-03 17:37 --------- d-----w C:\Documents and Settings\Cedric\Application Data\vlc
2008-05-03 17:29 --------- d-----w C:\Programas\VideoLAN
2008-05-02 17:48 --------- d-----w C:\Programas\Vodafone
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3545aabb-d7df-4f4b-8d2a-f3bb41780b93}]
2008-06-26 16:14 107008 --a------ C:\WINDOWS\system32\ffipbcam.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"msnmsgr"="C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 17:03 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-21 13:00 15360]
"DAEMON Tools Pro Agent"="C:\Programas\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 14:08 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Programas\Google\Gmail Notifier\gnotify.exe" [2005-07-15 22:48 479232]
"CTHelper"="CTHELPER.EXE" [2003-08-28 09:45 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]
"nwiz"="nwiz.exe" [2006-03-09 15:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\Programas\Ficheiros comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 15:29 86016]
"ISUSPM Startup"="C:\Programas\Ficheiros comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30 249856]
"ISUSScheduler"="C:\Programas\Ficheiros comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"GrooveMonitor"="C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Programas\iTunes\iTunesHelper.exe" [2007-03-02 15:24 257088]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 14:22 579584]
"Sony Ericsson PC Suite"="C:\Programas\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 09:16 528384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-21 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-17 16:14 219136]

C:\Documents and Settings\Cedric\Menu Iniciar\Programas\Arranque\
desktop(2).ini [2006-03-28 21:07:39 84]
Iniciação Rápida do Microsoft Office OneNote 2007.lnk - C:\Programas\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
Adobe Reader Speed Launch.lnk - C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tojblejx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm
"vidc.ffds"= ffdshow.ax
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Diciopédia 2005 DVD Tray.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Diciopédia 2005 DVD Tray.lnk
backup=C:\WINDOWS\pss\Diciopédia 2005 DVD Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bruno^Menu Iniciar^Programas^Arranque^Iniciação Rápida do Microsoft Office OneNote 2007.lnk]
path=C:\Documents and Settings\Bruno\Menu Iniciar\Programas\Arranque\Iniciação Rápida do Microsoft Office OneNote 2007.lnk
backup=C:\WINDOWS\pss\Iniciação Rápida do Microsoft Office OneNote 2007.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-04-21 17:03 94208 C:\PROGRA~1\FICHEI~1\Ahead\Lib\NMBGMO~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Programas\Daemon Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-02 15:24 257088 C:\Programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 01:00 28672 C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2004-02-12 16:57 188416 C:\Programas\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2004-02-12 16:59 77824 C:\Programas\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PelSetupRun]
E:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Programas\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Jogos\\Dungeon Siege 2\\DungeonSiege2.exe"=
"C:\\Programas\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"C:\\Programas\\DC++\\DCPlusPlus.exe"=
"C:\\Programas\\eMule\\emule.exe"=
"C:\\Programas\\RadLight 4.0\\rlkernel.exe"=
"C:\\Jogos\\Counter-Strike\\hltv.exe"=
"C:\\Jogos\\Counter-Strike\\hl.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Programas\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programas\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Programas\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"C:\\Programas\\iTunes\\iTunes.exe"=
"C:\\Programas\\FlashGet\\flashget.exe"=
"C:\\Programas\\BitComet\\BitComet.exe"=
"C:\\Jogos\\World of Warcraft\\Repair.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Programas\\DShutdown\\RDShutdown.exe"=
"C:\\Programas\\DShutdown\\DShutdown.exe"=
"C:\\Programas\\mIRC\\mirc.exe"=
"C:\\Programas\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programas\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Programas\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programas\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Programas\\Sony Ericsson\\Update Service\\Update Service.exe"=
"C:\\Programas\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Programas\\VoipBuster\\VoipBuster.exe"=
"C:\\Programas\\Mozilla Firefox\\firefox.exe"=
"C:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programas\\SopCast\\adv\\SopAdver.exe"=
"C:\\Programas\\SopCast\\SopCast.exe"=
"C:\\Programas\\Vodafone\\DesktopPhone.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23531:TCP"= 23531:TCP:BitComet 23531 TCP
"23531:UDP"= 23531:UDP:BitComet 23531 UDP
"14465:TCP"= 14465:TCP:BitComet 14465 TCP
"14465:UDP"= 14465:UDP:BitComet 14465 UDP

S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2007-12-28 13:57]
S3 kwwalpgr;kwwalpgr;C:\DOCUME~1\Cedric\DEFINI~1\Temp\kwwalpgr.sys []
S3 o1394bul;o1394bul;C:\DOCUME~1\Cedric\DEFINI~1\Temp\o1394bul.sys []
S3 PciCon;PciCon;E:\PciCon.sys []
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e70c676-e3e9-11da-8d66-0015f234c8ac}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM

.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-06-24 20:01:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programas\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 19:02:19
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"C:\Programas\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Programas\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-06-26 19:08:18 - machine was rebooted [Cedric]
ComboFix-quarantined-files.txt 2008-06-26 18:08:15

Pre-Run: 7,676,878,848 bytes livres
Post-Run: 7,596,593,152 bytes livres

WindowsXP-KB310994-SP2-Home-BootDisk-PTB.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

221 --- E O F --- 2008-06-21 02:01:24


Hope you can help me because I fear my PC is at risk!!! :)
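A defender-side triage check, added here as an example and not part of this thread or of ComboFix itself: it parses the "registry loading points" layout shown in the log above and flags the entry types a helper would look at first (a non-empty AppInit_DLLs value, a Browser Helper Object whose DLL was created shortly before the scan, and AutoRun/open handlers under mountpoints2). The sample text is constructed from the entries in this thread's log, and the 30-day "recent" window is an assumed heuristic.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in ComboFix's "registry loading points" layout; the entries
# are copied from the log posted above (one benign Run entry included as a control).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3545aabb-d7df-4f4b-8d2a-f3bb41780b93}]
2008-06-26 16:14 107008 --a------ C:\WINDOWS\system32\ffipbcam.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-21 13:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tojblejx.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e70c676-e3e9-11da-8d66-0015f234c8ac}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
"""

def parse_blocks(text):
    """Split the log into (registry key, [entry lines]) pairs."""
    blocks, key, lines = [], None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                blocks.append((key, lines))
            key, lines = line[1:-1], []
        elif line and key is not None:
            lines.append(line)
    if key is not None:
        blocks.append((key, lines))
    return blocks

def flag_entries(text, scan_date, recent_days=30):
    """Return (key, line, reason) for loading points worth a closer look."""
    scan = datetime.strptime(scan_date, "%Y-%m-%d")
    findings = []
    for key, lines in parse_blocks(text):
        low = key.lower()
        for line in lines:
            if low.endswith(r"\windows nt\currentversion\windows") and line.startswith('"AppInit_DLLs"='):
                # Any value here is loaded by user32.dll into every process that uses it
                if line.split("=", 1)[1].strip():
                    findings.append((key, line, "non-empty AppInit_DLLs"))
            elif "browser helper objects" in low:
                m = re.match(r"(\d{4}-\d{2}-\d{2}) \S+ \d+ \S+ .+\.dll$", line, re.I)
                if m and scan - datetime.strptime(m.group(1), "%Y-%m-%d") <= timedelta(days=recent_days):
                    findings.append((key, line, "BHO DLL created within %d days of the scan" % recent_days))
            elif "mountpoints2" in low and re.search(r"\\shell\\(autorun|open)\\command", line, re.I):
                findings.append((key, line, "AutoRun/open handler on a removable drive"))
    return findings
```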


#2 chryssi2001


Posted 18 July 2008 - 03:51 AM

Hello Cedro,

I apologise for the delay; the forum is too busy.

Please remove Combofix from your computer.
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 chryssi2001


Posted 23 July 2008 - 06:05 AM

Due to the lack of feedback, this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Private Messages for personal support will be ignored. If you need help post in the forum.



