Userinit.exe Application Error


  • This topic is locked
3 replies to this topic

#1 wae

wae

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:48 PM

Posted 03 July 2008 - 08:32 PM

Hi.
I am having trouble getting rid of this thing.
When the computer boots up it displays a message box with "userinit.exe - application error" in the title bar. The message reads "application failed to initialise properly (0xc0000005). Click ok to terminate the application." Clicking ok or exiting the window twice gets me to a dark blue screen with a blue and yellow box reading "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer." The screen does not go away and the computer does not continue booting up, but alt-control-delete brings up the task manager, so I can run programs.
Any help is much appreciated.

Here are the logs:

Deckard's System Scanner v20071014.68
Run by Wendy Egan on 2008-07-04 11:13:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-07-04 01:13:48 UTC - RP156 - Deckard's System Scanner Restore Point
3: 2008-07-03 23:35:03 UTC - RP155 - Restore Operation
2: 2008-07-03 23:01:01 UTC - RP154 - Last good restore point
1: 2008-07-03 23:00:56 UTC - RP153 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 13.28 GiB (less than 15%) free.


-- HijackThis (run as Wendy Egan.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:42 AM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Wendy Egan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Wendy Egan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59F8FA75-FF44-4044-895C-2E7DF9CDFC48} - C:\WINDOWS\system32\pmnkLBQh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_SAB.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00BFFBE.dat
O20 - Winlogon Notify: yayXrpOe - C:\WINDOWS\
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8450 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 asuskbnt (Enhanced Display Driver Helper Service) - c:\windows\system32\drivers\atkkbnt.sys <Not Verified; ASUSTeK COMPUTER INC.; ASUS Help driver For Keyboard Service.>
R1 EIO - c:\windows\system32\drivers\eio.sys <Not Verified; ASUSTeK Computer Inc.; ASUS Kernel Mode Driver for NT>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 DgiVecp - c:\windows\system32\drivers\dgivecp.sys <Not Verified; Samsung Electronics Co., Ltd.; Samsung Electronics Co., Ltd. VECP for Windows 2000, XP>
R3 AF15BDA (WinFast DTV Dongle Gold BDA Filter) - c:\windows\system32\drivers\af15bda.sys <Not Verified; AfaTech; AF9015 BDA Driver for USB Device>
R3 asusgsb (ASUS Virtual Video Capture Device Driver) - c:\windows\system32\drivers\asusgsb.sys <Not Verified; ASUSTeK Computer Inc.; ASUS Virtual Video Capture Device Driver>
R3 ULCDRHlp - c:\windows\system32\drivers\ulcdrhlp.sys <Not Verified; Ulead Systems, Inc.; Ulead CD/DVD Burning Engine>
R3 Video3D (ASUS Video3D Service) - c:\windows\system32\drivers\video3d32.sys <Not Verified; ASUSTeK COMPUTER INC.; ASUS Video3D driver>

S2 SSPORT - c:\windows\system32\drivers\ssport.sys (file missing)
S3 WFIOCTL - c:\program files\winfast\wfdtv\wfioctl.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ATKKeyboardService (ATK Keyboard Service) - c:\windows\atkkbservice.exe <Not Verified; ASUSTeK COMPUTER INC.; ASUS Keyboard Service>
R2 SAVAdminService (Sophos Anti-Virus status reporter) - "c:\program files\sophos\sophos anti-virus\savadminservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
R2 SAVService (Sophos Anti-Virus) - "c:\program files\sophos\sophos anti-virus\savservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
R2 Sophos AutoUpdate Service - "c:\program files\sophos\autoupdate\alsvc.exe" <Not Verified; Sophos Plc; Sophos AutoUpdate>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-02 12:20:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-07-04 10:10:24 0 d-------- C:\Program Files\Trend Micro
2008-07-04 09:08:13 51200 --a------ C:\WINDOWS\system32\__c00BCB88.dat
2008-07-04 09:00:59 5242880 --a------ C:\Documents and Settings\Wendy Egan\ntuser.dat
2008-07-04 08:59:15 60928 --a------ C:\WINDOWS\system32\blphcrqsj0et3r.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-04 08:59:12 109056 --a------ C:\WINDOWS\system32\lphcrqsj0et3r.exe
2008-07-04 08:57:48 51200 --a------ C:\WINDOWS\system32\__c00BFFBE.dat
2008-07-04 08:57:46 51200 --a------ C:\WINDOWS\system32\qsalkhgq.dll
2008-07-03 16:33:44 51200 --a------ C:\WINDOWS\system32\__c00DB4C6.dat
2008-07-02 17:15:09 486502 --ahs---- C:\WINDOWS\system32\hQBLknmp.ini2
2008-07-02 17:15:04 285696 --a------ C:\WINDOWS\system32\pmnkLBQh.dll
2008-07-02 17:10:28 0 d--hs---- C:\Documents and Settings\Wendy Egan\!
2008-07-02 17:10:05 0 d-------- C:\WINDOWS\system32\modtrux05
2008-07-02 17:10:00 34304 --a------ C:\WINDOWS\system32\yayXrpOe.dll
2008-07-02 09:10:10 23 --a------ C:\Documents and Settings\Wendy Egan\jagex_runescape_preferences.dat
2008-06-30 09:53:34 0 d-------- C:\Documents and Settings\Wendy Egan\Application Data\gtk-2.0
2008-06-30 09:51:10 0 d-------- C:\Documents and Settings\Wendy Egan\.thumbnails
2008-06-30 09:36:50 0 d-------- C:\Documents and Settings\Wendy Egan\.gimp-2.4
2008-06-30 09:36:16 0 d-------- C:\Program Files\GIMP-2.0
2008-06-28 18:17:38 0 d-------- C:\Documents and Settings\Wendy Egan\Application Data\Apple Computer
2008-06-26 20:05:32 0 d-------- C:\Program Files\QuickTime
2008-06-26 20:05:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-26 20:05:17 0 d-------- C:\Program Files\Apple Software Update
2008-06-26 20:05:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-26 18:58:30 26 --a------ C:\WINDOWS\winstart.bat
2008-06-26 18:58:30 122 --a------ C:\WINDOWS\tmpdelis.bat
2008-06-26 18:58:30 123 --a------ C:\WINDOWS\tmpcpyis.bat
2008-06-26 18:57:51 132096 --a------ C:\WINDOWS\system32\sst1init.dll <Not Verified; 3Dfx Interactive, Inc.; InitCode for Voodoo Graphics© and Windows® 95>
2008-06-26 18:57:51 263168 --a------ C:\WINDOWS\system32\glide.dll <Not Verified; 3Dfx Interactive, Inc.; Glide™ for Voodoo Graphics© and Windows® 95>
2008-06-26 18:56:11 297472 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-06-26 16:25:55 499 --a------ C:\WINDOWS\eReg.dat
2008-06-26 16:25:49 33792 -ra------ C:\WINDOWS\NPSExec.exe <Not Verified; Electronic Arts; Electronic Arts NPSExec>
2008-06-26 16:25:47 0 d-------- C:\Program Files\Electronic Arts
2008-06-26 16:24:11 0 d-------- C:\Program Files\Maxis
2008-06-26 16:09:50 0 d-------- C:\Program Files\Rockstar Games
2008-06-26 15:44:57 0 d-------- C:\Program Files\3DO
2008-06-21 15:12:00 0 d-------- C:\WINDOWS\Samsung
2008-06-21 11:35:00 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-06-14 22:40:59 0 d-------- C:\Documents and Settings\All Users\Application Data\UDL
2008-06-14 22:33:29 495616 --a------ C:\WINDOWS\system32\PICSDK2.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-06-14 22:33:29 73728 --a------ C:\WINDOWS\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-06-14 22:33:29 77824 --a------ C:\WINDOWS\system32\PICEntry.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-06-14 22:33:29 114688 --a------ C:\WINDOWS\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-06-14 22:33:29 111932 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-06-14 22:33:29 1120 --a------ C:\WINDOWS\system32\EPPICPresetData_IT.dat
2008-06-14 22:33:29 1107 --a------ C:\WINDOWS\system32\EPPICPresetData_GE.dat
2008-06-14 22:33:28 1139 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2008-06-14 22:33:28 1129 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2008-06-14 22:33:28 1136 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2008-06-14 22:33:28 1104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2008-06-14 22:33:28 1146 --a------ C:\WINDOWS\system32\EPPICPresetData_DU.dat
2008-06-14 22:33:28 1129 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2008-06-14 22:33:28 1139 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2008-06-14 22:33:28 4943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2008-06-14 22:33:28 21390 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2008-06-14 22:33:28 11811 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2008-06-14 22:33:28 24903 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2008-06-14 22:33:28 20148 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-06-14 22:33:28 31053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-06-14 22:33:28 27417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-06-14 22:33:28 26154 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-06-14 22:33:28 65536 --a------ C:\WINDOWS\system32\EPPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-06-14 22:28:59 0 d-------- C:\Program Files\epson
2008-06-09 21:03:52 0 d-------- C:\Documents and Settings\Wendy Egan\Application Data\DVD Flick
2008-06-09 21:03:37 0 d-------- C:\Program Files\DVD Flick
2008-06-07 00:06:32 350 --a------ C:\WINDOWS\system32\AF15IRTBL.bin


-- Find3M Report ---------------------------------------------------------------

2008-07-04 09:07:31 0 d-------- C:\Documents and Settings\Wendy Egan\Application Data\OpenOffice.org2
2008-07-02 17:08:35 0 d-------- C:\Documents and Settings\Wendy Egan\Application Data\LimeWire
2008-07-01 18:42:38 2 --a------ C:\WINDOWS\system32\Dvbpws.dll
2008-06-28 12:03:48 0 d-------- C:\Program Files\Online Services
2008-06-28 09:43:07 0 d-------- C:\Program Files\Windows NT
2008-06-27 14:46:03 167064 --a------ C:\Program Files\custom.dat
2008-06-14 22:45:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-14 22:45:11 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-09 19:31:32 0 d-------- C:\Documents and Settings\Wendy Egan\Application Data\VideoReDoPlus
2008-06-01 09:19:13 0 d-------- C:\Program Files\VideoReDoPlus
2008-05-31 20:04:38 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-31 11:44:32 0 d-------- C:\Documents and Settings\Wendy Egan\Application Data\Ahead
2008-05-31 10:06:07 0 d-------- C:\Program Files\Limewire
2008-05-31 09:46:06 0 d-------- C:\Program Files\Common Files\LightScribe
2008-05-31 09:46:05 0 d-------- C:\Program Files\Common Files
2008-05-31 09:45:41 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-31 09:38:40 0 d-------- C:\Program Files\Nero
2008-05-25 12:29:07 0 d-------- C:\Documents and Settings\Wendy Egan\Application Data\Macromedia
2008-05-18 17:59:28 0 d-------- C:\Program Files\User
2008-05-18 17:57:28 0 d-------- C:\Program Files\data
2008-05-18 17:20:36 0 d-------- C:\Program Files\graphics
2008-05-18 17:20:29 0 d-------- C:\Program Files\FESfx
2008-05-18 17:20:25 0 d-------- C:\Program Files\DXLayouts
2008-05-17 21:39:22 0 d-------- C:\Program Files\Warcraft III
2008-05-17 17:15:22 0 d-------- C:\Program Files\PokerStars
2008-04-12 17:28:21 76867 --a------ C:\WINDOWS\War3Unin.dat
2008-04-12 16:47:20 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-04-12 16:47:20 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-04-11 16:31:08 1160 --a------ C:\WINDOWS\mozver.dat
2008-04-11 02:38:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-11 02:34:21 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-10 09:47:33 17920 --a------ C:\WINDOWS\system32\sophosboottasks.exe <Not Verified; Sophos Plc; Sophos Anti-Virus>
2008-04-08 00:04:14 62 --ahs---- C:\Documents and Settings\Wendy Egan\Application Data\desktop.ini
2008-04-07 14:35:08 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-07 14:19:07 0 -rahs---- C:\MSDOS.SYS
2008-04-07 14:19:07 0 -rahs---- C:\IO.SYS
2008-04-07 14:19:07 0 --a------ C:\CONFIG.SYS
2008-04-07 14:19:07 0 --a------ C:\AUTOEXEC.BAT
2008-04-07 14:16:55 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8120 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-04 11:15:14 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
CPU 1: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
CPU 2: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
CPU 3: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
Percentage of Memory in Use: 18%
Physical Memory (total/avail): 2046.42 MiB / 1660.31 MiB
Pagefile Memory (total/avail): 3939.16 MiB / 3721.51 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.45 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 13.28 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3250310AS - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.470.000 (Check Point, LTD.)
AV: Sophos Anti-Virus v () Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\GIGABYTE\\GEST\\run.exe"="C:\\Program Files\\GIGABYTE\\GEST\\run.exe:*:Enabled:update"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Limewire\\LimeWire.exe"="C:\\Program Files\\Limewire\\LimeWire.exe:*:Enabled:LimeWire"


-- Environment Variables -------------------------------------------------------



-- User Profiles ---------------------------------------------------------------

Wendy Egan (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type1754 / Warning
Event Submitted/Written: 07/04/2008 09:18:04 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
File "C:\WINDOWS\system32\hQBLknmp.ini" belongs to virus/spyware 'Troj/Virtum-Gen'.

Event Record #/Type1753 / Warning
Event Submitted/Written: 07/04/2008 09:18:04 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
Registry key "HKCR\CLSID\{99b2f2ee-9f73-496a-ba47-b0ddc9cd51fd}" belongs to virus/spyware 'Troj/Virtum-Gen'.

Event Record #/Type1752 / Warning
Event Submitted/Written: 07/04/2008 09:18:04 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99b2f2ee-9f73-496a-ba47-b0ddc9cd51fd}" belongs to virus/spyware 'Troj/Virtum-Gen'.

Event Record #/Type1751 / Warning
Event Submitted/Written: 07/04/2008 09:18:04 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
File "C:\WINDOWS\system32\pmnkLBQh.dll" belongs to virus/spyware 'Troj/Virtum-Gen'.

Event Record #/Type1750 / Warning
Event Submitted/Written: 07/04/2008 09:18:04 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
Process "C:\WINDOWS\system32\pmnkLBQh.dll:pid:0000033c" belongs to virus/spyware 'Troj/Virtum-Gen'.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11685 / Error
Event Submitted/Written: 07/04/2008 11:08:45 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053

Event Record #/Type11683 / Error
Event Submitted/Written: 07/04/2008 11:08:44 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Event Record #/Type11675 / Error
Event Submitted/Written: 07/04/2008 11:08:40 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SSPORT service failed to start due to the following error:
%%2

Event Record #/Type11668 / Error
Event Submitted/Written: 07/04/2008 11:04:51 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053

Event Record #/Type11667 / Error
Event Submitted/Written: 07/04/2008 11:04:51 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.



-- End of Deckard's System Scanner: finished at 2008-07-04 11:15:14 ------------
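Added here as an editor's example, not part of the thread and not HijackThis or DSS code: a small triage script that reads the O2/O20 lines and the "Files created" entries quoted in the log above and shows why the unnamed BHO and the two O20 hooks stand out when the two lists are joined. The three-day "recent" window and the system32\<name>.dll guess for the Winlogon Notify DLL are this example's own assumptions.

```python
"""Join HijackThis autostart entries with the DSS "Files created" list.

Editor's example (not HijackThis or DSS code). Flags entries that load code
from unusual places and checks whether the file behind them was created
shortly before the scan and carries no version information.
"""
import re
from datetime import datetime, timedelta

# Lines copied from the HijackThis section of the log above.
HJT_LINES = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59F8FA75-FF44-4044-895C-2E7DF9CDFC48} - C:\WINDOWS\system32\pmnkLBQh.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00BFFBE.dat
O20 - Winlogon Notify: yayXrpOe - C:\WINDOWS\
""".strip().splitlines()

# Lines copied from the DSS "Files created between ..." section above.
DSS_FILES = r"""
2008-07-04 08:57:48 51200 --a------ C:\WINDOWS\system32\__c00BFFBE.dat
2008-07-02 17:15:04 285696 --a------ C:\WINDOWS\system32\pmnkLBQh.dll
2008-07-02 17:10:00 34304 --a------ C:\WINDOWS\system32\yayXrpOe.dll
2008-06-14 22:33:29 73728 --a------ C:\WINDOWS\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
""".strip().splitlines()

SCAN_TIME = datetime(2008, 7, 4, 11, 13, 43)  # "Run by ... on 2008-07-04 11:13:43"
RECENT = timedelta(days=3)                     # assumption: "recent" = within 3 days of the scan

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
# date time size attrs path [<version info>]
DSS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+?)(?: <([^>]*)>)?$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s<]+")


def parse_dss_files(lines):
    """Map lower-cased path -> (created, size, version_info or None)."""
    files = {}
    for line in lines:
        m = DSS_RE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        files[m.group(4).lower()] = (created, int(m.group(2)), m.group(5))
    return files


def hjt_path(entry):
    """First drive-letter path in a HijackThis entry, or None."""
    m = PATH_RE.search(entry)
    return m.group(0) if m else None


def triage(hjt_lines, dss_lines, scan_time=SCAN_TIME):
    """Return a list of {code, entry, path, reasons} for entries worth a closer look."""
    files = parse_dss_files(dss_lines)
    findings = []
    for line in hjt_lines:
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        code, entry = m.groups()
        reasons = []
        path = hjt_path(entry)
        if code == "O20":
            reasons.append("O20 hook: AppInit_DLLs loads into every GUI process, Winlogon Notify into winlogon")
            if entry.startswith("Winlogon Notify:"):
                # HJT prints only the Notify subkey name; assumption: the DLL it
                # registers is system32\<name>.dll, so look that up in the DSS list.
                name = entry.split(":", 1)[1].split(" - ")[0].strip()
                path = f"C:\\WINDOWS\\system32\\{name}.dll"
        if code == "O2" and ("(no name)" in entry or "(no file)" in entry):
            reasons.append("BHO without a name or without a file on disk")
        info = files.get(path.lower()) if path else None
        if info:
            created, _size, version_info = info
            if scan_time - created <= RECENT and version_info is None:
                reasons.append(f"file created {created:%Y-%m-%d %H:%M}, no version info")
        if reasons:
            findings.append({"code": code, "entry": entry, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LINES, DSS_FILES):
        print(f"{f['code']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```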

#2 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:01:48 AM

Posted 23 July 2008 - 01:26 PM

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

I am sorry that we were unable to reply to your post sooner. The forums have been very busy.

If you are still in need of assistance, please scan again with HijackThis and post a fresh log.

Also, please make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.

Post the fresh HijackThis log and the uninstall list in the body of your next reply.
Member of ASAP (Alliance of Security Analysis Professionals)

#3 wae

wae
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:48 PM

Posted 26 July 2008 - 12:31 AM

Hi Carolyn,

That's a very kind offer. But ...

I tried to install a different antivirus program. I did some registry edits. I tried running a program at the command prompt to "fix" windows but it didn't. I went to restore to an earlier point, but for some reason only one restore point was accessible. I wasn't sure if it was before or after the invasion, but I think it was after. I did the restore and then the system was giving weird errors and rebooting itself. I tried a windows reinstall (update rather than completely fresh) from the CD, which improved things somewhat but did not clear the userinit.exe error. Then I used knoppix to download the data files onto an external hard disk. And then, why not? Now I have installed Fedora Core 8.

I have a full time job, 5 kids and a new operating system on my PC - no time for anything more.

So thank you very very much Carolyn for taking the trouble to get back to me. It is very much appreciated.

I'm very new to posting. I'm not sure how to mark this topic closed.

Cheers

#4 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:01:48 AM

Posted 26 July 2008 - 06:58 AM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)