Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log - Please Analyse


  • Please log in to reply
32 replies to this topic

#1 sassenach

sassenach

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Bicester
  • Local time:06:59 PM

Posted 06 August 2008 - 01:58 PM

Help please, I picked up the virtumonde and vundo viruses which I have tried to remove with Spybot S&D and Malawarebyte and ad-aware. When run in safe mode, they are removed but I am unable to get to a command prompt or run combofix as I get a rundll32.exe, cmd.exe and find.exe errors. I can start desktop from the task manager by launching explorer.


My Hijackthis log is below. Any help would be appreciated as I've been at this for 2 days and am going round in circles. Thanks in advance, John

________________________________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:26:32, on 06/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\WINDOWS\system32\MMTrayLSI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\MMTray2k.exe
C:\WINDOWS\system32\MMTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Sweex WiFi LAN 140 Nitro XM Utility\WlanUtl.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\opera.exe
C:\Hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {2C75E5E3-4165-41AA-99C4-752F626E9200} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {822073A1-9BAA-46A4-BAC2-54A781E8B3E9} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Sweex WiFi LAN 140 Nitro XM Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{722812DF-401E-406D-AB8D-B9AA9781E97E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: eamszv.dll
O20 - Winlogon Notify: ljJcDUmm - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 8595 bytes

BC AdBot (Login to Remove)

 


m

#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:59 PM

Posted 06 August 2008 - 02:24 PM

Please download Combofix to your desktop.
Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

#3 sassenach

sassenach
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Bicester
  • Local time:06:59 PM

Posted 06 August 2008 - 03:09 PM

Thanks for the prompt reply D-Trojanator, unfortunately as I said at the beginning of the post, I am unable to run combofix as there are application errors launching rundll32.exe, cmd.exe and find.exe. Do you have any suggestions of how to get you the info you need. This all stems from the initial error of userinit.exe not launching?

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:59 PM

Posted 06 August 2008 - 03:13 PM

Teaches me to dive straight in without reading your information properly! :thumbsup:
Can you please quote the errors exactly as you see them please..

#5 sassenach

sassenach
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Bicester
  • Local time:06:59 PM

Posted 06 August 2008 - 03:55 PM

1. rundll32.exe - Application error
The application failed to initialize properly (0xc0000005). Click on OK to teminate the application
2. cmd.exe - Application error
The application failed to initialize properly (0xc0000005). Click on OK to teminate the application
3. find.exe - Application error
The application failed to initialize properly (0xc0000005). Click on OK to teminate the application
4. rundll32.exe - Application error
The application failed to initialize properly (0xc0000005). Click on OK to teminate the application
5. cmd.exe - Application error
The application failed to initialize properly (0xc0000005). Click on OK to teminate the application
6. find.exe - Application error
The application failed to initialize properly (0xc0000005). Click on OK to teminate the application
7. Error - win32 only
Incompatible OS. Combofixonly works for windows 2000 and XP

The initial error on start up which happens twice and then explorer/desktop has to be launched from task manager:

userinit.exe- Application error
The application failed to initialize properly (0xc0000005). Click on OK to teminate the application

Thanks

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:59 PM

Posted 06 August 2008 - 05:54 PM

Do you have your original XP installation disks?

#7 sassenach

sassenach
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Bicester
  • Local time:06:59 PM

Posted 07 August 2008 - 06:45 AM

Got a legit full copy of XP, but I can't seem to find my SP2 upgrade disc if this is needed. Cheers

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:59 PM

Posted 07 August 2008 - 08:51 AM

Try going to Start...Run...and type in "sfc.exe /scannow" (without the quotes) and press Enter. It may ask for your XP Installation CD. Once it's done, please visit Windows Update to ensure that you've got the latest hotfixes and updates (sfc.exe replaces system files when it runs).

It could be that you are missing particular system files.
Reboot the PC afterwards and let me know if you still get the errors.

#9 sassenach

sassenach
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Bicester
  • Local time:06:59 PM

Posted 07 August 2008 - 02:21 PM

Everything updated by windows. Now on SP3 as well. No more updates. Same errors. One more shows up on start up, which I had not mentioned before (it was happening before but I ignored it as I think this is the remnants of the Trojan:

Windows cannot find /idlist,:thumbsup::2212,C:\Documents'. Make sure you typed the name correctly and try again

I ran the sfc.exe again after all the updating to ensure cmd.exe was working but still nothing, combofix will not run.
Thanks for your advice so far.

#10 sassenach

sassenach
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Bicester
  • Local time:06:59 PM

Posted 08 August 2008 - 11:52 AM

Tried running Symantec's Vundo cleaner, but did not find anything. Malawarebyte does not find anything until explorer or desktop is manually started and finds the following registry entries:

Malwarebytes' Anti-Malware 1.24
Database version: 1032
Windows 5.1.2600 Service Pack 3

17:47:42 08/08/2008
mbam-log-8-8-2008 (17-47-42).txt

Scan type: Quick Scan
Objects scanned: 60066
Time elapsed: 18 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hope this helps. John

#11 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:59 PM

Posted 08 August 2008 - 01:47 PM

Ok, we're going to start a different view on this. I think you have a rootkit install on your PC.
Stick with me here, it should start to get a bit interesting! Ask if you have a question.. :thumbsup:

Click start > run > type the following and hit enter: attrib -s -h c:\boot.ini
Again, click start > run and type this and hit enter: notepad c:\boot.ini
A notepad file will open, copy and paste the contents back here please.

#12 sassenach

sassenach
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Bicester
  • Local time:06:59 PM

Posted 08 August 2008 - 02:17 PM

Because it's opening a command window, I'm getting the same error:

The application failed to initialize properly (0xc0000005). Click on OK to teminate the application.

Copied the file to a pen drive and opened on my laptop. the details are:

[boot loader]

timeout=30

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:59 PM

Posted 08 August 2008 - 03:04 PM

Ok, if you click on start > run and enter: msconfig.exe, does it open?

Edited by D-Trojanator, 08 August 2008 - 03:05 PM.


#14 sassenach

sassenach
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Location:Bicester
  • Local time:06:59 PM

Posted 08 August 2008 - 03:47 PM

Yes, got it up in front of me

#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:59 PM

Posted 08 August 2008 - 03:51 PM

Click the boot.ini tab and checkmark the '/bootlog' option.
Click apply and reboot.

After the reboot, click start > run and type: C:\Windows\ntbtlog.txt
Paste the contents of the log that opens back here.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users