
userinit.exe and RunDLL32.exe problems



n8saxman
2008-07-05, 23:49
Hello

I can get my desktop to show using the explorer.exe, so that is working correctly but I still can't use certain programs.

Thank you for your help... here is the HJT log file



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:51 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Documents and Settings\Nate\lsass.exe
C:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\qcntpkdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00A4159C-F281-4966-B7C6-DC747EFE6E7A} - (no file)
O2 - BHO: (no name) - {07257AC9-1273-4596-8780-8D6F1BBBEA93} - (no file)
O2 - BHO: (no name) - {233BE716-2BB2-4FA2-8F6E-1AF5E465D033} - (no file)
O2 - BHO: (no name) - {38244B8B-8915-44C5-A87A-817036F5360D} - (no file)
O2 - BHO: (no name) - {393D097B-570F-455F-94AC-183373D073C8} - (no file)
O2 - BHO: (no name) - {4690A2F6-060D-442E-B596-9C58AE8211DB} - (no file)
O2 - BHO: (no name) - {5353D114-042B-4E23-B198-B87554A8D48D} - (no file)
O2 - BHO: (no name) - {697F8100-6668-4282-A1F0-1B5BC1C66BA7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8428CD4E-ADCB-4B41-8A7A-2D4DDB1C410F} - (no file)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {DA030632-BDFE-4F55-8259-9EC5E18ED577} - (no file)
O2 - BHO: {272300c8-2a08-48da-4164-aca32108ca2e} - {e2ac8012-3aca-4614-ad84-80a28c003272} - C:\WINDOWS\system32\kdfmfptk.dll
O2 - BHO: gooochi browser optimizer - {e387d02d-9a22-4276-f9e3-d1db05a50d20} - C:\WINDOWS\system32\{f1cf6c9b-0dd8-b7e6-79c9-5f0a443b6122}.dll
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Nate\lsass.exe
O4 - HKLM\..\Run: [{FB-BD-D7-73-DW}] C:\windows\system32\rwwnw64d.exe DWram1FF
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qcntpkdm.exe DWram1FF
O4 - HKLM\..\Run: [980fbddc] rundll32.exe "C:\WINDOWS\system32\namnfhuc.dll",b
O4 - HKLM\..\Run: [{e4835ac5-3658-2c9a-38eb-5fb422bfdaaf}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{f1cf6c9b-0dd8-b7e6-79c9-5f0a443b6122}.dll" DllStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntpkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stratnet.com
O17 - HKLM\Software\..\Telephony: DomainName = stratnet.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stratnet.com
O20 - AppInit_DLLs: wbsys.dll kdfmfptk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe

--
End of file - 7431 bytes
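Added example (not from the thread and not part of HijackThis): a small Python triage over lines in HijackThis v2 format that flags the entry types the replies below treat as the infection's footholds: an extra executable chained into UserInit (F2), Run entries (O4) that launch a DLL through rundll32 or a core binary name from a non-system path, AppInit_DLLs (O20), and services (O23) with an unknown owner or a missing file. The sample lines are copied from the log above; CORE_NAMES and the path heuristics are my own assumptions, not a published rule set.

```python
import re

# Constructed sample in HijackThis v2 format: entries copied from the log above
# (not a complete log), used as input for the triage below.
SAMPLE_LOG = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Nate\lsass.exe
O4 - HKLM\..\Run: [980fbddc] rundll32.exe "C:\WINDOWS\system32\namnfhuc.dll",b
O20 - AppInit_DLLs: wbsys.dll kdfmfptk.dll
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
"""

# Assumption: core Windows binaries that legitimately run only from %SystemRoot%\system32.
CORE_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe"}

def suspicious_path(target):
    """Why a launch target looks wrong, or None. Strips quotes and arguments first."""
    t = target.strip()
    m = re.match(r'"([^"]*)"|(.*?\.exe)\b', t, re.I)  # quoted path, or up to the first .exe
    path = (m.group(1) or m.group(2)) if m else t.split(" ")[0]
    low = path.lower()
    if low.rsplit("\\", 1)[-1] in CORE_NAMES and not low.startswith("c:\\windows\\system32\\"):
        return "core binary name outside system32"
    if "\\documents and settings\\" in low:
        return "executable under a user profile"
    return None

def triage(log_text):
    """Return (category, detail) pairs for HijackThis entries worth a closer look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Every entry in the comma list runs at logon; only userinit.exe belongs there.
            for p in filter(None, (p.strip() for p in line.split("=", 1)[1].split(","))):
                if p.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                    findings.append(("userinit", p))
        elif line.startswith("O4 - ") and "] " in line:
            target = line.split("] ", 1)[1]
            if re.search(r'rundll32\.exe\s+"?[^"]*\.dll', target, re.I):
                findings.append(("run-rundll32", target))  # DLL launched via rundll32 at logon
            elif suspicious_path(target):
                findings.append(("run", f"{target}: {suspicious_path(target)}"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            for dll in line.split(":", 1)[1].split():  # injected into every process using user32
                findings.append(("appinit", dll))
        elif line.startswith("O23 - ") and ("(file missing)" in line or "Unknown owner" in line):
            findings.append(("service", line.split("Service: ", 1)[1]))
    return findings
```

"Unknown owner" alone is only a prompt to verify the binary (the ATI Smart service in the full log carries it too), so the output is a worklist, not a verdict.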

pskelley
2008-07-08, 16:04
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

I guess I don't have to say badly infected do I? Look at this junk:
http://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99&tabid=2

This Trojan contains its own Internet Relay Chat (IRC) client. This allows it to connect to an IRC channel that was hardcoded into the Trojan. Using the IRC channel, the Trojan listens for commands from the hacker. The hacker accesses the Trojan by using a password-protected authorization. The commands allow the hacker to perform any of the following actions:
Manage the installation of the Trojan
Control the IRC client on the compromised computer
Update the installed Trojan
Send the Trojan to other IRC channels
Download and execute files
Perform DoS attacks against a target defined by the hacker
Uninstall itself completely by removing the relevant registry entries
You must keep the computer offline when you are not troubleshooting these issues, let's start like this:

1) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally post the contents of the Report.txt back on the forum with a new HijackThis log
(wait until you finish to post reports)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Post the Report.txt from SDFix, the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

n8saxman
2008-07-09, 02:18
I tried to do the step:

Open the extracted SDFix folder and double click RunThis.bat to start the script.

But first, the error comes up right when the computer is trying to load the desktop saying "userinit.exe" "cmd.exe" "find.exe" and that the "application failed to initialize properly (0xc0000005). Click OK to terminate the application."

Once I get this error away, then I can run the RunThis.bat and get us on our way.

Thank you for your post
Talk to you in a bit

:flame:

pskelley
2008-07-09, 02:29
Well sir, you have a badly infected computer and this may be your only option:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

I can suggest you try this:
Click Start > Run, type in sfc /scannow, hit Enter.
Note: there is a space between sfc and /scannow
This should replace any corrupted/missing system files and will hopefully fix things. You may need your XP disc in your CD drive for this.
http://dwightblackburn.com/winxp/ <<< tutorial
If you have missing or corrupt files that utility should replace them.

You can also try running combofix first, but I have a feeling if you cannot run SDFix, you will not be able to run combofix.

Thanks