Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help
userinit.exe Fails to initialize, computer reboots randomly.. userinit.exe Fails to initialize, computer reboots randomly..
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Reply
 
Thread Tools
Old 06-29-2008, 05:17 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 7
OS: xp sp2


G'day!

Now as I said in the title, I've been greeted with the userinit.exe fails to initialize and the only way i can get into anything is by running explorer via task manager. Once in, my computer will still randomly shut itself off as it sees fit.

After some googling, I ran a spybot check which discovered various incarnations of 'Vundo'... After i removed it from there, I am still getting the problem.

Here's what HJT says:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:38 PM, on 29/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Winamp\winampa.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WinZip\WZQKPICK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B5A0E4F7-09EC-4246-A8C6-99768674511E} - C:\WINDOWS\system32\fccccBTN.dll (file missing)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BMaf44895b] Rundll32.exe "C:\WINDOWS\system32\tlwuvjba.dll",s
O4 - HKLM\..\Run: [ac77bac7] rundll32.exe "C:\WINDOWS\system32\drjcbuin.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209298268671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1209300422906
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0036F2D.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 4217 bytes


Thanks in advance for any help!

OK, I just re-ran Spybot and it found 2 errors this time, one which I thought it had already removed, and another. So i fixed them and here's the updated log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:16 PM, on 29/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Winamp\winampa.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B5A0E4F7-09EC-4246-A8C6-99768674511E} - C:\WINDOWS\system32\fccccBTN.dll (file missing)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BMaf44895b] Rundll32.exe "C:\WINDOWS\system32\tlwuvjba.dll",s
O4 - HKLM\..\Run: [ac77bac7] rundll32.exe "C:\WINDOWS\system32\drjcbuin.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA2836] command /c del "C:\WINDOWS\system32\fccccBTN.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC212] cmd /c del "C:\WINDOWS\system32\fccccBTN.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB6686] command /c del "C:\WINDOWS\system32\fccccBTN.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD210] cmd /c del "C:\WINDOWS\system32\fccccBTN.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209298268671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1209300422906
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0036F2D.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 4572 bytes


Cheers!
Last edited by amateur : 06-29-2008 at 06:33 AM. Reason: merged to retain 0-reply status
zambria is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-30-2008, 08:35 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,435
OS: 2000 Pro; XP Pro; XP Home


Re: userinit.exe Fails to initialize, computer reboots randomly..
Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-30-2008, 10:12 AM   #3 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 7
OS: xp sp2


Re: userinit.exe Fails to initialize, computer reboots randomly..
Thanks for the help cobber. Just thought I should mention I've run spybot again and discovered that one particular win32.bho.df (i think) refuses to leave, even though spybot apparently fixes it. Regardless, here's the results!

Deckard's System Scanner v20071014.68
Run by Sambo on 2008-07-01 00:07:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
198: 2008-06-30 16:07:56 UTC - RP198 - Deckard's System Scanner Restore Point
197: 2008-06-30 09:11:23 UTC - RP197 - System Checkpoint
196: 2008-06-29 04:33:05 UTC - RP196 - Configured Driver Detective
195: 2008-06-28 06:00:40 UTC - RP195 - Last known good configuration
194: 2008-06-28 06:00:36 UTC - RP194 - Installed Driver Detective


-- First Restore Point --
1: 2008-06-28 05:59:50 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Sambo.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:31 AM, on 1/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Winamp\winampa.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WinZip\WZQKPICK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Sambo\Desktop\Downloaded ****\dss(2).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sambo.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B5A0E4F7-09EC-4246-A8C6-99768674511E} - C:\WINDOWS\system32\fccccBTN.dll (file missing)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BMaf44895b] Rundll32.exe "C:\WINDOWS\system32\tlwuvjba.dll",s
O4 - HKLM\..\Run: [ac77bac7] rundll32.exe "C:\WINDOWS\system32\drjcbuin.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209298268671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1209300422906
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0036F2D.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 4233 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: 45746830
Device ID: USB\VID_07D1&PID_13F1\757
Manufacturer:
Name: 45746830
PNP Device ID: USB\VID_07D1&PID_13F1\757
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\5107DC6923C01
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\5107DC6923C01
Service: NIC1394

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_00801462&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_00801462&REV_02\3&13C0B0C5&0&FD
Service:


-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-06-29 19:01:08 0 d-------- C:\Program Files\Trend Micro
2008-06-29 17:34:19 0 d-------- C:\VundoFix Backups
2008-06-29 16:24:38 0 d-------- C:\!KillBox
2008-06-29 12:33:53 51200 --a------ C:\WINDOWS\system32\__c0036F2D.dat
2008-06-29 12:33:49 51200 --a------ C:\WINDOWS\system32\ixpddfvq.dll
2008-06-29 12:31:47 81920 --a------ C:\WINDOWS\system32\drjcbuin.dll
2008-06-29 12:31:37 90624 --a------ C:\WINDOWS\system32\tlwuvjba.dll
2008-06-28 13:59:40 469704 --ahs---- C:\WINDOWS\system32\NTBccccf.ini2
2008-06-28 13:54:48 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-06-28 13:54:23 57344 --a------ C:\WINDOWS\system32\opnomjkK.dll
2008-06-28 12:56:34 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-28 11:38:20 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-26 15:52:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-25 20:28:37 0 d-------- C:\Program Files\Messenger Plus! Live
2008-06-18 19:12:25 0 d-------- C:\Program Files\ASIO4ALL v2
2008-06-18 19:12:10 225280 --a------ C:\WINDOWS\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-06-18 19:12:10 0 d-------- C:\Program Files\VstPlugins
2008-06-18 19:11:09 0 d-------- C:\Program Files\Outsim
2008-06-18 19:09:11 0 d-------- C:\Program Files\Image-Line
2008-06-15 1443 0 d-------- C:\Documents and Settings\Sambo\Application Data\SPORE Creature Creator
2008-06-15 13:54:20 0 d-------- C:\WINDOWS\Logs
2008-06-15 13:46:29 0 d-------- C:\Program Files\Electronic Arts
2008-06-08 21:58:28 0 d-------- C:\Documents and Settings\Sambo\Application Data\Moyea
2008-06-08 21:58:27 0 d-------- C:\Program Files\Moyea
2008-06-08 20:29:38 0 d-------- C:\Documents and Settings\Sambo\dwhelper
2008-06-08 20:27:26 0 d-------- C:\Program Files\Red Kawa


-- Find3M Report ---------------------------------------------------------------

2008-07-01 00:03:42 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-29 12:33:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 21:19:01 0 d-------- C:\Documents and Settings\Sambo\Application Data\Audacity
2008-06-28 14:09:59 0 d-------- C:\Documents and Settings\Sambo\Application Data\uTorrent
2008-06-24 20:20:52 0 d-------- C:\Documents and Settings\Sambo\Application Data\Adobe
2008-05-25 17:59:33 0 d-------- C:\Program Files\Ahead
2008-05-25 17:59:32 0 d-------- C:\Program Files\Common Files
2008-05-25 17:59:32 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-16 16:56:35 0 d-------- C:\Documents and Settings\Sambo\Application Data\Sun
2008-05-16 16:49:37 0 d-------- C:\Program Files\Java
2008-05-16 16:44:50 0 d-------- C:\Program Files\Common Files\Java
2008-05-13 17:34:35 0 d-------- C:\Program Files\Power Tab Software
2008-05-08 19:47:48 0 d-------- C:\Program Files\Bonjour
2008-05-08 19:47:45 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-08 19:38:32 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-06 18:28:49 0 d-------- C:\Program Files\Native Instruments
2008-05-06 18:28:04 0 d-------- C:\Program Files\Common Files\Native Instruments
2008-05-06 18:28:00 0 d-------- C:\Program Files\Common Files\Digidesign
2008-05-05 15:52:14 0 d-------- C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-05-05 15:36:55 0 d-------- C:\Documents and Settings\Sambo\Application Data\Help
2008-05-02 16:22:53 0 d-------- C:\Program Files\Avanquest update
2008-05-02 16:22:52 0 d-------- C:\Documents and Settings\Sambo\Application Data\InstallShield
2008-05-02 16:21:21 0 d-------- C:\Program Files\Motorola Phone Tools
2008-05-02 16:17:44 0 d-------- C:\Program Files\Common Files\Motorola Shared
2008-05-01 21:10:18 0 d-------- C:\Program Files\USR
2008-04-29 1924 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-04-29 1924 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-04-28 02:39:50 62 --ahs---- C:\Documents and Settings\Sambo\Application Data\desktop.ini
2008-04-27 20:57:59 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-27 20:38:52 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-27 18:55:05 0 -rahs---- C:\MSDOS.SYS
2008-04-27 18:55:05 0 -rahs---- C:\IO.SYS
2008-04-27 18:55:05 0 --a------ C:\CONFIG.SYS
2008-04-27 18:55:05 0 --a------ C:\AUTOEXEC.BAT
2008-04-27 18:52:41 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8783 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-01 00:09:04 ------------
Attached Files
File Type: txt extra.txt (5.2 KB, 1 views)
zambria is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-30-2008, 10:21 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,435
OS: 2000 Pro; XP Pro; XP Home


Re: userinit.exe Fails to initialize, computer reboots randomly..
You don't appear to have an AntiVirus application installed.

Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

We will address that during the course of this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please do no more self-help while we're working together, as it may work counter to something I've planned.

---------------------------------------------------------------------------------------------


Download ComboFix from Here:


* IMPORTANT !!! Place combofix.exe on your Desktop

We will first use ComboFix to install the Microsoft Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Next, download the Microsoft file from this link:

    http://www.microsoft.com/downloads/d...displaylang=en


  • Save the file as it's originally named, next to ComboFix.exe.
  • Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix . See this link for help if needed.

  • Drag the setup package onto ComboFix.exe and drop it.



  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

    ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

    As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

    Once the Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.




  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 07-01-2008, 02:21 AM   #5 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 7
OS: xp sp2


Re: userinit.exe Fails to initialize, computer reboots randomly..
I appreciate the hell out of this digger, cheers!

Here's the combofix log:

ComboFix 08-06-30.2 - Sambo 2008-07-01 16:07:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.266 [GMT 8:00]
Running from: C:\Documents and Settings\Sambo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sambo\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ctcoinst.dll
C:\WINDOWS\system32\drjcbuin.dll
C:\WINDOWS\system32\ixpddfvq.dll
C:\WINDOWS\system32\jkxucdvn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\niubcjrd.ini
C:\WINDOWS\system32\NTBccccf.ini
C:\WINDOWS\system32\NTBccccf.ini2
C:\WINDOWS\system32\opnomjkK.dll
C:\WINDOWS\system32\tlwuvjba.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-07-01 00:07 . 2008-07-01 00:07 <DIR> d-------- C:\Deckard
2008-06-29 19:01 . 2008-06-29 19:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 17:34 . 2008-06-29 17:34 <DIR> d-------- C:\VundoFix Backups
2008-06-29 16:24 . 2008-06-29 16:24 <DIR> d-------- C:\!KillBox
2008-06-29 16:20 . 2008-06-29 20:00 153 --a------ C:\WINDOWS\wininit.ini
2008-06-29 12:33 . 2008-06-29 12:33 51,200 --a------ C:\WINDOWS\system32\__c0036F2D.dat
2008-06-29 12:31 . 2008-06-29 12:38 110,424 --a------ C:\WINDOWS\BMaf44895b.xml
2008-06-28 13:54 . 2008-06-28 13:54 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-06-28 12:56 . 2008-06-28 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-28 11:38 . 2008-06-28 11:53 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-26 15:52 . 2008-06-26 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-25 20:28 . 2008-06-25 20:28 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-06-18 19:12 . 2008-06-18 19:12 <DIR> d-------- C:\Program Files\VstPlugins
2008-06-18 19:12 . 2008-06-18 19:12 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-06-18 19:12 . 2006-06-20 16:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-06-18 19:11 . 2008-06-18 19:11 <DIR> d-------- C:\Program Files\Outsim
2008-06-18 19:11 . 2002-07-08 06:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-06-18 19:09 . 2008-06-18 19:12 <DIR> d-------- C:\Program Files\Image-Line
2008-06-15 14:06 . 2008-06-17 16:03 <DIR> d-------- C:\Documents and Settings\Sambo\Application Data\SPORE Creature Creator
2008-06-15 14:06 . 2008-06-15 14:06 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-15 13:54 . 2008-06-15 13:54 <DIR> d-------- C:\WINDOWS\Logs
2008-06-15 13:46 . 2008-06-15 13:46 <DIR> d-------- C:\Program Files\Electronic Arts
2008-06-11 15:54 . 2008-06-13 21:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 21:58 . 2008-06-08 22:43 <DIR> d-------- C:\Program Files\Moyea
2008-06-08 21:58 . 2008-06-08 22:43 <DIR> d-------- C:\Documents and Settings\Sambo\Application Data\Moyea
2008-06-08 21:53 . 2008-06-08 21:54 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-06-08 20:29 . 2008-06-08 20:31 <DIR> d-------- C:\Documents and Settings\Sambo\dwhelper
2008-06-08 20:27 . 2008-06-08 20:27 <DIR> d-------- C:\Program Files\Red Kawa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 07:58 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-29 04:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 13:19 --------- d-----w C:\Documents and Settings\Sambo\Application Data\Audacity
2008-06-28 06:09 --------- d-----w C:\Documents and Settings\Sambo\Application Data\uTorrent
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-25 09:59 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-25 09:59 --------- d-----w C:\Program Files\Ahead
2008-05-16 08:49 --------- d-----w C:\Program Files\Java
2008-05-16 08:44 --------- d-----w C:\Program Files\Common Files\Java
2008-05-13 09:34 --------- d-----w C:\Program Files\Power Tab Software
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-08 11:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-08 11:47 --------- d-----w C:\Program Files\Bonjour
2008-05-08 11:38 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-06 10:28 --------- d-----w C:\Program Files\Native Instruments
2008-05-06 10:28 --------- d-----w C:\Program Files\Common Files\Native Instruments
2008-05-06 10:28 --------- d-----w C:\Program Files\Common Files\Digidesign
2008-05-05 07:52 --------- d-----w C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-05-02 08:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-02 08:22 --------- d-----w C:\Program Files\Avanquest update
2008-05-02 08:22 --------- d-----w C:\Documents and Settings\Sambo\Application Data\InstallShield
2008-05-02 08:21 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-05-02 08:20 92,064 ----a-w C:\Documents and Settings\Sambo\mqdmmdm.sys
2008-05-02 08:20 9,232 ----a-w C:\Documents and Settings\Sambo\mqdmmdfl.sys
2008-05-02 08:20 79,328 ----a-w C:\Documents and Settings\Sambo\mqdmserd.sys
2008-05-02 08:20 66,656 ----a-w C:\Documents and Settings\Sambo\mqdmbus.sys
2008-05-02 08:20 6,208 ----a-w C:\Documents and Settings\Sambo\mqdmcmnt.sys
2008-05-02 08:20 5,936 ----a-w C:\Documents and Settings\Sambo\mqdmwhnt.sys
2008-05-02 08:20 4,048 ----a-w C:\Documents and Settings\Sambo\mqdmcr.sys
2008-05-02 08:20 25,600 ----a-w C:\Documents and Settings\Sambo\usbsermptxp.sys
2008-05-02 08:20 22,768 ----a-w C:\Documents and Settings\Sambo\usbsermpt.sys
2008-05-02 08:19 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-05-02 08:18 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-02 08:17 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-05-01 13:10 --------- d-----w C:\Program Files\USR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"WinampAgent"="C:\Winamp\winampa.exe" [2008-04-02 02:49 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 00:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

.
- - - - ORPHANS REMOVED - - - -

BHO-{B5A0E4F7-09EC-4246-A8C6-99768674511E} - C:\WINDOWS\system32\fccccBTN.dll
HKLM-Run-BMaf44895b - C:\WINDOWS\system32\tlwuvjba.dll
HKLM-Run-ac77bac7 - C:\WINDOWS\system32\drjcbuin.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 16:11:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-07-01 16:17:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 08:17:01

Pre-Run: 69,121,310,720 bytes free
Post-Run: 69,034,795,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

156 --- E O F --- 2008-06-22 04:37:16





And now the new HJT log:

Deckard's System Scanner v20071014.68
Run by Sambo on 2008-07-01 16:19:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Sambo.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:55 PM, on 1/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Sambo\Desktop\Downloaded ****\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sambo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209298268671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1209300422906
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 3944 bytes

-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-07-01 1639 0 d-------- C:\cmdcons
2008-07-01 16:05:43 68096 --a------ C:\WINDOWS\zip.exe
2008-07-01 16:05:43 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-01 16:05:43 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-01 16:05:43 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-01 16:05:43 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-01 16:05:43 98816 --a------ C:\WINDOWS\sed.exe
2008-07-01 16:05:43 80412 --a------ C:\WINDOWS\grep.exe
2008-07-01 16:05:43 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-29 19:01:08 0 d-------- C:\Program Files\Trend Micro
2008-06-29 17:34:19 0 d-------- C:\VundoFix Backups
2008-06-29 16:24:38 0 d-------- C:\!KillBox
2008-06-29 12:33:53 51200 --a------ C:\WINDOWS\system32\__c0036F2D.dat
2008-06-28 13:54:48 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-06-28 12:56:34 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-28 11:38:20 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-26 15:52:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-25 20:28:37 0 d-------- C:\Program Files\Messenger Plus! Live
2008-06-18 19:12:25 0 d-------- C:\Program Files\ASIO4ALL v2
2008-06-18 19:12:10 225280 --a------ C:\WINDOWS\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-06-18 19:12:10 0 d-------- C:\Program Files\VstPlugins
2008-06-18 19:11:09 0 d-------- C:\Program Files\Outsim
2008-06-18 19:09:11 0 d-------- C:\Program Files\Image-Line
2008-06-15 1443 0 d-------- C:\Documents and Settings\Sambo\Application Data\SPORE Creature Creator
2008-06-15 13:54:20 0 d-------- C:\WINDOWS\Logs
2008-06-15 13:46:29 0 d-------- C:\Program Files\Electronic Arts
2008-06-08 21:58:28 0 d-------- C:\Documents and Settings\Sambo\Application Data\Moyea
2008-06-08 21:58:27 0 d-------- C:\Program Files\Moyea
2008-06-08 20:29:38 0 d-------- C:\Documents and Settings\Sambo\dwhelper
2008-06-08 20:27:26 0 d-------- C:\Program Files\Red Kawa


-- Find3M Report ---------------------------------------------------------------

2008-07-01 16:17:33 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-29 12:33:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 21:19:01 0 d-------- C:\Documents and Settings\Sambo\Application Data\Audacity
2008-06-28 14:09:59 0 d-------- C:\Documents and Settings\Sambo\Application Data\uTorrent
2008-06-24 20:20:52 0 d-------- C:\Documents and Settings\Sambo\Application Data\Adobe
2008-05-25 17:59:33 0 d-------- C:\Program Files\Ahead
2008-05-25 17:59:32 0 d-------- C:\Program Files\Common Files
2008-05-25 17:59:32 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-16 16:56:35 0 d-------- C:\Documents and Settings\Sambo\Application Data\Sun
2008-05-16 16:49:37 0 d-------- C:\Program Files\Java
2008-05-16 16:44:50 0 d-------- C:\Program Files\Common Files\Java
2008-05-13 17:34:35 0 d-------- C:\Program Files\Power Tab Software
2008-05-08 19:47:48 0 d-------- C:\Program Files\Bonjour
2008-05-08 19:47:45 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-08 19:38:32 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-06 18:28:49 0 d-------- C:\Program Files\Native Instruments
2008-05-06 18:28:04 0 d-------- C:\Program Files\Common Files\Native Instruments
2008-05-06 18:28:00 0 d-------- C:\Program Files\Common Files\Digidesign
2008-05-05 15:52:14 0 d-------- C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-05-05 15:36:55 0 d-------- C:\Documents and Settings\Sambo\Application Data\Help
2008-05-02 16:22:53 0 d-------- C:\Program Files\Avanquest update
2008-05-02 16:22:52 0 d-------- C:\Documents and Settings\Sambo\Application Data\InstallShield
2008-05-02 16:21:21 0 d-------- C:\Program Files\Motorola Phone Tools
2008-05-02 16:17:44 0 d-------- C:\Program Files\Common Files\Motorola Shared
2008-05-01 21:10:18 0 d-------- C:\Program Files\USR
2008-04-29 1924 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-04-29 1924 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-04-28 02:39:50 62 --ahs---- C:\Documents and Settings\Sambo\Application Data\desktop.ini
2008-04-27 20:57:59 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-27 20:38:52 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-27 18:55:05 0 -rahs---- C:\MSDOS.SYS
2008-04-27 18:55:05 0 -rahs---- C:\IO.SYS
2008-04-27 18:55:05 0 --a------ C:\CONFIG.SYS
2008-04-27 18:55:05 0 --a------ C:\AUTOEXEC.BAT
2008-04-27 18:52:41 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [21/01/2008 12:17 PM]
"WinampAgent"="C:\Winamp\winampa.exe" [02/04/2008 02:49 AM]
"CTHelper"="CTHELPER.EXE" [11/08/2006 02:56 PM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 02:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\wd_windows_tools\setup.exe




-- End of Deckard's System Scanner: finished at 2008-07-01 16:20:19 ------------


Cheers cobber!
zambria is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 07-01-2008, 08:22 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,435
OS: 2000 Pro; XP Pro; XP Home


Re: userinit.exe Fails to initialize, computer reboots randomly..
Things are looking better. Still some more work to do....

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/264233-userinit-exe-fails-initialize-computer-reboots-randomly.html

    File::
    C:\WINDOWS\BMaf44895b.xml

    Folder::
    C:\VundoFix Backups
    C:\!KillBox

    Collect::
    C:\WINDOWS\system32\__c0036F2D.dat
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  5. Ensure your AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------

  6. Install this FREE AntiVirus program, update it, and run a full system scan.

    Avira PersonalEdition Classic

    Here is a tutorial on it's setup and use:

    http://www.techsupportforum.com/content/Security/Articles/64.html

    When the scan is complete, click on the Report button. A log file will open. Please post that in your next reply.

    Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    ---------------------------------------------------------------------------------------------

  7. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------

Please return with results from:

ComboFix (C:\ComboFix.txt)
Avira
HijackThis
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 07-02-2008, 08:08 AM   #7 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 7
OS: xp sp2


Re: userinit.exe Fails to initialize, computer reboots randomly..
G'day! Alrighty then, the ComboFix scan log is as follows:

ComboFix 08-06-30.2 - Sambo 2008-07-02 20:00:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.278 [GMT 8:00]
Running from: C:\Documents and Settings\Sambo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sambo\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMaf44895b.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\!KillBox
C:\!KillBox\Logs\kb.log
C:\VundoFix Backups
C:\WINDOWS\BMaf44895b.xml
C:\WINDOWS\system32\__c0036F2D.dat

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 00:07 . 2008-07-01 00:07 <DIR> d-------- C:\Deckard
2008-06-29 19:01 . 2008-06-29 19:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 16:20 . 2008-06-29 20:00 153 --a------ C:\WINDOWS\wininit.ini
2008-06-28 13:54 . 2008-06-28 13:54 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-06-28 12:56 . 2008-06-28 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-28 11:38 . 2008-06-28 11:53 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-26 15:52 . 2008-06-26 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-25 20:28 . 2008-06-25 20:28 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-06-18 19:12 . 2008-06-18 19:12 <DIR> d-------- C:\Program Files\VstPlugins
2008-06-18 19:12 . 2008-06-18 19:12 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-06-18 19:12 . 2006-06-20 16:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-06-18 19:11 . 2008-06-18 19:11 <DIR> d-------- C:\Program Files\Outsim
2008-06-18 19:11 . 2002-07-08 06:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-06-18 19:09 . 2008-06-18 19:12 <DIR> d-------- C:\Program Files\Image-Line
2008-06-15 14:06 . 2008-06-17 16:03 <DIR> d-------- C:\Documents and Settings\Sambo\Application Data\SPORE Creature Creator
2008-06-15 14:06 . 2008-06-15 14:06 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-15 13:54 . 2008-06-15 13:54 <DIR> d-------- C:\WINDOWS\Logs
2008-06-15 13:46 . 2008-06-15 13:46 <DIR> d-------- C:\Program Files\Electronic Arts
2008-06-11 15:54 . 2008-06-13 21:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 21:58 . 2008-06-08 22:43 <DIR> d-------- C:\Program Files\Moyea
2008-06-08 21:58 . 2008-06-08 22:43 <DIR> d-------- C:\Documents and Settings\Sambo\Application Data\Moyea
2008-06-08 21:53 . 2008-06-08 21:54 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-06-08 20:29 . 2008-06-08 20:31 <DIR> d-------- C:\Documents and Settings\Sambo\dwhelper
2008-06-08 20:27 . 2008-06-08 20:27 <DIR> d-------- C:\Program Files\Red Kawa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 11:42 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5
2008-06-29 04:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 13:19 --------- d-----w C:\Documents and Settings\Sambo\Application Data\Audacity
2008-06-28 06:09 --------- d-----w C:\Documents and Settings\Sambo\Application Data\uTorrent
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 06:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 06:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 06:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 06:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 06:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 06:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 06:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-25 09:59 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-25 09:59 --------- d-----w C:\Program Files\Ahead
2008-05-16 08:49 --------- d-----w C:\Program Files\Java
2008-05-16 08:44 --------- d-----w C:\Program Files\Common Files\Java
2008-05-13 09:34 --------- d-----w C:\Program Files\Power Tab Software
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-08 11:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-08 11:47 --------- d-----w C:\Program Files\Bonjour
2008-05-08 11:38 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 10:28 --------- d-----w C:\Program Files\Native Instruments
2008-05-06 10:28 --------- d-----w C:\Program Files\Common Files\Native Instruments
2008-05-06 10:28 --------- d-----w C:\Program Files\Common Files\Digidesign
2008-05-05 07:52 --------- d-----w C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-05-02 08:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-02 08:22 --------- d-----w C:\Program Files\Avanquest update
2008-05-02 08:22 --------- d-----w C:\Documents and Settings\Sambo\Application Data\InstallShield
2008-05-02 08:21 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-05-02 08:20 92,064 ----a-w C:\Documents and Settings\Sambo\mqdmmdm.sys
2008-05-02 08:20 9,232 ----a-w C:\Documents and Settings\Sambo\mqdmmdfl.sys
2008-05-02 08:20 79,328 ----a-w C:\Documents and Settings\Sambo\mqdmserd.sys
2008-05-02 08:20 66,656 ----a-w C:\Documents and Settings\Sambo\mqdmbus.sys
2008-05-02 08:20 6,208 ----a-w C:\Documents and Settings\Sambo\mqdmcmnt.sys
2008-05-02 08:20 5,936 ----a-w C:\Documents and Settings\Sambo\mqdmwhnt.sys
2008-05-02 08:20 4,048 ----a-w C:\Documents and Settings\Sambo\mqdmcr.sys
2008-05-02 08:20 25,600 ----a-w C:\Documents and Settings\Sambo\usbsermptxp.sys
2008-05-02 08:20 22,768 ----a-w C:\Documents and Settings\Sambo\usbsermpt.sys
2008-05-02 08:19 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-05-02 08:18 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-02 08:17 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-04-29 11:06 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-04-29 11:06 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-01_16.16.47.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 08:10:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 11:37:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"WinampAgent"="C:\Winamp\winampa.exe" [2008-04-02 02:49 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 00:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 20:02:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0