Infected computer, need help understanding Hijack This log please
Comments
-
If that doesn't work, it may be worth downloading a trial of Kaspersky Anti-Virus and ESET's anti-virus program (I can't remember what it is called, but it is one of the recommended AV programs on this site) and seeing if they can remove it.
-
Best of luck mate.
-
I have a canned for SDFix - but you also want to update Malwarebytes - definitions now stand at 1811.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
- Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
- DO NOT use it just yet.
- Open the SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
- Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.
-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.
-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe
-
Well I have just run SDfix and here is the log, don't think it managed to fix it though

Just downloading Malwarebytes to run again
SDFix: Version 1.240
Run by user on 28/02/2009 at 15:05
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Infected userinit.exe Found!
userinit.exe File Locations:
"C:\WINDOWS\$NtServicePackUninstall$\userinit.exe" 24576 04/08/2004 12:00
"C:\WINDOWS\ServicePackFiles\i386\userinit.exe" 26112 14/04/2008 00:12
"C:\WINDOWS\system32\userinit.exe" 8704 15/02/2009 08:44
LDPinch Infected File Listed Below:
C:\WINDOWS\SYSTEM32\USERINIT.EXE
File copied to Backups Folder
Attempting to replace userinit.exe with original version
Unable To Replace Infected File!
"C:\WINDOWS\$NtServicePackUninstall$\userinit.exe" 24576 04/08/2004 12:00
"C:\WINDOWS\ServicePackFiles\i386\userinit.exe" 26112 14/04/2008 00:12
"C:\WINDOWS\system32\userinit.exe" 8704 15/02/2009 08:44
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 15:13:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
Files with Hidden Attributes :
Mon 10 Mar 2008 31 A..H. --- "C:\WINDOWS\UKCpInfo.sys"
Sun 15 Feb 2009 8,704 A..H. --- "C:\WINDOWS\system32\userinit.exe"
Fri 23 May 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Finished!
It's easier to get forgiveness than to ask permission
-
I can't connect the infected PC to the internet to download the updates to Malwarebytes, I have looked on gt500.org that Thomas01155 suggested in an earlier post but that is still at Version 1793, do you have a link to download the latest database please?
It's easier to get forgiveness than to ask permission
-
I think you may require the original Windows disc to replace USERINIT.EXE.
-
Sadly gt500 are showing the update you have.
-
I've got a Bart PE Build disc with a copy of userinit.exe, would I just need to copy that to the System32 directory?
It's easier to get forgiveness than to ask permission
-
That I am not 100% sure about.
I am going to have to have a dig around.
-
Ok, this is a bit trial and error so let's play very safe.
c:\windows\$NtServicePackUninstall$\userinit.exe
c:\windows\ServicePackFiles\i386\userinit.exe
c:\windows\system32\userinit.exe
Can you submit each of those files to virustotal - http://www.virustotal.com/
I am hoping that one of those will come back clean. You may have to show hidden files to see them.
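As an added example (not from the thread, SDFix or any poster), the script below reads the SDFix report quoted earlier, works out why the system32 copy of userinit.exe stands out against the two service-pack copies (size, timestamp, Hidden attribute), and hashes file contents so each copy can be looked up on VirusTotal by SHA-256 rather than uploaded. The log text is copied from the report above as constructed sample input.

```python
import hashlib
import re
from datetime import datetime

# Lines copied from the SDFix report quoted above (constructed sample input).
SDFIX_LOG = r"""Infected userinit.exe Found!
userinit.exe File Locations:
"C:\WINDOWS\$NtServicePackUninstall$\userinit.exe" 24576 04/08/2004 12:00
"C:\WINDOWS\ServicePackFiles\i386\userinit.exe" 26112 14/04/2008 00:12
"C:\WINDOWS\system32\userinit.exe" 8704 15/02/2009 08:44
LDPinch Infected File Listed Below:
C:\WINDOWS\SYSTEM32\USERINIT.EXE
Files with Hidden Attributes :
Sun 15 Feb 2009 8,704 A..H. --- "C:\WINDOWS\system32\userinit.exe"
"""
# "<path>" <size> <dd/mm/yyyy> <hh:mm>, the way SDFix lists each copy.
COPY_RE = re.compile(r'^"([^"]+)"\s+(\d+)\s+(\d\d/\d\d/\d{4})\s+(\d\d:\d\d)$')

def parse_copies(log):
    """Every listed copy of the flagged binary: path, size, timestamp."""
    copies = []
    for line in log.splitlines():
        m = COPY_RE.match(line.strip())
        if m:
            when = datetime.strptime(m[3] + " " + m[4], "%d/%m/%Y %H:%M")
            copies.append({"path": m[1], "size": int(m[2]), "mtime": when})
    return copies

def triage(log):
    """Return (suspect path, candidate clean copies, reasons it stands out)."""
    m = re.search(r"Infected File Listed Below:\n(.+)", log)
    suspect = m[1].strip() if m else None
    copies = parse_copies(log)
    bad = [c for c in copies if suspect and c["path"].lower() == suspect.lower()]
    good = [c for c in copies if c not in bad]
    reasons = []
    if bad and good:
        b = bad[0]
        if all(b["size"] < g["size"] for g in good):
            reasons.append("smaller than every service-pack copy")
        if all(b["mtime"] > g["mtime"] for g in good):
            reasons.append("modified after every service-pack copy")
        # A logon binary carrying the Hidden attribute is abnormal in itself.
        if re.search(r'\.H\. --- "' + re.escape(b["path"]) + '"', log, re.I):
            reasons.append("has the Hidden attribute set")
    return suspect, [g["path"] for g in good], reasons

def sha256_hex(data):
    """Digest to look up on VirusTotal; searching by hash avoids uploading."""
    return hashlib.sha256(data).hexdigest()
```

Feed `sha256_hex` the bytes of each candidate file (read from the offline PC via a boot disc) and search VirusTotal for the digest; the service-pack copies are the ones expected to come back clean.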
This discussion has been closed.