Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Userinit.exe & Services.exe Eating All Memory


  • Please log in to reply
19 replies to this topic

#1 aqueeng

aqueeng

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 08 August 2008 - 04:39 PM

Userinit.exe is eating all memory at startup. It seems to work fine if I explicitly disable it from msconfig. In addition, on startup I get the following error,

This application has failed to start because framedyn.dll was not found. Re-installing the application may fix this problem
netsh.exe - unable to locate component
dgnet.dll not found

It all started after symanted antivirus asked me to reboot after detecting and cleaning an infection of W32.SillyFDC.

Thank you very mcuh for your help in advance. The dss and kaspersky logs are provided below.


Deckard's System Scanner v20071014.68
Run by Amit Goyal on 2008-08-08 22:20:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as Amit Goyal.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:31 PM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Documents and Settings\Amit Goyal\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Amit Goyal.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://online.wsj.com/public/us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.228.253:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\Amit Goyal\svchost.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\Amit Goyal\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Startup: userinit.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvan.../cab/tvants.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 8059 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080808-122859-790 O20 - Winlogon Notify: cbxya - C:\WINDOWS\system32\cbxya.dll (file missing)
backup-20080808-123046-604 O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
backup-20080808-123049-484 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
.ini - inifile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1"
.pif - piffile - shell\open\command - "%1" %*"
.scr - scrfile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.2.1.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 pgsql-8.3 (PostgreSQL Database Server 8.3) - "c:\program files\postgresql\8.3\bin\pg_ctl.exe" runservice -w -n "pgsql-8.3" -d "c:\program files\postgresql\8.3\data\" <Not Verified; PostgreSQL Global Development Group; PostgreSQL>
R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>

S3 ServiceLayer - "c:\program files\common files\pcsuite\services\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-03 19:14:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2006-04-19 03:06:38 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-08 13:13:00 0 d-------- C:\Documents and Settings\Amit Goyal\.housecall6.6
2008-08-08 10:04:45 0 d-------- C:\Program Files\Safer Networking
2008-08-08 09:45:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-08 09:44:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 09:06:17 0 d-------- C:\Program Files\Trend Micro
2008-08-08 08:42:58 0 d-------- C:\Documents and Settings\postgres\Application Data\Adobe
2008-08-08 08:19:29 0 d-------- C:\Documents and Settings\Amit Goyal\Application Data\Uniblue
2008-08-08 08:18:55 0 d-------- C:\Program Files\Uniblue
2008-08-08 08:07:37 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-08 08:07:16 0 d-------- C:\Program Files\Security Task Manager
2008-08-08 07:46:01 33792 --a------ C:\Documents and Settings\LocalService\svchost.exe
2008-08-07 22:20:42 0 d-------- C:\Documents and Settings\postgres\Application Data\Google
2008-08-03 04:46:23 0 d-------- C:\Documents and Settings\Amit Goyal\Application Data\vlc
2008-08-03 04:14:06 0 d-------- C:\Program Files\VideoLAN
2008-07-18 15:44:08 0 d-------- C:\Program Files\Remove Empty Directories


-- Find3M Report ---------------------------------------------------------------

2008-08-08 10:09:58 40 --a------ C:\WINDOWS\system32\profile.dat
2008-08-08 09:45:02 0 d-------- C:\Program Files\Lavasoft
2008-08-07 22:33:01 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-07 22:27:39 0 d-------- C:\Program Files\Lizard Safeguard PDF Viewer
2008-07-28 14:29:04 0 d-------- C:\Program Files\PartyGaming
2008-06-25 11:02:14 0 d-------- C:\Program Files\TVAntsX
2008-06-19 17:08:59 0 d-------- C:\Program Files\PokerStars


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- End of Deckard's System Scanner: finished at 2008-08-08 22:25:19 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.60GHz
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 494.42 MiB / 228.74 MiB
Pagefile Memory (total/avail): 1155.66 MiB / 742.68 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.94 MiB

C: is Fixed (NTFS) - 24.4 GiB total, 4.92 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - IC25N030ATMR04-0 - 27.95 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 24.4 GiB - C:
\PARTITION2 - Unknown - 3.5 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
FirewallDisableNotify is set.
AntivirusOverride is set.

FW: Symantec Client Firewall v8.6.2.143 (Symantec Corporation)
AV: Symantec AntiVirus Corporate Edition v10.0.2.2010 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\drivers\\services.exe"="C:\\WINDOWS\\system32\\drivers\\services.exe:*:Enabled:sys"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Amit Goyal\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GOYAL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Amit Goyal
LOGONSERVER=\\GOYAL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;C:\Perl\bin\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\SSH Communications Security\SSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\AMITGO~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\AMITGO~1\LOCALS~1\Temp
USERDOMAIN=GOYAL
USERNAME=Amit Goyal
USERPROFILE=C:\Documents and Settings\Amit Goyal
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Amit Goyal (admin)
postgres
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type42933 / Error
Event Submitted/Written: 08/08/2008 07:57:16 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type42932 / Error
Event Submitted/Written: 08/08/2008 07:57:16 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Event Record #/Type42931 / Error
Event Submitted/Written: 08/08/2008 07:56:59 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type42930 / Error
Event Submitted/Written: 08/08/2008 07:56:59 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Event Record #/Type42929 / Error
Event Submitted/Written: 08/08/2008 00:09:43 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: W32.SillyFDC in File: Unavailable by: Invalid : (15) scan. Action: Delete failed : Leave Alone failed. Action Description:



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5841 / Warning
Event Submitted/Written: 08/08/2008 03:52:29 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type5837 / Error
Event Submitted/Written: 08/08/2008 01:11:48 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type5815 / Error
Event Submitted/Written: 08/08/2008 11:57:22 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Bluetooth Support Service service failed to start due to the following error:
%%1053

Event Record #/Type5814 / Error
Event Submitted/Written: 08/08/2008 11:57:22 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Bluetooth Support Service service to connect.

Event Record #/Type5813 / Error
Event Submitted/Written: 08/08/2008 11:57:22 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1053



-- End of Deckard's System Scanner: finished at 2008-08-08 22:25:19 ------------



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 08, 2008 19:46:48
Records in database: 1070054
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Amit Goyal\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 49717
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:54:51


File name / Threat name / Threats count
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b 1
C:\WINDOWS\SYSTEM32\ms_tcp.dll Infected: Worm.Win32.AutoRun.lkx 1

The selected area was scanned.

BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:36 AM

Posted 08 August 2008 - 08:29 PM

Hello aqueeng

Welcome to BleepingComputer :thumbsup:
========================
Please go to Start > Run> then copy\paste this in "%userprofile%\desktop\dss.exe" /daft then hit ok.
Place a check next to everything and click on fix.
Rescan again and it should say all associations ok.
==================================
Disable all Compnents of Norton before running combofix.

Please visit this web page for instructions for downloading and running Combofix > ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

(Note:If the Recovery Console fails to install then do not proceed rather alert me and post back here we will continue)
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 aqueeng

aqueeng
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 09 August 2008 - 08:19 AM

Hello Kahdah,

Thanks for helpping me.

I am having trouble installing the recovery console.

I downloaded the file fromt he microsoft website and tired draggign and dropping onto combofix icon.

I just get a little combofix status bar which disappears in a few seconds. I do not get the prompt saying that recover console was installed.

How should I proceed?

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:36 AM

Posted 09 August 2008 - 08:26 AM

Ok try ti right click on the Combofix icon and choose rename.
Then rename it to the word nothing then try it again.
If it still does not work then just double click on the combofix icon and follow the prompts.
Then post the 2 logs Combofix log and the new Hijackthis log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 aqueeng

aqueeng
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 09 August 2008 - 09:08 AM

I tried renaming it followe by just double-clicking. Still not able to run COmbofix

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:36 AM

Posted 09 August 2008 - 09:12 AM

Download GMER from Here :
Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 aqueeng

aqueeng
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 09 August 2008 - 09:39 AM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-09 15:39:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 85527BF8 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEE29E410]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xEE29EB60]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device ECF28C8A

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d092fbc
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000b0d092fbc
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.14 ----

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:36 AM

Posted 09 August 2008 - 10:03 AM

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\Amit Goyal\svchost.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\Amit Goyal\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Startup: userinit.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe


Now click on Fix Checked and then close Hijackthis.

Do not reboot if asked.
======================================================
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Description"="Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start."
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Task Scheduler"
"Group"="SchedulerGroup"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,05,00,03,\
  00,01,00,00,00,70,17,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00
"NextAtJobId"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,63,00,68,00,65,00,64,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="SchedServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Enum]
"0"="Root\\LEGACY_SCHEDULE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
============
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\drivers\services.exe
    C:\Documents and Settings\Amit Goyal\svchost.exe
    C:\Documents and Settings\LocalService\svchost.exe 
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll 
    C:\WINDOWS\SYSTEM32\ms_tcp.dll 
    c:\documents and settings\Amit Goyal\start menu\programs\startup\userinit.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
================================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=====================================================
Please post these logs in your next reply:
OT MOve it log
Mbam log
New dss log


Let me know of any error messages that remain please.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 aqueeng

aqueeng
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 09 August 2008 - 02:23 PM

I performed all the recommended steps and none of the problems seem to reappear. The system does appear to be slower compared to before the problems.

The requested logs are below. Please let me know if I should run any more tests or diagnostics.

Thanks again for your help.

OT MOve it log
C:\WINDOWS\system32\drivers\services.exe moved successfully.
C:\Documents and Settings\Amit Goyal\svchost.exe moved successfully.
C:\Documents and Settings\LocalService\svchost.exe moved successfully.
File/Folder C:\WINDOWS\Downloaded Program Files\popcaploader.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\ms_tcp.dll
C:\WINDOWS\SYSTEM32\ms_tcp.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\ms_tcp.dll moved successfully.
File/Folder c:\documents and settings\Amit Goyal\start menu\programs\startup\userinit.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08092008_162552


Mbam log
Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

4:45:32 PM 8/9/2008
mbam-log-8-9-2008 (16-45-32).txt

Scan type: Quick Scan
Objects scanned: 45844
Time elapsed: 13 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\ms_tcp.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amit Goyal\ms_tcp.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\userinit.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


New DSS log
Deckard's System Scanner v20071014.68
Run by Amit Goyal on 2008-08-09 19:55:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as Amit Goyal.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:15 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Amit Goyal\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\AMITGO~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://online.wsj.com/public/us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.228.253:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://download.tvants.com/pub/tvants/tvan.../cab/tvants.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 7132 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-09 16:29:24 0 d-------- C:\Documents and Settings\Amit Goyal\Application Data\Malwarebytes
2008-08-09 16:29:19 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 16:29:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 16:22:53 93979678 --a------ C:\registrybackup.reg <REGIST~1.REG>
2008-08-09 14:05:39 0 d-------- C:\327882R2FWJFW
2008-08-08 10:04:45 0 d-------- C:\Program Files\Safer Networking
2008-08-08 09:45:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-08 09:06:17 0 d-------- C:\Program Files\Trend Micro
2008-08-08 08:42:58 0 d-------- C:\Documents and Settings\postgres\Application Data\Adobe
2008-08-08 08:19:29 0 d-------- C:\Documents and Settings\Amit Goyal\Application Data\Uniblue
2008-08-08 08:07:37 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-08 08:07:16 0 d-------- C:\Program Files\Security Task Manager
2008-08-07 22:20:42 0 d-------- C:\Documents and Settings\postgres\Application Data\Google
2008-08-03 04:46:23 0 d-------- C:\Documents and Settings\Amit Goyal\Application Data\vlc
2008-08-03 04:14:06 0 d-------- C:\Program Files\VideoLAN
2008-07-18 15:44:08 0 d-------- C:\Program Files\Remove Empty Directories


-- Find3M Report ---------------------------------------------------------------

2008-08-09 17:32:33 0 d-------- C:\Documents and Settings\Amit Goyal\Application Data\SecondLife
2008-08-09 17:24:34 0 d-------- C:\Documents and Settings\Amit Goyal\Application Data\SSH
2008-08-09 15:08:44 0 d-------- C:\Program Files\Common Files
2008-08-09 15:08:39 0 d-------- C:\Program Files\Lavasoft
2008-08-09 14:55:24 40 --a------ C:\WINDOWS\system32\profile.dat
2008-08-07 22:33:01 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-07 22:27:39 0 d-------- C:\Program Files\Lizard Safeguard PDF Viewer
2008-07-28 14:29:04 0 d-------- C:\Program Files\PartyGaming
2008-06-25 11:02:14 0 d-------- C:\Program Files\TVAntsX
2008-06-19 17:08:59 0 d-------- C:\Program Files\PokerStars


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- End of Deckard's System Scanner: finished at 2008-08-09 19:56:40 ------------

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:36 AM

Posted 09 August 2008 - 02:26 PM

See now if you are able to run Combofix and post that log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 aqueeng

aqueeng
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 09 August 2008 - 02:45 PM

Still can't run ComboFix. I get "Incompatible OS. Combofix oly works for Windows 2000 and XP."

:thumbsup: :)

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:36 AM

Posted 09 August 2008 - 02:47 PM

Try to redownload it and run it again please let me know what happens
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#13 aqueeng

aqueeng
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 09 August 2008 - 02:49 PM

I tried redownloading and renaming but still get the incompatible OS error.

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:36 AM

Posted 09 August 2008 - 02:50 PM

Ok forget about Combofix:

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#15 aqueeng

aqueeng
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 09 August 2008 - 04:23 PM

For some reason I am not able to access the above websites anymore (and google as well for that matter). I am hoping this is temporary and has nothing to do with the infection or the remedial steps taken so far. I will try again later.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users