TomPabst
2006-06-02, 07:49
Hi Guys and Gals.....
I almost posted this problem in the SpyBot forum as the symptoms of this malware (or system file corruption) first showed up with a malfunction in the SpyBot scan I did last Monday morning (after downloading the latest "includes" of 5/26). I had very little desk time left Monday so I decided to wait until I could do more checks before posting that there was a problem with the "includes 5/26/2006" download. I had no office time on Tuesday and very little on Wednesday, so this is why I'm just getting to making this post tonight (Thursday night, 6/1/06). But I've now had the last several hours to check out this infection....it's a bizarre one (at least with my experience level to date).
Here are the symptoms and I will begin with last Monday morning (5/29) problem with the SpyBot scan:
(1) 5/29/06: Downloaded latest "includes" from SpyBot Updates and installed (no issues). Ran scan immediately (after system reboot) and got the following error message (red triangle with exclamation point in center on SB scan page): "Services.sbs file missing, go to updates to replace it." (Not verbatim, but close enough). I downloaded the "5/26 includes" again (by xx-renaming the "downloaded.ini" file in the SB "Updates" folder), and reinstalled them. Result: Same error message upon running SB scan. I also tried extracting the "services.sbs" file manually from the "includes.zip" file.....it will not extract (but all other files in the zip will extract to a temp folder pointed to). And probably don't need to say this, but indeed, "services.sbs" file is not located in the SB Includes folder. The last good SB scan I ran was on Saturday, 5/27 and nothing unusual was detected (some tracking cookies and that was it). I've not been able to run a good SB scan since then.
(2) Today: I ran HJT scan and compared to last Sunday's HJT scan. They were identical (and both are the same as the one I've posted below) with one "odd man out" entry at F2 (see below). I checked the last HJT routine scan I have archived (I run HJT about 3 to 6 times per week as routine, and just archive those scans dated/timed)....which was on Friday, 5/26 and the "F2" entry was not present. Please note: The HJT scan below says that "processes can not be listed." That also appears on the previous scans except for last Friday when the F2 is not present.
(3) Went to the "target file" of the F2 regentry, "services.exe" and tried to rename it. Can't, says "File is in use by another program." Also tried to delete it. Can't, says "Disk is full....yada, yada, yada." Neither was a surprise but I always like to try it! -:)
Now it starts getting weird!
(4) Following standard procedures before posting in this Malware Forum, I ran my eTrust AV program (on C drive only). It runs about 1/3 through the "Documents and Settings" folder and then hangs with: "ETrust AV has encountered a problem and needs to close....yada, yada, yada." App hangs and needs to be control/alt/deleted to "end program" and clear.
(5) Attempted to look for a "services.dll" file in Windows/system32 folder and this blows me away: I can't access the folder. As soon as I click on it, I get a message such as, "Windows Explorer has encountered a problem and needs to close!" Nervously I decided to go to "system restore".......
(6) Can't open System Restore! Message says, "System Restore can not protect your computer, please reboot and try again." Now I'm thinking my WinXP, SP2 ops sys is in big trouble.
(7) Made several attempts to let HJT "fix" the F2 entry....it removes it but it's back after either a reboot and HJT rerun, or a HJT rerun without rebooting.
(8) Finally was able to access the c:windows/system32 folder by doing the following: Change the "View" from "list/details" to "thumbnails" and I could open the system32 folder. I immediately looked for a "services.dll" file (just for grins) but none existed. I went to the "restore" folder and almost fell out of my chair! Something had "xx-renamed" the "filelist.xml" file to "xxfilelist.xml".......huh? I renamed it back. Opened "System Restore" from the normal "start/programs/help" and it started right up. I was delighted....but it didn't last long! All the "restore points" prior to today's date have been deleted.
And that leads me to making this post. I'm not screwing with this buggar any more as you guys are the experts. I'm hoping this is not something new? But I'm fearful that it might be. Other than email and IE browser (which work fine or seemed to work fine), I've not tried running any other programs.
My HJT log follows (minus the "running processes" list as indicated):
(Note: Every entry on this HJT log is known to be good to me, except the F2 entry.)
Logfile of HijackThis v1.99.1
Scan saved at 6:43:48 PM, on 6/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
(Unable to list running processes)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,C:\WINDOWS\SERVICES.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color'n'Code Wizzard.lnk = C:\Program Files\Color n Code\Common\IconMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135272627828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
*************end HJT Log******************
Besides fixing this nasty thing.....I'd be interested to know what purpose it was written to do.....other than screwing up my computer. It seems particularly malicious for some reason to me?
Lonny....you da man! Have at it! -:)
Regards,
Tom Pabst
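As an added example (not the poster's or the forum's own code): a small Python checker that parses HijackThis F2 lines and flags any extra program chained into the UserInit value, the pattern seen in the log above. The sample log lines are constructed from the post, and the stock path is assumed to be C:\WINDOWS\system32\userinit.exe.

```python
import re

# Constructed sample: the F2 line from the post plus an unrelated line for contrast.
SAMPLE_HJT_LOG = """Logfile of HijackThis v1.99.1
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,,C:\\WINDOWS\\SERVICES.EXE
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
"""

# HJT writes the Userinit registry value after "UserInit=" on an F2 line.
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)


def parse_userinit(line):
    """Return the non-empty comma-separated entries of an F2 UserInit line, or None."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    return [p.strip() for p in m.group("value").split(",") if p.strip()]


def check_userinit(entries, windir="c:\\windows"):
    """Flag every entry that is not the stock userinit.exe (assumed path).
    Returns a list of (entry, reason); an empty list means the value is clean."""
    sys32 = windir.lower() + "\\system32\\"
    expected = sys32 + "userinit.exe"
    findings = []
    for entry in entries:
        low = entry.lower()
        if low == expected:
            continue
        name = low.rsplit("\\", 1)[-1]
        if name == "services.exe" and not low.startswith(sys32):
            reason = "services.exe outside system32 (the legitimate copy lives in system32)"
        else:
            reason = "unexpected program chained into UserInit"
        findings.append((entry, reason))
    return findings


def scan_hjt_log(text):
    """Scan an HJT log and return (line, findings) for every F2 UserInit line."""
    results = []
    for line in text.splitlines():
        entries = parse_userinit(line)
        if entries is not None:
            results.append((line, check_userinit(entries)))
    return results


if __name__ == "__main__":
    for line, findings in scan_hjt_log(SAMPLE_HJT_LOG):
        print(line)
        for entry, reason in findings:
            print("  SUSPICIOUS:", entry, "-", reason)
```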