userinit.exe - is it a problem?



jgleaso
2006-12-12, 20:37
Hello... I just joined the group and am new to the forum so please have mercy on my first post. I have been experiencing some difficulties in performance and noticed the following services that I have since disabled: ADNKJB, BINNDBZWN, DXGNZ, JTLBHRHCTGV, and XK. They were never really started and had a startup type = manual. I don't think any .exe files existed for these services but have no clue what they are. Does anyone recognize any of these services? Anyway, since I use my PC for banking and online xfers I would really like to clean any nasties. I did run one of your suggested web-based anti-virus scans (TrendMicro) and detected TSPY_LOWZONES.BR which was subsequently cleaned. I currently have loaded, but do not let run at the same time, the following anti-spyware programs: SpyBot Search & Destroy, SpyCatcher, Trend Micro, Ad-Aware SE Personal, NoAdware, Spyware Blaster, and XoftSpy (as you know no one tool finds all). I also run Norton AntiVirus as well as ZoneAlarm Pro as my firewall. I also keep my Windows critical updates up-to-date. You would think I would be fairly well protected! Ha. I'm nervous about any rootkits that may exist and a method to remove them. Thanks in advance for taking a look at these logs:

HiJackThis.log

Logfile of HijackThis v1.99.1
Scan saved at 11:11:39 AM, on 12/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\SpyCatcher 2006\Protector.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://wp.netscape.com/bookmark/index.html"); (C:\Documents and Settings\Anonymous\Application Data\Mozilla\Profiles\default\tkwq36ss.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Anonymous\Application Data\Mozilla\Profiles\default\tkwq36ss.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINNT\system32\BhoCitUS.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://www.uspsepm.com/crm/capicom.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\system32\nvsvc32.exe (file missing)
O23 - Service: OracleOraHome92TNSListener - Unknown owner - F:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceTRAINING - Unknown owner - f:\oracle\ora92\bin\ORACLE.EXE (file missing)
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: System Commander 7 MBR check (WinMBR) - Unknown owner - C:\SC\WINMBR.EXE

GMER log to follow...

thanks,

Joe

jgleaso
2006-12-12, 20:40
GMER log

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-11 12:08:03
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT 819CC4C8 ZwAlertResumeThread
SSDT 819CC5C8 ZwAlertThread
SSDT 819CD1A8 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
SSDT 819CC1C8 ZwCreateMutant
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT 819CD3C8 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT 819CCF68 ZwFreeVirtualMemory
SSDT 819CC2C8 ZwImpersonateAnonymousToken
SSDT 819CC3C8 ZwImpersonateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT 819CC0C8 ZwOpenEvent
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT 819CD2C8 ZwOpenProcessToken
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT 819CCB48 ZwOpenThreadToken
SSDT 819CBF68 ZwQueryValueKey
SSDT 820812E0 ZwQueueApcThread
SSDT 8208C020 ZwReadVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT 819CE968 ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT 819CCA48 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT 82081860 ZwSetInformationKey
SSDT 819CCC48 ZwSetInformationProcess
SSDT 819CC948 ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 819CC748 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT 819CC848 ZwTerminateThread
SSDT 819CCD48 ZwUnmapViewOfSection
SSDT 819CD088 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text NTDLL.DLL!NtClose 77F881F8 5 Bytes JMP 72033FAA
.text NTDLL.DLL!NtCreateProcess 77F88308 5 Bytes JMP 72034135
.text NTDLL.DLL!NtCreateSection 77F88328 5 Bytes JMP 72033FC8

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!GetScrollRange 77E1FD75 5 Bytes JMP 0260D5CC C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!EnableScrollBar 77E1FDC5 5 Bytes JMP 0260D557 C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!GetScrollPos 77E258A2 9 Bytes JMP 0260D5A7 C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!SetScrollPos 77E280B8 2 Bytes JMP 0260D622 C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!SetScrollPos + 3 77E280BB 2 Bytes [ 7E, 8A ]
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!GetScrollInfo 77E2FF46 7 Bytes JMP 0260D57F C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!ShowScrollBar 77E3870D 5 Bytes JMP 0260D67B C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!SetScrollRange 77E38DEA 5 Bytes JMP 0260D64D C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!SetScrollInfo 77E43456 5 Bytes JMP 0260D5F7 C:\Program Files\SpyCatcher 2006\skin.dll

More to come... still trying to make it fit

jgleaso
2006-12-12, 20:42
---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 81B665E0
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 81B664E0
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 81B66460
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 81B663E0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 81B66360
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 81B662E0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 81B66260
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 81B65020
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 81B65FA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 81B65F20
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 81B65EA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 81B65E20
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 81B65CA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 81B65C20
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 81B65B20
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 81B65AA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 81B65A20
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 81B659A0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 81B65920
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 81B658A0
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 81B65820
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 81B657A0
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 81B65720
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 81B665E0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 81B664E0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 81B66460
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 81B663E0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 81B66360
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 81B662E0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 81B66260
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 81B65020
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 81B65FA0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 81B65F20
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 81B65EA0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 81B65E20
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 81B65CA0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 81B65C20
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 81B65B20
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 81B65AA0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 81B65A20
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 81B659A0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 81B65920
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 81B658A0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 81B65820
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 81B657A0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 81B65720
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 81B665E0
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 81B664E0
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 81B66460
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 81B663E0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 81B66360
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 81B662E0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 81B66260
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 81B65020
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 81B65FA0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 81B65F20
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 81B65EA0
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 81B65E20
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 81B65CA0
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 81B65C20
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 81B65B20
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 81B65AA0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 81B65A20
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 81B659A0
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 81B65920
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 81B658A0
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 81B65820
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 81B657A0
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 81B65720
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 81B665E0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 81B664E0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 81B66460
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 81B663E0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 81B66360
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 81B662E0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 81B66260
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 81B65020
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 81B65FA0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 81B65F20
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 81B65EA0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 81B65E20
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 81B65CA0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 81B65C20
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 81B65B20
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 81B65AA0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 81B65A20
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 81B659A0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 81B65920
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 81B658A0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 81B65820
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 81B657A0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 81B65720
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 81B665E0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 81B664E0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 81B66460
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 81B663E0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 81B66360
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 81B662E0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 81B66260
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 81B65020
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 81B65FA0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 81B65F20
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 81B65EA0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 81B65E20
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 81B65CA0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 81B65C20
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [BE8732A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 81B65B20
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 81B65AA0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 81B65A20
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 81B659A0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 81B65920
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 81B658A0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 81B65820
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 81B657A0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 81B65720

---- Files - GMER 1.0.12 ----

File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt

---- EOF - GMER 1.0.12 ----

jgleaso
2006-12-13, 08:53
I'm receiving conflicting reports on userinit.exe displayed in a hijackthis.log. Is the following entry legit or a problem?

F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe

Thanks for your help,

Joe

tashi
2006-12-18, 21:31
Hello and sorry for the wait.

If you have not resolved the problem, we do have this sticky topic:

If you have waited three days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

tashi
2006-12-22, 08:41
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.

LonnyRJones
2006-12-25, 13:44
Re-opened since jgleaso posted in the waiting thread on 2006-12-22, 23:24


There is nothing wrong with userinit.exe or this line in the hijackthis log
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe

However, it is missing a trailing comma: scan with HijackThis, put a check next to it and click "Fix checked".

That GMER log looks fine.

For those services you mentioned, post a startup list from HijackThis:
Start HijackThis, click Config > Misc Tools,
place a check in [X] List also minor sections
and [X] List empty sections, then click Generate StartupList log.
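As an added example (not code from this thread, from HijackThis or from Spybot), here is a small Python checker for the F2 UserInit entry LonnyRJones is describing. It parses HijackThis F2 lines, flags a value that lacks the trailing comma, and lists anything other than %SystemRoot%\system32\userinit.exe that the value would launch at logon, which is the part a defender actually cares about. The sample lines are constructed: the first mirrors the entry from this thread, the others are made-up variants, and the `system_root` default assumes a Windows 2000 layout like the poster's.

```python
import re

# Constructed sample HijackThis F2 lines for testing. Only the first one
# mirrors the thread; the rest are invented variants to exercise the checks.
SAMPLE_LINES = [
    "F2 - REG:system.ini: UserInit=C:\\WINNT\\system32\\Userinit.exe",
    "F2 - REG:system.ini: UserInit=C:\\WINNT\\system32\\userinit.exe,",
    "F2 - REG:system.ini: UserInit=C:\\WINNT\\system32\\userinit.exe,"
    "C:\\WINNT\\system32\\example_extra.exe",
    "O4 - HKLM\\..\\Run: [ctfmon.exe] ctfmon.exe",
    "F2 - REG:system.ini: UserInit=C:\\WINNT\\userinit.exe,",
]

# HijackThis reports the Winlogon UserInit value as an F2 REG:system.ini line.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")


def check_userinit(line, system_root="C:\\WINNT"):
    """Return a list of findings for one HijackThis line.

    An empty list means either the line is not a UserInit entry or the
    value is the expected single userinit.exe path with its trailing comma.
    """
    match = F2_USERINIT.match(line.strip())
    if not match:
        return []
    value = match.group("value").strip()
    findings = []

    # The stock value ends in a comma; HijackThis lists the entry when it does not.
    if not value.endswith(","):
        findings.append("missing trailing comma")

    # UserInit is a comma-separated list of programs winlogon starts at logon.
    entries = [e.strip() for e in value.split(",") if e.strip()]
    expected = (system_root + "\\system32\\userinit.exe").lower()
    if not entries:
        findings.append("empty UserInit value")
    elif entries[0].lower() != expected:
        findings.append("first entry is not %s" % expected)

    # Anything beyond userinit.exe itself deserves a look: it runs for every logon.
    for extra in entries[1:]:
        findings.append("additional program launched at logon: %s" % extra)
    return findings


def scan_log(lines, system_root="C:\\WINNT"):
    """Map each offending log line to its findings; clean lines are omitted."""
    report = {}
    for line in lines:
        findings = check_userinit(line, system_root)
        if findings:
            report[line.strip()] = findings
    return report


if __name__ == "__main__":
    for offending, findings in scan_log(SAMPLE_LINES).items():
        print(offending)
        for finding in findings:
            print("    -", finding)
```

If a HijackThis log shows no F2 UserInit line at all, the value matched the default and there is nothing to check; the script only has work to do on logs that do carry the line.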

tashi
2007-01-04, 08:44
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.