
Thread: userinit.exe - is it a problem?

  1. #1
    Junior Member
    Join Date
    Dec 2006
    Posts
    4

    userinit.exe - is it a problem?

    Hello... I just joined the group and am new to the forum so please have mercy on my first post. I have been experiencing some difficulties in performance and noticed the following services that I have since disabled: ADNKJB, BINNDBZWN, DXGNZ, JTLBHRHCTGV, and XK. They were never really started and had a startup type = manual. I don't think any .exe files existed for these services but have no clue what they are. Does anyone recognize any of these services? Anyway, since I use my pc for banking and online xfers I would really like to clean any nasties. I did run one of your suggested web-based anti-virus scans (TrendMicro) and detected TSPY_LOWZONES.BR which was subsequently cleaned. I currently have loaded, but do not let run at the same time, the following anti-spyware programs: SpyBot Search & Destroy, SpyCatcher, Trend Micro, Ad-Aware SE Personal, NoAdware, Spyware Blaster, and XoftSpy (as you know no one tool finds all). I also run Norton AntiVirus as well as ZoneAlarm Pro as my firewall. I also keep my windows critical updates up-to-date. You would think I would be fairly well protected! ha I'm nervous about any rootkits that may exist and a method to remove them. Thanks in advance for taking a look at these logs:

    HiJackThis.log

    Logfile of HijackThis v1.99.1
    Scan saved at 11:11:39 AM, on 12/12/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\DSentry.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\SpyCatcher 2006\Protector.exe
    C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
    C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.foxnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://wp.netscape.com/bookmark/index.html"); (C:\Documents and Settings\Anonymous\Application Data\Mozilla\Profiles\default\tkwq36ss.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Anonymous\Application Data\Mozilla\Profiles\default\tkwq36ss.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
    O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINNT\system32\BhoCitUS.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
    O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111.exe
    O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://www.uspsepm.com/crm/capicom.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O20 - AppInit_DLLs: interceptor.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\system32\nvsvc32.exe (file missing)
    O23 - Service: OracleOraHome92TNSListener - Unknown owner - F:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
    O23 - Service: OracleServiceTRAINING - Unknown owner - f:\oracle\ora92\bin\ORACLE.EXE (file missing)
    O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: System Commander 7 MBR check (WinMBR) - Unknown owner - C:\SC\WINMBR.EXE

    GMER log to follow...

    thanks,

    Joe

  2. #2
    Junior Member
    Join Date
    Dec 2006
    Posts
    4

    GMER log

    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2006-12-11 12:08:03
    Windows 5.0.2195 Service Pack 4


    ---- System - GMER 1.0.12 ----

    SSDT 819CC4C8 ZwAlertResumeThread
    SSDT 819CC5C8 ZwAlertThread
    SSDT 819CD1A8 ZwAllocateVirtualMemory
    SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
    SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwCreateKey
    SSDT 819CC1C8 ZwCreateMutant
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
    SSDT 819CD3C8 ZwCreateThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
    SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteKey
    SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
    SSDT 819CCF68 ZwFreeVirtualMemory
    SSDT 819CC2C8 ZwImpersonateAnonymousToken
    SSDT 819CC3C8 ZwImpersonateThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
    SSDT 819CC0C8 ZwOpenEvent
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
    SSDT 819CD2C8 ZwOpenProcessToken
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
    SSDT 819CCB48 ZwOpenThreadToken
    SSDT 819CBF68 ZwQueryValueKey
    SSDT 820812E0 ZwQueueApcThread
    SSDT 8208C020 ZwReadVirtualMemory
    SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
    SSDT 819CE968 ZwResumeThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
    SSDT 819CCA48 ZwSetContextThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
    SSDT 82081860 ZwSetInformationKey
    SSDT 819CCC48 ZwSetInformationProcess
    SSDT 819CC948 ZwSetInformationThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
    SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
    SSDT 819CC748 ZwSuspendThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
    SSDT 819CC848 ZwTerminateThread
    SSDT 819CCD48 ZwUnmapViewOfSection
    SSDT 819CD088 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.12 ----

    .text NTDLL.DLL!NtClose 77F881F8 5 Bytes JMP 72033FAA
    .text NTDLL.DLL!NtCreateProcess 77F88308 5 Bytes JMP 72034135
    .text NTDLL.DLL!NtCreateSection 77F88328 5 Bytes JMP 72033FC8

    ---- User code sections - GMER 1.0.12 ----

    .text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!GetScrollRange 77E1FD75 5 Bytes JMP 0260D5CC C:\Program Files\SpyCatcher 2006\skin.dll
    .text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!EnableScrollBar 77E1FDC5 5 Bytes JMP 0260D557 C:\Program Files\SpyCatcher 2006\skin.dll
    .text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!GetScrollPos 77E258A2 9 Bytes JMP 0260D5A7 C:\Program Files\SpyCatcher 2006\skin.dll
    .text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!SetScrollPos 77E280B8 2 Bytes JMP 0260D622 C:\Program Files\SpyCatcher 2006\skin.dll
    .text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!SetScrollPos + 3 77E280BB 2 Bytes [ 7E, 8A ]
    .text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!GetScrollInfo 77E2FF46 7 Bytes JMP 0260D57F C:\Program Files\SpyCatcher 2006\skin.dll
    .text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!ShowScrollBar 77E3870D 5 Bytes JMP 0260D67B C:\Program Files\SpyCatcher 2006\skin.dll
    .text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!SetScrollRange 77E38DEA 5 Bytes JMP 0260D64D C:\Program Files\SpyCatcher 2006\skin.dll
    .text C:\Program Files\SpyCatcher 2006\Protector.exe[1896] USER32.dll!SetScrollInfo 77E43456 5 Bytes JMP 0260D5F7 C:\Program Files\SpyCatcher 2006\skin.dll

    More to come... still trying to make it fit

  3. #3
    Junior Member
    Join Date
    Dec 2006
    Posts
    4

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 81B665E0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 81B664E0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 81B66460
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 81B663E0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 81B66360
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 81B662E0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 81B66260
    Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 81B65020
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 81B65FA0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 81B65F20
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 81B65EA0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 81B65E20
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 81B65CA0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 81B65C20
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 81B65B20
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 81B65AA0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 81B65A20
    Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 81B659A0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 81B65920
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 81B658A0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 81B65820
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 81B657A0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 81B65720
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 81B665E0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 81B664E0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 81B66460
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 81B663E0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 81B66360
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 81B662E0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 81B66260
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 81B65020
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 81B65FA0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 81B65F20
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 81B65EA0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 81B65E20
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 81B65CA0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 81B65C20
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 81B65B20
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 81B65AA0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 81B65A20
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 81B659A0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 81B65920
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 81B658A0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 81B65820
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 81B657A0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 81B65720
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 81B665E0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 81B664E0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 81B66460
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 81B663E0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 81B66360
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 81B662E0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 81B66260
    Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 81B65020
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 81B65FA0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 81B65F20
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 81B65EA0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 81B65E20
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 81B65CA0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 81B65C20
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 81B65B20
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 81B65AA0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 81B65A20
    Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 81B659A0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 81B65920
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 81B658A0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 81B65820
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 81B657A0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 81B65720
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 81B665E0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 81B664E0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 81B66460
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 81B663E0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 81B66360
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 81B662E0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 81B66260
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 81B65020
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 81B65FA0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 81B65F20
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 81B65EA0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 81B65E20
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 81B65CA0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 81B65C20
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 81B65B20
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 81B65AA0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 81B65A20
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 81B659A0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 81B65920
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 81B658A0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 81B65820
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 81B657A0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 81B65720
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 81B665E0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 81B664E0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 81B66460
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 81B663E0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 81B66360
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 81B662E0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 81B66260
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 81B65020
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 81B65FA0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 81B65F20
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 81B65EA0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 81B65E20
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 81B65CA0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 81B65C20
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [BE8732A0] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 81B65B20
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 81B65AA0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 81B65A20
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 81B659A0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 81B65920
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 81B658A0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 81B65820
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 81B657A0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 81B65720

    ---- Files - GMER 1.0.12 ----

    File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt
    File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt
    File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt

    ---- EOF - GMER 1.0.12 ----

  4. #4
    Junior Member
    Join Date
    Dec 2006
    Posts
    4

    userinit.exe - is it a problem?

    I'm receiving conflicting reports on userinit.exe displayed in a hijackthis.log. Is the following entry legit or a problem?

    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe

    Thanks for your help,

    Joe
    Last edited by LonnyRJones; 2006-12-13 at 13:46. Reason: Merged posts, keep responses in one thread please

  5. #5
    Member of Team Spybot (tashi)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Hello and sorry for the wait.

    If you have not resolved the problem, we do have this sticky topic:

    If you have waited three days for advice post here.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  6. #6
    Member of Team Spybot (tashi)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    This topic has been archived.

    If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Re-opened since jgleaso posted in the waiting thread 2006-12-22, 23:24
    There is nothing wrong with userinit.exe or this line in the HijackThis log:
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe

    However, it is missing a trailing comma; scan with HijackThis, put a check next to it and click Fix checked.

    That GMER log looks fine.

    For those services you mentioned, post a startup list from HijackThis:
    Start HijackThis, click Config > Misc Tools,
    place a check in [X] List also minor sections
    and [X] List empty sections, then click Generate StartupList log.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
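A small audit of the Winlogon Userinit value the helper discusses above, added here as an example and not code from this thread, from HijackThis or from GMER. It parses the F2 line in the form HijackThis prints it, checks that the first entry is the system userinit.exe (the system root is assumed to be C:\WINNT, as in this log, and is a parameter), reports the missing trailing comma the helper points out, and, going one step beyond the thread, flags any further program appended to the value, since everything in that comma-separated list is launched at every interactive logon and an unexpected extra entry is what a defender would want to catch. The sample lines with extra entries are constructed, and the extra path in them is a placeholder.

```python
import re

# Shape of the F2 line as HijackThis prints it (see the log in this thread).
F2_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")


def parse_f2_userinit(line):
    """Return the Userinit value from a HijackThis F2 line, or None if the line is not one."""
    match = F2_USERINIT_RE.match(line.strip())
    return match.group("value") if match else None


def audit_userinit(value, system_root=r"C:\WINNT"):
    """Audit a Winlogon Userinit value.

    Returns (status, findings) with status "ok", "warn" or "bad".
    The expected value is <system_root>\\system32\\userinit.exe followed by a
    trailing comma; every further comma-separated entry is also run at logon.
    system_root defaults to C:\\WINNT (assumed from this thread's log).
    """
    expected = (system_root + r"\system32\userinit.exe").lower()
    findings = []
    has_trailing_comma = value.rstrip().endswith(",")
    entries = [e.strip() for e in value.split(",") if e.strip()]

    if not entries:
        return "bad", ["Userinit value is empty; interactive logon would fail"]

    status = "ok"
    if entries[0].lower() != expected:
        status = "bad"
        findings.append(f"first entry is not the system userinit.exe: {entries[0]}")
    for extra in entries[1:]:
        status = "bad"
        findings.append(f"additional program launched at every logon: {extra}")
    if not has_trailing_comma:
        if status == "ok":
            status = "warn"
        findings.append("trailing comma missing (differs from the default form; "
                        "the helper in this thread suggests letting HijackThis fix it)")
    return status, findings


def audit_f2_line(line, system_root=r"C:\WINNT"):
    """Audit one HijackThis log line; returns None for lines that are not the F2 UserInit entry."""
    value = parse_f2_userinit(line)
    return None if value is None else audit_userinit(value, system_root)


# Constructed sample lines: the first is the line from this thread, the rest are
# made up for the example and use a placeholder path for the extra entry.
SAMPLE_LINES = [
    r"F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,",
    r"F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\EXAMPLE-extra.exe,",
    r"O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe",  # not an F2 line; ignored
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = audit_f2_line(line)
        if result is None:
            continue
        status, findings = result
        print(f"[{status}] {line}")
        for f in findings:
            print(f"    - {f}")
```

Run as-is it walks the constructed sample lines: the thread's own line comes out as "warn" with only the trailing-comma finding, the corrected value as "ok", and the line with an appended program as "bad". The same audit applies to a value read directly from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which is what HijackThis is summarising on that F2 line.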

  8. #8
    Member of Team Spybot (tashi)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    This topic has been closed to prevent others with similar issues posting in it.
    If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

    Applies only to the original topic starter.
