Member Avatar for Kiel

Gidday guys!

Been a while since I've been to DaniWeb, but again I need you blokes more than ever!

I'm running XP Prof with SP2. I've been running it about 8 months now hassle free, as basic internet security measures from you guys' advice have lounged me well.

Same old story, my sister has clicked a link she got through MSN saying "omg look at my new picture". Needless to say I got infected something cruel, and no matter what my futile efforts involve, I can't seem to rid myself of the spyware. -BUT-, I honestly don't think the spyware is causing my problem.

Basically right now, I'm in Safe Mode with Networking. My internet works, evidently everything that CAN work in Safe Mode with Networking, is working.

My problem is trying to boot normally. I get to my logon screen, go to logon, the Windows ding-down-ding-doong plays, and my computer reboots. Now the weird thing is, if I don't try to log on, it seems that about the time it'd normally take me to log on, my computer reboots! It's like it's timed.

If it's any help to you, I've HijackThis, AVG 7.5 Prof', Spyware Doctor, Ad-Aware, Spybot, CCleaner, ZoneAlarm etc all now installed. I can run all except AVG 7.5, as I bought the CD yet can't install it in Safe Mode.

My findings tell me I'm constantly infected with "Command Services" (cmdservices), but it doesn't seem to be doing any damage. At one point during my infection, I could run my computer with no hassles, which lasted about 10 minutes before I booted MSN (Windows Live Messenger), at which point my computer made it's loading sound and restarted.

I got a few phonecalls from a few mates telling me I just gave them a link to a photo. Seems everyone on my contact list got it. Thankfully none that I know personally clicked it, though I do feel terrible for those that did. The associated spyware/virus is drsmartload, which loads first when I open Windows Live Messenger, then immediatly followed by goll.exe (which I couldn't find any information on, seems to be a randomly named process). I know this because I've Process Explorer by SysInternals running constantly in the hope to catch out whatever it is screwing me over.

Now the reason I don't think it's a virus/spyware hammering my computer is because when I press F8 at the boot screen to obviously get some extra startup options, I -enabled- the "disabled reboot on system failure" (or something similar) option, and now instead of instant-rebooting in normal mode, I get a blue screen of death.

Any information you need I will gladly hand over, and of course like last time I'll be decent-donating upon immediate fix of my problem.

Thanks guys, and let me assure you sister-related computer problems won't happen again, though I can guarentee something else will.

Let me know what you need.

Yours hopefully,
Kiel

  • 4 Contributors
  • 15 Replies
  • 234 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by gerbil

Recommended Answers

All 15 Replies

Member Avatar for Kiel

Oh, and I forgot to mention, normally I'd use System Restore immediatly, but the bastard deleted all my restore points!

From now on every so days I'm going to backup my system restore files. I didn't know they were not recoverable after deletion. This sucks.

Member Avatar for gerbil

drsmartload is a spyware and ad delivery trojan , and naturally that one does not aim to give you a BSOD. Cmdservices is a pest. You may have a virus which is designed to do that, or it is unintentional from a bad bit of hacker code. Anyway run HT in safe mode from its own folder with nothing else running [apps or windows], and send the log....

Member Avatar for Kiel

Heya gerbil, and thanks for your reply mate!

Here's the HJT log!

Logfile of HijackThis v1.99.1
Scan saved at 8:52:12 PM, on 10/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &eBay Search - res://C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13F15250-BC91-4D7E-9E5D-471D49E60DFF}: Domain = wa.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5EDE0E-D293-460A-BD2D-23C5DF92BBD8}: Domain = wa.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{13F15250-BC91-4D7E-9E5D-471D49E60DFF}: Domain = wa.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{13F15250-BC91-4D7E-9E5D-471D49E60DFF}: Domain = wa.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\..\{13F15250-BC91-4D7E-9E5D-471D49E60DFF}: Domain = wa.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - D:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Edit: Justg noticed I still had ZoneAlarm running...is it okay like this? I'm not overly-confident in shutting it down. But if I must, I must.

Member Avatar for Kiel

Oh, and excuse the double post, but I've lost my Windows XP CD (not lost, I know exactly where it is, it's just not accessible), so I'm wondering, do I need that EXACT CD or will any other XP CD work as a Restore/Recovery feature on my machine?

That is, of course, as an extreme last resort.

Anyone analyze my HJT log?

Member Avatar for gerbil

Kiel, i am prompted by the history of the affair, your subsequent fault and actions, plus the appearance of the F2 key about userinit.exe in the log to suggest this: As explained in the M$ article [http://support.microsoft.com/kb/892893] the trojan could have inserted a .exe and changed this key's data to point to it....

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

name:- Userinit
data:- C:\WINDOWS\system32\userint.exe,

::: this is what the data should be, if there is a different .exe there then while in Safe Mode regedit it to userinit.exe, [and you must include that comma!]
Reboot.

Adaware or one of your other scans may have deleted the actual dud .exe, and so this key points to nothing. I doubt if userinit.exe is bad or corrupt, so just change the key data.
But you got into safe mode via the login screen already...!! so I may be contradicting my own thinking.......wondering...you have not passworded the default computer Administration account, have you? I'm not suggesting that you do...
Anyway, just search for userinit.exe in the registry, or that key, and report what you find. I could be way wrong....cos without that file running you should not be able to get in.... but you will not hurt anything by looking.
NOTE. Do NOT fix that F2 entry in the HT log.... u have to have it.

Member Avatar for Kiel

Thanks for your effort mate!

Unfortunatly, everything seems to be correct in the registry key, it's pointing to C:\Windows\System32\userinit.exe , so I'm assuming it's fine.

What's next!

Edit: Oh, and for your info', the BSoD states the following:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

***STOP 0x000000D1 (0x00000000, 0x00000002, 0x00000000, 0x00000000)

Member Avatar for caperjack

Hi,this is from the site im linking ,
==================
0x000000D1: DRIVER_IRQL_NOT_LESS_OR_EQUAL
(Click to consult the online Win XP Resource Kit article.)
The system attempted to access pageable memory using a kernel process IRQL that was too high. The most typical cause is a bad device driver (one that uses improper addresses). It can also be caused by caused by faulty or mismatched RAM, or a damaged pagefile.
===================
scroll way down near the bottom of the list for you bsod error .
http://www.aumha.org/win5/kbestop.php

Member Avatar for gerbil

The product key is not coded into the XP CD, but is a unique code and when used with M$ activation creates a code specific to the major hardware models and serial numbers in your pc. So any genuine Microsoft CD will do, just make sure to use your product code.

Do you still have cmdservices? Spybot should detect it and disclose its keys. If so, get delcmdservice from here:-
http://users.telenet.be/marcvn/tools/delcmdservice.zip

Unzip it, onto your desktop will do nicely, and dclick on the delcmdservice folder, dclick on delreg.bat to start it. When the tool finishes reboot your computer

The Driver irql not less than or equal error implies that a driver with a high irql was unable to over-ride a driver operation with a lower irql => conflict. This can come from a RAM error [swap sticks to check it, or run a memtest] or other hardware problems such as overheating on a graphics card..... or driver conflicts. The code STOP 0x000000D1 (0x00000000, 0x00000002, 0x00000000, 0x00000000) does not help me much more that that...
You can check your drivers at the windows update catalog :-
http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
...and of course at your manufacturer's sites.
Btw, your log is clean.. if u suspect something lingering go to f-secure at http://www.f-secure.com/blacklight/ and download their trial blacklight tool, or to www.sysinternals.com and run RKR [follow their instructions to a T!!], or do the pandaonlinescan from here:-
http://www.pandasoftware.com/products/activescan?
Keep in touch.... :)

Member Avatar for gerbil

...an then we never heard from kiel again....

Member Avatar for Kiel

Sorry guys haven't been able to get online, work, sleep, work.

I'm still in Safe Mode, but I got into normal mode the other day without errors, but it restarted about 20 minutes later when I tried launching Windows Live Messenger.

Tried all the solutions...nothing's working so far, what's next?

Member Avatar for Kiel

Okay it -seems- to be fixed.

However whenever I get to the desktop after booting my computer, a whole heap of "Win32 Services" made an error blabla SEND or DON'T SEND windows come up.

Also, there seem to be a lot of windows "SVCHOST" services running, I mean just take a look at this screeny! I've no idea what does what but I'm certain there wasn't that many before:

[img]http://img74.imageshack.us/img74/5575/svchostdd4.jpg[/img]

Member Avatar for caperjack

6 scvhost is the norm i think i know i have 6 running .

Member Avatar for Trace--

I know I'm a late entry to this conversation, but from here on, ill do my best to help. I read over all your posts, and twice you mentioned that the computer rebooted when you attempted to run Windows Live Messenger (WLM). Have you considered that the bug may very well be within that program folder?

Check your WLM folder for any odd files... ill include a list of my files so you can compare and contrast the two...

Also, try starting in normal mode and let the pc sit. if it lasts for more than half an hour, we know it has to be the mesenger.

-Trace

-----------------------
Files List for "C:\Program Files\MSN Messenger\"
Folder: "Device manager" (see below for contents)
abssm.dll
contact.dll
contactsUX.dll
custsat.dll
dfsr.dll
ErrorResponse.xml
fsshext.8.0.0812.00.dll
highcont.thm
lcapi.dll
lcres.dll
MessengerClient.dll
msgrapp.8.0.0812.00.dll
msgsc.8.0.0812.00.dll
mslang.dll
msgsres.dll
msgswcam.dll
msidcr140.dll
msncall.exe
msncallres.dll
msncore.dll
msnmsgr.exe
msvs.exe
msvsConfig2.xml
msvsui.dll
newalert.wma
newemail.wma
nudge.wma (delete to get rid of nudge noise ;))
online.wma
outgoing.wma
pcsdll.dll
phone.wma
psmsong.8.0.0812.00.dll
RTMPLTFM.dll
type.wma
usnsvc.dll
usnsvcps.dll
vimdone.wma
wmp8stub.dll
wmv9vcm.dll


Within "Device Manager":
Folder: "Loc" (see below for contents)
msgrdvmm.exe
WLPhoneC Security Catalog
WLPhoneC Setup Information File


Within "Loc": Alot of numbered folders with msndevmanres.dll in each of them
-------------------------------------

Good luck my friend.

Member Avatar for gerbil

kiel, if u have that [any] genuine XP install CD, try running Start > Run : sfc /scannow to check your dll cache files are not corrupted. sfc.exe checks the installed files with those in the cache, and asks for the CD if it finds cache errors. That may fix your WIN32services problem.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.