Status
Not open for further replies.

User Interface Failure when using RDP

2K views 2 replies 2 participants last post by  chemist 
#1 ·
Hello,

I recently started having this problem on an XPsp3 machine. The RDP screen comes up but instead of the credentials box, I get the following error:

User Interface Failure

You cannot initiate a Remote Desktop Connection because the Windows software on the remote computer has been replaced by incompatible software ntgina.dll.

As requested, I have pasted the contents of DDS.txt & zipped & attached ark.txt & attach.txt. The error box is also attached.

Any help would be appreciated. Thanks.

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 11:14:48 on 2012-11-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.77 [GMT -4:00]
.
AV: Sophos Anti-Virus *Enabled/Outdated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
============== Running Processes ================
.
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-vmrc.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-vmrc.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-remotemks.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-vmrc.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-vmrc.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-remotemks.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-vmrc.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-vmrc.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-remotemks.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-vmrc.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-remotemks.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-vmrc.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-remotemks.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-vmrc.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-remotemks.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-remotemks.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-remotemks.exe
C:\WINDOWS\system32\mmc.exe
E:\autorun.exe
D:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-vmrc.exe
D:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\4.0\vmware-remotemks.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyServer = proxyva.utc.com:8080
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Osa32] NTOSA32.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1347659897093
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 192.168.11.11 fcwnxxp # VM FCWNX 7.5 PRO XPSP3
Hosts: 192.168.11.12 vmserver2003 # VM FCWNX 7.5 EE Server 2003 Std R2 SP2 w/SQL2005
Hosts: 192.168.11.13 testxp # PM FCWNX 7.0 PRO SP3B PRO XPSP3 (THIS IS THE LOCAL MACHINE!!!)
Hosts: 192.168.11.14 Win7 # VM FCWNX 7.5.1 PRO Win7 Ultimate
Hosts: 192.168.11.15 WinVista # VM Vista Business SP2
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-6-1 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-6-1 38528]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2010-6-1 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-6-1 98304]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2010-6-1 266240]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-2-3 172032]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2010-6-1 794624]
S2 dfcsvc;Distributed File Controller;NTOSA32.EXE /dfcsvc --> NTOSA32.EXE [?]
S2 nxdtzqlo;Monitor Update;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 tzmfzoq;Config Driver;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 vclspcrq;Image Server;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 zyastsqn;Universal Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 FCWnx API Service;FCWnx API Service;c:\program files\ge\fcwnx\SPAPIService.exe [2011-8-23 943104]
S3 FCWnx Diagnostics;FCWnx Diagnostics;c:\program files\ge\fcwnx\SPDiagnosticService.exe [2011-8-23 416256]
S3 FCWnx Manager;FCWnx Manager;c:\program files\ge\fcwnx\SPManagersService.exe [2011-8-23 5403136]
S3 FCWnx Media Server;FCWnx Media Server;c:\program files\ge\fcwnx\FCWnxMS.exe [2011-8-21 172032]
S3 FCWnx System Manager;FCWnx System Manager;c:\program files\ge\fcwnx\SPSystemServ.exe [2011-11-3 1308160]
S3 FCWnxWCF Service;FCWnxWCF Service;c:\program files\ge\fcwnx\FCWnx.WCF.exe [2011-8-23 13824]
S3 FCWnxWebService;FCWnx WebService;c:\program files\ge\fcwnx\FCWnxWS.exe [2011-8-23 24576]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-12-23 27064]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-6-1 14976]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-11-01 15:01:52 52224 ----a-w- c:\windows\system32\NTOSA32.EXE
2012-11-01 14:08:24 5149 ----a-w- c:\windows\system32\NTKBH32.dll
2012-09-20 22:08:15 26624 ----a-w- c:\windows\system32\ntgina.dll
.
============= FINISH: 11:15:24.59 ===============
 

Attachments
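The DDS log above already carries the tell-tale signs of the infection chemist identifies in the next post: four services with random-looking names (nxdtzqlo, tzmfzoq, vclspcrq, zyastsqn) all hosted in the `svchost.exe -k netsvcs` group under generic-sounding display names, plus a service (dfcsvc) whose image is a bare filename that DDS could not locate (`[?]`), and an ntgina.dll in system32 that matches the "incompatible software ntgina.dll" error. As an added illustration for readers triaging similar logs, and not code from the original post or from the DDS tool, the script below parses the `SERVICES / DRIVERS` lines in the layout DDS prints and flags the entries a helper would want to look at. The sample input is constructed from the service lines quoted in the post, with the benign Sophos and WinRM lines kept as negative controls; the randomness heuristic is a simple consonant-run test and is this example's own assumption, not a DDS feature.

```python
import re

# Service lines copied from the DDS log in post #1 (constructed sample input for this
# example); the Sophos and WinRM entries are legitimate and serve as negative controls.
SAMPLE_SERVICE_LINES = r"""
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-6-1 98304]
S2 dfcsvc;Distributed File Controller;NTOSA32.EXE /dfcsvc --> NTOSA32.EXE [?]
S2 nxdtzqlo;Monitor Update;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 tzmfzoq;Config Driver;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 vclspcrq;Image Server;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 zyastsqn;Universal Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-6-1 14976]
"""

# DDS service line layout: "<state> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")


def parse_service_line(line):
    """Return a dict for one DDS service/driver line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, name, display, image, fileinfo = m.groups()
    return {"state": state, "name": name, "display": display,
            "image": image, "fileinfo": fileinfo}


def looks_random(name):
    """Heuristic (assumption of this example): an all-lowercase name of 6+ letters
    containing a run of 4+ consonants, e.g. 'nxdtzqlo'. Real Windows service names
    are almost never shaped like this; generated names frequently are."""
    if not re.fullmatch(r"[a-z]{6,}", name):
        return False
    runs = re.findall(r"[^aeiou]+", name)
    longest = max((len(r) for r in runs), default=0)
    return longest >= 4


def suspicion_reasons(svc):
    """Collect human-readable reasons why a parsed service entry deserves a look."""
    reasons = []
    image = svc["image"].lower()
    if looks_random(svc["name"]):
        host = " (hosted by svchost.exe -k netsvcs)" if "svchost.exe -k netsvcs" in image else ""
        reasons.append("random-looking service name" + host)
    # A bare filename is resolved via the search path at service start instead of a
    # fixed location; legitimate services register a full path to their binary.
    exe = image.split(" ")[0]
    if "\\" not in exe and exe.endswith(".exe"):
        reasons.append("image path is a bare filename, not a full path")
    # DDS prints "[?]" in place of date/size when it cannot find the binary on disk.
    if svc["fileinfo"].strip() == "?":
        reasons.append("DDS could not locate the service binary")
    return reasons


def flag_services(dds_text):
    """Parse every service line in a DDS log; return {service name: [reasons]} for the
    suspicious entries only."""
    flagged = {}
    for line in dds_text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons = suspicion_reasons(svc)
        if reasons:
            flagged[svc["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_services(SAMPLE_SERVICE_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the script reports the five entries chemist's reply is concerned with and stays silent on the Sophos and WinRM services. The heuristics are deliberately narrow: a random-looking name or a bare-filename image is a reason to investigate the entry, not proof on its own, which is why each flag carries its reason rather than a verdict.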

#2 ·
Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal. For some infections, it may do this multiple times.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
 
#3 ·
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
 