Jump to content

Infected Userinit.exe file, and some fun


Recommended Posts

I'm attempting to fix my sister's laptop. It's Windows XP Media Center Edition (SP3). One of her friends apparently clicked on a pop-up ad that informed her that she had spyware, it said "Click here to scan," so naturally she did. I think Malwarebytes took a chunk of them out, but obviously not all of them. There currently is one that has disabled my access to the Desktop Background settings.

Below are the Malwarbytes and Hijack This logs:

MBAM:

Malwarebytes' Anti-Malware 1.34

Database version: 1813

Windows 5.1.2600 Service Pack 3

3/1/2009 7:12:50 PM

mbam-log-2009-03-01 (19-12-45).txt

Scan type: Full Scan (C:\|)

Objects scanned: 169424

Time elapsed: 2 hour(s), 39 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\userinit.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:19:28 PM, on 3/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Documents and Settings\Emily Miller\My Documents\download\stinger10000482.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\LVComsX.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061029

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061029

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy33.asbury.edu:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: ayezmn.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

--

End of file - 6701 bytes

Any ideas on how to cook this goose?

Thanks

~Andy Miller

Link to post
Share on other sites

  • Root Admin

The logs show that you did not tell MBAB to fix it. You need to tell MBAM to fix it.

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

  • O20 - AppInit_DLLs: ayezmn.dll
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

STEP 02

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly this is normal.
    Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
    Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

STEP 03

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Post back the MBAM log

STEP 04

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java
    Once you have removed all the old Java you can install the latest version.
    Download and Update Java Runtime
    The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.
    • Go to http://java.sun.com/javase/downloads/index.jsp
    • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
    • In Platform box choose Windows.
    • Check the box to Accept License Agreement and click Continue.
    • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
    • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
    • Uncheck the Toolbar button (unless you want the toolbar)
    • Reboot your computer
Link to post
Share on other sites

The logs show that you did not tell MBAB to fix it. You need to tell MBAM to fix it.

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

  • O20 - AppInit_DLLs: ayezmn.dll

    Then Quit All Browsers including the one you're reading this in now.

    Then click on Fix checked and then quit HJT

STEP 02

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.

  • Double click on FixPolicies.exe to run it.

  • Click on Install. It will create a folder named FixPolicies on your desktop.

  • Open the FixPolicies folder.

  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly this is normal.

    Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

    Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

STEP 03

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)

  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.

    • Update Malwarebytes' Anti-Malware

    • Select the Update tab

    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:

    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Post back the MBAM log

STEP 04

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.

  • From the drop-down menu, choose English and click on Select.

  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.

  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.

  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

    Then look for the following Java folders and if found delete them.

    C:\Program Files\Java

    C:\Program Files\Common Files\Java

    C:\Documents and Settings\All Users\Application Data\Java

    C:\Documents and Settings\All Users\Application Data\Sun\Java

    C:\Documents and Settings\username\Application Data\Java

    C:\Documents and Settings\username\Application Data\Sun\Java

    Once you have removed all the old Java you can install the latest version.

    Download and Update Java Runtime

    The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.

    • Go to http://java.sun.com/javase/downloads/index.jsp

    • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.

    • In Platform box choose Windows.

    • Check the box to Accept License Agreement and click Continue.

    • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.

    • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.

    • Uncheck the Toolbar button (unless you want the toolbar)

    • Reboot your computer

Here we go:

Malwarebytes' Anti-Malware 1.34

Database version: 1814

Windows 5.1.2600 Service Pack 3

3/2/2009 8:14:54 AM

mbam-log-2009-03-02 (08-14-54).txt

Scan type: Quick Scan

Objects scanned: 74242

Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

JavaRa:

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Mar 02 08:19:37 2009

Found and removed: C:\Program Files\Java\jre1.5.0_06

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Mar 02 08:20:15 2009

Could not delete: C:\Program Files\Java\jre1.5.0_10

Asking Windows to delete

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Mar 02 08:26:17 2009

Found and removed: C:\Windows\System32\jpicpl32.cpl

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: Software\JavaSoft\Java2D\1.5.0_10

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

------------------------------------

Finished reporting.JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Mar 02 08:29:36 2009

------------------------------------

Finished reporting.

The effects I had noticed are gone. Is there still a problem?

Link to post
Share on other sites

  • Root Admin

The logs indicate your clean now.

Great, all looks good now.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • Check Turn off System Restore.

  • Click Apply, and then click OK.

  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • UN-Check *Turn off System Restore*.

  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from
here

Find here the tutorial on how to use Spyware Blaster
here

Install WinPatrol

Download it from
here

Here you can find information about how WinPatrol works
here

Install FireTrust SiteHound

You can find information and download it from
here

Install hpHosts

Download it from
here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,

tracking and malicious websites. This prevents your computer from connecting to these untrusted sites

by redirecting them to 127.0.0.1 which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP
SP2
, you should upgrade to
SP3
.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend
Online Armor Free

A little outdated but good reading on

how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you
Fully Understand

how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting
Pre- HJT Post Instructions

Also don't forget that we offer
FREE
assistance with General PC questions and repair here
PC Help

If you're pleased with the product
Malwarebytes
and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.