omega_cmm Posted March 31, 2009 ID:68937 Share Posted March 31, 2009 Ran Malwarebytes Malware Removal and it constantly comes up with 2 viruses I can not get rid of. I have run Hijack this and also combo fix. So if you could review the logs and give me info on how to remove the virus it would be great. Latest Malware logMalwarebytes' Anti-Malware 1.35Database version: 1923Windows 5.1.2600 Service Pack 32009-03-31 08:27:55mbam-log-2009-03-31 (08-27-55).txtScan type: Full Scan (C:\|)Objects scanned: 132442Time elapsed: 49 minute(s), 58 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 2Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP285\A0016427.exe (Trojan.Agent) -> Quarantined and deleted successfully.Latest Combo Fix run....ComboFix 09-03-30.02 - omega 2009-03-31 7:22:58.3 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1627 [GMT -4:00]Running from: c:\documents and settings\omega.BTECSOLUTIONS\Desktop\ComboFix.exe * Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..---- Previous Run -------.c:\windows\system32\uniq.tll.((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 ))))))))))))))))))))))))))))))).2009-03-25 16:17 . 2009-03-25 16:11 135,486 --a------ C:\DUBO-PDF.pdf2009-03-20 08:04 . 2009-03-20 08:04 <DIR> d-------- c:\program files\Trend Micro2009-03-19 11:59 . 2009-03-19 11:59 <DIR> d---s---- c:\documents and settings\omega.BTECSOLUTIONS\UserData2009-03-13 13:00 . 2009-03-30 10:32 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\OpenOffice.org22009-03-13 11:23 . 2009-03-13 11:23 <DIR> d-------- c:\program files\Microsoft ActiveSync2009-03-13 11:23 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll2009-03-13 11:23 . 2009-03-13 11:23 376 --a------ c:\windows\ODBC.INI2009-03-13 11:22 . 2009-03-13 11:22 <DIR> d-------- c:\program files\Microsoft.NET2009-03-13 11:21 . 2009-03-13 11:21 <DIR> dr-h----- C:\MSOCache2009-03-13 11:18 . 2009-03-13 11:18 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\Apple Computer2009-03-13 10:54 . 2009-03-13 10:54 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\Malwarebytes2009-03-13 10:49 . 2009-03-13 10:49 <DIR> d-------- c:\windows\SchCache2009-03-13 10:48 . 2009-03-13 10:48 <DIR> d-------- c:\documents and settings\matt-f.BTECSOLUTIONS2009-03-13 10:45 . 2009-03-19 11:59 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS2009-03-12 11:26 . 2009-03-12 11:26 <DIR> d-------- c:\documents and settings\mistral\Application Data\Malwarebytes2009-03-12 11:26 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-03-12 11:25 . 2009-03-12 11:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-03-12 11:25 . 2009-03-12 11:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-03-12 11:25 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-03-12 08:24 . 2009-03-12 10:25 <DIR> d-------- c:\program files\Yahoo!2009-03-12 08:24 . 2009-03-12 08:24 <DIR> d-------- c:\documents and settings\mistral\Application Data\Yahoo!2009-03-12 08:23 . 2009-03-12 08:24 <DIR> d-------- c:\program files\CCleaner2009-03-06 10:32 . 2008-09-25 09:08 1,941,504 --a------ C:\SharePod.exe.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-16 21:41 --------- d-----w c:\program files\Microsoft Silverlight2009-03-13 14:07 --------- d-----w c:\documents and settings\mistral\Application Data\OpenOffice.org22009-03-13 13:28 --------- d-----w c:\documents and settings\mistral\Application Data\uTorrent2009-03-12 13:55 --------- d-----w c:\program files\Java2009-03-06 16:47 --------- d-----w c:\program files\Symantec AntiVirus2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\dllcache\win32k.sys2008-12-12 17:01 3,067,904 ----a-w c:\windows\system32\dllcache\mshtml.dll2008-12-11 10:57 333,952 ----a-w c:\windows\system32\dllcache\srv.sys2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll2008-12-05 06:54 144,896 ------w c:\windows\system32\dllcache\schannel.dll.------- Sigcheck -------2004-08-04 03:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe2004-08-04 03:56 24576 9f81016eddfda65cb7095eb8fbd75f7b c:\windows\system32\userinit.exe2004-08-04 03:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-27 39408][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"Java S1"="\\?\globalroot\systemroot\system32\mschr.exe" [?][HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSetActiveDesktop"= 1 (0x1)"NoActiveDesktopChanges"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192].Contents of the 'Scheduled Tasks' folder2009-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]..------- Supplementary Scan -------.uStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.aspuSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.aspmSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.aspuInternet Connection Wizard,ShellNext = hxxp://onlinenotifyq.net/land/eurl/?code=266uSearchURL,(Default) = hxxp://www.google.com/search?q=%sTCP: {5DA91415-C879-4F79-B489-FAB4A1763CBF} = 192.168.1.2,192.168.1.13.**************************************************************************catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-31 07:25:08Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'lsass.exe'(1152)c:\program files\Bonjour\mdnsNSP.dll.Completion time: 2009-03-31 7:26:15ComboFix-quarantined-files.txt 2009-03-31 11:26:13Pre-Run: 59,760,525,312 bytes freePost-Run: 59,753,869,312 bytes free123 --- E O F --- 2009-03-11 07:00:29tell me if you need anything else please.Thanks Link to post Share on other sites More sharing options...
Staff miekiemoes Posted March 31, 2009 Staff ID:68960 Share Posted March 31, 2009 Hi,Why did you never reply here? http://www.malwarebytes.org/forums/index.p...c=12895&hl=Please rerun Combofix again, but let it install the recovery console first, because it won't fix your infected userinit.exe otherwise.Then post the new log in your next reply Link to post Share on other sites More sharing options...
omega_cmm Posted April 1, 2009 Author ID:69337 Share Posted April 1, 2009 Hi,Why did you never reply here? http://www.malwarebytes.org/forums/index.p...c=12895&hl=Please rerun Combofix again, but let it install the recovery console first, because it won't fix your infected userinit.exe otherwise.Then post the new log in your next replyComboFix 09-03-31.03 - omega 2009-04-01 8:46:21.4 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1595 [GMT -4:00]Running from: c:\documents and settings\omega.BTECSOLUTIONS\Desktop\ComboFix.exe * Created a new restore point.((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 ))))))))))))))))))))))))))))))).2009-03-25 16:17 . 2009-03-25 16:11 135,486 --a------ C:\DUBO-PDF.pdf2009-03-20 08:04 . 2009-03-20 08:04 <DIR> d-------- c:\program files\Trend Micro2009-03-19 11:59 . 2009-03-19 11:59 <DIR> d---s---- c:\documents and settings\omega.BTECSOLUTIONS\UserData2009-03-13 13:00 . 2009-03-31 10:21 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\OpenOffice.org22009-03-13 11:23 . 2009-03-13 11:23 <DIR> d-------- c:\program files\Microsoft ActiveSync2009-03-13 11:23 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll2009-03-13 11:23 . 2009-03-13 11:23 376 --a------ c:\windows\ODBC.INI2009-03-13 11:22 . 2009-03-13 11:22 <DIR> d-------- c:\program files\Microsoft.NET2009-03-13 11:21 . 2009-03-13 11:21 <DIR> dr-h----- C:\MSOCache2009-03-13 11:18 . 2009-03-13 11:18 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\Apple Computer2009-03-13 10:54 . 2009-03-13 10:54 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\Malwarebytes2009-03-13 10:49 . 2009-03-13 10:49 <DIR> d-------- c:\windows\SchCache2009-03-13 10:48 . 2009-03-13 10:48 <DIR> d-------- c:\documents and settings\matt-f.BTECSOLUTIONS2009-03-13 10:45 . 2009-03-19 11:59 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS2009-03-12 11:26 . 2009-03-12 11:26 <DIR> d-------- c:\documents and settings\mistral\Application Data\Malwarebytes2009-03-12 11:26 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-03-12 11:25 . 2009-03-31 07:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-03-12 11:25 . 2009-03-12 11:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-03-12 11:25 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-03-12 08:24 . 2009-03-12 10:25 <DIR> d-------- c:\program files\Yahoo!2009-03-12 08:24 . 2009-03-12 08:24 <DIR> d-------- c:\documents and settings\mistral\Application Data\Yahoo!2009-03-12 08:23 . 2009-03-12 08:24 <DIR> d-------- c:\program files\CCleaner2009-03-06 10:32 . 2008-09-25 09:08 1,941,504 --a------ C:\SharePod.exe.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-16 21:41 --------- d-----w c:\program files\Microsoft Silverlight2009-03-13 14:07 --------- d-----w c:\documents and settings\mistral\Application Data\OpenOffice.org22009-03-13 13:28 --------- d-----w c:\documents and settings\mistral\Application Data\uTorrent2009-03-12 13:55 --------- d-----w c:\program files\Java2009-03-06 16:47 --------- d-----w c:\program files\Symantec AntiVirus2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\dllcache\win32k.sys.------- Sigcheck -------2004-08-04 03:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe2004-08-04 03:56 24576 9f81016eddfda65cb7095eb8fbd75f7b c:\windows\system32\userinit.exe2004-08-04 03:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-27 39408][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"Java S1"="\\?\globalroot\systemroot\system32\mschr.exe" [?][HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSetActiveDesktop"= 1 (0x1)"NoActiveDesktopChanges"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192].Contents of the 'Scheduled Tasks' folder2009-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]..------- Supplementary Scan -------.uStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.aspuSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.aspmSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.aspuInternet Connection Wizard,ShellNext = hxxp://onlinenotifyq.net/land/eurl/?code=266uSearchURL,(Default) = hxxp://www.google.com/search?q=%sTCP: {5DA91415-C879-4F79-B489-FAB4A1763CBF} = 192.168.1.2,192.168.1.13.**************************************************************************catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-04-01 08:47:43Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'lsass.exe'(1152)c:\program files\Bonjour\mdnsNSP.dll.Completion time: 2009-04-01 8:48:54ComboFix-quarantined-files.txt 2009-04-01 12:48:51ComboFix2.txt 2009-03-31 11:26:17Pre-Run: 59,639,365,632 bytes freePost-Run: 59,637,157,888 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect119 --- E O F --- 2009-03-11 07:00:29THANKS!!!! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 1, 2009 Staff ID:69347 Share Posted April 1, 2009 Hmm, the sigcheck of userinit.exe doesn,'t give any hits. Looks like it's patched after all, however, still unsure if it's malware or not..The MD5 doesn't make sense though..Anyway, do next please..Go to next site:http://www.virustotal.com/en/indexf.htmlOn top you'll find 'Browse'Click the browse button and browse to next file:c:\windows\system32\userinit.exeClick open.Then click the 'Send' button next to it.This will scan the file. Please be patient.Once scanned, copy and paste the results in your next reply. Link to post Share on other sites More sharing options...
omega_cmm Posted April 1, 2009 Author ID:69355 Share Posted April 1, 2009 Hmm, the sigcheck of userinit.exe doesn,'t give any hits. Looks like it's patched after all, however, still unsure if it's malware or not..The MD5 doesn't make sense though..Anyway, do next please..Go to next site:http://www.virustotal.com/en/indexf.htmlOn top you'll find 'Browse'Click the browse button and browse to next file:c:\windows\system32\userinit.exeClick open.Then click the 'Send' button next to it.This will scan the file. Please be patient.Once scanned, copy and paste the results in your next reply.File userinit.exe received on 04.01.2009 16:10:45 (CET)Current status: finished Result: 5/40 (12.50%) Compact Print results Antivirus Version Last Update Result a-squared 4.0.0.101 2009.04.01 Trojan.Trash!IK AhnLab-V3 5.0.0.2 2009.04.01 - AntiVir 7.9.0.129 2009.04.01 TR/Trash.Gen Antiy-AVL 2.0.3.1 2009.04.01 - Authentium 5.1.2.4 2009.03.31 - Avast 4.8.1335.0 2009.03.31 - AVG 8.5.0.285 2009.04.01 - BitDefender 7.2 2009.04.01 - CAT-QuickHeal 10.00 2009.04.01 - ClamAV 0.94.1 2009.04.01 - Comodo 1092 2009.03.31 - DrWeb 4.44.0.09170 2009.04.01 - eSafe 7.0.17.0 2009.04.01 - eTrust-Vet 31.6.6429 2009.04.01 - F-Prot 4.4.4.56 2009.03.31 - F-Secure 8.0.14470.0 2009.04.01 - Fortinet 3.117.0.0 2009.04.01 - GData 19 2009.04.01 - Ikarus T3.1.1.49.0 2009.04.01 Trojan.Trash K7AntiVirus 7.10.687 2009.03.31 - Kaspersky 7.0.0.125 2009.04.01 - McAfee 5570 2009.03.31 - McAfee+Artemis 5570 2009.03.31 - McAfee-GW-Edition 6.7.6 2009.04.01 Trojan.Trash.Gen Microsoft 1.4502 2009.04.01 - NOD32 3980 2009.04.01 - Norman 6.00.06 2009.04.01 Sohanad.BCW nProtect 2009.1.8.0 2009.04.01 - Panda 10.0.0.14 2009.03.31 - PCTools 4.4.2.0 2009.04.01 - Prevx1 V2 2009.04.01 - Rising 21.23.22.00 2009.04.01 - Sophos 4.40.0 2009.04.01 - Sunbelt 3.2.1858.2 2009.04.01 - Symantec 1.4.4.12 2009.04.01 - TheHacker 6.3.4.0.298 2009.04.01 - TrendMicro 8.700.0.1004 2009.04.01 - VBA32 3.12.10.1 2009.03.31 - ViRobot 2009.4.1.1671 2009.04.01 - VirusBuster 4.6.5.0 2009.03.31 - Additional information File size: 24576 bytes MD5...: 9f81016eddfda65cb7095eb8fbd75f7b SHA1..: 24538b773702974df1f871db2e26c3647be88ea3 SHA256: aee790bcb9af3f1e3b684b5b214dcceeb1ad2955532e017832d7d6d68b8872c2 SHA512: 9676cdbf4d8a3128d91dc83b1dd1c6184205b729a1fe4cbc03b008d4effb6943d3ca2e41016a16713d4133ea23cdfc008935ae12c44b3bfddd5adc4a03a929b4 ssdeep: 384:DNkhB/JD1CzaxzOV6s9cKmdPGFQ273eLXVBYkkjuv1hkNLdbaLa4CwUJuUCSF4WL:gJDUaxgu5YEVBxkjuv7wbaLa4PU4b7PEiD..: - TrID..: File type identificationAutodesk FLIC Image File (extensions: flc, fli, cel) (100.0%) PEInfo: - RDS...: NSRL Reference Data Set- Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 1, 2009 Staff ID:69358 Share Posted April 1, 2009 Ok, looks like we need to replace it.Since you're having Service Pack 3 installed, we need to replace the userinit.exe with the latest version. In your case, this one is located in the c:\windows\ServicePackFiles\i386\ folder.To make it easier for you, we're going to use Combofix in combination with a script to replace it, so do next please...* Open notepad - don't use any other texteditor than notepad or the script will fail.Copy/paste the text in the quotebox below into notepad:FCOPY::c:\windows\ServicePackFiles\i386\userinit.exe | C:\WINDOWS\system32\userinit.exeSave this as txtfile CFScript Then drag the CFScript into ComboFix.exe as you see in the screenshot below.This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply. Link to post Share on other sites More sharing options...
omega_cmm Posted April 1, 2009 Author ID:69487 Share Posted April 1, 2009 Ok, looks like we need to replace it.Since you're having Service Pack 3 installed, we need to replace the userinit.exe with the latest version. In your case, this one is located in the c:\windows\ServicePackFiles\i386\ folder.To make it easier for you, we're going to use Combofix in combination with a script to replace it, so do next please...* Open notepad - don't use any other texteditor than notepad or the script will fail.Copy/paste the text in the quotebox below into notepad:Save this as txtfile CFScript Then drag the CFScript into ComboFix.exe as you see in the screenshot below.This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.ComboFix 09-04-01.01 - omega 2009-04-01 16:50:55.5 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1585 [GMT -4:00]Running from: c:\documents and settings\omega.BTECSOLUTIONS\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\omega.BTECSOLUTIONS\Desktop\CFScript.txt * Created a new restore point.((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 ))))))))))))))))))))))))))))))).2009-03-25 16:17 . 2009-03-25 16:11 135,486 --a------ C:\DUBO-PDF.pdf2009-03-20 08:04 . 2009-03-20 08:04 <DIR> d-------- c:\program files\Trend Micro2009-03-19 11:59 . 2009-03-19 11:59 <DIR> d---s---- c:\documents and settings\omega.BTECSOLUTIONS\UserData2009-03-13 13:00 . 2009-04-01 09:32 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\OpenOffice.org22009-03-13 11:23 . 2009-03-13 11:23 <DIR> d-------- c:\program files\Microsoft ActiveSync2009-03-13 11:23 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll2009-03-13 11:23 . 2009-03-13 11:23 376 --a------ c:\windows\ODBC.INI2009-03-13 11:22 . 2009-03-13 11:22 <DIR> d-------- c:\program files\Microsoft.NET2009-03-13 11:21 . 2009-03-13 11:21 <DIR> dr-h----- C:\MSOCache2009-03-13 11:18 . 2009-03-13 11:18 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\Apple Computer2009-03-13 10:54 . 2009-03-13 10:54 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\Malwarebytes2009-03-13 10:49 . 2009-03-13 10:49 <DIR> d-------- c:\windows\SchCache2009-03-13 10:48 . 2009-03-13 10:48 <DIR> d-------- c:\documents and settings\matt-f.BTECSOLUTIONS2009-03-13 10:45 . 2009-03-19 11:59 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS2009-03-12 11:26 . 2009-03-12 11:26 <DIR> d-------- c:\documents and settings\mistral\Application Data\Malwarebytes2009-03-12 11:26 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-03-12 11:25 . 2009-03-31 07:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-03-12 11:25 . 2009-03-12 11:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-03-12 11:25 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-03-12 08:24 . 2009-03-12 10:25 <DIR> d-------- c:\program files\Yahoo!2009-03-12 08:24 . 2009-03-12 08:24 <DIR> d-------- c:\documents and settings\mistral\Application Data\Yahoo!2009-03-12 08:23 . 2009-03-12 08:24 <DIR> d-------- c:\program files\CCleaner2009-03-06 10:32 . 2008-09-25 09:08 1,941,504 --a------ C:\SharePod.exe.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-16 21:41 --------- d-----w c:\program files\Microsoft Silverlight2009-03-13 14:07 --------- d-----w c:\documents and settings\mistral\Application Data\OpenOffice.org22009-03-13 13:28 --------- d-----w c:\documents and settings\mistral\Application Data\uTorrent2009-03-12 13:55 --------- d-----w c:\program files\Java2009-03-06 16:47 --------- d-----w c:\program files\Symantec AntiVirus2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\dllcache\win32k.sys.------- Sigcheck -------2004-08-04 03:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe2008-04-14 05:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe2004-08-04 03:56 24576 9f81016eddfda65cb7095eb8fbd75f7b c:\windows\system32\userinit.exe2004-08-04 03:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-27 39408][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"Java S1"="\\?\globalroot\systemroot\system32\mschr.exe" [?][HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSetActiveDesktop"= 1 (0x1)"NoActiveDesktopChanges"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192].Contents of the 'Scheduled Tasks' folder2009-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]..------- Supplementary Scan -------.uStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.aspuSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.aspmSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.aspuInternet Connection Wizard,ShellNext = hxxp://onlinenotifyq.net/land/eurl/?code=266uSearchURL,(Default) = hxxp://www.google.com/search?q=%sTCP: {5DA91415-C879-4F79-B489-FAB4A1763CBF} = 192.168.1.2,192.168.1.13.**************************************************************************catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-04-01 16:52:08Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'lsass.exe'(1152)c:\program files\Bonjour\mdnsNSP.dll.Completion time: 2009-04-01 16:53:14ComboFix-quarantined-files.txt 2009-04-01 20:53:12ComboFix2.txt 2009-04-01 12:48:55ComboFix3.txt 2009-03-31 11:26:17Pre-Run: 59,620,896,768 bytes freePost-Run: 59,618,611,200 bytes free114 --- E O F --- 2009-03-11 07:00:29 Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 1, 2009 Staff ID:69490 Share Posted April 1, 2009 Hi,It looks like you did something wrong though..Not sure what you exactly copied /pasted in notepad (cfscript), but I have the feeling that you missed something.Please try again.The following content should be in the cfscript.txt (FCOPY:: included):FCOPY::c:\windows\ServicePackFiles\i386\userinit.exe | C:\WINDOWS\system32\userinit.exe Link to post Share on other sites More sharing options...
omega_cmm Posted April 1, 2009 Author ID:69495 Share Posted April 1, 2009 sorry i forgot the fcopy partnew report.....ComboFix 09-04-01.01 - omega 2009-04-01 17:36:10.6 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1560 [GMT -4:00]Running from: c:\documents and settings\omega.BTECSOLUTIONS\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\omega.BTECSOLUTIONS\Desktop\cfscript.txt * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..--------------- FCopy ---------------c:\windows\ServicePackFiles\i386\userinit.exe --> c:\windows\system32\userinit.exe.((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 ))))))))))))))))))))))))))))))).2009-03-25 16:17 . 2009-03-25 16:11 135,486 --a------ C:\DUBO-PDF.pdf2009-03-20 08:04 . 2009-03-20 08:04 <DIR> d-------- c:\program files\Trend Micro2009-03-19 11:59 . 2009-03-19 11:59 <DIR> d---s---- c:\documents and settings\omega.BTECSOLUTIONS\UserData2009-03-13 13:00 . 2009-04-01 09:32 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\OpenOffice.org22009-03-13 11:23 . 2009-03-13 11:23 <DIR> d-------- c:\program files\Microsoft ActiveSync2009-03-13 11:23 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll2009-03-13 11:23 . 2009-03-13 11:23 376 --a------ c:\windows\ODBC.INI2009-03-13 11:22 . 2009-03-13 11:22 <DIR> d-------- c:\program files\Microsoft.NET2009-03-13 11:21 . 2009-03-13 11:21 <DIR> dr-h----- C:\MSOCache2009-03-13 11:18 . 2009-03-13 11:18 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\Apple Computer2009-03-13 10:54 . 2009-03-13 10:54 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS\Application Data\Malwarebytes2009-03-13 10:49 . 2009-03-13 10:49 <DIR> d-------- c:\windows\SchCache2009-03-13 10:48 . 2009-03-13 10:48 <DIR> d-------- c:\documents and settings\matt-f.BTECSOLUTIONS2009-03-13 10:45 . 2009-03-19 11:59 <DIR> d-------- c:\documents and settings\omega.BTECSOLUTIONS2009-03-12 11:26 . 2009-03-12 11:26 <DIR> d-------- c:\documents and settings\mistral\Application Data\Malwarebytes2009-03-12 11:26 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-03-12 11:25 . 2009-03-31 07:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-03-12 11:25 . 2009-03-12 11:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-03-12 11:25 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-03-12 08:24 . 2009-03-12 10:25 <DIR> d-------- c:\program files\Yahoo!2009-03-12 08:24 . 2009-03-12 08:24 <DIR> d-------- c:\documents and settings\mistral\Application Data\Yahoo!2009-03-12 08:23 . 2009-03-12 08:24 <DIR> d-------- c:\program files\CCleaner2009-03-06 10:32 . 2008-09-25 09:08 1,941,504 --a------ C:\SharePod.exe.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-16 21:41 --------- d-----w c:\program files\Microsoft Silverlight2009-03-13 14:07 --------- d-----w c:\documents and settings\mistral\Application Data\OpenOffice.org22009-03-13 13:28 --------- d-----w c:\documents and settings\mistral\Application Data\uTorrent2009-03-12 13:55 --------- d-----w c:\program files\Java2009-03-06 16:47 --------- d-----w c:\program files\Symantec AntiVirus2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\dllcache\win32k.sys.((((((((((((((((((((((((((((( SnapShot@2009-03-30_17.11.43.93 ))))))))))))))))))))))))))))))))))))))))).- 2004-08-04 07:56:57 24,576 ----a-w c:\windows\system32\dllcache\userinit.exe+ 2008-04-14 09:42:40 26,112 ----a-w c:\windows\system32\dllcache\userinit.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-27 39408][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"Java S1"="\\?\globalroot\systemroot\system32\mschr.exe" [?][HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSetActiveDesktop"= 1 (0x1)"NoActiveDesktopChanges"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192].Contents of the 'Scheduled Tasks' folder2009-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]..------- Supplementary Scan -------.uStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.aspuSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.aspmSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.aspuInternet Connection Wizard,ShellNext = hxxp://onlinenotifyq.net/land/eurl/?code=266uSearchURL,(Default) = hxxp://www.google.com/search?q=%sTCP: {5DA91415-C879-4F79-B489-FAB4A1763CBF} = 192.168.1.2,192.168.1.13.**************************************************************************catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-04-01 17:37:08Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'lsass.exe'(1152)c:\program files\Bonjour\mdnsNSP.dll.Completion time: 2009-04-01 17:38:20ComboFix-quarantined-files.txt 2009-04-01 21:38:17ComboFix2.txt 2009-04-01 20:53:16ComboFix3.txt 2009-04-01 12:48:55ComboFix4.txt 2009-03-31 11:26:17Pre-Run: 59,601,907,712 bytes freePost-Run: 59,596,083,200 bytes free120 --- E O F --- 2009-03-11 07:00:29 Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 1, 2009 Staff ID:69500 Share Posted April 1, 2009 sorry i forgot the fcopy partThat's what I thought It went fine here and the infected userinit got replaced with a clean one.Open notepad and copy and paste next present in the quotebox below in it:(don't forget to copy and paste REGEDIT4)REGEDIT4[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"Java S1"=-Save this as fix.reg Choose to save as *all files and place it on your desktop.It should look like this: Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.Then, * Go to start > run and copy and paste next command in the field:ComboFix /uMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.Then, run malwarebytes again and let me know if it's still detecting the two entries (it shouldn't though) Link to post Share on other sites More sharing options...
omega_cmm Posted April 2, 2009 Author ID:69668 Share Posted April 2, 2009 That's what I thought It went fine here and the infected userinit got replaced with a clean one.Open notepad and copy and paste next present in the quotebox below in it:(don't forget to copy and paste REGEDIT4)Save this as fix.reg Choose to save as *all files and place it on your desktop.It should look like this: Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.Then, * Go to start > run and copy and paste next command in the field:ComboFix /uMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.Then, run malwarebytes again and let me know if it's still detecting the two entries (it shouldn't though)THANKS!!!!!!!! It is all good now. I really appreciate all the help! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 2, 2009 Staff ID:69669 Share Posted April 2, 2009 Glad I could help. Please read my Prevention page with lots of info and tips how to prevent this in the future.And if you want to improve speed/system performance after malware removal, take a look here.Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.Happy Surfing again! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 6, 2009 Staff ID:70894 Share Posted April 6, 2009 Since this issue appears resolved ... this Topic is closed.If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.Everyone else please begin a New Topic. Link to post Share on other sites More sharing options...
Recommended Posts