
Can't get rid of infection on userinit.exe


osckar


Hello:

I have an infected Windows XP SP3 PC, and I just can't get rid of the infection. The system keeps restarting every now and then, and even when I do a scan with Malwarebytes and delete the infected items, after I reboot and run a new Malwarebytes scan the infected items appear again.

Here are my HJT and Malwarebytes recent scan logs.

================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:21:59 p.m., on 23/09/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Archivos de programa\Panda Security\Panda Internet Security 2010\TPSrv.exe

C:\WINDOWS\system32\svchost.exe

C:\ARCHIVOS DE PROGRAMA\PANDA SECURITY\PANDA INTERNET SECURITY 2010\WebProxy.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Archivos de programa\IObit\IObit Security 360\IS360srv.exe

C:\Archivos de programa\Panda Security\Panda Internet Security 2010\PsCtrls.exe

C:\WINDOWS\Explorer.EXE

C:\Archivos de programa\Panda Security\Panda Internet Security 2010\PavFnSvr.exe

C:\Archivos de programa\Archivos comunes\Panda Security\PavShld\pavprsrv.exe

c:\archivos de programa\panda security\panda internet security 2010\firewall\PSHOST.EXE

C:\Archivos de programa\Panda Security\Panda Internet Security 2010\PsImSvc.exe

C:\Archivos de programa\Panda Security\Panda Internet Security 2010\PskSvc.exe

C:\Archivos de programa\Spyware Terminator\sp_rsser.exe

C:\Archivos de programa\Panda Security\Panda Internet Security 2010\pavsrv51.exe

C:\Archivos de programa\Panda Security\Panda Internet Security 2010\AVENGINE.EXE

c:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\AGRSMMSG.exe

C:\HP\KBD\KBD.EXE

C:\Archivos de programa\iTunes\iTunesHelper.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Archivos de programa\Spyware Terminator\SpywareTerminatorShield.exe

C:\Archivos de programa\Panda Security\Panda Internet Security 2010\APVXDWIN.EXE

C:\Archivos de programa\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe

C:\Archivos de programa\Compaq Connections\6750491\Program\Compaq Connections.exe

C:\Archivos de programa\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Archivos de programa\Panda Security\Panda Internet Security 2010\SRVLOAD.EXE

C:\Archivos de programa\Panda Security\Panda Internet Security 2010\PavBckPT.exe

C:\Archivos de programa\Malwarebytes' Anti-Malware\mbam.exe

C:\Archivos de programa\Mozilla Firefox\firefox.exe

C:\ARCHIV~1\Crawler\CToolbar.exe

C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Archivos de programa\Outlook Express\msimn.exe"

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = V


Welcome to Malwarebytes!!!! :P

You have a patched/infected copy of userinit.exe.

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouse-click ComboFix's window while it is running; that may cause it to stall.


Hi:

thanks for the reply.

After the last scan (the logs I posted previously) I deleted the infections shown by Malwarebytes, then rebooted the computer into safe mode. I ran a new scan and, to my surprise, it showed no infection. Then I did a full scan and again nothing was found.

I rebooted into normal mode, did another quick scan, and the system appeared clean again. I did a full system scan and nothing was found. So, mysteriously, the infection has gone.

I have used the computer without any sudden reboots and everything seems to work fine now.

Question: do you recommend using ComboFix, as the system now appears to be clean? Or what should I do?

Thank you!

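An added example, not code from this thread, from Malwarebytes or from ComboFix: the reply above asserts that userinit.exe is patched, and the follow-up asks whether a machine that now scans clean still needs ComboFix. A scanner coming back clean says nothing about whether the system file itself is still the original, so the script below checks that directly on a Windows XP SP3 box. It assumes PowerShell 2.0 is installed (the last version supported on XP) and is run as an administrator; the registry path, the default `userinit.exe,` value and the dllcache location are standard XP defaults rather than anything shown in the thread, and `$reference` is a hypothetical path to a copy taken from a known-clean machine.

```powershell
# Added example; not code from the forum thread or from Malwarebytes/ComboFix.
# Checks whether userinit.exe on Windows XP SP3 looks tampered with before
# deciding to run a tool such as ComboFix.
# Assumptions: PowerShell 2.0 on XP SP3, run as an administrator. The default
# XP values below (Winlogon key, the 'userinit.exe,' string, the dllcache path)
# are standard Windows facts, not taken from the thread.

$system32 = Join-Path $env:SystemRoot 'system32'
$userinit = Join-Path $system32 'userinit.exe'
$dllcache = Join-Path $system32 'dllcache\userinit.exe'   # Windows File Protection cache copy
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$reference = $null   # hypothetical: path to userinit.exe copied from a known-clean XP SP3 machine

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash does not exist in PowerShell 2.0, so hash through .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $hash = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function Describe-File([string]$Path) {
    $info = Get-Item $Path
    $ver  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    return "$Path size=$($info.Length) version=$($ver.FileVersion) sha256=$(Get-Sha256Hex $Path)"
}

$findings = @()

# 1. Winlogon\Userinit is what winlogon.exe launches at every logon. Anything beyond
#    the single default entry means another program is started alongside it, which is
#    one way "removed" items keep coming back after a reboot.
$value = (Get-ItemProperty -Path $winlogon -Name 'Userinit').Userinit
if ($value -ine "$userinit,") {
    $findings += "Winlogon\Userinit = '$value' (expected '$userinit,')"
}

# 2. The live binary should be byte-identical to the WFP cache copy. A patched
#    userinit.exe normally differs in size and hash from the cached original.
Write-Host (Describe-File $userinit)
if (Test-Path $dllcache) {
    Write-Host (Describe-File $dllcache)
    if ((Get-Sha256Hex $userinit) -ne (Get-Sha256Hex $dllcache)) {
        $findings += 'userinit.exe differs from the dllcache copy'
    }
} else {
    $findings += 'no dllcache copy to compare against'
}

# 3. The cache copy can be patched as well, so when a copy from a known-clean
#    machine is available, compare against that too.
if ($reference -and (Test-Path $reference)) {
    if ((Get-Sha256Hex $userinit) -ne (Get-Sha256Hex $reference)) {
        $findings += 'userinit.exe differs from the clean reference copy'
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No obvious tampering with userinit.exe found.'
} else {
    Write-Host 'Findings:'
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Two caveats a practitioner should keep in mind. Matching hashes between system32 and dllcache only prove the two copies agree, not that either is clean, which is why the optional reference copy matters; and a scanner reporting "nothing found" after a reboot is consistent with the loader simply not having been detected on that pass, so the file-level check, not the scan result, is what should decide whether to proceed with ComboFix.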
