Spyware (or something) keeps removing my userinit.exe file!


6 replies to this topic

#1 Mr. Marc
  • Members
  • 7 posts
  • Local time:06:07 PM

Posted 06 February 2009 - 01:10 PM

What started as a simple spyware call has gone crazy! :thumbsup:
After running Malwarebytes and rebooting, and then rebooting again because the network wasn't working, we logged in and just got a blank screen with no icons. Being the smart tech, I remoted in and copied a viable userinit.exe file from my pc to theirs.
Logged in, system logs off right away. In safe mode, safe mode networking, or command prompt.
I copy the file to C:\windows\system32, run login, it logs off right away, and the file is GONE!
Reg settings are fine. Ran a system checkdisk from Recovery Console. Same thing.

There is an exe somewhere that is likely running the removal, but I don't know where to look. Any ideas???
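A read-only check of the two Winlogon values this thread revolves around (Userinit, and Shell for the blank desktop), added here as an example and not taken from any poster; it assumes a Windows host with PowerShell 4 or later (for Get-FileHash) and Windows' default values.

```powershell
# Added example, not from the thread. Audits the Winlogon Userinit/Shell settings and
# the userinit.exe binary the thread describes being deleted. Reports only; changes nothing.
# Assumes PowerShell 4+ (Get-FileHash) and the Windows default values used below.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = "$env:SystemRoot\system32\userinit.exe,"   # default Userinit value, trailing comma included

$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
"Userinit value : $userinit"
if ($userinit -ne $expected) {
    Write-Warning "Userinit differs from the default '$expected'"
}

# The value is a comma-separated list of programs Winlogon runs at logon.
# Each entry should exist; a missing one reproduces the 'logs off right away' loop.
foreach ($entry in ($userinit -split ',' | Where-Object { $_.Trim() })) {
    $path = [Environment]::ExpandEnvironmentVariables($entry.Trim())
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Missing: $path  (matches the 'file is GONE' symptom)"
        continue
    }
    # System binaries may be catalog-signed rather than embedded-signed, so NotSigned on its
    # own is not proof of tampering; compare the SHA-256 against a known-good copy as well.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    "{0}`n  signature: {1} ({2})`n  sha256   : {3}" -f $path, $sig.Status, $sig.SignerCertificate.Subject, $hash
}

# Shell should be explorer.exe; an empty desktop after logon is also seen when it is altered.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
"Shell value    : $shell"
if ($shell -ne 'explorer.exe') {
    Write-Warning "Shell differs from the default 'explorer.exe'"
}
```

Run it from an elevated prompt on the affected machine or, as in this thread, over a remote session; a file that is present now but missing on the next run points at something deleting it after logon.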

#2 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:07:07 PM

Posted 06 February 2009 - 05:05 PM

Hello.

It seems you have a nasty infection. We will run an MBAM scan and see if that can help; if not, we may need to refer you to the HJT-Malware Removal forum.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Mr. Marc
  • Topic Starter
  • Members
  • 7 posts
  • Local time:06:07 PM

Posted 09 February 2009 - 09:14 AM

I'd like to run malwarebytes again, but I can't get to the desktop. Safe mode, safe mode w/ networking, and safe mode command prompt all do the same thing. Logs on, then off right away.
And the user is remote so I can't just insert a Windows CD and repair it...
Any ideas to get into the background?

Edited by Mr. Marc, 09 February 2009 - 09:15 AM.


#4 DaChew
  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:07 PM

Posted 09 February 2009 - 04:53 PM

Anything with those Userinit lines can be fixed with Avira anti-virus. I suggest recommending them for that job and then a clean-up after with our product.


from the head developer at MBAM
Chewy

No. Try not. Do... or do not. There is no try.

#5 Mr. Marc
  • Topic Starter
  • Members
  • 7 posts
  • Local time:06:07 PM

Posted 10 February 2009 - 09:36 AM

Those fixes are fine, but the main problem is that we can't even LOGIN! Even in safe mode!! I can't get into Windows long enough to start any installations or fixes!

Can I run combofix from a Windows Recovery Console? Can I run any tools from Recovery console?

#6 DaChew
  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:07 PM

Posted 10 February 2009 - 10:52 AM

I hate to discourage you but one of the more advanced experts in malware removal that I follow has infected his test box with a newer variant of this userinit.
Even with his armada of advanced tools, after repairing the box so it will boot (running boot CDs and antivirus), he is not having much luck.

He had a similar experience after using MBAM, he was testing the newest beta.

#7 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:07:07 PM

Posted 10 February 2009 - 05:37 PM

Hello.

Sorry for not replying to this topic. Da Chew was doing a good job assisting you, so I decided not to stick my nose in here.

You seem to have a very nasty infection going around here. It may be best to reinstall now, as it's probably easier. It will not erase any of your data either, such as important documents, Excel files, pictures, music, etc...

Can I run combofix from a Windows Recovery Console? Can I run any tools from Recovery console?

No. The RC is not a "boot mode". It is similar to the Command Prompt. More information on the RC can be found over here.

Just wondering, do you have a Windows XP disk anywhere? We may be able to get you to boot and stay in a bit longer if you have one. Also, do you do any registry backups, such as using the tool ERUNT? If you do, we may be able to fix this.

With Regards,
Extremeboy