Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde / userinit.exe Virus


  • This topic is locked This topic is locked
2 replies to this topic

#1 hitemuprobbo

hitemuprobbo

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 10 February 2009 - 01:11 AM

Hi,

After downloading some software on the 09/02/09 from a less than reputable site i have been unable to properly login to Windows. My login has changed from the "Graphical" (sorry for none techy description) Windows XP login interface, into an old school text box login. I can login to Windows fine, but only my Desktop Wallpaper loads, so my Start Menu doesn't, along with all my desktop, clock, taskbar etc etc. The only way i can run programs is thru the Task Manager "run" command.

I have run Spyware doctor (found one virtumonde threat and removed it), Norton (found nothing), and SpyBot (found numerous, Virtumonde, Win32.Delf.uc, Nugache.A@mm) all say they have removed the viruses but i still cant login.

After around 20 seconds of a stalled login i get a windows error message saying userinit.exe failed to initialize (was blocked by Windows).

Any help with this issue is greatly appreciated, i didnt know there was places like this, otherwise i would have signed up years ago before wasting hours of my life in the past removing these damn pests.

Thank you for any replies and help received in advance.



DDS TEXT LOG:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 5:49:55.56 on 10/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rapcentral.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://server.iad.liveperson.net/hc/10973025/?

cmd=file&file=visitorWantsToChat&site=10973025&referrer=http%3A//accounts.pkr.com/Contact.aspx
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {09628AAA-66AD-4FA2-82E2-698185B66463} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton

antivirus\engine\16.2.0.7\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program

files\hpq\iam\bin\ItIeAddIN.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6

\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [cogad] "c:\documents and settings\administrator\application data\cogad\cogad.exe"

61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hpq\iam\bin\AsTsVcc.dll,RegisterModule
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SDTray] "c:\program files\spyware doctor\SDTrayApp.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\microsoft

activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\microsoft

activesync\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search &

destroy\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
Notify: urqRJCSj - urqRJCSj.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli AsWlnPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\suext21c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rapcentral.co.uk/
FF - plugin: c:\documents and settings\administrator\application

data\mozilla\firefox\profiles\suext21c.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-

msvc\plugins\npmnqmp07076007.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-02-10 05:34 69,700 a------- c:\windows\system32\usrshuta.exe
2009-02-10 05:34 69,700 a------- c:\windows\system32\dllcache\usrshuta.exe
2009-02-10 05:33 73,796 a------- c:\windows\system32\slserv.exe
2009-02-10 05:33 73,796 a------- c:\windows\system32\dllcache\slserv.exe
2009-02-10 05:26 <DIR> --d----- c:\program files\ESET
2009-02-10 05:14 <DIR> --d----- C:\!KillBox
2009-02-10 05:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-10 05:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-10 04:26 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-02-09 16:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\Sports Interactive
2009-02-09 15:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\cogad
2009-02-09 15:13 <DIR> --d----- c:\program files\Steam
2009-02-09 15:13 <DIR> --d-h--- c:\program files\Zero G Registry
2009-02-09 15:13 <DIR> --d----- c:\program files\Sports Interactive
2009-02-09 15:10 <DIR> --d-h--- c:\documents and settings\administrator\InstallAnywhere
2009-02-09 14:37 <DIR> --d----- c:\program files\Alex Feinman
2009-02-03 15:31 <DIR> --d----- c:\program files\JRE
2009-01-24 06:36 38 a------- c:\windows\AviSplitter.INI
2009-01-24 06:33 421,888 a------- c:\windows\system32\ac3filter.acm
2009-01-24 06:32 <DIR> --d----- c:\program files\XP Codec Pack

==================== Find3M ====================

2009-01-07 18:55 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-19 15:15 4,338,246 a------- c:\windows\system32\libavcodec.dll
2008-12-17 17:41 884,237 a------- c:\windows\system32\ff_x264.dll
2008-12-17 17:22 93,184 a------- c:\windows\system32\ff_wmv9.dll
2008-12-17 17:22 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-12-17 17:17 239,247 a------- c:\windows\system32\ff_theora.dll
2008-12-17 16:59 560,802 a------- c:\windows\system32\libmplayer.dll
2008-12-13 06:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-11 00:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-11 00:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-09 02:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-09 02:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-12-08 11:01 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-06 10:40 741,702 a--sh--- c:\windows\system32\gNoYHkkj.ini2
2008-12-01 06:56 408,248 a------- c:\docume~1\admini~1\applic~1\FNTCACHE.BIN
2008-11-29 20:26 991,232 a------- c:\windows\system32\VSFilter.dll
2008-11-28 14:11 585 a------- c:\docume~1\admini~1\applic~1\perfc012.dat
2008-09-17 13:16 549,159 a--shr-- c:\program files\Norton2009Reset.exe
2007-09-18 01:34 82 a------- c:\docume~1\alluse~1\applic~1\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2007-02-12 19:10 2,682,880 -------- c:\documents and settings\all users\VCREDI~3.EXE

============= FINISH: 5:54:04.01 ===============

Attached Files


Edited by hitemuprobbo, 10 February 2009 - 01:14 AM.


BC AdBot (Login to Remove)

 


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:02:51 PM

Posted 17 February 2009 - 01:00 PM

Hi,

If you still need help with this post a fresh dds report making sure that notepad's word wrap is disabled first.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:02:51 PM

Posted 23 February 2009 - 03:43 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users