
win32.backdoor-DNM


27 replies to this topic

#1 jweezy

Posted 03 March 2009 - 01:12 PM

I haven't been infected with anything since I switched to Firefox a few years back. Now, while using StumbleUpon, I got the error message from "Windows Security Alert" telling me that win32.backdoor-DNM has invaded my system, is a keylogger, can take screenshots, and send this information to 3rd parties (summarized).

I followed the advice from this thread already:

http://www.bleepingcomputer.com/forums/top...ml#entry1157042

Each time I rescan now, there are residual infections in the system32/userinit.exe file.

I believe this is a necessary function of Windows and I cannot delete this. I could be wrong. But this thing is resilient.

I've gone through HijackThis, ATFcleaner, Flash Disinfector, Malwarebytes, and nothing...

Does anybody know how to clean this thing from my desktop? I've already gone through and changed my passwords for my banking websites in case they were compromised.

How bad is this thing? Should I really never use my desktop for transactions anymore? That is a last resort because I use it on a secure network, whereas my laptop is on an unsecured network I use at school.

Thank you guys in advance for any and all help you can give me.

J-Weezy


#2 DaChew

Posted 03 March 2009 - 02:20 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


After running SDFix, update MBAM and run a quick scan

I would like to see both logs
Chewy

No. Try not. Do... or do not. There is no try.

#3 jweezy (Topic Starter)

Posted 03 March 2009 - 03:41 PM

I will do this as soon as I get home. I would like to firstly apologize for not adhering to the posting rules.

So for some additional information, I am running XP SP1 (my Dell fried a hard drive installing SP2 so I have been afraid to ever do it again).

The message that appeared was as follows: “DNM is a worm trojan that records keystrokes and take screen shots of the computer, stealing personal information”.

I ran an AVG scan - nothing. AdAware - nothing. SpyBot S&D - nothing. I tried the fixes in the aforementioned post of mine.

On researching this, there is a smitfraud remover called XoftSpySE. It is apparently a free fix for worms of this sort. I saw this on this web page: http://cantalktech.com/2009/02/25/smitfrau...fraud-fix-tool/

I don't know if that is worthwhile. I have the HijackThis and the Malwarebytes log files saved to a flash drive if posting those will aid in the diagnostic.

I'll report back in a few hours when I get home from school. Thanks again - that was a quick response I wasn't expecting :thumbsup:

#4 DaChew

Posted 03 March 2009 - 03:53 PM

On researching this, there is a smitfraud remover called XoftSpySE.


There's a lot of bad software out there. I am always wary of programs recommended by these fly-by-night web sites.

Google is your friend
Chewy

#5 jweezy (Topic Starter)

Posted 03 March 2009 - 10:45 PM

OK... Here's my SDFix log:

SDFix: Version 1.240
Run by Justin on Wed 03/04/2009 at 21:02

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Infected userinit.exe Found!

userinit.exe File Locations:

"C:\WINDOWS\system32\userinit.exe" 8704 02/23/2009 18:38
"C:\WINDOWS\system32\dllcache\userinit.exe" 22016 09/03/2002 12:08

LDPinch Infected File Listed Below:

C:\WINDOWS\SYSTEM32\USERINIT.EXE

File copied to Backups Folder
Attempting to replace userinit.exe with original version

Unable To Replace Infected File!

"C:\WINDOWS\system32\userinit.exe" 8704 02/23/2009 18:38
"C:\WINDOWS\system32\dllcache\userinit.exe" 22016 09/03/2002 12:08


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 22:27:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :



Files with Hidden Attributes :

Mon 23 Feb 2009 8,704 A..H. --- "C:\Documents and Settings\Justin\a.exe"
Mon 23 Feb 2009 8,704 A..H. --- "C:\WINDOWS\system32\userinit.exe"
Wed 17 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Soccer Ball.JUSTIN\Local Settings\Temp\FOR7.tmp"
Wed 17 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Soccer Ball.JUSTIN\Local Settings\Temp\FOR8.tmp"
Wed 17 Dec 2008 26,760 ...H. --- "C:\Documents and Settings\Soccer Ball.JUSTIN\Local Settings\Temp\ZTR6.tmp"
Wed 17 Dec 2008 25,436 ...H. --- "C:\Documents and Settings\Soccer Ball.JUSTIN\Local Settings\Temp\ZTR7.tmp"
Sun 16 Apr 2006 1,914 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Mon 22 Oct 2007 109,056 ...H. --- "C:\Documents and Settings\Justin\Application Data\Microsoft\Templates\~WRL0277.tmp"
Tue 2 Oct 2007 102,912 ...H. --- "C:\Documents and Settings\Justin\Application Data\Microsoft\Templates\~WRL1814.tmp"

Finished!

And my MBAM log here:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 1

3/4/2009 7:42:54 AM
mbam-log-2009-03-04 (07-42-43).txt

Scan type: Quick Scan
Objects scanned: 77087
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 DaChew

Posted 03 March 2009 - 10:53 PM

Let me refer this thread to someone

userinit is a critical system file
Chewy

#7 jweezy (Topic Starter)

Posted 03 March 2009 - 11:05 PM

Thank you very much...

Any reassurances for me? lol

My comp maybe ISNT destroyed?

#8 DaChew

Posted 03 March 2009 - 11:47 PM

We need to wait and see
Chewy

#9 extremeboy (Malware Response Team)

Posted 04 March 2009 - 04:23 PM

Hello.

When userinit.exe is infected I suggest you post a topic in the HJT-Malware Removal forum. When system files are infected, the "normal" tools we use cannot deal with this infection or replace the file, especially since we are dealing with the system file "userinit.exe". What is userinit.exe?

If something goes wrong, then you may not be able to boot into Windows anymore. First take a read below and consider FORMATTING your computer.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.


If you want to continue you should start another topic in the Malware Removal forum, however I would like to see if you have any "clean" copies of that file on your system before you start a topic there. If not, then you will need your Disk to repair those files.

Just an FYI, we could try to replace that file using the Recovery Console; however, I think it would be better if you could start a topic in the Malware Removal forum, since even if we repair that file there are probably a lot more things on your computer that need to be fixed and cleaned.

Q: Do you have your OS disk available currently?

Please perform the following step to see if you do have a clean version of "userinit.exe".

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :file
    C:\windows\system32\userinit.exe
    :filefind 
    userinit.exe
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


Post back with the:
-SystemLook log
-Answer to my question


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#10 jweezy (Topic Starter)

Posted 04 March 2009 - 05:22 PM

If I let my bank know my passwords may be compromised, will they lock my accounts?

#11 jweezy (Topic Starter)

Posted 04 March 2009 - 05:26 PM

Also, having run Flash Disinfector, am I to feel confident that saving programs from my clean computer to try to clean the infected one is okay?

In other words, should I worry about infecting my laptop when transferring these antivirus tools from the clean comp to the dirty one?


Lastly, if I format this dirty computer, or just get a new HD altogether, can I take any files from the dirty comp, so long as it's not the infected userinit.exe?

Specifically I ask regarding my photos and papers.

#12 extremeboy (Malware Response Team)

Posted 04 March 2009 - 05:37 PM

Hello.

If I let my bank know my passwords may be compromised, will they lock my accounts?

To be honest, I do not know because I don't have a bank account yet. Sorry. :thumbsup:

If you have some spare CDs and a CD burner, that would be the best option instead of using removable drives, even if you ran Flash Disinfector. Also, when running Flash Disinfector you can run it on your clean machine or the infected machine. Best if you run it on your clean machine; make sure you hold the SHIFT button when plugging in your flash drive to prevent any autorun worm infections that spread.

Specifically I ask regarding my photos and papers.

Yes. If you want to back up files you can back up your photos, documents etc. Also, you should not back up ANY system files.

I only have 2 rules when backing up.

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc., as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.

With Regards,
Extremeboy
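As an added illustration of extremeboy's two backup rules above (this is not code from the post or from BleepingComputer), the script below walks a profile directory and sorts files into "back up" and "skip". Beyond the extensions the post lists, it makes two assumptions of its own: it also skips a few more Windows executable types (.dll, .sys, .bat, .cmd, .vbs) and it reads the first two bytes of every candidate so that an executable renamed to look like a picture (the "MZ" PE header) is skipped as well; Windows and Program Files trees are pruned entirely. The sample profile it builds in a temporary directory is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Rule 2 of the post: never copy executables or web pages. The .dll/.sys/.bat/
# .cmd/.vbs entries are my addition (assumption), not from the post.
SKIP_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".html", ".htm",
                   ".dll", ".sys", ".bat", ".cmd", ".vbs"}
# Directories that hold Windows and program files rather than user data.
SKIP_DIRS = ("windows", "program files")


def is_pe_file(path):
    """True if the file starts with the 'MZ' DOS/PE header, whatever its name says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def classify(path):
    """Return ('backup' | 'skip', reason) for one file."""
    ext = Path(path).suffix.lower()
    if ext in SKIP_EXTENSIONS:
        return "skip", f"executable/web extension {ext}"
    if is_pe_file(path):
        return "skip", "PE header found despite data-file extension"
    return "backup", "data file"


def plan_backup(root):
    """Walk `root` and return {'backup': [(relpath, reason)], 'skip': [...]}."""
    plan = {"backup": [], "skip": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune Windows / Program Files so nothing from there is ever copied.
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            verdict, reason = classify(full)
            plan[verdict].append((os.path.relpath(full, root), reason))
    return plan


def build_sample_tree(root):
    """Constructed sample profile: real data files, an .exe, a PE renamed .jpg,
    a saved web page, and a pruned WINDOWS tree."""
    files = {
        "My Documents/thesis.doc": b"\xd0\xcf\x11\xe0 word document",
        "My Documents/notes.txt": b"plain text",
        "My Pictures/holiday.jpg": b"\xff\xd8\xff\xe0 jpeg data",
        "My Pictures/cute.jpg": b"MZ\x90\x00 this is really an executable",
        "a.exe": b"MZ\x90\x00 executable",
        "Favorites/bank.html": b"<html></html>",
        "WINDOWS/system32/userinit.exe": b"MZ\x90\x00 system file",
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build the sample tree in a temp dir and return the backup plan for it."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    build_sample_tree(root)
    return plan_backup(root)


if __name__ == "__main__":
    for verdict, items in demo().items():
        for rel, reason in items:
            print(f"{verdict:6}  {rel}  ({reason})")
```

The header check is the part worth keeping: an extension filter alone would have copied `cute.jpg`, which is an executable with a picture's name. Pruning the Windows tree means the infected `userinit.exe` never even gets classified.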

#13 jweezy (Topic Starter)

Posted 04 March 2009 - 08:02 PM

Here's my SystemLook log:

SystemLook v1.0 by jpshortstuff (02.03.09)
Log created at 19:49 on 05/03/2009 by Justin (Administrator - Elevation successful)

========== file ==========

c:\windows\system32\userinit.exe - File found and opened.
MD5: 8D82C411CB3748DFEFCBD4277DB7FBFD
Created at 17:08 on 03/09/2002
Modified at 23:38 on 23/02/2009
Size: 8704 bytes
Attributes: --ah--
No version information available.

========== filefind ==========

Searching for "userinit.exe"
C:\WINDOWS\system32\dllcache\userinit.exe --a--c 22016 bytes [17:08 03/09/2002] [17:08 03/09/2002] E931E0A2B8BF0019DB902E98D03662CB
C:\WINDOWS\system32\userinit.exe --ah-- 8704 bytes [17:08 03/09/2002] [23:38 23/02/2009] 8D82C411CB3748DFEFCBD4277DB7FBFD

-=End Of File=-


-------------------------

And to answer your question, I have the reinstall CD for XP SP1.

Thanks, extremeboy and DaChew. I appreciate you guys' time and assistance.

Edited by jweezy, 04 March 2009 - 08:06 PM.
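The SystemLook log above is exactly the check extremeboy asked for in post #9, and the answer is in its two "filefind" lines: the copy in `system32\dllcache` (the reference Windows File Protection keeps) is 22016 bytes with one MD5, while the live `system32\userinit.exe` is 8704 bytes, hidden, with a different MD5, and was modified on 23/02/2009. The SDFix log in post #5 adds another data point: a hidden `a.exe` in the user's profile with the same size and date as the live userinit.exe. The script below is an added example (not SystemLook's or SDFix's code, nor from the thread) that parses those log lines and states the findings a responder would note; the log lines are copied from the posts above, and the regular expressions are my reading of the two formats.

```python
import re
from datetime import datetime

# The two ":filefind" result lines from the SystemLook log posted above.
SYSTEMLOOK_FILEFIND = r"""
C:\WINDOWS\system32\dllcache\userinit.exe --a--c 22016 bytes [17:08 03/09/2002] [17:08 03/09/2002] E931E0A2B8BF0019DB902E98D03662CB
C:\WINDOWS\system32\userinit.exe --ah-- 8704 bytes [17:08 03/09/2002] [23:38 23/02/2009] 8D82C411CB3748DFEFCBD4277DB7FBFD
"""

# A few lines from the "Files with Hidden Attributes" section of the SDFix log.
SDFIX_HIDDEN = r"""
Mon 23 Feb 2009 8,704 A..H. --- "C:\Documents and Settings\Justin\a.exe"
Mon 23 Feb 2009 8,704 A..H. --- "C:\WINDOWS\system32\userinit.exe"
Wed 17 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\Soccer Ball.JUSTIN\Local Settings\Temp\FOR7.tmp"
Sun 16 Apr 2006 1,914 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
"""

# path attrs size bytes [hh:mm dd/mm/yyyy created] [hh:mm dd/mm/yyyy modified] MD5
FILEFIND_RE = re.compile(
    r"^(?P<path>\S+) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# Day dd Mon yyyy size attrs --- "path"
SDFIX_RE = re.compile(
    r'^\w{3} \d{1,2} \w{3} \d{4} (?P<size>[\d,]+) (?P<attrs>\S+) --- "(?P<path>[^"]+)"$'
)


def parse_filefind(text):
    """Parse SystemLook ':filefind' result lines into dicts."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            entries.append({
                "path": d["path"],
                "attrs": d["attrs"],
                "size": int(d["size"]),
                "created": datetime.strptime(d["created"], "%H:%M %d/%m/%Y"),
                "modified": datetime.strptime(d["modified"], "%H:%M %d/%m/%Y"),
                "md5": d["md5"].upper(),
            })
    return entries


def compare_with_dllcache(entries):
    """Compare the live system32 copy with the dllcache copy Windows File
    Protection keeps as its reference. Returns a list of findings; an empty
    list means the two copies agree on hash, size and attributes."""
    ref = next((e for e in entries if "\\dllcache\\" in e["path"].lower()), None)
    live = next((e for e in entries if "\\dllcache\\" not in e["path"].lower()), None)
    if ref is None or live is None:
        return ["could not find both a dllcache copy and a live copy"]
    findings = []
    if live["md5"] != ref["md5"]:
        findings.append("md5 mismatch")
    if live["size"] != ref["size"]:
        findings.append(f"size mismatch ({live['size']} vs {ref['size']} bytes)")
    if "h" in live["attrs"]:
        findings.append("hidden attribute set on live copy")
    if live["modified"] > live["created"]:
        findings.append("live copy modified after creation")
    return findings


def find_size_twins(text, size):
    """Paths in an SDFix 'Files with Hidden Attributes' section whose size
    equals `size`; hidden files the same size as a tampered binary deserve a look."""
    twins = []
    for line in text.splitlines():
        m = SDFIX_RE.match(line.strip())
        if m and int(m.group("size").replace(",", "")) == size:
            twins.append(m.group("path"))
    return twins


if __name__ == "__main__":
    entries = parse_filefind(SYSTEMLOOK_FILEFIND)
    for finding in compare_with_dllcache(entries):
        print("finding:", finding)
    live_size = next(e["size"] for e in entries if "\\dllcache\\" not in e["path"].lower())
    for path in find_size_twins(SDFIX_HIDDEN, live_size):
        print("hidden file of the same size as live userinit.exe:", path)
```

Two caveats a responder keeps in mind: the dllcache copy is only a reference as long as it has not itself been replaced, so its hash is best confirmed against a known-good source (the install media or another clean SP1 machine) before it is used for repair; and a matching size is a lead, not proof, which is why the thread moves to the Malware Removal forum rather than acting on the log alone.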


#14 DaChew

Posted 04 March 2009 - 08:11 PM

Although we are not at that point yet, I would suggest that you make a slipstreamed CD with SP3 integrated into the XP SP1 cab files.

You will need a clean computer with a cdburner and a broadband connection

Details will come later if required
Chewy

#15 jweezy (Topic Starter)

Posted 04 March 2009 - 08:22 PM

Can you detail me instructions on how to do that? I have another computer with a CD burner, etc.

I don't know what "slipstreamed" is and also am ignorant as far as incorporating into .cab files.

Is it making a copy of the reinstall CD but replacing the files of SP1 with SP3?



