
Userinit.exe Trojan - Infected Registry Items


18 replies to this topic

#1 blackvinyl


Posted 03 March 2009 - 08:38 PM

Hi BC -

Windows XP, Media Center Edition, SP3
IE 7.0.5730.13, Update versions: 0

While surfing, everything froze up and I got one of those "you have a virus, run this crap" warnings. I cold-powered down and rebooted, and found myself with a "computer is infected by virus" wallpaper.

No internet connection.
Task Manager access blocked.
Ran Restore Wizard - unable to restore to several previous restore points.

Ran MBAM (couldn't update), and got rid of the wallpaper and several Trojans.

I am now able to access Task Manager, but no internet (no access to router either) and unable to revert to earlier restore point.

Tried ATF Cleaner, SDFix (safe mode) and Dr. Web scanner. No change - trojans reappear in MBAM log after reboot and MBAM run.

MBAM log:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/3/2009 8:17:21 PM
mbam-log-2009-03-03 (20-17-21).txt

Scan type: Quick Scan
Objects scanned: 67591
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

===========

Although the log on the infected registry keys says "Quarantined and deleted successfully", they return on reboot.

I have internet access via this backup laptop, but not on the infected machine.

Thanks for your ongoing valuable service, BC!
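As an added, defender's-side check that is not part of blackvinyl's or Budapest's posts: the PowerShell below reads the same Winlogon\Userinit value that MBAM flagged, compares it with the stock XP default (the full path to userinit.exe followed by a trailing comma; any further comma-separated entry is an additional program Winlogon launches at every logon), and then compares the SHA-256 of the live system32\userinit.exe with the Windows File Protection copy under system32\dllcache. The hash step matters because, as the log above shows, the value can look like the normal path and still be flagged. The default value string, the dllcache path and the assumption that the cache copy is clean are mine, not the thread's.

```powershell
# Added example, not from the thread. Needs PowerShell 2.0 or later, run as an administrator.
# Assumptions: 32-bit English XP with %SystemRoot% = C:\WINDOWS, and a clean WFP
# cache copy in system32\dllcache (if the cache is also tampered, compare against install media).
$winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedExe = Join-Path $env:SystemRoot 'system32\userinit.exe'   # stock value is this path plus a trailing comma

function Get-Sha256Hex([string]$path) {
    # Uses .NET directly so it also works where Get-FileHash (PowerShell 4+) is missing.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

# 1. What Winlogon will run at logon.
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
Write-Host "Userinit value : $userinit"

$entries = @($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
if ($entries.Count -ne 1) {
    Write-Warning "Userinit lists $($entries.Count) programs; only userinit.exe is expected:"
    $entries | ForEach-Object { Write-Warning "  $_" }
} elseif ($entries[0] -ine $expectedExe) {
    # A relative path such as 'system32\userinit.exe' (second MBAM hit above) lands here.
    Write-Warning "Userinit is not the default full path: $($entries[0])"
} else {
    Write-Host 'Userinit value matches the default.'
}

# 2. Is the binary itself the one Windows File Protection cached?
$live  = $expectedExe
$cache = Join-Path $env:SystemRoot 'system32\dllcache\userinit.exe'
if ((Test-Path $live) -and (Test-Path $cache)) {
    $liveHash  = Get-Sha256Hex $live
    $cacheHash = Get-Sha256Hex $cache
    Write-Host "live  SHA-256 : $liveHash"
    Write-Host "cache SHA-256 : $cacheHash"
    if ($liveHash -ne $cacheHash) {
        Write-Warning 'system32\userinit.exe differs from the dllcache copy; treat the live file as suspect.'
    } else {
        Write-Host 'Live userinit.exe matches the dllcache copy.'
    }
} else {
    Write-Warning 'Could not find both userinit.exe copies; compare against a copy from install media instead.'
}
```

A value that passes both checks says only that this one persistence point is clean; a match between the live file and the cache copy is meaningful only while the cache itself is trusted, which is why a reinstall from known-good media, as Budapest later advises, is the stronger fix.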



#2 Budapest


Posted 03 March 2009 - 10:11 PM

If you encounter any problems while downloading the updates for Malwarebytes, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 blackvinyl


Posted 03 March 2009 - 10:33 PM

Good info, Budapest. I'll give that a try first. Thanks.

#4 blackvinyl


Posted 03 March 2009 - 11:08 PM

Looks like the MBAM "rules" update on the compromised machine worked fine, but the same two registry trojan entries show up on each run of MBAM, despite "successful" removal indications, and without a reboot in between. This thing is a persistent zombie.

#5 Budapest


Posted 03 March 2009 - 11:14 PM

Did you run DrWeb-CureIt in Safe Mode? If not, try that.

#6 blackvinyl


Posted 04 March 2009 - 09:04 PM

Here's my Dr. Web CureIt log, run in safe mode. I rebooted into full mode following the CureIt run.

SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Scott\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Scott\Desktop;Archive contains infected objects;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0019907.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP142;Trojan.Fakealert.4005;Deleted.;
A0020308.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP146;Tool.Prockill;;
A0020309.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP146;Tool.ShutDown.14;;
A0020310.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP146;Tool.Prockill;;
A0020371.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147;Tool.Prockill;;
A0020372.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147;Tool.Prockill;;
A0020373.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147;Tool.ShutDown.14;;
A0020374.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147;Tool.Prockill;;
A0020375.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147\A0020375.exe;Tool.Prockill;;
A0020375.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147;Archive contains infected objects;Moved.;
A0020376.exe\data005;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147\A0020376.exe;Tool.Prockill;;
A0020376.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147;Archive contains infected objects;Moved.;
A0020377.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147\A0020377.exe;Tool.Prockill;;
A0020377.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147\A0020377.exe;Tool.ShutDown.14;;
A0020377.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147;Archive contains infected objects;Moved.;
A0020378.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147\A0020378.exe;Tool.Prockill;;
A0020378.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147;Archive contains infected objects;Moved.;
A0020379.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147\A0020379.exe;Tool.Prockill;;
A0020379.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP147;Archive contains infected objects;Moved.;

Edited by blackvinyl, 04 March 2009 - 09:06 PM.


#7 Budapest


Posted 04 March 2009 - 09:53 PM

Please download ATF Cleaner by Atribune and save it to your desktop (alternate download link). DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#8 blackvinyl


Posted 04 March 2009 - 11:37 PM

Here's my SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/04/2009 at 11:25 PM

Application Version : 4.25.1014

Core Rules Database Version : 3782
Trace Rules Database Version: 1739

Scan type : Complete Scan
Total Scan Time : 00:41:20

Memory items scanned : 221
Memory threats detected : 0
Registry items scanned : 6247
Registry threats detected : 0
File items scanned : 30968
File threats detected : 1

Adware.Media-Codec/ZLob
C:\Program Files\Applications

Edited by blackvinyl, 04 March 2009 - 11:40 PM.


#9 Budapest


Posted 05 March 2009 - 04:06 PM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

If Malwarebytes is still finding these two, the problem should be solved by reinstalling SP3.

Here's a link to download SP3:

http://www.softwarepatch.com/windows/winxpsp3-security.html

I would download it and save it to the desktop. Then, disconnect your computer from the internet and shut down your firewall, antivirus and any other software running in the background. Uninstall SP3 from Add and Remove Programs in the Control Panel. Double-click the SP3 file you downloaded earlier to reinstall it.

#10 blackvinyl


Posted 05 March 2009 - 08:35 PM

Two trojans did come back on an MBAM scan, so:

Removed SP3. Reinstalled SP3 from link.

MBAM log looks good, but still no internet access, nor browser access to the connected router. Router wireless is working fine, so I assume my network settings on the affected machine might have gotten hammered?

MBAM log:

Malwarebytes' Anti-Malware 1.34
Database version: 1822
Windows 5.1.2600 Service Pack 3

3/5/2009 8:24:04 PM
mbam-log-2009-03-05 (20-24-04).txt

Scan type: Quick Scan
Objects scanned: 69482
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 Budapest


Posted 05 March 2009 - 09:56 PM

Log on as an administrator, go Start > Run and type: "cmd". In the window that appears type: "netsh winsock reset". When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset." Close the command box and reboot your computer.

Go Start > Run > type: "cmd". In the window that appears type: "ipconfig /flushdns". Close the command box.

Go Start > Control Panel > Network Connections. Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties. Double-click on the Internet Protocol (TCP/IP) item. Select the radio button that says "Obtain DNS servers automatically". Reboot.

Warning: Some Internet Service Providers need specific DNS settings. You need to make sure that you know if such DNS settings are required before you make this change.
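An added inspection step to run before and after the reset sequence Budapest describes (my example, not from the thread): it lists each IP-enabled adapter's DHCP state, gateway and DNS servers through WMI, flags adapters whose DNS is static or points outside the set you expect, and prints the Winsock catalog that "netsh winsock reset" rebuilds. The WMI class and property names are standard Windows ones; the expected DNS list is a constructed placeholder that you fill in from your router or ISP, which is the same caveat as the warning above about ISP-specific DNS settings.

```powershell
# Added example, not from the thread. Run in an administrator PowerShell (2.0 or later).
# Assumption: the LAN router is the only DNS server you expect. Edit $expectedDns to
# your ISP's servers if they require specific ones. The address below is a constructed placeholder.
$expectedDns = @('192.168.1.1')

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    Write-Host "`n$($a.Description)"
    Write-Host "  IP address  : $($a.IPAddress -join ', ')"
    Write-Host "  Gateway     : $($a.DefaultIPGateway -join ', ')"
    Write-Host "  DHCP        : $($a.DHCPEnabled)"
    Write-Host "  DNS servers : $($a.DNSServerSearchOrder -join ', ')"

    # A static DNS list pointing outside the expected set is exactly what the
    # "Obtain DNS servers automatically" step undoes; surface it before and after.
    $unexpected = @($a.DNSServerSearchOrder | Where-Object { $expectedDns -notcontains $_ })
    if (-not $a.DHCPEnabled -or $unexpected.Count -gt 0) {
        Write-Warning "DNS on '$($a.Description)' is static or unexpected: $($unexpected -join ', ')"
    }
}

# The Winsock catalog: a third-party Layered Service Provider entry here is what
# 'netsh winsock reset' removes when it rebuilds the catalog. Compare this listing
# before the reset with the one after the reboot.
Write-Host "`nWinsock catalog entries:"
netsh winsock show catalog | Select-String -Pattern 'Description|Provider Path'
```

Keep the "before" listing; if an unfamiliar provider path disappears after the reset and connectivity returns, that is the component that was breaking name resolution, and the file it named is worth submitting for analysis rather than simply forgetting.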

#12 blackvinyl


Posted 05 March 2009 - 11:54 PM

Good, internet and browser router access is back; Microsoft sent some updates, I was able to update MBAM and the subsequent MBAM scan was clean.

Are there any other steps I should take before setting a new Restore Point, blowing away the old ones, running Windows Update and downloading Firefox?

Thanks!

#13 Budapest


Posted 06 March 2009 - 12:09 AM

Go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#14 blackvinyl


Posted 06 March 2009 - 12:15 AM

Java 6 Update 2 (134MB)

#15 Budapest


Posted 06 March 2009 - 12:23 AM

That is out-of-date. You should uninstall it and then download the latest from here:

http://java.com/getjava/



