
how to repair Userinit.exe?


  • This topic is locked
2 replies to this topic

#1 flyingowl

  • Members
  • 10 posts
  • OFFLINE
  • Local time: 11:06 PM

Posted 04 March 2009 - 10:40 PM

Recently my Malwarebytes Anti-Malware scan showed two infected objects which couldn't be cleaned after several scans and cleans. I have also used SDFix to try my luck.


Malwarebytes' Anti-Malware 1.34
Database version: 1817
Windows 5.1.2600 Service Pack 3

05/03/2009 10:37:06
mbam-log-2009-03-05 (10-37-06).txt

Scan type: Quick Scan
Objects scanned: 71251
Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)



Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





SDFix log:

SDFix: Version 1.240
Run by flyingowl on 05/03/2009 at 10:47

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 10:54:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oboc8bd]
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"Type"=dword:00000001
"ImagePath"=str(2):"\SystemRoot\System32\drivers\jsh7772.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:36,75,99,51,34,95,be,81,87,22,55,04,fe,22,a7,35,81,8f,df,28,e4,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000001
"khjeh"=hex:07,71,2e,22,df,3c,2e,fd,d1,1d,87,80,7f,65,fa,99,9a,39,20,e1,50,..
"p0"="d:\Program Files\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:f2,3a,30,8d,3e,1d,2d,53,3c,9a,26,05,c3,7f,38,e8,cd,38,ad,55,a1,..
"a0"=hex:20,01,00,00,4e,1d,6f,a0,a7,8c,65,ce,3a,7a,c3,d7,ee,e7,62,1c,a0,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:03,1f,7a,e3,20,0f,95,ec,bd,8c,b2,32,20,c9,9b,38,27,ee,2e,b0,0f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:36,75,99,51,34,95,be,81,87,22,55,04,fe,22,a7,35,81,8f,df,28,e4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000001
"khjeh"=hex:07,71,2e,22,df,3c,2e,fd,d1,1d,87,80,7f,65,fa,99,9a,39,20,e1,50,..
"p0"="d:\Program Files\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:f2,3a,30,8d,3e,1d,2d,53,3c,9a,26,05,c3,7f,38,e8,cd,38,ad,55,a1,..
"a0"=hex:20,01,00,00,4e,1d,6f,a0,a7,8c,65,ce,3a,7a,c3,d7,ee,e7,62,1c,a0,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:cd,0f,01,4a,e3,94,da,f2,c3,2f,84,27,c0,33,ea,dc,96,d8,21,4f,61,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:36,75,99,51,34,95,be,81,87,22,55,04,fe,22,a7,35,81,8f,df,28,e4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000001
"khjeh"=hex:07,71,2e,22,df,3c,2e,fd,d1,1d,87,80,7f,65,fa,99,9a,39,20,e1,50,..
"p0"="d:\Program Files\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:f2,3a,30,8d,3e,1d,2d,53,3c,9a,26,05,c3,7f,38,e8,cd,38,ad,55,a1,..
"a0"=hex:20,01,00,00,4e,1d,6f,a0,a7,8c,65,ce,3a,7a,c3,d7,ee,e7,62,1c,a0,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:03,1f,7a,e3,20,0f,95,ec,bd,8c,b2,32,20,c9,9b,38,27,ee,2e,b0,0f,..

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\FlashGet\\flashget.exe"="D:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"D:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="D:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"D:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="D:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\WINDOWS\\system32\\CNAB4RPK.EXE"="C:\\WINDOWS\\system32\\CNAB4RPK.EXE:*:Enabled:Canon LBP2900 RPC Server Process"
"C:\\Documents and Settings\\flyingowl\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\flyingowl\\Desktop\\utorrent.exe:*:Enabled:μTorrent"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\COD\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="D:\\COD\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"D:\\Program Files\\uTorrent\\uTorrent.exe"="D:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:μTorrent"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:μTorrent"
"D:\\Program Files\\Intel\\Wireless\\Bin\\ZcfgSvc.exe"="D:\\Program Files\\Intel\\Wireless\\Bin\\ZcfgSvc.exe:*:Enabled:ENABLE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Wed 4 Mar 2009 8,157,777 A.SH. --- "C:\WINDOWS\system32\1033w.sys"
Wed 4 Mar 2009 21,504 A.SH. --- "C:\WINDOWS\system32\acelpdece.dll"
Tue 12 Aug 2008 1,004 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 15 May 2008 14,781 ...H. --- "C:\Documents and Settings\flyingowl\My Documents\~WRL3626.tmp"
Sun 29 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 19 Sep 2008 3,231,744 A..H. --- "C:\Documents and Settings\flyingowl\Application Data\Kingston\SecureTravelerB.exe"
Thu 18 Sep 2008 1,839,104 A..H. --- "C:\Documents and Settings\flyingowl\Application Data\Kingston\SecureTravelerA.exe"
Fri 19 Sep 2008 3,231,744 A..H. --- "C:\Documents and Settings\flyingowl\Application Data\Kingston\tmp\SecureTravelerB.exe"
Thu 18 Sep 2008 1,839,104 A..H. --- "C:\Documents and Settings\flyingowl\Application Data\Kingston\tmp\SecureTravelerA.exe"
Wed 9 Apr 2008 17,366 ...HR --- "C:\Documents and Settings\flyingowl\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!
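The two MBAM detections above sit in the `Winlogon\Userinit` value, which Windows runs for every interactive logon, so both a tampered value and a value that a cleaner has deleted outright are worth checking before the next reboot (an empty or missing `Userinit` prevents a normal logon). The following PowerShell audit is an added example written for this thread, not output of Malwarebytes, SDFix or anything the posters ran; the expected defaults it compares against (`userinit.exe` with its trailing comma, and `explorer.exe` for `Shell`) are assumptions that should be verified against a known-clean machine of the same Windows version.

```powershell
# Added example (not from the thread): audit the Winlogon autostart values
# that the MBAM log flagged, and report anything that differs from the
# assumed clean defaults.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed defaults; the trailing comma on Userinit is normal on XP-era systems.
$expected = @{
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
    'Shell'    = 'explorer.exe'
}

$key = Get-ItemProperty -Path $winlogon

foreach ($name in $expected.Keys) {
    $actual = $key.$name

    # A cleaner that "deleted" the value leaves nothing for Winlogon to run.
    if ([string]::IsNullOrWhiteSpace($actual)) {
        Write-Warning "$name is missing or empty under $winlogon"
        continue
    }

    if ($actual.Trim().ToLower() -eq $expected[$name].ToLower()) {
        Write-Output "$name OK: $actual"
        continue
    }

    Write-Warning "$name = '$actual' (expected '$($expected[$name])')"

    # Userinit/Shell are comma-separated lists; an extra entry after the
    # legitimate one is the usual way the value is abused, so inspect each.
    foreach ($entry in ($actual -split ',' | Where-Object { $_.Trim() })) {
        $path = [Environment]::ExpandEnvironmentVariables($entry.Trim())
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Output ("  entry: {0}  -> file not found" -f $path)
            continue
        }
        # Authenticode status tells a stock Microsoft binary from a replacement.
        $sig = Get-AuthenticodeSignature -FilePath $path
        Write-Output ("  entry: {0}  signature: {1}  signer: {2}" -f
            $path, $sig.Status, $sig.SignerCertificate.Subject)
    }
}
```

Run it from an elevated PowerShell prompt. It only reads the registry and reports; restoring the value to the default is a deliberate step the helper guiding the cleanup should take, since the correct path depends on where Windows is installed on that machine.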

#2 rigel

    FD-BC

  • Members
  • 12,944 posts
  • OFFLINE
  • Gender: Male
  • Location: South Carolina - USA
  • Local time: 12:06 AM

Posted 05 March 2009 - 09:04 AM

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully


The userinit problems are very hard to clean. I would recommend starting in the HJT forum with this infection.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,012 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Bloomington, IN
  • Local time: 12:06 AM

Posted 06 March 2009 - 06:02 PM

Hello flyingowl,

You have been receiving assistance on this issue here: http://www.bleepingcomputer.com/forums/t/208300/problems-removing-warning-dangerous-spyware/. Posting more than one topic on the same issue confuses things for everyone and can make the disinfection process more difficult.

This topic is now closed.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
