  • This topic is locked
2 replies to this topic

#1 Fugu


  • Members
  • 3 posts

Posted 21 March 2009 - 10:12 AM

OS: Windows XP Home SP3

Hello all, long time lurker, first time poster.
I came home today to find that my personal desktop had been used while I was gone, unfortunately a common problem in this household. When I booted up the computer, it became immediately evident that my computer had been infected with some variant of Antivirus 2009 (I believe the exact one was Antivirus XP Pro or something to that effect). As I am by no means an expert, my first response was to run MBAM, which actually seemed to clean up the infection nicely -- but it also picked up another virus, Trojan.Agent, but more on that later. After a restart it said it had deleted all of the infected files, although running MBAM again would always cause it to produce two infected files that it would delete and that would then simply be remade (log posted below). So I figured I'd investigate these registry keys for myself, only to find that regedit and Task Manager had been disabled; on the recommendation of a friend I installed and ran RRT to restore these. I figured that maybe another restart would do the trick, which was when I discovered one of two remaining symptoms, so to speak, of this infection: short of a driver/software combo for a USB wireless network adapter I'd used prior to obtaining drivers for my motherboard's ethernet port, nothing else ran at startup (I could, however, simply launch these programs afterwards and they would work fine). This was, as I understood it, a result of the fact that the files this virus had infected were affiliated with userinit.exe.

My final attempt to battle this virus was a program called SDFix that had produced great results in the past on a friend's computer; after running it in safe mode, it, much to my surprise, successfully rebooted Windows with itself intact, which had me praying that all of my boot-related problems (and subsequently the trojan causing them) had been whisked away. It's at this time that I noticed the second symptom: Windows Update no longer functioned.

Security Center reports that Windows Update is off, while the Control Panel lists it as set to notify but do not download (the setting it had been on prior), and Security Center reports that it is unable to change these settings. The exact error reads (I can provide a screenshot if necessary):

"We're sorry. The Security Center could not change your Automatic Updates settings. To try changing these settings yourself, go to system in Control Panel. On the Automatic Updates panel, select Automatic (Recommended), and then click OK."

My most recent MBAM log:
Malwarebytes' Anti-Malware 1.34
Database version: 1845
Windows 5.1.2600 Service Pack 3

3/21/2009 10:47:25 AM
mbam-log-2009-03-21 (10-47-25).txt

Scan type: Quick Scan
Objects scanned: 67148
Time elapsed: 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: f:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

If any more info is necessary (which I'm sure it will be) I'll be happy to oblige; thanks for your time.



#2 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 21 March 2009 - 10:39 AM


userinit.exe is an important Windows process and will not be terminated by MBAM. This is a nasty infection. If there is a legit userinit.exe on your computer then it could be replaced, but from what you have already tried and talked about, I doubt there is.

You may need to do a repair install or use sfc /scannow to repair windows file using your Windows XP Disk.

If you want to continue, I think we should move you to the HJT-Malware Removal forum now, as this seems to be a nasty infection and will require stronger tools, or other tools that are restricted or not as common in this forum.

1st Step: Preparation Guide Before Starting a Topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
2nd Step: Starting a Topic in the HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Good Luck!

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

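The two posts above turn on one persistence point: the Winlogon Userinit value, which MBAM kept finding rewritten (once to f:\windows\system32\userinit.exe, once to the bare relative path system32\userinit.exe), and the question of whether the userinit.exe it points to is still a legitimate Windows binary. The script below is an added example, not from the thread or from any of the tools it mentions; it shows how a responder would check both on a Windows host with PowerShell (the 2009 machine ran XP, where the same facts would be gathered with reg query and sigverif). It assumes, as the expected clean values, "%SystemRoot%\system32\userinit.exe," (with the trailing comma) for Userinit and "explorer.exe" for Shell; it reads SystemRoot rather than assuming C:, since the log suggests the Windows drive may not be C:.

```powershell
# Added example: audit the Winlogon Userinit and Shell values and the binaries they name.
# Run from an elevated PowerShell prompt on the suspect machine.
# Assumed clean values (not stated in the thread): Userinit = "<SystemRoot>\system32\userinit.exe,"
# and Shell = "explorer.exe".

$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$systemRoot = $env:SystemRoot
$expected   = @{
    Userinit = "$systemRoot\system32\userinit.exe,"
    Shell    = 'explorer.exe'
}

$props = Get-ItemProperty -Path $winlogon

foreach ($name in $expected.Keys) {
    $actual = [string]$props.$name
    Write-Host "`n$name = '$actual'"
    if ($actual -ne $expected[$name]) {
        Write-Warning "$name deviates from the expected value '$($expected[$name])'"
    }

    # Winlogon launches every comma-separated entry, so examine each one.
    foreach ($entry in ($actual -split ',' | Where-Object { $_.Trim() })) {
        $path = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))

        # A relative entry such as "system32\userinit.exe" (as in the MBAM log) is
        # resolved by Winlogon under the Windows directory; flag it, then resolve it
        # the same way so the file can still be inspected.
        if (-not [IO.Path]::IsPathRooted($path)) {
            Write-Warning "'$entry' is not an absolute path; resolving under $systemRoot"
            $path = Join-Path $systemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Referenced file does not exist: $path"
            continue
        }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        $ver  = (Get-Item -LiteralPath $path).VersionInfo
        Write-Host ("  {0}`n    signature: {1} ({2})`n    sha256:    {3}`n    vendor:    {4} / {5}" -f
            $path, $sig.Status, $sig.SignerCertificate.Subject, $hash, $ver.CompanyName, $ver.ProductName)

        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            Write-Warning "  $path is not a validly Microsoft-signed binary; compare its hash with a known-good copy"
        }
    }
}
```

Two caveats when reading the output. First, a value that is correct now can still be rewritten at the next boot, which is exactly what the MBAM log shows; run the check again after a reboot before trusting it. Second, on older Windows versions the system binaries are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature may report NotSigned for a genuine file; in that case the SHA-256 hash compared against a copy from the installation media is the deciding evidence, not the signature status.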

#3 Orange Blossom

  • OBleepin Investigator

  • Moderator
  • 37,111 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 21 March 2009 - 10:25 PM

Hello Fugu,

Now that you have a log posted here: http://www.bleepingcomputer.com/forums/t/212859/trojanagent/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.

