

infected userinit.exe


2 replies to this topic

#1 canary1962


  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 25 March 2009 - 02:46 PM

I was infected with Spyware Protect 2009. I thought I had everything gone, but every time I reboot AVG finds userinit.exe infected. I don't know what else to do and have no idea what I did to get this virus. The only other thing I can think to do now is format the drive, and I'm hoping to avoid that if at all possible. Here is a copy of the DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Sharon at 12:41:54.06 on Wed 03/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.820 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Sharon\My Documents\DOWNLOADS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: goodsearch: {4e7bd74f-2b8d-469e-95ba-ed6db186be32} - c:\progra~1\goodse~1\GOODSE~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: goodsearch: {4e7bd74f-2b8d-469e-95ba-ed6db186be32} - c:\progra~1\goodse~1\GOODSE~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [PROMon.exe] PROMon.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet v series\bin\hpoant07.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~2.lnk - c:\windows\installer\{9e266e6a-3a1e-11d3-a3e4-00c04f7989d8}\378E453F.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sharon\applic~1\mozilla\firefox\profiles\xahybdkd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - GoodSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-20 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-20 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-20 107912]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-20 298264]

=============== Created Last 30 ================

2009-03-25 08:04 0 a------- C:\LOG1B.tmp
2009-03-24 10:14 <DIR> --d----- c:\docume~1\sharon\applic~1\Malwarebytes
2009-03-24 10:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 10:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 10:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 10:14 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-03-23 13:23 0 a------- C:\LOG5A.tmp
2009-03-20 12:08 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-20 11:49 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-20 11:49 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-20 11:49 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-20 11:48 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-20 11:48 <DIR> --d----- c:\program files\AVG
2009-03-20 11:48 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\avg8
2009-03-19 15:54 0 a------- C:\LOG4B.tmp
2009-03-18 10:46 0 a------- C:\LOG2C.tmp
2009-03-18 09:48 0 a------- C:\LOG26.tmp
2009-03-18 08:14 0 a------- C:\LOG8.tmp
2009-03-16 08:30 0 a------- C:\LOG6.tmp
2009-03-13 09:27 0 a------- C:\LOGE.tmp
2009-03-12 15:17 154 a------- c:\windows\wininit.ini
2009-03-12 14:42 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-12 14:42 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2009-03-12 14:29 <DIR> --d----- c:\windows\system32\appmgmt
2009-03-12 11:22 26,112 a------- c:\windows\system32\stu2.exe
2009-03-12 07:59 0 a------- C:\LOG81.tmp
2009-03-11 15:40 0 a------- C:\LOG105.tmp
2009-03-11 08:03 0 a------- C:\LOG82.tmp
2009-03-10 08:20 0 a------- C:\LOG95.tmp
2009-03-09 08:09 0 a------- C:\LOG7C.tmp
2009-03-06 10:37 0 a------- C:\LOG80.tmp
2009-03-05 09:17 0 a------- C:\LOG7B.tmp
2009-03-04 08:56 0 a------- C:\LOG7A.tmp
2009-03-03 10:35 0 a------- C:\LOG86.tmp
2009-03-02 09:00 0 a------- C:\LOG7F.tmp
2009-02-27 09:08 0 a------- C:\LOG76.tmp
2009-02-26 10:54 0 a------- C:\LOG79.tmp
2009-02-25 09:31 0 a------- C:\LOG75.tmp
2009-02-24 09:15 0 a------- C:\LOG73.tmp

==================== Find3M ====================

2009-03-19 09:35 8,704 a------- c:\windows\system32\userinit.exe
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-06 09:26 410,984 a------- c:\windows\system32\deploytk.dll
2007-05-03 09:14 77,088 a------- c:\docume~1\sharon\applic~1\GDIPFONTCACHEV1.DAT
2007-04-24 09:20 87,608 a------- c:\docume~1\sharon\applic~1\ezpinst.exe
2007-04-24 09:20 47,360 a------- c:\docume~1\sharon\applic~1\pcouffin.sys
2008-08-26 08:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 12:42:24.26 ===============

Edited by canary1962, 25 March 2009 - 03:17 PM.
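A quick way to triage the "Created Last 30" and "Find3M" sections of a DDS log like the one above is to parse the per-file lines and list executables under the Windows system directory that changed shortly before the log was taken; that is how userinit.exe (modified 2009-03-19, six days before the log) stands out. The Python below is an added example, not part of the DDS tool or of the poster's material. The sample lines are excerpted from the log above; the 14-day window, the system32 root and the extension list are assumptions, and everything it returns is a lead to review, not a verdict (in this log most hits are the AVG and Malwarebytes files installed on 03-20 and 03-24).

```python
"""Triage helper for DDS "Created Last 30" / "Find3M" file lines.

Added example (not part of the DDS tool): parse the per-file lines and list
executables under a sensitive root that were modified shortly before the
log was taken. Anything returned is a lead to review, not a verdict.
"""
import re
from datetime import date, timedelta

# One DDS file line: "<yyyy-mm-dd> <hh:mm> <size or <DIR>> <8 attribute flags> <path>"
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*?)\s*$",
    re.IGNORECASE,
)

# Date the log above was taken ("Run by Sharon ... on Wed 03/25/2009").
LOG_DATE = date(2009, 3, 25)

# Lines excerpted from the "Created Last 30" and "Find3M" sections above.
SAMPLE_LOG = r"""
2009-03-25 08:04 0 a------- C:\LOG1B.tmp
2009-03-24 10:14 <DIR> --d----- c:\docume~1\sharon\applic~1\Malwarebytes
2009-03-24 10:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-20 11:49 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-12 15:17 154 a------- c:\windows\wininit.ini
2009-03-12 11:22 26,112 a------- c:\windows\system32\stu2.exe
2009-03-19 09:35 8,704 a------- c:\windows\system32\userinit.exe
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-06 09:26 410,984 a------- c:\windows\system32\deploytk.dll
2008-08-26 08:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat
"""


def parse_dds_lines(text):
    """Return one dict per line that matches the DDS file-entry format.

    Lines that do not match (section headers, blank lines) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        is_dir = size.upper() == "<DIR>"
        entries.append({
            "date": date.fromisoformat(m.group("date")),
            "time": m.group("time"),
            "is_dir": is_dir,
            "size": None if is_dir else int(size.replace(",", "")),
            "attrs": m.group("attrs").lower(),
            "path": m.group("path").lower(),  # DDS paths are case-insensitive
        })
    return entries


def recent_binaries(entries, log_date=LOG_DATE, days=14,
                    roots=(r"c:\windows\system32",),       # assumed root of interest
                    exts=(".exe", ".dll", ".sys")):        # assumed executable types
    """Files (not directories) under `roots` with an executable extension
    modified within `days` of `log_date`, newest first."""
    cutoff = log_date - timedelta(days=days)
    hits = []
    for e in entries:
        if e["is_dir"] or e["date"] < cutoff:
            continue
        p = e["path"]
        if not any(p.startswith(r.lower()) for r in roots):
            continue
        if not p.endswith(exts):
            continue
        hits.append(e)
    hits.sort(key=lambda e: (e["date"], e["time"]), reverse=True)
    return hits


if __name__ == "__main__":
    for e in recent_binaries(parse_dds_lines(SAMPLE_LOG)):
        print(f"{e['date']} {e['time']} {e['size']:>10,} {e['path']}")
```

Run it against a whole DDS log by reading the file into `parse_dds_lines` instead of `SAMPLE_LOG`; widening `days` or adding `c:\windows` to `roots` trades a longer list for fewer misses.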




#2 canary1962

  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 26 March 2009 - 04:42 PM

I think I finally found a fix for this headache. An entry on another site had two userinit.exe files, so I searched. I have one file in the system32 folder and one in the i386. AVG immediately came up with the infection warning, which is what I expected. As soon as I highlighted the file in the system32 folder, I got an infection warning. The fix, which seems to have worked so far, was to copy c:\windows\ServicePackFiles\i386\userinit.exe and overwrite the userinit.exe in the system32 folder. I was getting so frustrated, I figured it would either fix it or I would have to format. I rebooted (successfully) and now when I highlight the userinit file nothing happens. YEA!!
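Before and after a replacement like the one described above, a practitioner would want two checks that the post does not show: whether the system32 copy is byte-for-byte identical to the ServicePackFiles\i386 copy (and stays that way after a reboot), and whether the Winlogon "Userinit" registry value, which is what launches userinit.exe at logon and is a documented persistence location, still points only at the expected binary. The Python below is an added example, not from the thread; the two paths are the ones the poster used, and the expected Userinit value (one entry followed by a trailing comma) is the XP default.

```python
"""Check a replaced userinit.exe and its Winlogon launch entry.

Added example, not part of the thread: compares the copy in system32 with the
one in ServicePackFiles\i386 (the two paths the poster used) and parses the
Winlogon "Userinit" value so that any extra entry that runs at logon is visible.
"""
import hashlib
import os

SYSTEM32_COPY = r"C:\WINDOWS\system32\userinit.exe"
I386_COPY = r"C:\WINDOWS\ServicePackFiles\i386\userinit.exe"
# Default XP value is this single entry followed by a trailing comma.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _report(ha: str, hb: str, size_a: int, size_b: int) -> dict:
    return {"match": ha == hb, "size_a": size_a, "size_b": size_b,
            "sha256_a": ha, "sha256_b": hb}


def compare_bytes(a: bytes, b: bytes) -> dict:
    """Compare two in-memory file images (used for offline checks/tests)."""
    return _report(sha256_bytes(a), sha256_bytes(b), len(a), len(b))


def compare_copies(a: str = SYSTEM32_COPY, b: str = I386_COPY) -> dict:
    """Compare two files on disk; a mismatch after reboot means the
    system32 copy was changed again since it was overwritten."""
    return _report(sha256_of(a), sha256_of(b),
                   os.path.getsize(a), os.path.getsize(b))


def userinit_entries(value: str) -> list:
    """Split a Winlogon Userinit value ("path,path,...") into its entries,
    dropping the empty entry produced by the canonical trailing comma."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value: str, expected: str = EXPECTED_USERINIT) -> list:
    """Entries other than the expected userinit.exe; anything listed here is
    started by Winlogon at every interactive logon."""
    return [e for e in userinit_entries(value) if e.lower() != expected.lower()]


def read_userinit_value() -> str:
    """Read the live value from HKLM. Windows only, so winreg is imported
    inside the function and the rest of the module loads anywhere."""
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    if os.path.exists(SYSTEM32_COPY) and os.path.exists(I386_COPY):
        print(compare_copies())
        print("unexpected Userinit entries:",
              unexpected_userinit_entries(read_userinit_value()))
    else:
        print("expected XP paths not present; run this on the affected machine")
```

Two caveats. A matching hash only proves the two copies agree, not that either is clean, so also verify the binary's signature with a tool that understands catalog-signed system files (Sysinternals sigcheck). And the on-access warning the poster saw when "highlighting" the file is expected behaviour: Explorer reads the file to build its preview and the AV scans it on that read, so the absence of a warning after the copy is consistent with, but not proof of, a clean file.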

#3 KoanYorel


    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:01:45 AM

Posted 29 March 2009 - 11:25 PM

If you think you're fixed, I will close this thread.


This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



