
Infected userinit.exe From MS Antivirus


6 replies to this topic

#1 ajptaylor

Posted 30 March 2009 - 04:55 PM

Hey guys,

I'll try to be as detailed as possible and break down my post into two sections to explain the problem:

THE SITUATION:
Yesterday my computer was infected with the MS Antivirus Virus. I discovered the problem after I came home from work, all the popups "Warning you have a virus" crap and the little red "X" virus warning near the clock. The whole 9 yards. I traced it back to a video played from some Polish site by a family member earlier in the day... :flowers:. If they had to clean this crap up it'd sure fix the yearning to muck about on shady sites.

WHAT I HAVE DONE SO FAR:

1. I ran an AVG scan. Removed the suggested files. When I rebooted the problem still existed.

2. Ran Superantispyware. Found a couple threats, possibly unrelated. Rebooted, problem still existed.

3. Traced down the time stamp of one of the infected files found in AVG and did a manual search for all files created at that exact minute. I found about 4 more suspect files mostly numbered .exe files (4179.exe, 19473.exe, etc). I deleted those files. Also, this is where I discovered the Polish site connection in a cookie, not that it really mattered other than to trace the virus to the guilty family member's actions.

4. I read a forum post mentioning Malwarebytes, so I downloaded it and ran a scan. Rebooted. This program smoked out many symptoms of the virus (ie the red "X" near the clock, certain popups). In fact, I was certain the virus was gone. Then 5 minutes later I had a popup. I suppose each .exe was responsible for a specific popup, because it was now only the same one again and again. I went to task manager to see what process called it up: userinit.exe. My earlier manual search (from step 3) did reveal that my userinit.exe was among those files created/modified at the same time stamp the virus hit. But I read that this was a necessary system file so I didn't delete it at that time.

5. I ran Malwarebytes again, and voila, Trojan agent at C:\winnt\system32\userinit.exe

6. Hit the sack in frustration... :thumbsup:

That is where I am at now. Infected system files are new territory for me in my virus fighting battles. I don't want to crash my system with my usual method of trial and error I employ when the stakes are not so high.

So what is the best angle to approach cleaning up my userinit.exe?

Thanks

AJP


#2 DaChew

Posted 30 March 2009 - 06:11 PM

Would you post that last MBAM log please?
Chewy

No. Try not. Do... or do not. There is no try.

#3 ajptaylor

Posted 30 March 2009 - 07:19 PM

Sure, here it is:

Malwarebytes' Anti-Malware 1.35
Database version: 1917
Windows 5.1.2600

30/03/2009 3:01:25 AM
mbam-log-2009-03-30 (03-01-18).txt

Scan type: Quick Scan
Objects scanned: 120897
Time elapsed: 1 hour(s), 7 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\winnt\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
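The two registry hits in that log are both the Winlogon Userinit value, which Windows runs at every logon, so anything that replaces or appends to it gets executed before the desktop appears. The following is an added example, not from the thread or from Malwarebytes, showing how a defender can audit that value on a current Windows host: it assumes PowerShell 5.1 or later and an elevated session (the cmdlets used do not exist on the XP system in this thread), and derives the expected path from $env:SystemRoot rather than hard-coding C:\winnt.

```powershell
# Added example (not the thread's or MBAM's code): audit the Winlogon Userinit
# value and verify the binary it points at. Assumes PowerShell 5.1+ on a
# current Windows build, run elevated so HKLM and system32 are readable.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','

$value = (Get-ItemProperty -Path $key -Name Userinit).Userinit
Write-Host "Userinit = $value"

# The stock value is exactly one entry: the full path plus a trailing comma.
# A second entry, a relative path (as in the log above), or a different
# directory are the usual signs of a persistence hook.
if ($value -ine $expected) {
    Write-Warning "Userinit differs from the expected value '$expected'"
}

$entries = $value.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
foreach ($entry in $entries) {
    if (-not [System.IO.Path]::IsPathRooted($entry)) {
        Write-Warning "Relative entry '$entry': resolved via the search path, not a fixed location"
    }
    if (-not (Test-Path -Path $entry -PathType Leaf)) {
        Write-Warning "Entry '$entry' does not exist on disk"
        continue
    }

    # Compare the file against what a genuine system binary looks like:
    # a valid Microsoft Authenticode (or catalog) signature, plus hash and
    # modification time to correlate with the infection's timestamp, as the
    # original poster did by hand in step 3 of the first post.
    $sig  = Get-AuthenticodeSignature -FilePath $entry
    $hash = (Get-FileHash -Path $entry -Algorithm SHA256).Hash
    $item = Get-Item -Path $entry
    Write-Host ("{0}`n  status:   {1}`n  signer:   {2}`n  sha256:   {3}`n  modified: {4}" -f
        $entry, $sig.Status, $sig.SignerCertificate.Subject, $hash, $item.LastWriteTime)

    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "'$entry' is not a validly signed Microsoft binary; compare its hash with a known-good copy"
    }
}
```

Run it before and after cleanup: the Userinit value should end up as the single expected entry, and the file it names should report a valid Microsoft signature.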

#4 DaChew

Posted 30 March 2009 - 07:32 PM

Windows 5.1.2600

No service packs loaded at all?
Chewy


#5 ajptaylor

Posted 30 March 2009 - 08:01 PM

I scored an XP upgrade off my buddy in college back in the day, and have been running it ever since. I recall attempting to install SP2 at some point, but ran into obvious authorization issues. At that point I just rolled with a "If it ain't broke don't fix it" attitude and continued on my way.

I know it's not the ideal situation, however I have been running this system and clearing viruses without any major issues since Jan 2002. It shouldn't be a problem working around this handicap, right?

#6 ajptaylor

Posted 02 April 2009 - 04:27 AM

I've waited for further instruction for a bit now, but in the meantime I have been reading the boards and came upon a certain post: http://www.bleepingcomputer.com/forums/t/215077/antivirus-2009/

Seems like this guy had a similar issue to mine.

I am guessing I should follow the same procedure?

Can anybody confirm this for me?

Thx,

AJP

#7 DaChew

Posted 02 April 2009 - 05:18 AM

Yes, by all means try SAS, but just like it was specified in that thread.

That's one of the few examples I have seen where this MBAM detection was easily cured?
Chewy
