

Warning! You have a security problem! Malware


22 replies to this topic

#1 staypuft29

staypuft29

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 02 April 2009 - 10:24 AM

My computer was recently infected with MS AntiSpyware2009 malware. Using old posts from this forum, I downloaded MalwareBytes anti-malware software. It found and deleted some infected files, so I rebooted the comp (as it instructed me to). However, upon restart, I still had a pop up that says "Warning! You have a security problem!" (If clicked, it takes you to a site that claims to be "scanning" your computer for malware). I tried running MalwareBytes again but it did not find anything this time.

I was previously running McAfee Antivirus software and McAfee anti-spyware software as well (I forget the exact name. Something Enterprise?) I read somewhere else that McAfee can interfere with Malwarebytes' anti-malware software so I have temporarily uninstalled McAfee and tried to run Malwarebytes again. However, it still didn't find any problems.

I am running Windows XP. I think I also have Windows Defender installed.

Does anyone know how I can get rid of this thing?

Edited by staypuft29, 02 April 2009 - 10:30 AM.



 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:39 PM

Posted 02 April 2009 - 10:28 AM

Hi I am moving this from the XP forum to Am I Infected for scans...

Rerun MBAM

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 staypuft29

staypuft29
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 02 April 2009 - 10:38 AM

Sorry for posting in the wrong forum. I realized it just after I finished posting.

Thank you for replying, I really appreciate it.

I updated Malwarebytes (not sure why it didn't before as I had the update button checked when I installed the program). I ran the scan again and this time it found new problems. Here is the log:

Malwarebytes' Anti-Malware 1.35
Database version: 1933
Windows 5.1.2600 Service Pack 3

4/2/2009 11:35:52 AM
mbam-log-2009-04-02 (11-35-52).txt

Scan type: Quick Scan
Objects scanned: 76108
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\promo.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Spencer Morgan\Local Settings\Temporary Internet Files\Content.IE5\C6B3QKJO\promo[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.

Hopefully after I reboot it will take care of everything. Thanks again for your help! I'll let you know how it goes.

#4 staypuft29

staypuft29
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 02 April 2009 - 10:50 AM

Just rebooted but the pop up is still there. I am running MalwareBytes again.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:39 PM

Posted 02 April 2009 - 10:53 AM

Hi, this does look good. Just if you haven't after that scan, reboot the PC normally. Then do this as I want to see if "userinit" comes back.
Rerun MBAM

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

#6 staypuft29

staypuft29
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 02 April 2009 - 10:56 AM

Okay so checked for updates but there weren't any this time. I ran the scan again and here is what popped up:

Malwarebytes' Anti-Malware 1.35
Database version: 1933
Windows 5.1.2600 Service Pack 3

4/2/2009 11:55:42 AM
mbam-log-2009-04-02 (11-55-42).txt

Scan type: Quick Scan
Objects scanned: 76090
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\promo.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Spencer Morgan\Local Settings\Temporary Internet Files\Content.IE5\KRO7W5A8\promo[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.

Now I am going to reboot normally again and let you know what happens.
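The rescan-and-compare step used in this thread, as an added example (not part of any post and not Malwarebytes code): it parses the detection sections of two logs in the format posted above and lists the items that recur. The sample input is constructed from the posted logs with the user name replaced by `user`, and the function names are hypothetical.

```python
import re

# Constructed sample: detection sections condensed from the first log posted in this
# thread, with the Windows user name replaced by "user".
SCAN_A = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\promo.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C6B3QKJO\promo[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""
# In the second posted log the detections differ only by the IE cache directory name.
SCAN_B = SCAN_A.replace("C6B3QKJO", "KRO7W5A8")

ITEM = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
CACHE_DIR = re.compile(r"(\\Content\.IE5\\)[A-Z0-9]{8}\\", re.I)

def parse_detections(log_text):
    """Return {(section, normalized_object, detection_name): action} for one log."""
    found, section = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):          # section header, not the "...: 2" summary
            section = line[:-len(" Infected:")]
        elif section and (m := ITEM.match(line)):
            rest = m["rest"].split(" -> ")
            obj = m["obj"]
            if rest[0].startswith("Data: "):    # registry data item: keep the flagged data
                obj += " = " + rest[0][len("Data: "):]
            # The IE cache subdirectory is random, so a re-downloaded file gets a new path.
            obj = CACHE_DIR.sub(r"\1*\\", obj).lower()
            found[(section, obj, m["name"])] = rest[-1].rstrip(".")
    return found

def recurring(before, after):
    """Detections present in both scans although the first scan reported removal."""
    return sorted(key for key in before if key in after)

if __name__ == "__main__":
    for key in recurring(parse_detections(SCAN_A), parse_detections(SCAN_B)):
        print(" | ".join(key))
```

Without the cache-directory normalization the two `promo[1].exe` entries would look like different files; the changed directory name shows the file was written to the browser cache again between the scans.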

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:39 PM

Posted 02 April 2009 - 11:04 AM

Good.. run the SAS thing too.
The userinit isn't repairable with a scan...MBAM says it has done its job, but actually doesn't do anything. These are system files.
You can solve the problem by uninstalling SP3, and reinstall it again. That should do the trick

#8 staypuft29

staypuft29
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 02 April 2009 - 11:14 AM

Sorry what is the SAS thing?

#9 staypuft29

staypuft29
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 02 April 2009 - 11:16 AM

And can I uninstall the service pack in add/remove programs under the control panel? Or do I need to do something more complicated?

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:39 PM

Posted 02 April 2009 - 12:38 PM

Oops, sorry, I forget sometimes. SAS = SUPERAntiSpyware...
Yes, remove it through Control Panel. It should be simple enough. Just in case, here are the instructions.

How to remove Windows XP Service Pack 3 from your computer

Steps to take before you install Windows XP Service Pack 3

How to obtain Windows Service Pack 3

Edited by boopme, 02 April 2009 - 12:39 PM.


#11 JacobHall

JacobHall

  • Members
  • 300 posts
  • OFFLINE
  •  
  • Local time:10:39 PM

Posted 02 April 2009 - 01:21 PM

I was recently infected with this sort of virus, but instead I had AV 2009.

I noticed that those pop-ups appear in the processes list...
When I was infected with AV 2009 I noticed an "unusual" process called "53.tmp".

As I disabled that... I temporarily stopped those nasty pop-ups, which allowed my system to run a bit quicker.

Good Luck!
Jake

#12 staypuft29

staypuft29
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 02 April 2009 - 04:04 PM

Sorry so just to clarify, do I need to rerun SAS and Malwarebytes after I uninstall SP3? Or by uninstalling and reinstalling SP3 will that take care of the problem by itself?

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:39 PM

Posted 02 April 2009 - 04:16 PM

Hi, rerun MBAM and SAS... Hold on the SP3..

#14 staypuft29

staypuft29
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 02 April 2009 - 04:50 PM

I uninstalled SP3, and rebooted the computer. The popup is still there. I ran Malwarebytes, but it didn't find anything. This is the report:

Malwarebytes' Anti-Malware 1.35
Database version: 1933
Windows 5.1.2600 Service Pack 2

4/2/2009 5:43:53 PM
mbam-log-2009-04-02 (17-43-53).txt

Scan type: Quick Scan
Objects scanned: 75479
Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I am currently running SAS to see if it finds anything.

#15 staypuft29

staypuft29
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 02 April 2009 - 04:53 PM

SAS didn't find anything either. I am rebooting my computer one more time.



