Really need help getting rid of userinit file!

So i recently got a trojan, and using malwarebytes anti malware i got rid of most of the files pretty easily ( i dont remember the name of the trojan)
But now, i have 1 file left that keeps coming up on MBAM and it replaces itself each time it gets deleted within like a minute, and keeps coming back on reboot.

the file is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe

malwarebytes scan



4/27/2009 8:41:40 PM
mbam-log-2009-04-27 (20-41-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 117479
Time elapsed: 12 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

i ran the scan 3 times now and it keeps picking it up, but keeps coming back very fast and i dont know what to do, could anyone help me please?

Reinstalling Service Pack 3 should solve this problem (I'm assuming you have Windows XP).

wow... i left my computer running overnight and apparently this problem turned worse, i now have 23 things on it and i havent even downloaded anything at all

Malwarebytes' Anti-Malware 1.36
Database version: 2053
Windows 5.1.2600 Service Pack 3

4/28/2009 7:28:07 AM
mbam-log-2009-04-28 (07-28-07).txt

Scan type: Quick Scan
Objects scanned: 72381
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Failed to unload process.

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\tyler\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\tyler\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\tyler\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.


i was getting Antivirus XP Pro pop ups i believe when i woke up also and saw all this

edit: once i deleted all those files i was left with the userinit file again and some C:\windows\system32\win32hlp.cnf file, which i think that maybe these files keep loading up those other files or something? Both these files are considered Trojan.Agents

Edited by MrBoo, 28 April 2009 - 07:34 AM.

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
• Under the "Configuration and Preferences", click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.

• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:

• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/28/2009 at 05:57 PM

Application Version : 4.26.1000

Core Rules Database Version : 3869
Trace Rules Database Version: 1817

Scan type : Complete Scan
Total Scan Time : 00:17:11

Memory items scanned : 482
Memory threats detected : 0
Registry items scanned : 4042
Registry threats detected : 7
File items scanned : 18489
File threats detected : 18

Trojan.Agent/Gen-SpamTool
[] C:\WINDOWS\TEMP\UAT4UOA01I.EXE
C:\WINDOWS\TEMP\UAT4UOA01I.EXE
[Windows Resurections] C:\WINDOWS\TEMP\UAT4UOA01I.EXE
[] C:\WINDOWS\TEMP\UAT4UOA01I.EXE
[Windows Resurections] C:\WINDOWS\TEMP\UAT4UOA01I.EXE
C:\WINDOWS\TEMP\ARAG4QGFGDF.EXE

Adware.Tracking Cookie
C:\Documents and Settings\tyler\Cookies\tyler@server.iad.liveperson[3].txt
C:\Documents and Settings\tyler\Cookies\tyler@ad.bodybuilding[1].txt
C:\Documents and Settings\tyler\Cookies\tyler@kaspersky.122.2o7[1].txt
C:\Documents and Settings\tyler\Cookies\tyler@mediaplex[1].txt
C:\Documents and Settings\tyler\Cookies\tyler@server.iad.liveperson[2].txt
C:\Documents and Settings\tyler\Cookies\tyler@chitika[1].txt
C:\Documents and Settings\tyler\Cookies\tyler@questionmarket[2].txt
C:\Documents and Settings\tyler\Cookies\tyler@statse.webtrendslive[2].txt
C:\Documents and Settings\tyler\Cookies\tyler@ads.bleepingcomputer[1].txt
C:\Documents and Settings\tyler\Cookies\tyler@atdmt[2].txt
C:\Documents and Settings\tyler\Cookies\tyler@doubleclick[1].txt
C:\Documents and Settings\tyler\Cookies\tyler@revsci[1].txt
C:\Documents and Settings\tyler\Cookies\tyler@ads.techguy[1].txt

Rogue.Component/Trace
HKU\S-1-5-21-1343024091-1229272821-839522115-1003\Software\Microsoft\FIAS4057

Trojan.Downloader-Gen/Temp
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#Windows Resurections [ C:\WINDOWS\TEMP\uat4uoa01i.exe ]
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#Windows Resurections [ C:\WINDOWS\TEMP\uat4uoa01i.exe ]

Trace.Known Threat Sources
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UR4JS7A5\winlogon[1].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4HM72H8R\warning[1].gif
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S9U9YN8P\loads[1].htm

Now run another Malwarebytes scan.

Malwarebytes' Anti-Malware 1.36
Database version: 2053
Windows 5.1.2600 Service Pack 3

4/28/2009 7:51:02 PM
mbam-log-2009-04-28 (19-51-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 118409
Time elapsed: 13 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\tyler\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\tyler\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\tyler\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.



Some things came back i guess

I think it's time to head on over to the HijackThis forum for a closer look.

Preparation Guide for use before posting a HijackThis Log

Go straight to Step 6. Be sure to include a link to this thread so they can see what has already been tried.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

THIS IS MY OPINION, I AM NOT A HELPER OF THIS FORUM!!
You May have the W32/Virut virus or a variant. From the names of the files, and what is apparently a polymorphic action, that would be my best guess.