userinit.exe is infected


10 replies to this topic

#1 khushman

  • Members
  • 7 posts

Posted 20 May 2009 - 05:45 AM

Hi,

Couple of nights ago, I accidentally pressed on an online scan and a lot of problems started straight away. MBAM and AVG Free removed most of the afflictions, but AVG did not even quarantine the infected userinit.exe; it only displayed a comment, 'Object is white-listed (Critical/System file that should not be removed)'. MBAM quarantined the 2 items it could not get rid of and asked to reboot, which I did. When I reran the MBAM quick scan it again showed those 2 items and the same process was repeated. I have done it 5 or 6 times, but on every rescan this problem keeps showing up. I have viewed some of the postings here concerning Userinit.exe and they seem to be very similar to what I am experiencing. I am posting the latest MBAM log below and will appreciate any help to clean my computer.

I might be asked why I have Windows XP Home SP1 and not SP2/SP3. I had a virus a while ago which asked me to log on with a user id and password when I had not set up a user/password! A friend somehow fixed that problem, but when I tried to install the downloaded SP2, it would stop midway and just sit there for hours; after many attempts I simply gave up! As you can deduce from these 2 paragraphs, I am not very computer savvy!!!



Malwarebytes' Anti-Malware 1.36
Database version: 2142
Windows 5.1.2600 Service Pack 1

5/20/2009 8:10:10 PM
mbam-log-2009-05-20 (20-10-10).txt

Scan type: Quick Scan
Objects scanned: 93780
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Dropper) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.



#2 boopme

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 May 2009 - 10:45 AM

So you are saying you cannot install SP2 and/or 3? These provide many patches and fixes to security leaks..

Run ATF and SAS:
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox or Opera browser click that browser at the top and choose: Select All
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW Scan with SUPER
  • Open from the desktop icon or the program Files list
  • On the left, make sure you check C:\Fixed Drive.
  • Perform a Complete scan. After scan, Verify they are all checked.
  • Click OK on the summary screen to quarantine all found items.
  • If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log.
  • A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 khushman
  • Topic Starter
  • Members
  • 7 posts

Posted 21 May 2009 - 08:39 AM

Hi,

Everything seems to be okay for the moment. After following everything I was directed to, I ran an MBAM scan and it found 3 items which were quarantined, and after the reboot another MBAM scan found nothing. I then ran an AVG scan and it also found nothing. The PC seems to be running better and faster.
It is frustrating that I cannot install SP2 and SP3. What I might do is back up my data and then uninstall/install Windows afresh; that way I should be able to install SP2 and SP3.
Thank you very much for your help and guidance. I am attaching both Super and MBAM logs below... Thanks once again!!!!!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/21/2009 at 09:13 PM

Application Version : 4.26.1002

Core Rules Database Version : 3904
Trace Rules Database Version: 1849

Scan type : Complete Scan
Total Scan Time : 02:11:43

Memory items scanned : 201
Memory threats detected : 0
Registry items scanned : 4632
Registry threats detected : 7
File items scanned : 76395
File threats detected : 38

Trojan.Unknown Origin
[autochk] C:\WINDOWS\SYSTEM32\AUTOCHK.DLL
C:\WINDOWS\SYSTEM32\AUTOCHK.DLL
[autochk] C:\DOCUME~1\LOCALS~1\PROTECT.DLL
C:\DOCUME~1\LOCALS~1\PROTECT.DLL
[autochk] C:\DOCUME~1\KHUSH~1.KHU\PROTECT.DLL
C:\DOCUME~1\KHUSH~1.KHU\PROTECT.DLL
[autochk] C:\DOCUME~1\LOCALS~1\PROTECT.DLL
C:\DOCUMENTS AND SETTINGS\KHUSH.KHUSH-222OQMRE1\PROTECT.DLL
C:\DOCUMENTS AND SETTINGS\KHUSH.KHUSH-222OQMRE1\START MENU\PROGRAMS\STARTUP\CHKDISK.DLL
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\PROTECT.DLL
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\PROTECT.DLL
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\START MENU\PROGRAMS\STARTUP\CHKDISK.DLL

Trojan.Dropper/Sys-NV
HKLM\System\ControlSet016\Services\AshEvtSvc
C:\WINDOWS\SYSTEM32\ASHEVTSVC.EXE
HKLM\System\ControlSet016\Enum\Root\LEGACY_AshEvtSvc

Trojan.Fake-Alert/Trace
C:\Documents and Settings\khush.KHUSH-222OQMRE1\Local Settings\Temporary Internet Files\fbk.sts

Rogue.Component/Trace
HKU\S-1-5-21-1123561945-1767777339-682003330-1007\Software\Microsoft\FIAS4057

Adware.Tracking Cookie
.e-2dj6wbkosidpcgq.stats.esomniture.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.ads.clicksor.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.richmedia.yahoo.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.mediafire.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.mediafire.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.mediafire.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
linkto.mediafire.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
linkto.mediafire.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
linkto.mediafire.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
linkto.mediafire.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
linkto.mediafire.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.adecn.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.adecn.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
adstats.cdfreaks.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
display.mediafire.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.precisionclick.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.dmtracker.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.mediaonenetwork.net [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.mediaonenetwork.net [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.comicrack.cyolito.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.comicrack.cyolito.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
mediamgr.ugo.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.myroitracking.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]
.atwola.com [ C:\Documents and Settings\khush\Application Data\Mozilla\Firefox\Profiles\ihrz8ffq.default\cookies.txt ]

Trojan.Dropper/UserInit-Fake
C:\WINDOWS\SYSTEM32\USERINIT.EXE
*****************************************************************
Malwarebytes' Anti-Malware 1.36
Database version: 2142
Windows 5.1.2600 Service Pack 1

5/21/2009 9:27:11 PM
mbam-log-2009-05-21 (21-27-11).txt

Scan type: Quick Scan
Objects scanned: 87636
Time elapsed: 2 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\khush.KHUSH-222OQMRE1\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
:thumbsup:

#4 boopme

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 May 2009 - 07:17 PM

That's a good plan.. If you are not going to do that for a while then,

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#5 khushman
  • Topic Starter
  • Members
  • 7 posts

Posted 23 May 2009 - 07:55 AM

Latest....

I spent most of Friday night and most of today (SAT) running multiple MBAM, AVG Free 8.5 and Super Anti Spyware scans. After every reboot Malware Doctor will start and will not go away. Task Manager is disabled and I am not allowed to create a new Restore point, and I should not create one at the moment as I am still infected. Below is the latest Super Anti Spyware scan log. Please, any help to get rid of this nasty would be highly appreciated. Thanks

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/23/2009 at 10:13 PM

Application Version : 4.26.1002

Core Rules Database Version : 3904
Trace Rules Database Version: 1849

Scan type : Complete Scan
Total Scan Time : 01:19:15

Memory items scanned : 202
Memory threats detected : 0
Registry items scanned : 4632
Registry threats detected : 13
File items scanned : 62062
File threats detected : 8

Trojan.Unknown Origin
[autochk] C:\WINDOWS\SYSTEM32\AUTOCHK.DLL
C:\WINDOWS\SYSTEM32\AUTOCHK.DLL
[autochk] C:\DOCUME~1\LOCALS~1\PROTECT.DLL
C:\DOCUME~1\LOCALS~1\PROTECT.DLL
C:\DOCUMENTS AND SETTINGS\KHUSH.KHUSH-222OQMRE1\PROTECT.DLL
C:\DOCUMENTS AND SETTINGS\KHUSH.KHUSH-222OQMRE1\START MENU\PROGRAMS\STARTUP\CHKDISK.DLL
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\PROTECT.DLL

Trojan.Dropper/Gen-NV
[Malware Doctor] C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\916653139.EXE
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\916653139.EXE
[Malware Doctor] C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\916653139.EXE

Trojan.Unclassified-Packed/Suspicious
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}
HKCR\CLSID\{F30B5E7E-CFBB-44FB-A947-226E5A7A4290}
HKCR\CLSID\{F30B5E7E-CFBB-44FB-A947-226E5A7A4290}
HKCR\CLSID\{F30B5E7E-CFBB-44FB-A947-226E5A7A4290}\InprocServer32
HKCR\CLSID\{F30B5E7E-CFBB-44FB-A947-226E5A7A4290}\InprocServer32#ThreadingModel
HKCR\CLSID\{F30B5E7E-CFBB-44FB-A947-226E5A7A4290}\ProgID
HKCR\CLSID\{F30B5E7E-CFBB-44FB-A947-226E5A7A4290}\TypeLib
HKCR\MS
HKCR\TypeLib\{8DAFE20B-F1B8-4dcc-8995-2882DAD0A622}
C:\WINDOWS\SYSTEM32\JHXM32.DLL

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\SFT.RES

#6 boopme

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 24 May 2009 - 08:01 PM

Task Manager is disabled.

For the Task Manager....
This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start » Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File » Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click save and then go to File » Exit.

Or you can download and use ERUNT, which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as" All Files and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run and reboot when done. Since the script modifies certain registry settings your anti-virus package may warn you about it. Ignore the warning and allow it to run.
******

Now run SDFix: Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
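The post above has the reader export the registry with regedit before lifting the Task Manager restriction, and earlier MBAM flagged the Winlogon\Userinit data. A helper can check both from that export. The script below is an added example, not boopme's or BleepingComputer's code and not a feature of any tool in the thread. It parses a regedit `.reg` export and reports two things: policy values that disable Task Manager or regedit (the real value names `DisableTaskMgr` and `DisableRegistryTools` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System`, where 1 means blocked) and Winlogon `Userinit`/`Shell` values that differ from the Windows XP defaults (`C:\WINDOWS\system32\userinit.exe,` and `Explorer.exe`). The sample export is constructed and `EXAMPLE_PAYLOAD.exe` is a placeholder.

```python
"""Audit a regedit .reg export for the restrictions and Winlogon settings this
thread turns on.  Added example, not from the thread: the sample export is
constructed; the policy value names and XP defaults are real."""
import re

# Registry locations and XP defaults the audit compares against.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
XP_DEFAULTS = {"Userinit": r"C:\WINDOWS\system32\userinit.exe,", "Shell": "Explorer.exe"}
RESTRICTIONS = ("DisableTaskMgr", "DisableRegistryTools")  # dword 1 = tool blocked by policy

# Constructed sample of what regedit's File > Export produces for the two keys;
# EXAMPLE_PAYLOAD.exe is a placeholder, not a path from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Temp\\EXAMPLE_PAYLOAD.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
'''

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "name"=data lines; the @= default value is skipped


def decode_value(data):
    """Turn the textual .reg representation into a Python value (strings and DWORDs only)."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # .reg files escape backslashes and double quotes with a backslash
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data  # hex:, hex(2): and friends are left as written


def parse_reg(text):
    """Map each exported key (lower-cased path) to its {value name: data} dict."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def audit(keys):
    """Return findings: active tool restrictions and Winlogon values that are not the XP default."""
    findings = []
    policy = keys.get(POLICY_KEY.lower(), {})
    for name in RESTRICTIONS:
        if policy.get(name) == 1:
            findings.append(f"{name}=1: blocked by policy, clear it once the machine is clean")
    winlogon = keys.get(WINLOGON_KEY.lower(), {})
    for name, default in XP_DEFAULTS.items():
        actual = winlogon.get(name)
        if isinstance(actual, str) and actual.lower() != default.lower():
            findings.append(f"Winlogon\\{name} is {actual!r}, XP default is {default!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Note the limit of a value-only check: in the first MBAM log in this thread the Userinit data pointed at the default path and MBAM still flagged it, because the file at that path had been replaced. A clean registry value therefore does not clear userinit.exe itself; the file also has to be compared against a known-good copy.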

#7 khushman
  • Topic Starter
  • Members
  • 7 posts

Posted 26 May 2009 - 07:46 AM

Hi,

I have run SDFix as you asked me and the report is below. I tried to update MBAM but it just sits there and does nothing (last update was 22/05), so I have not run an MBAM scan. Please let me know if you want me to do an MBAM scan and post it here.

PS: Does this sentence in the report mean that I don't have administrative rights? I thought my friend set me up as an administrator!!!!! :thumbsup:

' please note that you need administrator rights to perform deep scan '


SDFix Report


SDFix: Version 1.240
Run by khush on Tue 05/26/2009 at 10:07 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\setting.ini - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-26 22:16:09
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\khush.KHUSH-222OQMRE1\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 26 Jun 2007 205,312 ...H. --- "C:\Documents and Settings\khush\My Documents\~WRL3629.tmp"
Sun 24 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT1.tmp"
Tue 26 May 2009 23,552 A.SH. --- "C:\WINDOWS\system32\config\systemprofile\protect.dll"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\khush.KHUSH-222OQMRE1\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

#8 khushman
  • Topic Starter
  • Members
  • 7 posts

Posted 26 May 2009 - 09:53 AM

I managed to update MBAM and ran a scan. The MBAM scan report and AVG scan report are below. I first ran AVG and then MBAM:

AVG Scan

"Scan ""Scan specific files or folders"" was finished."
"Infections";"4";"4";"0"
"Folders selected for scanning:";"C:\WINDOWS;"
"Scan started:";"Wednesday, 27 May 2009, 12:09:58 AM"
"Scan finished:";"Wednesday, 27 May 2009, 12:23:42 AM (13 minute(s) 44 second(s))"
"Total object scanned:";"47906"
"User who launched the scan:";"khush"

"Infections"
"File";"Infection";"Result"
"C:\WINDOWS\system32\autochk.dll";"Trojan horse Agent2.IBE";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\protect.dll";"Trojan horse Agent2.IBE";"Moved to Virus Vault"
"C:\WINDOWS\system32\lmn_setup.exe";"Trojan horse Agent2.IBG";"Moved to Virus Vault"
"C:\WINDOWS\Temp\msb.dll";"Trojan horse Agent2.IBE";"Moved to Virus Vault"

=========================

MBAM Scan

Malwarebytes' Anti-Malware 1.36
Database version: 2181
Windows 5.1.2600 Service Pack 1

5/27/2009 12:41:09 AM
mbam-log-2009-05-27 (00-41-09).txt

Scan type: Quick Scan
Objects scanned: 89669
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\pp10.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ty667.ty667mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{437a43d5-e5c3-4959-bbd0-f2bfb1edc6fd} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{437a43d5-e5c3-4959-bbd0-f2bfb1edc6fd} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ty667.ty667mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sysloc\sysloc.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\pp10.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Delete on reboot.
C:\WINDOWS\st_1243350587.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1243371615.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\khush.KHUSH-222OQMRE1\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.


:thumbsup:
Going to bed now, it's 1am in the morning!!!!!
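Two log formats appear in this thread: Malwarebytes' plain-text log (sections ending in "Infected:", one detection per line as `item (Family) -> action.`) and AVG's semicolon-separated export with quoted fields. The script below is an added example, not code from the thread or from either product. It parses both formats and answers the two questions a helper reads such logs for: which items are still marked "Delete on reboot" (so a reboot and rescan are needed before the machine can be called clean) and which file paths both scanners agree on. The sample logs are constructed to follow the formats shown in this post; the detection names reuse those in the thread, but every path is a placeholder.

```python
"""Parse the two scan-log formats posted in this thread (Malwarebytes' text log
and AVG's semicolon-separated export) and summarise what still needs doing.
Added example; the sample logs are constructed, with placeholder paths."""
import csv
import io
import re
from collections import Counter

# Constructed MBAM log excerpt following the format posted above.
MBAM_SAMPLE = """Malwarebytes' Anti-Malware 1.36
Database version: 2181
Windows 5.1.2600 Service Pack 1

Scan type: Quick Scan
Objects scanned: 89669

Memory Processes Infected: 1
Registry Values Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\\WINDOWS\\example_a.exe (Worm.KoobFace) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\example (Backdoor.Bot) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\example_a.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\\WINDOWS\\example_b.exe (Worm.Koobface) -> Delete on reboot.
C:\\WINDOWS\\system32\\example_c.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed AVG export excerpt following the format posted above.
AVG_SAMPLE = '''"Scan ""Scan specific files or folders"" was finished."
"Infections";"2";"2";"0"
"Folders selected for scanning:";"C:\\WINDOWS;"

"Infections"
"File";"Infection";"Result"
"C:\\WINDOWS\\system32\\example_c.dll";"Trojan horse Agent2.IBE";"Moved to Virus Vault"
"C:\\WINDOWS\\Temp\\example_d.dll";"Trojan horse Agent2.IBE";"Moved to Virus Vault"
'''

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")  # detail headings, no count
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(text):
    """Return one record per detection line, tagged with the section it appeared under."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        heading = SECTION_RE.match(line)
        if heading:
            section = heading.group("section")
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            records.append({"tool": "MBAM", "section": section, **m.groupdict()})
    return records


def parse_avg(text):
    """Return one record per row of the File;Infection;Result table in an AVG export."""
    records, in_table = [], False
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if row == ["File", "Infection", "Result"]:
            in_table = True
            continue
        if in_table and len(row) == 3:
            path, infection, result = row
            records.append({"tool": "AVG", "section": "Files Infected",
                            "item": path, "family": infection, "action": result})
    return records


def summarise(records):
    """Items awaiting a reboot, file paths both tools flagged, and a family count."""
    pending = sorted(r["item"] for r in records
                     if r["tool"] == "MBAM" and r["action"].lower().startswith("delete on reboot"))
    files_by_tool = {}
    for r in records:
        if r["section"] == "Files Infected":
            files_by_tool.setdefault(r["tool"], set()).add(r["item"].lower())
    both = sorted(set.intersection(*files_by_tool.values())) if len(files_by_tool) > 1 else []
    return {"pending_reboot": pending, "flagged_by_both": both,
            "families": Counter(r["family"] for r in records)}


if __name__ == "__main__":
    summary = summarise(parse_mbam(MBAM_SAMPLE) + parse_avg(AVG_SAMPLE))
    print("still pending a reboot:", summary["pending_reboot"])
    print("flagged by both tools: ", summary["flagged_by_both"])
    print("families:              ", dict(summary["families"]))
```

The "Delete on reboot" check matters for the log above: `ld08.exe` there is only scheduled for removal, which is why the standard advice is to reboot and rescan before judging the result.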

#9 boopme

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 26 May 2009 - 01:46 PM

Ok we are making progress.. You should install Service Pack 2 if you use IE as your browser.

You also have a backdoor bot.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.




Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#10 khushman
  • Topic Starter
  • Members
  • 7 posts

Posted 27 May 2009 - 07:42 AM

I don't use IE; instead I have been using Firefox for a couple of years now. Funnily, when I tried to go to the internet just before, Firefox showed 'Proxy Server refused connection'. I fixed that and am using Firefox at the moment..

I will take your advice and reformat and reinstall Windows, but before I do that I need to get some data (photos, files) etc. from this infected PC. How risky would it be to use a USB stick (8gb) or an external hard drive to retrieve this data - could the infections from this PC transfer to these devices?? Should I burn the required data to a DVD??

If it is not too much bother to kill this identified trojan then I would like to do it before I reformat and reinstall!!!!

You have been brilliant and I highly appreciate all your help and guidance...

#11 boopme

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 May 2009 - 11:26 AM

Hi, we can post in the HJT forum if you like and let them clean it... I'll provide that and some reformatting info that should answer your questions..

To run HJT/DDS.
Please follow this guide: go and do steps 6 and 7, Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.


...
Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension after the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.
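The two backup rules above, plus the earlier warning about malware hiding one extension behind another, can be applied mechanically before anything is copied off the infected machine. The script below is an added example, not boopme's or BleepingComputer's code. It classifies each file by name: documents, pictures and music are marked for copying; executables, saved web pages and autorun files are skipped; and a name whose final extension is executable but which carries an earlier extension too (`Holiday.jpg.exe`, or `photo.jpg    .exe` padded with spaces) is singled out for a closer look. The extension lists extend the post's own (.exe, .scr, .com, .pif, .html, .htm, autorun) with .bat, .cmd, .vbs, .lnk and .dll, which are of the same kind; the post writes "autorun.ini", and the Windows file is actually autorun.inf, so both names are covered.

```python
"""Triage a file list before backing it up from an infected PC, following the
two rules in the post above.  Added example, not from the thread; the
extension lists extend the post's with a few of the same kind."""
import os

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".lnk", ".dll"}
WEBPAGE_EXT = {".html", ".htm"}
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}  # the post says .ini; Windows uses autorun.inf
CATEGORIES = ("copy", "skip-executable", "skip-webpage", "skip-autorun",
              "suspicious-double-extension")


def classify(path):
    """Decide what to do with one file based only on its name."""
    name = os.path.basename(path).lower()
    if name in AUTORUN_NAMES:
        return "skip-autorun"
    # Every dot-separated suffix; padding spaces ("photo.jpg    .exe") are stripped so
    # the real, final extension still decides.  A dotted name such as "my.holiday.exe"
    # is flagged too: it is skipped either way, and the label only asks for a second look.
    suffixes = ["." + part.strip() for part in name.split(".")[1:]]
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXT:
        return "suspicious-double-extension" if len(suffixes) >= 2 else "skip-executable"
    if last in WEBPAGE_EXT:
        return "skip-webpage"
    return "copy"


def plan_backup(paths):
    """Group paths by category; every category is present even when empty."""
    plan = {category: [] for category in CATEGORIES}
    for path in paths:
        plan[classify(path)].append(path)
    for bucket in plan.values():
        bucket.sort()
    return plan


def scan_tree(root):
    """Walk a drive or folder and plan its backup (paths relative to root)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            found.append(os.path.relpath(os.path.join(dirpath, filename), root))
    return plan_backup(found)


if __name__ == "__main__":
    import sys
    plan = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for category in CATEGORIES:
        print(f"{category}: {len(plan[category])} file(s)")
        for path in plan[category][:10]:
            print("   ", path)
```

Run it against the folders to be rescued (`python triage.py "C:\Documents and Settings"` on the infected XP machine, or against the external drive after copying), and only the "copy" bucket goes onto the backup medium; as the post says, scan that bucket again with an up-to-date anti-virus after the reinstall, before copying it back.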
