userinit.exe has a trojan


23 replies to this topic

#16 boopme (Global Moderator, 73,538 posts)

Posted 29 May 2009 - 11:56 AM

First you MUST BACK UP the registry. This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start » Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File » Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click save and then go to File » Exit.

Or you can download and use ERUNT, which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.


Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #128 and click "Desktop and Screensaver Tabs" in the right column. Go to File, choose "Save page as", select All Files and save desktoptab.reg to your desktop. Double-click on that file and choose "Yes" to merge it into the registry when prompted. Once you get a success message, delete the file and reboot.

Edited by boopme, 29 May 2009 - 11:57 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#17 delusional (Topic Starter, Members, 14 posts)

Posted 29 May 2009 - 02:50 PM

Didn't work. I still had to manually start explorer.exe after the reboot. After having a look at the processes running on start up....I don't think we're out of the woods yet.

#18 boopme (Global Moderator, 73,538 posts)

Posted 29 May 2009 - 03:18 PM

Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").
These are some common malware related entries you may see:
Security Info
Warning Message
Security Desktop
Warning Homepage
Privacy Protection
Desktop Uninstall

If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

When done, go back into your Desktop Settings and you should be able to change the color/theme to whatever you want.


What processes are consuming a lot of CPU?

#19 delusional (Topic Starter, Members, 14 posts)

Posted 29 May 2009 - 04:14 PM

There was nothing listed under the web tab and lock desktop items was unchecked.

It looks like I'm running 9 versions of svchost, in system, local service and network service. lsass.exe is running, not sure about that one, as I'd seen it mentioned with a virus once before. As far as processes taking up system usage, it looks fairly normal....firefox, teatimer (that's a big one), system, explorer, and mysqld-nt....after that I don't recognize much of anything else.

Edited by delusional, 29 May 2009 - 04:14 PM.


#20 boopme (Global Moderator, 73,538 posts)

Posted 29 May 2009 - 07:57 PM

Hello. The Task Manager looks fine, except that TeaTimer is running. It should have been disabled for the scans and restarted after if wanted, so we may want to do that and rescan.
Why Are There So Many svchost.exes Running

If you've ever taken a look at the Services section in Control Panel, you might notice that there are a lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows, so they are separated out.

Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.


If needed
In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode" [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox: [image]
  • Close/Exit Spybot Search and Destroy

Fix the desktop
Now get your XP CD, then go to Start >> Run
type sfc /scannow >> there's a space between c and /
Let it run; insert the CD when asked.
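The svchost grouping described in the post above can be seen directly: each svchost.exe instance is started with a "-k <group>" switch and hosts the services of that group. The following is an added example, not code from the thread, that lists every svchost.exe with its group and hosted services and flags any instance not started from the expected System32 path; it assumes a current PowerShell with CIM cmdlets (on the thread's XP machine, "tasklist /svc" gives a similar view).

```powershell
# Added example (not from the thread): map each svchost.exe instance to the
# service group it was started with and the services it currently hosts, so a
# count of nine or more copies can be read sensibly. Run from an elevated
# prompt so ExecutablePath and CommandLine are visible for every process.

# Running services, keyed later by the PID of the process hosting them.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 }

# Windows starts every genuine svchost.exe from this location.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Sort-Object ProcessId |
    ForEach-Object {
        $p = $_

        # Services whose host process is this svchost instance.
        $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId }

        # The "-k <group>" switch names the logical service group.
        $group = if ($p.CommandLine -match '-k\s+(\S+)') { $matches[1] } else { '' }

        [PSCustomObject]@{
            PID      = $p.ProcessId
            Group    = $group
            # False here (or an empty Services column) is worth a closer look.
            PathOK   = ($p.ExecutablePath -ieq $expectedPath)
            Services = (@($hosted | ForEach-Object { $_.Name }) -join ', ')
        }
    } | Format-Table -AutoSize -Wrap
```

Several rows with different groups are the normal picture the post describes; an instance hosting no services or running from a path other than System32 is the kind of row to investigate rather than the count itself.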

#21 delusional (Topic Starter, Members, 14 posts)

Posted 29 May 2009 - 10:24 PM

I had TeaTimer disabled when I did all the scans. I can't do the sfc thing, as my Windows CD is about 2000 miles away from me. Also, all by its little lonesome, my system clock decided to go into military format. Not a huge issue, but one I found odd.

#22 boopme (Global Moderator, 73,538 posts)

Posted 29 May 2009 - 10:35 PM

Oops, I did ask that already, didn't I.
To fix the clock display:

Go to Start >> Control Panel.
Select Regional and Language Options.
In the Standards and Formats section, next to the language you are using, click the Customize... button.
Press the Time... tab.
In the Time Format... box, for 12-hour time display, change the format to:

h mm ss tt
or
hh mm ss tt


Select the other display options you want: separator, AM, PM...
When done, click Apply and OK as needed.

I feel we need to let HJT find this userinit issue.
We need to run HJT/DDS.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal. Click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.

#23 delusional (Topic Starter, Members, 14 posts)

Posted 29 May 2009 - 11:15 PM

I was afraid it would come to this. It's creeping up towards midnight here, so I'll get started on it in the morning, probably finishing up later that night as I work a wonderful 12-8 shift tomorrow. Thanks for the help thus far, and I'll keep you posted.

#24 Orange Blossom (Moderator, 37,062 posts)

Posted 30 May 2009 - 06:08 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/230461/userinitexe-infected-with-sheur2acax/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response, but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.
An ounce of prevention is worth a pound of cure
SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.