Got some Malware....


9 replies to this topic

#1 djay72
  • Members
  • 38 posts

Posted 22 September 2009 - 09:17 AM

I had posted a problem I was having with my Windows XP Pro. I was having pop-ups, nothing overly bad, just stupid windows telling me about fonts that I needed (go to this site, or this site, etc.). Well, I ran Malwarebytes, and it came up with 11 infected files. I removed them and went to reboot. Only when I rebooted, when I got to the login screen I couldn't see anything (blue login screen with a blue colored bar, nothing else). So I hit Enter and was taken to the desktop, only I didn't have any icons and no taskbar. Worked at it, and finally got an OS system disk and inserted it; that fixed the userinit.exe file that somehow was corrupted. BUT now I still have the pop-ups, and I am still showing 11 infected files. I don't want to remove something if it is going to cause a userinit problem again.

So can someone give me some advice as to how to proceed? Thanks a lot, Jeff



#2 djay72
  • Topic Starter
  • Members
  • 38 posts

Posted 22 September 2009 - 02:02 PM

Also I have noticed that I get a "bong" like some program is running in the background. I especially notice it when I am on YouTube. But I have a program called EndItAll I use for Flight Simulator, and I have shut down nonessential programs, so this is running way in the background.

#3 Skydie
  • Members
  • 353 posts

Posted 22 September 2009 - 02:14 PM

Download SAS Free (SUPERAntiSpyware Free Edition), then update it. Run a full scan and post the results here, please.

#4 boopme (To Insanity and Beyond)
  • Global Moderator
  • 73,220 posts

Posted 22 September 2009 - 04:10 PM

Hello, please post that MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log, including the top portion which shows MBAM's database version and your operating system.

Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode (XP), using the F8 method:
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed, etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER:
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Then rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please post back the old and new MBAM logs plus the SAS log, thanks.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 djay72
  • Topic Starter
  • Members
  • 38 posts

Posted 22 September 2009 - 04:32 PM

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.35
Database version: 1925
Windows 5.1.2600 Service Pack 1

2009-09-22 17:27:17
mbam-log-2009-09-22 (17-27-05).txt

Scan type: Quick Scan
Objects scanned: 86294
Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\fujehone.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c2f4af54-b0d0-4f17-b906-00314e596719} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dadamaliz (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2f4af54-b0d0-4f17-b906-00314e596719} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pesuzajol (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fujehone.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fujehone.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\fujehone.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\sirifiwi.dll (Trojan.Vundo) -> No action taken.


Here is a screenshot of what it wants me to delete. The bottom one is the one I deleted, which started the whole userinit.exe problem. (At least I am pretty sure it was this one, as it is the one that always comes up even after deleting the others, i.e. run Malwarebytes, remove infected files, reboot, and re-run. Make sense?)

[Screenshot attached to the original post; not reproduced here.]
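The log above names the same DLL, fujehone.dll, three times: as a module loaded in memory, as a file on disk, and as the data of the AppInit_DLLs value, which makes every process that loads user32.dll pick it up again at the next logon. It also lists a Run value, a SharedTaskScheduler entry and a ShellServiceObjectDelayLoad entry (all autostart locations) and a Security Center flag that suppresses update notifications. As an added example that is not part of the thread or of Malwarebytes' own tooling, the Python below parses this MBAM 1.x log format, cross-checks the summary counts against the entries actually listed, and groups each finding by the autostart mechanism it uses. The section and entry format is taken from the log in the post; the classification labels and the function names (parse_mbam_log, counts_match, persistence_summary, dll_references) are this example's own assumptions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and group the findings by
the autostart location (ASEP) each one abuses.  Added example, not code from
the post or from Malwarebytes; labels and function names are this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")          # "Files Infected:"
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")  # "Files Infected: 2"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")

# Registry locations that load code at logon/shell start, plus the Security
# Center flag MBAM reports.  Label text is assumed for this example.
ASEP_PATTERNS = [
    (re.compile(r"\\CurrentVersion\\Run\\", re.I), "Run key"),
    (re.compile(r"\\SharedTaskScheduler\\", re.I), "SharedTaskScheduler"),
    (re.compile(r"\\ShellServiceObjectDelayLoad\\", re.I), "ShellServiceObjectDelayLoad"),
    (re.compile(r"\\AppInit_DLLs$", re.I), "AppInit_DLLs"),
    (re.compile(r"\\Winlogon\\(Userinit|Shell)$", re.I), "Winlogon"),
    (re.compile(r"\\Security Center\\", re.I), "Security Center tampering"),
]

@dataclass
class Finding:
    section: str            # e.g. "Registry Values Infected"
    target: str             # file path or registry path
    threat: str             # MBAM detection name
    data: Optional[str]     # "Data: ..." or "Bad: (1) Good: (0)" when present
    action: str             # "No action taken." etc.
    asep: Optional[str]     # autostart class from ASEP_PATTERNS, or None

def classify(target: str) -> Optional[str]:
    return next((label for pat, label in ASEP_PATTERNS if pat.search(target)), None)

def parse_mbam_log(text: str) -> List[Finding]:
    findings, section = [], None
    for line in map(str.strip, text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        item = ITEM_RE.match(line) if section else None
        if item:
            # rest is "<detail> -> ... -> <action>"; the last piece is the action
            parts = [p.strip() for p in item.group("rest").split(" -> ")]
            findings.append(Finding(section, item.group("target"), item.group("threat"),
                                    " ".join(parts[:-1]) or None, parts[-1],
                                    classify(item.group("target"))))
    return findings

def counts_match(text: str) -> bool:
    """Cross-check the summary counts against the entries actually listed,
    which catches a paste that was truncated or had its top cut off."""
    declared = {m.group("name"): int(m.group("n"))
                for m in map(COUNT_RE.match, map(str.strip, text.splitlines())) if m}
    parsed = {name: 0 for name in declared}
    for f in parse_mbam_log(text):
        parsed[f.section] = parsed.get(f.section, 0) + 1
    return declared == parsed

def persistence_summary(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by the autostart mechanism they use."""
    summary: Dict[str, List[str]] = {}
    for f in findings:
        if f.asep:
            summary.setdefault(f.asep, []).append(f.target)
    return summary

def dll_references(findings: List[Finding]) -> Dict[str, List[str]]:
    """For each detected file or module, list the ASEP entries whose data names
    it, i.e. the path by which that DLL is loaded again at the next logon."""
    names = {f.target.rsplit("\\", 1)[-1].lower() for f in findings
             if f.section in ("Files Infected", "Memory Modules Infected")}
    refs: Dict[str, List[str]] = {n: [] for n in names}
    for f in findings:
        if f.asep and f.data:
            for n in (n for n in names if n in f.data.lower()):
                refs[n].append(f.asep)
    return refs

# Detail section of the log in the post above, copied verbatim (empty
# categories omitted).
SAMPLE_LOG = r"""
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 3
Files Infected: 2

Memory Modules Infected:
c:\WINDOWS\system32\fujehone.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c2f4af54-b0d0-4f17-b906-00314e596719} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dadamaliz (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2f4af54-b0d0-4f17-b906-00314e596719} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pesuzajol (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fujehone.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fujehone.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
c:\WINDOWS\system32\fujehone.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\sirifiwi.dll (Trojan.Vundo) -> No action taken.
"""

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("summary counts consistent:", counts_match(SAMPLE_LOG))
    for label, targets in persistence_summary(found).items():
        print(f"{label}: {len(targets)} entr{'y' if len(targets) == 1 else 'ies'}")
    for dll, via in dll_references(found).items():
        print(f"{dll}: loaded via {via or 'no ASEP data in this log'}")
```

Run against the posted log it reports fujehone.dll referenced twice from AppInit_DLLs, while nothing in this quick-scan log says what the Run value dadamaliz points at or how sirifiwi.dll is loaded; those gaps are why a full scan and the complete log are worth having before deciding what to delete.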

#6 boopme (To Insanity and Beyond)
  • Global Moderator
  • 73,220 posts

Posted 22 September 2009 - 07:29 PM

Hello. They ALL need to be deleted. Then reboot the PC.
Did you run the ATF and SAS yet? Please do.

Now this is the top of your log. It shows you need to update MBAM:

Malwarebytes' Anti-Malware 1.35 (now at 1.41)
Database version: 1925 (now at 2843)
Windows 5.1.2600 Service Pack 1

>>> When we finish everything you need to update your Service Pack.

Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Post back the new MBAM and SAS logs. Let us know how the PC is running now.

#7 djay72
  • Topic Starter
  • Members
  • 38 posts

Posted 22 September 2009 - 09:39 PM

Will do all you ask except update... which isn't because I don't want to, it's that I can't. I have tried to run Windows Update about a million times with the same error. I get about 60-70% done and it tells me it cannot complete the update and removes everything back to the original SP1.

#8 Skydie
  • Members
  • 353 posts

Posted 23 September 2009 - 11:28 AM

I meant update (and I'm guessing boopme did too) the anti-malware program. MBAM Free relies on signatures to find viruses. So if you don't update the program then it will have old signatures which might not detect what you have.

#9 djay72
  • Topic Starter
  • Members
  • 38 posts

Posted 23 September 2009 - 12:34 PM

I've done all of the above as directed, and I want to thank you guys for all of your help, but in talking with an IT friend of mine, and since I cannot update XP beyond SP1, I've decided to blow out my OS partition and reinstall XP from scratch and go from there. What was happening was that I was running out of room on my OS partition, so as of tonight it's gone. Sounds a bit drastic for some malware, but it's been coming for a long time, again due to space, and I figured it was as good a time as any to do it.

So thanks for all of the help; you guys are real saviors when it comes to helping with these wonderful problems. THANKS, Jeff

#10 boopme (To Insanity and Beyond)
  • Global Moderator
  • 73,220 posts

Posted 23 September 2009 - 01:55 PM

Thanks for letting us know. Not an unwise decision to make. Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.
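The advice above (skip executables and autorun files, look at the full name, scan before restoring) can be applied mechanically to a backup listing. The Python below is an added example, not from the post or from BleepingComputer: it screens each candidate by the extension Windows will actually dispatch on (the last one, after any padding spaces), flags names such as photo.jpg.exe where a data-looking extension sits in front of an executable one, and, when the file's first bytes are available, also catches an executable renamed to .jpg by its MZ header. The post says autorun.ini; the file Windows reads from a mounted volume is autorun.inf, which is what the check below looks for. The extension lists, the function names (screen, screen_all) and the sample paths are this example's own assumptions, and the sample listing is constructed, not real files.

```python
"""Screen files before restoring them onto a rebuilt system: skip executables
and autorun files, and look past a harmless-looking extension to the one
Windows will actually act on.  Added example, not from the post or from
BleepingComputer; rule set, function names and sample paths are this example's own."""
import ntpath
from typing import Dict, List, Optional, Tuple

# Extensions Windows runs (or loads as code) when opened.  Assumed list.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".dll", ".cpl"}
# Extensions a user would expect to hold inert data.  Assumed list.
DATA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".doc", ".xls", ".pdf", ".txt", ".mp3", ".avi"}

def screen(path: str, head: Optional[bytes] = None) -> Tuple[bool, str]:
    """Decide whether one backup candidate is safe to copy back.
    Returns (keep, reason).  `head` is the file's first bytes, if available."""
    name = ntpath.basename(path)          # ntpath so Windows paths work on any OS
    root, ext = ntpath.splitext(name)     # ext is the LAST extension, which is what Windows uses
    ext = ext.lower()
    if name.lower() == "autorun.inf":
        return False, "autorun.inf: runs again as soon as the volume is mounted"
    if ext in EXECUTABLE_EXTS:
        # "photo.jpg.exe" or "photo.jpg          .exe": the extension a user
        # sees is not the one Windows dispatches on.
        inner = ntpath.splitext(root.rstrip())[1].lower()
        if inner in DATA_EXTS or root != root.rstrip():
            return False, f"{ext} executable disguised as {inner or 'a plain name'}"
        return False, f"{ext} executable: reinstall from trusted media instead"
    if head is not None and head[:2] == b"MZ":
        # PE/DOS executables start with the "MZ" header regardless of their name.
        return False, f"content is a Windows executable despite the {ext or 'missing'} extension"
    if not ext:
        return True, "no extension: inspect manually before restoring"
    return True, "data file: scan with an updated scanner, then restore"

def screen_all(candidates: List[Tuple[str, Optional[bytes]]]) -> Dict[str, List[Tuple[str, str]]]:
    """Split a (path, first-bytes) listing into keep/skip lists with reasons."""
    result: Dict[str, List[Tuple[str, str]]] = {"keep": [], "skip": []}
    for path, head in candidates:
        keep, reason = screen(path, head)
        result["keep" if keep else "skip"].append((path, reason))
    return result

# Constructed sample backup listing (path, first bytes); not real files.
SAMPLE_BACKUP = [
    (r"D:\backup\Documents\taxes2008.pdf", b"%PDF-1.4"),
    (r"D:\backup\Photos\holiday.jpg", b"\xff\xd8\xff\xe0"),
    (r"D:\backup\Photos\holiday.jpg.exe", b"MZ\x90\x00"),
    (r"D:\backup\Photos\invoice.pdf                .scr", b"MZ\x90\x00"),
    (r"D:\backup\Photos\cat.jpg", b"MZ\x90\x00"),        # executable renamed to .jpg
    (r"D:\backup\autorun.inf", b"[autorun]\r\n"),
    (r"D:\backup\Tools\EndItAll.exe", b"MZ\x90\x00"),
    (r"D:\backup\README", None),
]

if __name__ == "__main__":
    for verdict, items in screen_all(SAMPLE_BACKUP).items():
        for path, reason in items:
            print(f"{verdict:4} {ntpath.basename(path)!r}: {reason}")
```

The name check alone would pass cat.jpg, which is why the header check matters when the bytes are available; on a system with "Hide extensions for known file types" enabled, Explorer would show holiday.jpg.exe as holiday.jpg, so the listing fed to screen_all must come from a tool that reports full names.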



