
Win32.TDSS.rtk [Solved]



#16 fireflypdp (Member, Topic Starter, 23 posts)
I didn't see that you edited your post to include Combo-Fix results... I'll go do that right now.
  • 0


#17 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Ok.

Well, we need to replace that infected userinit.

Please delete the copy of CF that you have on your desktop.

Then do this: run this program in SAFE MODE.

To get to safe mode: reboot, tap the F8 key repeatedly as the computer starts > arrow up to Safe Mode > use your normal account to run Combo-Fix.

Please download ComboFix from Here or Here to your Desktop.
**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.  
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**
  • 0

#18 fireflypdp (Member, Topic Starter, 23 posts)
I couldn't boot into safe mode that way... for some reason when I hit F8 it only allows me to select a device to boot from (CD-ROM, Hard Drive, etc)... I chose my C: drive and it went straight into booting up Windows XP normally. I had to shut down my computer while it was trying to boot up Windows XP in order to get the whole "Windows didn't shut down properly last time" message and be able to choose the "Safe Mode" option.

Another weird thing I noticed was that there was an "Administrator" account and my own account I could choose on login... when I boot into XP normally there's only my personal account. Is that normal???

Anyway, my computer is in safe mode (I'm posting this from my girlfriend's computer) and when I ran Combo-Fix it told me my avast! anti-virus scanner was still active. It doesn't show up in my tray icon and I don't see it in my Task Manager, or in my list of processes currently running. How do I know for sure that it's disabled? I don't want to get any nasty "unpredictable results" while running this...
  • 0

#19 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Yes, it's normal to show an admin account in safe mode.

Run CF anyway, as long as you have disabled avast from the panel and system tray icon.

It should be OK.
  • 0

#20 fireflypdp (Member, Topic Starter, 23 posts)
I still get the same prompt as before, even in safe mode. :)

\Utilities\Bin\x86";C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\P
rogram Files\Microsoft DirectX 9.0 SDK (August 2005)\Utilities\Bin\x86;c:\Progra
m Files\Microsoft SQL Server\90\Tools\binn\;;F:\VDMSound;F:\VDMSound;F:\VDMSound
;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTim
e\QTSystem\;C:\Program Files\TortoiseSVN\bin" was unexpected at this time.
  • 0

#21 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Unusual,

that's usually the message received when trying to run CF on a 64 bit system, I need to consult with my colleagues.

Do you have your XP disk handy as we need to replace that userinit with a clean one?
  • 0

#22 fireflypdp (Member, Topic Starter, 23 posts)
Yeah. I actually did this exact same thing sometime last week, because my userinit.exe file was infected and Windows notified me of it and changed it, which caused me to be unable to login to Windows when I rebooted. I had to go grab my XP CD and copy the userinit.exe file from the CD to the system32 folder.
  • 0

#23 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
There was a file on your system that re-infected the new one...I have removed that file...

since you already know how to do it....try it again...let's see if it remains clean this time...
  • 0

#24 fireflypdp (Member, Topic Starter, 23 posts)
I had to look it up online last time, but I don't remember where I found it. Could you just repeat the steps? It'd be better if I did things your way anyway. :)

EDIT: Never mind, I found it; I'm doing it now...

EDIT #2: Okay, I copied over the new file and rebooted. Now what?

Edited by fireflypdp, 10 May 2009 - 12:51 PM.

  • 0

#25 fireflypdp (Member, Topic Starter, 23 posts)
One thing I just noticed...

The file you had me upload for virus scan was located in C:\Windows\system32\dllcache.

The file I copied over was put in C:\Windows\system32.

So there are two userinit.exe files... one in dllcache and one in system32.
  • 0


#26 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Sorry,

I'm not ignoring you; I'm doing some research and consulting with colleagues so I can give you the best possible advice. Please be patient with me.

Thanks

CB
  • 0

#27 fireflypdp (Member, Topic Starter, 23 posts)
No problem, I didn't think you were. :)
  • 0

#28 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

A couple of things I would like you to try:

Let's upload the file in system32 and see if that is infected too...

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\System32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


NEXT:


try to get ComboFix to run this way:

Go to Start > Run, copy/paste the following single-line command into the Run box and click OK:
"%userprofile%\desktop\combofix.exe" /killall

Posted Image
  • DO NOT USE your computer for any other purpose while ComboFix is running.
  • ComboFix may restart your computer, this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply.

  • 0

#29 fireflypdp (Member, Topic Starter, 23 posts)
Here's the results of the scan on C:\Windows\system32\userinit.exe...

VirSCAN.org Scanned Report :
Scanned time : 2009/05/10 17:19:27 (CDT)
Scanner results: 3% Scanner(1/38) found malware!
File Name : userinit.exe
File Size : 22016 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e931e0a2b8bf0019db902e98d03662cb
SHA1 : 13bb65053ee54ae66cad52acf5a15d12cfe1c1c7
Online report : http://virscan.org/r...4e35e8facd.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090510154251 2009-05-10 1.95 -
AhnLab V3 2009.05.10.00 2009.05.10 2009-05-10 0.68 -
AntiVir 8.2.0.166 7.1.3.179 2009-05-10 0.18 -
Antiy 2.0.18 20090510.2386484 2009-05-10 0.12 -
Arcavir 2009 200905101202 2009-05-10 0.03 -
Authentium 5.1.1 200905102017 2009-05-10 1.15 -
AVAST! 4.7.4 090505-0 2009-05-05 0.00 -
AVG 8.5.286 270.12.24/2107 2009-05-10 3.27 -
BitDefender 7.81008.2902637 7.25322 2009-05-11 2.70 -
CA (VET) 9.0.0.143 31.6.6496 2009-05-09 10.21 -
ClamAV 0.95 9349 2009-05-09 0.01 -
Comodo 3.8 1157 2009-05-08 1.16 -
CP Secure 1.1.0.715 2009.05.10 2009-05-10 8.93 -
Dr.Web 4.44.0.9170 2009.05.10 2009-05-10 4.50 -
F-Prot 4.4.4.56 20090510 2009-05-10 1.17 -
F-Secure 5.51.6100 2009.05.09.02 2009-05-09 5.39 -
Fortinet 2.81-3.117 10.375 2009-05-10 0.17 -
GData 19.5141/19.326 20090510 2009-05-10 2.76 -
ViRobot 20090509 2009.05.09 2009-05-09 0.41 -
Ikarus T3.1.01.49 2009.05.10.72695 2009-05-10 2.88 -
JiangMin 11.0.706 2009.05.10 2009-05-10 3.75 -
Kaspersky 5.5.10 2009.05.10 2009-05-10 0.08 -
KingSoft 2009.2.5.15 2009.5.10.21 2009-05-10 2.50 -
McAfee 5.3.00 5611 2009-05-10 2.87 -
Microsoft 1.4602 2009.05.10 2009-05-10 7.47 -
mks_vir 2.01 2009.05.11 2009-05-11 2.77 Trojan.Exploit.Iis.Printeroverflow.C
Norman 6.01.05 6.01.00 2009-05-08 4.00 -
Panda 9.05.01 2009.05.10 2009-05-10 1.57 -
Trend Micro 8.700-1004 6.120.35 2009-05-10 0.03 -
Quick Heal 10.00 2009.05.09 2009-05-09 1.21 -
Rising 20.0 21.28.62.00 2009-05-10 0.95 -
Sophos 2.86.0 4.41 2009-05-11 2.29 -
Sunbelt 5128 5128 2009-05-08 0.67 -
Symantec 1.3.0.24 20090510.003 2009-05-10 0.17 -
nProtect 20090510.01 3595619 2009-05-10 5.13 -
The Hacker 6.3.4.1 v00324 2009-05-09 1.07 -
VBA32 3.12.10.4 20090509.1027 2009-05-09 1.95 -
VirusBuster 4.5.11.10 10.105.22/1344615 2009-05-10 1.65 -

Only one result. Just for comparison's sake, here are the results of the one you had me scan earlier (C:\Windows\system32\dllcache\userinit.exe)...

VirSCAN.org Scanned Report :
Scanned time : 2009/05/10 17:30:55 (CDT)
Scanner results: 74% Scanner(28/38) found malware!
File Name : userinit.exe
File Size : 104960 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 377d30af393874b63e4c9029f304e693
SHA1 : 4eb36aacbdedd78d4d283a9b8e872c15975cf541
Online report : http://virscan.org/r...a7fc6048c0.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090510154251 2009-05-10 5.50 Trojan.Crypt!IK
AhnLab V3 2009.05.10.00 2009.05.10 2009-05-10 0.67 Win-Trojan/Agent.104960.CM
AntiVir 8.2.0.166 7.1.3.179 2009-05-10 0.42 TR/Crypt.XPACK.Gen
Antiy 2.0.18 20090510.2386484 2009-05-10 0.12 Trojan/Win32.Agent.cedh
Arcavir 2009 200905101202 2009-05-10 0.04 Trojan.Agent.Cemi
Authentium 5.1.1 200905102017 2009-05-10 1.10 -
AVAST! 4.7.4 090505-0 2009-05-05 0.01 Win32:Trojan-gen {Other}
AVG 8.5.286 270.12.24/2107 2009-05-10 3.22 Win32/Cryptor
BitDefender 7.81008.2902637 7.25322 2009-05-11 2.70 -
CA (VET) 9.0.0.143 31.6.6496 2009-05-09 7.21 Win32/FakeAlert.AHZ trojan.
ClamAV 0.95 9349 2009-05-09 0.02 -
Comodo 3.8 1157 2009-05-08 0.67 TrojWare.Win32.Agent.cemi
CP Secure 1.1.0.715 2009.05.10 2009-05-10 8.94 -
Dr.Web 4.44.0.9170 2009.05.10 2009-05-10 4.48 Trojan.DownLoad.33511
F-Prot 4.4.4.56 20090510 2009-05-10 1.09 -
F-Secure 5.51.6100 2009.05.09.02 2009-05-09 0.06 Trojan.Win32.Agent.cemi [AVP]
Fortinet 2.81-3.117 10.375 2009-05-10 0.25 PossibleThreat
GData 19.5141/19.326 20090510 2009-05-10 4.49 Trojan.Win32.Agent.cemi [Engine:A]
ViRobot 20090509 2009.05.09 2009-05-09 0.87 -
Ikarus T3.1.01.49 2009.05.10.72695 2009-05-10 2.83 Trojan.Crypt
JiangMin 11.0.706 2009.05.10 2009-05-10 5.58 Trojan/Agent.cikw
Kaspersky 5.5.10 2009.05.10 2009-05-10 0.04 Trojan.Win32.Agent.cemi
KingSoft 2009.2.5.15 2009.5.10.21 2009-05-10 4.18 Win32.Troj.Agent.104960
McAfee 5.3.00 5611 2009-05-10 2.86 FakeAlert-CK
Microsoft 1.4602 2009.05.10 2009-05-10 8.12 Trojan:Win32/Fakeinit
mks_vir 2.01 2009.05.11 2009-05-11 2.76 -
Norman 6.01.05 6.01.00 2009-05-08 4.01 W32/Smalltroj.dam
Panda 9.05.01 2009.05.10 2009-05-10 2.52 Adware/AntivirusXPPro
Trend Micro 8.700-1004 6.120.35 2009-05-10 0.02 TROJ_FAKEINIT.U
Quick Heal 10.00 2009.05.09 2009-05-09 1.20 Trojan.Agent.cemi
Rising 20.0 21.28.62.00 2009-05-10 1.67 Trojan.Win32.FakeInit.a
Sophos 2.86.0 4.41 2009-05-11 2.28 Mal/FakeVirPk-A
Sunbelt 5128 5128 2009-05-08 0.88 -
Symantec 1.3.0.24 20090510.003 2009-05-10 0.08 Trojan.Fakeavalert
nProtect 20090510.01 3595619 2009-05-10 11.02 -
The Hacker 6.3.4.1 v00324 2009-05-09 1.42 Trojan/Agent.cehk
VBA32 3.12.10.4 20090509.1027 2009-05-09 3.25 Trojan.Win32.Agent.cemi
VirusBuster 4.5.11.10 10.105.22/1344615 2009-05-10 1.68 -

As for ComboFix, I'm still getting the same error I always get. :)

So yeah, the one in dllcache is definitely bad... I can't even right-click the file or else avast! goes nuts with virus warnings.
  • 0
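Added example, not part of the thread and not VirSCAN.org's own code: a small Python parser for the VirSCAN.org report format posted above, used to compare the two userinit.exe copies discussed in posts #25 and #29. Windows File Protection restores files in system32 from the dllcache copy, so a trojaned dllcache\userinit.exe re-infects a freshly replaced binary, which is why hashing both copies and comparing their detection counts is the check worth doing. The two report strings are constructed samples abridged from the results posted above (header fields and the engine rows shown are copied from the posts; most of the 38 engine rows are omitted, so the ratios are over the rows included, not over all 38). `Report`, `parse_report`, `compare_copies`, `verdicts_matching` and `digests_of` are names chosen for this example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample input: two VirSCAN.org-style reports abridged from the
# results posted in this thread. Header fields and the rows shown are copied
# from the posts; the other engine rows are omitted, so ratios are over 8 rows.
REPORT_SYSTEM32 = """\
VirSCAN.org Scanned Report :
File Name : userinit.exe
File Size : 22016 byte
MD5 : e931e0a2b8bf0019db902e98d03662cb
SHA1 : 13bb65053ee54ae66cad52acf5a15d12cfe1c1c7

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090510154251 2009-05-10 1.95 -
AhnLab V3 2009.05.10.00 2009.05.10 2009-05-10 0.68 -
CA (VET) 9.0.0.143 31.6.6496 2009-05-09 10.21 -
Kaspersky 5.5.10 2009.05.10 2009-05-10 0.08 -
McAfee 5.3.00 5611 2009-05-10 2.87 -
Microsoft 1.4602 2009.05.10 2009-05-10 7.47 -
mks_vir 2.01 2009.05.11 2009-05-11 2.77 Trojan.Exploit.Iis.Printeroverflow.C
Trend Micro 8.700-1004 6.120.35 2009-05-10 0.03 -
"""
REPORT_DLLCACHE = """\
VirSCAN.org Scanned Report :
File Name : userinit.exe
File Size : 104960 byte
MD5 : 377d30af393874b63e4c9029f304e693
SHA1 : 4eb36aacbdedd78d4d283a9b8e872c15975cf541

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090510154251 2009-05-10 5.50 Trojan.Crypt!IK
AhnLab V3 2009.05.10.00 2009.05.10 2009-05-10 0.67 Win-Trojan/Agent.104960.CM
CA (VET) 9.0.0.143 31.6.6496 2009-05-09 7.21 Win32/FakeAlert.AHZ trojan.
Kaspersky 5.5.10 2009.05.10 2009-05-10 0.04 Trojan.Win32.Agent.cemi
McAfee 5.3.00 5611 2009-05-10 2.86 FakeAlert-CK
Microsoft 1.4602 2009.05.10 2009-05-10 8.12 Trojan:Win32/Fakeinit
mks_vir 2.01 2009.05.11 2009-05-11 2.76 -
Trend Micro 8.700-1004 6.120.35 2009-05-10 0.02 TROJ_FAKEINIT.U
"""

HEADER_RE = re.compile(r"^(File Name|File Size|MD5|SHA1)\s*:\s*(.+?)\s*$")
# Engine names and verdicts may contain spaces, so anchor on the ISO sig date.
ROW_RE = re.compile(
    r"^(?P<engine>.+?)\s+(?P<engine_ver>\S+)\s+(?P<sig_ver>\S+)\s+"
    r"(?P<sig_date>\d{4}-\d{2}-\d{2})\s+(?P<seconds>\d+\.\d+)\s+(?P<result>.+?)\s*$"
)

@dataclass
class Report:
    file_name: str
    size: int
    md5: str
    sha1: str
    engines: int = 0                                  # engine rows parsed
    detections: dict = field(default_factory=dict)    # engine -> verdict

def parse_report(text: str) -> Report:
    """Parse the header fields and the per-engine rows; '-' means no detection."""
    fields, detections, engines = {}, {}, 0
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
            continue
        r = ROW_RE.match(line)
        if r:
            engines += 1
            if r.group("result") != "-":
                detections[r.group("engine")] = r.group("result")
    return Report(fields["File Name"], int(fields["File Size"].split()[0]),
                  fields["MD5"].lower(), fields["SHA1"].lower(), engines, detections)

def detection_ratio(report: Report) -> float:
    return len(report.detections) / report.engines if report.engines else 0.0

def verdicts_matching(report: Report, needle: str) -> int:
    """Count verdicts containing needle (case-insensitive): vendor agreement on a
    family ('fake' for rogue AV here) means more than any single engine's label."""
    return sum(1 for v in report.detections.values() if needle.lower() in v.lower())

def digests_of(data: bytes) -> dict:
    """MD5/SHA1 as VirSCAN prints them, for hashing a copy pulled from the XP CD."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def compare_copies(system32: Report, dllcache: Report) -> dict:
    """Windows File Protection restores system32 from dllcache, so a trojaned
    dllcache copy re-infects a freshly replaced binary: both must be identical."""
    r32, rcache = detection_ratio(system32), detection_ratio(dllcache)
    return {
        "same_binary": system32.md5 == dllcache.md5 and system32.sha1 == dllcache.sha1,
        "size_delta": dllcache.size - system32.size,
        "ratio_system32": r32,
        "ratio_dllcache": rcache,
        "suspect": None if r32 == rcache else ("dllcache" if rcache > r32 else "system32"),
    }

if __name__ == "__main__":
    print(compare_copies(parse_report(REPORT_SYSTEM32), parse_report(REPORT_DLLCACHE)))
```

On a live machine, the same comparison is done by feeding `parse_report` the full reports for C:\WINDOWS\system32\userinit.exe and C:\WINDOWS\system32\dllcache\userinit.exe, and `digests_of` on the bytes of the userinit.exe taken from the install CD tells you whether the copy you restored still matches the known-good one after the next reboot. A single hit on the system32 copy against dozens of clean verdicts reads as a likely false positive; several vendors independently naming a "Fake"/rogue-AV family on the dllcache copy, together with a different hash and a much larger file, is the pattern that matters.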

#30 fireflypdp (Member, Topic Starter, 23 posts)
Also, according to file details, the one in dllcache was last modified on May 2nd, which is the day I think I first got infected.
  • 0