Hi,
I am posting the result of a Malwarebytes scan. I have done it a few times over the last week or so, and these 2 Trojan.Agent entries reappear. I clean and remove them with Malwarebytes, but they appear again at my next scan.

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

How can I get rid of them once and for all... or is it not necessary to touch them?
Thanks
George
p.s. I am running Win XP Pro SP3

Userinit is normally a value [name] in the Winlogon key, and not a subkey of Winlogon. Its data entry would be C:\Windows\system32\userinit.exe
Could you export and post that Winlogon key please [before you rerun MBAM]?

Hi,
This is the HijackThis report; I do not know how to post the Winlogon info you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:08 AM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

--
End of file - 1354 bytes

This will get the Winlogon key for us:
==Please copy the text in the box to Notepad [Format/Word Wrap unchecked] and save it as showkey.bat on your desktop; double-click it to run it, then post the file C:\showkey.txt

rem Dump the Winlogon key and all of its subkeys (/s) to a text file
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s >>C:\showkey.txt
rem Open the dump in Notepad, then wait so the console window stays visible
start C:\showkey.txt
pause

Post the notepad that opens.

Also:
temporarily disable System Restore
reboot
run malwarebytes
reboot
re-enable system restore
reboot yet again
check again with malwarebytes

Trojans can keep reappearing because they can hide in the System Restore folder.

I hope this is what you needed?


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
DefaultDomainName REG_SZ GEORGE-6JXTPIR4
DefaultUserName REG_SZ George
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD 0xffffffff
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0x0
passwordexpirywarning REG_DWORD 0xe
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 0x1
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 0x1
Background REG_SZ 0 0 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0x0
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 0x1
ShowLogonOptions REG_DWORD 0x0
AltDefaultUserName REG_SZ George
AltDefaultDomainName REG_SZ GEORGE-6JXTPIR4
AutoAdminLogon REG_SZ 0
System REG_SZ
ChangePasswordUseKerberos REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}
<NO NAME> REG_SZ Wireless
DllName REG_EXPAND_SZ gptext.dll
NoGPOListChanges REG_DWORD 0x1
NoUserPolicy REG_DWORD 0x1
ProcessGroupPolicy REG_SZ ProcessWIRELESSPolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}
<NO NAME> REG_SZ Folder Redirection
ProcessGroupPolicyEx REG_SZ ProcessGroupPolicyEx
DllName REG_EXPAND_SZ fdeploy.dll
NoMachinePolicy REG_DWORD 0x1
NoSlowLink REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x0
NoBackgroundPolicy REG_DWORD 0x0
GenerateGroupPolicy REG_SZ GenerateGroupPolicy
EventSources REG_MULTI_SZ (Folder Redirection,Application)\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}
<NO NAME> REG_SZ Microsoft Disk Quota
NoMachinePolicy REG_DWORD 0x0
NoUserPolicy REG_DWORD 0x1
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x0
RequiresSuccessfulRegistry REG_DWORD 0x1
EnableAsynchronousProcessing REG_DWORD 0x0
DllName REG_EXPAND_SZ dskquota.dll
ProcessGroupPolicy REG_SZ ProcessGroupPolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}
<NO NAME> REG_SZ QoS Packet Scheduler
ProcessGroupPolicy REG_SZ ProcessPSCHEDPolicy
DllName REG_EXPAND_SZ gptext.dll
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}
<NO NAME> REG_SZ Scripts
ProcessGroupPolicy REG_SZ ProcessScriptsGroupPolicy
ProcessGroupPolicyEx REG_SZ ProcessScriptsGroupPolicyEx
GenerateGroupPolicy REG_SZ GenerateScriptsGroupPolicy
DllName REG_EXPAND_SZ gptext.dll
NoSlowLink REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
NotifyLinkTransition REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}
<NO NAME> REG_SZ Internet Explorer Zonemapping
DllName REG_EXPAND_SZ iedkcs32.dll
ProcessGroupPolicy REG_SZ ProcessGroupPolicyForZoneMap
NoGPOListChanges REG_DWORD 0x1
RequiresSucessfulRegistry REG_DWORD 0x1
DisplayName REG_EXPAND_SZ @iedkcs32.dll,-3051

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy REG_SZ SceProcessSecurityPolicyGPO
GenerateGroupPolicy REG_SZ SceGenerateGroupPolicy
ExtensionRsopPlanningDebugLevel REG_DWORD 0x1
ProcessGroupPolicyEx REG_SZ SceProcessSecurityPolicyGPOEx
ExtensionDebugLevel REG_DWORD 0x1
DllName REG_EXPAND_SZ scecli.dll
<NO NAME> REG_SZ Security
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
EnableAsynchronousProcessing REG_DWORD 0x1
MaxNoGPOListChangesInterval REG_DWORD 0x3c0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
ProcessGroupPolicyEx REG_SZ ProcessGroupPolicyEx
GenerateGroupPolicy REG_SZ GenerateGroupPolicy
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
DllName REG_SZ iedkcs32.dll
<NO NAME> REG_SZ Internet Explorer Branding
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x0
NoGPOListChanges REG_DWORD 0x1
NoMachinePolicy REG_DWORD 0x1
DisplayName REG_EXPAND_SZ @iedkcs32.dll,-3014

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy REG_SZ SceProcessEFSRecoveryGPO
DllName REG_EXPAND_SZ scecli.dll
<NO NAME> REG_SZ EFS recovery
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
RequiresSuccessfulRegistry REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}
<NO NAME> REG_SZ 802.3 Group Policy
DisplayName REG_EXPAND_SZ @dot3gpclnt.dll,-100
ProcessGroupPolicyEx REG_SZ ProcessLANPolicyEx
GenerateGroupPolicy REG_SZ GenerateLANPolicy
DllName REG_EXPAND_SZ dot3gpclnt.dll
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}
<NO NAME> REG_SZ Microsoft Offline Files
DllName REG_EXPAND_SZ %SystemRoot%\System32\cscui.dll
EnableAsynchronousProcessing REG_DWORD 0x0
NoBackgroundPolicy REG_DWORD 0x0
NoGPOListChanges REG_DWORD 0x0
NoMachinePolicy REG_DWORD 0x0
NoSlowLink REG_DWORD 0x0
NoUserPolicy REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x0
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
RequiresSuccessfulRegistry REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
<NO NAME> REG_SZ Software Installation
DllName REG_EXPAND_SZ appmgmts.dll
ProcessGroupPolicyEx REG_SZ ProcessGroupPolicyObjectsEx
GenerateGroupPolicy REG_SZ GenerateGroupPolicy
NoBackgroundPolicy REG_DWORD 0x0
RequiresSucessfulRegistry REG_DWORD 0x0
NoSlowLink REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x1
EventSources REG_MULTI_SZ (Application Management,Application)\0(MsiInstaller,Application)\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}
<NO NAME> REG_SZ IP Security
ProcessGroupPolicy REG_SZ ProcessIPSECPolicy
DllName REG_EXPAND_SZ gptext.dll
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ crypt32.dll
Logoff REG_SZ ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ cryptnet.dll
Logoff REG_SZ CryptnetWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
DLLName REG_SZ cscdll.dll
Logon REG_SZ WinlogonLogonEvent
Logoff REG_SZ WinlogonLogoffEvent
ScreenSaver REG_SZ WinlogonScreenSaverEvent
Startup REG_SZ WinlogonStartupEvent
Shutdown REG_SZ WinlogonShutdownEvent
StartShell REG_SZ WinlogonStartShellEvent
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy
Asynchronous REG_DWORD 0x1
DllName REG_EXPAND_SZ %SystemRoot%\System32\dimsntfy.dll
Startup REG_SZ WlDimsStartup
Shutdown REG_SZ WlDimsShutdown
Logon REG_SZ WlDimsLogon
Logoff REG_SZ WlDimsLogoff
StartShell REG_SZ WlDimsStartShell
Lock REG_SZ WlDimsLock
Unlock REG_SZ WlDimsUnlock

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
DLLName REG_SZ wlnotify.dll
Logon REG_SZ SCardStartCertProp
Logoff REG_SZ SCardStopCertProp
Lock REG_SZ SCardSuspendCertProp
Unlock REG_SZ SCardResumeCertProp
Enabled REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
StartShell REG_SZ SchedStartShell
Logoff REG_SZ SchedEventLogOff

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Logoff REG_SZ WLEventLogoff
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1
DllName REG_EXPAND_SZ sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
DLLName REG_SZ WlNotify.dll
Lock REG_SZ SensLockEvent
Logon REG_SZ SensLogonEvent
Logoff REG_SZ SensLogoffEvent
Safe REG_DWORD 0x1
MaxWait REG_DWORD 0x258
StartScreenSaver REG_SZ SensStartScreenSaverEvent
StopScreenSaver REG_SZ SensStopScreenSaverEvent
Startup REG_SZ SensStartupEvent
Shutdown REG_SZ SensShutdownEvent
StartShell REG_SZ SensStartShellEvent
PostShell REG_SZ SensPostShellEvent
Disconnect REG_SZ SensDisconnectEvent
Reconnect REG_SZ SensReconnectEvent
Unlock REG_SZ SensUnlockEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
Logoff REG_SZ TSEventLogoff
Logon REG_SZ TSEventLogon
PostShell REG_SZ TSEventPostShell
Shutdown REG_SZ TSEventShutdown
StartShell REG_SZ TSEventStartShell
Startup REG_SZ TSEventStartup
MaxWait REG_DWORD 0x258
Reconnect REG_SZ TSEventReconnect
Disconnect REG_SZ TSEventDisconnect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
EulaAccepted REG_DWORD 0x0
Logon REG_SZ WLEventLogon
Logoff REG_SZ WLEventLogoff
Startup REG_SZ WLEventStartup
Shutdown REG_SZ WLEventShutdown
StartScreenSaver REG_SZ WLEventStartScreenSaver
StopScreenSaver REG_SZ WLEventStopScreenSaver
Lock REG_SZ WLEventLock
Unlock REG_SZ WLEventUnlock
StartShell REG_SZ WLEventStartShell
PostShell REG_SZ WLEventPostShell
Disconnect REG_SZ WLEventDisconnect
Reconnect REG_SZ WLEventReconnect
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x0
SafeMode REG_DWORD 0x1
MaxWait REG_DWORD 0xffffffff
DllName REG_EXPAND_SZ WgaLogon.dll
Event REG_DWORD 0x0
InstallEvent REG_SZ 1.8.0031.9

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
DLLName REG_SZ wlnotify.dll
Logon REG_SZ RegisterTicketExpiredNotificationEvent
Logoff REG_SZ UnregisterTicketExpiredNotificationEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
HelpAssistant REG_DWORD 0x0
TsInternetUser REG_DWORD 0x0
SQLAgentCmdExec REG_DWORD 0x0
NetShowServices REG_DWORD 0x0
IWAM_ REG_DWORD 0x10000
IUSR_ REG_DWORD 0x10000
VUSR_ REG_DWORD 0x10000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials


Yep. Here in the last line of this block is the correct entry for userinit.exe:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
DefaultDomainName REG_SZ GEORGE-6JXTPIR4
DefaultUserName REG_SZ George
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

Unfortunately the key that your MBAM keeps finding and removing "...CurrentVersion\Winlogon\Userinit" is not there, meaning that it has not re-occurred since last removed.
Do you have a file: \Windows\system32\ntos.exe?
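As an added example (not code from the thread or from any of the tools mentioned in it), here is a small Python checker that reads the kind of `reg query ... /s` dump showkey.bat produces and compares the Winlogon Userinit and Shell values against their XP defaults, reporting any appended entry (such as the ntos.exe asked about above) or a stray Winlogon\Userinit subkey. The two dumps embedded in it are constructed: one mirrors the clean values George posted, the other is a hypothetical hijacked case.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Known-good Windows XP defaults (lower-cased for comparison). Both values are
# comma-separated lists and Winlogon starts every entry at logon, so anything
# appended after the default runs at every logon and deserves a close look.
EXPECTED = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

# "Name<ws>REG_TYPE<ws>data" as printed by REG.EXE; the data part may be empty.
VALUE_RE = re.compile(r"^(<NO NAME>|\S+)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query /s` output."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # blank line or "! REG.EXE VERSION" banner
            continue
        if line.upper().startswith("HKEY_"):
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.group(1), m.group(2), m.group(3) or ""
            keys[current][name] = (vtype, data.strip())
    return keys


def _entries(data):
    """Split a comma-separated Winlogon value into normalised path entries."""
    return {e.strip().lower() for e in data.split(",") if e.strip()}


def check_winlogon(text):
    """Return a list of findings; an empty list means nothing looked off."""
    keys = parse_reg_query(text)
    top = keys.get(WINLOGON)
    if top is None:
        return ["Winlogon key not present in the dump"]
    findings = []
    for name, expected in EXPECTED.items():
        match = next((v for v in top if v.lower() == name), None)
        if match is None:
            findings.append(f"{name}: value missing")
            continue
        actual = _entries(top[match][1])
        if actual - expected:
            findings.append(f"{name}: unexpected entries {sorted(actual - expected)}")
        if expected - actual:
            findings.append(f"{name}: default entry missing {sorted(expected - actual)}")
    # A *subkey* called Userinit is not a normal part of Winlogon; flag one if present.
    for key in keys:
        if key.lower() == (WINLOGON + r"\userinit").lower():
            findings.append("subkey Winlogon\\Userinit exists (not a standard subkey)")
    return findings


# Constructed sample 1: the clean values from the dump posted in this thread.
CLEAN_DUMP = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    LegalNoticeCaption    REG_SZ
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    DLLName    REG_SZ    cscdll.dll
"""

# Constructed sample 2: a hypothetical hijacked machine with an appended
# Userinit entry and a bogus Winlogon\Userinit subkey.
HIJACKED_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
"""

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN_DUMP), ("hijacked", HIJACKED_DUMP)):
        print(label, check_winlogon(dump) or ["no findings"])
```

To check a real machine, feed it the contents of C:\showkey.txt instead of the embedded samples.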

I think that there is another file being referenced in that trojan Userinit key; it is a rootkit and so is hidden. Possibly.
Please:
==Download [with IE only!!] the latest standalone version of Blacklight from ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe - Start it, accept the agreement and Scan.
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it, double-click the ComboFix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

Before you do anything, make sure you back up your registry, and if the following is successful, you should delete that registry backup.
What you should try is downloading SpyHunter's malware scanner and having it try to remove the Trojan.Agent files. It is the most successful, but there is still no guarantee. Also, try using Spybot Search & Destroy.

Hi,
When ComboFix was running, a message came up that I did not have the "Windows Recovery Console" on my machine and asked whether I wanted to download it. I said "No" and the scan continued.
Here are the F-Secure scan and the ComboFix logs... thanks


12/04/08 11:05:00 [Info]: BlackLight Engine 2.2.1092 initialized
12/04/08 11:05:00 [Info]: OS: 5.1 build 2600 (Service Pack 3)
12/04/08 11:05:00 [Note]: 7019 4
12/04/08 11:05:00 [Note]: 7005 0
12/04/08 11:05:05 [Note]: 7006 0
12/04/08 11:05:05 [Note]: 7011 1568
12/04/08 11:05:06 [Note]: 7035 0
12/04/08 11:05:06 [Note]: 7026 0
12/04/08 11:05:06 [Note]: 7026 0
12/04/08 11:05:08 [Note]: FSRAW library version 1.7.1024
12/04/08 12:49:31 [Note]: 7007 0

ComboFix 08-12-03.04 - George 2008-12-04 12:57:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.522 [GMT -5:00]
Running from: c:\documents and settings\George.GEORGE-6JXTPIR4\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3
c:\temp\vtmp2
c:\temp\vtmp2\ktnv33.log
c:\windows\system32\amrdinav.ini
c:\windows\system32\grouppolicy\machine\scripts\scripts.ini
c:\windows\Tasks\djbmupyn.job

----- BITS: Possible infected sites -----

hxxp://auf-jeder.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-04 09:48 . 2008-12-04 09:48 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-04 09:48 . 2008-12-04 09:48 <DIR> d-------- c:\program files\Adobe Media Player
2008-12-03 18:40 . 2008-07-14 05:09 212,728 --a------ c:\windows\CMDLIC.DLL
2008-12-03 18:40 . 2008-07-14 05:09 205,560 --a------ c:\windows\UNBOC.EXE
2008-12-03 18:40 . 2008-04-13 19:12 22,528 --a------ c:\windows\system32\wsock32.dlb
2008-12-03 18:39 . 2008-12-03 21:14 <DIR> d-------- c:\program files\Comodo
2008-12-03 06:14 . 2008-12-03 06:21 <DIR> d-------- c:\program files\SpeedBit Video Accelerator
2008-12-03 06:14 . 2008-12-03 06:14 172,032 --a------ c:\windows\system32\AniGIF.ocx
2008-12-02 20:13 . 2008-12-02 20:13 <DIR> d-------- c:\program files\Windows Defender
2008-11-30 18:12 . 2008-11-30 18:12 <DIR> d-------- c:\windows\system32\unknown
2008-11-28 06:58 . 2008-04-13 19:12 26,112 --a------ c:\windows\system32\stu2.exe
2008-11-26 20:09 . 2008-11-26 20:09 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-26 20:07 . 2008-11-26 20:50 <DIR> d-------- c:\program files\Sony Ericsson
2008-11-22 13:21 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-11-22 13:21 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-11-22 13:14 . 2008-11-22 13:14 <DIR> d-------- c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Sunbelt
2008-11-22 13:14 . 2008-11-22 13:14 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Sunbelt
2008-11-22 13:13 . 2008-10-09 10:21 202,928 --a------ c:\windows\system32\drivers\sbtis.sys
2008-11-22 13:12 . 2008-11-22 13:12 <DIR> d-------- c:\program files\Sunbelt Software
2008-11-22 11:37 . 2008-11-22 11:19 26,112 --a------ c:\windows\system32\iiffEvWP.dll.vir
2008-11-22 08:10 . 2008-11-22 08:10 <DIR> d-------- c:\program files\Webroot
2008-11-22 08:10 . 2008-11-22 08:10 <DIR> d-------- c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Webroot
2008-11-15 13:29 . 2008-11-15 13:29 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-15 13:29 . 2007-09-04 11:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-11-15 08:21 . 2008-11-15 08:21 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-15 08:21 . 2008-11-15 08:21 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-15 08:02 . 2008-11-15 08:04 <DIR> d-------- c:\program files\WhatsRunning
2008-11-13 05:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 05:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 15:37 . 2008-10-03 12:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-09 15:37 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-09 15:37 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-09 15:37 . 2008-08-26 02:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-09 15:37 . 2008-08-26 02:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-09 15:37 . 2008-08-26 02:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-09 15:37 . 2008-08-26 02:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-09 15:37 . 2008-08-26 02:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-09 15:37 . 2008-08-25 03:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-09 00:00 . 2008-12-04 07:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 00:00 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 00:00 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-08 15:01 . 2008-11-08 15:01 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-11-08 14:55 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-11-05 11:46 . 2008-11-05 12:03 <DIR> d-------- c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 22:10 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-12-03 00:07 --------- d-----w c:\program files\Trojan Remover
2008-12-02 10:18 --------- d-----w c:\program files\MSECACHE
2008-11-28 11:58 10,752 ----a-w c:\windows\system32\userinit.exe
2008-11-19 11:28 --------- d-----w c:\program files\IrfanView
2008-11-02 20:12 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2008-10-30 02:23 124 ----a-w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\netstat.bat
2008-10-28 21:28 65,320 ----a-w c:\windows\system32\sbbd.exe
2008-10-26 14:57 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Image Zone Express
2008-10-26 03:11 --------- d-----w c:\program files\MSXML 4.0
2008-10-24 20:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 09:09 92,464 ----a-w c:\windows\system32\drivers\SBREDrv.sys
2008-10-20 09:56 0 ----a-w C:\jfidoj.exe
2008-10-19 16:00 34,816 ----a-w c:\windows\system32\BGData.bin
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-12 17:50 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Lavasoft
2008-10-11 17:10 --------- d-----w c:\program files\CCleaner
2008-10-11 16:46 --------- d-----w c:\documents and settings\Default User.WINDOWS\Application Data\DivX
2008-10-10 22:26 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Uniblue
2008-10-10 11:29 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Matrox
2008-10-08 10:46 --------- d-----w c:\program files\Free Window Registry Repair
2008-10-06 20:02 --------- d-----w c:\program files\QuickTime
2008-10-06 20:00 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-05-30 18:37 97,916 ----a-w c:\program files\dxupdate.cab
2008-05-30 18:36 4,165,878 ----a-w c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 18:36 13,267,416 ----a-w c:\program files\dxnt.cab
2008-05-30 18:36 1,805,306 ----a-w c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 18:36 1,803,408 ----a-w c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 18:34 528,392 ----a-w c:\program files\DXSETUP.exe
2008-02-04 17:02 228,207 ----a-w c:\program files\address book.WAB
2008-02-03 18:48 54,784 --sha-w c:\program files\Thumbs.db
2007-08-01 21:12 1,156,096 ----a-w c:\program files\iview400_setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2008-10-28 955688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60bded7d

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc7unj0erbg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk SE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prunnet
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 14:49 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox Powerdesk]
--a------ 2008-10-13 17:28 684032 c:\windows\system32\PDesk\pdesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-21 15:39 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\DRIVERS\avgntmgr.sys [2008-10-22 22336]
R1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2008-10-22 45376]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-11-22 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-11-22 202928]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;"c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe" [2008-10-28 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-11-22 69168]
S1 streamm;streamm; []
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 SBRE;SBRE;\??\c:\windows\System32\drivers\SBREdrv.sys [2008-10-23 92464]
S3 UtilNT;UtilNT;\??\c:\windows\system32\drivers\UtilNT.sys [2008-10-09 5533]
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2008-12-02 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
MSConfigStartUp-MGA_CD_Install - F:\mgasetup.exe

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 13:02:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-12-04 13:07:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 18:06:55

Pre-Run: 10,620,186,624 bytes free
Post-Run: 11,501,821,952 bytes free

206 --- E O F --- 2008-12-03 23:28:19

0

OK,

Pls run Malware Bytes and Update it as well... and run it again.

Post the Malware Bytes log and also run hijackthis again and post a fresh log.

Thanks,

Cohen :)

0

Hi, geoss. Recovery Console takes up about 350Mb on your C: drive. It is a very worthwhile thing to have, especially if you do not have an installation cd.
Combofix warns about its absence and offers the facility of installing it cos sometimes combofix [or the user] goes haywire. 1/100 the odds....
Right. What is inside this folder, nothing? c:\windows\system32\unknown
This file is your ORIGINAL userinit.exe: c:\windows\system32\stu2.exe
-it was renamed to this by the malware. First, check that it is the MS file from its properties... vsn 5.1.2600.2180, size 24,576 bytes; in the Version tab, original filename should be USERINIT.EXE
-if this is all correct, rename it to userinit.exe
Right, you have a worm and a net traffic interceptor which was hidden by a rootkit.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
c:\windows\system32\iiffEvWP.dll.vir
C:\jfidoj.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc7unj0erbg]

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

Your Java is way out of date. Keep it updated for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.11 is current....
I use manual updates, check it when M$ comes around each month with security updates.
Now update and run MBAM, post that log plus a fresh hijackthis log, please.

0

Hi,
I am not sure I went to the right place, but I found the file "Stu2" in C:\Windows\System32, and this was the file version it said: 5.1.2600.5512 (xpsp.080413-2113) Size: 25.5 KB (26,112 bytes)
When you say to rename it to "userinit.exe" do I right click the file and click on Rename? Then type in userinit.exe?

I will be doing the scan and sending..thanks
George

Here is the ComboFix results. I did wanna say that I ran Trojan Remover program about 2 hours ago or so.....anyway:

ComboFix 08-12-04.04 - George 2008-12-04 22:44:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.559 [GMT -5:00]
Running from: c:\documents and settings\George.GEORGE-6JXTPIR4\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\George.GEORGE-6JXTPIR4\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\jfidoj.exe
c:\windows\system32\iiffEvWP.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\jfidoj.exe
c:\windows\system32\iiffEvWP.dll.vir

----- BITS: Possible infected sites -----

hxxp://79.143.177.12
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 22:08 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-12-04 22:08 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-12-04 22:06 . 2008-12-04 22:06 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Sunbelt
2008-12-04 22:05 . 2008-12-04 22:05 <DIR> d-------- c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Sunbelt
2008-12-04 22:04 . 2008-12-04 22:04 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-04 22:04 . 2008-10-09 10:21 202,928 --a------ c:\windows\system32\drivers\sbtis.sys
2008-12-04 14:51 . 2008-01-04 20:34 23,920 --a------ c:\windows\system32\drivers\sskbfd.sys
2008-12-03 18:40 . 2008-07-14 05:09 212,728 --a------ c:\windows\CMDLIC.DLL
2008-12-03 18:40 . 2008-07-14 05:09 205,560 --a------ c:\windows\UNBOC.EXE
2008-12-03 18:40 . 2008-04-13 19:12 22,528 --a------ c:\windows\system32\wsock32.dlb
2008-12-03 18:39 . 2008-12-03 21:14 <DIR> d-------- c:\program files\Comodo
2008-12-03 06:14 . 2008-12-03 06:21 <DIR> d-------- c:\program files\SpeedBit Video Accelerator
2008-12-03 06:14 . 2008-12-03 06:14 172,032 --a------ c:\windows\system32\AniGIF.ocx
2008-11-30 18:12 . 2008-11-30 18:12 <DIR> d-------- c:\windows\system32\unknown
2008-11-28 06:58 . 2008-12-04 22:34 26,112 --a------ c:\windows\system32\stu2.exe
2008-11-26 20:09 . 2008-11-26 20:09 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-26 20:07 . 2008-11-26 20:50 <DIR> d-------- c:\program files\Sony Ericsson
2008-11-22 08:10 . 2008-12-04 18:58 <DIR> d-------- c:\program files\Webroot
2008-11-15 13:29 . 2008-11-15 13:29 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-15 13:29 . 2007-09-04 11:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-11-15 08:21 . 2008-11-15 08:21 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-15 08:21 . 2008-11-15 08:21 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-15 08:02 . 2008-11-15 08:04 <DIR> d-------- c:\program files\WhatsRunning
2008-11-13 05:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 05:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 15:37 . 2008-10-03 12:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-09 15:37 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-09 15:37 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-09 15:37 . 2008-08-26 02:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-09 15:37 . 2008-08-26 02:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-09 15:37 . 2008-08-26 02:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-09 15:37 . 2008-08-26 02:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-09 15:37 . 2008-08-26 02:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-09 15:37 . 2008-08-25 03:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-09 00:00 . 2008-12-04 07:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 00:00 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 00:00 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-08 15:01 . 2008-11-08 15:01 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-11-05 11:46 . 2008-11-05 12:03 <DIR> d-------- c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 02:54 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-12-04 22:46 --------- d-----w c:\program files\Trojan Remover
2008-12-02 10:18 --------- d-----w c:\program files\MSECACHE
2008-11-19 11:28 --------- d-----w c:\program files\IrfanView
2008-11-02 20:12 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2008-10-30 02:23 124 ----a-w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\netstat.bat
2008-10-28 21:28 65,320 ----a-w c:\windows\system32\sbbd.exe
2008-10-26 14:57 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Image Zone Express
2008-10-26 03:11 --------- d-----w c:\program files\MSXML 4.0
2008-10-24 20:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 09:09 92,464 ----a-w c:\windows\system32\drivers\SBREDrv.sys
2008-10-19 16:00 34,816 ----a-w c:\windows\system32\BGData.bin
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-12 17:50 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Lavasoft
2008-10-11 17:10 --------- d-----w c:\program files\CCleaner
2008-10-11 16:46 --------- d-----w c:\documents and settings\Default User.WINDOWS\Application Data\DivX
2008-10-10 22:26 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Uniblue
2008-10-10 11:29 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Matrox
2008-10-08 10:46 --------- d-----w c:\program files\Free Window Registry Repair
2008-10-06 20:02 --------- d-----w c:\program files\QuickTime
2008-10-06 20:00 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-05-30 18:37 97,916 ----a-w c:\program files\dxupdate.cab
2008-05-30 18:36 4,165,878 ----a-w c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 18:36 13,267,416 ----a-w c:\program files\dxnt.cab
2008-05-30 18:36 1,805,306 ----a-w c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 18:36 1,803,408 ----a-w c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 18:34 528,392 ----a-w c:\program files\DXSETUP.exe
2008-02-04 17:02 228,207 ----a-w c:\program files\address book.WAB
2008-02-03 18:48 54,784 --sha-w c:\program files\Thumbs.db
2007-08-01 21:12 1,156,096 ----a-w c:\program files\iview400_setup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_13.05.30.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-05 01:16:46 1,887,080 ----a-w c:\windows\Downloaded Program Files\CONFLICT.3\FP_AX_CAB_INSTALLER.exe
+ 2008-10-05 01:16:46 1,887,080 ----a-w c:\windows\Downloaded Program Files\CONFLICT.4\FP_AX_CAB_INSTALLER.exe
+ 2008-10-05 01:16:46 1,887,080 ----a-w c:\windows\Downloaded Program Files\CONFLICT.5\FP_AX_CAB_INSTALLER.exe
+ 2008-10-05 01:16:46 1,887,080 ----a-w c:\windows\Downloaded Program Files\CONFLICT.6\FP_AX_CAB_INSTALLER.exe
- 2008-11-22 18:13:04 297,086 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\ARPPRODUCTICON.exe
+ 2008-12-05 03:04:30 297,086 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\ARPPRODUCTICON.exe
- 2008-11-22 18:13:04 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut2_339C927BB4B547F9804FDF51F01D2D57.exe
+ 2008-12-05 03:04:30 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut2_339C927BB4B547F9804FDF51F01D2D57.exe
- 2008-11-22 18:13:04 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut21_339C927BB4B547F9804FDF51F01D2D57.exe
+ 2008-12-05 03:04:30 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut21_339C927BB4B547F9804FDF51F01D2D57.exe
- 2008-11-29 20:30:12 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-05 02:36:58 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-29 20:30:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-05 02:36:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:12:38 26,112 -c--a-w c:\windows\system32\dllcache\userinit.exe
- 2008-12-04 14:46:42 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-12-05 03:13:34 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-11-28 11:58:19 10,752 ----a-w c:\windows\system32\userinit.exe
+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2008-10-28 955688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 14:49 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox Powerdesk]
--a------ 2008-10-13 17:28 684032 c:\windows\system32\PDesk\pdesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-21 15:39 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\DRIVERS\avgntmgr.sys [2008-10-22 22336]
R1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2008-10-22 45376]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-04 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-12-04 202928]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;"c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe" [2008-10-28 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-04 69168]
S1 streamm;streamm; []
S3 SBRE;SBRE;\??\c:\windows\System32\drivers\SBREdrv.sys [2008-10-23 92464]
S3 UtilNT;UtilNT;\??\c:\windows\system32\drivers\UtilNT.sys [2008-10-09 5533]
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2008-12-02 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 22:48:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3100)
c:\program files\Sunbelt Software\VIPRE\oehook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-12-04 22:53:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 03:53:07
ComboFix2.txt 2008-12-04 18:07:11

Pre-Run: 11,404,541,952 bytes free
Post-Run: 11,579,846,656 bytes free

213 --- E O F --- 2008-12-03 23:28:19

0

Geoss, yes, that version number 5.1.2600.5512 (xpsp.080413-2113) is for SP3. If you go back to system32\stu2.exe, in its properties > Version tab, you would also see its Original filename. It should be USERINIT.EXE - what is its filesize, to the exact byte?
Is the same information in system32\userinit.exe? What is its filesize, to the byte?
Now, we have to be careful here because the genuine file is protected by Windows File Protection System, and a counterfeit copy should have been automatically replaced. But the malware may have caused its own reworked version of userinit.exe to be placed into the cache also. It can do that by simply deleting the genuine copy in the cache. So:
-do you have this file: C:\Windows\Driver Cache\i386\SP3.cab
Let me know.

0

Now, we have to be careful here because the genuine file is protected by Windows File Protection System, and a counterfeit copy should have been automatically replaced. But the malware may have caused its own reworked version of userinit.exe to be placed into the cache also. It can do that by simply deleting the genuine copy in the cache. So:
-do you have this file: C:\Windows\Driver Cache\i386\SP3.cab
Let me know.

If you put in an XP cd with SP3 integrated while running SFC, it will check against the version from there

0

Hi, jb... I am wondering what the exact situation is with stu2.exe and userinit.exe. If userinit.exe is corrupted Combofix should have said so.
An XP cd with SP3 would make things so simple. But atm I hesitate to just use COPY to replace userinit.exe with stu2.exe. Geoss could still start into safe mode, though, if it failed.

Geoss, please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixui.bat to your desktop; dclick it to run.

COPY /Y c:\windows\system32\stu2.exe c:\windows\system32\userinit.exe

Restart your sys, and say how things are.

0

Hi,
I'll answer the first response first.

1. Yes, I do have the SP.3 cab (23,294 Kb) also have SP2.cab(21,724 kb)

2. In System 32 under properties the userinit.exe is 26, 112 bytes

3. In USERINIT.EXE in STU2, the size is 26, 112 bytes

will wait for reply to see if I should do the other things you said and post.
George

P.S. I did save the fixui.bat to the desktop, and when I double clicked, it flashed for a second a MS Dos type of screen, then returned to normal screen....don't know if it did anything????

0

Ok, Geoss.. SP2 userinit.exe filesize is 24576 bytes. But your SP3 userinit.exe filesize should be 26112 bytes. Check that the same file exists in your system32\dllcache directory [you will need to go to Tools > Folder options > View, and uncheck Hide Protected Operating System files..
Yes, when you ran that batch file all you would have seen is a small black cmd.exe window flash briefly. It copied stu2.exe into userinit.exe. So all is good.
This will give you a chance to see the cmd window as stu2.exe is deleted:
Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixui.bat to your desktop; dclick it to run.

DEL c:\windows\system32\stu2.exe
pause

Say how things are, and post a fresh hijackthis scan log, please.
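As an added example (my own code, not gerbil's and not part of this thread), here is a script that automates the two checks asked for in the posts above: whether the Winlogon\Userinit value holds anything besides the stock userinit.exe entry, and whether system32\userinit.exe matches the Windows File Protection copy in dllcache by size and hash. The stock value string, the SP2/SP3 sizes quoted in this thread, the extra registry entry and the stand-in files in the demo are assumptions or constructed for illustration; only the live registry reader touches a real system, and only on Windows.

```python
"""Added example, not from the thread: automate the two checks gerbil asks
for above. All sample values and files below are constructed for the demo."""
import hashlib
import os
import sys
import tempfile

# Stock Winlogon\Userinit data on Windows XP (the trailing comma is normal).
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# userinit.exe sizes in bytes, as stated in the thread.
KNOWN_SIZES = {"SP2": 24576, "SP3": 26112}


def audit_userinit_value(value_data):
    """Return the entries of a Userinit value that are not the stock one.

    Winlogon runs every comma-separated entry at logon, so an appended
    path here is the persistence the MBAM log in this thread reported."""
    suspicious = []
    for entry in value_data.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        norm = entry.lower().replace("%systemroot%", r"c:\windows")
        if norm != STOCK_USERINIT:
            suspicious.append(entry)
    return suspicious


def read_live_userinit():
    """Read HKLM\\...\\Winlogon\\Userinit on Windows; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        data, _type = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return data


def fingerprint(path):
    """(size in bytes, SHA-256 hex) of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def compare_with_dllcache(live_path, cache_path, expected_size):
    """Compare system32\\userinit.exe with the dllcache copy WFP restores from.

    Matching size alone is not proof: a patched binary can keep the size,
    so the hash must match too."""
    live_size, live_hash = fingerprint(live_path)
    cache_size, cache_hash = fingerprint(cache_path)
    return {
        "live_size": live_size,
        "cache_size": cache_size,
        "live_size_expected": live_size == expected_size,
        "identical": (live_size, live_hash) == (cache_size, cache_hash),
    }


def demo():
    """Run both checks on constructed data (no real userinit.exe involved)."""
    tmp = tempfile.mkdtemp()
    live_path = os.path.join(tmp, "userinit.exe")
    cache_path = os.path.join(tmp, "dllcache_userinit.exe")
    # Constructed stand-in of the right SP3 size; the cache copy is the same
    # bytes, the live copy has 4 bytes changed so the size still matches.
    genuine = b"MZ" + b"\0" * (KNOWN_SIZES["SP3"] - 2)
    patched = genuine[:-4] + b"XXXX"
    with open(cache_path, "wb") as f:
        f.write(genuine)
    with open(live_path, "wb") as f:
        f.write(patched)
    # Constructed registry data with an extra (made-up) entry appended.
    value = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\extra_example.exe,"
    return {
        "registry_extra": audit_userinit_value(value),
        "files": compare_with_dllcache(live_path, cache_path, KNOWN_SIZES["SP3"]),
    }


if __name__ == "__main__":
    print(demo())
```

On a real XP box you would pass `read_live_userinit()` to `audit_userinit_value` and point `compare_with_dllcache` at `C:\WINDOWS\system32\userinit.exe` and `C:\WINDOWS\system32\dllcache\userinit.exe` (dllcache is a protected system folder, so show hidden operating system files first, as gerbil notes). The demo deliberately keeps the tampered copy at the correct 26112 bytes so that the size check alone passes while the hash comparison fails.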

0

Hi,
Did as was instructed, but after double clicking the batch file it gave me a black screen with...paraphrasing:
Could not find c:\windows\system32\stu2.exe
'pauseDel' is not recognized as internal or external command, operable program or batch file.....................

when I checked system 32, I did not see a "Stu" file, but there was a userinit file.....I think that is good?
Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:06 PM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

--
End of file - 1326 bytes
Thanks,,,,,,george

0

Hi, George... I don't know how pauseDEL got into that last batch command... :) .. it should have had just pause as the second command. But no matter. And I did not see where stu2.exe got deleted in our procedure...
Any further occurrences of the two trojans?

0

Hi,
I ran Malwarebytes full scan this morning and No trojan.agent appeared.
Should i run it in safe mode with files "not hidden"? or anything else...
Thanks
George

0

I would be satisfied, george, with where you are at now. The hidden files thing is just a presentation option for explorer... it does not actually set attributes on a file that are not already there. Other pgms can see them. Do a quick scan in safe mode if you wish, but any keys present would be found in normal mode; you would be hoping to spot a rootkit only that had not started up.

0

Hi,
Did another scan last night and nothing appeared..thank you, again, very, very much. I really appreciate your time and effort!. Have a great day.
George

0

You are welcome, George.
Please go Start, Run, and type or paste in:
combofix /u
-this will remove combofix and its quarantine folder with malware contents.
