infected computer keeps getting re-infected (logs attached)

The computer is a Windows XP Home SP3 desktop. I've fixed an infection of "Antivirus 2009" (the rogue2008 one) using a combination of ComboFix and Malwarebytes, plus Spybot for good measure.

Computer got infected a second time, and I did the same.

Then last week it was infected for a third time. AVG 8 resident shield kept complaining about
avg resident shield alert
accessed file is infected
file name: c:\windows\system32\userinit.exe
process name: c:\windows\system32\winlogon.exe

Client was running Malwarebytes to no avail. I did an updated Malwarebytes quick scan and then a ComboFix. Afterward when I rebooted I no longer got the resident shield alert. I wanted to do updated full MBAM scans, Spybot scan, Ad-Aware scans, and also update Windows XP completely, but to save him money I told the guy how to do those himself, and I rebooted several times, and got no AVG resident shield alerts. I left.

At that point, when I left, I did a HijackThis log, which is attached as HJT-b.txt.

Now (the next day) he says he's getting the same infection notice from AVG Resident Shield regarding userinit.exe.

Can you guys look at the last HJT log I did (HJT-b.txt) and see if you can spot anything?

Obviously I'll try to get the guy to send me a current mbam log to add to this.


(He has teenage kids who might be reinfecting the computer, but if it's my failure to clean it I feel bad)

rpggamergirl Commented:
I wouldn't suggest SDFix at the moment... it hasn't been updated for over 5 months.

If you could please delete your version of combofix and download the latest version, there's a version newer than the one you have.

ComboFix log is showing an AWF infection (a file imposter which replaces a legit file with itself and moves the original to the bak folder). I haven't seen this infection in a while.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:

c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\QuickTime\bak\qttask.exe

3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

If you are cleaning the av2009.exe files, and the infected files from system32, chances are you haven't cleaned/restored a good copy of the userinit.exe inside c:\windows\system32....

If the file is not signed by MS (upon a right click), and not 24kb (on an SP2 and SP3 XP image) then it isn't the right one. Either get a good copy of it from c:\windows\system32\dllcache, or another working PC.....
Adam Leinss (Senior Desktop Engineer) Commented:
I don't see a log attached anywhere, but:

1. Load SpywareBlaster (free) to protect Internet Explorer

2. Make sure the PC is patched with all Microsoft updates, not just SP3

3. The teens should be running with standard user rights (not Administrators).  If this is not possible, a program such as SandboxIE might be needed to shield Internet Explorer from the rest of the system

4. I cringe every time I see AVG mentioned. A paid anti-virus program such as NOD32 or F-Secure might be a better option. Lots of workplaces have corporate licensing agreements with their AV provider with free home use provisions. He might want to check to see if that is the case where he works.

I swear by AVG, especially the corporate versions. But you will find debates like this all day long, which is the best, which one is the worst. Some people even still LOVE Symantec.......What works for one, doesn't always work for others......
Have him send you the latest combofix log and attach it here.

Sounds like he may be having a virut or sality file infectors and that's not very good. I usually suggest a reformat when dealing with virut infection (specially when it's been in the system for awhile).
Disable system restore
scan with avast
try scanning with quickheal total security 2009
You also need to set up a "Surf" account on that computer (Limited account - no privs) for the kid to go to his websites (which will remain unnamed).

Put a password on the Customer's account and tell him save some money (and frustration) by keeping his password private.
with reference to the deleted link above, you need to download or create a mini pe bootable CD with the below mentioned tools.
i.e. RegEditPE
If we can get the ComboFix log posted here, one of the Experts can write a script which will remove all of the infected files.
There is no need to manually search and delete any files.
dgrrr (Author) Commented:
Hmm, I kept attaching the files. I must be doing it wrong.

I also wonder why so many people respond with generic posts, not reading the original post, just copying and pasting a bunch of fixes that have already been done...

anyway - to you others -- I'll try attaching again here
dgrrr (Author) Commented:
Oops here's the rest...
your HijackThis log seems clean,
try the following
use something like ccleaner to clean all temps
then download and run SDfix in safe mode.
run ComboFix and Malwarebytes again.

repost all logs

a guide to using sdfix can be found here:

younghv Commented:
A couple of comments seem in order.

First of all - your HJT log is not "clean".
If nothing else, run the updates you told your customer to do (as mentioned in your first post). You're not saving anyone money by allowing this problem to continue, and good computer security always starts with OS/application updates.

Why is the Symantec 'LiveUpdate' service still running? It looks as though someone did an incomplete removal when they installed AVG.

Have you run any commands (such as from msconfig) to reduce the processes that run at startup?

More importantly, please take the time to look at the 'Profile' of the people offering you advice. Unlike many forums, EE allows anyone to post in any Zone - regardless of their lack of qualifications.

It is unfortunate, but true that we have way too many 'point-chasers' who jump into questions with their one-line crap about 'run this' - or worse - those who have created their multi-paragraph lists of instructions as macros, and then run around pasting the same cookie-cutter posts all over the place.

johnb6767 & rpggamergirl both have a long history of helping other Members and of giving their detailed attention - one question at a time.

You can safely ignore all the rest of the posts in the question (including mine).
I'll let rpggamergirl handle the scripting and be lazy....   :)

My original post was answered in your CF logfile......

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe

Still, you need to make sure that the current "c:\windows\system32\userinit.exe" is legit, signed by MS and around 21-24kb in size. If the infection actually copied an infected one to the DLLCache, then it will fool windows into thinking it is restoring a backup of a corrupted file.....
The userinit.exe from the DLLCache should be okay because Combofix will only replace a patched userinit.exe IF it finds a clean replacement.

If it doesn't find a clean copy, it has a built-in safety check and will modify the registry loading point from userinit to point to explorer.exe

As far as I know... if CF can't find a clean replacement.... we should see these entries(below) in the CF log.

c:\windows\system32\userinit.exe . . . is infected!!

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

dgrrr, I suggest you download the latest version of Combofix.

Thanks for that... You know me, I just don't like automated scripts deleting files, and restoring as well, without having a good set of HUMAN eyes on it.....

I'd be curious to see how it determines a userinit.exe is clean, by version, hash etc?
<<I'll let rpggamergirl handle the scripting and be lazy....   :)>>

I'll let her handle it - to make sure it is done right!
That stuff is way over my head.
dgrrr (Author) Commented:
OK, sorry for the long delay. I am going back to the client today because they have another infection.

Will try the above & get back to you!
You cannot simply walk away from an open question for several weeks and then expect everyone to automatically try to help when you finally decide to return.
Good luck with your problem, but I am unsubscribing.
dgrrr (Author) Commented:
Um, I'm not sure what you mean by "automatically"... I was unable to give you any more info because the user did not send me the updated log files as asked.

Anyway, I've just done a bunch of work and will post it below - and anyone who can give me advice on how the infection came or if it's gone, I will appreciate it.

I don't expect responses immediately, I just hope they come before the next time this guy gets another infection.
dgrrr (Author) Commented:
Got to computer, had a bunch of windows showing infection by
Antivirus System Pro
also ie6 redirected to this

had to rename all mbam & combofix executables to get them to work initially.

I couldn't do much till I did a new MBAM quick scan. Then had room to move.
Did a hjt scan
then Did the first combofix scan

rebooted to safe mode, did

rebooted, did second combofix scan
WITH THE CFSCRIPT.TXT item mentioned above

then did mbam quick scan again
then another hjt log

NOTE - would have done mbam full scans, but was concerned about customer expense

for same reason, instructing user to do
- updated spybot & 
- updated avg scans
- go to
           & update ie6 and all other updates
                 because he's not got xp sp3 yet or ie7
- also use mozilla firefox 3.0.10 instead of ie

There should be 2 posts after this - first one contains the BEFORE set of logs, the latter, the AFTER set of logs. But they were done in the order described above.
dgrrr (Author) Commented:
On second thought, here's the logs - I have numbered them and named them to go in order and be clear as to how they happened.
dgrrr (Author) Commented:
PS - All files (mbam installer, combofix, sdfix) were all new (downloaded the same day). Also when I left I had the user do FULL mbam scans in addition to the spybot & avg scans, and doing all microsoft updates. (XP sp3 and internet explorer updates were the next in the queue)
dgrrr (Author) Commented:
Forgive me guys - I screwed up the order of the attached files above. Also one came from a previous visit. I double checked and am reuploading now.  Sorry for the confusion.

Also, I forgot to add in my notes that I did replace userinit with a copy from my own xp machine.
rpggamergirl Commented:
I'm with younghv, we can't leave a question open for longer than 3 weeks as it will be considered abandoned.

<<<" and anyone who can give me advice on how the infection came or if it's gone, I will appreciate it.">>>

The system had a Vundo file infector which is now gone based on those logs.
The logs look clean.

But that system has a version of Java (j2re1.4.2_09) that is prone to all kinds of infection, especially Vundo infection, so until the user updates his Java to a later or the latest version the system is very vulnerable to infection. With Vundo, the system could get reinfected straightaway while using that version.

Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click "Remove".

Then Download and install the newest version from here:
<<<"I'd be curious to see how it determines a userinit.exe is clean, by version, hash etc?">>>

Sorry must've missed the alerts on posts before.
Your guess is as good as mine... I'd say the filesize, hash and other factors are among the ones that determined if userinit is infected.
dgrrr (Author) Commented:
rpggamergirl, I forwarded that info about java to the user, thanks, and I will research vundo & how it operates.

FYI the user sent me the following email about AVG finding infections after multiple scans. I'm assuming I can disregard the tracking cookies, right? But what about the HP patches files, do they look innocent to you?  Also, the user said in a separate email that the HP patches files had no option to be cleaned or moved, and that AVG was sometimes giving the msg: MOVED OBJECT IS BIGGER THAN THE ARCHIVE SIZE LIMIT, which I researched here at Experts Exchange, and told the user to manually delete the files - but you can see the result below)

These are the warnings that come up when running the AVG scan.

"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite";"Found Tracking cookie.Realmedia";"Healed"

"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"

These are the infections which seem to be growing in number. (And which don't show the option to clean or heal)

"D:\I386\drv\APP07399\App07399.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\I386\drv\APP07399\App07399.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"

When I try to locate the specific file to delete it, it keeps changing the location of where it is.  One minute it's located under D:\hp\  and other times it's under C:\hp\patches\51WW1ITG.  Or this one D:\I386\.  Not sure which ones are safe to delete as it says that it's a recovery file for the computer.

Almost sounds like Virut, which is a polymorphic file infector... Fun one to play with, finally got one in my hands and it was a DOOZIE, especially doing removals by hand......

<<<"I'd be curious to see how it determines a userinit.exe is clean, by version, hash etc?">>>

Go by the Signature, and the Date Modified. It should be 24-26kb in size, and with a date probably pre 2004 (2006 for sp3 I believe...)

If it is unsigned, then you are assured it is viral, no more questions....

HP Patches are usually in the form of an sp999999.exe format..... Plus if it is a valid patch, they can be downloaded again from



There shouldn't be an i386\DRV folder; if legit it would be "D:\I386\drW\APP07399\App07399.exe"
1 letter off......

Personally, I am not a fan of MBAM. I am a guy, as MBAM has been too unreliable (yes there are occasions where it finds more...). That's the problem with malware scanners. They are only as good as their updates.....No single scanner finds everything...... Even had ComboFix totally skip a rootkit once.... It happens...Still a great tool though....

I'll look at the logs as well, see if I can spot anything....


RootRepeal - Rootkit Detector

Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner.....

Go ahead and try Autoruns as well, and save an export of the scan as a .arn file, and upload it here please.....
Oh, and one last thing....

Talking about legit System files like userinit.exe....

Also, check svchost.exe, explorer.exe, logonui.exe and winlogon.exe, as those are some of the main ones that get targeted for infection.....
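As an added example (not code from the thread or from any tool it names), a PowerShell check for the system binaries the posts single out: it reports size, last-write time, Authenticode status and whether the live copy hashes identically to its dllcache backup, then checks the Winlogon Userinit value that ComboFix may redirect. It assumes an XP-style %SystemRoot%\system32\dllcache layout and the 21-26 KB userinit.exe size range given in the posts; XP system files are typically catalog-signed, so older PowerShell may report them as NotSigned, and sigverif or the dllcache comparison is the fallback there.

```powershell
# Added example, not from the thread. Assumed XP layout: live copies in
# %SystemRoot%\system32 (explorer.exe in %SystemRoot%), backups in dllcache.
$system32 = Join-Path $env:SystemRoot 'system32'
$dllcache = Join-Path $system32 'dllcache'
$targets  = 'userinit.exe', 'winlogon.exe', 'explorer.exe', 'logonui.exe', 'svchost.exe'

function Get-Sha256Hex([string]$Path) {
    # SHA-256 of a file, used to compare the live copy with its dllcache backup.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

foreach ($name in $targets) {
    $live = if ($name -eq 'explorer.exe') { Join-Path $env:SystemRoot $name } else { Join-Path $system32 $name }
    if (-not (Test-Path $live)) { Write-Warning "$live is missing"; continue }
    $item = Get-Item $live
    $sig  = Get-AuthenticodeSignature $live
    # Catalog-signed XP files can show NotSigned in older PowerShell; treat that
    # as "verify another way" (sigverif, dllcache hash), not as proof either way.
    $row = New-Object PSObject -Property @{
        File            = $live
        SizeKB          = [math]::Round($item.Length / 1KB, 1)
        LastWrite       = $item.LastWriteTime
        SigStatus       = $sig.Status
        Signer          = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' })
        MatchesDllcache = $null
    }
    $backup = Join-Path $dllcache $name
    if (Test-Path $backup) {
        $row.MatchesDllcache = (Get-Sha256Hex $live) -eq (Get-Sha256Hex $backup)
    }
    # Size hint from the posts for userinit.exe on XP SP2/SP3 (assumed range).
    if ($name -eq 'userinit.exe' -and ($row.SizeKB -lt 21 -or $row.SizeKB -gt 26)) {
        Write-Warning "userinit.exe is $($row.SizeKB) KB, outside the expected range"
    }
    $row | Format-List File, SizeKB, LastWrite, SigStatus, Signer, MatchesDllcache
}

# The Winlogon loading point named in the ComboFix log excerpt in this thread.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon).Userinit
$expected = (Join-Path $system32 'userinit.exe') + ','
if ($userinit -ne $expected) {
    Write-Warning "Userinit value is '$userinit' (expected '$expected'); inspect it"
}
```

Run it from an elevated prompt on the affected machine; a MatchesDllcache of False with a NotSigned status on userinit.exe is the case the posters describe and warrants replacing the file from a known-good source.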
To check for file infector virut, try DrWebCureIt,  and if it does find virut we can also run other virut scanners.

Sality is also another file infector similar to virut, you can check for that as well.

dgrrr (Author) Commented:
Thanks you guys.