Solved

infected computer keeps getting re-infected (logs attached)

Posted on 2009-04-10
1,098 Views
Last Modified: 2013-12-06
The computer is a Windows XP Home SP3 desktop. I've fixed an infection of "Antivirus 2009" (the rogue2008 one) using a combination of ComboFix and Malwarebytes, plus Spybot for good measure.

Computer got infected a second time, and I did the same.

Then last week it was infected for a third time. AVG 8 resident shield kept complaining about
____
avg resident shield alert
accessed file is infected
file name: c:\windows\system32\userinit.exe
ignore
process name: c:\windows\system32\winlogon.exe
____


Client was running Malwarebytes to no avail. I did an updated Malwarebytes quick scan and then a ComboFix. Afterward, when I rebooted, I no longer got the resident shield alert. I wanted to do updated full MBAM scans, Spybot scans, Ad-Aware scans, and also update Windows XP completely, but to save him money I told the guy how to do those himself. I rebooted several times and got no AVG resident shield alerts. I left.

At that point, when I left, I did a HijackThis log, which is attached as HJT-b.txt.

Now (the next day) he says he's getting the same infection notice from AVG Resident Shield regarding userinit.exe.

Can you guys look at the last HJT log I did (HJT-b.txt) and see if you can spot anything?

Obviously I'll try to get the guy to send me a current mbam log to add to this.

thx

(He has teenage kids who might be reinfecting the computer, but if it's my failure to clean it I feel bad)
Question by:dgrrr
38 Comments
 
LVL 66

Expert Comment

by:johnb6767
ID: 24120913
If you are cleaning the av2009.exe files, and the infected files from system32, chances are you haven't cleaned/restored a good copy of the userinit.exe inside c:\windows\system32....

If the file is not signed by MS (upon a right click), and not 24kb (on an SP2 and SP3 XP image) then it isn't the right one. Either get a good copy of it from c:\windows\system32\dllcache, or another working PC.....
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 24120932
I don't see a log attached anywhere, but:

1. Load SpywareBlaster (free) to protect Internet Explorer

2. Make sure the PC is patched with all Microsoft updates, not just SP3

3. The teens should be running with standard user rights (not Administrators).  If this is not possible, a program such as SandboxIE might be needed to shield Internet Explorer from the rest of the system

4. I cringe every time I see AVG mentioned.  A paid anti-virus program such as NOD32 or F-secure might be a better option.  Lots of workplaces have a corporate licensing agreements with their AV provider with free home use provisions.  He might want to check to see if that is the case where he works.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24120960
I swear by AVG, especially the corporate versions. But you will find debates like this all day long, which is the best, which one is the worst. Some people even still LOVE Symantec.......What works for one doesn't always work for others......
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24121004
Have him send you the latest combofix log and attach it here.

Sounds like he may be having a Virut or Sality file infector and that's not very good. I usually suggest a reformat when dealing with a Virut infection (especially when it's been in the system for a while).
0
 
LVL 2

Expert Comment

by:pankaj0079
ID: 24121112
Disable system restore
scan with avast
0
 
LVL 2

Expert Comment

by:pankaj0079
ID: 24121122
try scanning with quickheal total security 2009
0
 
LVL 38

Expert Comment

by:younghv
ID: 24121980
You also need to set up a "Surf" account on that computer (Limited account - no privs) for the kid to go to his websites (which will remain unnamed).

Put a password on the customer's account and tell him to save some money (and frustration) by keeping his password private.
0
 
LVL 3

Expert Comment

by:RobDating
ID: 24125771
With reference to the deleted link above, you need to download or create a mini PE bootable CD with the below-mentioned tools.
0
 
LVL 3

Expert Comment

by:RobDating
ID: 24125778
i.e. RegEditPE
0
 
LVL 38

Expert Comment

by:younghv
ID: 24125924
If we can get the ComboFix log posted here, one of the Experts can write a script which will remove all of the infected files.
There is no need to manually search and delete any files.
0
 

Author Comment

by:dgrrr
ID: 24135533
Hmm, I kept attaching the files. I must be doing it wrong.

I also wonder why so many people respond with generic posts, not reading the original post, just copying and pasting a bunch of fixes that have already been done...

Anyway - to you others -- I'll try attaching again here
mbam-a.txt
mbab-b.txt
hjt-a.txt
0
 

Author Comment

by:dgrrr
ID: 24135538
Oops here's the rest...
Combofix.txt
hjt-b.txt
0
 
LVL 1

Expert Comment

by:Edgnett
ID: 24135601
Your HijackThis log seems clean,
try the following:
use something like CCleaner to clean all temps,
then download and run SDFix in safe mode.
Run ComboFix and Malwarebytes again.

repost all logs

a guide to using sdfix can be found here:
http://www.bleepingcomputer.com/forums/topic131299.html

0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 400 total points
ID: 24136424
dgrrr,
A couple of comments seem in order.

First of all - your HJT log is not "clean".
If nothing else, run the updates you told your customer to do (as mentioned in your first post). You're not saving anyone money by allowing this problem to continue, and good computer security always starts with OS/application updates.

Why is the Symantec 'LiveUpdate' service still running? It looks as though someone did an incomplete removal when they installed AVG.

Have you run any commands (such as from msconfig) to reduce the processes that run at startup?

More importantly, please take the time to look at the 'Profile' of the people offering you advice. Unlike many forums, EE allows anyone to post in any Zone - regardless of their lack of qualifications.

It is unfortunate, but true that we have way too many 'point-chasers' who jump into questions with their one-line crap about 'run this' - or worse - those who have created their multi-paragraph lists of instructions as macros, and then run around pasting the same cookie-cutter posts all over the place.

johnb6767 & rpggamergirl both have a long history of helping other Members and of giving their detailed attention - one question at a time.

You can safely ignore all the rest of the posts in the question (including mine).
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 1200 total points
ID: 24137372
I wouldn't suggest SDFix at the moment... it hasn't been updated for over 5 months.

If you could please delete your version of combofix and download the latest version, there's a version newer than the one you have.

Combofix log is showing an AWF infection (a file imposter which replaces a legit file with itself and moves the original to the bak folder). I haven't seen this infection in a while.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\f5087.dat
c:\windows\f23567.dat

AWF::
c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system\bak\hpsysdrv.DAT
c:\program files\QuickTime\bak\qttask.exe

------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24141202
I'll let rpggamergirl handle the scripting and be lazy....   :)

My original post was answered in your CF logfile......

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe

Still, you need to make sure that the current "c:\windows\system32\userinit.exe" is legit, signed by MS and around 21-24kb in size. If the infection actually copied an infected one to the DLLCache, then it will fool windows into thinking it is restoring a backup of a corrupted file.....
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24155240
The userinit.exe from the DLLCache should be okay because Combofix will only replace a patched userinit.exe IF it finds a clean replacement.

If it doesn't find a clean copy, it has a built-in safety check and will modify the registry loading point from userinit to point to explorer.exe

As far as I know... if CF can't find a clean replacement.... we should see these entries(below) in the CF log.

c:\windows\system32\userinit.exe . . . is infected!!

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"


dgrrr, I suggest you download the latest version of Combofix.

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24161222
Thanks for that... You know me, I just don't like an automated script deleting files, and restoring as well, without having a good set of HUMAN eyes on it.....

I'd be curious to see how it determines a userinit.exe is clean, by version, hash etc?
0
 
LVL 38

Expert Comment

by:younghv
ID: 24162409
<<Ill let rpggamergirl handle the scripting and be lazy....   :)>>

I'll let her handle it - to make sure it is done right!
LOL!
That stuff is way over my head.
0
 

Author Comment

by:dgrrr
ID: 24540843
OK, sorry for the long delay. I am going back to the client today because they have another infection.

Will try the above & get back to you!
0
 
LVL 38

Expert Comment

by:younghv
ID: 24542644
dgrrr,
You cannot simply walk away from an open question for several weeks and then expect everyone to automatically try to help when you finally decide to return.
Good luck with your problem, but I am unsubscribing.
0
 

Author Comment

by:dgrrr
ID: 24543430
Um, I'm not sure what you mean by "automatically"... I was unable to give you any more info because the user did not send me the updated log files as asked.

Anyway, I've just done a bunch of work and will post it below - and anyone who can give me advice on how the infection came or if it's gone, I will appreciate it.

I don't expect responses immediately, I just hope they come before the next time this guy gets another infection.
0
 

Author Comment

by:dgrrr
ID: 24543503
Got to the computer, had a bunch of windows showing infection by
Antivirus System Pro
also IE6 redirected to this

had to rename all mbam & combofix executables to get them to work initially.

I couldn't do much til I did a new mbam quick scan. Then had room to move.
Did a hjt scan
then Did the first combofix scan

rebooted to safe mode, did
sdfix

rebooted, did second combofix scan
WITH THE CFSCRIPT.TXT item mentioned above

then did mbam quick scan again
then another hjt log

NOTE - would have done mbam full scans, but was concerned about customer expense

for same reason, instructing user to do
- updated spybot & 
- updated avg scans
- go to
        windowsupdate.microsoft.com/
        http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
           & update ie6 and all other updates
                 because he's not got xp sp3 yet or ie7
- also use mozilla firefox 3.0.10 instead of ie


There should be 2 posts after this - the first one contains the BEFORE set of logs, the latter the AFTER set of logs. But they were done in the order described above.
0
 

Author Comment

by:dgrrr
ID: 24543534
On second thought, here's the logs - I have numbered them and named them to go in order and be clear as to how they happened.
01---MBAM-quick-scan-a.txt
0
 

Author Comment

by:dgrrr
ID: 24551614
PS - All files (mbam installer, combofix, sdfix) were all new (downloaded the same day). Also when I left I had the user do FULL mbam scans in addition to the spybot & avg scans, and doing all microsoft updates. (XP sp3 and internet explorer updates were the next in the queue)
0
 

Author Comment

by:dgrrr
ID: 24551732
WARNING!
Forgive me guys - I screwed up the order of the attached files above. Also one came from a previous visit. I double checked and am reuploading now.  Sorry for the confusion.

Also, I forgot to add in my notes that I did replace userinit with a copy from my own xp machine.
01---HIJACKTHIS.txt
02---MBAM-quick-scan.txt
03---COMBOFIX.txt
04---SDFix.txt
05---COMBOFIX--with-CFScript.txt.txt
06---HIJACKTHIS.txt
07---MBAM-quick-scan.txt
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1200 total points
ID: 24553471
I'm with younghv, we can't leave a question open for longer than 3 weeks as it will be considered abandoned.


<<<" and anyone who can give me advice on how the infection came or if it's gone, I will apprciate it.">>>

The system had a Vundo file infector which is now gone based on those logs.
The logs look clean.

But that system has a version of Java (j2re1.4.2_09) that is prone to all kinds of infection, especially Vundo infection, so until the user updates his Java to the later or latest version the system is very vulnerable to infection. With Vundo, the system could get reinfected straightaway while using that version.

Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click "Remove".

Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24553496
<<<"Id be curious to see how it determines a userinit.exe is clean, by version, hash etc?">>>

Sorry, I must've missed the alerts on posts before.
Your guess is as good as mine... I'd say the filesize, hash and other factors are among the ones that determined if userinit is infected.
0
 

Author Comment

by:dgrrr
ID: 24586277
rpggamergirl, I forwarded that info about java to the user, thanks, and I will research vundo & how it operates.

FYI the user sent me the following email about AVG finding infections after multiple scans. I'm assuming I can disregard the tracking cookies, right? But what about the HP patches files, do they look innocent to you? (Also, the user said in a separate email that the HP patches files had no option to be cleaned or moved, and that AVG was sometimes giving the msg: MOVED OBJECT IS BIGGER THAN THE ARCHIVE SIZE LIMIT, which I researched here at Experts Exchange, and told the user to manually delete the files - but you can see the result below.)

_________________________
(FROM THE USER:)
These are the warnings that come up when running the AVG scan.

"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite";"Found Tracking cookie.Realmedia";"Healed"

"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"


These are the infections which seem to be growing in number. (And which don't show the option to clean or heal)

"D:\I386\drv\APP07399\App07399.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\I386\drv\APP07399\App07399.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"


When I try to locate the specific file to delete it, it keeps changing the location of where it is.  One minute it's located under D:\hp\  and other times it's under C:\hp\patches\51WW1ITG.  Or this one D:\I386\.  Not sure which ones are safe to delete as it says that it's a recovery file for the computer.




0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24669442
Almost sounds like Virut, which is a polymorphic file infector... Fun one to play with, finally got one in my hands and it was a DOOZIE, especially doing removals by hand......

<<<"Id be curious to see how it determines a userinit.exe is clean, by version, hash etc?">>>

Go by the Signature, and the Date Modified. It should be 24-26kb in size, and with a date probably pre 2004 (2006 for sp3 I believe...)

If it is unsigned, then you are assured it is viral, no more questions....

HP Patches are usually in the form of an sp999999.exe format..... Plus if it is a valid patch, they can be downloaded again from hp.com

Also...

"D:\I386\drv\APP07399\App07399.exe"

There shouldn't be an i386\DRV folder; if legit it would be "D:\I386\drW\APP07399\App07399.exe"
1 letter off......

Personally, I am not a fan of MBAM. I am a SuperAntiSpyware.com guy, as MBAM has been too unreliable (yes there are occasions where it finds more...). That's the problem with malware scanners. They are only as good as their updates.....No single scanner finds everything...... Even had ComboFix totally skip a rootkit once.... It happens...Still a great tool though....

I'll look at the logs as well, see if I can spot anything....


0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24669449
Also.....

RootRepeal - RootRepeal - Rootkit Detector
http://rootrepeal.googlepages.com/

Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner.....

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24669462
Go ahead and try Autoruns as well, and save an export of the scan as a .arn file, and upload it here please.....

http://live.sysinternals.com/autoruns.exe
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24669471
Oh, and one last thing....

Talking about legit System files like userinit.exe....

Also, check svchost.exe, explorer.exe, logonui.exe and winlogon.exe, as those are some of the main ones that get targeted for infection.....
0
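One way to script the checks johnb6767 describes for these binaries (size, last-write date, signature, and comparison with the dllcache copy or a copy from another machine). This is an added example, not code from the thread or from any tool named in it; it assumes PowerShell 2.0 or later on an XP-style layout, and the -ReferenceDir parameter and the file list are my own choices.

```powershell
# Added example: triage the system binaries the thread says file infectors target.
# Assumes %SystemRoot%\system32\dllcache exists (XP/2003 layout) and PowerShell 2.0+.
param(
    [string]$ReferenceDir = ''   # optional folder holding clean copies taken from another PC
)

$system32 = Join-Path $env:SystemRoot 'system32'
$dllcache = Join-Path $system32 'dllcache'
$targets  = 'userinit.exe', 'winlogon.exe', 'svchost.exe', 'logonui.exe', 'explorer.exe'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also runs where Get-FileHash (PowerShell 4+) is absent
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-SystemBinary([string]$Name) {
    # explorer.exe lives in %SystemRoot% itself; the others live in system32
    $live = if ($Name -eq 'explorer.exe') { Join-Path $env:SystemRoot $Name } else { Join-Path $system32 $Name }
    if (-not (Test-Path $live)) { return New-Object PSObject -Property @{ Name = $Name; Note = 'MISSING' } }

    $item  = Get-Item $live
    $sig   = Get-AuthenticodeSignature $live
    $hash  = Get-Sha256Hex $live
    $notes = @()

    # Older PowerShell builds check only embedded signatures, and XP system files are
    # catalog-signed, so NotSigned here means "confirm with sigverif.exe", not proof of infection.
    if ($sig.Status -ne 'Valid') { $notes += "signature: $($sig.Status)" }
    elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $notes += 'signed, but not by Microsoft' }

    $cache = Join-Path $dllcache $Name
    if ((Test-Path $cache) -and ((Get-Sha256Hex $cache) -ne $hash)) {
        # identical copies are not proof of a clean file either: an infector can seed dllcache too
        $notes += 'differs from dllcache copy'
    }

    if ($ReferenceDir) {
        $ref = Join-Path $ReferenceDir $Name
        if ((Test-Path $ref) -and ((Get-Sha256Hex $ref) -ne $hash)) { $notes += 'differs from reference copy' }
    }

    New-Object PSObject -Property @{
        Name      = $Name
        SizeKB    = [math]::Round($item.Length / 1KB, 1)
        LastWrite = $item.LastWriteTime
        Signature = $sig.Status
        SHA256    = $hash
        Note      = $(if ($notes) { $notes -join '; ' } else { 'no findings' })
    }
}

# Size and date are shown for a human to judge against the values quoted in the thread;
# only the signature and hash comparisons produce a note.
$targets | ForEach-Object { Test-SystemBinary $_ } |
    Format-Table Name, SizeKB, LastWrite, Signature, Note -AutoSize
```

A differing hash against the reference copy only means the two builds are not identical (hotfix levels can differ between machines), so pair it with the signature result before replacing anything.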
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24717611
To check for file infector virut, try DrWebCureIt,  and if it does find virut we can also run other virut scanners.
http://www.freedrweb.com/


Sality is also another file infector similar to virut, you can check for that as well.
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889



0
 

Author Comment

by:dgrrr
ID: 24718061
Thank you guys.
0