Solved

infected computer keeps getting re-infected (logs attached)

Posted on 2009-04-10
Last Modified: 2013-12-06
The computer is a Windows XP Home SP3 desktop. I've fixed an infection of "Antivirus 2009" (the rogue2008 one) using a combination of combofix and Malwarebytes, plus Spybot for good measure.

Computer got infected a second time, and I did the same.

Then last week it was infected for a third time. AVG 8 resident shield kept complaining about
____
avg resident shield alert
accessed file is infected
file name: c:\windows\system32\userinit.exe
ignore
process name: c:\windows\system32\winlogon.exe
____


Client was running Malwarebytes to no avail. I did an updated Malwarebytes quick scan and then a combofix. Afterward, when I rebooted, I no longer got the resident shield alert. I wanted to do updated full mbam scans, Spybot scans, Ad-Aware scans, and also update Windows XP completely, but to save him money I told the guy how to do those himself. I rebooted several times and got no AVG resident shield alerts. I left.

At that point, when I left, I did a HijackThis log, which is attached as HJT-b.txt.

Now (the next day) he says he's getting the same infection notice from AVG Resident Shield regarding userinit.exe.

Can you guys look at the last HJT log I did (HJT-b.txt) and see if you can spot anything?

Obviously I'll try to get the guy to send me a current mbam log to add to this.

thx

(He has teenage kids who might be reinfecting the computer, but if it's my failure to clean it I feel bad)
Question by:dgrrr

38 Comments

Expert Comment by:johnb6767 (LVL 66)
If you are cleaning the av2009.exe files and the infected files from system32, chances are you haven't cleaned/restored a good copy of the userinit.exe inside c:\windows\system32....

If the file is not signed by MS (upon a right click), and not 24kb (on an SP2 and SP3 XP image) then it isn't the right one. Either get a good copy of it from c:\windows\system32\dllcache, or another working PC.....

Expert Comment by:Adam Leinss (LVL 22)
I don't see a log attached anywhere, but:

1. Load SpywareBlaster (free) to protect Internet Explorer

2. Make sure the PC is patched with all Microsoft updates, not just SP3

3. The teens should be running with standard user rights (not Administrators).  If this is not possible, a program such as SandboxIE might be needed to shield Internet Explorer from the rest of the system

4. I cringe every time I see AVG mentioned.  A paid anti-virus program such as NOD32 or F-Secure might be a better option.  Lots of workplaces have corporate licensing agreements with their AV provider with free home use provisions.  He might want to check to see if that is the case where he works.

Expert Comment by:johnb6767 (LVL 66)
I swear by AVG, especially the corporate versions. But you will find debates like this all day long, which is the best, which one is the worst. Some people even still LOVE Symantec.......What works for one doesn't always work for others......

Expert Comment by:rpggamergirl (LVL 47)
Have him send you the latest combofix log and attach it here.

Sounds like he may be having a Virut or Sality file infector and that's not very good. I usually suggest a reformat when dealing with a Virut infection (especially when it's been in the system for a while).

Expert Comment by:pankaj0079 (LVL 2)
Disable system restore
scan with avast

Expert Comment by:pankaj0079 (LVL 2)
try scanning with quickheal total security 2009

Expert Comment by:younghv (LVL 38)
You also need to set up a "Surf" account on that computer (Limited account - no privs) for the kid to go to his websites (which will remain unnamed).

Put a password on the Customer's account and tell him save some money (and frustration) by keeping his password private.

Expert Comment by:RobDating (LVL 3)
With reference to the deleted link above, you need to download or create a mini PE bootable CD with the below mentioned tools.

Expert Comment by:RobDating (LVL 3)
i.e. RegEditPE

Expert Comment by:younghv (LVL 38)
If we can get the ComboFix log posted here, one of the Experts can write a script which will remove all of the infected files.
There is no need to manually search and delete any files.

Author Comment by:dgrrr
Hmm, I kept attaching the files. I must be doing it wrong.

I also wonder why so many people respond with generic posts, not reading the original post, just copying and pasting a bunch of fixes that have already been done...

Anyway - to you others -- I'll try attaching again here
mbam-a.txt
mbab-b.txt
hjt-a.txt

Author Comment by:dgrrr
Oops here's the rest...
Combofix.txt
hjt-b.txt

Expert Comment by:Edgnett (LVL 1)
Your HijackThis log seems clean,
try the following:
use something like CCleaner to clean all temps
then download and run SDFix in safe mode.
Run combofix and Malwarebytes again.

Repost all logs.

A guide to using SDFix can be found here:
http://www.bleepingcomputer.com/forums/topic131299.html


Assisted Solution by:younghv (LVL 38)
younghv earned 100 total points
dgrrr,
A couple of comments seem in order.

First of all - your HJT log is not "clean".
If nothing else, run the updates you told your customer to do (as mentioned in your first post). You're not saving anyone money by allowing this problem to continue, and good computer security always starts with OS/application updates.

Why is the Symantec 'LiveUpdate' service still running? It looks as though someone did an incomplete removal when they installed AVG.

Have you run any commands (such as from msconfig) to reduce the processes that run at startup?

More importantly, please take the time to look at the 'Profile' of the people offering you advice. Unlike many forums, EE allows anyone to post in any Zone - regardless of their lack of qualifications.

It is unfortunate, but true that we have way too many 'point-chasers' who jump into questions with their one-line crap about 'run this' - or worse - those who have created their multi-paragraph lists of instructions as macros, and then run around pasting the same cookie-cutter posts all over the place.

johnb6767 & rpggamergirl both have a long history of helping other Members and of giving their detailed attention - one question at a time.

You can safely ignore all the rest of the posts in the question (including mine).

Accepted Solution by:rpggamergirl (LVL 47)
rpggamergirl earned 300 total points
I wouldn't suggest SDFix at the moment... it hasn't been updated for over 5 months.

If you could please delete your version of combofix and download the latest version, there's a version newer than the one you have.

Combofix log is showing an AWF infection (a file imposter which replaces a legit file with itself and moves the original to the bak folder). I haven't seen this infection in a while.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\f5087.dat
c:\windows\f23567.dat

AWF::
c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system\bak\hpsysdrv.DAT
c:\program files\QuickTime\bak\qttask.exe

------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


Expert Comment by:johnb6767 (LVL 66)
I'll let rpggamergirl handle the scripting and be lazy....   :)

My original post was answered in your CF logfile......

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe

Still, you need to make sure that the current "c:\windows\system32\userinit.exe" is legit, signed by MS and around 21-24kb in size. If the infection actually copied an infected one to the DLLCache, then it will fool windows into thinking it is restoring a backup of a corrupted file.....
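Added example, not code from this thread or from ComboFix: a Python check covering the two reference-copy patterns discussed here (johnb6767's "is the restored userinit.exe legit" question and rpggamergirl's AWF imposters, where the displaced original sits in a bak subfolder). It compares the live file with the dllcache copy by hash, applies a 21-26 KB size window spanning the figures quoted in the thread, and reports bak pairs whose contents differ; the size window and the sample tree are assumptions, and the Authenticode signature check still needs a Windows tool.

```python
import hashlib
import tempfile
from pathlib import Path

# Size window for a genuine XP userinit.exe, spanning the 21-26 KB figures quoted
# in this thread; an assumption, not a vendor-published value.
USERINIT_SIZE_RANGE = (21 * 1024, 26 * 1024)

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_against_reference(suspect, reference, size_range=USERINIT_SIZE_RANGE):
    # Compare the live system32 file with its dllcache copy. A hash match only
    # proves the two agree (an infector that also seeded dllcache would pass),
    # so the size window stays as an independent check.
    suspect, reference = Path(suspect), Path(reference)
    result = {"exists": suspect.is_file(), "reference_exists": reference.is_file()}
    if not result["exists"]:
        return result
    size = suspect.stat().st_size
    result["size"] = size
    result["size_ok"] = size_range[0] <= size <= size_range[1]
    if result["reference_exists"]:
        result["matches_reference"] = sha256_of(suspect) == sha256_of(reference)
    return result

def find_bak_imposters(root):
    # AWF pattern: the displaced original sits in <dir>/bak/<name> and the
    # imposter at <dir>/<name>. Report every pair whose contents differ.
    root = Path(root)
    findings = []
    for bak_dir in root.rglob("bak"):
        if not bak_dir.is_dir():
            continue
        for original in bak_dir.iterdir():
            suspect = bak_dir.parent / original.name
            if original.is_file() and suspect.is_file() and \
                    sha256_of(suspect) != sha256_of(original):
                findings.append((str(suspect.relative_to(root)),
                                 str(original.relative_to(root))))
    return sorted(findings)

def demo():
    # Constructed sample tree (placeholder bytes, not real binaries): a too-small
    # userinit.exe that differs from dllcache, one AWF pair, and one benign pair.
    files = {
        "windows/system32/userinit.exe": b"X" * 4096,
        "windows/system32/dllcache/userinit.exe": b"U" * 24576,
        "program files/QuickTime/qttask.exe": b"imposter",
        "program files/QuickTime/bak/qttask.exe": b"original",
        "windows/system32/ctfmon.exe": b"same",
        "windows/system32/bak/ctfmon.exe": b"same",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return {"userinit": check_against_reference(root / "windows/system32/userinit.exe",
                                                    root / "windows/system32/dllcache/userinit.exe"),
                "imposters": find_bak_imposters(root)}
```

Call `demo()` to run it against the constructed tree; on a real machine pass the actual system32 and dllcache paths to `check_against_reference` and a drive root to `find_bak_imposters`.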

Expert Comment by:rpggamergirl (LVL 47)
The userinit.exe from the DLLCache should be okay because Combofix will only replace a patched userinit.exe IF it finds a clean replacement.

If it doesn't find a clean copy, it has a built-in safety check and will modify the registry loading point from userinit to point to explorer.exe

As far as I know... if CF can't find a clean replacement.... we should see these entries(below) in the CF log.

c:\windows\system32\userinit.exe . . . is infected!!

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"


dgrrr, I suggest you download the latest version of Combofix.


Expert Comment by:johnb6767 (LVL 66)
Thanks for that... You know me, I just don't like an automated script deleting files, and restoring as well, without having a good set of HUMAN eyes on it.....

I'd be curious to see how it determines a userinit.exe is clean, by version, hash etc?

Expert Comment by:younghv (LVL 38)
<<I'll let rpggamergirl handle the scripting and be lazy....   :)>>

I'll let her handle it - to make sure it is done right!
LOL!
That stuff is way over my head.

Author Comment by:dgrrr
OK, sorry for the long delay. I am going back to the client today because they have another infection.

Will try the above & get back to you!

Expert Comment by:younghv (LVL 38)
dgrrr,
You cannot simply walk away from an open question for several weeks and then expect everyone to automatically try to help when you finally decide to return.
Good luck with your problem, but I am unsubscribing.

Author Comment by:dgrrr
Um, I'm not sure what you mean by "automatically"... I was unable to give you any more info because the user did not send me the updated log files as asked.

Anyway, I've just done a bunch of work and will post it below - and anyone who can give me advice on how the infection came or if it's gone, I will appreciate it.

I don't expect responses immediately, I just hope they come before the next time this guy gets another infection.

Author Comment by:dgrrr
Got to computer, had a bunch of windows showing infection by
Antivirus System Pro
also IE6 redirected to this

had to rename all mbam & combofix executables to get them to work initially.

I couldn't do much till I did a new mbam quick scan. Then had room to move.
Did a hjt scan
then did the first combofix scan

rebooted to safe mode, did
sdfix

rebooted, did second combofix scan
WITH THE CFSCRIPT.TXT item mentioned above

then did mbam quick scan again
then another hjt log

NOTE - would have done mbam full scans, but was concerned about customer expense

for same reason, instructing user to do
- updated spybot &
- updated avg scans
- go to
  windowsupdate.microsoft.com/
  http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
  & update ie6 and all other updates
  because he's not got xp sp3 yet or ie7
- also use mozilla firefox 3.0.10 instead of ie


There should be 2 posts after this - the first one contains the BEFORE set of logs, the latter the AFTER set of logs. But they were done in the order described above.

Author Comment by:dgrrr
On second thought, here's the logs - I have numbered them and named them to go in order and be clear as to how they happened.
01---MBAM-quick-scan-a.txt

Author Comment by:dgrrr
PS - All files (mbam installer, combofix, sdfix) were all new (downloaded the same day). Also when I left I had the user do FULL mbam scans in addition to the spybot & avg scans, and doing all microsoft updates. (XP sp3 and internet explorer updates were the next in the queue)

Author Comment by:dgrrr
WARNING!
Forgive me guys - I screwed up the order of the attached files above. Also one came from a previous visit. I double checked and am reuploading now.  Sorry for the confusion.

Also, I forgot to add in my notes that I did replace userinit with a copy from my own xp machine.
01---HIJACKTHIS.txt
02---MBAM-quick-scan.txt
03---COMBOFIX.txt
04---SDFix.txt
05---COMBOFIX--with-CFScript.txt.txt
06---HIJACKTHIS.txt
07---MBAM-quick-scan.txt

Assisted Solution by:rpggamergirl (LVL 47)
rpggamergirl earned 300 total points
I'm with younghv, we can't leave a question open for longer than 3 weeks as it will be considered abandoned.


<<<" and anyone who can give me advice on how the infection came or if it's gone, I will apprciate it.">>>

The system had a Vundo file infector which is now gone based on those logs.
The logs look clean.

But that system has a version of Java (j2re1.4.2_09) that is prone to all kinds of infection, especially Vundo infection, so until the user updates his Java to the later or latest version the system is very vulnerable to infection. With Vundo, the system could get reinfected straightaway while using that version.

Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click "Remove".

Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp

Expert Comment by:rpggamergirl (LVL 47)
<<<"Id be curious to see how it determines a userinit.exe is clean, by version, hash etc?">>>

Sorry must've missed the alerts on posts before.
Your guess is as good as mine... I'd say the filesize, hash and other factors are among the ones that determined if userinit is infected.

Author Comment by:dgrrr
rpggamergirl, I forwarded that info about java to the user, thanks, and I will research vundo & how it operates.

FYI, the user sent me the following email about AVG finding infections after multiple scans. I'm assuming I can disregard the tracking cookies, right? But what about the HP patches files, do they look innocent to you?  (Also, the user said in a separate email that the HP patches files had no option to be cleaned or moved, and that AVG was sometimes giving the msg: MOVED OBJECT IS BIGGER THAN THE ARCHIVE SIZE LIMIT, which I researched here at Experts Exchange, and told the user to manually delete the files - but you can see the result below.)

_________________________
(FROM THE USER:)
These are the warnings that come up when running the AVG scan.

"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite";"Found Tracking cookie.Realmedia";"Healed"

"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"


These are the infections which seem to be growing in number. (And which don't show the option to clean or heal)

"D:\I386\drv\APP07399\App07399.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\I386\drv\APP07399\App07399.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"


When I try to locate the specific file to delete it, it keeps changing the location of where it is.  One minute it's located under D:\hp\  and other times it's under C:\hp\patches\51WW1ITG.  Or this one D:\I386\.  Not sure which ones are safe to delete as it says that it's a recovery file for the computer.
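Added example, not from the thread or from AVG: a small parser for the report lines quoted above (nine of them are embedded as sample input) that splits an archive-member path of the form `outer.exe:\inner\file` into its container, folds the per-member hits onto that container so the same patch file is not counted twice, and keeps the tracking cookies out of the malware tally. The `:\` member convention is inferred from the quoted lines and is an assumption.

```python
import csv
import io
from collections import defaultdict

# Sample input: report lines quoted from the user's AVG output earlier in this thread.
AVG_REPORT = r'''
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"D:\I386\drv\APP07399\App07399.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\I386\drv\APP07399\App07399.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
'''

def split_container(path):
    # A hit inside an archive is written as outer.exe:\inner\file (assumed
    # convention); the search starts past the drive's own "C:\" at index 1.
    idx = path.find(":\\", 2)
    if idx == -1:
        return path, None
    return path[:idx], path[idx + 2:]

def parse_report(text):
    # Each line is three ";"-separated, double-quoted fields: path, detection, action.
    records = []
    for row in csv.reader(io.StringIO(text.strip()), delimiter=";", quotechar='"'):
        if len(row) != 3:
            continue
        path, detection, action = (field.strip('"') for field in row)
        container, member = split_container(path)
        records.append({"container": container, "member": member,
                        "detection": detection, "action": action,
                        "is_cookie": detection.startswith("Found Tracking cookie")})
    return records

def summarize(records):
    # Fold per-member hits onto their container so one archive is not counted
    # twice, and keep tracking cookies out of the malware tally.
    by_container = defaultdict(lambda: {"detections": set(), "members": set(), "actions": set()})
    for r in records:
        if r["is_cookie"]:
            continue
        entry = by_container[r["container"]]
        entry["detections"].add(r["detection"])
        entry["actions"].add(r["action"])
        if r["member"]:
            entry["members"].add(r["member"])
    return dict(by_container)

def count_cookies(records):
    return sum(1 for r in records if r["is_cookie"])

if __name__ == "__main__":
    recs = parse_report(AVG_REPORT)
    print(count_cookies(recs), "tracking cookies ignored")
    for container, info in summarize(recs).items():
        print(container, sorted(info["detections"]), sorted(info["members"]), sorted(info["actions"]))
```

On this sample the six "growing" trojan lines collapse to three container files, two of which are the same HP patch on C: and D:, which is why the location seemed to keep changing.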





Expert Comment by:johnb6767 (LVL 66)
Almost sounds like Virut, which is a polymorphic file infector... Fun one to play with, finally got one in my hands and it was a DOOZIE, especially doing removals by hand......

<<<"Id be curious to see how it determines a userinit.exe is clean, by version, hash etc?">>>

Go by the Signature, and the Date Modified. It should be 24-26kb in size, and with a date probably pre 2004 (2006 for sp3 I believe...)

If it is unsigned, then you are assured it is viral, no more questions....

HP Patches are usually in the form of an sp999999.exe format..... Plus if it is a valid patch, they can be downloaded again from hp.com

Also...

"D:\I386\drv\APP07399\App07399.exe"

There shouldnt be a i386\DRV folder, if legit it would be "D:\I386\drW\APP07399\App07399.exe"
1 letter off......

Personally, I am not a fan of MBAM. I am a SuperAntiSpyware.com guy, as MBAM has been too unreliable (yes there are occasions where it finds more...). That's the problem with malware scanners. They are only as good as their updates.....No single scanner finds everything...... Even had Combofix totally skip a rootkit once.... It happens...Still a great tool though....

I'll look at the logs as well, see if I can spot anything....



Expert Comment by:johnb6767 (LVL 66)
Also.....

RootRepeal - Rootkit Detector
http://rootrepeal.googlepages.com/

Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner.....


Expert Comment by:johnb6767 (LVL 66)
Go ahead and try Autoruns as well, and save an export of the scan as a .arn file, and upload it here please.....

http://live.sysinternals.com/autoruns.exe

Expert Comment by:johnb6767 (LVL 66)
Oh, and one last thing....

Talking about legit System files like userinit.exe....

Also, check svchost.exe, explorer.exe, logonui.exe and winlogon.exe, as those are some of the main ones that get targeted for infection.....

Expert Comment by:rpggamergirl (LVL 47)
To check for file infector virut, try DrWebCureIt,  and if it does find virut we can also run other virut scanners.
http://www.freedrweb.com/


Sality is also another file infector similar to virut, you can check for that as well.
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889




Author Comment by:dgrrr
Thanks you guys.