dgrrr
infected computer keeps getting re-infected (logs attached)
The computer is a windows xp home sp3 desktop. I've fixed an infection of "Antivirus 2009" (the rogue2008 one) using a combination of combofix and malwarebytes, plus spybot for good measure.
Computer got infected a second time, and I did the same.
Then last week it was infected for a third time. AVG 8 resident shield kept complaining about
____
avg resident shield alert
accessed file is infected
file name: c:\windows\system32\userinit.exe
ignore
process name: c:\windows\system32\winlogon.exe
____
Client was running malwarebytes to no avail. I did an updated malwarebytes quick scan and then a combofix. Afterward when I rebooted I no longer got the resident shield alert. I wanted to do updated full mbam scans, spybot scan, adaware scans, and also update windows xp completely. But to save him money I told the guy how to do those himself, and I rebooted several times, and got no AVG resident shield alerts. I left.
At that point, when I left, I did a hijackthis log, which is attached as HJT-b.txt
Now (the next day) he says he's getting the same infection notice from AVG Resident Shield regarding userinit.exe.
Can you guys look at the last HJT log I did (HJT-b.txt) and see if you can spot anything?
Obviously I'll try to get the guy to send me a current mbam log to add to this.
thx
(He has teenage kids who might be reinfecting the computer, but if it's my failure to clean it I feel bad)
I don't see a log attached anywhere, but:
1. Load SpywareBlaster (free) to protect Internet Explorer
2. Make sure the PC is patched with all Microsoft updates, not just SP3
3. The teens should be running with standard user rights (not Administrators). If this is not possible, a program such as SandboxIE might be needed to shield Internet Explorer from the rest of the system
4. I cringe every time I see AVG mentioned. A paid anti-virus program such as NOD32 or F-secure might be a better option. Lots of workplaces have corporate licensing agreements with their AV provider with free home use provisions. He might want to check to see if that is the case where he works.
I swear by AVG, especially the corporate versions. But you will find debates like this all day long, which is the best, which one is the worst. Some people even still LOVE Symantec.......What works for one, doesn't always work for others......
Have him send you the latest combofix log and attach it here.
Sounds like he may be having a Virut or Sality file infector and that's not very good. I usually suggest a reformat when dealing with a Virut infection (especially when it's been in the system for awhile).
Disable system restore
scan with avast
try scanning with quickheal total security 2009
You also need to set up a "Surf" account on that computer (Limited account - no privs) for the kid to go to his websites (which will remain unnamed).
Put a password on the Customer's account and tell him save some money (and frustration) by keeping his password private.
with reference to the deleted link above, you need to download or create a mini pe bootable CD with the below mentioned tools.
i.e. RegEditPE
If we can get the ComboFix log posted here, one of the Experts can write a script which will remove all of the infected files.
There is no need to manually search and delete any files.
ASKER
Hmm, I kept attaching the files. I must be doing it wrong.
I also wonder why so many people respond with generic posts, not reading the original post, just copying and pasting a bunch of fixes that have already been done...
anyway - to you others -- I'll try attaching again here
mbam-a.txt
mbab-b.txt
hjt-a.txt
ASKER
your HijackThis log seems clean,
try the following
use something like ccleaner to clean all temps
then download and run SDfix in safe mode.
run combofix and malwarebytes again.
repost all logs
a guide to using sdfix can be found here:
http://www.bleepingcomputer.com/forums/topic131299.html
I'll let rpggamergirl handle the scripting and be lazy.... :)
My original post was answered in your CF logfile......
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe
Still, you need to make sure that the current "c:\windows\system32\userinit.exe" is legit, signed by MS and around 21-24kb in size. If the infection actually copied an infected one to the DLLCache, then it will fool windows into thinking it is restoring a backup of a corrupted file.....
The userinit.exe from the DLLCache should be okay because Combofix will only replace a patched userinit.exe IF it finds a clean replacement.
If it doesn't find a clean copy, it has a built-in safety check and will modify the registry loading point from userinit to point to explorer.exe
As far as I know... if CF can't find a clean replacement.... we should see these entries(below) in the CF log.
c:\windows\system32\userinit.exe . . . is infected!!
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe, "
dgrrr, I suggest you download the latest version of Combofix.
Thanks for that... You know me, I just don't like Automated scripts deleting files, and restoring as well, without having a good set of HUMAN eyes on it.....
I'd be curious to see how it determines a userinit.exe is clean, by version, hash etc?
<<Ill let rpggamergirl handle the scripting and be lazy.... :)>>
I'll let her handle it - to make sure it is done right!
LOL!
That stuff is way over my head.
ASKER
OK, sorry for the long delay. I am going back to the client today because they have another infection.
will try the above & get bak to u!
dgrrr,
You cannot simply walk away from an open question for several weeks and then expect everyone to automatically try to help when you finally decide to return.
Good luck with your problem, but I am unsubscribing.
ASKER
Um, I'm not sure what you mean by "automatically"... I was unable to give you any more info because the user did not send me the updated log files as asked.
Anyway, I've just done a bunch of work and will post it below - and anyone who can give me advice on how the infection came or if it's gone, I will appreciate it.
I don't expect responses immediately, I just hope they come before the next time this guy gets another infection.
ASKER
Got to computer, had a bunch of windows showing infection by
Antivirus System Pro
also ie6 redirected to this
had to rename all mbam & combofix executables to get them to work initially.
I couldn't do much til I did a new mbam quick scan. then had room to move.
Did a hjt scan
then did the first combofix scan
rebooted to safe mode, did
sdfix
rebooted, did second combofix scan
WITH THE CFSCRIPT.TXT item mentioned above
then did mbam quick scan again
then another hjt log
NOTE - would have done mbam full scans, but was concerned about customer expense
for same reason, instructing user to do
- updated spybot &
- updated avg scans
- go to
windowsupdate.microsoft.com/
http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
& update ie6 and all other updates
because he's not got xp sp3 yet or ie7
- also use mozilla firefox 3.0.10 instead of ie
There should be 2 posts after this - first one contains the BEFORE set of logs, the latter, the AFTER set of logs. But they were done in the order described above.
ASKER
On second thought, here's the logs - I have numbered them and named them to go in order and be clear as to how they happened.
01---MBAM-quick-scan-a.txt
ASKER
Whoops. Here are ALL the files. (disregard the log above)
01---MBAM-quick-scan-a.txt
02---HIJACKTHIS-A.txt
03---COMBOFIX-A.txt
04---SDFix.txt
05---COMBOFIX-B.txt
06---COMBOFIX-C--with-CFScript.t.txt
07---MBAM-quick-scan-b.txt
08---HIJACKTHIS-B.txt
ASKER
PS - All files (mbam installer, combofix, sdfix) were all new (downloaded the same day). Also when I left I had the user do FULL mbam scans in addition to the spybot & avg scans, and doing all microsoft updates. (XP sp3 and internet explorer updates were the next in the queue)
ASKER
WARNING!
Forgive me guys - I screwed up the order of the attached files above. Also one came from a previous visit. I double checked and am reuploading now. Sorry for the confusion.
Also, I forgot to add in my notes that I did replace userinit with a copy from my own xp machine.
01---HIJACKTHIS.txt
02---MBAM-quick-scan.txt
03---COMBOFIX.txt
04---SDFix.txt
05---COMBOFIX--with-CFScript.txt.txt
06---HIJACKTHIS.txt
07---MBAM-quick-scan.txt
<<<"Id be curious to see how it determines a userinit.exe is clean, by version, hash etc?">>>
Sorry must've missed the alerts on posts before.
Your guess is as good as mine... I'd say the filesize, hash and other factors are among the ones that determined if userinit is infected.
ASKER
rpggamergirl, I forwarded that info about java to the user, thanks, and I will research vundo & how it operates.
FYI the user sent me the following email about AVG finding infections after multiple scans. I'm assuming I can disregard the tracking cookies, right? But what about the HP patches files, do they look innocent to you? Also, the user said in a separate email that the HP patches files had no option to be cleaned or moved, and that AVG was sometimes giving the msg: MOVED OBJECT IS BIGGER THAN THE ARCHIVE SIZE LIMIT, which I researched here at experts exchange, and told user to manually delete the files - but you can see the result below)
_________________________
(FROM THE USER:)
These are the warnings that come up when running the AVG scan.
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite";"Found Tracking cookie.Realmedia";"Healed"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
These are the infections which seem to be growing in number. (And which don't show the option to clean or heal)
"D:\I386\drv\APP07399\App07399.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\I386\drv\APP07399\App07399.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
When I try to locate the specific file to delete it, it keeps changing the location of where it is. One minute it's located under D:\hp\ and other times it's under C:\hp\patches\51WW1ITG. Or this one D:\I386\. Not sure which ones are safe to delete as it says that it's a recovery file for the computer.
Almost sounds like Virut, which is a polymorphic file infector... Fun one to play with, finally got one in my hands and it was a DOOZIE, especially doing removals by hand......
<<<"I'd be curious to see how it determines a userinit.exe is clean, by version, hash etc?">>>
Go by the Signature, and the Date Modified. It should be 24-26kb in size, and with a date probably pre 2004 (2006 for sp3 I believe...)
If it is unsigned, then you are assured it is viral, no more questions....
HP Patches are usually in the form of an sp999999.exe format..... Plus if it is a valid patch, they can be downloaded again from hp.com
Also...
"D:\I386\drv\APP07399\App07399.exe"
There shouldn't be an i386\DRV folder; if legit it would be "D:\I386\drW\APP07399\App07399.exe"
1 letter off......
Personally, I am not a fan of MBAM. I am a SuperAntiSpyware.com guy, as Mbam has been too unreliable (yes there are occasions where it finds more...). That's the problem with malware scanners. They are only as good as their updates.....No single scanner finds everything...... Even had Combofix totally skip a rootkit once.... It happens...Still a great tool though....
I'll look at the logs as well, see if I can spot anything....
Also.....
RootRepeal - RootRepeal - Rootkit Detector
http://rootrepeal.googlepages.com/
Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner.....
Go ahead and try Autoruns as well, and save an export of the scan as a .arn file, and upload it here please.....
http://live.sysinternals.com/autoruns.exe
Oh, and one last thing....
Talking about legit System files like userinit.exe....
Also, check svchost.exe, explorer.exe, logonui.exe and winlogon.exe, as those are some of the main ones that get targeted for infection.....
To check for file infector virut, try DrWebCureIt, and if it does find virut we can also run other virut scanners.
http://www.freedrweb.com/
Sality is also another file infector similar to virut, you can check for that as well.
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889
ASKER
Thanks you guys.
If the file is not signed by MS (upon a right click), and not 24kb (on an sp2, and sp3 XP Image) then it isn't the right one. Either get a good copy of it from c:\windows\system32\dllcac
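The checks the posters describe (signature, size, modified date, comparison against the dllcache copy, and the Winlogon "Userinit" registry value that ComboFix may repoint at explorer.exe) as one PowerShell script; this is an added example, not code from the thread or from ComboFix, and it assumes an XP-era %SystemRoot%\system32\dllcache layout and Windows PowerShell 2.0 or later. Before PowerShell 5.1, Get-AuthenticodeSignature inspects only embedded signatures, so catalog-signed OS files can report NotSigned; on such a system the dllcache hash comparison and a known-good copy carry more weight than the signature column.

```powershell
# Added example, not code from the thread or from any tool it names.
# Checks the logon-chain files the posters say get targeted (userinit.exe,
# winlogon.exe, svchost.exe, explorer.exe, logonui.exe): Authenticode status,
# signer, size, modified date, and whether the live file hashes the same as
# the copy in system32\dllcache. Also reads the Winlogon "Userinit" value.
# Assumes an XP-era layout and Windows PowerShell 2.0 or later.

$sysRoot  = $env:SystemRoot
$sys32    = Join-Path $sysRoot 'system32'
$dllCache = Join-Path $sys32 'dllcache'

# File names taken from the thread; explorer.exe lives in %SystemRoot% itself.
$targets = 'userinit.exe', 'winlogon.exe', 'svchost.exe', 'explorer.exe', 'logonui.exe'

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4, so hash through .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-SystemFile([string]$Name) {
    $path   = if ($Name -eq 'explorer.exe') { Join-Path $sysRoot $Name } else { Join-Path $sys32 $Name }
    $cached = Join-Path $dllCache $Name
    $r = New-Object PSObject -Property @{
        File = $path; Exists = (Test-Path $path); SigStatus = ''; Signer = ''
        MicrosoftSigned = $false; SizeKB = 0; Modified = $null; MatchesDllCache = 'n/a'
    }
    if (-not $r.Exists) { return $r }

    # Before PowerShell 5.1 this inspects only an embedded signature. OS files
    # are mostly catalog-signed, so NotSigned alone is not proof of tampering,
    # but a signature from a non-Microsoft publisher is a red flag. Sysinternals
    # sigcheck can confirm catalog signatures where this cmdlet cannot.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $r.SigStatus = [string]$sig.Status
    if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }
    $r.MicrosoftSigned = ($sig.Status -eq 'Valid' -and $r.Signer -like '*Microsoft*')

    $fi = Get-Item $path
    $r.SizeKB   = [math]::Round($fi.Length / 1KB, 1)   # thread expects roughly 21-26 KB for userinit.exe
    $r.Modified = $fi.LastWriteTime
    if (Test-Path $cached) {
        # A live file that differs from its dllcache twin (or a dllcache twin
        # that is itself suspect) is exactly the case the thread worries about.
        $r.MatchesDllCache = ((Get-Sha256Hex $path) -eq (Get-Sha256Hex $cached))
    }
    return $r
}

function Test-UserinitValue {
    # The thread says ComboFix repoints this value at explorer.exe when it
    # cannot find a clean userinit.exe, so report it alongside the file checks.
    $key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value    = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    $expected = (Join-Path $sys32 'userinit.exe') + ','   # stock XP value, trailing comma included
    New-Object PSObject -Property @{ Userinit = $value; Expected = $expected; AsExpected = ($value -ieq $expected) }
}

$targets | ForEach-Object { Test-SystemFile $_ } |
    Format-Table File, SigStatus, MicrosoftSigned, SizeKB, Modified, MatchesDllCache -AutoSize
Test-UserinitValue | Format-List Userinit, Expected, AsExpected
```

Run it from an elevated prompt on the affected machine; a file whose hash differs from its dllcache copy, or a Userinit value that is not the stock path, is worth comparing against a copy taken from a known-clean XP install of the same service pack before anything is replaced.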