How do I get rid of this?

drbtodd1971

I have 71 problems in Malwarebytes which it removes, and then they keep coming back. If I remove them and boot in safe mode they aren't present, but if I boot in normal mode they come back.

I suspect they are hiding somewhere the anti-virus and anti-malware can't find them. Spybot finds the Haxdor trojan and says it removes it, but then it comes back.

Enclosed are my Malwarebytes log and HijackThis log.

Files Infected:
C:\WINDOWS\explore.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\iexplorer.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\comploader.dll (Adware.BHO) -> No action taken.
C:\WINDOWS\system32\socul.dll (Adware.BHO) -> No action taken.
C:\WINDOWS\system32\sodahk.dll (Adware.BHO) -> No action taken.
C:\WINDOWS\system32\unsocul.exe (Adware.BHO) -> No action taken.
C:\WINDOWS\system32\a.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\rundll.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\winhost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\server.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\winupd.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\sksdrvr2.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\svhost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\win32.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\winsys.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\winshow.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\winlogon.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\csrss.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\iexplore.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\msupdate.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\msmsgs.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\skybot.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\avpcc.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\ctrlpan.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\msconfd.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\olehelp.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\qttasks.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> No action taken.
C:\csrss.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\svchost32.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\0.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\windll.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\smss.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\sistem.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\system32\iexplorer.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\msa64chk.dll (Trojan.Perfiler) -> No action taken.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> No action taken.
C:\WINDOWS\system32\winnb57.dll (Adware.Mirar) -> No action taken.
C:\WINDOWS\system32\filekiller.dll (Rogue.Multiple) -> No action taken.
C:\winstall.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\7search.dll (Adware.7FaSSt) -> No action taken.
C:\WINDOWS\system32\klo5.sys (Stolen.Data) -> No action taken.
C:\WINDOWS\xpupdate.exe (Trojan.Fakealert) -> No action taken.
C:\WINDOWS\system32\ipv6mons.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\ExeDialer.exe (Adware.EGDAccess) -> No action taken.
C:\WINDOWS\system32\egdial.dll (Adware.EGDAccess) -> No action taken.
C:\WINDOWS\system32\ia.dll (Adware.EGDAccess) -> No action taken.
C:\WINDOWS\system32\ieaccess2.dll (Adware.EGDAccess) -> No action taken.
C:\WINDOWS\system32\msegcompid.dll (Adware.EGDAccess) -> No action taken.
C:\WINDOWS\system32\mseggrpid.dll (Adware.EGDAccess) -> No action taken.
C:\WINDOWS\system32\msklive.dll (Adware.EGDAccess) -> No action taken.
C:\WINDOWS\system32\draw32.dll (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\c3.dll (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\cm.dll (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\sdmapi.sys (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\boot32.sys (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\vdnt32.sys (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\memlow.sys (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\c3.sys (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\c4.sys (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\hm.sys (Rootkit.Haxdor) -> No action taken.
C:\WINDOWS\system32\wd.sys (Rootkit.Haxdor) -> No action taken.

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:45, on 2009-03-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\FLOCK\FLOCK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Casino-on-Net - {3015DB92-158E-4b77-9020-85C8E311FBB5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) -
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) -
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

--
End of file - 9767 bytes

Can anyone see anything obvious or offer some advice on how to get rid of this? I have tried repairing Windows, which seemed to make things worse. I did have SP3 installed but can't install it now I've done a repair; it crashes half way through!
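The Malwarebytes listing in the post above is itself a good teaching log: almost every entry is either a core Windows binary name sitting in the wrong directory (C:\WINDOWS\winlogon.exe, C:\csrss.exe, C:\WINDOWS\svchost.exe) or a name one or two characters off a real one (svhost.exe, iexplorer.exe, svchost32.exe, rundll.exe). The script below is an added example, not code from the original post or from Malwarebytes or HijackThis; it automates that by-eye check over the log format shown. The table of legitimate locations is an assumption of the example (the default Windows XP layout), the threshold is tuned by hand, and the sample log is a constructed subset of the lines posted above.

```python
"""Triage a Malwarebytes 'Files Infected' listing for process-name masquerading.

Added example, not code from the original post, Malwarebytes or HijackThis.
A core Windows binary name in the wrong directory, or a name a character or
two off a real one, is a strong hint that the file was dropped by malware.
"""
import ntpath
import re
from difflib import SequenceMatcher

# Core Windows XP binaries and the single directory each legitimately runs from
# (assumption of this example: the default XP layout, not taken from the thread).
LEGIT_LOCATION = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}
# SequenceMatcher ratio above which a name counts as a look-alike of a real one;
# chosen so svhost.exe/svchost.exe trips it and a.exe/lsass.exe does not.
LOOKALIKE_THRESHOLD = 0.85

# One log line: <path> (<family>) -> <action>
MBAM_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")

# Constructed subset of the Malwarebytes log posted above.
SAMPLE_LOG = r"""
Files Infected:
C:\WINDOWS\explore.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\iexplorer.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\a.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\rundll.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\svhost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\winlogon.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\csrss.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\iexplore.exe (Backdoor.Bot) -> No action taken.
C:\csrss.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\svchost32.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\draw32.dll (Rootkit.Haxdor) -> No action taken.
"""


def parse_mbam(text):
    """Return (path, family, action) for each 'Files Infected' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            entries.append((m["path"], m["family"], m["action"]))
    return entries


def classify(path):
    """Return (verdict, reference_name) with verdict one of
    'expected', 'wrong-dir', 'lookalike', 'other'."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in LEGIT_LOCATION:
        # Exact system name: only the known directory is acceptable.
        if directory == LEGIT_LOCATION[name]:
            return "expected", name
        return "wrong-dir", name
    # Not a system name: is it a near miss of one (typosquat)?
    best_name, best_ratio = None, 0.0
    for legit in LEGIT_LOCATION:
        ratio = SequenceMatcher(None, name, legit).ratio()
        if ratio > best_ratio:
            best_name, best_ratio = legit, ratio
    if best_ratio >= LOOKALIKE_THRESHOLD:
        return "lookalike", best_name
    return "other", None


def triage(text):
    """Group the log's entries by verdict: {verdict: [(path, family, reference), ...]}."""
    report = {"expected": [], "wrong-dir": [], "lookalike": [], "other": []}
    for path, family, _action in parse_mbam(text):
        verdict, ref = classify(path)
        report[verdict].append((path, family, ref))
    return report


if __name__ == "__main__":
    for verdict, rows in triage(SAMPLE_LOG).items():
        print(f"== {verdict} ({len(rows)})")
        for path, family, ref in rows:
            print(f"   {path}  [{family}]" + (f"  ~ {ref}" if ref else ""))
```

The same `classify` works on the "Running processes" section of a HijackThis log, where a legitimate C:\WINDOWS\System32\smss.exe comes back as `expected` and anything else with that name does not. Names that are neither exact nor near misses (a.exe, draw32.dll) land in `other`, so the script narrows the list rather than replacing a scanner.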
 
I question the following:
O9 - Extra button: Casino-on-Net - {3015DB92-158E-4b77-9020-85C8E311FBB5} - C:\WINDOWS\system32\shdocvw.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll

Otherwise your log seems clean to me.


James P. Cottingham
I'm number 1,229!
 
I question the following:
O9 - Extra button: Casino-on-Net - {3015DB92-158E-4b77-9020-85C8E311FBB5} - C:\WINDOWS\system32\shdocvw.dll
I don't...
But it is not necessary, thus to be on the safe side, boot into SAFE MODE, and rename it to SHDOCVW.OLD and reboot...

These should be fixed, either using the built-in commands or through LSPFix from Cexx.org:

O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll

Internal Commands: open a DOS BOX (CLI or CMD Window: START >> RUN >> type CMD >> [ENTER]), then type:

netsh winsock reset catalog

To the log, there is nothing sticking out... but that does not mean there isn't anything...

probably the trojan hooks into WINLOGON.exe, which starts every time the computer gets rebooted, DL RunAlyzer from:
run it...

under the ADVANCED STARTUP TAB, check what is listed under the following KEYs:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

and post them here... Good Hunting



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.
 
Thanks for the suggestions.

Changed the name of shdocvw.dll to shdocvw.old and the PC then wouldn't boot in normal or safe mode. Ran the Dr.Web anti-virus CD and then managed to boot in safe mode and rename the file back to .dll. Is this the problem?

Tried the suggestions on the Unknown file problem and none of them found anything or fixed it. I think these files are related to STOPzilla, which I have installed but may get rid of as it is seriously slowing my system down.

RunAlyzer listed the following:
GinaDLL
Shell explorer.exe
System
Taskman
UserInit C:\windows\system32\userinit.exe

Were both keys supposed to be the same or is there somewhere else I need to look?

Thanks

Ben (drbtodd1971)
 
Ok, there is nothing suspicious under the WINLOGON section... which is good...

yes, there was another line to look under, but I copied the wrong one...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

Changed name of shdocvw.dll to shdocvw.old and PC then wouldn't boot in normal or safe mode.
Sorry about that... after more research, I found out that that is an essential library... but I am glad that you were able to remedy my blunder...

Strange thing is, that I was hit by a slew of malware myself, at work and at home... also Haxdoor, and am still cleaning up... at work I went ahead and reformatted and installed fresh; my thoughts are that you are heading down that same avenue...

That the real culprit ain't showing in the HJT log tells me that it is hiding pretty well, most likely a ROOTKIT...


Ben
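Ben's two posts ask for the contents of the Winlogon key and, corrected above, its Notify subkeys: Shell, Userinit and every Notify package are things winlogon.exe runs or loads at each logon, which is exactly why malware that survives a cleanup lives there. The script below is an added example, not code from the thread or from RunAlyzer; it audits a `reg export` of that key offline, so the check can run from a clean machine against a file copied off the infected one. The list of default Notify packages is an assumption of the example. The .reg text is constructed: the second Userinit entry (`example_dropper.exe`) and the PFW package's `pfw_example.dll` are hypothetical stand-ins, while the !SASWinLogon path is the one shown in the O20 lines of the HijackThis log above.

```python
"""Audit a 'reg export' of the Winlogon key for logon persistence.

Added example, not code from the thread or from RunAlyzer/HijackThis. Input is
the text written by:
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
Findings: Userinit or Shell tampering, GinaDLL/Taskman/System set, and Notify
packages that are not part of a default Windows XP install.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NOTIFY_PREFIX = WINLOGON.lower() + "\\notify\\"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Notify packages present on a default XP install (assumption of this example).
# Anything else is third-party and its publisher must be verified, as with the
# PFW entry in the thread.
DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed .reg text. example_dropper.exe and pfw_example.dll are hypothetical.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\example_dropper.exe,"
"System"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
"DLLName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PFW]
"DLLName"="pfw_example.dll"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the REG_SZ values of a .reg file.
    hex:/dword: values are skipped; the \\ and \" escapes are undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            keys.setdefault(current, {})
            continue
        val = STRING_VALUE_RE.match(line)
        if val and current is not None:
            name, value = val.groups()
            keys[current][name] = re.sub(r"\\(.)", r"\1", value)
    return keys


def audit_winlogon(keys):
    """Return a list of findings; an empty list means the key looks like a default install."""
    by_key = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in keys.items()}
    wl = by_key.get(WINLOGON.lower(), {})
    findings = []

    # Userinit must be exactly the system32 userinit.exe, comma-terminated. Malware
    # commonly appends a second path so its dropper runs at every logon.
    entries = [e.strip().lower() for e in wl.get("userinit", "").split(",") if e.strip()]
    if entries != [EXPECTED_USERINIT]:
        findings.append(f"Userinit = {wl.get('userinit')!r}; expected only {EXPECTED_USERINIT}")

    if wl.get("shell", "").lower() != "explorer.exe":
        findings.append(f"Shell = {wl.get('shell')!r}; expected 'Explorer.exe'")

    # GinaDLL and Taskman are absent on a default install; System is empty.
    for name in ("ginadll", "taskman", "system"):
        if wl.get(name):
            findings.append(f"{name} = {wl[name]!r}; not set on a default install")

    # Every Notify package is a DLL winlogon.exe loads into its own process at logon.
    for key, vals in keys.items():
        if key.lower().startswith(NOTIFY_PREFIX):
            package = key[len(NOTIFY_PREFIX):]
            dll = {n.lower(): v for n, v in vals.items()}.get("dllname", "<missing>")
            if package.lower() not in DEFAULT_NOTIFY:
                findings.append(f"Notify\\{package} loads {dll!r}; not a Windows default, verify publisher")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(parse_reg_export(SAMPLE_REG)) or ["no findings"]:
        print(finding)
```

`reg export` writes the file as UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text in. Non-default Notify packages are reported for a human to verify, not declared malicious: SASWINLO.DLL in the sample is the SUPERAntiSpyware component from the log above, and the point of listing it is the same as Ben's, to leave only the entries nobody can account for.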
 
options from other registry key

!SASWinLogon
AtiExtevgnt
avgsstarter
crypt32chain
cryptnet
cscdll
dimsntfy
PFW
SccertProp
Schedule
Sclgntfy
SensLogn
termsrv
wgaLogon
wballoon
 
The only one that I do not know is the PFW entry, it tells me nothing... could be the Firewall you are using or something totally different...

my suggestion, would be to download the Dr.Web LiveCD burn it to a CD, and boot with it, and have it check your drives (all partitions)...


Ben
 
I was working on something similar today that stays hidden from the normal anti-malware tools. Looking at the modified date on userinit.exe, it seems to be March 2, which coincides with when the user said this problem started. Autoruns shows nothing for this file's publisher and description.

I took a chance and replaced it with one from the XP SP3 cd (the machine is at SP2) and the problem seems to be solved.
 
A little bit more interesting info about today's cleanup:

As part of my earlier mentioned replacing of userinit.exe, I renamed the infected version to userinit.old. After replacement, SUPERAntiSpyware detected the renamed userinit.old file as Trojan.Unclassifed/Userinit-Fake and deleted it as it should. It's interesting that it wasn't detected when it was in use as userinit.exe.
 
smah: Have you reported this or submitted the file to any of the AV suppliers?


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
smah - thanks for the update there, in my case it wasn't so easy, that is why I reformatted the workstation at work...

privately, I had more luck in isolating the culprit; how I got it I am still wondering, as I had not shared any files between work and private through any medium, and my defenses were up (hardware firewall, software firewall (Comodo, that is how I found out it hit me and how I was able to contain it), Avira (was shut down by the malware), MBAM did nothing, SuperAntiSpyware did not find it)...

what finally got it, was booting into safemode with networking, and initiated a scan from one of my clean PCs over the network (lol did that ever take time, scanned close to 1TB)...

some info on the critter:

any infected file did not need to be executed, it was enough that explorer saw it, for it to spread...

This is what Avira told me was the culprit - could only find the Symantec website on it:


Quote:

Removal: Easy (MY FOOT! probably had a new variant)

Ben
 