
Trojan Horse help needed

Roy C

Somehow I have picked up a Trojan horse BackDoor Agent and it is driving me nuts. I always keep AVG up to date and also use CCleaner on a very regular basis. I also use a registry scanner/cleaner regularly.

AVG's Resident Shield is picking up the BackDoor agent in the file C:\windows\System32\userinit.exe which is a genuine Windows file and cannot be deleted or healed. It is also turning off the Windows Firewall (which I turn back on again).

Anyone know how to get rid of this virus?

P.S. when I run a full AVG scan it does not pick anything up.
 
Hi RoyC, I have had problems with trojans before and have found the free trial version of Malwarebytes Anti-Malware to be the best first option to try. Downloadable from this link:

http://www.malwarebytes.org/mbam.php

Once you install it, update it and then do a quick scan. If it finds anything click fix all or fix checked (something like that) and let it do it. May ask you to reboot to completely get rid of anything. This is a good anti-malware programme.

Dave
 
Thanks for the link Dave, I will give it a try.
 
Wonder if there is a case for posting on a specialist help forum?

If you're gonna run MalwareBytes' Anti-Malware don't forget to make a careful note of names the scanner assigns to malware it finds. Also carefully check what files the scanner proposes deleting or "quarantining".
If you let it delete the userinit.exe file it will stop Windows booting. You then may be forced to boot off the Windows installation CD, run the Windows Recovery Console and "expand" the compressed file on the installation disk into the relevant folder.

After you've (hopefully) nuked the nasties, replacing corrupted Windows files is maybe easier done with System File Checker :
http://en.wikipedia.org/wiki/System_File_Checker
 
Roy C said:
Thanks for the link Dave, I will give it a try.

I have to say Roy, I use the current 'Malwarebytes' program that has been mentioned by Dave Steeley, and I have no problems with it at all. I am all for this link too:

http://www.malwarebytes.org/mbam.php

It will let you know if you have any 'nasties' at all and give a new log file each time for your information.

I got a 'Fake Trojan' not so long ago, and the first thing I did was simply set the AVG to scan the whole computer straight away.

Note: I did not respond to any icons asking me to download anything.
That is the whole problem: you need to ignore any convincing copies of an icon box on your screen saying 'please download me otherwise your PC's hard drive will be corrupted. You need a virus program now blah blah' (or words close to that effect).


I just calmly went straight into AVG, clicked 'scan whole PC', and it killed off what was on my screen without any hesitation, and added the offending Trojan to my 'Virus Vault' to be removed. It was removed pronto.

Then I used the 'suggested' Malwarebytes for good measure to remove the Trojan, and all was removed in the same manner as with AVG.

No more problems to this day. By the way I use Vista.

Hope this helps you
 
Hi RoyC

I think one of the best software packages you can get is Spyware Doctor; it is not free I am afraid but it does find a lot more spyware than most of the other anti-spyware software on the market. My daughter who lives in America had a particularly bad virus called A360; Norton said her computer was clean so I suggested buying Spyware Doctor, which she did, and it detected and removed this virus. It also detected other malware and spyware which she did not realise was on her computer.
Hope this helps
Greg
 
Norm said:
If you let it delete the userinit.exe file it will stop Windows booting.

Hi Norm, is this something that has happened before? I have been using MBAM for around a year updating and running it at least weekly without any problems. It certainly helped me get rid of Trojan Fake Alert and a couple of other nasties, neither of which were picked up by Adaware or SpyBot S+D.

Dave
 
Thanks for the suggestions guys, I have tried a few and will let you know how I get on.
I have been using several progs on a regular basis like AVG, Spybot, Adaware, Eusing, Windows defender, Ccleaner and others and I run full system scans just about every day and have done so for several years. I am an ex IT manager and am fanatical about PC security.
This time last week I would have responded to a thread like this saying that I have had no problems whatsoever for 5 years, so this is just a warning that it could happen to anyone.
Thanks again for the responses.

P.S. Norm and Dave, I realise you cannot delete the userinit.exe file - not that AVG would let you anyway as it is on the Whitelist.
 
d.steeley said:
Hi Norm, is this something that has happened before? I have been using MBAM for around a year updating and running it at least weekly without any problems. It certainly helped me get rid of Trojan Fake Alert and a couple of other nasties, neither of which were picked up by Adaware or SpyBot S+D.

Dave

It shouldn't do I guess but things happen. A post a month or so ago from the developer of SUPERAntiSpyware (SAS) regarding a false positive which resulted in a system file on some Vista PCs being deleted, making the machine unbootable:
http://www.wilderssecurity.com/showpost.php?p=1394691&postcount=37
Always best to check what files the software intends nuking. And everything is always so much more scary if there is no backup in place.

Actually last month a relative deleted userinit.exe from her XP machine using either SAS or MalwareBytes' AntiMalware (MBAM) (I think the former). I suspect this was no false positive though since the copy in the dll cache was dodgy. Had to use the Recovery Console to restore from the Windows CD. Incidentally at that time the two scanners mentioned failed to remove the Seneka rootkit that had infected the PC and I had to resort to using Combofix.

It does seem that SAS and MBAM are generally the first ports of call these days for dealing with malware that your antivirus struggles with. a-squared free might be a third choice :
http://www.emsisoft.com/en/software/free/
That's not to say that some of the old favourites like Ad-Aware and Spybot Search and Destroy won't pick up something the others miss.
 
Norm said:
Actually last month a relative deleted userinit.exe from her XP machine using either SAS or MalwareBytes' AntiMalware (MBAM) (I think the former). I suspect this was no false positive though since the copy in the dll cache was dodgy. Had to use the Recovery Console to restore from the Windows CD. Incidentally at that time the two scanners mentioned failed to remove the Seneka rootkit that had infected the PC and I had to resort to using Combofix.


Hi Norm, SAS and MBAM are the most regular of my defences along with Firewall and AV and several other progs that lurk in the background (Win Defender). I'm a keen non-technical amateur and have never used Combofix but if I had to I would do so with assistance from one of the many good Malware Forums such as Spywarehammer.

Cheers

Dave
 
d.steeley said:
I would do so with the assistance from one of the many good Malware Forums such as Spywarehammer.
Hi Dave. Maybe that would be a good recommendation for Roy if those scanners still have trouble (hopefully not).

BTW didn't mean to imply I'm competent enough to be using Combofix. It's just that talking it through over the phone while I read the online instructions would have been easier for my sis' than her trying to communicate through a forum. I didn't check any log files, just got it to delete the rootkit and hoped other scanners would fix the rest. Her PC seems to be behaving OK now but she got me to change her online account passwords on my PC.

Just spotted Greg's post above. There's a free version of Spyware Doctor available in the "Google Pack" with time-limited real-time protection. I'd certainly consider using it if I was infected. It's a bit more involved to use than the others, perhaps because it isn't an "on demand" only scanner by default.
 
Just an update guys. I have run Stinger (turning off System Restore) and it picked up one Trojan. Also downloaded MalwareBytes' AntiMalware (MBAM) and have run it 4 or 5 times now (a couple of times in safe mode) and it picks up infections each time. The last couple of times it has been this userinit file HKEY_LOCAL_MACHINE\software\Windows NT\currentVersion\userinit; each time it picks up two versions of this same file. I will soldier on.

Cheers
Roy
 
Using Explorer (and assuming you are using Windows XP with Service Pack 3 in place) these two files :

C:\WINDOWS\System32\userinit.exe
C:\WINDOWS\ServicePackFiles\i386\userinit.exe

should be the same and have the following attributes :

Version 5.1.2600.5512
26,112 bytes
Created 14 April 2008
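
An added example, not code from anyone in this thread: a small Python script that does the two checks discussed in the last two posts offline, so nothing has to be clicked on the infected machine. First it parses the Winlogon Userinit registry value (the real key is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value Userinit; the stock XP value is a single entry "C:\WINDOWS\system32\userinit.exe," with a trailing comma) and reports any additional entry, since a common hijack is to append a second executable that Winlogon then runs at every logon. Second it compares the System32 copy of userinit.exe with the ServicePackFiles copy by size and SHA-256 and checks the size against the 26,112 bytes quoted above. The file version (5.1.2600.5512) is not checked here; use the Version tab of the file's Properties in Explorer for that. The two file paths and the expected size are taken from the post above; the sample registry values and the stand-in file bytes are constructed for the demonstration, and the name "example-dropper.exe" is made up.

```python
r"""Two offline checks for a suspected userinit.exe hijack (added example).

1. Parse the Winlogon 'Userinit' registry value and report every entry that
   is not the stock userinit.exe.  Winlogon runs each comma-separated entry
   at logon, and a common trick is to append a second executable.
2. Compare the System32 copy of userinit.exe with the Service Pack cache copy
   by size and SHA-256, and check the size against the value quoted above.

Assumed (well-known) locations:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value Userinit
  C:\WINDOWS\System32\userinit.exe
  C:\WINDOWS\ServicePackFiles\i386\userinit.exe
"""
import hashlib
import os
from typing import List, Optional, Tuple

STOCK_USERINIT = r"C:\WINDOWS\system32\userinit.exe"
EXPECTED_SIZE_XP_SP3 = 26112  # bytes, for version 5.1.2600.5512 as quoted above

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SYS32_COPY = r"C:\WINDOWS\System32\userinit.exe"
SP_CACHE_COPY = r"C:\WINDOWS\ServicePackFiles\i386\userinit.exe"


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit REG_SZ value into its non-empty comma-separated entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def extra_userinit_entries(value: str, stock: str = STOCK_USERINIT) -> List[str]:
    """Entries other than the stock userinit.exe, compared case-insensitively.

    A clean value such as 'C:\\WINDOWS\\system32\\userinit.exe,' gives [];
    anything else in the list is a program that also runs at every logon.
    """
    return [e for e in parse_userinit(value) if e.lower() != stock.lower()]


def read_live_userinit() -> Optional[str]:
    """Read the live Userinit value on Windows; None elsewhere or on error."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, "Userinit")
            return str(value)
    except OSError:
        return None


def fingerprint(data: bytes) -> Tuple[int, str]:
    """(size in bytes, SHA-256 hex digest) of a file's contents."""
    return len(data), hashlib.sha256(data).hexdigest()


def copies_match(a: bytes, b: bytes) -> bool:
    """True when two copies of a file are byte-for-byte identical."""
    return fingerprint(a) == fingerprint(b)


def size_is_expected(data: bytes, expected: int = EXPECTED_SIZE_XP_SP3) -> bool:
    """True when the file has the size quoted for XP SP3's userinit.exe."""
    return len(data) == expected


def read_if_present(path: str) -> bytes:
    """File contents, or b'' if the path does not exist (non-Windows test box)."""
    if os.path.isfile(path):
        with open(path, "rb") as fh:
            return fh.read()
    return b""


if __name__ == "__main__":
    # Constructed sample registry values, not copied from any real machine.
    clean = r"C:\WINDOWS\system32\userinit.exe,"
    hijacked = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\example-dropper.exe,"
    print("clean extras:   ", extra_userinit_entries(clean))     # []
    print("hijacked extras:", extra_userinit_entries(hijacked))  # ['C:\\WINDOWS\\system32\\example-dropper.exe']
    live = read_live_userinit()
    if live is not None:
        print("live extras:    ", extra_userinit_entries(live))

    # On Windows these read the real files; elsewhere a 26,112-byte stand-in is used.
    stand_in = b"MZ" + b"\x00" * 26110
    sys32 = read_if_present(SYS32_COPY) or stand_in
    cache = read_if_present(SP_CACHE_COPY) or stand_in
    print("copies match:", copies_match(sys32, cache))
    print("size as expected:", size_is_expected(sys32))
```

One caveat the earlier post about the relative's XP machine already illustrates: two copies that match each other prove only that they are the same, not that they are clean, because a dropper can replace the cached copy too. The stronger check is against a copy taken from the installation CD or against a hash you trust.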
 
Hi Roy, I just looked on Bleeping Computers (see link) This thread seems to mirror your problems. It seemed to solve the problem so might be an idea to post your problem on this forum.

http://www.bleepingcomputer.com/forums/topic196297.html

Dave
Hi Dave, this looks interesting. Although my symptoms are not the same it is the same userinit files that are infected. I will give it a go.

For info I have installed and run both Malwarebytes and Spyware Doctor several times, including in safe mode and with System Restore turned off. They pick up the Trojans every time but cannot get rid of them. Thought I had got there yesterday when I had a clean scan but today it is back with a vengeance.
I am getting ready for a complete system reformat.

Thanks for your help
Roy
 
A complete reinstall could be a good idea: often an easier option than disinfection and you'll have more confidence in the fresh install. Recall that was the option Dave took. If you don't currently have a spare partition on the hard disk it might be worth making one where you can do a quick system disk backup every once in a while using disk imaging software. That could save a lot of time if this happens again. Separate partitions for system and data would also be a help.

Incidentally the thread I referred to when trying to remove the Seneka rootkit was this :
http://www.techsupportforum.com/sec...-help-possible-seneka-root-kit-infection.html

As you see, the helper's first reaction to the logs involved several exclamation marks and the recommendation to reinstall (wasn't an option in my case). And I used this page to talk through using combofix :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Actually at the time this happened, the author of SUPERAntiSpyware claimed on another forum that he had a Beta release (subsequently upped to general release I believe) that would nuke the Seneka rootkit. The MBAM version of the time would see the rootkit in normal mode but fail to remove it, and not see it at all in safe mode.

Sorry for the trouble you've had, Roy.
 
Roy C said:
Just an update guys. I have run Stinger (turning off System Restore) and it picked up one Trojan. Also downloaded MalwareBytes' AntiMalware (MBAM) and have run it 4 or 5 times now (a couple of times in safe mode) and it picks up infections each time. The last couple of times it has been this userinit file HKEY_LOCAL_MACHINE\software\Windows NT\currentVersion\userinit; each time it picks up two versions of this same file. I will soldier on.

Cheers
Roy

Hi Roy

I do not want to put you off your trail to sort out your problem, but I had a PC infection of my own on the 13th, picked up with Malwarebytes, similar to yours.

This is the listing that I got

I set my own Malwarebytes to do a full scan on the 13th of this month (eeeeekkkkk the 13th .......) and was surprised when it picked up 7 infections to do with (HKEYS).

No sign of any problems picked up on AVG at all. So it shows that AVG has its limitations too.

Malwarebytes listing:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{XXXXXXXXXX} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{XXXXXXXXXXXXXXX} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{XXXXXXXXXXXXXXX} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{XXXXXXXXXXXXXXX} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully

What is HKEY? Is it to do with the 'current up to date' Registry? Could someone explain the importance of HKEY?

Is this listing close to yours Roy?
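
An added example, not posted by anyone in the thread: a Python parser for the "... Infected:" listing format quoted in the post above, which also answers the HKEY question in passing. Each result line has the shape `<registry key or file path> (<detection name>) -> <action taken>`, and the leading HKEY_* token is the registry hive, i.e. the root the key lives under: HKEY_CURRENT_USER holds settings for the user currently logged on (so the MyWebSearch entries above were installed in that user's profile), while HKEY_LOCAL_MACHINE holds machine-wide settings such as the Winlogon Userinit value discussed earlier. The script groups detections by hive and by detection name and, following the advice earlier in the thread to check what the scanner proposes deleting, lists anything still pending and anything aimed at a file Windows needs in order to log on. The sample log is constructed: the GUIDs are placeholders, the "Files Infected:" section and its "Delete on reboot" wording are modelled on MBAM's log style rather than copied from a real log, and the list of boot-critical file names is illustrative.

```python
r"""Parse the '... Infected:' sections of a Malwarebytes Anti-Malware log
(added example, modelled on the listing quoted above).

Result line shape:  <hive>\<key path> (<detection name>) -> <action>
                or: <file path> (<detection name>) -> <action>
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

LINE_RE = re.compile(r"^(?P<key>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Files whose removal breaks logon/boot. userinit.exe is the one the thread
# warns about; the other two are added here for illustration.
BOOT_CRITICAL = {"userinit.exe", "winlogon.exe", "explorer.exe"}


class Detection(NamedTuple):
    section: str  # e.g. "Registry Keys Infected"
    hive: str     # HKEY_* root key for registry items, "" for files
    key: str      # full registry key or file path
    name: str     # scanner's detection name, e.g. Adware.MyWebSearch
    action: str   # what the scanner did or proposes to do


def parse_mbam_log(lines: Iterable[str]) -> List[Detection]:
    """Turn the 'X Infected:' sections of an MBAM log into Detection records."""
    section = ""
    found: List[Detection] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # headers and free text are not result lines
        key = m.group("key")
        hive = key.split("\\", 1)[0] if key.upper().startswith("HKEY_") else ""
        found.append(Detection(section, hive, key, m.group("name"), m.group("action")))
    return found


def summarise(found: List[Detection]) -> Dict[str, object]:
    """Counts per hive and per detection name, plus two lists to read before
    rebooting: actions still pending, and actions against boot-critical files."""
    pending = [d for d in found if "successfully" not in d.action.lower()]
    risky = [d for d in found
             if d.hive == "" and d.key.rsplit("\\", 1)[-1].lower() in BOOT_CRITICAL]
    return {
        "by_hive": dict(Counter(d.hive for d in found if d.hive)),
        "by_name": dict(Counter(d.name for d in found)),
        "pending": pending,
        "risky": risky,
    }


# Constructed sample log: placeholder GUIDs, one made-up file detection.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000001} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000002} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{00000000-0000-0000-0000-000000000003} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\userinit.exe (Trojan.Agent) -> Delete on reboot.
"""


if __name__ == "__main__":
    results = parse_mbam_log(SAMPLE_LOG.splitlines())
    report = summarise(results)
    print("per hive:", report["by_hive"])
    print("per detection:", report["by_name"])
    for d in report["pending"]:
        print("PENDING:", d.key, "->", d.action)
    for d in report["risky"]:
        print("BOOT-CRITICAL FILE TARGETED:", d.key, "->", d.action)
```

Run against a real log, the two lists at the end are the ones to read before clicking Remove: a "Delete on reboot" against userinit.exe is exactly the case where you want the Recovery Console or SFC steps from earlier in the thread ready before restarting.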
 