
Super Persistent Viruses | userini.exe | virut? ...

Post by InvinceZ » November 6th, 2009, 8:58 am

Story:
My friend's laptop has been infected with viruses. I tried removing them, but failed.

What I did:
01. Normal startup. Show all hidden files + OS files, and delete all of the virus files. Restart, and there it goes, a BSOD until I have to use "Last working config". The viruses are back. IE keeps opening and closing non-stop. :x
02. Safe mode/normal startup. Show all hidden files + OS files, and delete all of the virus files. Restart, and there it goes, a BSOD until I have to use "Last working config". The viruses are back. IE keeps opening and closing non-stop. :x
03. Safe mode/normal startup. Show all hidden files + OS files, and delete all of the virus files. Run msconfig. Disable all suspected-to-be-virus start-at-boot entries. Restart, and there it goes, a BSOD until I have to use "Last working config". The viruses are back. :x
04. Safe mode/normal startup. Run msconfig. Disable all suspected-to-be-virus start-at-boot entries. Restart. The entries reverted to the previous ones + svchost.exe error non-stop. :x
05. Safe mode/normal startup. Manually run regedit (cannot use Run, because it was overwritten by the viruses to run their own version of regedit which, if run, will add entries to the registry to check and add their own entries). Search for and delete suspected virus entries. Restart. Fail!! Registry back to the previous one. :x
06. Install Kaspersky. Run it... but all protection was disabled. Update cannot start. A quick look at the registry, I found that the viruses block Kaspersky from running normally and prevent it from updating (same for all other AV). Delete the registry entry... but it's back after restart. :x
07. Use CCleaner. Clean everything. Fail. :x
08. Clean up disk... delete all Recycler folder contents (apparently some cannot be deleted). Restart. The viruses are back. :x
09. Combination of any or all of 01-08. Fail miserably.
10. Fed up!!! Close the laptop... play games for a couple of hours, and then sleep. :lol:

Things to keep in mind:
01. When the virus files are deleted, Windows startup will produce a BSOD (after the logon screen). Only safe mode and "Last working config" can be used.
02. If "Last working config" is selected, the virus files will be restored... virus startup entries will be restored... virus registry entries will be restored. THEY ARE SUPER PERSISTENT!!! :bruce:
03. After all that trial and error, the viruses seem to be more dangerous. They actively monitor whether hidden files and OS files are shown or not. If shown, they will straight away disable it. This is more active if I open C:\WINDOWS and all the other folders in it. They straight away disable it after a few seconds. True even in safe mode o.0
04. Laptop is Windows XP Pro SP2 version 2600 rtm.040803-2158
05. Normal logon is restricted. All .exe files are prevented from running by the viruses/malware. Only safe mode is available for fixing and tweaking.

Errors:
01. BSOD.
02. IE keeps opening and closing non-stop.
03. svchost.exe error window pops up non-stop
04. All .exe files cannot run on normal logon. Only safe mode available.

* If you have any queries, feel free to ask.


Checkbox filled with red = suspected virus entries

svchost.exe error log
Code:
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date:		11/6/2009
Time:		2:19:05 PM
User:		N/A
Computer:	EILHAM-0FD620B4
Description:
Faulting application svchost.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x24696c9a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 73 76 63   ure  svc
0018: 68 6f 73 74 2e 65 78 65   host.exe
0020: 20 35 2e 31 2e 32 36 30    5.1.260
0028: 30 2e 32 31 38 30 20 69   0.2180 i
0030: 6e 20 75 6e 6b 6e 6f 77   n unknow
0038: 6e 20 30 2e 30 2e 30 2e   n 0.0.0.
0040: 30 20 61 74 20 6f 66 66   0 at off
0048: 73 65 74 20 32 34 36 39   set 2469
0050: 36 63 39 61 0d 0a         6c9a..  


Trend Micro HijackThis 2.0.2 log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:14 PM, on 11/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\csrcs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
F3 - REG:win.ini: load=C:\WINDOWS\system\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\mEiLhAm\LOCALS~1\Temp\init.exe
O2 - BHO: (no name) - {0040a6fb-2ecf-491e-8ed6-764fc718c783} - C:\WINDOWS\system32\uysqnrdi.dll
O2 - BHO: IDM Helper - {0055c089-8582-441b-a0bf-17b458c2a3a8} - C:\Documents and Settings\mEiLhAm\Desktop\IDM v5.18 Build 3 Portable\IDMIECC.dll
O2 - BHO: (no name) - {020537d8-2ecf-491e-8ed6-764fc718c783} - C:\WINDOWS\system32\uysqnrdi.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {86e25736-febb-4c09-b636-5cb028898184} - c:\windows\system32\dtoknld.dll
O2 - BHO: link filter bho - {e33cf602-d945-461a-83f0-819f76a199f8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Documents and Settings\mEiLhAm\Desktop\IDM v5.18 Build 3 Portable\IDMan.exe /onboot
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\mEiLhAm\LOCALS~1\Temp\b.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: download all links with idm - C:\Documents and Settings\mEiLhAm\Desktop\IDM v5.18 Build 3 Portable\IEGetAll.htm
O8 - Extra context menu item: download flv video content with idm - C:\Documents and Settings\mEiLhAm\Desktop\IDM v5.18 Build 3 Portable\IEGetVL.htm
O8 - Extra context menu item: download with idm - C:\Documents and Settings\mEiLhAm\Desktop\IDM v5.18 Build 3 Portable\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248fe82-7fcb-46ac-b270-339f08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll <-- I think this is what prevents KIS from running normally. It was forced to run, but with limited function.
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: URLs c&heck - {ccf151d8-d089-449f-a5a4-d9909053f20f} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll <-- I think this is what prevents KIS from running normally. It was forced to run, but with limited function.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: adqfqpoe - C:\WINDOWS\SYSTEM32\dtoknld.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)

O23 - Service: avp - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 8228 bytes


blue = files that were deleted manually
red = suspected to be entries created by the viruses
purple = by gnush85
InvinceZ
Active Member
 
Posts: 1
Joined: November 6th, 2009, 8:42 am
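One way to triage a log like the one in the post above, as an added example written for this page (not code from the original post, the forum, or HijackThis itself): it parses HijackThis-style lines and flags the autostart entries that deviate from a clean install, which is how the Shell=, UserInit=, win.ini load=, Policies\Explorer\Run, RECYCLER and svchost.exe:ext.exe entries stand out. The sample lines are constructed from the post's log, and the "clean default" values and the `_after` helper are assumptions for an English XP install on C:.

```python
import re

# Constructed sample: HijackThis-style lines modelled on the ones quoted in the post above.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
F3 - REG:win.ini: load=C:\\WINDOWS\\system\\svchost.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\init.exe
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKCU\\..\\Run: [12CFG214-K641-12SF-N85P] C:\\RECYCLER\\S-1-5-21-0243936033-3052116371-381863308-1811\\vsbntlo.exe
O4 - HKLM\\..\\Policies\\Explorer\\Run: [csrcs] C:\\WINDOWS\\system32\\csrcs.exe
O23 - Service: FCI (fci) - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe:ext.exe
O23 - Service: avp - Kaspersky Lab - C:\\Program Files\\Kaspersky Lab\\avp.exe
"""

# Assumed clean values for an English XP install on C:; adjust for other layouts.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"
# "svchost.exe:ext.exe" names an NTFS alternate data stream hidden behind a real file.
ADS_RE = re.compile(r"^[a-z]:\\.*\.exe:\S+", re.IGNORECASE)
SUSPECT_DIRS = re.compile(r"\\(recycler|temp)\\", re.IGNORECASE)


def _after(line, key):
    """Return the text after key (case-insensitive), e.g. the value of 'Shell='."""
    return line[line.lower().index(key) + len(key):].strip()


def flag_persistence(log_text):
    """Return (reason, line) pairs for autostart entries that deviate from clean defaults."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        low = line.lower()
        if "system.ini: shell=" in low:
            if _after(line, "shell=").lower() != DEFAULT_SHELL:
                findings.append(("Shell= has an extra program appended", line))
        elif "system.ini: userinit=" in low:
            parts = [p.strip().lower() for p in _after(line, "userinit=").split(",") if p.strip()]
            if parts != [DEFAULT_USERINIT]:
                findings.append(("UserInit= runs more than userinit.exe", line))
        elif "win.ini: load=" in low:
            if _after(line, "load="):
                findings.append(("win.ini load= is non-empty (legacy autostart)", line))
        elif low.startswith("o4 - ") and "policies\\explorer\\run" in low:
            findings.append(("Policies\\Explorer\\Run autostart (rarely legitimate)", line))
        elif low.startswith("o4 - ") and SUSPECT_DIRS.search(line):
            findings.append(("Run entry launches from RECYCLER or Temp", line))
        elif low.startswith("o23 - service:") and ADS_RE.match(line.rsplit(" - ", 1)[-1]):
            findings.append(("Service binary is an alternate data stream", line))
    return findings
```

Running `flag_persistence(SAMPLE_LOG)` flags six of the eight sample lines; the IgfxTray and Kaspersky entries pass because they match the expected layout.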

Re: Super Persistent Viruses | userini.exe | virut? ...

Post by NonSuch » November 7th, 2009, 6:42 pm

You currently appear to be running a cracked version of the Windows operating system and therefore are not eligible for assistance from this site.

This site does not support the use of cracked/pirated software of any kind. Note that the use of such software is likely the source of your system's current infection. Further, we regard the use of such software as being the same as theft.

This topic is now closed.
NonSuch
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
