"Spyware Protect 2009" hacked me...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by billmoz, Feb 14, 2009.

  1. billmoz

    billmoz Private E-2

    I got whacked with an infection from the "Spyware Protect 2009" program when visiting a New Zealand wine website (of all places) yesterday afternoon. I had Spybot S&D TeaTimer running then which stopped a lot of the crap from installing but enough got past it and so my PC got infected.
    So I was able to remove the "Spyware Protect 2009" stuff manually following the instructions from another website, as well as a WINDOWS\services.exe app that kept trying to install (but was being blocked by TeaTimer), using Symantec Corporate AV, Autoruns, and Spybot.
    It was after that and I was still having issues (couldn't start Windows Firewall for example and was always being redirected when using IE) that I discovered your website very late last night and so I methodically followed all your instructions for cleaning and taking logs. I now have all the logs in place and so need your advice on what is needed to get my PC perfectly clean to be 100% safe. I know that my Network Connections app is still not working correctly for example (always says that I am disconnected when I know I am not). The 3 basic logs are attached. Thank you for your help!

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We still need the log from running the MGTools.exe --> C:\MGLogs.zip.
     
  3. billmoz

    billmoz Private E-2

    No worries TimW, it is now attached.
    -BillM

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs.......but I would like to know if you made some user changes:

    Code:
    "C:\WINDOWS\system32\"
    userinit.exe  Feb 13 2009       22528  "userinit.exe"
    
    And did you disable this:
     
  5. billmoz

    billmoz Private E-2

    I did not make any changes to the userinit.exe file. I did notice this file after the infection as it was modified at exactly the same time that I was attacked - Feb 13 2009 at 4:50pm. Hence, when I looked in the system32 folder and arranged the files by "date modified", I saw that userinit.exe was grouped in with all the malware files that were created at the same time (and that I have since deleted). Note that when I was first attacked, the malware did shut down my system and so I had to reboot. Is it possible the hack edited this file then? Why? If so, can I delete it and create a new one that I know is safe?

    I did turn off the hp wireless assistant - issues with the wireless connection whenever I use a wireless phone nearby - which didn't work by the way! Should I turn it back on?

    Also note that the Wireless Network Connection and Wired Network Connection icons in the Network Connections group do not update with my connection status - they both always show that the PC is not connected and show no IP address even if I am connected (with a valid IP address as shown by IPCONFIG). I only saw this since I was attacked so is this related to the hack?

    Thanks for your help. Good news that the logs came up essentially clean though...
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The file was actually smaller than it should be for sp3. You can go here and copy and paste it back into the system32 folder:
    C:\WINDOWS\ServicePackFiles\i386\userinit.exe

    I am not sure what the problem is with the internet icons. You are saying that ipconfig shows the proper settings, but the icons do not "work"? We may have to have you post in software for this...:confused
     
  7. billmoz

    billmoz Private E-2

    Will do on replacing the userinit.exe file in the system32 folder with the one in the i386 folder. I am guessing the other file is the right size?
    So am I 100% malware and virus free then - the hack editing my original userinit.exe file is nothing to be too concerned about?

    I will work on reinstalling the Network drivers etc to see if I can get that issue fixed separately.

    Thanks!
     
  8. billmoz

    billmoz Private E-2

    It appears that I actually have 2 userinit.exe files in my System32 folder :confused - one that was seemingly 'created' by the hack on 2/13/09 @ 4:50pm that is 22KB in size and the other which is seemingly genuine (and is an exact replica of the file in the i386 folder) that is 26KB in size, is registered to Microsoft Corp, and is version 5.1.2600.5512. So I simply renamed the hacked version and deleted it from the folder. Is that OK? I want to be sure before I reboot the system...
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry for the delay....yes, that was the right thing to do. You can get assistance if you need in the software section for your network drivers....they should be on the manufacturer's website.

    Are you still having malware issues?

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  10. billmoz

    billmoz Private E-2

    Tim,

    Yes all is good now. I reinstalled the wired and wireless network connection drivers and that took care of the updating issue!

    Thanks for the help! First time being hacked like that and so a little scary on how to deal with it all...
    -Bill
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know......safe surfing. :)
     
  12. billmoz

    billmoz Private E-2

    Sorry to bother you again but I need to check quickly if I am still suffering from the hack of last week. As I told you, I have had problems with the Wired and Wireless Internet Connections which I seemingly fixed by uninstalling and reinstalling the drivers. However, the problem reappeared yesterday (ie, the icons don't update to the current connection status) and so today I decided to do a complete clean and start over (besides just uninstalling the drivers) by physically deleting the relevant SYS files in the WINDOWS\system32\DRIVERS folder. The wireless driver deletes no problem but whenever I delete the wired driver, it reappears almost immediately in the DRIVERS folder :confused. I have no experience with this but is this normal? Doesn't seem so to me so I am worried that the malware is still around doing this (for whatever reason - and I am sure it is not good!!).
    Any ideas?
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  14. billmoz

    billmoz Private E-2

    Which log do I post - the sysclean.log or report.log?

    Note that the wired driver still appears after deleting even after running sysclean and that the wired and wireless connection icons still do not update. In fact the wireless connection is not working at all - I am sending this from another computer till I get the connection issue fixed.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The log from running sysclean......or both. :)

    Did you remove that file?
     
  16. billmoz

    billmoz Private E-2

    OK, I got the wireless connection working (even though I am told that it is disconnected??) and am posting the sysclean.log. Fingers crossed that it tells you what is going on here as this is very frustrating - and a little scary if indeed my connection drivers have been hacked??

  17. billmoz

    billmoz Private E-2

    Yes, I removed the 'stus.exe' file first. Was this linked to the bogus init.exe file that was installed by the malware?

    After deleting, I ran sysclean.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    All it found was cookies...:(

    Your system is clean, so all I can think is this is a software issue. Are you using windows to configure your network? When you go to the properties for both the wired and wireless I assume they both have the check mark to show in the tray when connected?

    Yes it was connected to the fake userinit file.
     
  19. billmoz

    billmoz Private E-2

    Bummer on only finding cookies as an issue. Now what?

    OK, a search suggested using WinSockFix.exe to fix faulty network connections after cleaning up a malware infection. Is this a good idea in your opinion? I hope you know about this program...
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That is only used when you can not access the internet.....which you can do. Your only problem is you are not getting an accurate icon showing when you are connected. This is something you should take up in the software forums.
     
  21. billmoz

    billmoz Private E-2

    Hi again. I just installed PC Tools Firewall Plus and found that "userinit.exe", the file that was originally hacked by the malware a week or so ago, is trying to access the internet using Symantec User Session (I have Norton AV Corporate 10 installed).
    I did a quick search and found that userinit.exe should apparently not be trying to access the internet so do I still have a problem here?
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you tell me what the file size is for that? If you have a problem with that, I will need either a new MGLogs.zip or a combo log.
     
  23. billmoz

    billmoz Private E-2

    I am guessing you are asking about the userinit.exe file, correct? Here are the details of the file located in the system32 folder right now:
    It is 25.5KB in size, is registered to Microsoft Corp, and is version 5.1.2600.5512 (making it exactly the same when I last checked as shown in Message 8 of this thread.)
    Is the fact that it is trying to access the internet a problem then?

    Also note that when I initially installed PC Tools Firewall Plus on this PC, an error came up saying that Norton Worm Protection needed to be switched off before proceeding with the install (I ignored it and installed anyway). First, I don't have that program installed on my PC (just Symantec AV 10, Corporate Edition) and second, I did not get this message when installing the Firewall on another PC in my office here (which also has the same Symantec AV program running). This may be important...or it may be not, but I thought it could help if there is still a problem!
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well... for sp3 the file size should be :
    "C:\WINDOWS\ServicePackFiles\i386\userinit.exe" 26112

    I am not sure why you are getting this file in a reduced size or from where.

    Replace it again and disconnect from the internet and run the Combo scan and a new MGlogs.
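    The size check Tim is doing by hand above can be scripted; this is an added example, not something from the thread or from MajorGeeks. It compares a candidate copy of userinit.exe against the ServicePackFiles reference by byte size and SHA-256. The 26112-byte figure and the two Windows paths are the ones quoted in this thread; the sample bytes in the demo are constructed, not real binaries.

```python
import hashlib
from pathlib import Path

# Size TimW quotes for the SP3 copy at C:\WINDOWS\ServicePackFiles\i386\userinit.exe
EXPECTED_SP3_USERINIT_SIZE = 26112

# Paths from the thread (Windows XP); only used by compare_files on a real box.
SYSTEM32_USERINIT = r"C:\WINDOWS\system32\userinit.exe"
SP3_REFERENCE_USERINIT = r"C:\WINDOWS\ServicePackFiles\i386\userinit.exe"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def compare_to_reference(candidate: bytes, reference: bytes,
                         expected_size: int = EXPECTED_SP3_USERINIT_SIZE) -> dict:
    """Return findings about a candidate file versus a known-good reference copy.

    A file is flagged suspicious if its size is not the expected size or its
    hash differs from the reference; a size match alone is not enough, which
    is why the hash comparison is included.
    """
    findings = {
        "candidate_size": len(candidate),
        "reference_size": len(reference),
        "size_matches_expected": len(candidate) == expected_size,
        "hash_matches_reference": sha256_hex(candidate) == sha256_hex(reference),
    }
    findings["suspicious"] = not (findings["size_matches_expected"]
                                  and findings["hash_matches_reference"])
    return findings


def compare_files(candidate_path: str = SYSTEM32_USERINIT,
                  reference_path: str = SP3_REFERENCE_USERINIT) -> dict:
    """Read both files from disk and compare them."""
    return compare_to_reference(Path(candidate_path).read_bytes(),
                                Path(reference_path).read_bytes())


if __name__ == "__main__":
    # Constructed demo data: a "good" copy of exactly the expected size and a
    # 22528-byte truncation, the size of the file TimW asked about in post 4.
    reference = b"MZ" + b"\x00" * (EXPECTED_SP3_USERINIT_SIZE - 2)
    bogus = reference[:22528]
    print(compare_to_reference(bogus, reference))
```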
     
  25. billmoz

    billmoz Private E-2

    Oh, I just can't read the Property details properly. Right clicking on the userinit.exe file and selecting "Properties" gave the following data:
    Size: 25.5 KB (26,112bytes)
    Size on disk: 28.0 KB (28,672bytes)

    So it has the size that I quoted originally (25.5KB) as well as the size you expected (26,112bytes). So no problems there after all, right? :-D However, the "dates" are not the same for the 2 files...in the i386 folder, userinit.exe was created on July 18, 2008 and modified on April 13, 2008 (before it was created??) whereas in the system32 folder, it was created on August 4, 2004 and modified on April 13, 2008. Is this strange?

    And is it a problem that userinit.exe is trying to access the internet?

    I will go ahead and remove the system32 file anyways and replace with the i386 file and see what happens after rebooting (ie, does it try to access the internet again)....
     
  26. billmoz

    billmoz Private E-2

    OK then Tim. It appears that the system32/userinit.exe file is a problem as it reappears in the system32 folder as soon as I delete it. So I cannot install the i386 file in the system32 folder (even when I say overwrite the original when copying, it is still the file created in 2004 that is there!)...:confused
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then it is the right size.....and yes it should be allowed to access the internet.
     