Advice from MVPs Please

Daniel Mokoy

Can anyone in the US advise me on these entries? I'm working on an infected PC for someone in the US, but I'm in the UK so cannot be sure if these are bogus or genuine.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.comcast.net/

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.comcast.net/

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


The PC is an HP and I know they use Comcast and AOL, but any feedback on this would help me a lot. There's a never-ending amount of scumware on this PC: worms, viruses, adware, spyware, all sorts of scum files. But these entries are bothering me, and the only people I can email about this are in the UK also. For me, I just have Yahoo as a search page and this amount of entries seems a lot.

We have removed a lot of scum (Webrebates, Wildtangent, Iproposmedia, ISTbar, Windupdates, DealHelper, SideFind, Virtual Bouncer, Elite Sidebar to name a few) but also keylogging worms and viruses, so I'm sure I'm missing something but cannot find the problem if it still remains.


Thanks Danny
 
Bill Sanderson

Interspersed:

Daniel Mokoy said:
Can anyone in the US advise me on these entries? I'm working on an infected PC for someone in the US, but I'm in the UK so cannot be sure if these are bogus or genuine.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm

Hmm - no opinion--probably should have one, but I don't find that file on my XP SP2 system. There is an inbuilt blank page, but about:blank is also a nasty hijack, and I'm not the right one to tell you for sure what it looks like on the ground.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

This is a legit default entry.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop

Don't have a Presario to look at, but this looks OK.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.comcast.net/

This also looks OK.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop

See above--looks OK to me.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop

Ditto.


HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm

See the first comment--probably fine.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

This is OK.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop

I think this is fine, as above.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.comcast.net/

This is fine.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Looks OK to me.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop

Looks reasonable.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

This one is a standard default.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

Looks good.

All in all--I believe you when you say it may still have something in place,
but I don't see anything in these settings to prove it, except for the
blank.htm, which may well be legitimate.
 
Daniel Mokoy

Thank you for the reply Bill, that's very kind of you to help me out. It's a relief these are genuine. I know if you go to Internet Options you get an option to use blank, so this is probably what the first one relates to, but it was the rest that bothered me, so you've answered that for me.

Maybe I'm being a bit over-cautious on this, but they are the only entries I wasn't sure about.

The PC is showing clean now on lots of scanners, but had an entry before which said it was detected as A1 adware, so I was thinking maybe something was still present.

I must admit I've not heard of A1 adware and thought MS Antispy was dubbed A1 at some stage, which they have installed, but I'm only guessing on this. Apart from that, everything else is working well and the user is really happy with the difference in speed and booting up, but I just didn't want to leave them with any problems, so thought this forum would be best as I know it has a lot of US users.

Thanks again Bill

Have a great night

Danny
 
DanielMokoy

Thanks also to Andre for the second opinion, it's good to know there are people on here who will help.

The only other thing that bothered me was this entry in the HijackThis log:

F2 - REG:system.ini: UserInit=userinit.exe

I've not seen an F2 entry before and know this is used for Windows logon, but think it may not be genuine. I know we cannot touch it though, as if it's genuine all the hard work has gone in a flash if they cannot log on anymore, but I know this isn't for HijackThis logs, so I'll just see how the user gets on with it still listed.



Take Care


Danny
 
Bill Sanderson

I think that's OK. I'm not accustomed to looking at HijackThis logs, but here's what Microsoft Antispyware says about the UserInit entry on my XP SP2 machine (Tools, Advanced Tools, System Explorers, Startup Programs):

Microsoft Userinit Logon Application

File name: userinit.exe

Description: Userinit Logon Application

Publisher: Microsoft Corporation

File path: e:\windows\system32\userinit.exe

File version: 5.1.2600.2180

This is a known spyware free process that uses autostart properties to run.

Location details: Program located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit

Technical Details:

Original file name: USERINIT.EXE

MD5: 39b1ffb03c2296323832acbae50d2aff
 
Bill Sanderson

Hmm - I've now read Gunilla's post. I don't have any such entry in system.ini. What Windows version?
 
Bill Sanderson

Not sure what the A1 reference is. I did read up a bit given your
reference:

http://www.microsoft-watch.com/article2/0,1995,1747802,00.asp

I think A1 isn't what we are testing, but my guess is that A1 will include
the capabilities seen here, and lots more.

I'm backtracking on my OK on your userinit entry. I want to know where
that's coming from and what OS version. I'm not familiar enough with
HijackThis logs to be sure this is the same entry I am seeing as a
legitimate userinit entry on XP--the system.ini string worries me.
 
Gunilla

I have just sent him another link to the bleepingcomputer.com forums with an excellent explanation of HJT's log. Hope that will help him.

Gunilla.
 
Bill Sanderson

Thanks - I looked at the HJT tutorial example of how a userinit entry should
read, and it looks good to me.
 
Bill Sanderson

And I'll backtrack again. I've read Gunilla's cited HJT tutorial at
Bleeping computer, and the userinit entry looks proper to me. I don't see
anything to worry about in what you've posted here.
 
Gunilla

And thanks to you who are so kind and helpful. :))
Goodnight...the time is late here now and the birds will wake me up in just
some hours.

Gunilla.
 
DanielMokoy

Thank you Bill & Gunilla, you both have really gone out of your way to help me on this and I really appreciate it.

Sorry I didn't reply. I'm in the UK and it was late last night when I posted, and I've just finished a 13 hour shift, so have just got back on the PC to read your replies.

The PC which had all the infections is Windows XP Home with Service Pack 2.

I've not had time yet to see if they are having any more problems, but some of the worms found were very nasty and opened backdoors and set restrictions for the user. Also System Restore and antivirus programs wouldn't work, and online scanners and all the usual Ad-Aware, CWShredder and Spybot were all shutting down while they scanned.

I've been helping on this for over a week now and was going to just say format the PC and do a fresh install, but they really didn't want to do that and said they wanted to try to contain it. So we took all the scum files off one by one and ran various programs to identify the malware (DLL Compare, Silent Runners, HijackThis, L2MFix, MicroWorld's eScan, DelDomains etc.) and think we have cleaned it all up, as now the PC is working a lot faster, all scans are working and showing clear, and everything has been reset. But it's hard to know if there is anything I missed, and I am at the point now where I'd like to say that's it, job done, but these entries still bother me a bit, so I wanted to get a second opinion on them. I've used HijackThis a lot and haven't seen an F2 entry before, so this is what made me think it may not be genuine, but I can pretty much rule out the rest as being part of her system or essential programs. I know one of the worms involved uses Windows filenames and terminates a lot of genuine files, so it's a bit of guesswork whether the system32 files are the genuine ones and not replaced with malware files. I told them to run SFC /SCANNOW but I'm not sure they have followed that advice. The only entries I really cannot be sure of are these:

F2 - REG:system.ini: UserInit=userinit.exe

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll


I know I've added an extra one, but to be honest I'm not sure about this either. I know the file name is used by Intel Corp, but if that's the case I don't think it should be in the system32 folder, and the O20 entry is another which isn't shown often in a HijackThis log, except for Look2Me and VX2 malware, but I'm sure there are genuine entries sometimes under this also. I appreciate the help you guys have given me and think the main problems are under control, but if I could clear these up I'd feel a lot better. I'm going down a blind alley, so to speak, as I've not seen these entries before in a HijackThis log, so I don't want to guess one way or the other for now. I know there are forums who help with HijackThis, but they are all getting swamped with problems, so I think I'd have to wait a week or two to get a reply, which isn't that helpful if they then say they don't know for sure.

But thanks again Bill and Gunilla, you have helped a lot with the advice and the links you gave, so I will check them later tonight as it's 8pm here and I've just got in from work.


Thanks Danny
 
Bill Sanderson

Daniel - I'm having some trouble pinning down the IGFX stuff.

My optimistic side says they are Intel Graphics adapter related, but that
may be just what someone else wants.

IGFXCUI can definitely be a legitimate registry entry for an Intel context
menu handler.

I would recommend that the user use either Explorer or Microsoft
Antispyware's system explorers to examine the igfxsrvc.dll and see whether
it has appropriate copyright details, etc, indicating an Intel source.

It would also be comforting to know that they are running a motherboard with
an Intel chipset and Intel video adapter hardware.
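One way to carry out the checks discussed in this thread on the affected machine, as an added example that is not code from any poster: it reads the Internet Explorer Main values for both hives, the Winlogon Userinit value (the HijackThis F2 entry) and the Winlogon\Notify DLLs (the O20 entries), compares the IE values with the defaults Bill confirmed above and reports Authenticode status and the publisher from the version resource for each binary. It assumes Windows PowerShell 5.1 or later on a supported Windows release (not the XP box itself), and treats the HP redirector prefix as an OEM-specific baseline only for a Presario image like the one described.

```powershell
# Added example, not from the thread. Known-good strings are the entries Bill
# judged legitimate above; anything else is flagged for a human to review.
# Assumes Windows PowerShell 5.1+, run in the affected user's session.

$ieValues = 'Local Page','Search Page','Search Bar','Start Page',
            'Default_Page_URL','Default_Search_URL'
$knownGood = @(
    'C:\WINDOWS\system32\blank.htm',
    'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch',
    'http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome',
    'http://www.comcast.net/'
)

foreach ($hive in 'HKCU','HKLM') {
    $key   = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $ieValues) {
        $v = $props.$name
        if (-not $v) { continue }
        # OEM redirector prefix is an assumption specific to the Presario image
        $flag = if ($knownGood -contains $v -or $v -like 'http://ie.redirect.hp.com/*') { 'baseline' } else { 'REVIEW' }
        '{0,-5} {1,-20} {2,-9} {3}' -f $hive, $name, $flag, $v
    }
}

# F2 entry: Userinit should point at the Microsoft binary under system32
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty $wl).Userinit
"Userinit = $userinit"
foreach ($exe in $userinit -split ',' | Where-Object { $_ }) {
    $p = $exe.Trim()
    if (-not (Test-Path $p)) { "  REVIEW: $p does not exist"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $p
    $co  = (Get-Item $p).VersionInfo.CompanyName
    '  {0}  signature={1}  company={2}' -f $p, $sig.Status, $co
}

# O20 entries: every Winlogon\Notify subkey names a DLL loaded into winlogon
Get-ChildItem "$wl\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll  = (Get-ItemProperty $_.PSPath).DLLName
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot "System32\$path" }
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $co  = if (Test-Path $path) { (Get-Item $path).VersionInfo.CompanyName } else { 'MISSING' }
    '  Notify\{0,-12} {1}  signature={2}  company={3}' -f $_.PSChildName, $path, $sig.Status, $co
}
```

A CompanyName of "Intel Corporation" with a Valid signature on igfxsrvc.dll is the evidence Bill asks for above; a missing file, an unsigned binary or a publisher that does not match the vendor is what to escalate.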
 
DanielMokoy

Hi Again Bill

What would this Microsoft forum be like without you? I can see your posts everywhere on here and you are helping so many people. All I can say is thank you very much, you're very kind to offer your time and experience to help us.

Also Andre, Gunilla and the other helpers, thanks for making this a trusted place to get advice. There are not many forums like this around in my experience, and I hope Microsoft really appreciates everything you are doing to help their users.

With my HijackThis doubts I think I will get them to upload both files to Jotti's site to scan them:

http://virusscan.jotti.org/

Then I'll also take your advice Bill and see what the files exactly say. I don't think the user is aware of what's exactly in their PC. They are learning a lot from this malware experience, like we all have in the past, so it's good they will now know the signs that things are not going well.

They seemed to let them all build up to a point where the system couldn't cope and things were conflicting everywhere. I'd love to get their PC for a day and just sort the stuff out, but with advising through emails it's hard to always get the right response from them, and they seem to miss a lot of the steps I advise them on and are looking for a quick fix. They keep downloading stuff that says it fixes this or that, and to me this seems half their problem, as they don't know the source a lot of the time. But hey, it's their PC, so I can only advise on this.

I'll pass on your advice and see how it goes, and try uploading them to Jotti's site to be sure. Then I think I've done my good deed for the day with that one and will offer my help to them if they ever need it again.

Once again thank you for making this site so friendly and helpful. From what I can see it wouldn't be that way without you main guys, so you all deserve a present from Microsoft in my view, as in a ton of free software and a few free shares in MS ;o)

All the best to you

Danny
 
Bill Sanderson

Thanks. Jotti's site is a test--I'm not sure I'd say a good test yet-- I
don't have a clear picture of the extent to which the included scanners
cover spyware. In the few submissions I've done since this beta started, at
least one was detected as spyware, but only by one vendor out of the bunch,
as I recall.
 
DannyMokoy

Hi again Bill, yeah I'm really not sure to be honest about these entries, and the user has said that System.ini is showing up in their Startup tab on msconfig, so this makes me now believe it's not genuine. They also have MediaPass and WildTangent showing in a registry log we did, so I think there's still some work to do. I've just got in from work and have received a log from them from MicroWorld's eScan and Reg Mechanic, so I will see how they look, then take out the malicious entries and take it from there.

Thanks for the advice anyway Bill

Cheers Danny
 