
Windows startup virus


This topic is locked
63 replies to this topic

#31 kevinmcgreal

  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Berea OH
  • Local time:03:22 AM

Posted 14 March 2013 - 09:14 PM

No change after combofix. Can't delete Ad-Aware. Same deal as AVG. I tried, it won't let me uninstall it or delete the directory with the files.

Tried to run c:\vssadmin list shadows. Couldn't do that either. Said I need to have administrator privileges.




#32 Oh My!


    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 15,914 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:22 AM

Posted 14 March 2013 - 09:57 PM

I modified the instructions for the cmd steps. Please retry.
Regards,
Gary

If I do not respond to you within 24 hours of your post please send me a Personal Message.


"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#33 kevinmcgreal


Posted 16 March 2013 - 12:25 PM

Gary, I tried the modified instructions.  When I right click on cmd I do not get an administrator option. Kevin



#34 Oh My!


Posted 16 March 2013 - 03:14 PM

Hi Kevin,

Sorry we are having such difficulties. Please do this.

===================================================

Taking Ownership of C:\ Drive

--------------------
  • Boot into Safe Mode from an Administrator account
  • Right click on Start then select Open Windows Explorer
  • Right click on Local Disk (C:) and select Properties
  • Click the Security tab then click Advanced
  • Click the Owner tab then select Change Permissions...
  • Left click on Administrators then select Edit
  • Under Full control check Allow then click OK
  • Click OK again then Yes to the warning screen
  • You will see a Setting Security information on: window
  • Click Continue on any error screens that pop up
  • Once completed, reboot your computer into Normal Mode
  • Attempt to launch a program that would not launch properly
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Were the permissions reset?

Regards,
Gary


#35 kevinmcgreal


Posted 16 March 2013 - 03:48 PM

No. Still not working. Full control was already set to allow. I unchecked and rechecked allow and booted system. Same issues. There were several error screens that I hit continue at for directories that could not be reset including the program files directory.

Also, something is definitely going on in the background. Every once in a while, a command prompt window opens, executes something and closes. Too fast to stop or see what it is.



#36 Oh My!


Posted 16 March 2013 - 04:34 PM

Hi Kevin,

Thanks for the additional information about the process running in the background. :thumbup2:

Please run these two programs for me.

===================================================

Running TDSSKiller with Changed Parameters

--------------------
  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters


  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now


  • Click Start Scan and allow the scan process to run


  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue


  • Click Reboot computer
  • Please zip and attach in your reply the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)
===================================================

aswMBR

--------------------
  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.


  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.


  • Please post the contents of the log in your next reply.
NOTE: aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Zipped TDSSKiller log
  • aswMBR log

Regards,
Gary


#37 kevinmcgreal


Posted 16 March 2013 - 04:58 PM

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-03-16 17:52:53
-----------------------------
17:52:53.857    OS Version: Windows x64 6.1.7601 Service Pack 1
17:52:53.857    Number of processors: 4 586 0x2505
17:52:53.857    ComputerName: KJM-HPDV5  UserName: 
17:52:54.700    Initialize success
17:53:24.059    AVAST engine download error: 0
17:53:49.580    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:53:49.580    Disk 0 Vendor: ST932032 0005 Size: 305245MB BusType: 3
17:53:49.596    Disk 0 MBR read successfully
17:53:49.596    Disk 0 MBR scan
17:53:49.596    Disk 0 unknown MBR code
17:53:49.612    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
17:53:49.627    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       271190 MB offset 409600
17:53:49.674    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        33751 MB offset 555806720
17:53:49.690    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0      103 MB offset 624928768
17:53:49.752    Disk 0 scanning C:\Windows\system32\drivers
17:54:00.688    Service scanning
17:54:27.395    Modules scanning
17:54:27.410    Disk 0 trace - called modules:
17:54:27.488    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll 
17:54:27.488    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800529d060]
17:54:27.504    3 CLASSPNP.SYS[fffff88000e3b43f] -> nt!IofCallDriver -> [0xfffffa8005131b10]
17:54:27.504    5 hpdskflt.sys[fffff880019ec289] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004fc5050]
17:54:27.520    Scan finished successfully
17:54:53.447    Disk 0 MBR has been saved successfully to "C:\Users\Kevin J McGreal\Desktop\MBR.dat"
17:54:53.463    The log file has been saved successfully to "C:\Users\Kevin J McGreal\Desktop\aswMBR.txt"




#38 Oh My!


Posted 16 March 2013 - 05:10 PM

Hi Kevin,

Nothing helpful there. Please run this tool.

===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Vista/7 users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • When prompted, Click Scan
  • When the Status box shows Scan Finished click Delete
  • Click Report
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • RogueKiller log

Regards,
Gary


#39 kevinmcgreal


Posted 16 March 2013 - 05:26 PM

RogueKiller V8.5.3 [Mar 16 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Kevin J McGreal [Admin rights]
Mode : Remove -- Date : 03/16/2013 18:23:10
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST9320325AS +++++
--- User ---
[MBR] b5db89c587992258a4d14e95c59a81eb
[BSP] 1c291c92239241a9f1c325ccd9ab0d1f : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 271190 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 555806720 | Size: 33751 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 624928768 | Size: 103 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[10]_D_03162013_02d1823.txt >>
RKreport[10]_D_03162013_02d1823.txt ; RKreport[1]_S_03072013_02d2057.txt ; RKreport[2]_D_03072013_02d2059.txt ; RKreport[3]_SC_03072013_02d2101.txt ; RKreport[4]_S_03082013_02d0108.txt ; 
RKreport[5]_D_03082013_02d0112.txt ; RKreport[6]_H_03082013_02d0114.txt ; RKreport[7]_S_03082013_02d0122.txt ; RKreport[8]_H_03082013_02d0122.txt ; RKreport[9]_S_03162013_02d1822.txt


#40 Oh My!


Posted 16 March 2013 - 05:34 PM

Hi Kevin,

We need to go even deeper into your computer. What we are going to do is extract information about your operating system even before Windows is loaded. Please do this for me.

===================================================

Ubuntu MBR and Driver Report Using a USB

--------------
  • You will need a USB device with at least 2 GB of space. Warning: During this process all information will be removed from your USB device.
  • Download Ubuntu Live Ubuntu 12.04 LTS (either 64 or 32 bit) and save it to your desktop. This is a large file so allow it some time to download.
  • Download Pen Drive Linux's USB Installer and save it to your desktop
  • Double click the Universal-USB-Installer icon, select Run, then I Agree
  • On the dropdown list under Step 1 select Ubuntu 12.04 Desktop you downloaded to your desktop


  • Select the Browse button under Step 2, locate, and double click the Ubuntu file you downloaded to your desktop


  • Select your USB device under Step 3


  • Place a check mark in the Format (your USB drive letter, i.e E):\ Drive (Erases Content) box
  • Disregard Step 4
  • Click Create, then Yes
  • Once the process has completed click Close
  • Download udriver.sh to your USB device
  • With the USB device inserted into the infected computer restart your computer
  • If your computer does not automatically boot from the USB device please see here
  • Select Run from USB device
  • Please allow the program to automatically load to the Ubuntu desktop
  • Select English, then click Try Ubuntu
  • Click on the Dash Home icon located just underneath the Ubuntu Desktop title bar at the top
  • Type terminal in the search box then press Enter
  • A command prompt window will open
  • Now please type the following and press Enter. Make sure there is a space between the different colors.

sudo dd if=/dev/sda of=mbr.txt bs=512 count=1

  • An mbr.txt file will be created in your Home folder
  • Type Exit then press Enter
  • Click on the Home Folder which is most likely the third icon down on the left
  • Under Devices please click the USB device (if that is not present remove the USB device and plug it back in)
  • Locate the udriver.sh icon listed in the USB contents window, right click, select Move to, then click Home
  • Close any open windows
  • Click the Dash Home icon (1st icon on left)
  • Select the Terminal icon
  • Type the following at the prompt and hit Enter

sudo bash udriver.sh

  • Wait until report.txt pops up or the command line indicates the search is finished. This can take a while, so please be patient!
  • The report.txt file will be located in the Home folder (same folder as mbr.txt)
  • Type the following at the prompt and hit Enter

sudo bash udriver.sh -af

  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the last search is complete please type Exit and press Enter
  • Click the Home Folder
  • Right click on filefind.txt, and select Send to...
  • Click the drop down list next to Send as:, select Removable disks and shares, click the USB device (may be there by default), then click Send
  • Repeat these steps for report.txt
  • Remove the USB device from your computer
  • In the upper right hand corner of your screen select the icon just to the right of the time
  • Click Shut down..., then Restart
  • Your computer should reboot into Windows
  • Insert the USB device back into your computer
  • Zip the report.txt file and attach it to your reply. Attach but do not zip the mbr.txt and filefind.txt files.
===================================================

Things I would like to see in your next reply. :thumbsup2:
  • report.zip
  • mbr.txt
  • filefind.txt

Regards,
Gary

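The `dd` step above copies the first 512-byte sector of the disk into mbr.txt, which is why it needs "a special program to read it". The script below is an added example, not part of the thread or of any tool it mentions: it parses such a sector (0x55AA signature, four 16-byte partition entries) and checks that the table agrees with the partition layout aswMBR and RogueKiller printed earlier in the thread. The MBR bytes it works on are constructed from those reported values, not the user's real dump.

```python
"""Parse a raw MBR sector, such as the mbr.txt written by
`dd if=/dev/sda of=mbr.txt bs=512 count=1`, and cross-check its partition
table against the layout a scanner reported."""
import hashlib
import struct

SECTOR = 512
PART_TABLE = 446                    # boot code occupies bytes 0..445
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA, count
SIGNATURE = b"\x55\xaa"             # bytes 510..511 of every valid MBR

# Layout aswMBR and RogueKiller printed in the thread:
# (LBA start in sectors, size in MiB, partition type, active flag).
REPORTED = [
    (2048,      199,    0x07, True),   # NTFS system partition, active
    (409600,    271190, 0x07, False),  # NTFS Windows volume
    (555806720, 33751,  0x07, False),  # NTFS recovery volume
    (624928768, 103,    0x0C, False),  # FAT32 LBA tools partition
]


def build_sample_mbr(layout=REPORTED):
    """Constructed 512-byte MBR carrying the given partition table.

    The boot code is filler: only the first four bytes (xor ax,ax / mov ss,ax)
    are real x86, the rest is NOPs. The entries are derived from `layout`.
    """
    boot_code = b"\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE - 4)
    table = b""
    chs = b"\xfe\xff\xff"           # CHS fields are ignored on LBA disks
    for lba, size_mib, ptype, active in layout:
        sectors = size_mib * 1024 * 1024 // SECTOR
        table += ENTRY.pack(0x80 if active else 0x00, chs, ptype, chs, lba, sectors)
    return boot_code + table + SIGNATURE


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes, got %d" % len(sector))
    if sector[510:512] != SIGNATURE:
        raise ValueError("boot signature 0x55AA missing; not an MBR")
    parts = []
    for i in range(4):
        off = PART_TABLE + ENTRY.size * i
        status, _, ptype, _, lba, count = ENTRY.unpack(sector[off:off + ENTRY.size])
        if ptype == 0:              # empty slot
            continue
        parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "size_mib": count * SECTOR // (1024 * 1024)})
    return parts


def check_layout(parts, reported=REPORTED):
    """List disagreements between the raw table and the scanner's report.

    Empty means the sector says what the tools said; anything else is the
    place an analyst looks next.
    """
    problems = []
    if len(parts) != len(reported):
        problems.append("%d entries in MBR, %d reported" % (len(parts), len(reported)))
    for p, (lba, size_mib, ptype, active) in zip(parts, reported):
        if (p["lba_start"], p["size_mib"], p["type"], p["active"]) != (lba, size_mib, ptype, active):
            problems.append("slot %d differs from report" % p["slot"])
    for a, b in zip(parts, parts[1:]):  # partitions must not overlap
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("slot %d overlaps slot %d" % (a["slot"], b["slot"]))
    return problems


def boot_code_md5(sector):
    """MD5 of the 440 boot-code bytes (before the disk signature), for
    comparing a dump against a known-good MBR image of the same Windows."""
    return hashlib.md5(sector[:440]).hexdigest()
```

To run it on a real dump, read mbr.txt in binary mode and pass the bytes to `parse_mbr`; the boot-code hash is only meaningful next to a reference image from the same Windows version.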

#41 kevinmcgreal


Posted 16 March 2013 - 08:24 PM

Search results for Winlogon.exe
 
 
Search results for volsnap.sys
 
 
Search results for explorer.exe
 
 
Search results for Userinit.exe
 




#42 Oh My!


Posted 16 March 2013 - 08:41 PM

Hi Kevin,

The MBR report needs to be attached. It requires a special program to read it.
Regards,
Gary


#43 kevinmcgreal


Posted 16 March 2013 - 08:58 PM

mbr attached
filefind attached




#44 Oh My!


Posted 16 March 2013 - 09:23 PM

Hi Kevin,

So far everything looks fine.

Are you logged in as an Administrator?

Please run this fix for me to see if we can repair the right click Run as Administrator option.

===================================================

Adding Run as Administrator in Context Menu for Windows 7

--------------------
  • Download Restore_Run_as_administrator.reg and save it to your desktop
  • Double click the icon and select Yes
  • You should receive confirmation the information was successfully added
  • Reboot your computer and check its performance
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Is the Run as Administrator option available?

Edited by Oh My, 16 March 2013 - 09:24 PM.

Regards,
Gary


#45 kevinmcgreal


Posted 16 March 2013 - 10:44 PM

The run as admin option is available for most programs.  Not for "Run" though.  I am able to load many of the programs using run as admin that wouldn't otherwise run at all. Some work, some don't.  iTunes will load but not play anything.





