Desktop and Browser Hijacked



#1 Gangelbaby

Posted 10 February 2009 - 05:39 PM

I have been having problems with my computer for the last couple of months... to the point of a system recovery once last month. I am running an HP Pavilion with XP Home Media Edition. At first it was just small things like an occasional redirect of my browser, or the browser just closing suddenly on its own. Then the problems started getting worse and more frequent. The recovery seemed to have helped short term, but then the same things started happening again. I have always used Windows Defender and AVG Free to protect my PC; however, neither of them was picking anything up out of the ordinary. So, I downloaded Spybot Search and Destroy... it found malware... Vundo; however, it couldn't get rid of it. Then I downloaded the Malwarebytes program, same problem, it found the nasty stuff, but could never fix it completely. Seems it helped some; however, the problem is back full force now. Currently, I am using Norton Anti-Virus, which, again, is picking tons of stuff up, but only healing a fraction of it. It says it has quarantined stuff; however, my computer is still doing its own thing.

Last night I couldn't stay online, was getting win32 errors and the computer kept rebooting itself. After using Norton today, I seem to have at least temporarily fixed that; however, I traded it for more problems. My Documents keeps coming up for no reason, my desktop is hijacked with some big flashing warning thing on a black screen that says "WARNING Danger Spyware, many viruses were found on your computer such as: TrojanHorse, PassCapture, etc. Your personal information can fall into the "third hands". Please check up the computer with a special software. Thank." I don't think this is from my system, and when I right click to Properties, my Desktop tab is frozen... I cannot change it to anything else. Also, every time I click to open a file on my computer, it freezes up temporarily and then opens my browser to some site that is alerting me to problems on my computer.
It's just really insane, and I have absolutely no idea what to do besides a system recovery, which I am afraid will only temporarily fix it. Is there anything I can do, or any suggestions? I have downloaded HijackThis and installed it in my programs... ran a report; however, I really am afraid of doing much, as I have no idea what I'm doing when it comes to these files. Any help would be greatly appreciated.

Thank You,

ang

Edited by The weatherman, 10 February 2009 - 05:42 PM.
Moved to a more appropriate forum~TW




#2 garmanma

Posted 10 February 2009 - 08:05 PM

ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

Now SAS, may need an hour
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Mark

#3 Gangelbaby (Topic Starter)

Posted 12 February 2009 - 08:11 AM

OK... after I posted that problem, I ran the ATF Cleaner, then ran Malwarebytes again.... that seemed to have given me control back of my PC at least. However, I had a feeling some residual was still lurking; it just seemed too easy. I have run Malwarebytes a couple of times since then and every time I do, it's still picking up something in my system32... userinit.exe, which from what I can tell is a pretty vital application, so not sure what to do about that. But Malwarebytes heals it each time and it seems to not be an issue. When I saw your post, as soon as I returned after running those, I went ahead and ran the SAS and it appears it found a whole new list of issues. Logs came back as below. (I did forget to run the ATF Cleaner again before I started though, but like I said, I only ran it before the Malwarebytes.) Thank you very much for your help, and please let me know if there are more steps I should take. For the moment it seems to be alright, but I want to be sure.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/12/2009 at 06:15 AM

Application Version : 4.25.1012

Core Rules Database Version : 3754
Trace Rules Database Version: 1718

Scan type : Complete Scan
Total Scan Time : 03:46:45

Memory items scanned : 210
Memory threats detected : 0
Registry items scanned : 5965
Registry threats detected : 9
File items scanned : 285509
File threats detected : 60

Adware.Tracking Cookie
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@apmebf[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@realmedia[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@interclick[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@casalemedia[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@media6degrees[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@dynamic.media.adrevolver[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.pointroll[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@statcounter[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@insightexpressai[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adopt.euroclick[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@fastclick[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adtracker.socialmedia[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@rocku.adbureau[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@questionmarket[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@bs.serving-sys[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atdmt[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@richmedia.yahoo[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@iacas.adbureau[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@hotlocalsexdates[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@revsci[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@statse.webtrendslive[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.bleepingcomputer[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adrevolver[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.ad4game[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@socialmedia[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@a1.interclick[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@warnerbros.112.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@cgi-bin[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@247realmedia[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@112.2o7[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@serving-sys[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@mediaplex[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@journalregistercompany.122.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@tribalfusion[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@hitbox[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@stats.townnews[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@content.yieldmanager.edgesuite[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adinterax[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@zedo[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@burstnet[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@advertising[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@media.adrevolver[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ehg-usoc.hitbox[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ak[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@doubleclick[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.socialreach[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@content.yieldmanager[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.burstnet[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adbrite[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@track.mtrgsrv[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@members.realsexdates[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@clicksense[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@avgtechnologies.112.2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@wmvmedialease[1].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\20DB667C
HKLM\Software\Microsoft\20DB667C#20db667c
HKLM\Software\Microsoft\20DB667C#Version
HKLM\Software\Microsoft\20DB667C#20dbcbfc
HKLM\Software\Microsoft\20DB667C#20dba219
HKU\S-1-5-21-4036478607-2285362774-1446435239-1007\Software\Microsoft\CS41275
HKU\S-1-5-21-4036478607-2285362774-1446435239-1007\Software\Microsoft\FIAS4018

Rogue.RapidAntivirus
HKU\.DEFAULT\Software\Rapid Antivirus
HKU\S-1-5-18\Software\Rapid Antivirus

Rogue.FakeAlert/Wallpaper
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K1ENS9QJ\WARNING[1].GIF
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\UNS18Z0T\WARNING[1].GIF

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\O9I74HEJ\WINLOGON[1].HTM
C:\WINDOWS\SYSTEM32\998.EXE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\UZEFYD4F\WINLOGON[1].HTM

#4 DaChew

Posted 12 February 2009 - 08:38 AM

Would you post 2 or 3 of the MBAM logs that show some of the infection?
Chewy

No. Try not. Do... or do not. There is no try.

#5 Gangelbaby (Topic Starter)

Posted 12 February 2009 - 01:20 PM

This was the first one I got; after this, I seemed to regain my PC back....

Malwarebytes' Anti-Malware 1.33
Database version: 1744
Windows 5.1.2600 Service Pack 3

2/10/2009 5:37:57 PM
mbam-log-2009-02-10 (17-37-57).txt

Scan type: Quick Scan
Objects scanned: 75779
Time elapsed: 21 minute(s), 47 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ftutil2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaknbngsqj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaulcedalq.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\senekajwhgkikx.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekamuwgbmji.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Since then, this is what I get every time..... (note the userinit.exe that is just bugging the heck out of me lol)

Malwarebytes' Anti-Malware 1.33
Database version: 1744
Windows 5.1.2600 Service Pack 3

2/10/2009 6:41:15 PM
mbam-log-2009-02-10 (18-41-15).txt

Scan type: Quick Scan
Objects scanned: 75333
Time elapsed: 22 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.33
Database version: 1744
Windows 5.1.2600 Service Pack 3

2/12/2009 1:34:20 AM
mbam-log-2009-02-12 (01-34-20).txt

Scan type: Quick Scan
Objects scanned: 83443
Time elapsed: 22 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 DaChew

Posted 12 February 2009 - 03:08 PM

You have a very nasty infection.

Proceed cautiously and back up anything you would lose with a clean install.

http://www.bleepingcomputer.com/forums/t/200801/vicious-virus/

Edited by DaChew, 12 February 2009 - 03:12 PM.

Chewy

#7 Gangelbaby (Topic Starter)

Posted 12 February 2009 - 03:11 PM

LOL... ya think? *winks* How close am I to getting it fixed though? Any words of wisdom? Right now, it isn't acting up at all that I can tell, but I'm paranoid it's not over with.

#8 DaChew

Posted 12 February 2009 - 03:22 PM

My money is on the infection
Chewy

#9 Gangelbaby (Topic Starter)

Posted 12 February 2009 - 03:33 PM

Thanks for the optimistic vote of confidence... lol... and seriously, thanks for the link. I did go ahead before I started all this and backed up everything to an external, also have scanned that to make sure I wasn't just moving it around, just didn't proceed with a recovery because I wasn't sure how much good it would do me. If I go ahead with a recovery before it's over with, what would your advice be on how to prevent it from happening again?... and, would the recovery solve the issues at this point?

#10 DaChew

Posted 12 February 2009 - 03:33 PM

That is MBAM detecting infected userinit but not hitting the file because of system file protection (in MBAM). We leave the userinit reg hit so that you know that the file needs to be replaced. The reg info listed is just MBAM replacing the load key with the default, as it does if there is anything wrong with userinit.

MBAM can't delete userinit even if it is infected because it does not have the ability to reach the results list.

In about 50% of cases the dllcache version is also replaced, so it can be tough finding a clean backup.



Here's an explanation from the number 2 man at MBAM of why you see those registry entries repeating in a MBAM scan



and a newer link discussing these infections


http://blog.trendmicro.com/virux-cases-escalate/
Chewy
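
The repeating Userinit hit that DaChew explains above, and the persistence locations in the MBAM logs posted in #5, can be triaged mechanically instead of by eye. The following is an added example, not code from this thread or from Malwarebytes: a small Python parser for MBAM 1.33 log lines that maps each detection to the launch point it represents and flags items that come back in scan after scan. The sample logs are abbreviated excerpts of the ones posted above (constructed for this example), and the mechanism labels are my own descriptions, not MBAM's.

```python
import re
from collections import defaultdict

# Constructed sample input: abbreviated excerpts of the three MBAM 1.33 logs posted in this thread.
SCAN_1 = r"""
Malwarebytes' Anti-Malware 1.33
2/10/2009 5:37:57 PM

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ftutil2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""
# The two follow-up scans report nothing but the same Userinit value, "fixed" again each time.
USERINIT_ONLY = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
"""
SCAN_2 = "2/10/2009 6:41:15 PM\n" + USERINIT_ONLY
SCAN_3 = "2/12/2009 1:34:20 AM\n" + USERINIT_ONLY

# One detection line: "<item> (<Family.Name>) -> [<detail> -> ...] <action>"
DETECTION_RE = re.compile(r"^(?P<item>[^(].*?) \((?P<family>[A-Za-z][\w.]*)\) -> (?P<rest>.+)$")

# Where an item lives tells you what kind of launch point it is (labels are my own, not MBAM's).
AUTOSTART_RULES = [
    (r"\\winlogon\\userinit$", "Winlogon Userinit: runs at every logon before the shell"),
    (r"\\currentversion\\run\\", "Run key: runs at logon"),
    (r"\\shellexecutehooks\\", "ShellExecuteHook: DLL loaded into Explorer on every program launch"),
    (r"\\clsid\\\{", "COM class registration: how a hook DLL is located"),
    (r"\\policies\\.*\\(disabletaskmgr|nochangingwallpaper|nosetactivedesktop|noactivedesktopchanges)$",
     "Policy lockout: blocks Task Manager or the Desktop tab, as reported in the first post"),
    (r"\\drivers\\[^\\]+\.sys$", "Kernel driver: loads with the OS and survives user-mode cleanup"),
]


def parse_mbam_log(text):
    """Split one MBAM log into detections: dicts with section, item, family, details, action."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # e.g. "Registry Data Items Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = DETECTION_RE.match(line)
        if not m or section is None:            # headers, blanks, "(No malicious items detected)"
            continue
        parts = m.group("rest").split(" -> ")   # middle parts are "Data: ..." / "Bad: (1) Good: (0)"
        detections.append({"section": section, "item": m.group("item"), "family": m.group("family"),
                           "details": parts[:-1], "action": parts[-1]})
    return detections


def classify_autostart(item):
    """Label the persistence mechanism an item represents, or None for plain files and cookies."""
    low = item.lower()
    for pattern, label in AUTOSTART_RULES:
        if re.search(pattern, low):
            return label
    return None


def triage(text):
    """(item, mechanism label) for every detection in one log."""
    return [(d["item"], classify_autostart(d["item"])) for d in parse_mbam_log(text)]


def recurring_detections(logs, min_scans=2):
    """Items reported in at least min_scans separate scans -> {item lower-cased: number of scans}."""
    seen_in = defaultdict(set)
    for idx, text in enumerate(logs):
        for d in parse_mbam_log(text):
            seen_in[d["item"].lower()].add(idx)
    return {item: len(scans) for item, scans in seen_in.items() if len(scans) >= min_scans}


def userinit_file_suspect(logs):
    """True when Winlogon\\Userinit keeps coming back: MBAM is resetting the value each scan,
    which points at userinit.exe itself being infected rather than the registry entry."""
    return any(item.endswith("\\winlogon\\userinit") for item in recurring_detections(logs))


if __name__ == "__main__":
    for item, label in triage(SCAN_1):
        print(f"{label or 'file / data only':70} <- {item}")
    for item, n in recurring_detections([SCAN_1, SCAN_2, SCAN_3]).items():
        print(f"\nseen in {n} scans: {item}")
    print("replace userinit.exe from a known-clean copy:", userinit_file_suspect([SCAN_1, SCAN_2, SCAN_3]))
```

Reading the output against the thread: the first scan shows a full set of launch points (a Run key, a ShellExecuteHook DLL that Vundo uses to get into every process Explorer starts, a kernel driver, and the Policies values that froze the Desktop tab and Task Manager), while the later scans show only the Userinit value, reported with the same default data every time. A value that an anti-malware tool "fixes" identically in every scan is being reset, not removed; the thing that matters is the file the value points to, which is why DaChew's advice is to replace userinit.exe from a clean copy rather than to keep scanning.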

#11 DaChew

Posted 12 February 2009 - 03:42 PM

and, would the recovery solve the issues at this point?


I would use a Windows repair disk if possible at this point

http://www.michaelstevenstech.com/XPrepairinstall.htm

A recovery meaning a clean install would be the best option.

Depending upon your setup there are other options; replacing any infected system files would be the first order though.
Chewy

#12 Gangelbaby (Topic Starter)

Posted 12 February 2009 - 04:00 PM

Hmmmm, interesting http://blog.trendmicro.com/bogus-microsoft...-file-infector/

Think I recall doing something like that, but I'm not sure. A lot of the jargon in these is like Greek to me, regretfully.

Thank you for the information and advice, it's greatly appreciated. Thank God for people that know what they are doing lol.

#13 quietman7 (Global Moderator)

Posted 13 February 2009 - 08:59 AM

You have two options: further investigation and an attempt to remove the malware, or reformatting.

Some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.

In case you need help with this, please review:
These links include step-by-step instructions with screenshots:

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, personal data files and photos. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr) or autorun (.ini) files because they may be infected by malware appending itself to the executable. Some types of malware may even disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you look closely at the full file name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

Note: If you're using an IBM, HP, Compaq or Dell machine, you may not have an original XP CD. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it.

If you need additional assistance with reformatting, you can start a new topic in the Windows XP Home and Professional forum.

Alternatively, if you want to give removal of the infection a try, please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
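
quietman7's backup advice above (leave *.exe, *.scr and autorun files out of the backup, and look closely at the full file name because a second extension can hide behind the first) can be turned into a pre-copy check rather than a by-eye inspection. The following is an added example, not code from this thread or from BleepingComputer: a Python screen that classifies each backup candidate three ways, by its real extension, by the name Explorer would display with "Hide extensions for known file types" on (the XP default), and by whether the bytes are actually a Windows executable whatever the name says. The extension lists beyond the post's own (.exe, .scr, .ini) and the sample file set are my assumptions; the file contents are constructed header stubs, not real files.

```python
import os

# Types the post says not to back up (.exe, .scr, .ini); the rest of this set is my assumption,
# covering other directly executable or auto-executed Windows types.
RISKY_EXTENSIONS = {".exe", ".scr", ".ini", ".inf", ".com", ".pif", ".bat", ".cmd", ".dll", ".sys"}
# Extensions that read as harmless data; a risky extension hiding behind one of these is the
# disguise the post warns about ("vacation.jpg.exe" shown by Explorer as "vacation.jpg").
DATA_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".doc", ".xls", ".ppt", ".pdf", ".txt", ".mp3", ".avi"}


def real_extension(name):
    """Last dot-suffix, lower-cased: the one Windows actually uses to decide how to open the file."""
    return os.path.splitext(name)[1].lower()


def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on (the XP default):
    the last extension is dropped, so 'vacation.jpg.exe' appears as 'vacation.jpg'."""
    root, ext = os.path.splitext(name)
    return root if ext else name


def is_pe_file(data):
    """Content check independent of the name: DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def assess(name, data=b""):
    """Return (verdict, reason). 'copy' means safe to include; anything else stays off the backup."""
    ext = real_extension(name)
    if ext in RISKY_EXTENSIONS and real_extension(displayed_name(name)) in DATA_EXTENSIONS:
        return "suspicious", f"Explorer shows it as '{displayed_name(name)}' but it is really {ext}"
    if is_pe_file(data):
        return "skip", "the bytes are a Windows executable whatever the name says"
    if ext in RISKY_EXTENSIONS:
        return "skip", f"{ext} files are not backed up"
    return "copy", "data file; still scan it with the AV before restoring"


def screen_backup(files):
    """files maps a file name to (at least) its first 64 bytes. Returns {verdict: sorted names}."""
    report = {"copy": [], "skip": [], "suspicious": []}
    for name, data in files.items():
        report[assess(name, data)[0]].append(name)
    return {verdict: sorted(names) for verdict, names in report.items()}


# Constructed sample inputs: a minimal PE header stub, a JPEG header and an OLE2 (.xls) header.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_FILES = {
    "vacation.jpg.exe": FAKE_PE,   # double extension: the disguise from the post
    "setup.exe": FAKE_PE,          # honest executable, still not backed up
    "holiday.jpg": FAKE_PE,        # renamed executable: only the content check catches it
    "family.jpg": JPEG,
    "Budget.XLS": OLE2,
    "autorun.ini": b"[autorun]",
    "screensaver.scr": FAKE_PE,
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        verdict, why = assess(name, data)
        print(f"{verdict:10} {name:20} {why}")
```

The name-based rules cover exactly what the post describes; the `is_pe_file` check is the extra a practitioner wants, because a file infector or a renamed dropper does not need a telling extension to be executable, and "holiday.jpg" in the sample set would pass a name-only screen. Anything in the "skip" or "suspicious" buckets is left off the external drive, and what does get copied is still scanned before it is restored, as the post says.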