Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack.UserInit


  • This topic is locked This topic is locked
3 replies to this topic

#1 shichiiiya

shichiiiya

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:52 PM

Posted 26 April 2009 - 03:43 PM

I've been infected with vundo before, but I easily removed it with spybot s&d and booting in safe mode.
Its strange, I don't exactly know how I got these infections. Three minutes before my movie download from a friend finishes, a randomly named program with the command prompt interface excutes itself. I notice my system's starting to slow down, I check task manager and find a bunch of randomly named .exes. I try to go to a system restore point...i had a bunch for the past year, it undid all of them. Luckily I still have some old clean registries backed up from erunt. I did a scan with malwarebytes, and it removed mostly everything. I cannot access the official website of malwarebytes and i just uninstalled spybot s&d because it wouldn't run or update anymore. I downloaded combofix, and vundofix also. When I ran combofix, it gave me an alert message. Saying the program has been compromised and I might have a virut? infection. When I try and reboot now and I click on my user it logs me on, and then off. Especially when i set killbox to delete and replace the infected files or when malwarebytes tries to delete on reboot. Here's what I have from my scans. Doing some of my own research on this...seems almost impossible to remove if I do have a Virut infection.

And at the moment I cannot back up anything because I have no spare disks or usb memory sticks. I want to save as much as I can from this.

I would appreciate some help as soon as possible, I need to do some schoolwork on the computer, its almost too unstable to do anything.

Attached Files



BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:02:52 AM

Posted 28 April 2009 - 03:25 AM

Hello, my name is fenzodahl512 and welcome to Bleeping Computer.. Please do the following....



Please download The Comedian.exe to your desktop
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
If you see "random" name, just leave it.. If you see "GMER", please rename GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 shichiiiya

shichiiiya
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:52 PM

Posted 28 April 2009 - 05:58 PM

Eh, sorry for the late reply.
I forgot to mention any attempts in deleting the video.dll, audio.dll, and ntos.exe on reboot caused login/log off loops. It changed the registry. All in all the login/logoff loop was just too frustrating. I just decided to restore to manufacturer's point. Thanks for you help anyway!

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:02:52 AM

Posted 29 April 2009 - 01:19 AM

Thank you for notify us.. I will now close this topic.. Please pm any Moderator or HJT Team should you need to re-open this topic..


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users