Computer crashes after removal of malware


9 replies to this topic

#1 DanteHec


Posted 13 August 2009 - 02:57 AM

Okay, I had malware, so I used Spybot and AVG to get rid of some, then I used Malwarebytes to completely clean everything. Now when I start up it says "userinit.exe- corrupt file" and my computer randomly restarts. I already changed the settings to not restart on crash, but when I did that it completely froze. I have lurked on this site a lot but now I need help. And I am pretty sure it deleted login files and stuff like that. Thanks in advance guys.

I have an HP, XP Media Center Edition 2005.

Edited by DanteHec, 13 August 2009 - 03:38 AM.




#2 Eric RBA


Posted 13 August 2009 - 09:39 AM

Dante,

Are you 100% certain that you've cleaned out any infection? It is very possible that you may still have a malware issue that is causing problems. What were you infected with to start with, and what gives you full certainty that you aren't still infected, aside from not seeing any results from scans that you ran? You may need to look into that first.


Thanks,
Eric
I would never ask a person to do something that I wouldn't do myself.

#3 Orange Blossom


Posted 13 August 2009 - 02:27 PM

Hello DanteHec,

Some kinds of malware corrupt the userinit file. I am shifting this topic to the Am I Infected forum.

If you can, please post the log from MBAM that was produced when you used it.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 DanteHec


Posted 13 August 2009 - 04:17 PM

Thanks for the move. I had Virtumonde, because while I was scanning I saw that name appear a lot. What should I do? I turned it on and it stayed frozen on the desktop... :thumbsup:

#5 Computer Pro


Posted 13 August 2009 - 04:19 PM

Try starting in Safe Mode and try to access the log.
Computer Pro

#6 DanteHec


Posted 13 August 2009 - 04:33 PM

I had done a quick scan because I don't have enough time; it restarts randomly. I managed to get the log without Safe Mode.


Malwarebytes' Anti-Malware 1.40
Database version: 2610
Windows 5.1.2600 Service Pack 3

8/12/2009 5:44:36 AM
mbam-log-2009-08-12 (05-44-36).txt

Scan type: Quick Scan
Objects scanned: 113796
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR09.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\chrome\amba.jar (Trojan.Hanam) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.
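
An added example, not part of the post above or of Malwarebytes itself: a small parser for the log format quoted in post #6 that lists detections still waiting on a reboot and any changes under the Winlogon key, the two things worth checking when logon breaks after a cleanup. The function names are hypothetical and `SAMPLE_LOG` is a short excerpt of the lines above.

```python
import re

# Sample input: a few lines copied from the MBAM 1.40 log quoted above.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

# Line shape: <object> (<detection>) [-> Bad: (..) Good: (..)] -> <action>.
ENTRY = re.compile(
    r"^(?P<obj>.+?) \((?P<name>[A-Za-z]+\.[\w.]+)\)"
    r"(?: -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\))?"
    r" -> (?P<action>.+?)\.?$"
)

def parse_mbam_log(text):
    """Return one dict per detection, tagged with the section it was listed in."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):      # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY.match(line)               # summary counts and "(No ...)" lines do not match
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries

def triage(entries):
    """Return (objects still pending a reboot, entries that touched Winlogon)."""
    pending = sorted({e["obj"] for e in entries if "reboot" in e["action"].lower()})
    winlogon = [e for e in entries if "\\winlogon\\" in e["obj"].lower()]
    return pending, winlogon

if __name__ == "__main__":
    pending, winlogon = triage(parse_mbam_log(SAMPLE_LOG))
    print("Pending reboot:", pending)
    for e in winlogon:
        print("Winlogon change:", e["obj"], "| was:", e["bad"], "| set to:", e["good"])
```
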

#7 DanteHec


Posted 13 August 2009 - 05:28 PM

I just tried to start it in Safe Mode. It won't work. Safe Mode, Safe Mode with network, and with command prompt: none of them work. My computer just restarts and takes me back to the screen. What do I do? :thumbsup:

#8 DanteHec


Posted 14 August 2009 - 12:44 AM

Still no luck with Safe Mode or the random restarting. I tried lurking and looking for something similar but I don't know how to use those programs; they look like pretty powerful tools.

#9 Eric RBA


Posted 14 August 2009 - 03:14 PM

Dante,

You might try running SuperAntiSpyware if you can get it to install.

Download it HERE or HERE or HERE.

If you get it downloaded and cannot get the installer to run, you may need to change the name. Change it to DanteHec.exe if you have trouble, then it may open. Once it is installed, check for updates and then run a scan on your system. When you're done, post the results of the scan here. You can find the results by going to Preferences from the program's console, under the tab "Statistics/Logs" and it would be the first entry and probably only entry.

#10 Eric RBA


Posted 14 August 2009 - 03:15 PM

PS - You don't have to do that in Safe Mode.



