
Trying to remove unknown malware after using laptop in public Wifi places.


  • This topic is locked
44 replies to this topic

#1 wellen44

  • Members
  • 43 posts

Posted 26 June 2013 - 11:52 PM

Please refer to previous posts at http://www.bleepingcomputer.com/forums/t/498915/used-public-wifi-lots-and-lots-of-problems-now-newbie-needs-help/. I have been directed to continue my posting in this new forum after running dds.com.

 

 

 

 



#2 wellen44

  • Topic Starter
  • Members
  • 43 posts

Posted 26 June 2013 - 11:54 PM

Here is the dds.txt info ---

 

 

Internet Explorer: 10.0.9200.16611  BrowserJavaVersion: 10.25.2
Run by elizabeth at 11:47:06 on 2013-06-27
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3518.2516 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\WUDFHost.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Users\elizabeth\AppData\Roaming\mjusbsp\magicJack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: {878B8524-AED5-4870-9A96-A515440DAC75} - <orphaned>
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [cdloader] "c:\users\elizabeth\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Search Protection] c:\programdata\search protection\SearchProtection.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{B135E294-BFCC-466F-9CC6-12CCCBF3F212} : DHCPNameServer = 192.168.1.254
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\elizabeth\appdata\roaming\mozilla\firefox\profiles\elizabeth\
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-6-17 13560]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 MpKsl49e6b7ce;MpKsl49e6b7ce;c:\programdata\microsoft\microsoft antimalware\definition updates\{2d751ece-1a80-45b7-b044-2178fcc06900}\MpKsl49e6b7ce.sys [2013-6-27 29904]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 100328]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-6-17 41584]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-3-27 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-3-27 1343400]
.
=============== Created Last 30 ================
.
2013-06-27 15:37:36    60872    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{2d751ece-1a80-45b7-b044-2178fcc06900}\offreg.dll
2013-06-27 15:37:36    29904    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{2d751ece-1a80-45b7-b044-2178fcc06900}\MpKsl49e6b7ce.sys
2013-06-27 15:35:49    7068072    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{2d751ece-1a80-45b7-b044-2178fcc06900}\mpengine.dll
2013-06-26 23:27:54    --------    d-----w-    c:\program files\Tracker Software
2013-06-26 23:08:21    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-26 22:10:57    7068072    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-06-25 02:56:03    --------    d-----w-    c:\windows\ERUNT
2013-06-25 02:55:58    --------    d-----w-    C:\JRT
2013-06-24 19:09:07    --------    d-----w-    c:\users\elizabeth\appdata\roaming\SUPERAntiSpyware.com
2013-06-24 19:01:43    118784    ----a-w-    c:\windows\system32\MSSTDFMT.DLL
2013-06-24 19:01:20    --------    d-----w-    c:\program files\SpywareBlaster
2013-06-24 16:48:02    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-06-24 16:48:02    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-06-24 02:49:21    724464    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{c93d2f81-64d5-46ae-955c-ae4c38727d45}\gapaengine.dll
2013-06-24 02:48:43    --------    d-----w-    c:\program files\Microsoft Security Client
2013-06-24 02:40:48    7068072    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{15452c57-9cb2-4d1b-b0f9-35cd3c2ede4d}\mpengine.dll
2013-06-23 19:38:31    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-23 00:07:19    33205    ----a-w-    c:\programdata\1371946008.bdinstall.bin
2013-06-20 20:02:10    --------    d-----w-    c:\users\elizabeth\appdata\roaming\QuickScan
2013-06-19 20:53:36    --------    d--h--w-    c:\windows\AxInstSV
2013-06-19 20:33:29    --------    d-----w-    c:\users\elizabeth\appdata\roaming\CheckPoint
2013-06-19 20:26:23    --------    d-----w-    c:\programdata\CheckPoint
2013-06-17 19:33:57    41584    ----a-w-    c:\windows\system32\drivers\gfiark.sys
2013-06-17 17:32:48    --------    d-----w-    c:\users\elizabeth\appdata\roaming\LavasoftStatistics
2013-06-17 17:26:32    --------    d-----w-    c:\programdata\Downloaded Installations
2013-06-17 17:25:24    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
2013-06-17 16:56:33    --------    d-----w-    c:\program files\Panda Security
2013-06-17 02:33:52    --------    d-----w-    c:\programdata\PCPitstop
2013-06-17 02:33:20    --------    d-----w-    c:\program files\PCPitstop
2013-06-12 07:02:13    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-06-12 07:02:13    218112    ----a-w-    c:\program files\internet explorer\sqmapi.dll
2013-06-12 06:08:11    3913576    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-06-12 06:08:10    3968872    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-12 06:08:09    903168    ----a-w-    c:\windows\system32\certutil.exe
2013-06-12 06:08:09    43008    ----a-w-    c:\windows\system32\certenc.dll
2013-06-12 06:08:09    140288    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-06-12 06:08:09    1160192    ----a-w-    c:\windows\system32\crypt32.dll
2013-06-12 06:08:09    103936    ----a-w-    c:\windows\system32\cryptnet.dll
2013-06-12 06:08:07    492544    ----a-w-    c:\windows\system32\win32spl.dll
2013-06-12 06:08:06    1293672    ----a-w-    c:\windows\system32\drivers\tcpip.sys
.
==================== Find3M  ====================
.
2013-06-26 23:38:11    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-06-26 23:38:11    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-23 00:31:31    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-23 00:31:15    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-17 01:25:57    1767936    ----a-w-    c:\windows\system32\wininet.dll
2013-05-17 01:25:27    2877440    ----a-w-    c:\windows\system32\jscript9.dll
2013-05-17 01:25:26    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-05-17 01:25:26    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-05-14 08:40:13    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-05-02 06:06:08    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-30 07:01:48    9728    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-12 13:45:29    1211752    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18:40    728424    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18:40    218984    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14:06    2347520    ----a-w-    c:\windows\system32\win32k.sys
.
============= FINISH: 11:47:26.26 ===============
 


Edited by wellen44, 27 June 2013 - 10:50 AM.


#3 wellen44

  • Topic Starter
  • Members
  • 43 posts

Posted 26 June 2013 - 11:58 PM

Sorry but I can't figure out how to attach this other file, so I am just pasting it here ---

 

.
 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/27/2013 5:32:07 PM
System Uptime: 6/27/2013 11:00:34 AM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0YP696
Processor: AMD Athlon™ Dual Core Processor 4450B | Socket M2  | 2300/1000mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 409.717 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP32: 6/12/2013 2:07:08 AM - Windows Update
RP33: 6/12/2013 3:00:13 AM - Windows Update
RP34: 6/19/2013 11:59:09 PM - Scheduled Checkpoint
RP35: 6/20/2013 8:54:23 PM - Windows Update
RP36: 6/23/2013 10:40:14 PM - Windows Update
RP37: 6/24/2013 2:18:08 AM - Windows Update
RP38: 6/26/2013 6:45:26 PM - Removed Adobe Reader X (10.1.4).
RP39: 6/26/2013 7:07:35 PM - Installed Java 7 Update 25
RP40: 6/26/2013 7:29:00 PM - Removed Java 7 Update 25
RP41: 6/26/2013 7:37:59 PM - Installed Java 7 Update 25
RP42: 6/27/2013 11:35:30 AM - Windows Update
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Flash Player 11 Plugin
Google Earth Plug-in
Google Update Helper
IrfanView (remove only)
Java 7 Update 25
Java Auto Updater
Legacy 7.5
magicJack
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mozilla Firefox 21.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Control Panel 307.83
NVIDIA Graphics Driver 307.83
NVIDIA Install Application
NVIDIA Update 1.10.8
NVIDIA Update Components
PDF-Viewer
SpywareBlaster 4.5
.
==== Event Viewer Messages From Past Week ========
.
6/27/2013 6:00:42 AM, Error: Microsoft-Windows-HAL [12]  - The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.
6/26/2013 5:40:39 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.      New Signature Version:       Previous Signature Version: 1.153.463.0      Update Source: Microsoft Update Server      Update Stage: Search      Source Path: http://www.microsoft.com      Signature Type: AntiVirus      Update Type: Full      User: NT AUTHORITY\SYSTEM      Current Engine Version:       Previous Engine Version: 1.1.9607.0      Error code: 0x80072f76      Error description: The requested header was not found
6/25/2013 8:57:58 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.      New Signature Version:       Previous Signature Version: 1.153.463.0      Update Source: Microsoft Update Server      Update Stage: Search      Source Path: http://www.microsoft.com      Signature Type: AntiVirus      Update Type: Full      User: NT AUTHORITY\SYSTEM      Current Engine Version:       Previous Engine Version: 1.1.9607.0      Error code: 0x80072f76      Error description: The requested header was not found
6/25/2013 8:47:42 PM, Error: Service Control Manager [7023]  - The Server service terminated with the following error:  Not enough storage is available to complete this operation.
6/25/2013 8:47:42 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The service has not been started.
.
==== End Of File ===========================
 


Edited by wellen44, 27 June 2013 - 10:49 AM.


#4 wellen44

  • Topic Starter
  • Members
  • 43 posts

Posted 27 June 2013 - 06:17 PM

I'm not sure if I have done something wrong or not in posting this. The only way I can find this post is to log in and then click on 'My Content'. It doesn't show up in the list if I just try to find it in the forum. What have I done wrong???



#5 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 July 2013 - 10:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.

How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
  • Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply DO NOT ATTACH THEM.
Let me know what problem persists.


#6 wellen44

  • Topic Starter
  • Members
  • 43 posts

Posted 03 July 2013 - 11:10 PM

Sorry, the past few days have been busy...

 

It 'seemed' like my computer was doing fine again, but it looks like there was still some kind of infection / problem found by the scans. I have no idea what it was or what it did to my computer...

 

Here are the reports from the scans ---

 

RogueKiller V8.6.2 [Jul  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : hxxp://www.adlice.com/forum/
Website : hxxp://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : elizabeth [Admin rights]
Mode : Scan -- Date : 07/03/2013 23:50:49
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : Search Protection (C:\ProgramData\Search Protection\SearchProtection.exe [x][x]) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] {CFF1BFC7-1CE9-4AE4-BDE2-DC86F74FB101} : C:\Users\elizabeth\AppData\Roaming\mjusbsp\magicJackLoader.exe [7] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST500DM0 02-1BD142 SCSI Disk Device +++++
--- User ---
[MBR] 419127bf1330aa3606fb0ded5a2f9b97
[BSP] 97dd48c8c27bbc5c995dc84191c0ba3b : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_07032013_235049.txt >>

-------------------------------------------------------------------------------------------

 

ComboFix 13-07-03.01 - elizabeth 07/03/2013  23:53:52.1.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3518.2400 [GMT -4:00]
Running from: c:\users\elizabeth\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\1371946008.bdinstall.bin
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-04 to 2013-07-04  )))))))))))))))))))))))))))))))
.
.
2013-07-04 03:58 . 2013-07-04 03:58    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-07-04 03:58 . 2013-07-04 03:58    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-07-03 18:05 . 2013-06-12 01:18    7068072    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{630C6794-1E6A-4E0B-B752-37384107FF63}\mpengine.dll
2013-07-02 18:05 . 2013-06-12 01:18    7068072    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-26 23:38 . 2013-06-26 23:38    --------    d-----w-    c:\program files\Common Files\Java
2013-06-26 23:27 . 2013-06-26 23:28    --------    d-----w-    c:\program files\Tracker Software
2013-06-26 23:08 . 2013-06-26 23:38    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-26 23:08 . 2013-06-26 23:08    --------    d-----w-    c:\program files\Java
2013-06-25 02:56 . 2013-06-25 02:56    --------    d-----w-    c:\windows\ERUNT
2013-06-25 02:55 . 2013-06-25 02:55    --------    d-----w-    C:\JRT
2013-06-24 19:09 . 2013-06-24 19:09    --------    d-----w-    c:\users\elizabeth\AppData\Roaming\SUPERAntiSpyware.com
2013-06-24 19:01 . 2010-01-10 22:40    118784    ----a-w-    c:\windows\system32\MSSTDFMT.DLL
2013-06-24 19:01 . 2013-06-24 19:01    --------    d-----w-    c:\program files\SpywareBlaster
2013-06-24 16:48 . 2013-06-24 16:48    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-06-24 16:48 . 2013-04-04 18:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-06-24 02:49 . 2013-06-24 02:49    724464    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C93D2F81-64D5-46AE-955C-AE4C38727D45}\gapaengine.dll
2013-06-24 02:48 . 2013-06-24 02:48    --------    d-----w-    c:\program files\Microsoft Security Client
2013-06-24 02:40 . 2013-06-12 04:18    7068072    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{15452C57-9CB2-4D1B-B0F9-35CD3C2EDE4D}\mpengine.dll
2013-06-23 19:38 . 2013-06-23 19:48    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-20 20:02 . 2013-06-23 00:09    --------    d-----w-    c:\users\elizabeth\AppData\Roaming\QuickScan
2013-06-19 20:33 . 2013-06-25 01:38    --------    d-----w-    c:\users\elizabeth\AppData\Roaming\CheckPoint
2013-06-19 20:32 . 2013-06-20 02:01    --------    dc----w-    c:\windows\system32\DRVSTORE
2013-06-19 20:26 . 2013-06-19 20:26    --------    d-----w-    c:\programdata\CheckPoint
2013-06-17 19:33 . 2013-04-11 15:06    41584    ----a-w-    c:\windows\system32\drivers\gfiark.sys
2013-06-17 17:32 . 2013-06-19 01:30    --------    d-----w-    c:\users\elizabeth\AppData\Roaming\LavasoftStatistics
2013-06-17 17:26 . 2013-06-17 17:26    --------    d-----w-    c:\programdata\Downloaded Installations
2013-06-17 17:25 . 2013-06-17 17:25    13560    ----a-w-    c:\windows\system32\drivers\gfibto.sys
2013-06-17 16:56 . 2013-06-17 16:56    --------    d-----w-    c:\program files\Panda Security
2013-06-17 02:33 . 2013-06-19 22:06    --------    d-----w-    c:\programdata\PCPitstop
2013-06-17 02:33 . 2013-06-20 01:18    --------    d-----w-    c:\program files\PCPitstop
2013-06-12 07:02 . 2013-06-08 11:41    218112    ----a-w-    c:\program files\Internet Explorer\sqmapi.dll
2013-06-12 07:02 . 2013-06-08 11:13    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-06-12 06:08 . 2013-05-06 05:06    3913576    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-06-12 06:08 . 2013-05-06 05:06    3968872    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-12 06:08 . 2013-05-13 04:45    140288    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-06-12 06:08 . 2013-05-13 04:45    1160192    ----a-w-    c:\windows\system32\crypt32.dll
2013-06-12 06:08 . 2013-05-13 04:45    103936    ----a-w-    c:\windows\system32\cryptnet.dll
2013-06-12 06:08 . 2013-05-13 03:08    903168    ----a-w-    c:\windows\system32\certutil.exe
2013-06-12 06:08 . 2013-05-13 03:08    43008    ----a-w-    c:\windows\system32\certenc.dll
2013-06-12 06:08 . 2013-04-26 04:55    492544    ----a-w-    c:\windows\system32\win32spl.dll
2013-06-12 06:08 . 2013-05-08 05:38    1293672    ----a-w-    c:\windows\system32\drivers\tcpip.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-26 23:38 . 2013-04-08 03:25    867240    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-06-26 23:38 . 2013-04-08 03:25    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-23 00:31 . 2013-04-14 00:25    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-23 00:31 . 2013-04-14 00:25    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-02 06:06 . 2013-03-27 20:11    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-30 07:02 . 2013-04-30 07:02    745472    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2013-04-30 07:02 . 2013-04-30 07:02    185344    ----a-w-    c:\windows\system32\elshyph.dll
2013-04-30 07:02 . 2013-04-30 07:02    158720    ----a-w-    c:\windows\system32\msls31.dll
2013-04-30 07:02 . 2013-04-30 07:02    138752    ----a-w-    c:\windows\system32\wextract.exe
2013-04-30 07:02 . 2013-04-30 07:02    150528    ----a-w-    c:\windows\system32\iexpress.exe
2013-04-30 07:02 . 2013-04-30 07:02    73728    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2013-04-30 07:02 . 2013-04-30 07:02    719360    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2013-04-30 07:02 . 2013-04-30 07:02    61952    ----a-w-    c:\windows\system32\tdc.ocx
2013-04-30 07:02 . 2013-04-30 07:02    523264    ----a-w-    c:\windows\system32\vbscript.dll
2013-04-30 07:02 . 2013-04-30 07:02    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2013-04-30 07:02 . 2013-04-30 07:02    38400    ----a-w-    c:\windows\system32\imgutil.dll
2013-04-30 07:02 . 2013-04-30 07:02    361984    ----a-w-    c:\windows\system32\html.iec
2013-04-30 07:02 . 2013-04-30 07:02    23040    ----a-w-    c:\windows\system32\licmgr10.dll
2013-04-30 07:02 . 2013-04-30 07:02    1441280    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-04-30 07:02 . 2013-04-30 07:02    137216    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-04-30 07:02 . 2013-04-30 07:02    12800    ----a-w-    c:\windows\system32\mshta.exe
2013-04-30 07:02 . 2013-04-30 07:02    110592    ----a-w-    c:\windows\system32\IEAdvpack.dll
2013-04-30 07:01 . 2013-04-30 07:01    9728    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-30 07:01 . 2013-04-30 07:01    906240    ----a-w-    c:\windows\system32\FntCache.dll
2013-04-30 07:01 . 2013-04-30 07:01    604160    ----a-w-    c:\windows\system32\d3d10level9.dll
2013-04-30 07:01 . 2013-04-30 07:01    5632    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-04-30 07:01 . 2013-04-30 07:01    5632    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-04-30 07:01 . 2013-04-30 07:01    417792    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-04-30 07:01 . 2013-04-30 07:01    4096    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-04-30 07:01 . 2013-04-30 07:01    364544    ----a-w-    c:\windows\system32\XpsGdiConverter.dll
2013-04-30 07:01 . 2013-04-30 07:01    3584    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-04-30 07:01 . 2013-04-30 07:01    3419136    ----a-w-    c:\windows\system32\d2d1.dll
2013-04-30 07:01 . 2013-04-30 07:01    3072    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-04-30 07:01 . 2013-04-30 07:01    3072    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-04-30 07:01 . 2013-04-30 07:01    293376    ----a-w-    c:\windows\system32\dxgi.dll
2013-04-30 07:01 . 2013-04-30 07:01    2560    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-04-30 07:01 . 2013-04-30 07:01    249856    ----a-w-    c:\windows\system32\d3d10_1core.dll
2013-04-30 07:01 . 2013-04-30 07:01    2284544    ----a-w-    c:\windows\system32\msmpeg2vdec.dll
2013-04-30 07:01 . 2013-04-30 07:01    220160    ----a-w-    c:\windows\system32\d3d10core.dll
2013-04-30 07:01 . 2013-04-30 07:01    207872    ----a-w-    c:\windows\system32\WindowsCodecsExt.dll
2013-04-30 07:01 . 2013-04-30 07:01    1988096    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-04-30 07:01 . 2013-04-30 07:01    187392    ----a-w-    c:\windows\system32\UIAnimation.dll
2013-04-30 07:01 . 2013-04-30 07:01    161792    ----a-w-    c:\windows\system32\d3d10_1.dll
2013-04-30 07:01 . 2013-04-30 07:01    1504768    ----a-w-    c:\windows\system32\d3d11.dll
2013-04-30 07:01 . 2013-04-30 07:01    1247744    ----a-w-    c:\windows\system32\DWrite.dll
2013-04-30 07:01 . 2013-04-30 07:01    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-04-30 07:01 . 2013-04-30 07:01    1158144    ----a-w-    c:\windows\system32\XpsPrint.dll
2013-04-30 07:01 . 2013-04-30 07:01    1080832    ----a-w-    c:\windows\system32\d3d10.dll
2013-04-30 07:01 . 2013-04-30 07:01    10752    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-04-12 13:45 . 2013-04-23 18:49    1211752    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18 . 2013-05-15 10:41    728424    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18 . 2013-05-15 10:41    218984    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14 . 2013-05-15 10:41    2347520    ----a-w-    c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\elizabeth\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-03-28 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-04-11 41584]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 100328]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 295232]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-03-28 1343400]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-06-17 13560]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
BullGuard_Backup    REG_MULTI_SZ       BsBackup
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-11 19:09]
.
2013-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-11 19:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\elizabeth\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Search Protection - c:\programdata\Search Protection\SearchProtection.exe
SafeBoot-BsScanner
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2013-07-04  00:01:48 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-04 04:01
.
Pre-Run: 439,665,868,800 bytes free
Post-Run: 439,617,290,240 bytes free
.
- - End Of File - - 7AB09BC53686CE923E2987BB020D9B16
A36C5E4F47E84449FF07ED3517B43A31

Thank you for your help!



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 PM

Posted 04 July 2013 - 06:45 AM

Please run the RogueKiller tool and delete these items.
Ignore is already done.

[RUN][SUSP PATH] HKLM\[...]\Run : Search Protection (C:\ProgramData\Search Protection\SearchProtection.exe [x][x]) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Restart the computer normally.
===

Any remaining issues?
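An added example, not part of the thread and not one of the tools nasdaq recommends: a PowerShell audit of the Run/RunOnce load points and the two HKCU policy values that RogueKiller listed in the post above. The registry paths are the standard Windows ones; the heuristic flags (target missing, which is what RogueKiller's "[x]" means, binary not Authenticode-signed, or path under ProgramData or a user's AppData) are the editor's assumptions about what deserves a second look, not RogueKiller's own rules. Run it in an elevated Windows PowerShell session on the affected machine.

```powershell
# Added example (not from the BleepingComputer thread): audit the Run/RunOnce
# autostart values that RogueKiller reported. Flags entries whose target
# binary is missing (RogueKiller's "[x]"), lives under a user-writable
# profile directory, or is not Authenticode-signed. Also reads the two
# HKCU policy values (DisableTaskMgr / DisableRegistryTools) it listed.
# The "suspicious" heuristics are the editor's assumptions, not RogueKiller's.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run value such as
#   "c:\program files\HP\HP Software Update\HPWuSchd2.exe" /arg
# or an unquoted path followed by arguments.
function Get-RunTarget([string]$Command) {
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to and including the first ".exe"
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $target = [Environment]::ExpandEnvironmentVariables((Get-RunTarget ([string]$p.Value)))
        $exists = ($target -ne '') -and (Test-Path -LiteralPath $target -PathType Leaf)
        $signed = $false
        if ($exists) {
            $signed = (Get-AuthenticodeSignature -FilePath $target).Status -eq 'Valid'
        }
        # ProgramData and a user's AppData are writable without admin rights,
        # so PUPs and malware favour them (cf. cdloader2.exe in AppData\Roaming
        # and SearchProtection.exe in ProgramData in the logs above).
        $userWritable = $target -match '\\(ProgramData|Users\\[^\\]+\\AppData)\\'
        [pscustomobject]@{
            Key          = $key
            Name         = $p.Name
            Target       = $target
            Exists       = $exists
            Signed       = $signed
            UserWritable = $userWritable
            Suspicious   = (-not $exists) -or (-not $signed) -or $userWritable
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# The HKCU policy values RogueKiller flagged. 0 (or a missing value) means
# Task Manager / regedit are NOT disabled; 1 means the user has been locked
# out of them, which is a common malware trick to hinder cleanup.
$polKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue).$name
    '{0,-22} = {1}' -f $name, $(if ($null -eq $v) { '<not set>' } else { $v })
}
```

A "Suspicious" row is a prompt to look, not a verdict: a vendor updater that is unsigned or lives in ProgramData will show up too. The value 0 that RogueKiller reported for DisableTaskMgr and DisableRegistryTools is the non-restrictive setting, which is consistent with nasdaq's later "you are good".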

#8 wellen44

wellen44
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 04 July 2013 - 02:02 PM

How do I delete those things? I don't see them anywhere.

When I run RogueKiller again, all I see that can be deleted by RK are these:

FOUND: SUSP PATH     TASK    \     \CFF1BFC7-4..
FOUND: HJ POL           HKEY_LOCAL_MACHINE
FOUND: HJ SMENU      HKEY_CURRENT_USER
FOUND: HJ DESK         HKEY_LOCAL_MACHINE
FOUND: HJ DESK         HKEY_LOCAL_MACHINE

Should I delete those from RK?



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 PM

Posted 05 July 2013 - 06:36 AM

Forget it. You are good.

Any remaining issues with this computer?

#10 wellen44

wellen44
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 05 July 2013 - 07:39 PM

I don't see anything at the moment that seems wrong since running those last scans. I haven't used it enough yet to know if the problems of my desktop icons changing size and my cursor darting around the page have disappeared or not. Does that mean this computer is fixed?

If you believe that my computer is now fixed, would you help me get the stuff off of my husband's laptop? This whole mess began when we were traveling and using public Wifi spots. Something/someone accessed his laptop and it went from there to our home desktops. I have not tried fixing his laptop yet other than running scans like MBAM, Housecall, etc. that I am familiar with.

Should I start a new topic or just continue here?



#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 PM

Posted 06 July 2013 - 06:54 AM


If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!
===

As for your husband's laptop, start a new topic.
Post a DDS log for my review.

Then post the URL in this topic and I will expedite the matter.

#12 wellen44

wellen44
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 06 July 2013 - 01:30 PM

I'm a bit concerned about something.

"Every" time I run ComboFix it finds this same infected file:

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache\userinit.exe

Why does that file keep getting re-infected? It doesn't stay fixed. Is this OK, or is it a problem?

I will run the DDS on my husband's laptop and start a new topic this afternoon.



#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 PM

Posted 07 July 2013 - 07:01 AM

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache\userinit.exe


The last restore was from the cache. Do you always get the same message?

#14 wellen44

wellen44
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:09:45 PM

Posted 07 July 2013 - 03:08 PM

Yes, it happens each time I have run ComboFix.

My husband is currently using his laptop to do some word processing, writing articles. I will do the DDS scan as soon as possible.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 PM

Posted 08 July 2013 - 06:11 AM

Let's find out what other versions are available.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :filefind
    userinit.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
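An added PowerShell example, not from the thread and not what SystemLook does internally, that answers the same question nasdaq is asking (which copies of userinit.exe exist on the disk) and adds the checks a responder wants when ComboFix keeps reporting the same "infected copy ... disinfected" line: a SHA256 hash per copy, its Authenticode signature status, whether it matches the live System32 copy, and the Winlogon "Userinit" value, which is the load point a tampered userinit.exe is tied to. The stock Userinit value it compares against is the editor's assumption for Windows 7; confirm it on a known-clean machine of the same build. Requires Windows PowerShell 4.0 or later (for Get-FileHash), run elevated.

```powershell
# Added example (not from the thread or the SystemLook tool): enumerate every
# userinit.exe under %SystemRoot%, hash each one, check its Authenticode
# signature, and compare each against the live System32 copy. Then read the
# Winlogon "Userinit" value. Stock-value comparison is an assumption for
# Windows 7; verify on a clean machine of the same build.

$sysRoot = $env:SystemRoot
$live    = Join-Path $sysRoot 'System32\userinit.exe'

# Recursing over %SystemRoot% hits a few access-denied folders; they are not
# interesting here, so the errors are suppressed. -Force includes hidden
# copies such as ComboFix's erdnt\cache.
$copies = Get-ChildItem -Path $sysRoot -Filter 'userinit.exe' -File -Recurse -Force -ErrorAction SilentlyContinue

$liveHash = (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash

$report = foreach ($f in $copies) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path            = $f.FullName
        Size            = $f.Length
        LastWriteUtc    = $f.LastWriteTimeUtc
        SHA256          = $hash
        SigStatus       = $sig.Status   # Valid / NotSigned / HashMismatch / ...
        Signer          = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        MatchesSystem32 = ($hash -eq $liveHash)
    }
}

$report | Sort-Object MatchesSystem32, Path | Format-List

# A file infector that patches userinit.exe breaks its Authenticode signature,
# so anything other than 'Valid' on the System32 copy is a red flag even when
# the size looks plausible. Copies in WinSxS that differ by hash are normal
# (other servicing versions), which is why the signature status is a better
# discriminator than the hash alone.

# Winlogon load point. The stock value is "<SystemRoot>\system32\userinit.exe,"
# including the trailing comma; anything appended after the comma is an extra
# program Winlogon launches at every logon.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
'Userinit = {0}' -f $wl.Userinit
'Shell    = {0}' -f $wl.Shell

$expected = (Join-Path $sysRoot 'system32\userinit.exe') + ','
if ($wl.Userinit -ne $expected) {
    Write-Warning "Winlogon Userinit value differs from the expected '$expected'"
}
```

If the System32 copy shows a signature status other than Valid after a reboot, the Windows-native check `sfc /verifyfile=C:\Windows\System32\userinit.exe` is a second opinion that does not depend on third-party tools, and a copy that ComboFix restores from erdnt\cache but which is modified again on the next run points to something still running at boot that rewrites it, which is the question the SystemLook output above is meant to narrow down.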



