
Can't get rid of wininit.exe


  • This topic is locked
40 replies to this topic

#1 bwrighttwo

bwrighttwo

  • Members
  • 717 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:08 PM

Posted 17 March 2014 - 07:45 PM

Hi, I am unable to copy and paste or attach my DDS logs. I started a topic with the same title in "Am I infected". Please advise.
 
Mod edit ~~boopme
Original AII topic
http://www.bleepingcomputer.com/forums/t/527706/cant-get-rid-of-wininitexe/#entry3316838
 
 
EDIT II DDS log
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521
Run by felix at 20:21:00 on 2014-03-17
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7649.5932 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil64_12_0_0_77_ActiveX.exe
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Windows\System32\slui.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\IPS\ipsbho.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{A658D3F9-DB47-485E-809F-188AD0279BB8} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{A658D3F9-DB47-485E-809F-188AD0279BB8}\65562796A7F6E602D494649443531303C4021483830302355636572756 : DHCPNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.1.0.18\CoIEPlg.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.1.0.18\CoIEPlg.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2013-3-31 82600]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2013-3-31 42664]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1501000.012\SymDS64.sys [2014-3-2 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1501000.012\SymEFA64.sys [2014-3-2 1147480]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20140214.001\BHDrvx64.sys [2014-2-14 1526488]
R1 ccSet_N360;N360 Settings Manager;C:\Windows\System32\drivers\N360x64\1501000.012\ccSetx64.sys [2014-3-2 162392]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20140314.001\IDSviA64.sys [2014-3-15 524504]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1501000.012\Ironx64.sys [2014-3-2 264280]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1501000.012\symnets.sys [2014-3-2 590936]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-10-24 204288]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-3-16 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-3-16 701512]
R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe [2014-3-2 264360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-3-15 137648]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-3-16 25928]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-5-16 533096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-3-11 111616]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-3-15 19456]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2014-3-9 31800]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-3-15 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-3-15 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-3-1 1255736]
S4 RalinkRegistryWriter;Ralink Registry Writer;C:\Program Files (x86)\Belkin\F9L1103\v1\Common\RaRegistry.exe [2008-1-2 374112]
S4 RalinkRegistryWriter64;Ralink Registry Writer 64;C:\Program Files (x86)\Belkin\F9L1103\v1\Common\RaRegistry64.exe [2008-1-2 451936]
.
=============== Created Last 30 ================
.
2014-03-17 03:47:39 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-03-17 03:47:18 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-03-17 02:47:33 -------- d-----w- C:\Program Files (x86)\ESET
2014-03-17 02:32:13 -------- d-----w- C:\Windows\ERUNT
2014-03-17 02:18:24 -------- d-----w- C:\AdwCleaner
2014-03-17 01:30:15 0 ----a-w- C:\Windows\ativpsrm.bin
2014-03-17 01:28:23 -------- d-----w- C:\Windows\Migration
2014-03-17 01:27:26 -------- d-----w- C:\450f9b1e67e8945fcb5b88ea16df
2014-03-16 21:44:38 -------- d-----w- C:\Users\felix\AppData\Roaming\Malwarebytes
2014-03-16 21:44:35 -------- d-----w- C:\ProgramData\Malwarebytes
2014-03-16 21:44:34 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-03-16 21:44:34 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-16 20:04:24 67072 ----a-w- C:\Windows\splwow64.exe
2014-03-16 20:04:24 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2014-03-16 20:04:24 2871808 ----a-w- C:\Windows\explorer.exe
2014-03-16 20:04:24 2616320 ----a-w- C:\Windows\SysWow64\explorer.exe
2014-03-15 22:36:18 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2014-03-15 22:34:21 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2014-03-15 22:34:21 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2014-03-15 22:34:20 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2014-03-15 22:34:20 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2014-03-15 22:34:20 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2014-03-15 22:34:20 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2014-03-15 22:34:20 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2014-03-15 22:25:56 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2014-03-15 22:19:48 461312 ----a-w- C:\Windows\System32\scavengeui.dll
2014-03-15 20:59:33 -------- d-sh--w- C:\found.000
2014-03-09 22:34:10 -------- d-----w- C:\Program Files\Defraggler
2014-03-09 19:26:54 16384 ----a-w- C:\Users\felix\~DF2FCEAC6EFCB44ECC.TMP
2014-03-09 05:34:02 -------- d-----w- C:\Users\felix\AppData\Local\Zemana
2014-03-09 04:33:42 -------- d-----w- C:\Users\felix\AppData\Local\VS Revo Group
2014-03-09 04:33:36 31800 ----a-w- C:\Windows\System32\drivers\revoflt.sys
2014-03-09 04:33:36 -------- d-----w- C:\ProgramData\VS Revo Group
2014-03-09 04:33:34 -------- d-----w- C:\Program Files\VS Revo Group
2014-03-08 04:35:00 10536864 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9B128DB4-BCD0-4394-918E-94EF73B6DD40}\mpengine.dll
2014-03-06 03:05:21 -------- d-----w- C:\ProgramData\AVAST Software
2014-03-04 07:11:45 78936 ----a-r- C:\Windows\System32\drivers\SymIMV.sys
2014-03-04 06:57:03 -------- d-----w- C:\Users\felix\AppData\Local\White_Sky,_Inc
2014-03-04 06:56:23 -------- d-----w- C:\Users\felix\AppData\Local\VirtualStore
2014-03-04 01:37:07 -------- d-----w- C:\Users\felix\AppData\Local\NPE
2014-03-04 01:21:33 -------- d-----w- C:\Users\felix\AppData\Local\Google
2014-03-04 01:21:28 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-04 01:21:28 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-03-04 01:20:47 -------- d-----w- C:\Users\felix\AppData\Local\Adobe
2014-03-03 03:44:53 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2014-03-03 03:44:48 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
2014-03-03 03:44:48 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2014-03-03 03:44:35 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64\0600000.04A
2014-03-03 03:44:35 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64
2014-03-03 03:44:33 -------- d-----w- C:\Program Files (x86)\Norton Bootable Recovery Tool Wizard
2014-03-03 03:41:02 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2014-03-03 03:28:21 -------- d-----w- C:\Program Files (x86)\Belarc
2014-03-03 03:19:24 177752 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2014-03-03 03:19:24 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2014-03-03 03:19:03 858200 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\srtsp64.sys
2014-03-03 03:19:03 590936 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\symnets.sys
2014-03-03 03:19:03 493656 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\SymDS64.sys
2014-03-03 03:19:03 36952 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\srtspx64.sys
2014-03-03 03:19:03 264280 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\Ironx64.sys
2014-03-03 03:19:03 23568 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\SymELAM.sys
2014-03-03 03:19:03 162392 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\ccSetx64.sys
2014-03-03 03:19:03 1147480 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\SymEFA64.sys
2014-03-03 03:18:50 -------- d-----w- C:\Windows\System32\drivers\N360x64\1501000.012
2014-03-03 03:18:50 -------- d-----w- C:\Windows\System32\drivers\N360x64
2014-03-03 03:18:48 -------- d-----w- C:\Program Files (x86)\Norton Security Suite
2014-03-03 03:18:38 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2014-03-03 01:31:45 -------- d-----w- C:\ProgramData\NortonInstaller
2014-03-03 01:29:25 -------- d-----w- C:\ProgramData\Norton
2014-03-03 01:25:23 -------- d-----w- C:\ProgramData\IsolatedStorage
2014-03-03 01:24:18 -------- d-----w- C:\Users\felix\AppData\Local\Programs
2014-03-02 03:10:59 -------- d-----w- C:\Windows\System32\MRT
2014-03-02 03:06:40 -------- d-----w- C:\Windows\SysWow64\Wat
2014-03-02 03:06:40 -------- d-----w- C:\Windows\System32\Wat
2014-03-02 02:52:16 10536864 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2014-03-02 02:45:15 548864 ----a-w- C:\Windows\System32\vbscript.dll
2014-03-02 02:45:15 454656 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-03-02 02:44:25 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2014-03-02 02:44:25 5120 ----a-w- C:\Windows\System32\wmi.dll
2014-03-02 02:44:25 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2014-03-02 02:39:57 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2014-03-02 02:38:57 1192448 ----a-w- C:\Windows\System32\certutil.exe
2014-03-02 02:32:01 1643520 ----a-w- C:\Windows\System32\DWrite.dll
2014-03-02 02:30:31 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2014-03-02 02:30:31 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2014-03-02 02:30:31 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2014-03-02 02:30:31 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2014-03-02 02:30:31 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2014-03-02 02:30:30 77312 ----a-w- C:\Windows\System32\packager.dll
2014-03-02 02:30:30 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2014-03-02 02:30:09 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2014-03-02 02:30:09 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2014-03-02 02:30:08 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
.
==================== Find3M  ====================
.
2014-03-16 18:43:47 661184 ----a-w- C:\autoruns.exe
2014-03-16 18:43:47 579264 ----a-w- C:\autorunsc.exe
2014-03-01 05:17:02 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-03-01 05:16:26 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-01 04:51:59 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-01 04:33:34 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-01 04:32:59 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-01 04:23:49 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-01 03:52:43 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-01 03:14:15 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-01 03:10:28 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-03-01 03:00:08 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-04 02:32:22 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-02-04 02:32:12 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-02-04 02:04:22 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2014-01-27 14:58:44 270496 ------w- C:\Windows\System32\MpSigStub.exe
2013-12-24 23:09:41 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2013-12-24 22:48:32 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
.
============= FINISH: 20:21:27.91 ===============

Edited by boopme, 19 March 2014 - 07:20 PM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:08 PM

Posted 19 March 2014 - 07:23 PM

I put the log in...

 

http://www.bleepingcomputer.com/forums/t/527851/cant-get-rid-of-wininitexe/#entry3317917

 

You are in the 14th position, probably a day.



#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:08 PM

Posted 22 March 2014 - 07:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/527851 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop: DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:08 PM

Posted 23 March 2014 - 01:44 AM

 
 
New DDS logs. I have discovered something new. I will give more info after I get a reply.
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16521
Run by felix at 2:26:26 on 2014-03-23
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7649.6278 [GMT -4:00]
.
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\IPS\ipsbho.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{A658D3F9-DB47-485E-809F-188AD0279BB8} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{A658D3F9-DB47-485E-809F-188AD0279BB8}\65562796A7F6E602D494649443531303C4021483830302355636572756 : DHCPNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.1.0.18\CoIEPlg.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.1.0.18\CoIEPlg.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - 
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2013-3-31 82600]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2013-3-31 42664]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1501000.012\SymDS64.sys [2014-3-2 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1501000.012\SymEFA64.sys [2014-3-2 1147480]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20140214.001\BHDrvx64.sys [2014-2-14 1526488]
R1 ccSet_N360;N360 Settings Manager;C:\Windows\System32\drivers\N360x64\1501000.012\ccSetx64.sys [2014-3-2 162392]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20140321.001\IDSviA64.sys [2014-3-21 524504]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1501000.012\Ironx64.sys [2014-3-2 264280]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1501000.012\symnets.sys [2014-3-2 590936]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-10-24 204288]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-3-16 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-3-16 701512]
R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\21.1.0.18\N360.exe [2014-3-2 264360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-3-15 137648]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-3-16 25928]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-5-16 533096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-3-11 111616]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-3-15 19456]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2014-3-9 31800]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-3-15 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-3-15 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-3-1 1255736]
S4 RalinkRegistryWriter;Ralink Registry Writer;C:\Program Files (x86)\Belkin\F9L1103\v1\Common\RaRegistry.exe [2008-1-2 374112]
S4 RalinkRegistryWriter64;Ralink Registry Writer 64;C:\Program Files (x86)\Belkin\F9L1103\v1\Common\RaRegistry64.exe [2008-1-2 451936]
.
=============== Created Last 30 ================
.
2014-03-23 02:42:41 10521840 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{579D8126-58A7-4D95-B06C-C03135FAB634}\mpengine.dll
2014-03-22 22:47:14 10521840 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2014-03-21 02:17:22 -------- d-----w- C:\FRST
2014-03-17 03:47:39 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-03-17 03:47:18 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-03-17 02:47:33 -------- d-----w- C:\Program Files (x86)\ESET
2014-03-17 02:32:13 -------- d-----w- C:\Windows\ERUNT
2014-03-17 02:18:24 -------- d-----w- C:\AdwCleaner
2014-03-17 01:30:15 0 ----a-w- C:\Windows\ativpsrm.bin
2014-03-17 01:28:23 -------- d-----w- C:\Windows\Migration
2014-03-17 01:27:26 -------- d-----w- C:\450f9b1e67e8945fcb5b88ea16df
2014-03-16 21:44:38 -------- d-----w- C:\Users\felix\AppData\Roaming\Malwarebytes
2014-03-16 21:44:35 -------- d-----w- C:\ProgramData\Malwarebytes
2014-03-16 21:44:34 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-03-16 21:44:34 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-16 20:04:24 67072 ----a-w- C:\Windows\splwow64.exe
2014-03-16 20:04:24 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2014-03-16 20:04:24 2871808 ----a-w- C:\Windows\explorer.exe
2014-03-16 20:04:24 2616320 ----a-w- C:\Windows\SysWow64\explorer.exe
2014-03-15 22:36:18 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2014-03-15 22:34:21 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2014-03-15 22:34:21 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2014-03-15 22:34:20 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2014-03-15 22:34:20 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2014-03-15 22:34:20 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2014-03-15 22:34:20 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2014-03-15 22:34:20 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2014-03-15 22:25:56 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2014-03-15 22:19:48 461312 ----a-w- C:\Windows\System32\scavengeui.dll
2014-03-15 20:59:33 -------- d-sh--w- C:\found.000
2014-03-09 22:34:10 -------- d-----w- C:\Program Files\Defraggler
2014-03-09 19:26:54 16384 ----a-w- C:\Users\felix\~DF2FCEAC6EFCB44ECC.TMP
2014-03-09 05:34:02 -------- d-----w- C:\Users\felix\AppData\Local\Zemana
2014-03-09 04:33:42 -------- d-----w- C:\Users\felix\AppData\Local\VS Revo Group
2014-03-09 04:33:36 31800 ----a-w- C:\Windows\System32\drivers\revoflt.sys
2014-03-09 04:33:36 -------- d-----w- C:\ProgramData\VS Revo Group
2014-03-09 04:33:34 -------- d-----w- C:\Program Files\VS Revo Group
2014-03-06 03:05:21 -------- d-----w- C:\ProgramData\AVAST Software
2014-03-04 07:11:45 78936 ----a-r- C:\Windows\System32\drivers\SymIMV.sys
2014-03-04 06:57:03 -------- d-----w- C:\Users\felix\AppData\Local\White_Sky,_Inc
2014-03-04 06:56:23 -------- d-----w- C:\Users\felix\AppData\Local\VirtualStore
2014-03-04 01:37:07 -------- d-----w- C:\Users\felix\AppData\Local\NPE
2014-03-04 01:21:33 -------- d-----w- C:\Users\felix\AppData\Local\Google
2014-03-04 01:21:28 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-04 01:21:28 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-03-04 01:20:47 -------- d-----w- C:\Users\felix\AppData\Local\Adobe
2014-03-03 03:44:53 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2014-03-03 03:44:48 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
2014-03-03 03:44:48 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2014-03-03 03:44:35 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64\0600000.04A
2014-03-03 03:44:35 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64
2014-03-03 03:44:33 -------- d-----w- C:\Program Files (x86)\Norton Bootable Recovery Tool Wizard
2014-03-03 03:41:02 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2014-03-03 03:28:21 -------- d-----w- C:\Program Files (x86)\Belarc
2014-03-03 03:19:24 177752 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2014-03-03 03:19:24 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2014-03-03 03:19:03 858200 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\srtsp64.sys
2014-03-03 03:19:03 590936 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\symnets.sys
2014-03-03 03:19:03 493656 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\SymDS64.sys
2014-03-03 03:19:03 36952 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\srtspx64.sys
2014-03-03 03:19:03 264280 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\Ironx64.sys
2014-03-03 03:19:03 23568 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\SymELAM.sys
2014-03-03 03:19:03 162392 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\ccSetx64.sys
2014-03-03 03:19:03 1147480 ----a-r- C:\Windows\System32\drivers\N360x64\1501000.012\SymEFA64.sys
2014-03-03 03:18:50 -------- d-----w- C:\Windows\System32\drivers\N360x64\1501000.012
2014-03-03 03:18:50 -------- d-----w- C:\Windows\System32\drivers\N360x64
2014-03-03 03:18:48 -------- d-----w- C:\Program Files (x86)\Norton Security Suite
2014-03-03 03:18:38 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2014-03-03 01:31:45 -------- d-----w- C:\ProgramData\NortonInstaller
2014-03-03 01:29:25 -------- d-----w- C:\ProgramData\Norton
2014-03-03 01:25:23 -------- d-----w- C:\ProgramData\IsolatedStorage
2014-03-03 01:24:18 -------- d-----w- C:\Users\felix\AppData\Local\Programs
2014-03-02 03:10:59 -------- d-----w- C:\Windows\System32\MRT
2014-03-02 03:06:40 -------- d-----w- C:\Windows\SysWow64\Wat
2014-03-02 03:06:40 -------- d-----w- C:\Windows\System32\Wat
2014-03-02 02:52:16 10536864 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2014-03-02 02:45:15 548864 ----a-w- C:\Windows\System32\vbscript.dll
2014-03-02 02:45:15 454656 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-03-02 02:44:25 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2014-03-02 02:44:25 5120 ----a-w- C:\Windows\System32\wmi.dll
2014-03-02 02:44:25 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2014-03-02 02:39:57 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2014-03-02 02:38:57 1192448 ----a-w- C:\Windows\System32\certutil.exe
2014-03-02 02:32:01 1643520 ----a-w- C:\Windows\System32\DWrite.dll
2014-03-02 02:30:31 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2014-03-02 02:30:31 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2014-03-02 02:30:31 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2014-03-02 02:30:31 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2014-03-02 02:30:31 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2014-03-02 02:30:30 77312 ----a-w- C:\Windows\System32\packager.dll
2014-03-02 02:30:30 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2014-03-02 02:30:09 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2014-03-02 02:30:09 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2014-03-02 02:30:08 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
.
==================== Find3M  ====================
.
2014-03-16 18:43:47 661184 ----a-w- C:\autoruns.exe
2014-03-16 18:43:47 579264 ----a-w- C:\autorunsc.exe
2014-03-01 05:17:02 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-03-01 05:16:26 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-01 04:51:59 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-01 04:33:34 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-01 04:32:59 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-01 04:23:49 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-01 03:52:43 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-01 03:14:15 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-01 03:10:28 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-03-01 03:00:08 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-04 02:32:22 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-02-04 02:32:12 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-02-04 02:04:22 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2013-12-24 23:09:41 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2013-12-24 22:48:32 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
.
============= FINISH:  2:26:48.11 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume4
Install Date: 1/2/2008 8:51:40 PM
System Uptime: 3/23/2014 2:10:33 AM (0 hours ago)
.
Motherboard: PEGATRON CORPORATION |  | 2ACD
Processor: AMD A6-3620 APU with Radeon™ HD Graphics | P0 | 2196/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 931 GiB total, 888.868 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: 
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1022&DEV_7812&SUBSYS_2ACD103C&REV_03\3&267A616A&0&81
Manufacturer: 
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1022&DEV_7812&SUBSYS_2ACD103C&REV_03\3&267A616A&0&81
Service: 
.
Class GUID: 
Description: SM Bus Controller
Device ID: PCI\VEN_1022&DEV_780B&SUBSYS_2ACD103C&REV_13\3&267A616A&0&A0
Manufacturer: 
Name: SM Bus Controller
PNP Device ID: PCI\VEN_1022&DEV_780B&SUBSYS_2ACD103C&REV_13\3&267A616A&0&A0
Service: 
.
Class GUID: 
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1022&DEV_7812&SUBSYS_2ACD103C&REV_03\3&267A616A&0&80
Manufacturer: 
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1022&DEV_7812&SUBSYS_2ACD103C&REV_03\3&267A616A&0&80
Service: 
.
==== System Restore Points ===================
.
RP39: 3/15/2014 6:27:04 PM - Windows Update
RP40: 3/15/2014 7:02:13 PM - Windows Update
RP41: 3/16/2014 4:49:37 PM - Installed inSSIDer
RP42: 3/16/2014 5:00:36 PM - Windows Update
RP44: 3/16/2014 5:35:50 PM - Revo Uninstaller Pro's restore point - PC Speed Maximizer v3.2
RP46: 3/16/2014 5:37:15 PM - Revo Uninstaller Pro's restore point - Google Toolbar for Internet Explorer
RP48: 3/16/2014 5:38:04 PM - Revo Uninstaller Pro's restore point - inSSIDer
RP49: 3/16/2014 5:38:25 PM - Removed inSSIDer
RP51: 3/16/2014 5:39:28 PM - Revo Uninstaller Pro's restore point - Windows 7 USB/DVD Download Tool
RP52: 3/16/2014 6:46:16 PM - Windows Update
RP53: 3/16/2014 9:26:25 PM - Windows Update
RP55: 3/16/2014 9:33:27 PM - Revo Uninstaller Pro's restore point - Google Update Helper
RP56: 3/19/2014 11:55:10 PM - Installed Microsoft .NET Framework 4.5.1
RP57: 3/22/2014 6:46:27 PM - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 12 ActiveX
Belarc Advisor 8.4
Belkin N750 Dual Band Wireless USB Adapter
Defraggler
ESET Online Scanner v3
Google Chrome
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Mozilla Firefox 27.0.1 (x86 en-US)
Mozilla Maintenance Service
Norton Bootable Recovery Tool Wizard
Norton Security Suite
Recuva
Revo Uninstaller Pro 3.0.8
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2898855v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2901110v2)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
.
==== Event Viewer Messages From Past Week ========
.
3/22/2014 6:49:15 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.169.394.0).
3/22/2014 1:08:30 AM, Error: Service Control Manager [7030]  - The ESET Uninstaller Service service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
3/20/2014 11:50:51 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
3/20/2014 11:50:48 PM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
3/20/2014 11:50:37 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000]  - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\RAIHV.dll Error Code: 21
3/20/2014 11:50:35 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
3/20/2014 11:50:35 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
3/20/2014 11:50:34 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/20/2014 11:50:28 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
3/20/2014 11:50:17 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  BHDrvx64 ccSet_N360 discache eeCtrl IDSVia64 spldr SRTSPX SymIRON SymNetS Wanarpv6
3/18/2014 7:19:30 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {D3DCB472-7261-43CE-924B-0704BD730D5F}  and APPID  {D3DCB472-7261-43CE-924B-0704BD730D5F}  to the user b-PC\b SID (S-1-5-21-1319726726-1155108264-2832584757-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
3/18/2014 7:19:29 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {145B4335-FE2A-4927-A040-7C35AD3180EF}  and APPID  {145B4335-FE2A-4927-A040-7C35AD3180EF}  to the user b-PC\b SID (S-1-5-21-1319726726-1155108264-2832584757-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
3/17/2014 6:24:25 PM, Error: Service Control Manager [7034]  - The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).
.
==== End Of File ===========================

#5 thisisu (Malware Response Team)

Posted 23 March 2014 - 02:36 AM

Hello bwrighttwo,

 

The DDS log is clean, so we will have to dig deeper in case your wininit.exe is actually compromised.

 

First, please launch an Internet browser (either Internet Explorer or Firefox is fine) and go to www.virustotal.com. When there, click the "Choose File" button and locate the C:\Windows\system32\wininit.exe file. Once you have found it, press the blue "Scan it!" button. Send me the URL when the analysis is complete.

 

Next, download CCleaner Slim to your desktop.

  • Double-click ccsetup411_slim.exe to start the installation.
  • Select your language and click Next
  • In the install options, uncheck everything except for "Add Desktop Shortcut", then click Install.
  • Uncheck "View Release Notes" and press Finish.
  • This should have launched the tool. If not, there is a CCleaner shortcut icon on your desktop to launch the tool.
  • Click the Options button on the left hand side of the tool, and then click "Advanced".
  • Uncheck everything except for "Skip User Account Control" warning.
  • Now click the Cleaner button on the left hand side of the tool.
  • Press Run Cleaner on the bottom right of the tool.
  • Allow the program to close any browsers you may have open if a prompt appears.
  • Once the cleaning has completed, click the Tools button.
  • From here, click the System Restore button.
  • Delete any restore points you are able to delete from here. There should only be one remaining which you cannot remove for your own safety. The reason we are deleting these is to reduce the amount of time needed to defrag your system which I will show you how to do next.

__

 

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

 

Please attach the log to your next post.


Edited by thisisu, 23 March 2014 - 02:38 AM.
broken vt link
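Before a system binary goes to VirusTotal, a responder usually wants to know three things first: which wininit.exe is actually running (there should be exactly one, from System32), whether the on-disk file carries a valid Microsoft signature, and what its SHA-256 is so the VirusTotal analysis URL can be matched to the local file. The PowerShell below is an added example for this thread, not part of thisisu's instructions or of any tool named here. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), an elevated prompt (the SYSTEM-owned process's image path is otherwise unreadable), and optionally Sysinternals sigcheck.exe on the PATH.

```powershell
# Added example, not from the original thread. Sanity-checks wininit.exe the
# way a responder would before trusting (or needing) a VirusTotal verdict.
# Assumptions: Windows PowerShell 4.0+ (Get-FileHash), elevated prompt.

function Test-WininitIntegrity {
    $expected = Join-Path $env:SystemRoot 'System32\wininit.exe'
    $winsxs   = Join-Path $env:SystemRoot 'WinSxS'
    $findings = @()

    # 1. Exactly one wininit.exe should be running, and it must be the System32
    #    copy. A second instance, or one loaded from elsewhere, is a red flag.
    $procs = @(Get-WmiObject Win32_Process -Filter "Name = 'wininit.exe'")
    if ($procs.Count -ne 1) {
        $findings += "Expected 1 running wininit.exe, found $($procs.Count)"
    }
    foreach ($p in $procs) {
        if (-not $p.ExecutablePath) {
            $findings += "PID $($p.ProcessId): image path unreadable (run elevated)"
        } elseif ($p.ExecutablePath -ine $expected) {
            $findings += "PID $($p.ProcessId): runs from $($p.ExecutablePath), not $expected"
        }
    }

    # 2. The on-disk file must be signed by Microsoft. Caveat: most Windows
    #    system binaries are catalog-signed rather than embedded-signed, and on
    #    older Windows versions Get-AuthenticodeSignature reports those as
    #    NotSigned. Cross-check with sigcheck (below) before drawing conclusions.
    $sig = Get-AuthenticodeSignature -FilePath $expected
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is $($sig.Status) (catalog-signed files may show NotSigned here)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "Signed, but not by Microsoft: $($sig.SignerCertificate.Subject)"
    }

    # 3. SHA-256 of the file, to compare against the hash in the VirusTotal URL.
    $sha256 = (Get-FileHash -Algorithm SHA256 -Path $expected).Hash.ToLower()

    # 4. Any other file named wininit.exe on the system drive deserves a look.
    #    Copies under WinSxS (the component store) are expected and are skipped.
    #    This walks the whole drive, so it can take a while on a large disk.
    $extras = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'wininit.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ine $expected -and $_.FullName -notlike "$winsxs\*" } |
        ForEach-Object { $_.FullName }
    foreach ($e in $extras) { $findings += "Extra copy on disk: $e" }

    New-Object PSObject -Property @{
        Path     = $expected
        SHA256   = $sha256
        Status   = $sig.Status
        Signer   = $sig.SignerCertificate.Subject
        Findings = $findings
    }
}

$result = Test-WininitIntegrity
$result | Format-List Path, SHA256, Status, Signer
if ($result.Findings.Count -eq 0) {
    'No anomalies found; the SHA256 above should match the hash in the VirusTotal analysis URL.'
} else {
    $result.Findings | ForEach-Object { Write-Warning $_ }
}

# Optional cross-check with Sysinternals sigcheck, which verifies catalog
# signatures and prints hashes. Assumption: sigcheck.exe is on the PATH.
if (Get-Command sigcheck.exe -ErrorAction SilentlyContinue) {
    & sigcheck.exe -accepteula -nobanner -h -i (Join-Path $env:SystemRoot 'System32\wininit.exe')
}
```

The check worth stressing is the first one: malware that borrows the name wininit.exe almost always runs from a different directory or alongside the real one, so a process list that shows one instance from System32 with a Microsoft signature already rules out the most common cases, while a clean VirusTotal result on the System32 file alone does not tell you anything about a look-alike running from somewhere else.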


#6 bwrighttwo (Topic Starter)

Posted 23 March 2014 - 11:25 AM

I am not sure the search is actually pulling the same file I get using a search from my start menu search. I am also posting a screen shot of what I am speaking of. I also have several other questions I will ask after I complete the rest of your instructions. Thank you for your time.

 

I guess I need to know the best way to post a file of a screen shot that is located on my desktop.

 

 

 

https://www.virustotal.com/en/file/f6b4d18fa0d3c4958711ac0d476c21a6fdf2897f989a0ad290b43f463dd8b5b0/analysis/



#7 bwrighttwo (Topic Starter)

Posted 23 March 2014 - 11:42 AM

Just letting you know... I have to give access to clipboard to paste. This is probably normal but thought I would let you know just in case.

 

 

 

Attached Files

  • Attached File  tdss.txt   91.42KB   0 downloads

Edited by thisisu, 23 March 2014 - 12:45 PM.


#8 thisisu (Malware Response Team)

Posted 23 March 2014 - 12:44 PM

Just letting you know... I have to give access to clipboard to paste. This is probably normal but thought I would let you know just in case.

 

That doesn't sound right, but I wanted you to attach the log, not paste it.

 

To attach a file, you click the "Choose File" and locate the file you are wanting to attach. Then once you have selected it, click the "Attach This File" button.

 

I will type out some more steps in the next post.


Edited by thisisu, 23 March 2014 - 12:46 PM.


#9 thisisu (Malware Response Team)

Posted 23 March 2014 - 12:56 PM

Please download and install Malwarebytes Anti-Malware.

  • Open Malwarebytes Anti-Malware and click the Update tab.
    • Then press the Check for Updates button.
  • Once you have the latest database version, click the Settings tab.
    • Now click the Scanner Settings sub-tab.
    • In the sections that say:
      • Action for potentially unwanted programs (PUP)
      • Action for potentially unwanted modifications (PUM)
      • Action for peer-to-peer software (P2P)
    • .. click the down arrow next to each field and choose: Show in results list and check for removal.
  • Now go back to the main Scanner tab and perform a Quick Scan.
  • Wait for the scan to complete and follow the prompts provided.
  • A log file will appear when finished.
  • Post the contents of this log file into your next message.
    • You can also retrieve the log from the Logs tab in case you accidentally closed the report that popped up when the scan completed.

__

 

Next, download AdwCleaner

  • Double-click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users:
    Right-click on AdwCleaner.exe and select
    "Run as administrator"
  • Click the Scan button.
  • Once the scan completes click the Clean button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[S1].txt.


#10 bwrighttwo (Topic Starter)

Posted 23 March 2014 - 02:08 PM

I do not think I can attach or copy and paste. My previous topic I had to send all of my logs to boopme via PM.

 

I ran both and am having trouble finding the exact logs. Both were clean. If you look at my "Am I infected" topic with boopme and the same title,...there were some things ADW found. I have been using Mbam for a while and it has not found anything recently although while looking for this last log I took a look at the real time protect log and noticed something that may be important. I see the word (NULL) several times. I can post it if you think it may be something. I can also keep looking for those last 2 logs if you think I need to.


Edited by bwrighttwo, 23 March 2014 - 02:50 PM.


#11 thisisu (Malware Response Team)

Posted 23 March 2014 - 03:24 PM

I do not think I can attach or copy and paste. My previous topic I had to send all of my logs to boopme via PM.

 

What do you mean by "send"? Did you e-mail the logs to him? Be more specific please and go ahead and try to paste the contents of the logs here, in this thread.

 

I forgot you had already sent an AdwCleaner log, so you don't have to show that one again, but do update MBAM and copy/paste the latest log here in this thread.

 

PM it to me if all else fails.

 

I'm not interested in the MBAM protection log at this time, but feel free to attach the screenshot you took.


Edited by thisisu, 23 March 2014 - 03:26 PM.


#12 bwrighttwo (Topic Starter)

Posted 23 March 2014 - 03:33 PM

 

I do not think I can attach or copy and paste. My previous topic I had to send all of my logs to boopme via PM.

 

What do you mean by "send"? Did you e-mail the logs to him? Be more specific please and go ahead and try to paste the contents of the logs here, in this thread.

 

 

 

No, I just sent PM via this site. No email. This was before I figured out I could copy and paste via clipboard.

I will try to attach new Mbam log.

The screen shot was of the properties of wininit file. I noticed that the other tabs in system look did prove it was the same wininit file. The screenshot just showed that the original file name was Win Init with a space. Sorry for the confusion.



#13 bwrighttwo (Topic Starter)

Posted 23 March 2014 - 03:38 PM

I switched to Firefox. Still can't c&p but was able to attach.

Attached Files



#14 thisisu (Malware Response Team)

Posted 23 March 2014 - 03:51 PM

I switched to Firefox. Still can't c&p but was able to attach.

 

Ok, that's fine, just attach all your logs from now on. Attach the screenshot if you still want me to review it. Proceed to the next steps too:

 

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


#15 bwrighttwo (Topic Starter)

Posted 23 March 2014 - 04:20 PM

I did everything I know to turn off the one Norton that is enabled. I used both Admin and regular accounts. My desktops are completely different now. I will restart and then reply again. In the meantime here is the Combofix log.

Attached Files