Please help! nothing works!

Infected? Need help removing malware from your PC ?
Post in here and let our Malware Advisors help you....


Re: Please help! nothing works!

Postby jmc333 » Sat Mar 26, 2011 5:05 pm

Also, after I make sure my PC is totally clean, how do you suggest I check to see if anything else is corrupted on my PC, and if there are other things corrupted, any tools you would suggest I use to correct them? Thanks, Diesel
jmc333
Junior Contributor
 
Posts: 108
Joined: Wed Mar 23, 2011 10:57 pm
Has thanked: 1 time
Have thanks: 0 time
OS: Windows XP Home
Architecture: 32bit


Re: Please help! nothing works!

Postby Tweak » Sat Mar 26, 2011 5:15 pm

userinit.exe and its path may have been altered, as that is one of those things which occur when some infections occur. Check out this for further information: http://www.justtext.com/processes-tasks ... t-exe.html What matters most here is that you take notice of the paths: "File or folder location: You will find this at C:\WINDOWS\system32\Userinit.exe It may also be listed at C:\WINDOWS\ServicePackFiles\i386" I have multiple times copied this file from a clean OS install and replaced the one that is damaged, and it has always resolved problems for those times when this file was either infected or deleted. In some cases this was done via a WinPE environment (boot CD). Just some additional information to consider and check on. ;)

You can run the System File Checker also, as I just saw you asked another question about potential corruption. http://www.microsoft.com/resources/docu ... x?mfr=true
8-)
Tweak
Senior Contributor
 
Posts: 768
Joined: Sat Jul 03, 2010 6:24 pm
Has thanked: 0 time
Have thanks: 37 times
OS: Windows 7 Ultimate
Architecture: 64bit

Re: Please help! nothing works!

Postby jmc333 » Sat Mar 26, 2011 6:16 pm

Tweak, would running that Microsoft thing replace userinit.exe for me (assuming it's corrupted), or would I have to copy it from another OS like you did?

P.S. It seems Sophos quarantined the jar_cache thing. Will I have to remove it from quarantine before I'm able to manually delete it? (Because Sophos is part of the university install, I'm not actually able to delete it with Sophos, because I don't have administrative rights.)
jmc333
Junior Contributor
 
Posts: 108
Joined: Wed Mar 23, 2011 10:57 pm
Has thanked: 1 time
Have thanks: 0 time
OS: Windows XP Home
Architecture: 32bit

Re: Please help! nothing works!

Postby Tweak » Sat Mar 26, 2011 6:38 pm

jmc333 wrote: Tweak, would running that Microsoft thing replace userinit.exe for me (assuming it's corrupted), or would I have to copy it from another OS like you did?

There are other locations, as I noted above, where you may be able to get the file besides another PC. I only use the other sources because they are easily available and I know they are clean; you should, however, be able to locate a clean copy elsewhere on your own PC and use that file. SFC is intended to correct issues, and one might expect this would solve problems like this, but to be honest I have not had much luck with it doing so and find I am able to do the repairs manually much quicker and easier. It is best you also check the registry for changes; although it seems you may not have this issue, give it a check anyway. Start>Run>regedit, then look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and see that it states userinit.exe (don't edit it to look like this, but this is what you will see as the entry for this path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=C:\windows\system32\userinit.exe,). Running SFC is something you should do, and it does replace some of the protected files, but this one, as I stated, I just manually replace because it is so much simpler; you should however run SFC through so that everything gets checked. Hope this helps and is what you were looking for. Remember that when you locate the other userinit.exe file there may be many, and you want to replace with the one located either at C:\i386 or, much more likely, the one you find at C:\Windows\system32\dllcache (which is where SFC looks to for its repair procedure).

The jar-related item is a Java-based issue which we often find located in the Java cache folder during scanning; manually deleting these files is what usually works. You may need to do so in Safe Mode or from a boot CD if it will not (but should) work in normal mode.
Tweak
Senior Contributor
 
Posts: 768
Joined: Sat Jul 03, 2010 6:24 pm
Has thanked: 0 time
Have thanks: 37 times
OS: Windows 7 Ultimate
Architecture: 64bit
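The Winlogon check Tweak describes above, written out as a small validator. This is an added example, not code from the thread or from any tool mentioned in it: it takes the string read out of HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (with regedit or `reg query`) and reports anything other than a single entry pointing at userinit.exe inside the system32 folder. The XP default path C:\WINDOWS\system32 is assumed and can be overridden; reading the registry itself is left to the caller, so the function runs on any platform.

```python
"""Validate a Winlogon 'Userinit' registry value (added example, not from the thread)."""
import ntpath


def parse_userinit(value):
    """Split the comma-separated Userinit string into its non-empty entries.

    The stock value ends with a trailing comma, so the empty tail is dropped.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def check_userinit(value, system32=r"C:\WINDOWS\system32"):
    """Return (ok, findings) for a Userinit value.

    ok is True only when the value holds exactly one entry and that entry is
    userinit.exe inside the given system32 folder (compared case-insensitively,
    since Windows paths are not case-sensitive). Anything else, including a bare
    'userinit.exe' without a path or extra comma-separated programs, is reported.
    """
    findings = []
    entries = parse_userinit(value)
    if not entries:
        return False, ["Userinit value is empty"]
    expected = ntpath.normpath(ntpath.join(system32, "userinit.exe")).lower()
    for entry in entries:
        if ntpath.normpath(entry).lower() != expected:
            findings.append("unexpected entry: " + entry)
    if len(entries) > 1:
        findings.append("%d entries found; the stock value has one" % len(entries))
    return (not findings), findings


if __name__ == "__main__":
    # Constructed sample values; the first is the stock XP entry quoted in the thread,
    # the others are made up to show what a changed value looks like to the checker.
    samples = (
        r"C:\windows\system32\userinit.exe,",
        r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\USERNAME\Local Settings\Temp\extra.exe,",
        "userinit.exe,",
    )
    for sample in samples:
        ok, findings = check_userinit(sample)
        print(("OK  " if ok else "BAD ") + sample, findings)
```

The trailing comma in the stock value is deliberate on Windows (Winlogon accepts a comma-separated list), which is why the checker splits on commas and then insists on exactly one surviving entry rather than comparing the raw string.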

Re: Please help! nothing works!

Postby jmc333 » Sat Mar 26, 2011 6:47 pm

I deleted the jar_cache manually. And I'll move on to the corruption issue right after I clear something up (hopefully) with GMER. When I run GMER it gives me this:
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-26 17:45:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD10 rev.05.0
Running: o4t1jqhy.exe; Driver: C:\DOCUME~1\corina\LOCALS~1\Temp\awlyqpod.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 859164A8
Device \FileSystem\Ntfs \Ntfs 85A34840
Device \FileSystem\Ntfs \Ntfs 858BBA98
Device \FileSystem\Ntfs \Ntfs 85B01CC8
Device \FileSystem\Ntfs \Ntfs 8A756418

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys

Device \FileSystem\Fastfat \Fat 85930A98
Device \FileSystem\Fastfat \Fat 8A61ABB0
Device \FileSystem\Fastfat \Fat 858D77A0
Device \FileSystem\Fastfat \Fat 8A7F0688
Device \FileSystem\Fastfat \Fat 85A30F08

AttachedDevice \FileSystem\Fastfat \Fat savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
AttachedDevice \FileSystem\Fastfat \Fat dwprot.sys
AttachedDevice \Driver\Tcpip \Device\Ip dwprot.sys
AttachedDevice \Driver\Tcpip \Device\Tcp dwprot.sys
AttachedDevice \Driver\Tcpip \Device\Udp dwprot.sys
AttachedDevice \Driver\Tcpip \Device\RawIp dwprot.sys

---- EOF - GMER 1.0.15 ----
Are those all rootkits?? And if so, how do I remove them, because I see no remove option. Thanks :)
jmc333
Junior Contributor
 
Posts: 108
Joined: Wed Mar 23, 2011 10:57 pm
Has thanked: 1 time
Have thanks: 0 time
OS: Windows XP Home
Architecture: 32bit

Re: Please help! nothing works!

Postby Tweak » Sat Mar 26, 2011 7:03 pm

The dwprot is because you used Dr Web, no worries there. The savonaccessfilter is from Sophos, so again, no problems. You should navigate to C:\Documents and Settings\YOURUSERNAMEHERE\Local Settings\Temp and delete to the Recycle Bin what you find inside, which will remove awlyqpod.sys and other mess. If you see some ghosted folders like Cookies, History, and Temp Internet Files you can leave those folders, but open the Temp Net folder and drill down till you see index and desktop.ini and some randomly named folders, and remove those folders as well. I actually recommend running CCleaner before scanning with MBAM and other such tools, since it can sometimes remove a lot of "junk" which in some cases includes items detected as malicious or unwanted (unless actively running and locked, of course). I have added the custom folders to clean that path so that it is cleaned periodically; I have also dropped a batch file in my startup folder before to have some areas cleaned at every boot, but seeing as I reboot only a few times per month, CCleaner is the better option. Make sure you go into Control Panel, open Folder Options, click View, and then adjust the options to Show Hidden Files and so you can see protected operating system files; when done, set these back as they were.
Tweak
Senior Contributor
 
Posts: 768
Joined: Sat Jul 03, 2010 6:24 pm
Has thanked: 0 time
Have thanks: 37 times
OS: Windows 7 Ultimate
Architecture: 64bit
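The triage Tweak does by eye in the reply above, as an added example that is not part of the thread or of GMER: a parser for the AttachedDevice lines of a GMER quick-scan log that buckets each filter driver as a known security product (Sophos and Dr.Web, the two the thread identifies) or as something to look at by hand, and pulls out the scanner's own temporary driver from the "Running: ...; Driver: ..." header, which is why a randomly named .sys sits in Temp. The sample log is a constructed excerpt in GMER's layout with the username replaced by a placeholder and one made-up driver name added so the review path is exercised.

```python
"""Triage the AttachedDevice lines of a GMER quick-scan log (added example, not from the thread)."""
import re

# Constructed excerpt in the layout GMER 1.0.15 prints; "examplefilter.sys" is a
# made-up name included only so the "needs review" bucket is exercised.
SAMPLE_LOG = r"""
Running: o4t1jqhy.exe; Driver: C:\DOCUME~1\USERNAME\LOCALS~1\Temp\awlyqpod.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 859164A8

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys
AttachedDevice \Driver\Tcpip \Device\Tcp dwprot.sys
AttachedDevice \Driver\Tcpip \Device\Udp examplefilter.sys

---- EOF - GMER 1.0.15 ----
"""

# Filter drivers the thread identifies as legitimate security products.
KNOWN_FILTERS = {
    "savonaccessfilter.sys": "Sophos on-access scanner",
    "dwprot.sys": "Dr.Web",
}

# "AttachedDevice <device object> <symbolic name> <driver.sys> (optional description)"
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+\.sys)(?:\s+\((.*)\))?\s*$")
# GMER's header names its own randomly named executable and the temp driver it loaded.
RUNNING_RE = re.compile(r"^Running:\s+(\S+);\s+Driver:\s+(.+?)\s*$")


def triage_gmer(log_text):
    """Sort a GMER log into the scanner's own driver, known filters and drivers to review.

    Returns {"gmer_driver": path or None,
             "known": {driver: [attach points]},
             "review": {driver: [attach points]}}.
    Driver names are lower-cased so case differences in the log do not split one
    driver across two buckets.
    """
    result = {"gmer_driver": None, "known": {}, "review": {}}
    for line in log_text.splitlines():
        header = RUNNING_RE.match(line)
        if header:
            result["gmer_driver"] = header.group(2)
            continue
        attached = ATTACHED_RE.match(line)
        if not attached:
            continue
        driver = attached.group(3).lower()
        attach_point = attached.group(1) + " " + attached.group(2)
        bucket = "known" if driver in KNOWN_FILTERS else "review"
        result[bucket].setdefault(driver, []).append(attach_point)
    return result


if __name__ == "__main__":
    report = triage_gmer(SAMPLE_LOG)
    print("GMER's own temp driver:", report["gmer_driver"])
    for driver, points in report["known"].items():
        print("known  ", driver, "(" + KNOWN_FILTERS[driver] + ")", len(points), "attach point(s)")
    for driver, points in report["review"].items():
        print("REVIEW ", driver, points)
```

Plain Device lines (the Ntfs and Fastfat entries with hex addresses) are ignored on purpose: they are the file-system driver objects themselves, and only what is attached on top of them tells you which third-party filters are in the I/O path.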

Re: Please help! nothing works!

Postby jmc333 » Sat Mar 26, 2011 7:06 pm

Wait so delete everything in the Temp folder and the Temp Net folder?
jmc333
Junior Contributor
 
Posts: 108
Joined: Wed Mar 23, 2011 10:57 pm
Has thanked: 1 time
Have thanks: 0 time
OS: Windows XP Home
Architecture: 32bit

Re: Please help! nothing works!

Postby Tweak » Sat Mar 26, 2011 7:12 pm

Contents of the Temp folders (not the folder itself, obviously), yes. Since I am not on XP here, def ask if you are unsure; we are moving to the Recycle Bin so we can always replace IF you hit something wrong, but you should be fine so far. Leave the Temp Net alone. Refer back to the above about specific folders you may find inside that Temp folder. To make it easy, just click Start>Run> and type %Temp% and remove what you find, again less what I mentioned above; if something can't be removed it may relate to an actively running program, and you would need to do it again in Safe Mode with nothing running IF it is of a concern to you.

Side note: earlier it was mentioned to remove the proxy settings. I found some more elegant methods (one of which is below), if you want to call it that. Take the text below and copy it into Notepad and save it with .vbs as the file extension; make sure you do not save it as proxyreset.txt.vbs though.

-------------Copy only below text-------------
' Proxy reset: clears the current user's Internet Settings proxy (HKCU only, so no admin rights needed).
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")

' Ask before touching the registry.
If MsgBox("Turn Proxy off?", vbQuestion Or vbYesNo) = vbYes Then
    ' Disable the proxy and overwrite the configured proxy server address.
    oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", 0, "REG_DWORD"
    oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer", "proxy:", "REG_SZ"
Else
    ' Answering No still disables the proxy but leaves the ProxyServer value as it was.
    oShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", 0, "REG_DWORD"
End If

Set oShell = Nothing
-------------Copy only above text-------------

;)
Tweak
Senior Contributor
 
Posts: 768
Joined: Sat Jul 03, 2010 6:24 pm
Has thanked: 0 time
Have thanks: 37 times
OS: Windows 7 Ultimate
Architecture: 64bit

Re: Please help! nothing works!

Postby jmc333 » Sat Mar 26, 2011 7:40 pm

Ok, here's a brief update: I'm scanning right now with the Comodo Cleaning Essentials; after that's done I think I'll uninstall Sophos and set up my security system (most likely Avast and... either ThreatFire or DefenseWall). From there I'll start dealing with the corruption (or lack thereof) on my PC and fix what I can.

P.S. While Comodo was scanning I cleared what I could in the Temp folder and didn't worry too much about what I couldn't. Also, just to make sure: so you think what GMER found isn't anything malicious?
jmc333
Junior Contributor
 
Posts: 108
Joined: Wed Mar 23, 2011 10:57 pm
Has thanked: 1 time
Have thanks: 0 time
OS: Windows XP Home
Architecture: 32bit

Re: Please help! nothing works!

Postby Tweak » Sat Mar 26, 2011 7:43 pm

jmc333 wrote: Ok, here's a brief update: I'm scanning right now with the Comodo Cleaning Essentials; after that's done I think I'll uninstall Sophos and set up my security system (most likely Avast and... either ThreatFire or DefenseWall). From there I'll start dealing with the corruption (or lack thereof) on my PC and fix what I can.

P.S. While Comodo was scanning I cleared what I could in the Temp folder and didn't worry too much about what I couldn't. Also, just to make sure: so you think what GMER found isn't anything malicious?

Two of the items which were repeated multiple times were from Dr Web and Sophos; the other is in the Temp folder and should be removed if you haven't already. Otherwise things are looking good from the replies you have been making.
Tweak
Senior Contributor
 
Posts: 768
Joined: Sat Jul 03, 2010 6:24 pm
Has thanked: 0 time
Have thanks: 37 times
OS: Windows 7 Ultimate
Architecture: 64bit
