
Virus Removal Help -- Wininit


  • This topic is locked
3 replies to this topic

#1 mcfarljd

mcfarljd

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 05 October 2010 - 08:07 PM

Hello there, haven't been here in a while, last computer just crapped out, and first problem in a year with the laptop. Turned on the computer the other day and boom, AVG keeps having an incessant popup saying that system32\wininit.exe is infected, and it can't remove it because it is "white listed." Also says Trojan horse patched_c.JEU. I've been searching for a while for help but everything I've found won't work (typically opening task manager and stopping the process), which will just cause a blue screen. Any help would be fantastic. Thanks so much.



#2 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 06 October 2010 - 01:15 AM

Hello mcfarljd and :welcome:

My name is JonTom.

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

Let's get some system scans so we can get a better idea about what is going on.

If you encounter any difficulties with the scans come back and let me know.


  • Download and run OTL by Oldtimer


    • Please download OTL by Oldtimer by clicking here and save the file (called OTL.exe) to your desktop.
    • Close all open windows on your computer then Double click on the OTL.exe icon to run the program.
    • Check the boxes beside "LOP Check" and "Purity Check".
    • Under Custom Scan paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT


    • Click the "Run Scan" button. Do not change any settings unless specifically told to do so. The scan will not take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
    • Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please Copy and Paste the contents of both files in your next reply. You may need two posts to fit them both in.

  • DeFogger


    • Please download DeFogger to your desktop.
    • Click on DeFogger to run the tool.
    • The application window will appear.
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue.
    • A 'Finished!' message will appear.
    • Click OK.
    • DeFogger will now ask to reboot the machine - click OK.
      IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
      Do not re-enable these drivers until otherwise instructed.

  • Please scan your system with GMER


    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Please post the OTL logs and the GMER log in your next reply :)

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom
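Added worked example (not part of this thread, and not OTL's or GMER's own code): a small Python file-integrity check that does in miniature what the /md5start ... /md5stop block of the custom scan above asks OTL to do, which is hash every copy of a list of named system files so that a patched binary, like the wininit.exe the original poster's AVG flagged, shows up as a file whose hash no longer matches a known-good baseline. The directory tree, file contents and baseline hashes are all constructed inside the script (they are invented stand-ins, not real Windows binaries); wininit.exe is added to the watch list as an assumption because it is the file reported in the first post, and SHA-256 is computed alongside MD5 as a design choice of this example, since MD5 alone is a weak identity for a file an attacker controls.

```python
"""Constructed file-integrity demo: hash every copy of a watch list of system
files and compare against a known-good baseline. Example code, not OTL's."""
import hashlib
import os
import tempfile

# Names copied from the /md5start ... /md5stop block of the custom scan above,
# plus wininit.exe (assumption: the file AVG flagged in the first post).
WATCH_LIST = ["wininit.exe", "eventlog.dll", "scecli.dll", "netlogon.dll",
              "atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys"]


def file_hashes(path, chunk=65536):
    """Return (md5, sha256) hex digests of one file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def find_watched(root, names):
    """Walk root and map each watched name (lower-cased) to every path it occurs at.
    A system file usually exists in several places (System32, dllcache, driver
    caches), so every copy is reported rather than only the first one found."""
    wanted = {n.lower() for n in names}
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                found.setdefault(fn.lower(), []).append(os.path.join(dirpath, fn))
    return found


def check_integrity(root, names, baseline):
    """Compare each copy of each watched file against a SHA-256 baseline.
    Returns {path: "ok" | "MODIFIED" | "no baseline"}; a watched name that is
    absent from root is reported under the key "missing:<name>"."""
    found = find_watched(root, names)
    report = {}
    for name in sorted({n.lower() for n in names}):
        if name not in found:
            report["missing:" + name] = "not found"
            continue
        for path in found[name]:
            _md5, sha = file_hashes(path)
            good = baseline.get(name)
            if good is None:
                report[path] = "no baseline"
            elif sha == good:
                report[path] = "ok"
            else:
                report[path] = "MODIFIED"
    return report


def demo():
    """Build a constructed mini system tree and return (report, status counts).
    File contents are invented; the baseline is the SHA-256 of the clean content
    (in practice it would come from a known-good installation)."""
    root = tempfile.mkdtemp(prefix="integrity_demo_")
    sys32 = os.path.join(root, "Windows", "System32")
    cache = os.path.join(sys32, "dllcache")
    os.makedirs(cache)
    clean = {"wininit.exe": b"MZ clean wininit", "atapi.sys": b"MZ clean atapi",
             "eventlog.dll": b"MZ clean eventlog"}
    baseline = {n: hashlib.sha256(c).hexdigest() for n, c in clean.items()}
    for name, content in clean.items():
        with open(os.path.join(cache, name), "wb") as fh:  # pristine cached copy
            fh.write(content)
        live = content
        if name == "wininit.exe":                            # simulated patched copy
            live = content + b" <extra bytes appended>"
        with open(os.path.join(sys32, name), "wb") as fh:
            fh.write(live)
    report = check_integrity(root, WATCH_LIST, baseline)
    counts = {}
    for status in report.values():
        counts[status] = counts.get(status, 0) + 1
    return report, counts


if __name__ == "__main__":
    rep, cnt = demo()
    for path, status in sorted(rep.items()):
        print(f"{status:10} {path}")
    print(cnt)
```

Running it lists the live System32\wininit.exe as MODIFIED while its dllcache copy and the other constructed files are ok; the five watched names that were never created come back as not found, which is the same signal a missing driver gives in a real OTL log.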

#3 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 09 October 2010 - 01:56 PM

Do you still need help?

#4 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 12 October 2010 - 02:12 PM

Due to inactivity, this topic has been closed. If you are the topic starter and need this topic reopened, please PM a staff member (include the address of this thread in your request). Everyone else please start a new topic.
