Author Topic: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]  (Read 29799 times)

0 Members and 1 Guest are viewing this topic.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #30 on: September 19, 2010, 09:00:26 PM »
When you just search for the three items ? that is wierd

Could you type in the following to the custom scans and fixes area then run scan

/md5start
explorer.exe
winlogon.exe
wininit.exe   
/md5stop

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #31 on: September 19, 2010, 10:20:26 PM »
Yes I've tried it. There is one difference from your instruction. After running the program it asks me to select windows folder. I choose c:\windows and after that it asks: "do you wish to load remote user profile(s) ommiting "remote registry". And one more difference. I cannot choose this file as you have told me but rather open it, copy and paste whole script.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #32 on: September 19, 2010, 10:24:05 PM »
Could you copy and paste then please - I am still reading on the latest updates to the programme

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #33 on: September 20, 2010, 12:10:36 AM »
O.K. I did the such procedure.
1. I double-clicked on OTLPE icon
2. In a pop-up window I selected c:\windows as a windows folder
3. In next window "Do you wish to load remote user profile(s)" I choose "yes"
4. I chose one profile from a list (it was impossible to choose more)
and left "Automatically Load All Remaining Users" checked is it was already.
5. OTL started.
6a. I tried to drag and drop scan.txt to the "Custom Scans/Fixes" box
7a. It says "Error! Not a valid fix file"
6b. I tried to double click on "Custom Scans/Fixes". And in new window, that has opened, I tried to change location to find my desktop where I previously saved scan.txt.
7b. It wrote: "Error! Access violation at address 7CA0936 in module 'SHELL32.dll'. Read of address 00000006" and crashed
8. I opened the file in notepad.exe and copied Ctrl+A, Ctrl+C and pasted Ctrl+V (or otherwise I simply rewrote it).
9. I pressed Run Scan button
10. It proceeded for some time and when it came to: "Manual File Scan - Getting folder structure..." it poped up: "Error! out of memory"

There is one more thing. It does detect my USB-disc (after sticking it into, there pops an icon in sys-tray "Safely Remove Hardware", but sometimes it don't show it in My computer). To copy scan.txt I use command-line:

copy e:\scan.txt b:\documents and settings\default user\desktop\

It has generally some problems with file system. Maybe you have previous version?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #34 on: September 20, 2010, 09:09:40 PM »
Unfortunately old versions are not kept as they can be dangerous

Do you have a windows disc ? As it looks like we may need the repair option

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #35 on: September 20, 2010, 11:00:28 PM »
With Vista? No, It is OEM version. And there was no CD-ROM attached. Instead there is a bootable hidden partition with Windows PE on it (labelled: HP_Recovery). I previously downloaded and burnt Windows Automated Installation Kit (AIK).

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #36 on: September 20, 2010, 11:22:07 PM »
OK there is a way to create a Vista recovery console

Go here and follow the instruction to create the cd http://www.vistax64.com/tutorials/141820-create-recovery-disc.html?ltr=C

This will enable you to access the Vista start up repair function

With WAIK you need a copy of the Vista CD to get it to work so not much use to you I am afraid

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #37 on: September 20, 2010, 11:33:31 PM »
Update Dch48 has hosted an ISO here which will negate the need for using a torrent http://www.adrive.com/public/09a07828c4a98ff6552455ec242eb6136a98730169be36b8650f85c231527a19.html

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #38 on: September 21, 2010, 12:24:35 AM »
Thank you. I'd rather choose .iso file. I'm downloading it now. Will you be staying for a long time active today? I'm asking because in Poland it's 0:20 AM now and I need at least half an hour to download and burnt it. So maybe we will continue tomorrow, shall we. But of course I can make myself a cup of strong coffee unless you are tired.

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #39 on: September 21, 2010, 12:52:39 AM »
Vista Recovery Disc is ready.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #40 on: September 21, 2010, 10:00:20 PM »
OK boot from the CD then select start up repair and see if that cures the userinit/winlogon problem

If that fails then select System restore and select a restore point prior to the problem

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #41 on: September 22, 2010, 12:39:51 AM »
I did "start up repair" and it found error "files system corrupted" then booted again but it didn't changed anything. System still have a problem with log on. And OTL still says: "out of memory" System restore is also usless in this case I'm affraid :-[

And what about my erlier ask to run a TDSSKiller from safe mode/Win PE mode. I know we haven't got any scans so it would have to be done blindly. But overall is it a bad idea? What may go wrong? And what has left except from re-installation?

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #42 on: September 22, 2010, 12:48:42 AM »
And one more question. What about running OTL.exe (in a stand-alone version) from a hard drive (the same trick ???)
Or maybe HDD can be taken out from that laptop and used as "a slave"?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #43 on: September 22, 2010, 08:59:57 PM »
The problem with using other tools is that need to be run from the active drive and not a PE environment

In this case it might be a better option to remove everything that you want from the drive using reatogo and then going for a re-install

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #44 on: September 22, 2010, 09:46:47 PM »
So, I did back-up earlier. Now I'm not much emotionally involved with repairing this system. And if there is no other option I can at least try and then prepare for re-installation. Thank you Essexboy for your time, help and patience and to all of you guys for reading and commenting too.

The last question. I assume if it was infection of system files. There is still small chance for having infected MBR section of a disc. Haw much propable it is? And does the virus can survive in that case?

That's it. Crusade is finished before it's been started.