Author Topic: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]  (Read 29775 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #45 on: September 22, 2010, 10:07:11 PM »
You can run an MBR check as soon as you have reinstalled using this programme.  If the MBR is infected it will repair it for you, although there were no indications of it on the basic OTL log

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window similar to this should open on your desktop:

  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.  Please post the contents of that file.

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #46 on: September 22, 2010, 11:24:38 PM »
I succeeded in starting in normal mode (restore point from 12.09.10).
Here are the OTL scans.

kricxjo

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #47 on: September 22, 2010, 11:27:17 PM »
I used another version of OTL.exe (3.2.12.1).

Offline essexboy

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #48 on: September 22, 2010, 11:35:24 PM »
Glad to see that you got the restore to work  ;D

A few bits that I can see and then a deep check for those that I can't.  Once this run is complete, can you let me know what problems you have remaining?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O33 - MountPoints2\{318e0241-e081-11dd-b7c9-0021866ef504}\Shell\AutoRun\command - "" = F:\ZERAVICA\\\\\LONDON.exe -- File not found
    O33 - MountPoints2\{318e0241-e081-11dd-b7c9-0021866ef504}\Shell\explore\command - "" = F:\ZERAVICA\\\\\\LONDON.exe -- File not found
    O33 - MountPoints2\{318e0241-e081-11dd-b7c9-0021866ef504}\Shell\open\command - "" = F:\ZERAVICA\\\\\\LONDON.exe -- File not found
    O33 - MountPoints2\{5265b054-1783-11de-8fcc-0021866ef504}\Shell\AutoRun\command - "" = wbj.exe
    O33 - MountPoints2\{5265b054-1783-11de-8fcc-0021866ef504}\Shell\open\Command - "" = wbj.exe
    O33 - MountPoints2\{c8bb09be-8019-11de-8947-0021866ef504}\Shell\AutoRun\command - "" = ZERAVICA\\\\\\\\\\LONDON.exe
    O33 - MountPoints2\{c8bb09be-8019-11de-8947-0021866ef504}\Shell\explore\command - "" = ZERAVICA\\\\\\\\\\\\LONDON.exe
    O33 - MountPoints2\{c8bb09be-8019-11de-8947-0021866ef504}\Shell\open\command - "" = ZERAVICA\\\\\\\\\\\\LONDON.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

kricxjo

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #49 on: September 22, 2010, 11:59:59 PM »
These are the files: one that showed after the fix was applied (restart) and OTL.log after the quick scan.

The process sp7zkv.exe is there because I renamed OTL.exe to sp7zkv.exe.

kricxjo

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #50 on: September 23, 2010, 12:26:31 AM »
Log from ComboFix, unfortunately in Polish again ;)

kricxjo

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #51 on: September 23, 2010, 11:44:19 PM »
Thank you very much again! I did scans with Avast! (it found 1 light threat), MBAM (0), SAS Pro (mainly cookies). I updated Avast and Java, installed SP2 and some updates. It seems it's OK now. I can attach the logs of MBAM and SAS to the next post if you want me to do so. I really appreciate your help. I think I learnt something :)

Offline essexboy

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #52 on: September 24, 2010, 08:38:18 PM »
Do you use a flash drive regularly? A new mountpoint has been added, so I will remove that.  Otherwise it looks good; any problems?

As for the language, the reports come in a standard format, so I don't really need to know the language.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    O33 - MountPoints2\{25a7d67b-7f8e-11df-bc2f-0021866ef504}\Shell\AutoRun\command - "" = lcw.exe
    O33 - MountPoints2\{25a7d67b-7f8e-11df-bc2f-0021866ef504}\Shell\open\Command - "" = lcw.exe

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
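A defender's view of the O33 lines in the two fix scripts above (reply #48 and this one), as an added example that is not from the thread or from OTL: a small Python parser for OTL's MountPoints2 report format that flags the Shell\<verb>\command overrides worth removing. The sample log lines are constructed from this thread's entries (backslash runs simplified), and the assumption that C: is the system drive is a parameter.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the O33 (MountPoints2) format that OTL reports,
# modelled on the entries quoted in this thread (backslash runs simplified).
SAMPLE_O33 = r"""
O33 - MountPoints2\{318e0241-e081-11dd-b7c9-0021866ef504}\Shell\AutoRun\command - "" = F:\ZERAVICA\LONDON.exe -- File not found
O33 - MountPoints2\{5265b054-1783-11de-8fcc-0021866ef504}\Shell\open\Command - "" = wbj.exe
O33 - MountPoints2\{25a7d67b-7f8e-11df-bc2f-0021866ef504}\Shell\AutoRun\command - "" = lcw.exe
O33 - MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\open\command - "" = C:\Windows\explorer.exe
"""

# Volume GUID, the shell verb (AutoRun/open/explore) whose command is
# overridden, the command itself and OTL's optional trailing status.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-f-]+)\}\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "" = (?P<cmd>.*?)(?: -- (?P<status>.*))?$',
    re.IGNORECASE,
)

@dataclass
class MountPointCmd:
    guid: str
    verb: str
    command: str
    status: str   # e.g. "File not found"; empty if OTL printed none
    reason: str   # why the entry should be removed; empty if it looks benign

def classify(cmd, system_drive="C:"):
    """Explain why a Shell\\<verb>\\command override is worth removing."""
    if not re.match(r"[a-z]:\\", cmd, re.IGNORECASE):
        # No drive or path: Explorer resolves it against the root of the
        # inserted volume, i.e. a program carried on the removable drive.
        return "bare file name resolved on the removable volume"
    if not cmd.upper().startswith(system_drive.upper() + "\\"):
        return "program launched from a non-system drive"
    return ""

def parse_o33(line):
    m = O33_RE.match(line.strip())
    if not m:
        return None
    return MountPointCmd(m["guid"].lower(), m["verb"], m["cmd"],
                         m["status"] or "", classify(m["cmd"]))

def audit(text):
    """Return every O33 entry in an OTL log that should be reviewed/removed."""
    entries = (parse_o33(line) for line in text.splitlines())
    return [e for e in entries if e is not None and e.reason]
```

An entry reported as "File not found" is still worth removing: the override stays in the registry and fires again if a drive with the same volume GUID and payload is plugged in.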

kricxjo

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #53 on: September 24, 2010, 10:07:23 PM »
Hello, here I attach today's log from OTL and yesterday's MBAM and SAS.
I didn't notice anything suspicious for now. I use flash drives a lot, as it is my computer for work.

Offline essexboy

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #54 on: September 24, 2010, 10:41:23 PM »
You will need to scan every flash drive with Avast and MBAM before you run it, as that is the probable route of your infection.

Looking at that I am a happy bunny  :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Click Start > Run, copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove along with ERUNT.  But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN
 
Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?
Keep safe  :wave: