Author Topic: ie4uinit.exe [RESOLVED]  (Read 30525 times)


qim

  • Guest
ie4uinit.exe [RESOLVED]
« on: December 10, 2010, 10:26:03 AM »
I have a new problem on a different computer with Comodo Firewall going 'mad' asking for permission for everything despite running normally since I installed it a couple of years ago.

I uninstalled it and installed Outpost free. Then, I did several scans and found in Hijack Hunter ie4uinit.exe which according to many instances in Google is some sort of virus.

Could you, please, have a look at the attached log?
« Last Edit: December 13, 2010, 05:43:28 PM by qim »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37650
  • F-Secure user
Re: ie4uinit.exe
« Reply #1 on: December 10, 2010, 03:06:11 PM »
upload the file to www.virustotal.com and test it with 43 malware scanners
when you have the result, copy the url in the address bar and post it here




also check your computer for Malware with

Malwarebytes Anti-Malware 1.50 http://filehippo.com/download_malwarebytes_anti_malware/
always update so you have latest database before you scan
click the remove selected button to quarantine anything found
please post the scan log here if anything is found



« Last Edit: December 10, 2010, 03:09:54 PM by Pondus »

qim

  • Guest
Re: ie4uinit.exe
« Reply #2 on: December 10, 2010, 07:26:26 PM »
Malwarebytes did not find anything in a full scan. Neither did VirusTotal.  The problem with the file is there are dozens of entries in the system. I am attaching a screenshot.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: ie4uinit.exe
« Reply #3 on: December 10, 2010, 08:25:32 PM »
Hi this is a legitimate file ie4uinit.exe

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

qim

  • Guest
Re: ie4uinit.exe
« Reply #4 on: December 10, 2010, 09:03:23 PM »
I am unable to run OTL. Half-way through a box pops up stating: Exception Processing Message c0000013 Parameters 75b6bf7c4...etc

What now?

qim

Offline essexboy

Re: ie4uinit.exe
« Reply #5 on: December 10, 2010, 09:17:15 PM »
OK plan 2  ;D

Download Combofix from any of the links below. You must rename it before saving: rename it to svchost before saving it to your desktop.

Link 1
Link 2


==================================


Double click on the renamed ComboFix.exe & follow the prompts.
    When finished, it will produce a report for you. 
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

qim

  • Guest
Re: ie4uinit.exe
« Reply #6 on: December 10, 2010, 09:24:25 PM »
Hi Essexboy

I am always nervous about ComboFix... Does this mean that you KNOW there is something lurking? The computer seems to be fine, other than the occasional blip, like with OTL.

Having said all this, I am totally in your capable hands and will follow your advice to the letter, if you say so.

Thanks

qim

Offline essexboy

Re: ie4uinit.exe
« Reply #7 on: December 10, 2010, 09:33:42 PM »
Well up until now I have never broken a machine

If you do not wish to run Combofix we can try OTL's big brother - from safe mode if necessary  ;D

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following

    Reg - NetSvcs
    Reg - Shell Spawning
    Evnt - EventViewer Logs (Last 10 Errors)
    File - Lop Check
    File - Purity Scan

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

qim

  • Guest
Re: ie4uinit.exe
« Reply #8 on: December 10, 2010, 09:57:38 PM »
...and I'm sure you won't break my machine either.  I was just wondering if you DID find something in my system and this was the removal process, or still looking for some intrusion.

Anyway, as I tried to download OTS I got a box saying that it was a dangerous download. So, I decided to go into safe mode, and while there tried OTL again. As before the box came up, but this time, somehow (I opened the Task Manager with CTRL/Alt/Delete), the box disappeared and the prog resumed. Please, see the attached log, and let me know the next plan of action.

Thanks

qim

Offline essexboy

Re: ie4uinit.exe
« Reply #9 on: December 10, 2010, 10:12:33 PM »
Comodo left a hanger on behind trying to run - let me know if this eases it 

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:80
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:80
    O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe File not found
    [2010/12/09 21:46:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Filt

    :Files
    ipconfig /flushdns /c
    C:\Program Files\COMODO

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
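
An added example, not part of essexboy's post or of OTL itself: a small Python triage over OTL-style log lines that flags the two kinds of entry listed under :OTL in the fix above, a ProxyServer value pointing at loopback and a Run entry whose target is reported as "File not found". The line formats are taken from the quoted fix; the ExampleApp line, the regexes and the `triage` function are constructed for illustration.

```python
import re

# Constructed sample: the first three lines use the formats quoted in the fix
# above; the ExampleApp line is a made-up healthy entry for contrast.
SAMPLE_LOG = r'''
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:80
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:80
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe File not found
O4 - HKLM..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe (Example Vendor)
'''

# "IE - <hive>\<account>\...\Internet Settings: "ProxyServer" = <value>"
PROXY_RE = re.compile(r'^IE - (?P<account>HK[^\\]+\\[^\\]+)\\.*: "ProxyServer" = (?P<value>\S+)$')
# "O4 - <key>: [<entry name>] <target and status text>"
RUN_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<target>.+)$')
# Proxy value whose host is loopback, with or without a "http=" style prefix.
LOOPBACK_RE = re.compile(r'(?:^|=)(?:127(?:\.\d{1,3}){3}|localhost)(?::\d+)?$', re.I)
MISSING = 'File not found'


def triage(log_text):
    """Return (kind, subject, detail) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        proxy = PROXY_RE.match(line)
        if proxy:
            # A loopback proxy with nothing listening breaks HTTP for that account.
            if LOOPBACK_RE.search(proxy['value']):
                findings.append(('loopback-proxy', proxy['account'], proxy['value']))
            continue
        run = RUN_RE.match(line)
        if run and run['target'].endswith(MISSING):
            # Autostart entry still registered although its binary is gone.
            path = run['target'][:-len(MISSING)].rstrip()
            findings.append(('orphaned-run', run['name'], path))
    return findings


if __name__ == '__main__':
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f'{kind:15} {subject}: {detail}')
```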

qim

  • Guest
Re: ie4uinit.exe
« Reply #10 on: December 10, 2010, 10:41:53 PM »
Hi Essexboy

Please, find attached the two logs I got from following your instructions.  I am still getting that box about Exception Processing Message, every time I run OTL.  It seems to stop always in the same place: HKCU/Software/MS/Wind/Cur Ver/Explorer/MountPoint2/---long string---

Offline essexboy

Re: ie4uinit.exe
« Reply #11 on: December 10, 2010, 11:23:14 PM »
Hmm that would suggest that something within the mountpoint area is not recording

Could you now run combofix please as per previous instructions


qim

  • Guest
Re: ie4uinit.exe
« Reply #12 on: December 10, 2010, 11:56:24 PM »
Hi.

Problems

ComboFix did its thing, rebooted and then took a long, long time to sort out the log. Now the blue screen is still there saying 'Combofix's log will be located ...etc' (In fact log just arrived!)

But I have all sorts of messages from Outpost that Catchme.cfxxe is attempting to load an unsigned kernel-mode driver or service.

What shall I do?

qim

  • Guest
Re: ie4uinit.exe
« Reply #13 on: December 11, 2010, 12:27:16 AM »
Deleted message
« Last Edit: December 11, 2010, 12:31:05 AM by qim »

Offline essexboy

Re: ie4uinit.exe
« Reply #14 on: December 11, 2010, 01:01:00 PM »
Drivers and MBR look good - so the problem with explorer now looks to be driver or RAM associated

So let's clear my tools and give a bit of TLC and see if the problem remains

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove along with ERUNT.  But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


SPRING CLEAN
 
Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe  :wave: