bcastner (Premium, VIP, MVM; join: 2002-09-25; Chevy Chase, MD)
reply to Annmarie
Re: HJT Log - fake alerts
If MBAM or Combofix request or force a reboot, allow them to do so. Some malware infectors can only be removed during the reboot process, as they are then in an inactive state.
1. Open HijackThis again, System scan only. Checkmark these items:
O4 - HKCU\..\Run: [AdmApiCmd] C:\WINDOWS\system32\gbuvidsp.exe
Click "Fix checked" and when the log panel clears exit HijackThis.
2. We need to run Combofix again.
Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard" or as above use your Mouse to do a Copy/Paste:
Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".
• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well. Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix. Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:
When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
3. Run MBAM again, just as instructed earlier above. It should report a clean result.
4. Run HijackThis again, and save the log file.
Submit to the Forum:
• Your new MBAM log result;
• The contents of C:\Combofix.txt;
• The new HijackThis log.
Now, a favor. I want you to submit for analysis this file:
c:\windows\system32\userinit.exe
I regularly submit (on-line) files to be scanned for malware. These two sites are my favorites, and use multiple AV programs for their scans -- up to 32 different major AV products are used to scan the file:
• Jotti's Virus Scan: virusscan.jotti.org/
• VirusTotal: www.virustotal.com/
These servers can be busy, but the whole process is surprisingly fast for such extensive AV testing. There is the added "Good Citizenship" factor -- if the file is found suspicious it automatically alerts the antivirus vendors of a new malware to include in their definition files.
Submit to both, and report the results back to the Forum. I appreciate this extra step on your part.
Bill Castner
MS-MVP 2004 - 2008, ASAP Member Users Helping Users
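The check behind steps 1 and 4 (fix one O4 entry, then confirm it is gone from the new HijackThis log), as an added example that is not part of the original post. The function names and the sample log lines other than the AdmApiCmd entry are constructed for illustration, and only registry-style O4 lines of the form shown in the post are parsed.

```python
import re

# Registry-style O4 line, as in the post: "O4 - <key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_o4(log_text):
    """Map normalized (key, name, command) -> original line for each O4 entry."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            # Registry value names and Windows paths are case-insensitive.
            norm = tuple(m[g].strip().casefold() for g in ("key", "name", "cmd"))
            entries[norm] = line.strip()
    return entries

def verify_fix(before_log, after_log, fixed_line):
    """Compare two logs around one entry that was fixed in HijackThis."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    (fixed_norm,) = parse_o4(fixed_line)  # raises if fixed_line is not an O4 line
    fixed_cmd = fixed_norm[2]
    return {
        "was_present": fixed_norm in before,
        "removed": fixed_norm not in after,
        # Same executable registered again under another key or value name.
        "same_command_elsewhere": sorted(
            line for norm, line in after.items()
            if norm[2] == fixed_cmd and norm != fixed_norm),
        # Autostart entries that appeared between the two scans.
        "new_entries": sorted(
            line for norm, line in after.items() if norm not in before),
    }

FIXED = r"O4 - HKCU\..\Run: [AdmApiCmd] C:\WINDOWS\system32\gbuvidsp.exe"  # from the post
# Constructed sample logs; only the O4 lines matter for this check.
BENIGN = r"O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe"
RELISTED = r"O4 - HKLM\..\Run: [ExampleOther] c:\windows\system32\GBUVIDSP.EXE"
BEFORE = "\n".join([BENIGN, FIXED])
AFTER_CLEAN = BENIGN
AFTER_BAD = "\n".join([BENIGN, RELISTED])

if __name__ == "__main__":
    print(verify_fix(BEFORE, AFTER_CLEAN, FIXED))
    print(verify_fix(BEFORE, AFTER_BAD, FIXED))
```

A result with `removed` true and both lists empty matches the clean outcome the post expects; anything in `same_command_elsewhere` or `new_entries` is worth including when the logs are posted back.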