Question

infected computer keeps getting re-infected (logs attached)

Asked by: dgrrr

The computer is a Windows XP Home SP3 desktop. I've fixed an infection of "Antivirus 2009" (the rogue2008 one) using a combination of ComboFix and Malwarebytes, plus Spybot for good measure.

Computer got infected a second time, and I did the same.

Then last week it was infected for a third time. AVG 8 resident shield kept complaining about
____
avg resident shield alert
accessed file is infected
file name: c:\windows\system32\userinit.exe
ignore
process name: c:\windows\system32\winlogon.exe
____


Client was running Malwarebytes to no avail. I did an updated Malwarebytes quick scan and then a ComboFix. Afterward when I rebooted I no longer got the Resident Shield alert. I wanted to do updated full MBAM scans, Spybot scan, Ad-Aware scans, and also update Windows XP completely, but to save him money I told the guy how to do those himself, and I rebooted several times, and got no AVG Resident Shield alerts. I left.

At that point, when I left, I did a HijackThis log, which is attached as HJT-b.txt.

Now (the next day) he says he's getting the same infection notice from AVG Resident Shield regarding userinit.exe.

Can you guys look at the last HJT log I did (HJT-b.txt) and see if you can spot anything?

Obviously I'll try to get the guy to send me a current mbam log to add to this.

thx

(He has teenage kids who might be reinfecting the computer, but if it's my failure to clean it I feel bad)


Asked On: 2009-04-10 at 21:23:18 (ID 24314110)
Topics: Anti-Spyware, Desktop Anti-Virus, HijackThis Software
Participating Experts: 7
Points: 400
Comments: 38


Answers

 

by: johnb6767, posted on 2009-04-10 at 22:05:33, ID: 24120913

If you are cleaning the av2009.exe files, and the infected files from system32, chances are you haven't cleaned/restored a good copy of the userinit.exe inside c:\windows\system32....

If the file is not signed by MS (upon a right click), and not 24kb (on an sp2, and sp3 XP Image) then it isn't the right one. Either get a good copy of it from c:\windows\system32\dllcache, or another working pc.....

 

by: aleinss, posted on 2009-04-10 at 22:17:21, ID: 24120932

I don't see a log attached anywhere, but:

1. Load SpywareBlaster (free) to protect Internet Explorer

2. Make sure the PC is patched with all Microsoft updates, not just SP3

3. The teens should be running with standard user rights (not Administrators). If this is not possible, a program such as SandboxIE might be needed to shield Internet Explorer from the rest of the system

4. I cringe every time I see AVG mentioned. A paid anti-virus program such as NOD32 or F-Secure might be a better option. Lots of workplaces have corporate licensing agreements with their AV provider with free home use provisions. He might want to check to see if that is the case where he works.

 

by: johnb6767, posted on 2009-04-10 at 22:30:24, ID: 24120960

I swear by AVG, especially the corporate versions. But you will find debates like this all day long, which is the best, which one is the worst. Some people even still LOVE Symantec....... What works for one, doesn't always work for others......

 

by: rpggamergirl, posted on 2009-04-10 at 23:00:24, ID: 24121004

Have him send you the latest combofix log and attach it here.

Sounds like he may be having a Virut or Sality file infector and that's not very good. I usually suggest a reformat when dealing with Virut infection (especially when it's been in the system for a while).

 

by: pankaj0079, posted on 2009-04-11 at 00:16:03, ID: 24121112

Disable system restore
scan with avast

 

by: pankaj0079, posted on 2009-04-11 at 00:25:08, ID: 24121122

try scanning with quickheal total security 2009

 

by: younghv, posted on 2009-04-11 at 06:29:45, ID: 24121980

You also need to set up a "Surf" account on that computer (Limited account - no privs) for the kid to go to his websites (which will remain unnamed).

Put a password on the Customer's account and tell him to save some money (and frustration) by keeping his password private.

 

by: RobDating, posted on 2009-04-12 at 07:16:39, ID: 24125771

With reference to the deleted link above, you need to download or create a mini PE bootable CD with the below mentioned tools.

 

by: RobDating, posted on 2009-04-12 at 07:19:57, ID: 24125778

i.e. RegEditPE

 

by: younghv, posted on 2009-04-12 at 08:21:45, ID: 24125924

If we can get the ComboFix log posted here, one of the Experts can write a script which will remove all of the infected files.
There is no need to manually search and delete any files.

 

by: dgrrr, posted on 2009-04-14 at 00:11:20, ID: 24135533

Hmm, I kept attaching the files. I must be doing it wrong.

I also wonder why so many people respond with generic posts, not reading the original post, just copying and pasting a bunch of fixes that have already been done...

anyway - to you others -- I'll try attaching again here

 

by: dgrrr, posted on 2009-04-14 at 00:12:33, ID: 24135538

Oops here's the rest...

 

by: Edgnett, posted on 2009-04-14 at 00:27:24, ID: 24135601

your HijackThis log seems clean,
try the following
use something like CCleaner to clean all temps
then download and run SDFix in safe mode.
run combofix and Malwarebytes again.

repost all logs

a guide to using sdfix can be found here:
http://www.bleepingcomputer.com/forums/topic131299.html

 

by: younghv, posted on 2009-04-14 at 03:09:54, ID: 24136424

dgrrr,
A couple of comments seem in order.

First of all - your HJT log is not "clean".
If nothing else, run the updates you told your customer to do (as mentioned in your first post). You're not saving anyone money by allowing this problem to continue and good computer security always starts with OS/application updates.

Why is the Symantec 'LiveUpdate' service still running? It looks as though someone did an incomplete removal when they installed AVG.

Have you run any commands (such as from msconfig) to reduce the processes that run at startup?

More importantly, please take the time to look at the 'Profile' of the people offering you advice. Unlike many forums, EE allows anyone to post in any Zone - regardless of their lack of qualifications.

It is unfortunate, but true that we have way too many 'point-chasers' who jump into questions with their one-line crap about 'run this' - or worse - those who have created their multi-paragraph lists of instructions as macros, and then run around pasting the same cookie-cutter posts all over the place.

johnb6767 & rpggamergirl both have a long history of helping other Members and of giving their detailed attention - one question at a time.

You can safely ignore all the rest of the posts in the question (including mine).

 

by: rpggamergirl, posted on 2009-04-14 at 05:27:23, ID: 24137372

I wouldn't suggest SDFix at the moment... it hasn't been updated for over 5 months.


If you could please delete your version of combofix and download the latest version, there's a version newer than the one you have.

Combofix log is showing an AWF infection (a file impostor which replaces a legit file with itself and moves the original to the bak folder). I haven't seen this infection in a while.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\f5087.dat
c:\windows\f23567.dat

AWF::
c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system\bak\hpsysdrv.DAT
c:\program files\QuickTime\bak\qttask.exe

------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

 

by: johnb6767, posted on 2009-04-14 at 11:42:43, ID: 24141202

I'll let rpggamergirl handle the scripting and be lazy....   :)

My original post was answered in your CF logfile......

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe

Still, you need to make sure that the current "c:\windows\system32\userinit.exe" is legit, signed by MS and around 21-24kb in size. If the infection actually copied an infected one to the DLLCache, then it will fool windows into thinking it is restoring a backup of a corrupted file.....

 

by: rpggamergirl, posted on 2009-04-16 at 00:44:03, ID: 24155240

The userinit.exe from the DLLCache should be okay because Combofix will only replace a patched userinit.exe IF it finds a clean replacement.

If it doesn't find a clean copy, it has a built-in safety check and will modify the registry loading point from userinit to point to explorer.exe

As far as I know... if CF can't find a clean replacement.... we should see these entries(below) in the CF log.

c:\windows\system32\userinit.exe . . . is infected!!

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

dgrrr, I suggest you download the latest version of Combofix.
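The two Winlogon values rpggamergirl refers to can be read straight from the registry. The script below is an added example for this thread, not ComboFix's code and not anything posted by the participants; it assumes Windows PowerShell 2.0 or later on the affected machine and that %SystemRoot% is the Windows directory. It compares the Userinit and Shell values with their stock XP settings, recognises the explorer.exe fallback described above, and checks that every program the values name actually exists on disk:

```powershell
# Added example, not code from the thread. Reads the Winlogon load points and
# flags anything that differs from the stock values. Assumes Windows PowerShell
# 2.0 or later and that %SystemRoot% is the installed Windows directory.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$values = Get-ItemProperty -Path $winlogonKey

# Stock values on XP; the trailing comma on Userinit is normal.
$stock = @{
    Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
    Shell    = 'explorer.exe'
}

foreach ($name in 'Userinit', 'Shell') {
    $actual = $values.$name
    if ($actual -eq $null) {
        Write-Warning "$name is missing from $winlogonKey"
        continue
    }

    if ($actual -ieq $stock[$name]) {
        "{0,-9}= {1}   (stock value)" -f $name, $actual
    }
    elseif ($name -eq 'Userinit' -and $actual -imatch 'explorer\.exe') {
        # The ComboFix fallback described in the post above: userinit.exe could
        # not be restored, so Winlogon was pointed at explorer.exe directly.
        "{0,-9}= {1}   (ComboFix fallback - userinit.exe still needs a clean copy)" -f $name, $actual
    }
    else {
        "{0,-9}= {1}   (CHECK: differs from stock value '{2}')" -f $name, $actual, $stock[$name]
    }

    # Every comma-separated entry should exist on disk; an extra entry that
    # does not belong here is a classic persistence point worth investigating.
    foreach ($entry in ($actual -split ',' | Where-Object { $_.Trim() })) {
        $p = $entry.Trim()
        if ($p -notmatch '\\') { $p = Join-Path $env:SystemRoot $p }   # bare names resolve under %SystemRoot%
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "$name refers to $p, which does not exist"
        }
    }
}
```

Run it from an administrator prompt on the affected machine; a Userinit value that reads `c:\windows\explorer.exe,` is the fallback rpggamergirl describes, and any extra comma-separated program is something to look at before assuming the machine is clean.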

 

by: johnb6767, posted on 2009-04-16 at 11:53:43, ID: 24161222

Thanks for that... You know me, I just don't like Automated script deleting files, and restoring as well, without having a good set of HUMAN eyes on it.....

I'd be curious to see how it determines a userinit.exe is clean, by version, hash etc?

 

by: younghv, posted on 2009-04-16 at 13:47:15, ID: 24162409

<<Ill let rpggamergirl handle the scripting and be lazy....   :)>>

I'll let her handle it - to make sure it is done right!
LOL!
That stuff is way over my head.

 

by: dgrrr, posted on 2009-06-03 at 13:18:00, ID: 24540843

OK, sorry for the long delay. I am going back to the client today because they have another infection.

will try the above & get back to you!

 

by: younghv, posted on 2009-06-03 at 17:27:29, ID: 24542644

dgrrr,
You cannot simply walk away from an open question for several weeks and then expect everyone to automatically try to help when you finally decide to return.
Good luck with your problem, but I am unsubscribing.

 

by: dgrrr, posted on 2009-06-03 at 20:51:33, ID: 24543430

Um, I'm not sure what you mean by "automatically"... I was unable to give you any more info because the user did not send me the updated log files as asked.

Anyway, I've just done a bunch of work and will post it below - and anyone who can give me advice on how the infection came or if it's gone, I will appreciate it.

I don't expect responses immediately, I just hope they come before the next time this guy gets another infection.

 

by: dgrrr, posted on 2009-06-03 at 21:06:55, ID: 24543503

Got to computer, had a bunch of windows showing infection by
Antivirus System Pro
also ie6 redirected to this

had to rename all mbam & combofix executables to get them to work initially.

I couldn't do much til I did a new mbam quick scan. then had room to move.
Did a hjt scan
then Did the first combofix scan

rebooted to safe mode, did
sdfix

rebooted, did second combofix scan
WITH THE CFSCRIPT.TXT item mentioned above

then did mbam quick scan again
then another hjt log

NOTE - would have done mbam full scans, but was concerned about customer expense

for same reason, instructing user to do
- updated spybot &
- updated avg scans
- go to
        windowsupdate.microsoft.com/
        http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
        & update ie6 and all other updates
        because he's not got xp sp3 yet or ie7
- also use mozilla firefox 3.0.10 instead of ie


There should be 2 posts after this - the first one contains the BEFORE set of logs, the latter, the AFTER set of logs. But they were done in the order described above.

 

by: dgrrr, posted on 2009-06-03 at 21:13:47, ID: 24543534

On second thought, here's the logs - I have numbered them and named them to go in order and be clear as to how they happened.

 

by: dgrrr, posted on 2009-06-03 at 21:15:37, ID: 24543538

Whoops. Here are ALL the files. (disregard the log above)

 

by: dgrrr, posted on 2009-06-04 at 14:29:40, ID: 24551614

PS - All files (mbam installer, combofix, sdfix) were all new (downloaded the same day). Also when I left I had the user do FULL mbam scans in addition to the spybot & avg scans, and doing all microsoft updates. (XP sp3 and internet explorer updates were the next in the queue)

 

by: dgrrr, posted on 2009-06-04 at 14:47:15, ID: 24551732

WARNING!
Forgive me guys - I screwed up the order of the attached files above. Also one came from a previous visit. I double checked and am reuploading now.  Sorry for the confusion.

Also, I forgot to add in my notes that I did replace userinit with a copy from my own xp machine.

 

by: rpggamergirl, posted on 2009-06-04 at 21:57:59, ID: 24553471

I'm with younghv, we can't leave a question open for longer than 3 weeks as it will be considered abandoned.


<<<" and anyone who can give me advice on how the infection came or if it's gone, I will appreciate it.">>>

The system had a vundo file infector which is now gone based on those logs.
The logs look clean.

But that system has a version of java (j2re1.4.2_09) that is prone to all kinds of infection, especially vundo infection, so until the user updates his java to the later or latest version the system is very vulnerable to infection. With vundo, the system could get reinfected straightaway while using that version.

Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click "Remove".

Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
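Before walking through Add/Remove Programs by hand it helps to know exactly which Java runtimes are registered. The script below is an added example for this thread, not something posted by the participants; it assumes Windows PowerShell 2.0 or later and reads the same Uninstall registry entries that Add/Remove Programs displays, listing every Java entry (the old builds use display names such as "Java 2 Runtime Environment, SE v1.4.2_09" and "J2SE Runtime Environment 5.0") and warning when more than one is installed:

```powershell
# Added example, not code from the thread. Lists every Java runtime registered
# in Add/Remove Programs so old builds such as j2re1.4.2_09 can be found and
# removed. Assumes Windows PowerShell 2.0 or later; the Wow6432Node key only
# exists on 64-bit Windows and is skipped when absent.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$javaEntries = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -and $_.DisplayName -match '^(Java|J2SE)' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Location = $_.InstallLocation
                KeyName  = $_.PSChildName      # the uninstall key, useful when removing by hand
            }
        }
}

if (-not $javaEntries) {
    "No Java runtime is registered in Add/Remove Programs."
} else {
    $javaEntries | Sort-Object Version | Format-Table Name, Version, Location -AutoSize
    if (@($javaEntries).Count -gt 1) {
        Write-Warning ("{0} Java runtimes are installed; remove every one except the newest, then update it." -f @($javaEntries).Count)
    }
}

# The version the JRE installer has registered as current (what java.exe launches).
$jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $jreKey) {
    "Current default JRE: {0}" -f (Get-ItemProperty -Path $jreKey).CurrentVersion
}
```

Run it before and after the removal step above: the "after" run should show a single entry, and its version should match what the java.com download installed. Leaving an old runtime alongside a new one keeps the old, vulnerable version available to anything that asks for it.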

 

by: rpggamergirl, posted on 2009-06-04 at 22:07:38, ID: 24553496

<<<"I'd be curious to see how it determines a userinit.exe is clean, by version, hash etc?">>>

Sorry, must've missed the alerts on posts before.
Your guess is as good as mine... I'd say the filesize, hash and other factors are among the ones that determine if userinit is infected.

 

by: dgrrr, posted on 2009-06-09 at 14:59:52, ID: 24586277

rpggamergirl, I forwarded that info about java to the user, thanks, and I will research vundo & how it operates.

FYI the user sent me the following email about AVG finding infections after multiple scans. I'm assuming I can disregard the tracking cookies, right? But what about the HP patches files, do they look innocent to you? Also, the user said in a separate email that the HP patches files had no option to be cleaned or moved, and that AVG was sometimes giving the msg: MOVED OBJECT IS BIGGER THAN THE ARCHIVE SIZE LIMIT, which I researched here at experts exchange, and told user to manually delete the files - but you can see the result below)

_________________________
(FROM THE USER:)
These are the warnings that come up when running the AVG scan.

C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite";"Found Tracking cookie.Realmedia";"Healed"

"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"


These are the infections which seem to be growing in number. (And which don't show the option to clean or heal)

"D:\I386\drv\APP07399\App07399.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\I386\drv\APP07399\App07399.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"


When I try to locate the specific file to delete it, it keeps changing the location of where it is.  One minute it's located under D:\hp\  and other times it's under C:\hp\patches\51WW1ITG.  Or this one D:\I386\.  Not sure which ones are safe to delete as it says that it's a recovery file for the computer.
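AVG's result lines have a fixed shape, `"path";"detection";"action"`, and a path written as `container:\inner` means AVG found the detection inside an archive, installer or stream rather than as a loose file. The script below is an added example for this thread, not the user's or AVG's output tooling; the sample lines are copied from the e-mail quoted above, and it assumes Windows PowerShell 2.0 or later. It separates the tracking-cookie entries from the trojan detections and groups the latter by container, which turns the six "growing" lines into the three installer packages they actually come from (each package is reported twice: once for the package and once for the igfxcfg.exe inside it):

```powershell
# Added example, not code from the thread. Parses AVG's "path";"detection";"action"
# result lines, separates tracking-cookie hits from trojan detections and
# collapses archive-internal hits onto their container file. Assumes Windows
# PowerShell 2.0 or later. Sample lines copied from the post above.

$avgLog = @'
C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite";"Found Tracking cookie.Realmedia";"Healed"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\whgq281f.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"D:\I386\drv\APP07399\App07399.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\I386\drv\APP07399\App07399.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"D:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe:\hp\tmp\src\igfxcfg.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
"C:\hp\patches\51WW1ITG\Intel_Video_B6_6_14_10_3889_ALL_ALL_WW-01.exe";"Trojan horse BackDoor.Generic11.TDY";"Infected"
'@

function ConvertFrom-AvgLine([string]$Line) {
    $fields = $Line.Trim() -split '";"'
    if ($fields.Count -lt 3) { return $null }
    $path = $fields[0].TrimStart('"')          # first line of the sample lacks its opening quote
    # container:\inner  ->  AVG looked inside an archive, installer or stream
    $m = [regex]::Match($path, '^(?<container>[A-Za-z]:\\[^:]*?)(?::\\(?<inner>.+))?$')
    $container = $path; $inner = ''
    if ($m.Success) {
        $container = $m.Groups['container'].Value
        if ($m.Groups['inner'].Success) { $inner = $m.Groups['inner'].Value }
    }
    $detection = $fields[1]
    $kind = 'other'
    if ($detection -like 'Found Tracking cookie*') { $kind = 'tracking cookie' }
    elseif ($detection -like 'Trojan horse*')      { $kind = 'trojan' }
    New-Object PSObject -Property @{
        Container = $container; Inner = $inner; Detection = $detection
        Action = $fields[2].TrimEnd('"'); Kind = $kind
    }
}

$hits = $avgLog -split "`n" | Where-Object { $_.Trim() } |
        ForEach-Object { ConvertFrom-AvgLine $_ } | Where-Object { $_ }

"Tracking cookies (browser data, not executable code): {0}" -f @($hits | Where-Object { $_.Kind -eq 'tracking cookie' }).Count
""
"Trojan detections by container file:"
$hits | Where-Object { $_.Kind -eq 'trojan' } | Group-Object Container | ForEach-Object {
    "  {0}" -f $_.Name
    foreach ($h in $_.Group) {
        $where = if ($h.Inner) { 'inside ' + $h.Inner } else { 'the file itself' }
        "      {0,-28} {1}  [{2}]" -f $where, $h.Detection, $h.Action
    }
    # Size and timestamp are what you compare against a fresh copy of the same
    # package from the vendor before deciding whether the on-disk copy is genuine.
    if (Test-Path -LiteralPath $_.Name) {
        $f = Get-Item -LiteralPath $_.Name
        "      on disk: {0} bytes, modified {1}" -f $f.Length, $f.LastWriteTime
    } else {
        "      (not present on this machine)"
    }
}
```

On the real machine, replace the here-string with the contents of AVG's exported results (or pipe `Get-Content` of the export into `ConvertFrom-AvgLine`). Grouping by container is the useful part: the user sees the location "changing" because the same detection is reported for two copies of the same package on C: and D: plus a third package, and each is listed twice.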




 

by: johnb6767, posted on 2009-06-19 at 12:53:49, ID: 24669442

Almost sounds like Virut, which is a polymorphic file infector... Fun one to play with, finally got one in my hands and it was a DOOZIE, especially doing removals by hand......

<<<"I'd be curious to see how it determines a userinit.exe is clean, by version, hash etc?">>>

Go by the Signature, and the Date Modified. It should be 24-26kb in size, and with a date probably pre 2004 (2006 for sp3 I believe...)

If it is unsigned, then you are assured it is viral, no more questions....

HP Patches are usually in the form of an sp999999.exe format..... Plus if it is a valid patch, they can be downloaded again from hp.com

Also...

"D:\I386\drv\APP07399\App07399.exe"

There shouldn't be an i386\DRV folder, if legit it would be "D:\I386\drW\APP07399\App07399.exe"
1 letter off......

Personally, I am not a fan of MBAM. I am a SuperAntiSpyware.com guy, as Mbam has been too unreliable (yes there are occasions where it finds more...). That's the problem with malware scanners. They are only as good as their updates..... No single scanner finds everything...... Even had Combofix totally skip a rootkit once.... It happens... Still a great tool though....

I'll look at the logs as well, see if I can spot anything....


 

by: johnb6767, posted on 2009-06-19 at 12:54:45, ID: 24669449

Also.....

RootRepeal - RootRepeal - Rootkit Detector
http://rootrepeal.googlepages.com/

Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner.....

 

by: johnb6767, posted on 2009-06-19 at 12:56:18, ID: 24669462

Go ahead and try Autoruns as well, and save an export of the scan as a .arn file, and upload it here please.....

http://live.sysinternals.com/autoruns.exe

 

by: johnb6767, posted on 2009-06-19 at 12:57:31, ID: 24669471

Oh, and one last thing....

Talking about legit System files like userinit.exe....

Also, check svchost.exe, explorer.exe, logonui.exe and winlogon.exe, as those are some of the main ones that get targeted for infection.....
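The checks johnb6767 describes across his posts (signature, size, date modified, and whether the dllcache copy is trustworthy) can be gathered in one pass for the files he lists. The script below is an added example for this thread, not code from any participant or tool mentioned; it assumes Windows PowerShell 2.0 or later and the standard %SystemRoot%\system32 layout. One caveat on reading its output: Get-AuthenticodeSignature checks the file's embedded Authenticode signature, and on older PowerShell versions Windows binaries that are signed only through a catalog can show NotSigned, so read the status together with the size, date and hash rather than on its own. The SHA-256 column is there so the value can be compared with a copy taken from a known-clean machine, which addresses the concern above that an infected dllcache copy would "restore" itself:

```powershell
# Added example, not code from the thread. Reports signature status, size,
# timestamp, SHA-256 and dllcache agreement for the system files the posts
# above name as common infection targets. Assumes Windows PowerShell 2.0 or
# later and the standard %SystemRoot%\system32 layout.

$targets  = 'userinit.exe', 'svchost.exe', 'explorer.exe', 'logonui.exe', 'winlogon.exe'
$system32 = Join-Path $env:SystemRoot 'system32'
$dllcache = Join-Path $system32 'dllcache'

function Get-Sha256([string]$Path) {
    # .NET hashing keeps this usable on PowerShell 2.0, which has no Get-FileHash
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

$report = foreach ($name in $targets) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path is missing"
        continue
    }
    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $signer = 'none'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Agreement with dllcache only proves both copies are identical. As noted
    # above, an infected dllcache copy would also "match", so the SHA-256 is
    # what you compare against a copy from a known-clean machine.
    $cachePath = Join-Path $dllcache $name
    $cacheNote = 'no dllcache copy'
    if (Test-Path -LiteralPath $cachePath) {
        if ((Get-Sha256 $path) -eq (Get-Sha256 $cachePath)) { $cacheNote = 'same as dllcache' }
        else { $cacheNote = 'DIFFERS from dllcache' }
    }

    New-Object PSObject -Property @{
        File      = $name
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer    = $signer
        SizeKB    = [math]::Round($file.Length / 1KB, 1)
        Modified  = $file.LastWriteTime
        DllCache  = $cacheNote
        Sha256    = Get-Sha256 $path
    }
}

$report | Format-Table File, Signature, SizeKB, Modified, DllCache -AutoSize
$report | Format-List File, Signer, Sha256
$report | Where-Object { $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning ("{0}: signature status {1} - verify by hand" -f $_.File, $_.Signature) }
```

Run it from an administrator prompt, then compare the SizeKB and Modified columns for userinit.exe with the figures given in this thread, and the SHA-256 values with the same files on a clean XP machine at the same service pack. A "DIFFERS from dllcache" result on any of these files means the two copies cannot both be right and the known-clean comparison decides which one to keep.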

 

by: rpggamergirl, posted on 2009-06-25 at 19:21:26, ID: 24717611

To check for the file infector Virut, try DrWebCureIt, and if it does find Virut we can also run other Virut scanners.
http://www.freedrweb.com/


Sality is also another file infector similar to virut, you can check for that as well.
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889



 

by: dgrrr, posted on 2009-06-25 at 21:53:27, ID: 24718061

Thanks, you guys.
