[SOLVED]OTL Logs review request.

My laptop was being used massively lately by some guests around the house and avast has blocked a few things over the web in this period… though I have a Default Deny HIPS running and MBAM Pro… I would love to get my logs analyzed by essexboy… since he is qualified and knows better than my head ;D

I know this laptop is clean… but anyway… ;D

Attaching my OTL logs for a review… Please tell me your opinions :slight_smile:

Thanks!

Hi true indian,

You know the drill, now wait for the qualified removal expert to lead you through the removal routines,

polonus

You need to have this checked out: PRC - [2009/07/14 06:44:46 | 000,115,200 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE, as it is not normally a global root file.

Could you run aswMBR

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Hi essexboy.

ComboFix replaced userinit.exe… for some reason. I uploaded the file userinit.exe quarantined by ComboFix to virustotal.com:
https://www.virustotal.com/file/538fe1012fedc72727a8de0c2c01944b3d35c29812ecef88e95aac07235e0b0b/analysis/

First seen by VirusTotal
2011-02-20 17:55:12 UTC ( 1 year, 6 months ago )

It looks like a false detection of an updated version of this system file by CF… doesn't it?

This system stays on top of Windows updates and software updates… ;D

PC performance is running fast and swift as usual…

Here is the aswMBR log… I normally blue screen when running it with the AV scan… so I disabled the AV scan option this time…

Kinda weird… the 2 userinit.exe files have the same MD5:

[2010/11/20 17:47:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe <<-- ComboFix deemed this as malware
[2010/11/20 17:47:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe <<-- file used as replacement also has the same MD5 as the one removed by CF.

Is this a false detection from CF??

EDIT: File is confirmed as an FP by SUBs from the MBAM forum… it has been reported.
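The hash comparison in the post above can be done in a reproducible way, and extended with the checks a responder would actually want (file size and timestamp, SHA-256 alongside MD5, version info, and the Authenticode signature state). The script below is an added example written for this thread; it is not from the original poster, from essexboy, or from any of the tools discussed. It assumes PowerShell 4.0 or later (for Get-FileHash) and uses the two paths quoted in the post; the WinSxS directory name is build-specific and is an assumption taken from the thread, so adjust it for your own machine.

```powershell
# Added example (not from the thread). Compares a live system binary with its
# WinSxS component-store copy and records signature state, so a "same MD5"
# observation is backed by more than one hash and one tool's verdict.
# Paths are the ones quoted in the thread (assumed; build-specific).
$live  = 'C:\Windows\System32\userinit.exe'
$store = 'C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe'

function Get-FileFingerprint {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $item   = Get-Item -LiteralPath $Path
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Note: many Windows system binaries are catalog-signed rather than
    # embedded-signed; older PowerShell builds report those as NotSigned,
    # so treat NotSigned as "verify with another tool", not as malicious.
    [pscustomobject]@{
        Path      = $Path
        Size      = $item.Length
        Modified  = $item.LastWriteTimeUtc
        Version   = $item.VersionInfo.FileVersion
        MD5       = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = $signer
    }
}

$a = Get-FileFingerprint -Path $live
$b = Get-FileFingerprint -Path $store
$a, $b | Format-List

if ($a.SHA256 -eq $b.SHA256) {
    Write-Host 'System32 copy is byte-identical to the component-store copy.'
} else {
    Write-Warning 'System32 copy differs from the component store; compare versions and consider running sfc /scannow.'
}

if ($a.SigStatus -ne 'Valid') {
    Write-Warning "Signature state for ${live} is $($a.SigStatus); confirm with a catalog-aware tool (e.g. Sysinternals sigcheck)."
}
```

On Vista and later the file in System32 is normally a hard link to the copy in the WinSxS component store, so identical hashes for the two paths are the expected state, not a sign that something was tampered with. What would merit attention is a mismatch between the two, a version that does not correspond to an installed update, or a signature that fails to verify.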

ComboFix looks at more than the MD5; it also looks at additions to the main system files. I have not yet come across a bad detection.

But now looks good

SUBs said he had the exact same file on his VM and CF didn't detect it… Would it be alright to uninstall CF now?? I guess this system cannot be trusted anymore, or what??

Yes, uninstall CF. I can see no reason from what was on the system that would cause a loss of trust.

Alright! Glad I came and got my system analyzed… Good to know this system remains clean. :slight_smile:

Thanks heaps for the help! :wink: