10 minutes after startup I checked Avast real time shields and checked wininit.ini. Inside c:\windows\wininit.ini is…
[Rename]
NUL=C:\DOCUMEN~1\user name\LOCALS~1\TEMP\BETTER~1.EXE
…I did not find anything about this. Is this an infection?
After startup I also checked my task manager in Cmd but also Ctrl+Alt+Del, and netview and CCleaner.
File created and modified same time April 26, 2012 at 11:21pm.
Another file in c:\windows called jf3.ini…
[JF3_Info]
Install Directory=C:\JF3
Platinum=Yes
…Sorry for my worries, it is just that this is my computer for work until I buy new replacement.
If you suspect infection, follow this guide: http://forum.avast.com/index.php?topic=53253.0
The executable is part of transponder adware malcode. This is a browser hijacker that came via an ActiveX download.
Follow the steps proposed by Pondus and wait for the assistance of a qualified malware removal expert,
polonus
When I look in the named folder inside the ini, it is empty. And the ini has not been modified or changed since April 26, 2012. Also I boot mode scanned with avast, malwarebytes, spybot s&d, ms malware removal tool and ms safety scan. All clean.
Is there still reason to think I am still infected?
I do not see any .exe in the file written inside the .ini
Is there still a problem, because I did have adware toolbars 1 or 2 years ago, but I cleaned those 1 or 2 years ago.
Should I post a HijackThis log?
No, we have a better tool in the guide I gave you above.
Run OTL and attach the log
Scanned and then pressed delete button and reboot with adwcleaner. Now starting OTL scan. Here is log after deletion…
***** [Services] *****
***** [Files / Folders] *****
Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Program Files\AGI
***** [Registry] *****
Key Deleted : HKCU\Software\AGI
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{0BC6E3FA-78EF-4886-842C-5A1258C4455A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{0BC6E3FA-78EF-4886-842C-5A1258C4455A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{0BC6E3FA-78EF-4886-842C-5A1258C4455A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\Software\AGI
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{0BC6E3FA-78EF-4886-842C-5A1258C4455A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\I Want This
Key Deleted : HKLM\Software\Tarma Installer
***** [Internet Browsers] *****
-\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.
AdwCleaner[R1].txt - [2278 octets] - [20/02/2013 18:06:28]
AdwCleaner[S1].txt - [2093 octets] - [20/02/2013 18:07:30]
########## EOF - C:\AdwCleaner[S1].txt - [2153 octets] ##########
Here are OTL.txt and Extras.txt. And aswMBR.txt.
Should I click “run fix” for OTL?
Also, should I click FIXMBR after finish scan?
Also, should I do this in boot mode or normal mode?
Roguekiller “Delete” and “Shortcut Fix” logs, and Farbar Service Scanner “Scan” log.
Also, why in hosts does it show obviously infected or pornographic sites with my internal IP number? Is it part of spybot s&D’s immunization?
I see they deleted remains of adware toolbars that my laptop had before 1 or 2 years ago before I cleaned them. But wininit.ini is still showing…
[Rename]
NUL=C:\DOCUMEN~1\user name\LOCALS~1\TEMP\BETTER~1.EXE
I just now finished Malwarebytes quick scan and SpybotS&D scan and immunization. Spybot showed no threats, but did show traces and logs that I could delete, for the first time ever I chose yes. Now the wininit.ini is changed showing only…
[Rename]
nul=c:\tempjunk6354.tmp
c:\tempjunk6354.tmp=C:\WINDOWS\SchedLgU.Txt
I restarted the computer. Now a COMMAND.COM window quickly appears and disappears at startup. Though I think this is from Spybot deleting files at startup. But the tempjunk is always there now. Why is wininit.ini not empty? I did everything on the virus topic thread.
Now when I startup, it shows…
[Rename]
nul=c:\tempjunk3081.tmp
c:\tempjunk6354.tmp=C:\WINDOWS\SchedLgU.txt
c:\tempjunk3081.tmp=C:\WINDOWS\SchedLgU.txt
My main question is why the writing in wininit.ini changed?
And why is wininit.ini always there?
If it helps, when I click schedlgu.txt it writes about started “task scheduler service” and “avast emergency update.job”.
Should I click "run fix" for OTL?
Maybe later..... the removal specialist has to create a fix to run first. ;) Something he will do after checking the log.
Also, should I click FIXMBR after finish scan?
No..... the removal specialist has to check the log to see if there is any need for it first.
See my above about the wininit.ini change writing. Curious any ideas what it could be? Maybe FP?
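The [Rename] entries quoted in this thread can be read mechanically. The following is an added example, not part of any post above: it assumes the Windows 9x wininit.ini convention, where each line is destination=source and a destination of NUL queues the source file for deletion at the next boot. The names parse_rename_section and needs_review are hypothetical, and the sample lines are copied from the posts.

```python
import re
from typing import NamedTuple, Optional

# Entries copied from the posts in this thread (not a complete wininit.ini).
SAMPLE = r"""
[Rename]
NUL=C:\DOCUMEN~1\user name\LOCALS~1\TEMP\BETTER~1.EXE
nul=c:\tempjunk3081.tmp
c:\tempjunk6354.tmp=C:\WINDOWS\SchedLgU.txt
c:\tempjunk3081.tmp=C:\WINDOWS\SchedLgU.txt
"""

EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".sys")
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)

class PendingOp(NamedTuple):
    action: str          # "delete" or "rename"
    source: str          # file acted on at the next boot
    dest: Optional[str]  # new name; None for a delete
    hints: tuple         # triage hints, not verdicts

def parse_rename_section(text: str) -> list:
    """Read [Rename] line by line. configparser is unsuitable here because
    the key NUL may repeat, once per file queued for deletion."""
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, source = (part.strip() for part in line.split("=", 1))
        hints = []
        if source.lower().endswith(EXEC_EXT):
            hints.append("executable")
        if TEMP_DIR.search(source):
            hints.append("temp-dir")
        is_delete = dest.lower() == "nul"
        ops.append(PendingOp("delete" if is_delete else "rename", source,
                             None if is_delete else dest, tuple(hints)))
    return ops

def needs_review(ops):
    """Operations touching an executable: confirm whether the file exists."""
    return [op for op in ops if "executable" in op.hints]
```

On the thread's entries only the BETTER~1.EXE line is returned by needs_review; the tempjunk lines parse as renames of SchedLgU.txt and a delete of a .tmp file.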