Help un-Hijack my browser

waddler_8

F2 - REG:system.ini: UserInit=userinit.exe,C:\Program Files (x86)\cpbcugbj\kvsofjka.exe,

highrisklowreturn wrote: »

I clicked fix selected item - on hijack this - on that particular thing, and it said problem fixed. But browser is still hijacking.

That entry may be an indicator of what is wrong rather than the actual cause.

Due to the random naming of the folder/file it's difficult at this stage for this to be anything but conjecture but mbam has detected similar entries - same load point, same location - as Spyware.Passwords.XGen, which can also be an indicator of the Ramnit virus.

From your previous topic linked to by closed:

Crucially I've lost a large amount of business records.

As above, the infections are capable of stealing data. Not an infection you want on a PC you have business dealings on - especially not for months on end.

highrisklowreturn

Nothing on malbytes




Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.26.09
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Adam :: ADAM-PC [administrator]
27/11/2012 10:02:58
mbam-log-2012-11-27 (10-02-58).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: Heuristics/Extra
Objects scanned: 39508
Time elapsed: 3 minute(s), 57 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

waddler_8

Download aswMBR and save it to your Desktop.

http://public.avast.com/~gmerek/aswMBR.exe

• Right click aswMBR.exe & choose "Run as Administrator" to run it.
• Click YES to the prompt to download Avast virus definitions
• When the virus definitions have downloaded, click the Scan button.
• Wait till the scan reports "Scan finished successfully"
• Click Save log & save the log to your desktop.
• Click OK
• Two files will be created, aswMBR.txt & a file named MBR.dat
• Click EXIT.
• Copy & Paste the contents of aswMBR.txt into your next reply.

Don't click to fix anything, just post the log

dogmaryxx

You could consider using Malwarebytes Anti-Rootkit (have used for a scan but not a clean) if you accept a slight risk as you have no backup.

Wait for waddler8 to comment.

waddler_8

It's a possibility, I used it to remove ZeroAccess yesterday (Though it is still BETA).

Lets see what aswMBR gives us.

highrisklowreturn

Can't use it - I downloaded it, only to find it crashes half way through searching.

waddler_8

aswMBR?


Download TDSSkiller from the link below and save it to your desktop

LINK

• Right click TDSSKiller.exe and choose "Run as Administrator" to run it.
• Allow any UAC prompt
• Click Change parameters
• Under Objects to scan check Loaded modules in addition to those already checked.
• Click Reboot now when prompted.
• After reboot when TDSSKiller has re-loaded, click Start scan and allow it to scan.

• If Malicious objects are detected, the default action will be Cure, ensure Cure is selected then click Continue
• If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue

• It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
• A log will be created at the root of your C: drive: TDSSKiller.Version_Date_Time_log.txt.:
• If no reboot is required, click on Report. A log file should appear.
• Post the contents in your next reply

Stesnees

I had the same problem a couple of months ago, I downloaded Hitman Pro free version and it shifted it straight away.
Worth a try.

highrisklowreturn

Downloaded tdskiller but it won't open, including when I attempt using it as admin...

waddler_8

highrisklowreturn wrote: »

Downloaded tdskiller but it won't open, including when I attempt using it as admin...

It would seem the infection is interfering with the tools that would detect/remove it - that's not uncommon. You have options but it depends how far you want to go.

It's always an option to reinstall/restore Windows - But, depending on the infection & type of restore this isn't always 100% successful but is in the vast majority of cases.

You can scan outside of the Windows OS using a linux based boot disk such as Kaspersky Rescue disk.

http://support.kaspersky.com/viruses/rescuedisk


Or we can obtain a diagnostic log outside of the Windows OS.

Download Farbar Recovery Scan Tool (FRST 64-bit version)from the link below and save it to a flash drive.

LINK

Plug the flashdrive into the infected PC.

Enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• • Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
    
    Select Command Prompt
    
    Once in the Command Prompt:
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type efrst64.exe and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Copy and paste it in your next reply.