Jump to content

marsboy900

Members
 View Profile  See their activity

  • Posts

    1

  • Joined

  • Last visited

 Content Type 

Posts posted by marsboy900

    Found Hj.Name- userinit.exe PUM.Policies and PUM.DesktopIcons with rougue killer

    in Resolved Malware Removal Logs

    Posted

    Hy ,i've scanned  yesterday my computer  cause i had problems with the internet connection always falling ,scanned with avira and malwarebytes,spybot plus adwcleaner  tdss  killer  and found nothing ,i did a scan with combofix  too (didnt knew then i should wait for someone to ask me to use combofix  because i found out later  ,so i did it ) ,after i did a scan with rougue killer in safe mode and found the pum policies and pum desktop icons ,are they dangerous?To be more precise  i found some time ago pum dns too with rougue killer but since they are noted as pums and since my other antivirus and antimalware programs havent found anything i didnt worried about them but i keep getting them all the time

     

    Here is the Rk report of the first scan :

     

    RogueKiller V9.2.3.0 (x64) [Jul 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Safe mode with network support
    User : Laptopp [Admin rights]
    Mode : Scan -- Date : 07/21/2014  01:12:13

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 4 ¤¤¤
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3810790722-2108214571-1548943505-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3810790722-2108214571-1548943505-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000035f]) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: Hitachi HTS547550A9E384 ATA Device +++++
    --- User ---
    [MBR] 898bd0634d7edf5350965830762252a9
    [bSP] 530116f578351fadf0c81087e96517e4 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 66709 MB
    2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 136826880 | Size: 410130 MB
    User = LL1 ... OK
    User = LL2 ... OK


    ============================================
    RKreport_DEL_07012014_160519.log - RKreport_DEL_07012014_232542.log - RKreport_DEL_07032014_010434.log - RKreport_DEL_07032014_012049.log
    RKreport_DEL_07162014_223327.log - RKreport_DEL_07162014_230742.log - RKreport_SCN_07012014_160322.log - RKreport_SCN_07012014_231456.log
    RKreport_SCN_07032014_005641.log - RKreport_SCN_07032014_011145.log - RKreport_SCN_07032014_011642.log - RKreport_SCN_07162014_223100.log
    RKreport_SCN_07162014_230720.log

     

     

     

     

     

     

     

     

     

     

     

     

    Update 2: then i did another scan after a few hours with Rk in normal startup mode with avira's security settings like autorun block and host protection turned on and came up with this hj.name,userinit.exe marked red so i got scared :

     

     

     

     

    RogueKiller V9.2.3.0 (x64) [Jul 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Laptopp [Admin rights]
    Mode : Scan -- Date : 07/21/2014  04:37:43

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [Hj.Name] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit : userinit.exe,  -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3810790722-2108214571-1548943505-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3810790722-2108214571-1548943505-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 1 (Driver: LOADED) ¤¤¤
    [Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP1T0L0-1 : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\System32\DRIVERS\cmderd.sys)

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: Hitachi HTS547550A9E384 ATA Device +++++
    --- User ---
    [MBR] 898bd0634d7edf5350965830762252a9
    [bSP] 530116f578351fadf0c81087e96517e4 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 66709 MB
    2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 136826880 | Size: 410130 MB
    User = LL1 ... OK
    User = LL2 ... OK


    ============================================
    RKreport_DEL_07012014_160519.log - RKreport_DEL_07012014_232542.log - RKreport_DEL_07032014_010434.log - RKreport_DEL_07032014_012049.log
    RKreport_DEL_07162014_223327.log - RKreport_DEL_07162014_230742.log - RKreport_DEL_07212014_011304.log - RKreport_SCN_07012014_160322.log
    RKreport_SCN_07012014_231456.log - RKreport_SCN_07032014_005641.log - RKreport_SCN_07032014_011145.log - RKreport_SCN_07032014_011642.log
    RKreport_SCN_07162014_223100.log - RKreport_SCN_07162014_230720.log - RKreport_SCN_07212014_011213.log - RKreport_SCN_07212014_041927.log

     

     

     

    - I deleted the pums again but the hj.name couldnt be deleted because avira was protecting the host files so i unchecked the host protection and block autorun security functions in avira ,restarted ,scanned again with Rk and deleted the hj.name too   ,but on this second scan the atapi filter wasnt recognize as possible malware .So im thinking the filter could have been the avira block autorun  option?and was userinit.exe part of avira too   and a false positive or a virus ?  it was marked with red

    Here is the last report without the filter being detected    after i disabled avira security protection but with hj.name still there:

     

     

     

     

    RogueKiller V9.2.3.0 (x64) [Jul 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Laptopp [Admin rights]
    Mode : Scan -- Date : 07/21/2014  05:11:40

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 1 ¤¤¤
    [Hj.Name] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit : userinit.exe,  -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: Hitachi HTS547550A9E384 ATA Device +++++
    --- User ---
    [MBR] 898bd0634d7edf5350965830762252a9
    [bSP] 530116f578351fadf0c81087e96517e4 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 66709 MB
    2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 136826880 | Size: 410130 MB
    User = LL1 ... OK
    User = LL2 ... OK


    ============================================
    RKreport_DEL_07012014_160519.log - RKreport_DEL_07012014_232542.log - RKreport_DEL_07032014_010434.log - RKreport_DEL_07032014_012049.log
    RKreport_DEL_07162014_223327.log - RKreport_DEL_07162014_230742.log - RKreport_DEL_07212014_011304.log - RKreport_DEL_07212014_044312.log
    RKreport_DEL_07212014_045018.log - RKreport_DEL_07212014_050007.log - RKreport_SCN_07012014_160322.log - RKreport_SCN_07012014_231456.log
    RKreport_SCN_07032014_005641.log - RKreport_SCN_07032014_011145.log - RKreport_SCN_07032014_011642.log - RKreport_SCN_07162014_223100.log
    RKreport_SCN_07162014_230720.log - RKreport_SCN_07212014_011213.log - RKreport_SCN_07212014_041927.log - RKreport_SCN_07212014_043743.log
    RKreport_SCN_07212014_044348.log - RKreport_SCN_07212014_045004.log - RKreport_SCN_07212014_045952.log

     

     

     

     

     

     

     

     

     

     

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.