LookinAround
Hmmm.. I can tell you where I see issues and remnants of the infection. And I can tell you where I would look and what I would do if I were the one scrubbing my own system clean… But don’t know if that’s the best advice for you, as I don’t know how much experience you have prowling around the internals and judiciously creating backups and restore points to recover should you make a mistake (happens to even the most experienced)
So, consider submitting an HJT log again. The people trained to review them are also familiar with automated tools to fix the problems (i.e. they’re not as dangerous as manually going under the hood to fix everything). And are you sure you submitted an HJT log before? I see some entries that “scream” infection. I wouldn’t think the regular HJT reviewers could miss them.
All that said, here’s where I see problems and where I’d also go checking
- As I understand HJT logs, your win.ini file has been hacked. It contains instructions to load and run scvhost.exe. I’d scrub the win.ini file. And I’d also look at sys.ini just to be cautious.
- Scvhost has also been hacked into the Local Machine Group Policy so it's run at user logon (HKLM\..\Policies\Explorer\Run). I’m guessing it is ok to delete this single key but that is just my guess. Can’t say for certain.
- You have a hosts file entry that maps all requests for domain jessemerz.dynalias.com to IP 75.164.230.87. (It will always be mapped here and not by a Domain Name Server). Don’t know if this is a legit entry (but that domain isn’t resolved by DNS when I tried it. Maybe it is an old one you once registered?)
- I’d also scan the registry for any references to scvhost
- And check the Winlogon value for userinit.. I didn't see it in HJT after all.
- Not sure what you meant when you say you scanned for explorer.exe and found four identical references to C:/Windows/explorer.exe.. You checked the option to “Include non-indexed, hidden and system files” right? Did you mean the “Name” the search returned included the string explorer.exe (e.g. explorer.exe.lnk)? Could you copy/paste the four references?
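The checks LookinAround lists above, gathered into a read-only PowerShell audit (added here as an example; it is not part of the original post): it lists win.ini load=/run= lines, the Policies\Explorer\Run keys, the Winlogon Userinit value and hosts-file mappings, and marks any line that mentions "scvhost". It assumes default paths under %SystemRoot%, and the function name is my own.

```powershell
# Added example, not from the original post: read-only audit of the logon
# persistence points named in the thread. It reports; it deletes nothing.
# Assumes default paths under $env:SystemRoot. Function name is hypothetical.
function Get-LogonPersistenceFindings {
    param([string]$Indicator = 'scvhost')   # string named in the thread
    $findings = @()

    # 1. win.ini [windows] section: load= / run= lines start programs at logon
    $winIni = Join-Path $env:SystemRoot 'win.ini'
    if (Test-Path $winIni) {
        foreach ($line in (Get-Content $winIni)) {
            if ($line -match '^\s*(load|run)\s*=\s*\S') { $findings += "win.ini: $line" }
        }
    }

    # 2. Policies\Explorer\Run (machine and user): processed by Explorer at logon
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # skip the PSPath/PSParentPath/... bookkeeping properties
                if ($p.Name -notmatch '^PS') { $findings += "$key\$($p.Name) = $($p.Value)" }
            }
        }
    }

    # 3. Winlogon Userinit: the default is userinit.exe alone; anything appended is suspect
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($userinit) { $findings += "Winlogon\Userinit = $userinit" }

    # 4. hosts file: every IPv4 mapping here is answered locally, never by DNS
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hostsFile) {
        foreach ($line in (Get-Content $hostsFile)) {
            if ($line -match '^\s*\d{1,3}(\.\d{1,3}){3}\s+\S') { $findings += "hosts: $line" }
        }
    }

    # 5. Mark any finding that mentions the indicator; return everything for review
    foreach ($f in $findings) {
        if ($f -match [regex]::Escape($Indicator)) { "[!!] $f" } else { "[  ] $f" }
    }
}

Get-LogonPersistenceFindings | Write-Output
```

Run it from an elevated prompt so HKLM is readable; it does not search the whole registry for the string, so a full registry search for "scvhost" (as the post suggests) is still a separate step.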