
Got a virus the other day. Sometimes my desktop will load, but most of the time I get the

Data Execution Prevention

To help protect your computer, Windows has closed this program.

Name: Userinit Logon Application

Publisher: Microsoft Corporation

error. I was looking through the forums and thought I should post my logs. If more info is required, let me know. Thanks <_<

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.34
Database version: 1785
Windows 5.1.2600 Service Pack 2

2009-02-21 12:30:22
mbam-log-2009-02-21 (12-30-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 128609
Time elapsed: 13 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 40

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\restore (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Windows Live\.cache\83e7ac141c972e6\dotnetfx.exe (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hogxfa.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hs78344kjkfd.dll.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\klpoihwl.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJDuvWN.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tpszxyd.sys.vir (Worm.Refpron) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjvopkmlh.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\udxfytw.sys.vir (Worm.Refpron) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\protect.sys.vir (Trojan.NtRootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0010139.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011151.dll (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011155.sys (Worm.Refpron) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011156.sys (Worm.Refpron) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011167.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011170.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011171.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011219.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0013217.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0014225.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0015225.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP64\A0016225.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP64\A0017225.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\ServicePackFiles\i386\wextract.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\wextract.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> No action taken.
C:\WINDOWS\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\windres.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Mustard\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN1.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\nxtepad.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\services.ex_ (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\system32\drivers\restore.sys (Rootkit.Agent) -> No action taken.

-------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34, on 2009-02-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN1.tmp
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netsh.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netsh.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)

--
End of file - 1824 bytes


  • Root Admin

Who had you run Combofix? If someone is assisting you then you should remain working with that Helper.

If you ran Combofix on your own, then that was not very smart. It's quite possible for CF to remove your entire System32 folder and really damage the system. Many HELPERS will not assist you if you've run this tool on your own. For any others reading this post DO NOT run Combofix on your own.

It only takes a short while to sign up and post asking for someone to help you instead of taking the chance of making things worse for your system.

Please let me know your status and I'll see if I can help you if no one else is.


Sorry, it was my own decision before seeking help. I didn't understand how big of a problem it could have caused.

On the other hand, I did some further research and found I was dealing with Virut. Apparently there is very low chance of removing Virut, so I've decided to reformat.

I apologize for wasting your time and good luck.
