mustardgas Posted February 21, 2009 (ID:58451)

Got a virus the other day. Sometimes my desktop will load, but most of the time I get the Data Execution Prevention error: "To help protect your computer, Windows has closed this program. Name: Userinit Logon Application. Publisher: Microsoft Corporation." I was looking through the forums and thought I should post my logs. If more info is required, let me know. Thanks

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.34
Database version: 1785
Windows 5.1.2600 Service Pack 2

2009-02-21 12:30:22
mbam-log-2009-02-21 (12-30-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 128609
Time elapsed: 13 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 40

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\restore (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Windows Live\.cache\83e7ac141c972e6\dotnetfx.exe (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hogxfa.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hs78344kjkfd.dll.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\klpoihwl.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJDuvWN.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tpszxyd.sys.vir (Worm.Refpron) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjvopkmlh.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\udxfytw.sys.vir (Worm.Refpron) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\protect.sys.vir (Trojan.NtRootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0010139.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011151.dll (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011155.sys (Worm.Refpron) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011156.sys (Worm.Refpron) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011167.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011170.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011171.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0011219.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0013217.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0014225.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP63\A0015225.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP64\A0016225.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{B924B97D-381C-4540-8DBB-31B75742FEBA}\RP64\A0017225.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\ServicePackFiles\i386\wextract.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\wextract.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> No action taken.
C:\WINDOWS\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\windres.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Mustard\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN1.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\nxtepad.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\services.ex_ (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\system32\drivers\restore.sys (Rootkit.Agent) -> No action taken.

-------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34, on 2009-02-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN1.tmp
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netsh.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netsh.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)

--
End of file - 1824 bytes
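The two logs in the post above share a simple line format, and a defender triaging them by hand would look for the same two things a script can: which detections were left in place ("No action taken") and which process paths look wrong for the binary name. The following Python is an added example, not part of mustardgas's post and not code from Malwarebytes or Trend Micro. It parses lines in the MBAM "<item> (<family>) -> <action>." format into records, summarizes them, and then checks a HijackThis "Running processes:" list against a short, hypothetical allowlist of where Windows XP system binaries normally live, so that an entry such as C:\WINDOWS\services.exe (outside System32) or a .tmp running from C:\WINDOWS\TEMP is flagged. The sample lines are constructed from the log above; the EXPECTED_DIR allowlist is an assumption made for the example and is not exhaustive.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines in the Malwarebytes' Anti-Malware
# log format ("<item> (<family>) -> <action>."), copied from the log above.
MBAM_SAMPLE = r"""
Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir (Trojan.Downloader) -> No action taken.
"""

# Constructed sample: a few entries from the HijackThis "Running processes:" list above.
HJT_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\services.exe",
    r"C:\WINDOWS\TEMP\BN1.tmp",
    r"C:\WINDOWS\System32\reader_s.exe",
]

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(text):
    """Turn MBAM detection lines into dicts, remembering which section each came from."""
    section, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            records.append({"section": section, **m.groupdict()})
    return records


def summarize(records):
    """Counts by family, how many detections were left in place, and rootkit-related items."""
    return {
        "total": len(records),
        "by_family": dict(Counter(r["family"] for r in records)),
        "unresolved": sum(1 for r in records if r["action"].lower().startswith("no action")),
        "rootkit_related": [r["item"] for r in records if "rootkit" in r["family"].lower()],
    }


# Hypothetical, deliberately short allowlist (an assumption for this example):
# the directory these Windows XP binaries legitimately run from, lower-cased.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}


def suspicious_processes(paths):
    """Flag system-binary names running from the wrong directory, and anything running from a temp path."""
    findings = []
    for path in paths:
        directory, _, name = path.rpartition("\\")
        d, n = directory.lower(), name.lower()
        if n in EXPECTED_DIR and d != EXPECTED_DIR[n]:
            findings.append((path, "system binary name outside " + EXPECTED_DIR[n]))
        elif d.endswith("\\temp") or n.endswith(".tmp"):
            findings.append((path, "executable running from a temp location"))
    return findings


if __name__ == "__main__":
    print(summarize(parse_mbam(MBAM_SAMPLE)))
    for path, reason in suspicious_processes(HJT_PROCESSES):
        print("SUSPICIOUS:", path, "-", reason)
```

Run as-is, the summary shows every sampled detection still unresolved and two rootkit-related items (the protect service key and protect.sys), and the process check flags C:\WINDOWS\services.exe and C:\WINDOWS\TEMP\BN1.tmp while leaving the legitimate System32 entries alone. The allowlist approach is intentionally conservative: a name it does not know (reader_s.exe) is not flagged by the location rule, so it complements rather than replaces the scanner's own verdicts.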
AdvancedSetup (Root Admin) Posted February 22, 2009 (ID:58600)

Who had you run Combofix? If someone is assisting you then you should remain working with that Helper.

If you ran Combofix on your own, then that was not very smart. It's quite possible for CF to remove your entire System32 folder and really damage the system. Many HELPERS will not assist you if you've run this tool on your own. For any others reading this post DO NOT run Combofix on your own. It only takes a short while to sign up and post asking for someone to help you instead of taking the chance of making things worse for your system.

Please let me know your status and I'll see if I can help you if no one else is.
mustardgas (Author) Posted February 22, 2009 (ID:58624)

Sorry, it was my own decision before seeking help. I didn't understand how big of a problem it could have caused. On the other hand, I did some further research and found I was dealing with Virut. Apparently there is a very low chance of removing Virut, so I've decided to reformat.

I apologize for wasting your time, and good luck.
AdvancedSetup (Root Admin) Posted February 22, 2009 (ID:58672)

No problem, thank you for the follow-up. I'll close the post now.

Good luck, and make sure you have up-to-date Anti-Virus on the new system build.