
rundll32.exe fails to initialise properly / userinit.exe fails to initialise properly



Hi,

Recently, my computer was discovered to have a Trojan.Vundo infestation. I ran the Malwarebytes program and it found most of it (a later scan, detailed underneath, found some remaining elements of the Trojan).

However, after running the program my version of Windows (XP) is unstable and in some cases unusable.

Upon login, the message "userinit.exe failed to initialise properly" appears and causes the system to hang. I have to manually open Task Manager and run "explorer.exe" to enable the computer to run.

When opening any Windows-based program (System Restore, for example), I get the message "Rundll32.exe failed to initialise". I believe the file may have been corrupted or changed by the virus/Malwarebytes program.

I would welcome any assistance you can provide. If you need any more information, please give me a call.

SCAN 1:

Malwarebytes' Anti-Malware 1.23

Database version: 985

Windows 5.1.2600 Service Pack 2

7:56:57 AM 29/07/2008

mbam-log-7-29-2008 (07-56-57).txt

Scan type: Quick Scan

Objects scanned: 53996

Time elapsed: 17 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 9

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\hgGyYPgf.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\hixipbfk.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\tuvVNHww.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{020e521a-9153-46ef-9d9b-842d66a07857} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{020e521a-9153-46ef-9d9b-842d66a07857} (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a8c43087-ac23-4c6d-91e5-d49d744f6e02} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvvnhww (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a8c43087-ac23-4c6d-91e5-d49d744f6e02} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggyypgf -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggyypgf -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\hgGyYPgf.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\fgPYyGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fgPYyGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hixipbfk.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\kfbpixih.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Aaron 3\Local Settings\Temporary Internet Files\Content.IE5\O5DLNU3C\kb456456[1] (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\wineij32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tuvVNHww.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\qoMgddAT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

SCAN 2:

Malwarebytes' Anti-Malware 1.23

Database version: 1006

Windows 5.1.2600 Service Pack 2

9:08:53 PM 29/07/2008

mbam-log-7-29-2008 (21-08-53).txt

Scan type: Quick Scan

Objects scanned: 17804

Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 5

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\hgGyYPgf.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\wnqugtrg.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\tuvVNHww.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4444f899-d67f-4150-b3ef-de86c6d2613d} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{4444f899-d67f-4150-b3ef-de86c6d2613d} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a8c43087-ac23-4c6d-91e5-d49d744f6e02} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a8c43087-ac23-4c6d-91e5-d49d744f6e02} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvvnhww (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b496013f (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a8c43087-ac23-4c6d-91e5-d49d744f6e02} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggyypgf -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggyypgf -> Delete on reboot.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\hgGyYPgf.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\fgPYyGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fgPYyGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wnqugtrg.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\grtguqnw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tuvVNHww.dll (Trojan.Vundo) -> Delete on reboot.

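The two logs above list where this Vundo sample persisted (LSA Notification and Authentication Packages, a Winlogon Notify package, Browser Helper Object and ShellExecuteHooks CLSIDs, a Run value) and which items MBAM could only schedule for deletion at reboot. The following Python script is an added example, not part of the original post and not Malwarebytes' own tooling: it parses lines in this log format, tags each detection with its persistence mechanism and the process that loads it, lists the entries still pending reboot, and diffs the two scans to show which items were reported again in the second scan. The log lines embedded in it are a subset copied from the two scans above; the mechanism-to-process labels are general Windows knowledge supplied by the example, not something the log states.

```python
"""Triage Malwarebytes' Anti-Malware 1.x log lines by persistence mechanism.

Added example, not part of the original post.  The log lines below are a
subset copied from SCAN 1 and SCAN 2 above.  The mechanism -> loading-process
labels are general Windows knowledge assumed by this example, not stated in
the log.
"""
import re
from collections import Counter

# Subset of the SCAN 1 (database 985) detection lines.
SCAN1 = r"""
C:\WINDOWS\system32\hgGyYPgf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tuvVNHww.dll (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvvnhww (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggyypgf -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{020e521a-9153-46ef-9d9b-842d66a07857} (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qoMgddAT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# Subset of the SCAN 2 (database 1006) detection lines, run after the reboot.
SCAN2 = r"""
C:\WINDOWS\system32\hgGyYPgf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wnqugtrg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tuvVNHww.dll (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvvnhww (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b496013f (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggyypgf -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggyypgf -> Delete on reboot.
"""

# Log line shape: "<target> (<threat>)[ -> Data: <data>] -> <action>."
LINE_RE = re.compile(
    r"^(?P<target>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> Data: (?P<data>.+?))?"
    r" -> (?P<action>Quarantined and deleted successfully|Delete on reboot)\.$"
)

# Ordered list; the first matching pattern wins.  Labels are this example's
# assumption about which process loads each location, not log content.
MECHANISMS = [
    (r"\\Control\\LSA\\(?:Notification|Authentication) Packages$",
     "LSA package: DLL loaded by lsass.exe at boot"),
    (r"\\Winlogon\\Notify\\",
     "Winlogon notify package: DLL loaded by winlogon.exe at logon"),
    (r"\\Explorer\\Browser Helper Objects\\",
     "Browser Helper Object: DLL loaded by Internet Explorer / explorer.exe"),
    (r"\\Explorer\\ShellExecuteHooks\\",
     "ShellExecute hook: DLL loaded by explorer.exe"),
    (r"\\CurrentVersion\\Run\\",
     "Run value: program started at logon"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\",
     "COM class registration backing a BHO or hook"),
    (r"\.dll$", "module on disk"),
]


def parse_log(text):
    """Return one dict (target, threat, data, action) per detection line.

    Header, count and "(No malicious items detected)" lines do not match
    LINE_RE and are skipped, so the whole log file can be fed in unchanged.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(target):
    """Label a registry path or file path with its persistence mechanism."""
    for pattern, label in MECHANISMS:
        if re.search(pattern, target, re.IGNORECASE):
            return label
    return "other"


def pending_reboot(entries):
    """Targets MBAM could not remove while the system was running.

    A DLL mapped into lsass.exe or winlogon.exe cannot be deleted live, so
    these are the items to verify after the reboot.
    """
    return [e["target"] for e in entries if e["action"] == "Delete on reboot"]


def redetected(first, second):
    """Targets reported by both scans: the earlier cleanup did not stick."""
    seen = {e["target"].lower() for e in first}
    return sorted({e["target"] for e in second if e["target"].lower() in seen})


def report(first_text, second_text):
    first, second = parse_log(first_text), parse_log(second_text)
    print("Scan 1 by mechanism:")
    for label, n in Counter(classify(e["target"]) for e in first).most_common():
        print(f"  {n:2d}  {label}")
    print("\nPending reboot after scan 1:")
    for t in pending_reboot(first):
        print("  " + t)
    print("\nStill present in scan 2:")
    for t in redetected(first, second):
        print(f"  {t}  [{classify(t)}]")


if __name__ == "__main__":
    report(SCAN1, SCAN2)
```

On these subsets the script reports hgGyYPgf.dll, tuvVNHww.dll, the Winlogon Notify entry and the LSA Notification Packages entry as present in both scans, which is the same question the helper asks in the reply below: whether the "Delete on reboot" items were actually removed by a reboot.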

Hi azza14, and welcome to Malwarebytes. Are you rebooting to remove, like it says in the log? Please follow the instructions here and we will see what's going on.

Hi. Yes, I am rebooting on completion of the scan, but I did not run PandaScan or HJT. I will complete these two other steps and post the logs as required. Thanks.


Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
