userinit logon application


  • This topic is locked
6 replies to this topic

#1 mustardgas

Posted 21 February 2009 - 03:01 PM

DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Mustard at 14:54:20.09 on 2009-02-21
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1661 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe C:\WINDOWS\TEMP\VRT7.tmp
C:\WINDOWS\system32\i386kd.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mustard\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\temp\init.exe
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\mustard\reader_s.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [services] c:\windows\services.exe
dRun: [reader_s] c:\documents and settings\mustard\reader_s.exe
mExplorerRun: [services] c:\windows\services.exe
dExplorerRun: [services] c:\windows\services.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mustard\applic~1\mozilla\firefox\profiles\ihc812xb.default\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-2-21 18944]
S1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
S1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
S3 cpuz130;cpuz130;\??\c:\docume~1\mustard\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\mustard\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-02-21 14:28 14 a------- c:\windows\system32\Partizan.RRI
2009-02-21 14:28 42,497 a------- c:\windows\services.exe
2009-02-21 14:28 64,000 a------- c:\windows\system32\i386kd.exe
2009-02-21 14:28 67,585 a------- c:\windows\system32\D.tmp
2009-02-21 14:28 25,601 a------- c:\windows\system32\C.tmp
2009-02-21 14:28 168 a------- c:\windows\system32\B.tmp
2009-02-21 14:25 2 a--shrot c:\windows\winstart.bat
2009-02-21 14:25 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-02-21 14:23 64,000 a------- c:\windows\system32\c++.exe
2009-02-21 14:23 67,585 a------- c:\windows\system32\A.tmp
2009-02-21 14:23 25,601 a------- c:\windows\system32\9.tmp
2009-02-21 14:23 168 a------- c:\windows\system32\8.tmp
2009-02-21 14:22 64,000 a------- c:\windows\system32\makehm.exe
2009-02-21 14:20 15,841 a------- c:\windows\system32\7.tmp
2009-02-21 14:20 168 a------- c:\windows\system32\3.tmp
2009-02-21 14:16 64,000 a------- c:\windows\system32\idaw64.exe
2009-02-21 13:54 <DIR> --d----- C:\RootRepeal
2009-02-21 13:49 30,208 a------- c:\documents and settings\mustard\reader_s.exe
2009-02-21 13:49 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-02-21 13:49 64,000 a------- c:\windows\system32\codeblocks.exe
2009-02-21 13:27 47,104 a------- c:\windows\system32\reader_s.exe
2009-02-21 13:27 41,473 a------- c:\windows\services.ex_
2009-02-21 13:26 64,000 a------- c:\windows\system32\deviceemulator.exe
2009-02-21 13:26 67,585 a------- c:\windows\system32\6.tmp
2009-02-21 13:26 24,577 a------- c:\windows\system32\5.tmp
2009-02-21 13:26 168 a------- c:\windows\system32\4.tmp
2009-02-21 11:29 <DIR> --d----- C:\lllllllll
2009-02-20 20:27 <DIR> --d----- c:\docume~1\mustard\applic~1\SUPERAntiSpyware.com
2009-02-20 20:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-20 20:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-20 20:22 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-20 19:42 <DIR> --d----- c:\docume~1\mustard\applic~1\Malwarebytes
2009-02-20 18:29 179,712 a------- c:\windows\SWREG.exe
2009-02-20 18:29 115,712 a------- c:\windows\sed.exe
2009-02-20 18:11 208 a------- c:\windows\system32\10.tmp
2009-02-20 17:06 <DIR> --d----- c:\program files\Trend Micro
2009-02-20 17:03 8,704 a------- c:\windows\system32\sporder.dll
2009-02-20 16:52 6 a------- c:\windows\_id.dat
2009-02-20 16:52 128 a------- c:\windows\adobe.bat
2009-02-20 16:51 <DIR> --d----- c:\documents and settings\mustard\WINDOWS
2009-02-20 16:20 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-20 16:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-20 16:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 16:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 16:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 16:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-20 15:58 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-02-20 15:57 43,520 a------- c:\windows\system32\grcrt2.exe
2009-02-20 15:57 40,960 a------- c:\windows\system32\grcrt.dll
2009-02-20 15:57 676,352 a------- c:\windows\system32\rtl60.bpl
2009-02-20 15:56 344,064 a------- c:\windows\callsysnt.exe
2009-02-20 15:56 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-02-20 15:56 <DIR> --d----- c:\windows\system32\inf
2009-02-19 23:33 <DIR> --d----- c:\windows\system32\appmgmt
2009-02-19 23:19 <DIR> --d----- c:\program files\VstPlugins
2009-02-19 23:19 <DIR> --d----- c:\program files\Toontrack
2009-02-19 17:16 <DIR> --d----- c:\docume~1\mustard\applic~1\Acoustica
2009-02-19 17:15 34,308 a------- c:\windows\system32\Chip.dll
2009-02-19 17:15 22,004 a------- c:\windows\system32\Pvt.tmp
2009-02-19 16:56 57,344 a------- c:\windows\system32\Wnaspint.dll
2009-02-19 16:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Acoustica
2009-02-19 16:50 348,160 a------- c:\windows\system32\msvcr71.dll
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-02 17:11 <DIR> --d----- c:\docume~1\mustard\applic~1\OpenOffice.org
2009-02-02 17:06 <DIR> --d----- c:\program files\JRE
2009-02-02 17:06 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-02-01 18:10 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{DE097E60-7F86-4350-B083-1F09B6906C92}

==================== Find3M ====================

2009-02-21 13:48 90,112 a------- c:\windows\DUMP371d.tmp
2009-02-21 12:34 64,000 a------- c:\windows\system32\regwiz.exe
2009-02-21 11:28 90,112 a------- c:\windows\DUMP3ba1.tmp
2009-02-20 20:25 90,112 a------- c:\windows\DUMP3d66.tmp
2009-02-20 18:05 90,112 a------- c:\windows\DUMP43b0.tmp
2009-02-20 15:58 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-01-24 12:52 34 a------- c:\documents and settings\mustard\jagex_runescape_preferences.dat
2009-01-22 23:13 138,624 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-22 23:13 222,832 a------- c:\windows\system32\PnkBstrB.exe
2009-01-10 16:42 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-01-10 01:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-09 21:57 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-09 19:13 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-10 19:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 19:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 21:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 21:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 21:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 21:28 57,344 a------- c:\windows\system32\dpv11.dll

============= FINISH: 14:54:24.54 ===============
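The Userinit hijack in the report above (the extra c:\windows\temp\init.exe entry after the stock userinit.exe) is the sort of thing a responder picks out by eye. As an added example, not part of the original post and not something the DDS tool does, the Python below runs the same checks over the Pseudo HJT Report lines: any Userinit entry other than the stock c:\windows\system32\userinit.exe, any autorun target living in a temp directory, any core system binary name (services.exe and friends) found outside system32, and any executable dropped straight into a user profile root. The sample input is copied from the report above; the path heuristics and the list of system32-only names are this example's own assumptions, not DDS rules.

```python
"""Scan DDS "Pseudo HJT Report" lines for Winlogon/autorun hijacks.

Added example, not from the forum post or from the DDS tool. The heuristics
below (stock Userinit path, system32-only binary names, temp/profile-root
locations) are assumptions of this example, not DDS rules.
"""
import re

# Constructed sample: lines copied from the report above.
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\temp\init.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\mustard\reader_s.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [services] c:\windows\services.exe
"""

# The only legitimate Userinit entry on a stock Windows XP install.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# Core binaries that live only in system32; the same name anywhere else
# (c:\windows\services.exe above) is a masquerade.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "userinit.exe", "smss.exe"}

RUN_LINE = re.compile(r"^(?P<key>[umd](?:Explorer)?Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First .exe token in a command line, with or without surrounding quotes.
EXE_IN_CMD = re.compile(r'"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)
# An executable sitting directly in a user profile root, e.g.
# c:\documents and settings\<user>\reader_s.exe
PROFILE_ROOT = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$")


def check_userinit(value):
    """Return every comma-separated Userinit entry that is not the stock one.

    Winlogon runs each entry at every interactive logon, so an appended
    path is executed as the user on every session start.
    """
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e != STOCK_USERINIT]


def executable_of(cmd):
    """Extract the (lower-cased) executable from a Run command line."""
    m = EXE_IN_CMD.match(cmd)
    return m.group("exe").lower() if m else None


def reasons_for(path):
    """Why an autorun target looks suspicious; empty list if it looks fine."""
    reasons = []
    directory, _, base = path.rpartition("\\")
    if "\\temp\\" in path:
        reasons.append("runs from a temp directory")
    if base in SYSTEM32_ONLY and directory != r"c:\windows\system32":
        reasons.append(f"{base} outside system32 (masquerading as a system binary)")
    if PROFILE_ROOT.match(path):
        reasons.append("executable dropped directly in a user profile root")
    return reasons


def scan_report(text):
    """Return (key, name, target, reasons) for each suspicious report line."""
    findings = []
    for line in text.splitlines():
        if line.lower().startswith("mwinlogon: userinit="):
            for extra in check_userinit(line.split("=", 1)[1]):
                findings.append(("mWinlogon", "Userinit", extra,
                                 ["extra Userinit entry (runs at every logon)"]))
            continue
        m = RUN_LINE.match(line)
        if not m:
            continue
        target = executable_of(m.group("cmd"))
        if target is None:
            continue
        reasons = reasons_for(target)
        if reasons:
            findings.append((m.group("key"), m.group("name"), target, reasons))
    return findings


if __name__ == "__main__":
    for key, name, target, reasons in scan_report(SAMPLE_REPORT):
        print(f"{key}: [{name}] {target}  <-  {'; '.join(reasons)}")
```

Run against the sample it flags exactly the three lines a responder would circle: the appended Userinit path, reader_s.exe in the profile root, and services.exe in c:\windows instead of system32. The copy of reader_s.exe in system32 passes these checks, which is the usual limit of path heuristics: they catch the placement mistakes, not a well-placed dropper.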


#2 miekiemoes

  • Malware Response Team
Posted 21 February 2009 - 07:05 PM

Hi,

I have bad news for you.

I see you're dealing with Virut (or a variant). In that case it's unfortunately a lost cause, a game-over situation, and a format and reinstall is the fastest and, especially, the safest solution.

You may want to read this why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and restore them afterwards, they will infect your computer again.


Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
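The backup advice above can be turned into a script. As an added example, not from the post and not a BleepingComputer tool, the Python below copies a directory tree while refusing the listed extensions, and additionally refuses any file whose content begins with the PE "MZ" signature regardless of its name. That second check is this example's own addition: an extension filter alone lets an executable that has been renamed to .jpg or .doc ride along into the backup. The sample file tree is constructed inline with fake contents.

```python
"""Copy user data off an infected machine, refusing file types a file
infector rewrites.

Added example, not from the forum post. The extension list follows the
advice above; the PE-header check is this example's own assumption, added
because a renamed executable would otherwise pass an extension-only filter.
"""
import os
import shutil
import tempfile

# File types the post says not to back up from a Virut-infected machine.
SKIP_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Every Windows PE image (exe, dll, scr, ...) starts with this signature.
PE_MAGIC = b"MZ"


def classify(path):
    """'copy', 'skip-extension' or 'skip-pe-header' for one file."""
    if os.path.splitext(path)[1].lower() in SKIP_EXTENSIONS:
        return "skip-extension"
    with open(path, "rb") as fh:
        if fh.read(len(PE_MAGIC)) == PE_MAGIC:
            return "skip-pe-header"
    return "copy"


def safe_backup(src_root, dst_root):
    """Copy the tree under src_root into dst_root, leaving out anything
    classify() rejects. Returns (copied, skipped); paths are relative to
    src_root with forward slashes, skipped entries carry their verdict."""
    copied, skipped = [], []
    for dirpath, _, files in os.walk(src_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src_root).replace(os.sep, "/")
            verdict = classify(full)
            if verdict == "copy":
                target = os.path.join(dst_root, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)
                copied.append(rel)
            else:
                skipped.append((rel, verdict))
    return sorted(copied), sorted(skipped)


def demo():
    """Run safe_backup over a constructed sample tree (contents are fake).

    The tree holds a document and a photo (kept), an .exe and an .html
    (dropped by extension) and a PE image renamed to .jpg (dropped by
    content). Returns (copied, skipped)."""
    src = tempfile.mkdtemp(prefix="victim_")
    dst = tempfile.mkdtemp(prefix="backup_")
    samples = {
        "docs/thesis.doc": b"\xd0\xcf\x11\xe0 fake word document",
        "pics/holiday.jpg": b"\xff\xd8\xff\xe0 fake jpeg",
        "setup.exe": b"MZ\x90\x00 fake pe image",
        "web/index.html": b"<html><body>fake page</body></html>",
        "pics/vacation.jpg": b"MZ\x90\x00 pe image renamed to look like a photo",
    }
    try:
        for rel, data in samples.items():
            full = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return safe_backup(src, dst)
    finally:
        shutil.rmtree(src, ignore_errors=True)
        shutil.rmtree(dst, ignore_errors=True)


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied :", copied)
    print("skipped:", skipped)
```

The content check only catches PE images; an infected .htm saved under a different extension still passes, so the backup should be scanned again from a clean machine before anything is restored.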

#3 mustardgas

  • Topic Starter

Posted 21 February 2009 - 10:37 PM

lol that sucks. Not the first time I've had to do this. Thanks for your time and the guidance. =)

#4 miekiemoes

  • Malware Response Team

Posted 22 February 2009 - 05:05 AM

Just make sure this won't happen again; so..

Please read my Prevention page with lots of info and tips how to prevent this in the future.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

#5 mustardgas

  • Topic Starter

Posted 22 February 2009 - 11:31 AM

It was kind of a fluke. I asked a friend to torrent a program for me, and out of all the 500mb files, he decided to go for the 1.5gb file which was a .rar

I will check out those pages you linked. Thanks again for all the help/advice.

#6 miekiemoes

  • Malware Response Team

Posted 22 February 2009 - 11:36 AM

You're most welcome.

Torrents, and P2P in general, are ALWAYS a risk. Especially since Virut is doing its rounds. For all the people who get infected with this one and have P2P software installed, all the files they are sharing will be infected as well. That explains why this one spreads so fast and why almost everyone who downloads via P2P programs gets infected with Virut.

#7 miekiemoes

  • Malware Response Team

Posted 24 February 2009 - 08:43 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



