ahmaden, posted May 12, 2015:
Hi, I'm using ESET Smart Security 7 with the latest update. I encountered this problem just now: ESET quarantined everything in the SYSTEM32 and SYSWOW64 folders. On the other hand I found this problem too: for example, when I click on some file, picture etc. I get the following errors: "The parameter is incorrect" and "Server execution failed". ESET even quarantined some legitimate files like svchost.exe, and even some other files that are needed for Windows to boot up. Any suggestion for my situation?
Marcos (Administrator), posted May 12, 2015:
It sounds like system files got infected with a virus. Please post complete recent records from your threat log for a better understanding of what was detected.
ahmaden, posted May 12, 2015:
Where can I find the threat log? You mean in Tools > Log files? I see around 100 legitimate files detected by the real-time and startup scanners (all of them located in system32). Can you please help me by remote desktop or TeamViewer?
Marcos (Administrator), posted May 12, 2015:
> You mean in Tools > Log files? I see around 100 legitimate files detected by the real-time and startup scanners (all of them located in system32).

Right. Select the recent records, then select Copy from the right-click context menu and paste the records here.
ahmaden, posted May 12, 2015:
I can't paste them in here; I get an error saying "post too long".
ahmaden, posted May 12, 2015:
I pasted it on pastebin: hxxp://www.pastebin.ca/3001833
ahmaden, posted May 12, 2015:
I exported it to an .xml file: 12.5.2015.xml
Marcos (Administrator), posted May 12, 2015:
My assumption is that you had your computer protected with Malwarebytes and the system got infected with Virut. After you had installed ESET, it started to detect attempts to re-infect system executables by mbam.exe:

5/12/2015 3:55:12 PM Real-time file system protection file C:\WINDOWS\SYSTEM32\WKSPRT.EXE Win32/Virut.NBP virus cleaned - quarantined Event occurred on a file modified by the application: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

I'd suggest creating a rescue Live CD (ISO downloadable from ESET's website) and using it to clean your system completely.
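The reasoning in Marcos' post comes straight from the log record: the "Event occurred on a file modified by the application" trailer names the process that wrote the infected bytes, which is how mbam.exe was singled out as the re-infecting process. The script below is an added example (not ESET code and not part of this thread's original posts) that parses records in the space-joined form in which they appear when copied from the log window, then tallies actions, affected directories and writer processes. The sample records are constructed to mirror the ones quoted in this thread and are not a real export; the regex is tailored to that shape (one "file" object per line, a "Family/Name"-style threat name) and would need widening for other record types.

```python
"""Summarise ESET threat-log records of the kind quoted in this thread.

Added example, not ESET's own tooling.  Assumes the space-joined record
layout seen when records are copied from the log window:
  <time> <scanner> file <path> <threat> <type> <action> [Event occurred on
  a file modified by the application: <writer path>]
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample records modelled on the ones pasted in the thread (not a real export).
SAMPLE_LOG = r"""
5/12/2015 3:55:12 PM Real-time file system protection file C:\WINDOWS\SYSTEM32\WKSPRT.EXE Win32/Virut.NBP virus cleaned - quarantined Event occurred on a file modified by the application: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
5/12/2015 3:55:14 PM Real-time file system protection file C:\WINDOWS\SYSTEM32\SVCHOST.EXE Win32/Virut.NBP virus cleaned - quarantined Event occurred on a file modified by the application: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
5/12/2015 7:25:56 PM Startup scanner file C:\Windows\system32\cmd.exe Win32/Virut.NBP virus cleaned - quarantined
5/12/2015 7:25:55 PM Startup scanner file C:\Windows\system32\rundll32.exe Win32/Virut.NBP virus cleaned - quarantined
5/12/2015 7:25:50 PM Startup scanner file C:\Windows\SysWOW64\dllhost.exe Win32/Virut.NBP virus cleaned - quarantined
5/12/2015 7:26:01 PM Startup scanner file C:\Users\me\Downloads\setup.exe Win32/Virut.NBP virus cleaned by deleting - quarantined
"""

# The path must start with a drive letter so that a scanner name containing the
# word "file" ("Real-time file system protection") is not split in the wrong place.
RECORD = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<scanner>.+?) file "
    r"(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>\S+/\S+) (?P<kind>\w+) "
    r"(?P<action>.+?)"
    r"(?: Event occurred on a file modified by the application: (?P<writer>.+))?$"
)


def parse_line(line):
    """Parse one record; return a dict or None if the line does not match."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dir"] = str(PureWindowsPath(rec["path"]).parent).lower()
    return rec


def parse_log(text):
    """Parse every matching line of a pasted log; blank or foreign lines are dropped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Counts by action, by directory and by writing process, plus the files
    that were disinfected in place (an action starting with 'cleaned' but not
    'cleaned by deleting' leaves the repaired file on disk)."""
    return {
        "total": len(records),
        "by_action": Counter(r["action"] for r in records),
        "by_dir": Counter(r["dir"] for r in records),
        "writers": Counter(r["writer"] for r in records if r["writer"]),
        "still_in_place": [
            r["path"] for r in records
            if r["action"].startswith("cleaned") and "deleting" not in r["action"]
        ],
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key in ("by_action", "by_dir", "writers"):
        print(key)
        for name, n in summary[key].most_common():
            print(f"  {n:4}  {name}")
    print(f"{len(summary['still_in_place'])} of {summary['total']} files remain on disk, cleaned")
```

Run against a real paste, the "writers" counter is the first thing to look at: a single legitimate-looking process writing Virut bodies into many system executables is itself infected, and the "still_in_place" list answers the later question in this thread about whether a "cleaned - quarantined" file has been taken away.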
ahmaden, posted May 13, 2015:
No, I've been using ESET for more than a year along with Malwarebytes. ARE YOU sure this file wksprt.exe is the one that infected my system? Now I can't boot into Windows; I get an error saying 'logon process initialization failure'. I tried to boot in safe mode but got the same error.
Maniac, posted May 13, 2015:
Hello ahmaden,
These answers from Marcos are based on the log file that you provided above. According to ESET Smart Security, Win32/Virut.NBP is in an advanced stage; it has managed to reach a number of important system files and damage them, which has led to many problems with both the stability and performance of your system. For example, here are some of them:

5/12/2015 7:25:56 PM Startup scanner file C:\Windows\system32\cmd.exe Win32/Virut.NBP virus cleaned - quarantined
5/12/2015 7:25:56 PM Startup scanner file C:\Windows\system32\SystemPropertiesPerformance.exe Win32/Virut.NBP virus cleaned - quarantined
5/12/2015 7:25:55 PM Startup scanner file C:\Windows\system32\rundll32.exe Win32/Virut.NBP virus cleaned - quarantined
5/12/2015 7:25:50 PM Startup scanner file C:\Windows\system32\dllhost.exe Win32/Virut.NBP virus cleaned - quarantined

What is specific to this virus, apart from being a file infector, is that it is polymorphic. This makes it extremely difficult to clean. You have two options:
1. You could try to clean your system with ESET SysRescue Live, as Marcos already recommended.
2. You could reformat your system.
About the first option, it is important to know that there is no guarantee that all traces of Virut will be removed, as it may not find all the remnants. About the second option, reformat your system following these instructions. It is possible to make a backup of your information, but skip these file types to prevent re-infection of the system: .exe, .scr, .htm, .php, .asp. More information about this threat: Win32/Virut.NBP. If you have any further questions, feel free to ask in this thread.
ahmaden, posted May 13, 2015:
Hi Maniac, thanks for your post. I'm scanning my PC with ESET SysRescue Live, but as I mentioned above I can't boot into my OS, since I get the error 'logon process initialization failure' during Windows boot. It's because ESET quarantined too many files from the SYSTEM32 folder. Can I restore them from quarantine (considering I can't boot into the OS)? I tried safe mode but got the same error. Is there a way to restore files that ESET quarantined without logging in? If there is no way, how can I recover the system32 files? (Please don't recommend a new OS installation.) I heard there's a method called 'sfc' (System File Checker); will it help?
ahmaden, posted May 13, 2015:
ESET SysRescue found 1184 files in windows/system32, windows/winsxs/ and windows/syswow64 and quarantined them. Scan log: hxxp://pastebin.ca/3002335
ahmaden, posted May 13, 2015:
Can I find out which one is the main malware that caused all these system files to be infected?
Maniac, posted May 13, 2015:
> Can I find out which one is the main malware that caused all these system files to be infected?

I'm afraid that it's quite difficult to identify. According to your log file, your system is very seriously infected. I recommend you go with the second option. You can make a backup of the data to save photos, videos and documents using a Linux LiveCD or USB. You could create one of them from a clean system.
https://help.ubuntu.com/community/LiveCD
hxxp://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows
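Maniac's two backup posts above (skip .exe, .scr, .htm, .php and .asp; copy the data from a clean live system) can be turned into a small filter. The script below is an added example, not ESET's or the forum's own tooling. It applies that exclusion list (with .html added as a generalisation of .htm) and also refuses any file whose first two bytes are the DOS/PE "MZ" signature, so an executable that has been renamed to a harmless-looking extension is not carried over either. The source and destination paths are placeholders supplied on the command line; with no arguments it runs over a constructed sample tree so the logic can be checked offline.

```python
"""Copy user data off an infected disk, skipping the file types Virut infects.

Added example, not part of ESET or of this thread's original posts.  Typical use
from a Linux live system with the infected disk mounted (paths are placeholders):

    python3 backup_filter.py /mnt/infected/Users/me /media/backup/me
"""
import os
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Exclusion list from the post above, plus .html as an added generalisation of .htm.
SKIP_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".php", ".asp"}
PE_MAGIC = b"MZ"   # DOS/PE header signature; an infector target whatever the name


def is_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' header, whatever its extension says."""
    try:
        with path.open("rb") as f:
            return f.read(2) == PE_MAGIC
    except OSError:
        return False


def should_skip(path: Path) -> Optional[str]:
    """Return why a file must not be copied, or None if it passes both checks."""
    ext = path.suffix.lower()
    if ext in SKIP_EXTENSIONS:
        return f"extension {ext} is on the skip list"
    if is_pe(path):
        return "PE 'MZ' header found despite a harmless-looking extension"
    return None


def backup(src: Path, dst: Path) -> Dict[str, object]:
    """Copy src into dst; return sorted copied paths and a {path: reason} map of skips."""
    copied, skipped = [], {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            p = Path(root, name)
            rel = p.relative_to(src).as_posix()
            reason = should_skip(p)
            if reason:
                skipped[rel] = reason
                continue
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            copied.append(rel)
    return {"copied": sorted(copied), "skipped": skipped}


def run_demo() -> Dict[str, object]:
    """Build a constructed sample profile in a temp dir and run backup() over it."""
    samples = {                                        # constructed contents, not real files
        "doc.txt": b"quarterly notes",
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF",          # JPEG magic, not PE
        "sub/notes.docx": b"PK\x03\x04",               # zip container, not PE
        "app.exe": b"MZ\x90\x00",                      # skipped by extension
        "index.htm": b"<html></html>",                 # skipped by extension
        "renamed.dat": b"MZ\x90\x00" + b"\x00" * 60,   # skipped by magic only
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "dst")
        for rel, data in samples.items():
            f = src / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        return backup(src, dst)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = backup(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        result = run_demo()
    for rel, why in sorted(result["skipped"].items()):
        print(f"skipped {rel}: {why}")
    print(f"copied {len(result['copied'])} files")
```

The magic-byte check is the part the extension list alone does not give you: Virut is a file infector, so the danger is any PE image, and the extension is only a hint about which files are PE images.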
Marcos (Administrator), posted May 13, 2015:
According to the log from the LiveCD, all infected files have been cleaned and should be functional. Please refer to hxxp://www.techsupportforum.com/forums/f217/solved-logon-process-initialization-failure-713457.html for some hints on how to fix the error.
ahmaden, posted May 13, 2015:
Marcos, the scan log says the files were quarantined: "cleaned - quarantined". So I think that means all 1184 files were moved from the system drive to the quarantine folder, so how can they function properly?!
Marcos (Administrator), posted May 13, 2015:
> Marcos, the scan log says the files were quarantined: "cleaned - quarantined". So I think that means all 1184 files were moved from the system drive to the quarantine folder, so how can they function properly?!

Nope. Legitimate files were infected with Virut, which is a file infector (virus). ESET cleaned the virus from these files, and the original infected copy was put into quarantine, where malicious files are stored in a safe form so that you could restore them at a later time, if needed for whatever reason.
ahmaden, posted May 13, 2015:
> Marcos, the scan log says the files were quarantined: "cleaned - quarantined". So I think that means all 1184 files were moved from the system drive to the quarantine folder, so how can they function properly?!
>
> Nope. Legitimate files were infected with Virut, which is a file infector (virus). ESET cleaned the virus from these files, and the original infected copy was put into quarantine, where malicious files are stored in a safe form so that you could restore them at a later time, if needed for whatever reason.

OMG! I tried to restore all files from quarantine; then a message appeared saying "the file already exists, replace?" I pressed yes, then the same message showed for the next file, then I pressed yes again a couple of times, and since I can't do it for 1184 files, at some point I got exhausted and exited SysRescue... and now I'm reading your post... So what shall I do? Scan again?
Marcos (Administrator), posted May 13, 2015:
And why are you restoring infected files, overwriting those that ESET has already cleaned?
ahmaden, posted May 13, 2015:
> And why are you restoring infected files, overwriting those that ESET has already cleaned?

Because I did that before reading your post. I thought ESET would move the file to quarantine entirely; I didn't know that only the infected copy goes to quarantine and the cleaned file remains in its place... Don't laugh at me please: when my OS was working properly and I was in ESET Smart Security, when I saw ESET quarantine important files in system32 such as svchost.exe, I restored them! However, I tried the SysRescue scan again and ~20 files were cleaned again, and I tried to boot into the OS but got the same error.
ahmaden, posted May 16, 2015:
I installed a new OS. Please tell me how to block the IRC protocol in the ESET Smart Security firewall. The description says: hxxp://www.virusradar.com/en/Win32_Virut.NBP/description 'The virus connects to the IRC network. It can be controlled remotely.' So how can I identify which application in the ESET rules is using the IRC protocol?
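The question above asks how to tell which application is talking IRC. One practical caveat a practitioner would add: a bot that connects to an IRC network does not have to use port 6667, so a firewall rule keyed on the port alone can miss it, and the reliable signal is the protocol itself (an IRC client registers with NICK and USER, then JOINs channels and sends PRIVMSG). The script below is an added example, not ESET code, and does not describe how the ESET firewall classifies protocols; it checks the first bytes a connection sends for that command pattern. All payloads are constructed samples, not captures, and pairing the verdict with a process name would need per-connection data from the host (not shown here).

```python
"""Spot IRC client traffic by content rather than by port.

Added example, not ESET code.  Feed it the first bytes a process sends on a
new TCP connection; it reports whether they look like an IRC client session.
"""
from typing import Dict, List

# Verbs an IRC client sends.  Server replies (numeric codes, PING) are left out on
# purpose: the side that initiates registration is the one to identify.
IRC_CLIENT_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PRIVMSG", "MODE", "PONG"}


def irc_commands(payload: bytes) -> List[str]:
    """Return the IRC client verbs found at the start of lines in payload."""
    found = []
    for raw in payload.split(b"\n"):
        line = raw.rstrip(b"\r").strip()
        if not line:
            continue
        if line.startswith(b":"):               # optional ":prefix " before the verb
            _, _, line = line.partition(b" ")
        verb = line.split(b" ", 1)[0]
        try:
            verb_text = verb.decode("ascii")
        except UnicodeDecodeError:
            continue
        if verb_text in IRC_CLIENT_COMMANDS:
            found.append(verb_text)
    return found


def looks_like_irc(payload: bytes) -> bool:
    """Registration needs NICK and USER together; later chatter shows JOIN with PRIVMSG.

    Requiring a pair keeps FTP ('USER x' / 'PASS y') and ordinary text from
    matching on a single shared verb."""
    seen = set(irc_commands(payload))
    return {"NICK", "USER"} <= seen or {"JOIN", "PRIVMSG"} <= seen


# Constructed samples: what the first bytes of each kind of connection might look like.
SAMPLES: Dict[str, bytes] = {
    "bot_on_port_80": b"NICK bot12345\r\nUSER bot 8 * :bot\r\nJOIN #chan secret\r\n",
    "chatter_only": b"PRIVMSG #chan :hello\r\nJOIN #other\r\n",
    "http_get": b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n",
    "ftp_login": b"USER anonymous\r\nPASS guest@\r\n",
    "smtp": b"EHLO mail.example.com\r\nMAIL FROM:<a@example.com>\r\n",
}


def classify(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Verdict per sample name: True when the payload looks like an IRC client."""
    return {name: looks_like_irc(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:16} IRC={verdict}")
```

The FTP sample is the edge case worth keeping: it shares the USER and PASS verbs with IRC, so a single-verb match would flag every FTP login, while the NICK+USER pairing does not.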