Suspicious runtime errors; Frontpage client warnings (yet MBAM reports clean)


I'm going to attach pictures of everything I mention below to this message:

I have a user's machine which, upon logging in, shows this error, titled "Data Execution Prevention:"

--

To help protect your computer, Windows has closed this program.

Name: Microsoft FrontPage Server Administrator Client

Publisher: Microsoft Corporation

--

If you click Close Message, then you get a seemingly infinite amount of these types of errors:

--

A Runtime Error has occurred. Do you wish to debug?

Line: 14

Error: document.body is null or not an object

--

--

A Runtime Error has occurred. Do you wish to debug?

Line: 34

Error: Object required

--

As I tried to close these windows, I also got constant pop-ups to install Flash.

I scanned with MBAM and got several instances of Rogue.Multiple, Trojan.FakeAlert, Malware.Trace, and Disabled.Security. Symantec's quarantine had flagged AntivirusXP but I never saw such a window appear.

After removing the infections and rebooting, the behavior above remains the same, but MBAM is reporting a clean machine.

This machine was reformatted YESTERDAY and was in perfect working order, so I know the user's been to sites he shouldn't have (he's notorious for this). However, I don't know what to make of the FrontPage/runtime errors, as the machine functions normally once I can get to the desktop...it's not behaving like typical malware. Any ideas?

Brian


Please follow these instructions (skipping any steps you are unable to complete) for posting in our Malware Removal - HijackThis Logs forum. If you cannot follow any of those steps, then please create a new topic in that forum explaining what happened when you tried to run each of the tools in the instructions, and the expert who helps you will be able to suggest steps to take to get the tools working.


Hey Arthur,

Thanks for your reply. However, today I ran DrWebCureIt and it found an infected c:\windows\system32\userinit.exe. By booting into Safe Mode with Command Prompt and copying over a good userinit.exe from my PC, the machine booted clean as a whistle next time around.

I still have a copy of the infected userinit.exe (renamed userinit.bad). Does someone at MBAM want a copy of it? MBAM did NOT detect this infection.

Thanks,

Brian
