Yesterday, while browsing online, an error message came up saying that norton has encountered an error and the computer must restart. so i restarted the computer and then when i opend up the internet, many popups came up (popups such as antivirus 2009 and ads to buy products) and i couldn't even navigate because the website would just change. there was also an icon of the red windows shield in the icon tray on the bottom right giving off notices that '___ virus has been encountered on your computer, click here to fix it", but i did NOT click there because i suspect it to be a component of antivirus 2009. also, there was a desktop shortcut about porn, and whenever i tried dragging it into the recycle bin, it kept on coming back. eventually, after 5 tries, it finally went away. i shut my laptop and fell asleep. then, the next day, using the home computer, i downloaded superantispyware and MBAM to a USB and then installed it on my computer, all while my internet was disconnected (i had disconnected it last night). superantispyware showed these following infections:
Trojan.Vundo-Variant/Packaged-GEN (10)
Adware.Prun-A (2)
Trojan.Fake-Alert/Warning (3)
Unclassified.Unknown Origin (10)
Adware.Tracking Cookie (3)
Adware.Vundo Variant/Rel (2)
Adware.Vundo Variant (2)
it removed/quarantined them, but whenever the scan finised, a windows error message came up saying:
Generic Host Process for Win32 Services has encountered a problem and needs to close. It also said that the following files will be included in this error report: C:\DOCUME~1\Ownder\LOCALS~1\TempWERaf1e.dir00\svchost.exe.mdmp
C:\DOCUME~1\Ownder\LOCALS~1\TempWERaf1e.dir00\appcompat.txt
i did not send the error report
another error message came up saying DCOM Service Process Launcher sevice terminated unexpectedly
but this second error message does not come up now. after the computer restarted, i ran MBAM, and I have its log here:
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3
12/31/2008 2:30:42 PM
mbam-log-2008-12-31 (14-30-42).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 122252
Time elapsed: 30 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\ukrhspcu.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d004cda3 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ukrhspcu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ucpshrku.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekarsipfqjo.dll (Trojan.Seneka) -> Delete on reboot.
C:\Documents and Settings\Ownder\Local Settings\temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
Now norton 360 still doesnt work, and there are still popups, but not that many. the norton antivirus 2009 popup/notifications have gone away, and i can navigate the internet now. however, there is still a problem because whenever i run the scans, the windows error message about Win32 Services comes up. Help as soon as possible would be greatly appreciated.
THANKS!!
Full Version: Trojan Vundo, popups, antivirus 2009, windows defender
Hi srk_fan22,
Please update and rerun Malwarebytes and post a fresh log.
Lets see if anything is left out there.
Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
Double-click ATF-Cleaner.exe to run the program.
ATF-Cleaner must be "Run as an Administrator".
Scan with SUPERAntiSpyware as follows:
QUOTE
C:\WINDOWS\system32\ukrhspcu.dll (Trojan.Vundo.H) -> Delete on reboot.
You have several of these entries on your log. Please be sure to reboot immediately after running Malwarebytes. This gives the program it's best chance of killing the infection. Then after the reboot grab the log. Please update and rerun Malwarebytes and post a fresh log.
Lets see if anything is left out there.
Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
- Double-click SUPERAntiSypware.exe and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- If asked to update the program definitions, click "Yes". If not, update the
definitions before scanning by selecting "Check for Updates". (If you encounter
any problems while downloading the updates, manually download them from
here and
unzip into the program's folder.) - Under the "Configuration and Preferences", click the Preferences... button.
- Click the "General and Startup" tab, and under
Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked. - Click the "Scanning Control" tab, and under Scanner
Options, make sure the following are checked (leave all others unchecked):- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
- Click the "Close" button to leave the control center screen and exit the program.
- Do not run a scan just yet.
Double-click ATF-Cleaner.exe to run the program.
- Under Main "Select Files to Delete" choose:
Select All. - Click the Empty Selected button.
- If you use Firefox browser click Firefox at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt. - If you use Opera browser click Opera at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt. - Click Exit on the Main menu to close the program.
ATF-Cleaner must be "Run as an Administrator".
Scan with SUPERAntiSpyware as follows:
- Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
- On the left, make sure you check C:\Fixed Drive.
- On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
- Make sure everything has a checkmark next to it and click "Next".
- A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
- If asked if you want to reboot, click "Yes" and reboot normally.
- To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
- Click Close to exit the program.
thanks! but whenever i run an mbam scan, the same five infections always come up...like in every one of the scans, even if i have deleted them in the previous mbam scan. after reboot, if i run the mbam scan again, then the same infections show up. the infections are: malware.trace (category registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan), trojan.vundo (category registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System), trojan.agent (category file, C:\WINDOWS\system32\seneka.dat), trojan.agent (trojan.agent (category file, C:\WINDOWS\system32\senekaadf.dat), and trojan.agent (category file, C:\WINDOWS\system32\senekalog.dat). heres the log for these 5 infections:
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3
1/2/2009 1:43:11 AM
mbam-log-2009-01-02 (01-43-11).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 122342
Time elapsed: 37 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
also, whenver i go online, there are still some pop ups, but definitely not as frequently as before. and also, the window for norton 360 still doesn't come up, but i think the process is still running. so is there anything wrong with norton? should i switch my security system?
heres the log for mbam (in safe mode):
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3
1/1/2009 2:48:53 AM
mbam-log-2009-01-01 (02-48-53).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 122110
Time elapsed: 30 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
and heres the log for superantispyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/01/2009 at 06:16 PM
Application Version : 4.24.1004
Core Rules Database Version : 3692
Trace Rules Database Version: 1668
Scan type : Complete Scan
Total Scan Time : 03:39:45
Memory items scanned : 164
Memory threats detected : 0
Registry items scanned : 8117
Registry threats detected : 0
File items scanned : 72446
File threats detected : 3
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\24B2C5A72209F99D
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\7C931B47B3D9FB2
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\EE03C2C11D5E6B88
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3
1/2/2009 1:43:11 AM
mbam-log-2009-01-02 (01-43-11).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 122342
Time elapsed: 37 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
also, whenver i go online, there are still some pop ups, but definitely not as frequently as before. and also, the window for norton 360 still doesn't come up, but i think the process is still running. so is there anything wrong with norton? should i switch my security system?
heres the log for mbam (in safe mode):
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3
1/1/2009 2:48:53 AM
mbam-log-2009-01-01 (02-48-53).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 122110
Time elapsed: 30 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
and heres the log for superantispyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/01/2009 at 06:16 PM
Application Version : 4.24.1004
Core Rules Database Version : 3692
Trace Rules Database Version: 1668
Scan type : Complete Scan
Total Scan Time : 03:39:45
Memory items scanned : 164
Memory threats detected : 0
Registry items scanned : 8117
Registry threats detected : 0
File items scanned : 72446
File threats detected : 3
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\24B2C5A72209F99D
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\7C931B47B3D9FB2
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\EE03C2C11D5E6B88
QUOTE
also, whenver i go online, there are still some pop ups, but definitely not as frequently as before. and also, the window for norton 360 still doesn't come up, but i think the process is still running. so is there anything wrong with norton? should i switch my security system?
You may end up reloading Norton. Let's do a few more scans and see what happens.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
- Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
- When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
- If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
- Please copy and paste the contents of Report.txt in your next reply.
- Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
heres the report:
SDFix: Version 1.240
Run by Ownder on Sat 01/03/2009 at 03:32 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP10.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP11.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP12.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP14.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP15.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP16.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP17.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP18.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP19.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1A.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1B.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1C.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1D.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP2.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP3.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP4.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP5.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP6.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP7.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMPE.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMPF.tmp - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 15:45:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Ownder\ntuser.dat, 0
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 3 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 14 Dec 2008 50,176 ...H. --- "C:\Documents and Settings\Ownder\My Documents\English\literature junior year\~WRL3657.tmp"
Mon 29 Dec 2008 44,544 ...H. --- "C:\Documents and Settings\Ownder\My Documents\History\history junior year\~WRL0001.tmp"
Finished!
SDFix: Version 1.240
Run by Ownder on Sat 01/03/2009 at 03:32 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP10.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP11.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP12.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP14.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP15.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP16.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP17.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP18.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP19.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1A.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1B.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1C.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1D.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP2.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP3.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP4.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP5.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP6.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP7.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMPE.tmp - Deleted
C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMPF.tmp - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 15:45:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Ownder\ntuser.dat, 0
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 3 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 14 Dec 2008 50,176 ...H. --- "C:\Documents and Settings\Ownder\My Documents\English\literature junior year\~WRL3657.tmp"
Mon 29 Dec 2008 44,544 ...H. --- "C:\Documents and Settings\Ownder\My Documents\History\history junior year\~WRL0001.tmp"
Finished!
Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.
Then update and rerun Malwarebytes - post a fresh log.
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.
Then update and rerun Malwarebytes - post a fresh log.
i tried to update malwarebytes, but a message keeps on popping up saying "Update failed. make sure you are connected to the internet and your firewall is set to allow malwarebytes' anti-malware to access the internet." i don't understand why because the windows firewall isn't in the way either and i am connected to the internet.
heres the report for F-Secure:
Scanning Report
Saturday, January 03, 2009 22:56:41 - 23:33:43
Computer name: 71AEB1941296405
Scanning type: Scan system for malware, rootkits
Target: C:\
--------------------------------------------------------------------------------
Result: 6 malware found
AdWare.Win32.SuperJuan (spyware)
System
INI/Vundo.A (virus)
C:\WINDOWS\SYSTEM32\XFILLUVW.INI
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Advertising (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 32716
System: 3942
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 6
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-03
F-Secure AVP: 7.0.171, 2009-01-02
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics
also, heres the log for malwarebytes (when i ran an un-updated scan)-->i think these 5 infected items are the same ones as before:
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3
1/4/2009 12:34:30 AM
mbam-log-2009-01-04 (00-34-30).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 124623
Time elapsed: 31 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
heres the report for F-Secure:
Scanning Report
Saturday, January 03, 2009 22:56:41 - 23:33:43
Computer name: 71AEB1941296405
Scanning type: Scan system for malware, rootkits
Target: C:\
--------------------------------------------------------------------------------
Result: 6 malware found
AdWare.Win32.SuperJuan (spyware)
System
INI/Vundo.A (virus)
C:\WINDOWS\SYSTEM32\XFILLUVW.INI
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Advertising (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 32716
System: 3942
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 6
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-03
F-Secure AVP: 7.0.171, 2009-01-02
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics
also, heres the log for malwarebytes (when i ran an un-updated scan)-->i think these 5 infected items are the same ones as before:
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3
1/4/2009 12:34:30 AM
mbam-log-2009-01-04 (00-34-30).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 124623
Time elapsed: 31 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
QUOTE
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
These files are being protected by a rootkit. I think our best path would be to refer you to the HJT forums.
Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.
If you need any help with the guide, please let me know. Best wishes - you are in good hands...
thank you for all your help. i really appreciate it
You are welcome. I wish we could have cleaned everything, but some malware requires more powerful tools.
http://www.bleepingcomputer.com/forums/ind...amp;pid=1075821
Since you now have an open topic, please follow only the advise of the HJT Team member who takes your log.
This topic is now closed...
Take care
http://www.bleepingcomputer.com/forums/ind...amp;pid=1075821
Since you now have an open topic, please follow only the advise of the HJT Team member who takes your log.
This topic is now closed...
Take care
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.