Trojan Vundo, popups, antivirus 2009, windows defender

When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

Trojan Vundo, popups, antivirus 2009, windows defender, have many popups, norton 360 disabled, error notices

Options

srk_fan22 View Member Profile	Dec 31 2008, 03:04 PM Post #1
Member Group: Members Posts: 59 Joined: 15-November 06 Member No.: 95,889	Yesterday, while browsing online, an error message came up saying that norton has encountered an error and the computer must restart. so i restarted the computer and then when i opend up the internet, many popups came up (popups such as antivirus 2009 and ads to buy products) and i couldn't even navigate because the website would just change. there was also an icon of the red windows shield in the icon tray on the bottom right giving off notices that '___ virus has been encountered on your computer, click here to fix it", but i did NOT click there because i suspect it to be a component of antivirus 2009. also, there was a desktop shortcut about porn, and whenever i tried dragging it into the recycle bin, it kept on coming back. eventually, after 5 tries, it finally went away. i shut my laptop and fell asleep. then, the next day, using the home computer, i downloaded superantispyware and MBAM to a USB and then installed it on my computer, all while my internet was disconnected (i had disconnected it last night). superantispyware showed these following infections: Trojan.Vundo-Variant/Packaged-GEN (10) Adware.Prun-A (2) Trojan.Fake-Alert/Warning (3) Unclassified.Unknown Origin (10) Adware.Tracking Cookie (3) Adware.Vundo Variant/Rel (2) Adware.Vundo Variant (2) it removed/quarantined them, but whenever the scan finised, a windows error message came up saying: Generic Host Process for Win32 Services has encountered a problem and needs to close. It also said that the following files will be included in this error report: C:\DOCUME~1\Ownder\LOCALS~1\TempWERaf1e.dir00\svchost.exe.mdmp C:\DOCUME~1\Ownder\LOCALS~1\TempWERaf1e.dir00\appcompat.txt i did not send the error report another error message came up saying DCOM Service Process Launcher sevice terminated unexpectedly but this second error message does not come up now. after the computer restarted, i ran MBAM, and I have its log here: Malwarebytes' Anti-Malware 1.31 Database version: 1456 Windows 5.1.2600 Service Pack 3 12/31/2008 2:30:42 PM mbam-log-2008-12-31 (14-30-42).txt Scan type: Full Scan (C:\\|D:\\|E:\\|) Objects scanned: 122252 Time elapsed: 30 minute(s), 50 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 5 Registry Values Infected: 3 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\ukrhspcu.dll (Trojan.Vundo.H) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d004cda3 (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\ukrhspcu.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\ucpshrku.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekarsipfqjo.dll (Trojan.Seneka) -> Delete on reboot. C:\Documents and Settings\Ownder\Local Settings\temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully. Now norton 360 still doesnt work, and there are still popups, but not that many. the norton antivirus 2009 popup/notifications have gone away, and i can navigate the internet now. however, there is still a problem because whenever i run the scans, the windows error message about Win32 Services comes up. Help as soon as possible would be greatly appreciated. THANKS!!

rigel View Member Profile	Dec 31 2008, 05:19 PM Post #2
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	Hi srk_fan22, QUOTE C:\WINDOWS\system32\ukrhspcu.dll (Trojan.Vundo.H) -> Delete on reboot. You have several of these entries on your log. Please be sure to reboot immediately after running Malwarebytes. This gives the program it's best chance of killing the infection. Then after the reboot grab the log. Please update and rerun Malwarebytes and post a fresh log. Lets see if anything is left out there. Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet. Please download and install SUPERAntiSpyware Free Double-click SUPERAntiSypware.exe and use the default settings for installation. An icon will be created on your desktop. Double-click that icon to launch the program. If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.) Under the "Configuration and Preferences", click the Preferences... button. Click the "*General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked. Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked): Close browsers before scanning.* Scan for tracking cookies. Terminate memory threats before quarantining. Click the "Close" button to leave the control center screen and exit the program. Do not run a scan just yet. Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Double-click ATF-Cleaner.exe to run the program. Under Main "*Select Files to Delete" choose: Select All. Click the Empty Selected* button. If you use Firefox browser click Firefox at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser click Opera at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator". Scan with SUPERAntiSpyware as follows: Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer. On the left, make sure you check C:\Fixed Drive. On the right, under "Complete Scan", choose *Perform Complete Scan* and click "Next". After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". Make sure everything has a checkmark next to it and click "Next". A notification will appear that "*Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. If asked if you want to reboot, click "Yes" and reboot normally. To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. Please copy and paste the Scan Log results in your next reply. Click Close to exit the program. -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

srk_fan22 View Member Profile	Jan 2 2009, 01:43 AM Post #3
Member Group: Members Posts: 59 Joined: 15-November 06 Member No.: 95,889	thanks! but whenever i run an mbam scan, the same five infections always come up...like in every one of the scans, even if i have deleted them in the previous mbam scan. after reboot, if i run the mbam scan again, then the same infections show up. the infections are: malware.trace (category registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan), trojan.vundo (category registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System), trojan.agent (category file, C:\WINDOWS\system32\seneka.dat), trojan.agent (trojan.agent (category file, C:\WINDOWS\system32\senekaadf.dat), and trojan.agent (category file, C:\WINDOWS\system32\senekalog.dat). heres the log for these 5 infections: Malwarebytes' Anti-Malware 1.31 Database version: 1456 Windows 5.1.2600 Service Pack 3 1/2/2009 1:43:11 AM mbam-log-2009-01-02 (01-43-11).txt Scan type: Full Scan (C:\\|D:\\|E:\\|) Objects scanned: 122342 Time elapsed: 37 minute(s), 59 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully. also, whenver i go online, there are still some pop ups, but definitely not as frequently as before. and also, the window for norton 360 still doesn't come up, but i think the process is still running. so is there anything wrong with norton? should i switch my security system? heres the log for mbam (in safe mode): Malwarebytes' Anti-Malware 1.31 Database version: 1456 Windows 5.1.2600 Service Pack 3 1/1/2009 2:48:53 AM mbam-log-2009-01-01 (02-48-53).txt Scan type: Full Scan (C:\\|D:\\|E:\\|) Objects scanned: 122110 Time elapsed: 30 minute(s), 44 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully. and heres the log for superantispyware: SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 01/01/2009 at 06:16 PM Application Version : 4.24.1004 Core Rules Database Version : 3692 Trace Rules Database Version: 1668 Scan type : Complete Scan Total Scan Time : 03:39:45 Memory items scanned : 164 Memory threats detected : 0 Registry items scanned : 8117 Registry threats detected : 0 File items scanned : 72446 File threats detected : 3 Trojan.Unknown Origin C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\24B2C5A72209F99D C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\7C931B47B3D9FB2 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\EE03C2C11D5E6B88

rigel View Member Profile	Jan 2 2009, 12:07 PM Post #4
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	QUOTE also, whenver i go online, there are still some pop ups, but definitely not as frequently as before. and also, the window for norton 360 still doesn't come up, but i think the process is still running. so is there anything wrong with norton? should i switch my security system? You may end up reloading Norton. Let's do a few more scans and see what happens. Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY. When using this tool, you must use the Administrator's account* or an account with "Administrative rights"* Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan. When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report. Please copy and paste the contents of Report.txt in your next reply. Be sure to renable you anti-virus and and other security programs before connecting to the Internet. -- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes. -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

srk_fan22 View Member Profile	Jan 3 2009, 03:57 PM Post #5
Member Group: Members Posts: 59 Joined: 15-November 06 Member No.: 95,889	heres the report: SDFix: Version 1.240 Run by Ownder on Sat 01/03/2009 at 03:32 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP10.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP11.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP12.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP14.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP15.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP16.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP17.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP18.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP19.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1A.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1B.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1C.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP1D.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP2.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP3.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP4.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP5.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP6.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMP7.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMPE.tmp - Deleted C:\DOCUME~1\Ownder\LOCALS~1\Temp\TMPF.tmp - Deleted Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-03 15:45:34 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden services & system hive ... disk error: C:\WINDOWS\system32\config\system, 0 scanning hidden registry entries ... disk error: C:\WINDOWS\system32\config\software, 0 disk error: C:\Documents and Settings\Ownder\ntuser.dat, 0 scanning hidden files ... disk error: C:\WINDOWS\ please note that you need administrator rights to perform deep scan Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe::Enabled:æTorrent" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe::Enabled:AOL Loader" "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe::Enabled:AIM" "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE::Enabled:Microsoft Office OneNote" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe::Enabled:LimeWire" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe::Enabled:Bonjour" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe::Enabled:iTunes" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" Remaining Files : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Thu 3 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Sun 14 Dec 2008 50,176 ...H. --- "C:\Documents and Settings\Ownder\My Documents\English\literature junior year\~WRL3657.tmp" Mon 29 Dec 2008 44,544 ...H. --- "C:\Documents and Settings\Ownder\My Documents\History\history junior year\~WRL0001.tmp" Finished!

rigel View Member Profile	Jan 3 2009, 07:55 PM Post #6
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	Please run the F-Secure Online Scanner Note: This Scanner is for Internet Explorer Only! Follow the Instruction here for installation. Accept the License Agreement. Once the ActiveX installs,Click Full System Scan Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient. When the scan completes, click the Automatic cleaning (recommended) button. Click the Show Report button and Copy&Paste the entire report in your next reply. Then update and rerun Malwarebytes - post a fresh log. -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

srk_fan22 View Member Profile	Jan 4 2009, 12:35 AM Post #7
Member Group: Members Posts: 59 Joined: 15-November 06 Member No.: 95,889	i tried to update malwarebytes, but a message keeps on popping up saying "Update failed. make sure you are connected to the internet and your firewall is set to allow malwarebytes' anti-malware to access the internet." i don't understand why because the windows firewall isn't in the way either and i am connected to the internet. heres the report for F-Secure: Scanning Report Saturday, January 03, 2009 22:56:41 - 23:33:43 Computer name: 71AEB1941296405 Scanning type: Scan system for malware, rootkits Target: C:\ -------------------------------------------------------------------------------- Result: 6 malware found AdWare.Win32.SuperJuan (spyware) System INI/Vundo.A (virus) C:\WINDOWS\SYSTEM32\XFILLUVW.INI TrackingCookie.2o7 (spyware) System TrackingCookie.Advertising (spyware) System TrackingCookie.Doubleclick (spyware) System TrackingCookie.Yieldmanager (spyware) System -------------------------------------------------------------------------------- Statistics Scanned: Files: 32716 System: 3942 Not scanned: 8 Actions: Disinfected: 0 Renamed: 0 Deleted: 0 None: 6 Submitted: 0 Files not scanned: C:\HIBERFIL.SYS C:\PAGEFILE.SYS C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT C:\WINDOWS\SYSTEM32\CONFIG\SAM C:\WINDOWS\SYSTEM32\CONFIG\SECURITY C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL -------------------------------------------------------------------------------- Options Scanning engines: F-Secure USS: 2.40.0 F-Secure Hydra: 2.8.8110, 2009-01-03 F-Secure AVP: 7.0.171, 2009-01-02 F-Secure Pegasus: 1.20.0, 2008-11-17 F-Secure Blacklight: 0.0.0 Scanning options: Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR Use Advanced heuristics also, heres the log for malwarebytes (when i ran an un-updated scan)-->i think these 5 infected items are the same ones as before: Malwarebytes' Anti-Malware 1.31 Database version: 1456 Windows 5.1.2600 Service Pack 3 1/4/2009 12:34:30 AM mbam-log-2009-01-04 (00-34-30).txt Scan type: Full Scan (C:\\|D:\\|E:\\|) Objects scanned: 124623 Time elapsed: 31 minute(s), 26 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.

rigel View Member Profile	Jan 4 2009, 02:34 PM Post #8
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	QUOTE C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully. These files are being protected by a rootkit. I think our best path would be to refer you to the HJT forums. Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far. If you need any help with the guide, please let me know. Best wishes - you are in good hands... -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

srk_fan22 View Member Profile	Jan 4 2009, 03:27 PM Post #9
Member Group: Members Posts: 59 Joined: 15-November 06 Member No.: 95,889	thank you for all your help. i really appreciate it

rigel View Member Profile	Jan 4 2009, 05:42 PM Post #10
BC 1st Responder Group: Global Moderator Posts: 9,844 Joined: 21-October 04 From: South Carolina - USA Member No.: 3,905	You are welcome. I wish we could have cleaned everything, but some malware requires more powerful tools. http://www.bleepingcomputer.com/forums/ind...amp;pid=1075821 Since you now have an open topic, please follow only the advise of the HJT Team member who takes your log. This topic is now closed... Take care -------------------- "In a world where you can be anything, be yourself." ~ unknown Become a BleepingComputer fan: Facebook

« Next Oldest · Am I infected? What do I do? · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides