
Vundo infection/unable to create restore points


This topic is locked. 9 replies to this topic.

#1 Stevie_C (Members, 16 posts)

Posted 21 January 2009 - 04:38 PM

Hello all,

My system was infected with the Vundo trojan and possibly other malware. Rigel has very kindly helped me clean up much of the infection. But due to an unknown problem, I am unable to create a restore point as he suggested, and he has advised me to post a HJT log here. Here is the link to my original thread, in the "Am I infected? What do I do?" forum.
The symptoms of the problem varied at first but after cleaning up the infection I can only identify two peculiarities:
I sporadically hear the Windows 'warning' sound but no error appears. I don't know what is causing this noise but I assume it's related to the infection as it was not happening before.
Also my display had changed slightly. The desktop icons had a blue haze to them but I was able to correct this after cleaning out much of the malware. Also I think certain software, such as Notepad, is looking slightly different. In the top menu options, the background colour of the options has turned white, whereas previously it was the same shade of grey as the top bar. This may possibly be a graphic/monitor settings issue, although I'm not 100% sure!
There may be other problems which I haven't yet noticed! Also, in my original thread I stated I was using Bit Defender but my license expired a few days ago and I have replaced it with AVG 8.

Here's the HJT log, and I've attached the Attached.text file too.

Many thanks to anyone who can help!


DDS (Ver_09-01-18.01) - NTFSx86
Run by Steve at 20:57:39.01 on 21/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1511 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Universal Shield 4.0\US30Service.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/news
mDefault_Page_URL = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Trusted Zone: microsoftelearning.com\www
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: rfkskh.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGwXnol

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xd1nmqt8.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-15 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-15 26824]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [2008-2-1 34944]
R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [2005-3-31 10464]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-15 231704]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S4 Crycpgoe;Crycpgoe; [x]

=============== Created Last 30 ================

2009-01-18 14:16 115,224 a------- C:\img2-001.raw
2009-01-16 00:39 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-16 00:39 --d----- c:\program files\SUPERAntiSpyware
2009-01-16 00:39 --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-01-15 23:01 --d-h--- C:\$AVG8.VAULT$
2009-01-15 22:22 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-15 22:22 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-15 22:22 --d----- c:\windows\system32\drivers\Avg
2009-01-15 22:22 --d----- c:\program files\AVG
2009-01-15 22:22 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-15 21:57 --d----- c:\program files\common files\Symantec Shared
2009-01-15 21:38 --d----- c:\windows\system32\xircom
2009-01-15 21:38 --d----- c:\windows\system32\oobe
2009-01-15 21:38 --d----- c:\windows\srchasst
2009-01-15 21:33 578,048 a------- c:\windows\system32\dllcache\user32.dll
2009-01-15 21:31 --d----- c:\windows\ERUNT
2009-01-15 21:05 --d----- C:\SDFix
2009-01-14 19:34 1 a------- c:\windows\system32\uniq.tll
2009-01-13 20:34 1,519,583 a--sh--- c:\windows\system32\lonXwGgh.ini2
2009-01-13 20:34 2,204 a------- c:\windows\nfzvwywg
2009-01-13 20:34 1,519,583 a--sh--- c:\windows\system32\lonXwGgh.ini
2009-01-09 23:45 --d----- c:\docume~1\owner\applic~1\Red Kawa
2009-01-09 23:44 --d----- c:\program files\AviSynth 2.5
2009-01-09 23:44 --d----- c:\program files\Red Kawa
2009-01-07 00:15 244 a---h--- C:\sqmnoopt00.sqm
2009-01-07 00:15 232 a---h--- C:\sqmdata00.sqm
2009-01-06 21:56 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-06 21:56 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-06 21:56 --d----- c:\program files\iPod
2009-01-06 21:56 --d----- c:\program files\iTunes
2009-01-06 21:56 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-06 21:53 32,000 a------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2009-01-15 22:17 81,984 a------- c:\windows\system32\bdod.bin
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 22:40 5,632 a------- c:\windows\system32\drivers\StarOpen.sys
2008-12-13 06:26 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:24 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:24 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-11-12 21:38 23,168 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2008-10-26 17:05 2,272 a------- c:\windows\system32\w95inf16.dll
2008-10-26 17:05 4,608 a------- c:\windows\system32\w95inf32.dll
2008-10-24 11:25 455,936 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-14 21:42 1,136 a------- c:\docume~1\owner\applic~1\filterclsid.dat
2008-09-04 22:12 708 a------- c:\program files\INSTALL.LOG
2006-06-22 23:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2003-12-18 10:33 20,102 a------- c:\program files\Readme.txt
2003-09-03 06:46 10,960 a------- c:\program files\EULA.txt
2008-09-04 22:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat
2008-09-04 23:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 20:57:55.09 ===============
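
The Pseudo HJT section of the DDS log above carries the entries that matter most in a Vundo case: an extra DLL under AppInit_DLLs, an extra entry under LSA Authentication Packages, a service whose image file is gone, and system+hidden files with random names. The following is an added triage script, not part of the thread or of DDS; the sample lines are copied from the log above, and the allowlists (AVG's own AppInit DLL, msv1_0 as the only expected authentication package) and my reading of the `[x]` marker are assumptions for the illustration.

```python
import re

# Constructed sample: lines copied from the DDS log posted above, plus AVG's own
# AppInit DLL, service and file entries as clean controls.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
AppInit_DLLs: rfkskh.dll,avgrsstx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGwXnol
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-15 231704]
S4 Crycpgoe;Crycpgoe; [x]
2009-01-15 22:22 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-13 20:34 1,519,583 a--sh--- c:\windows\system32\lonXwGgh.ini
2009-01-13 20:34 1,519,583 a--sh--- c:\windows\system32\lonXwGgh.ini2
2009-01-15 23:01 --d-h--- C:\$AVG8.VAULT$
"""

# Assumed allowlists for this illustration: the DLL AVG 8 registers under
# AppInit_DLLs, and the one authentication package a stock XP install lists.
KNOWN_APPINIT = {"avgrsstx.dll"}
KNOWN_AUTH_PACKAGES = {"msv1_0"}

# "R4 name;description;image [date size]"; DDS prints "[x]" in place of the
# date/size when the image file is not on disk (my reading of the log format).
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.*?)\s*(\[[^\]]*\])$")
# "date time [size] attributes path"; attributes is an 8-character flag string.
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:[\d,]+\s+)?([a-z-]{8})\s+(.+)$")


def triage_dds(text):
    """Return (indicator, detail) pairs for persistence entries worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into every process that links user32.dll.
            for dll in line.split(":", 1)[1].split(","):
                dll = dll.strip().lower()
                if dll and dll not in KNOWN_APPINIT:
                    findings.append(("appinit_dll", dll))
        elif line.startswith("LSA: Authentication Packages"):
            # Packages here are loaded by lsass.exe at boot; anything beyond msv1_0 is unusual.
            for pkg in line.split("=", 1)[1].split():
                if pkg.rsplit("\\", 1)[-1].lower() not in KNOWN_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", pkg))
        elif (m := SERVICE_RE.match(line)):
            if m.group(3) == "[x]":
                findings.append(("service_missing_image", m.group(1)))
        elif (m := FILE_RE.match(line)):
            attrs, path = m.group(1), m.group(2)
            # A file (not a directory) carrying both the system and hidden flags.
            if "d" not in attrs and "s" in attrs and "h" in attrs:
                findings.append(("hidden_system_file", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_dds(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Treat the output as a worklist, not a verdict: Internet Explorer's index.dat files in the Find3M section also carry the system+hidden flags, so the last heuristic needs a human (or a stricter path filter) behind it. The AppInit_DLLs and LSA entries, on the other hand, are worth checking on every log, because both load code into privileged processes at boot and neither is something a user installs by hand.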

#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 31 January 2009 - 02:50 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can use the Track this Topic option at the top bar of this topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run OTScanIt

Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Change the Rootkit Scan setting from "No" to Yes.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information into your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

Please post back with:
-OTScanIT log
-GMER log
-What Problems do you still have?


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 Stevie_C (Topic Starter, Members, 16 posts)

Posted 01 February 2009 - 06:29 PM

Hi EB, thanks for responding!

I have attached the OTScanIt log, and pasted the log for the gmer scan below. Thanks!
The problems I still have:
Internet Explorer does not load, it crashes and I am forced to reboot as there is no way to exit IE.
I hear the Windows 'warning' sound every so often but no alert or message appears!
Some of the display on certain software has changed. For example, in Notepad the top menu options (File, Edit, Format, View, Help) have a white background instead of the grey coloured background of the menu bar. When selecting any of the menu options the colour distorts the background.

Below is the gmer log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-01 23:22:22
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code 89A0A1F8 ZwEnumerateKey
Code 89A057C8 ZwFlushInstructionCache
Code B7E4754C pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwEnumerateKey 80578EE4 5 Bytes JMP 89A0A1FC
PAGE ntoskrnl.exe!ZwFlushInstructionCache 805873DB 5 Bytes JMP 89A057CC

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs US30XP.sys
Device \FileSystem\Mup \Dfs US30XP.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 US30Kbd2K.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 US30Kbd2K.sys

Device \Driver\Serial \Device\Serial0 US30XP.sys
Device \FileSystem\RAW \Device\RawTape US30XP.sys
Device \FileSystem\MRxDAV \Device\WebDavRedirector US30XP.sys
Device \Driver\rdpdr \Device\RdpDrPort US30XP.sys
Device \Driver\ParVdm \Device\ParallelVdm0 US30XP.sys
Device \Driver\rdpdr \Device\RdpDr US30XP.sys
Device \Driver\Cdrom \Device\CdRom0 89A166E0
Device \FileSystem\Rdbss \Device\FsWrap US30XP.sys
Device \Driver\Cdrom \Device\CdRom1 89A166E0
Device \Driver\atapi \Device\Ide\IdePort0 89A02008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 89A02008
Device \Driver\atapi \Device\Ide\IdePort1 89A02008
Device \Driver\atapi \Device\Ide\IdePort2 89A02008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 89A02008
Device \Driver\atapi \Device\Ide\IdePort3 89A02008
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-17 89A02008
Device \Driver\Parport \Device\Parallel0 US30XP.sys
Device \Driver\Cdrom \Device\CdRom2 89A166E0
Device \FileSystem\Srv \Device\LanmanServer 891A5FB0
Device \FileSystem\Mup \Device\Mup US30XP.sys
Device \FileSystem\RAW \Device\RawDisk US30XP.sys
Device \Driver\Ptilink \Device\ParTechInc0 US30XP.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver US30XP.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector US30XP.sys
Device \FileSystem\Npfs \Device\NamedPipe US30XP.sys
Device \FileSystem\Msfs \Device\Mailslot US30XP.sys
Device \FileSystem\RAW \Device\RawCdRom US30XP.sys
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port4Path0Target0Lun0 89B44828
Device \Driver\a347scsi \Device\Scsi\a347scsi1 89B44828
Device \FileSystem\Mup \Device\WinDfs\Root US30XP.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer US30XP.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer US30XP.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer US30XP.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer US30XP.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer US30XP.sys
Device \FileSystem\Cdfs \Cdfs US30XP.sys

---- Modules - GMER 1.0.14 ----

Module _________ F7472000-F748A000 (98304 bytes)
Module \systemroot\system32\drivers\senekalewbqufr.sys (*** hidden *** ) B7E45000-B7E5E000 (102400 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\senekalewbqufr.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@imagepath \systemroot\system32\drivers\senekalewbqufr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dll \systemroot\system32\senekauxrmpfmx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekalewbqufr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekawi.dll \systemroot\system32\senekarnkosfrq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\seneka
Reg HKLM\SYSTEM\ControlSet002\Services\seneka@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\seneka@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\seneka@imagepath \systemroot\system32\drivers\senekalewbqufr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\seneka@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\seneka\modules
Reg HKLM\SYSTEM\ControlSet002\Services\seneka\modules@seneka.dll \systemroot\system32\senekauxrmpfmx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekalewbqufr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\seneka\modules@senekawi.dll \systemroot\system32\senekarnkosfrq.dll

---- EOF - GMER 1.0.14 ----

Edited by Stevie_C, 01 February 2009 - 06:33 PM.
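
The GMER log above, as an added worked example that is not part of the thread or of GMER: a Python triage pass over the lines that matter (the sample is a constructed excerpt copied from the log above), which resolves each hook address against the module ranges GMER listed and collects the file names the hidden service's registry data points at. The reading of GMER's line format and the choice of what counts as a finding are my assumptions.

```python
import re

# Constructed excerpt of the GMER log posted above (a legitimate Device line is
# included as a control).
GMER_SAMPLE = r"""
Code 89A0A1F8 ZwEnumerateKey
Code B7E4754C pIofCallDriver
PAGE ntoskrnl.exe!ZwEnumerateKey 80578EE4 5 Bytes JMP 89A0A1FC
Device \FileSystem\Ntfs \Ntfs US30XP.sys
Module _________ F7472000-F748A000 (98304 bytes)
Module \systemroot\system32\drivers\senekalewbqufr.sys (*** hidden *** ) B7E45000-B7E5E000 (102400 bytes)
Service C:\WINDOWS\system32\drivers\senekalewbqufr.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@imagepath \systemroot\system32\drivers\senekalewbqufr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dll \systemroot\system32\senekauxrmpfmx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekawi.dll \systemroot\system32\senekarnkosfrq.dll
"""

HEX = r"([0-9A-Fa-f]{8})"
CODE_RE = re.compile(rf"^Code\s+{HEX}\s+(\S+)$")                      # System section
INLINE_RE = re.compile(rf"^PAGE\s+(\S+)\s+{HEX}\s+\d+ Bytes JMP {HEX}$")  # inline JMP hook
MODULE_RE = re.compile(rf"^Module\s+(\S+)\s+(\(\*\*\* hidden \*\*\* \)\s+)?{HEX}-{HEX}")
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+(\S+?)@(\S+)\s+(.*)$")                  # key@value data


def parse_gmer(text):
    """Pull hooks, module ranges, hidden services and registry values out of a GMER log."""
    report = {"code_hooks": [], "inline_hooks": [], "modules": [],
              "hidden_services": [], "reg_values": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := CODE_RE.match(line)):
            report["code_hooks"].append((m.group(2), int(m.group(1), 16)))
        elif (m := INLINE_RE.match(line)):
            report["inline_hooks"].append((m.group(1), int(m.group(3), 16)))
        elif (m := MODULE_RE.match(line)):
            report["modules"].append(
                (m.group(1), int(m.group(3), 16), int(m.group(4), 16), m.group(2) is not None))
        elif (m := SERVICE_RE.match(line)):
            report["hidden_services"].append((m.group(2), m.group(1)))
        elif (m := REG_RE.match(line)):
            report["reg_values"].append((m.group(1), m.group(2), m.group(3)))
    return report


def owner_of(addr, modules):
    """Name of the listed module whose range contains addr, else None (unlisted code)."""
    for name, start, end, _hidden in modules:
        if start <= addr < end:
            return name.rsplit("\\", 1)[-1]
    return None


def triage(report):
    # Each hook target is attributed to a module range, or to None if no listed module owns it.
    hooks = [(sym, f"{target:08X}", owner_of(target, report["modules"]))
             for sym, target in report["code_hooks"] + report["inline_hooks"]]
    # Files tied to a hidden service: its image plus any path-like data under its Services key.
    artifacts = set()
    for name, image in report["hidden_services"]:
        artifacts.add(image.rsplit("\\", 1)[-1].lower())
        key_prefix = f"\\services\\{name.lower()}\\"
        for key, _value, data in report["reg_values"]:
            if key_prefix in key.lower() + "\\" and "\\" in data:
                artifacts.add(data.rsplit("\\", 1)[-1].lower())
    hidden_modules = [n.rsplit("\\", 1)[-1] for n, _s, _e, hidden in report["modules"] if hidden]
    return {"hooks": hooks, "hidden_modules": hidden_modules, "artifacts": sorted(artifacts)}


if __name__ == "__main__":
    for key, value in triage(parse_gmer(GMER_SAMPLE)).items():
        print(key, value)
```

Two things fall out of the attribution step. The pIofCallDriver hook at B7E4754C lands inside the range of the hidden senekalewbqufr.sys, which ties that driver directly to the I/O path tampering, while the ZwEnumerateKey addresses (89A0A1F8 and the JMP target 89A0A1FC) fall outside every listed module, so that trampoline lives in memory GMER shows no owner for. The many Device lines naming US30XP.sys are not treated as findings here: Universal Shield 4.0 appears in the running-processes list of the DDS log above, and a file-hiding product attaching to the file system stacks is consistent with what it is sold to do, so those lines need the analyst's judgement rather than an automatic flag.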


#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 01 February 2009 - 07:16 PM

Hello again.

It seems you are infected with some Vundos and rootkits; this should be fun. There are also some disk errors, which isn't good at all. The best option would be to format now. You were not warned in the Am I Infected forum, so I will warn you now.

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see a prompt asking to install it. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message saying so.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Some questions I would like to ask you:
1) I believe you are posting this from another clean computer, since you said IE doesn't work?
2) Do you have a Windows XP CD disk anywhere? I ask because we may need it later on. If not that's okay too.

Post back with:
-Combofix log
-New GMER log


Attach back with:
-New OTScanIT2 Scan log

With Regards,
Extremeboy
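
The warning above says a rootkit patches kernel APIs so that the registry keys it installs never show up when they are enumerated, which is exactly what the hooked ZwEnumerateKey in the GMER log earlier in this thread does. As an added illustration (not code from the thread, from GMER or from the malware), here is a toy in-memory model of that hook and of the two checks a rootkit scanner relies on to see through it: a dispatch-table comparison against known-good entries, and a cross-view diff between what the API reports and what the raw hive contains. The registry contents, the hidden-name prefix and every function name are constructed for the example.

```python
# Constructed stand-in for HKLM\SYSTEM\CurrentControlSet\Services as stored in the hive file.
HIVE_SERVICES = {
    "Ntfs":   {"Start": "0", "Type": "2",  "ImagePath": r"\SystemRoot\system32\drivers\ntfs.sys"},
    "avg8wd": {"Start": "2", "Type": "16", "ImagePath": r"c:\progra~1\avg\avg8\avgwdsvc.exe"},
    "seneka": {"Start": "1", "Type": "1",  "ImagePath": r"\systemroot\system32\drivers\senekalewbqufr.sys"},
}
HIDE_PREFIX = "seneka"   # assumed: the rootkit hides anything carrying its own name prefix


def zw_enumerate_key(hive):
    """Clean kernel routine: every subkey present in the hive is returned."""
    return sorted(hive)


def zw_open_key(hive, name):
    """Left unhooked in this scenario: the driver's own service key must stay openable to load at boot."""
    return hive.get(name)


def hooked_zw_enumerate_key(hive):
    """What runs after the 5-byte JMP: call the original, then drop the rootkit's own names."""
    return [k for k in zw_enumerate_key(hive) if not k.lower().startswith(HIDE_PREFIX)]


# Minimal stand-in for the kernel's service dispatch table: symbol -> code it points at.
ORIGINAL_TABLE = {"ZwEnumerateKey": zw_enumerate_key, "ZwOpenKey": zw_open_key}
LIVE_TABLE = dict(ORIGINAL_TABLE)


def install_rootkit(table):
    """Redirect the enumeration entry, the way the JMP in the GMER log redirects the real one."""
    table["ZwEnumerateKey"] = hooked_zw_enumerate_key


def find_patched_entries(live, known_good):
    """Scanner check 1: which entries no longer point at the code they should?"""
    return sorted(sym for sym, fn in live.items() if fn is not known_good[sym])


def raw_hive_keys(hive):
    """Scanner check 2, raw view: read the hive itself instead of asking the (hooked) API."""
    return sorted(hive)


def cross_view_diff(api_view, raw_view):
    """Keys present in the raw view but absent from the API view are being hidden."""
    return sorted(set(raw_view) - set(api_view))


def probe_by_name(table, hive, candidates):
    """Cheap corroboration: a key the API refuses to list but opens fine is inconsistent."""
    listed = set(table["ZwEnumerateKey"](hive))
    return sorted(n for n in candidates
                  if n not in listed and table["ZwOpenKey"](hive, n) is not None)


def demo():
    install_rootkit(LIVE_TABLE)
    api_view = LIVE_TABLE["ZwEnumerateKey"](HIVE_SERVICES)
    return {
        "patched": find_patched_entries(LIVE_TABLE, ORIGINAL_TABLE),
        "hidden": cross_view_diff(api_view, raw_hive_keys(HIVE_SERVICES)),
        "inconsistent": probe_by_name(LIVE_TABLE, HIVE_SERVICES, ["seneka", "Ntfs", "nosuch"]),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry the warning relies on: the rootkit must leave enough of the system intact to survive a reboot (its service key still has to open and its driver still has to load), and that is what a raw-hive read or an open-by-name probe exploits. It also shows why "the scanner found nothing" means little on a box like this one: every check that goes through the patched API sees the filtered view, which is the reason the post above recommends treating the machine as untrusted and reinstalling.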

#5 extremeboy (Malware Response Team, 12,975 posts)

Posted 04 February 2009 - 06:16 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#6 Stevie_C (Topic Starter, Members, 16 posts)

Posted 04 February 2009 - 07:20 PM

Hi. Sorry for the late reply, I decided to format the hard drive; I think it was due a format too. Thanks for your time. If you have further advice, that would be great.

#7 extremeboy (Malware Response Team, 12,975 posts)

Posted 04 February 2009 - 08:04 PM

Hello.

Good idea. A format would have been the best option.

Some advice is as follows:

Install an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources

Some Free Anti-Virus software I recommend are:

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Install a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Some Firewall programs I recommend to others are:

Update your Firewall Program - It is imperative that you update your Firewall at least once a week (even more if you wish). If you do not update your firewall then it will not be able to catch any of the new variants that may come out.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, you will find a nice little article here about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Additional Security Programs

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :)


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :step4:

With Regards,
Extremeboy

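As an added example (my own code, not from Extremeboy's post above or from any of the tools the thread links to), here is a PowerShell script for the "Disable Autorun" advice in that post. It writes the documented NoDriveTypeAutoRun policy value, sets HonorAutorunSetting so Explorer also honours the policy on double-click (that value is what Microsoft's AutoRun update KB967715 writes, and it is the caveat the post mentions), and then audits every removable drive for a root autorun.inf, listing the open= / shellexecute= directives that USB worms rely on. It assumes Windows 7 or later with PowerShell 3 or newer and an elevated prompt for the registry write; the script name, function names and the DriveType filter are my choices, not anything from the post. On the XP/Vista systems the thread is about, the same registry values apply once that update is installed, but Get-CimInstance would have to be replaced with Get-WmiObject.

```powershell
# Added example, not code from the original post. Assumes Windows 7 or later with
# PowerShell 3+ (for Get-CimInstance) and an elevated prompt for the policy write.
# Usage:  powershell -ExecutionPolicy Bypass -File .\Check-Autorun.ps1

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bit mask of drive types AutoRun must skip; 0xFF covers
    # all of them (unknown, removable, fixed, network, CD-ROM and RAM disk).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    # HonorAutorunSetting = 1 is what Microsoft's AutoRun update (KB967715) writes so that
    # Explorer honours the policy when a drive is double-clicked, not only on insertion.
    New-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-AutoRunPolicy {
    # Returns the machine-wide NoDriveTypeAutoRun value, or $null when no policy is set.
    $p = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.NoDriveTypeAutoRun
}

function Find-AutorunInf {
    # Checks the root of every removable volume (Win32_LogicalDisk DriveType 2) for
    # autorun.inf and reports the directives a USB worm uses to launch its payload:
    # open=, shellexecute= and shell\<verb>\command=.
    $hits = @()
    $drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 }
    foreach ($d in $drives) {
        $inf = Join-Path $d.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # -Force so a Hidden+System file (the usual worm trick) is still returned
        $item  = Get-Item -LiteralPath $inf -Force
        $lines = Select-String -LiteralPath $inf -Pattern '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' |
                 ForEach-Object { $_.Line.Trim() }
        $hits += [pscustomobject]@{
            Drive      = $d.DeviceID
            Hidden     = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            Directives = @($lines)
        }
    }
    return $hits
}

if (Test-IsAdmin) {
    Disable-AutoRunPolicy
} else {
    Write-Warning 'Not running elevated: skipping the policy write and only auditing.'
}

$value = Get-AutoRunPolicy
if ($null -eq $value) { 'NoDriveTypeAutoRun policy: not set (AutoRun still active for removable drives)' }
else                  { 'NoDriveTypeAutoRun policy: 0x{0:X2}' -f $value }

$found = @(Find-AutorunInf)
if ($found.Count -eq 0) { 'No autorun.inf found on any removable drive.' }
else                    { $found | Format-List }
```

A drive that shows up with a hidden autorun.inf whose open= or shellexecute= points at an executable on the same stick is the pattern the quoted F-Secure text describes; a legitimate installer CD also carries an autorun.inf, so treat the report as something to look at, not as a verdict on its own.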

#8 Stevie_C

Stevie_C
  • Topic Starter

  • Members
  • 16 posts
  • Local time:06:00 PM

Posted 05 February 2009 - 07:51 PM

Thanks for the advice EB. You can close this topic now. :thumbup2:

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:00 PM

Posted 05 February 2009 - 07:59 PM

You are very welcome Stevie_C. :)

Happy surfing again! Good Luck :thumbup2:

With Regards,
Extremeboy

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:00 PM

Posted 05 February 2009 - 08:09 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy



