Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Vundo - Seneka - Firefox Linkjack

  • This topic is locked This topic is locked
6 replies to this topic

#1 TomDiamond


  • Members
  • 3 posts
  • Local time:01:55 AM

Posted 10 February 2009 - 06:01 AM

Late last Saturday (2/7/2009 10:51 PM) I was Googling some Photoshop plugins using Firefox 3.0.6 on a Win XP Home SP3 box when I apparently encountered a malicious website. Based on the log I can narrow it down to about three, though I'd rather not list them publicly, though if a moderator would like to contact me privately I can pass along the info. My first indication that there was a problem was when IE7 spontaneously opened and began loading a website. I closed IE and FF and then rebooted, at which time Win Defender popped-up a warning that Vundo was detected. Long story short, I've run quite a few scanners and I think I've managed to eradicate all the malware, but since this isn't my area of expertise I'd like to have one of the resident experts look over my scan logs and see if I missed anything.

Before getting to the scans, I'd like to mention that anytime (or at least most of the time) I tried to open a link from Google using Firefox it was being hijacked to a URL supplied by v1.adwarefeed.com... I've seen other people reporting the same problem lately and none of the malware scanner/removers seem to be picking up on it. Good news is I believe I have found the source in the Mozilla Firefox/extensions directory, there was a new directory created at the exact time that the other malware was installed. Within the subdirectories chrome/content there was a script named overlay.xul which I believe controlled the linkjacking from a number of search engines... removing these files/directories resolved the problem and it has not reoccurred. I can upload the files as a zip if any mods are interested in taking a closer look.

Getting back to the trojans, I ran a Kaspersky Online scan followed by SuperAntiSpyware, MalwareBytes Anti-Malware (which initially would crash to a blue screen and reboot after running for a few minutes), AdAware (which also crashed until I upgraded to the AE version), A-Squared Free, Windows Defender, RegRun Partizan, HijackThis and finally, mostly out of frustration, ComboFix (yeah, I know, my bad, I apologize). The results were that Kaspersky found:

C:\Program Files\Τasks\Τasks\ctxad-572.0000 Infected: Backdoor.Win32.Small.fmd
C:\WINDOWS\system32\fccaXOIB.dll Infected: Trojan.Win32.Monder.atxg

While mbam quarantined and deleted Trojan.Vundo.H, Rogue.WinAntivirus, seneka, Rogue.AdwareAlert and at least one Trojan.Downloader. I can post the mbam log if requested. Rerunning mbam, HJT and WinDef have since reported zero infections... but like I said, I'd like to be sure. I'm probably going to reformat and reinstall in the not too distant future, but for now I'm treating this as a learning experience, in fact I'm even thinking of signing-up for the training program.. we'll see how this goes first.

So there you have it. I really respect what you guys do here, it's a great and much needed public service you provide. Here's my DDS.txt log, let me know if you need anything else.


DDS (Ver_09-02-01.01) - NTFSx86
Run by DB at 4:33:38.60 on Tue 02/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2276 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Documents and Settings\DB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\DB\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [PowerPanel Personal Edition User Interaction] "c:\program files\cyberpower powerpanel personal edition\pppeuser.exe"
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [Google Update] "c:\documents and settings\db\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRunOnce: [rmoc3260.dll OCX] regsvr32.exe /s "c:\windows\system32\rmoc3260.dll"
StartupFolder: c:\docume~1\db\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &NeoTrace It! - c:\progra~1\neotra~1\NTXcontext.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: MasterCook: Select Image - c:\program files\mastercook 9\web\MCIEContext.hta
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8ACDC08B-DC64-4613-97F2-299B65F66E1D} - hxxp://www.digimeld.com/download/digimeldOcx.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\db\applic~1\mozilla\firefox\profiles\4cfdb9s5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\documents and settings\db\application

FF - plugin: c:\documents and settings\db\local settings\application data\google\update\\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R2 FlipShare Service;FlipShare Service;c:\program files\pure digital technologies\flipshare\FlipShareService.exe [2008-11-13 439616]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 npusbio;npusbio;c:\windows\system32\drivers\npusbio.sys [2008-12-25 36384]
R3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2007-5-30 3968]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 NPUSB;NPUSB;c:\windows\system32\drivers\npusb.sys [2008-12-25 15360]
S3 RegGuard;RegGuard;\??\c:\windows\system32\drivers\regguard.sys --> c:\windows\system32\drivers\regguard.sys [?]

=============== Created Last 30 ================

2009-02-10 00:08 <DIR> --d----- C:\fixwareout
2009-02-09 04:49 <DIR> a-dshr-- C:\cmdcons
2009-02-09 04:48 161,792 a------- c:\windows\SWREG.exe
2009-02-09 04:48 98,816 a------- c:\windows\sed.exe
2009-02-08 16:48 <DIR> --d----- c:\docume~1\db\applic~1\Malwarebytes
2009-02-08 16:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-08 16:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 16:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-08 16:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-08 02:21 4 a------- c:\windows\jycveqea
2009-02-08 02:05 <DIR> --d----- c:\windows\RestoreSafeDeleted
2009-02-08 02:03 2 a--shrot c:\windows\winstart.bat
2009-02-07 21:40 <DIR> --d----- c:\program files\Topaz Labs
2009-02-07 00:39 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-07 00:39 1,409 a------- c:\windows\QTFont.for
2009-02-02 18:37 <DIR> --d----- c:\program files\SpaceShuttleMission2007
2009-01-31 16:18 <DIR> --d----- c:\windows\system32\AGEIA
2009-01-28 17:36 <DIR> a-d----- c:\program files\heavensat214
2009-01-28 15:03 <DIR> --d----- c:\windows\SxsCaPendDel
2009-01-23 03:55 110,080 a------- c:\windows\system32\Orbitron.scr
2009-01-23 03:55 <DIR> --d----- c:\program files\Orbitron
2009-01-15 08:19 1,253,376 a------- c:\windows\system32\NvPVEnc.ax

==================== Find3M ====================

2009-01-07 11:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-04 08:41 6,537,728 a------- c:\windows\system32\tliadjust26.dll
2008-12-10 09:45 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-04 09:28 24,344 a------- c:\windows\system32\PhysXDevice.dll
2008-11-30 16:02 36,824 a------- c:\program files\TSH Hi-Resabout.jpg
2008-11-30 14:34 325,632 a------- c:\windows\system32\EAREMOVE.EXE
2008-11-26 08:55 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-11-25 20:48 1,695,744 a------- c:\windows\system32\tliadjust26_dll.dll
2008-11-25 08:38 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2008-11-21 13:21 3,281 a------- c:\windows\unins000.dat
2008-11-21 13:20 682,266 a------- c:\windows\unins000.exe
2008-06-15 07:21 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-04-24 18:34 47,360 a------- c:\docume~1\db\applic~1\pcouffin.sys
2008-05-06 23:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050720080508\index.dat

============= FINISH: 4:34:09.95 ===============

BC AdBot (Login to Remove)


#2 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:55 AM

Posted 20 February 2009 - 08:17 PM


Seneka is a very nasty infection as well. It's a rootkit/backdoor infection.

Posted ImageRootkit Threat

Unfortunatly One or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 TomDiamond

  • Topic Starter

  • Members
  • 3 posts
  • Local time:01:55 AM

Posted 21 February 2009 - 10:29 PM

Thank you, I'll take your recommendations under advisement.

#4 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:55 AM

Posted 21 February 2009 - 10:41 PM


Okay. Good luck on the reinstall/format. If you need help post another topic in the Xp forum. If you need to backup any files/folders there are 2 guidelines I have for you.

When backing up files and datas there are mainly 2 general guidelines:

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Then you can do a reinstall. This will not remove any of your files or pictures etc... it just reinstall windows onto your Drive. If you partitioned your drive it would be easier because you just have to reinstall windows on that one drive, and all your other data will be safe.

However a format will remove everything. If you need help reinstall or formating please start another topic in the XP forum as this forum is only removing malware infections. Thanks.

Hope that helps. Any other questions related to malware? If not, I will give you some prevention tips and close off this topic.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 TomDiamond

  • Topic Starter

  • Members
  • 3 posts
  • Local time:01:55 AM

Posted 21 February 2009 - 11:02 PM

Thanks again, I appreciate your assistance. I've been working with computers for a little over 25 years, pretty much know the drill by now. :thumbup2:

#6 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:55 AM

Posted 22 February 2009 - 10:26 AM


Good luck on the format/reinstall then :) Below are some prevention tips.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :thumbup2:

With Regards,

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:02:55 AM

Posted 22 February 2009 - 10:30 AM


Since the problem appears to be resolved, this topic is now Closed
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users