Infected with possible trojan/malware


This topic is locked. 4 replies to this topic.

#1 shazzzam (Members, 2 posts)

Posted 23 February 2009 - 12:27 AM

OK, to start, I have recently been experiencing several different types of problems, and as soon as one is solved another totally different issue arises. I started getting pop-ups and Antivirus2009, StopZilla, pop-up virus scanners; in addition, every time I use a search engine like Google I am redirected to another site (example: blackberry.com, toseeka and others). It has also taken the ability to use System Restore and has also erased all my restore points. It has made operation of my computer extremely slow at times. I usually can solve ad/spy/malware problems by running Spybot, Ad-Aware and Malwarebytes (which are all up to date). My newest problem is that when I start my computer there is no sound, and now my Windows theme is changed to Classic without the ability to change it back. So I attempted to run these programs in Safe Mode, and I always end up coming up with results that indicate I have a trojan/malware. The problem is I delete it and it just happens all over again, like I just suppressed it temporarily. Anyway, as instructed, I have posted the logs below, in addition to the most recent log indicating the name of the alleged infections. FYI, I use PC Tools AntiVirus and Firewall along with the ThreatFire service. It is a Dell 8400, 3.0GHz, 1.5GB RAM, PCI Express NVIDIA 6600; any other info you need, just let me know. Thank you in advance for your help with this very frustrating issue!!



DDS (Ver_09-02-01.01) - NTFSx86
Run by aLfiZZle at 23:49:52.06 on 2009-02-22
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [reader_s] c:\documents and settings\alfizzle\reader_s.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [RegistryMechanic]
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [reader_s] c:\documents and settings\alfizzle\reader_s.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - blank
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187762524859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alfizzle\applic~1\mozilla\firefox\profiles\qdlgc3n9.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\documents and settings\alfizzle\application data\mozilla\firefox\profiles\qdlgc3n9.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-02-22 23:17 <DIR> --d----- c:\program files\Trend Micro
2009-02-22 23:16 1,688 a------- c:\windows\system32\15.tmp
2009-02-22 12:23 1,688 a------- c:\windows\system32\17.tmp
2009-02-22 11:16 1,688 a------- c:\windows\system32\16.tmp
2009-02-22 04:08 0 a------- c:\windows\system32\25.tmp
2009-02-22 04:08 168 a------- c:\windows\system32\14.tmp
2009-02-22 03:14 1,688 a------- c:\windows\system32\13.tmp
2009-02-22 02:50 128 a------- c:\windows\adobe.bat
2009-02-22 02:50 43,009 a------- c:\windows\services.exe
2009-02-22 02:50 67,585 a------- c:\windows\system32\23.tmp
2009-02-22 02:50 25,601 a------- c:\windows\system32\22.tmp
2009-02-22 02:50 168 a------- c:\windows\system32\21.tmp
2009-02-21 12:43 1,687 a------- c:\windows\system32\C.tmp
2009-02-21 12:13 0 a------- c:\windows\system32\HìÏ­
2009-02-21 11:23 <DIR> a-dshr-- C:\cmdcons
2009-02-21 11:23 67,585 a------- c:\windows\system32\1F.tmp
2009-02-21 11:23 25,601 a------- c:\windows\system32\1B.tmp
2009-02-21 11:23 168 a------- c:\windows\system32\1A.tmp
2009-02-21 11:20 179,200 a------- c:\windows\SWREG.exe
2009-02-21 11:20 116,224 a------- c:\windows\sed.exe
2009-02-21 11:19 <DIR> --d----- C:\ComboFix
2009-02-21 11:19 406,016 a------- c:\windows\system32\CF10662.exe
2009-02-21 11:10 1,687 a------- c:\windows\system32\B.tmp
2009-02-21 11:05 37,376 a------- c:\windows\system32\20.tmp
2009-02-21 11:05 67,585 a------- c:\windows\system32\1E.tmp
2009-02-21 11:05 64,000 a------- c:\windows\system32\i386kd.exe
2009-02-21 11:05 24,577 a------- c:\windows\system32\1D.tmp
2009-02-21 11:05 168 a------- c:\windows\system32\1C.tmp
2009-02-21 10:20 64,000 a------- c:\windows\system32\makehm.exe
2009-02-21 10:20 168 a------- c:\windows\system32\2.tmp
2009-02-21 10:13 118 a------- c:\windows\system32\MRT.INI
2009-02-20 19:37 1,688 a------- c:\windows\system32\12.tmp
2009-02-20 17:40 51,472 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-02-20 17:40 39,184 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-02-20 17:40 33,040 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-02-20 17:40 12,560 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-02-20 17:38 8,704 a------- c:\windows\system32\sporder.dll
2009-02-20 16:18 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-02-20 16:18 616 a------- c:\windows\system32\37D.tmp
2009-02-20 16:17 37,888 -------- c:\windows\system32\37C.tmp
2009-02-20 16:17 2,560 a------- c:\windows\system32\37B.tmp
2009-02-20 16:17 88,065 a------- c:\windows\system32\377.tmp
2009-02-20 16:17 24,577 a------- c:\windows\system32\376.tmp
2009-02-20 16:17 208 a------- c:\windows\system32\371.tmp
2009-02-20 16:07 1,180 a------- c:\windows\vlelzifu
2009-02-20 15:16 96 a------- c:\windows\system32\private.inf
2009-02-16 13:49 2,204 a------- c:\windows\rrelvelw
2009-02-14 17:19 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
2009-02-14 17:19 <DIR> --d----- c:\program files\SpywareBlaster
2009-02-14 00:19 4,608 a--sh--- c:\windows\system32\Thumbs.db
2009-02-13 11:08 1,104 a------- c:\windows\lvizxysq
2009-02-10 15:12 <DIR> --d----- c:\documents and settings\alfizzle\Tracing
2009-02-10 15:10 <DIR> --d----- c:\program files\Microsoft
2009-02-10 15:10 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-02-10 15:08 208,744 a------- c:\windows\system32\muweb.dll
2009-02-10 15:08 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-02-10 15:08 268,648 a------- c:\windows\system32\mucltui.dll
2009-02-10 15:00 <DIR> --d----- c:\program files\common files\Windows Live
2009-02-09 13:33 <DIR> --d----- c:\windows\system32\Adobe
2009-02-09 10:32 28,568 a------- c:\windows\system32\drivers\AVHook.sys
2009-02-09 10:32 21,912 a------- c:\windows\system32\drivers\AVRec.sys
2009-02-09 10:32 21,904 a------- c:\windows\system32\drivers\AVFilter.sys
2009-02-09 10:31 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-02-09 10:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools

==================== Find3M ====================

2009-02-22 23:29 81,920 a------- c:\windows\system32\Dversion.dll
2009-02-22 23:29 122,880 a------- c:\windows\system32\DVC.dll
2009-02-22 23:29 45,056 a------- c:\windows\system32\Fsinst32.dll
2009-02-22 23:29 5,120 a------- c:\windows\system32\Fsinst16.DLL
2009-02-20 16:18 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-22 20:18 42,320 a------- c:\windows\system32\xfcodec.dll
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-03-18 13:40 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-02-21 13:06 245,376 -------- c:\windows\inf\rt2500usb.sys
2002-06-04 02:06 88,048 -------- c:\windows\inf\copyinf.exe

============= FINISH: 23:51:26.40 ===============




Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 2

2/21/2009 9:55:07 AM
mbam-log-2009-02-21 (09-55-07).txt

Scan type: Quick Scan
Objects scanned: 70437
Time elapsed: 11 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekabaijxufo.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaeyputoqo.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\restore.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
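An added triage script (not part of this thread, of DDS or of Malwarebytes) that reads the kinds of lines in the DDS log above and flags the entries a helper would look at first: autoruns launched from a user profile, a core system binary name sitting in the Windows root instead of system32, and extensionless random-looking files in the Windows root. The sample lines are excerpted from the log posted above; the rules are this example's own heuristics.

```python
import re

# Sample lines excerpted from the DDS log posted above (Run entries and the
# "Created Last 30" section). The triage rules are this example's own
# heuristics, not part of DDS, Malwarebytes or the helper's analysis.
SAMPLE_LOG = r"""
uRun: [reader_s] c:\documents and settings\alfizzle\reader_s.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
dRun: [reader_s] c:\documents and settings\alfizzle\reader_s.exe
2009-02-22 02:50 43,009 a------- c:\windows\services.exe
2009-02-22 02:50 128 a------- c:\windows\adobe.bat
2009-02-20 16:07 1,180 a------- c:\windows\vlelzifu
2009-02-20 17:40 51,472 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-02-14 17:19 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
"""

RUN_RE = re.compile(r"^[umd]Run: \[[^\]]*\]\s*(?P<cmd>.*)$", re.I)
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+)$")
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|bat|scr|com)', re.I)
PROFILE_ROOT = "c:\\documents and settings\\"
WINDOWS_ROOT = "c:\\windows\\"
# Core binaries that belong in system32; a same-named file in the Windows root is a classic masquerade.
CORE_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def in_windows_root(path):
    """True for files directly under the Windows folder, not in a subfolder."""
    return path.startswith(WINDOWS_ROOT) and "\\" not in path[len(WINDOWS_ROOT):]

def triage(log_text):
    """Return (path, reason) pairs for log lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            p = PATH_RE.search(m.group("cmd"))
            if p and p.group(0).lower().startswith(PROFILE_ROOT):
                findings.append((p.group(0).lower(), "autorun launched from a user profile"))
            continue
        m = CREATED_RE.match(line)
        if not m:
            continue
        path = m.group("path").strip().lower()
        name = path.rsplit("\\", 1)[-1]
        if in_windows_root(path) and name in CORE_NAMES:
            findings.append((path, "core system binary name outside system32"))
        elif in_windows_root(path) and "." not in name and name.isalpha():
            findings.append((path, "extensionless random-looking file in Windows root"))
    return findings
```

Entries from the vendor program folders (NVIDIA, PC Tools, ThreatFire) pass through untouched, so the output is the short list a human then verifies by hand.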


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 23 February 2009 - 06:06 AM

Hi,

I have bad news for you :thumbup2:

I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost case - a game over situation - and a format and reinstall is the fastest and especially the safest solution.

You may want to read here why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 shazzzam (Topic Starter, Members, 2 posts)

Posted 24 February 2009 - 07:51 PM

OK, thanks for taking the time to check this out for me. I will take your advice and back up while I can. Thanks again!

#4 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 24 February 2009 - 08:05 PM

Success. :thumbup2:

For future reference, to make sure this won't happen again, please read my Prevention page with lots of info and tips on how to prevent this in the future.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#5 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 01 March 2009 - 12:47 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.