Malware, lots of it, Infected !


19 replies to this topic

#1 Substance


Posted 31 March 2009 - 02:55 AM

Hi, first post.

I believe my PC is infected with Malware in the Windows/system32 folder. I have had it about a week now and I'm just getting more of it. I have been getting the blue screen of death a lot. I have MBAM, Stopzilla, AVG and Hijack this at my disposal.

I've googled around and found many people in the same situation, I just need more specific help.

Thanks for any advice.

Here's the MBAM log


---------------------------------------------------

Malwarebytes' Anti-Malware 1.35
Database version: 1920
Windows 5.1.2600 Service Pack 2

3/31/2009 8:52:16 AM
mbam-log-2009-03-31 (08-52-13).txt

Scan type: Quick Scan
Objects scanned: 148458
Time elapsed: 22 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.
C:\WINDOWS\system32\k86.bin (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekalyorumxa.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekatymxfaoy.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekaxvkltoqx.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekaovbuwsfh.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekapdujnome.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekapxwnkxtx.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekaqjoepphe.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekasqjkdbit.dat (Trojan.Agent) -> No action taken.



#2 Substance


Posted 31 March 2009 - 10:08 AM

Sorry guys, had to bump. This thread is almost on page 3 and I only posted it 4 hours ago!

#3 DaChew


Posted 31 March 2009 - 10:36 AM

Make sure you let it remove what it can, reboot and run another scan. We'll see what we can do in this forum. What OS disks do you have for that computer?

Yes this is very serious!
Chewy

No. Try not. Do... or do not. There is no try.

#4 Substance


Posted 31 March 2009 - 11:02 AM

Yeah, I've basically been running AVG, MBAM, etc. It's basically not doing much, mind, as they cannot delete it for me; I think I need to do it manually.

I have Windows Media Centre 2005.

#5 DaChew


Posted 31 March 2009 - 11:12 AM

I have Windows Media Centre 2005.


Do you have a Microsoft CD?

Post that last log I asked for from MBAM after rebooting.
Chewy

No. Try not. Do... or do not. There is no try.

#6 Substance


Posted 31 March 2009 - 11:46 AM

No, I forgot to say, quite unbelievably the OS disc has gone missing. I will have another good look around; I never lose my discs normally.

Here's the log, just completed.

Malwarebytes' Anti-Malware 1.35
Database version: 1920
Windows 5.1.2600 Service Pack 2

3/31/2009 5:42:34 PM
mbam-log-2009-03-31 (17-42-32).txt

Scan type: Quick Scan
Objects scanned: 148581
Time elapsed: 21 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\k86.bin (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekaovbuwsfh.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekapdujnome.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekapxwnkxtx.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekaqjoepphe.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekasqjkdbit.dat (Trojan.Agent) -> No action taken.
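
A small triage helper, added here as an example; it is not code from the thread or from Malwarebytes. It parses the MBAM 1.35 log layout posted above into (section, item, family, data, action) records, pulls out the Rootkit.* hits behind DaChew's advice to treat the machine as backdoored, flags the Winlogon\Userinit entry (quarantining userinit.exe without restoring a clean copy leaves XP unable to finish logging on), and diffs two scans to show what survived the removal pass and reboot. The excerpts are constructed from the two logs in this thread; the function names are assumptions of this example.

```python
import re
from collections import namedtuple

# Constructed excerpts in the MBAM 1.35 log layout, copied from the two scans
# posted above (not complete logs).
SCAN_1 = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekaovbuwsfh.dat (Trojan.Agent) -> No action taken.
"""
SCAN_2 = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> No action taken.
Files Infected:
C:\WINDOWS\system32\senekaovbuwsfh.dat (Trojan.Agent) -> No action taken.
"""

Detection = namedtuple("Detection", "section item family data action")
# One detection line: <item> (<family>) -> [Data: <data> -> ]<action>
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
                   r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+)$")

def parse_mbam(text):
    """Return the Detection entries of one MBAM log, tagged with their section."""
    found, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.endswith(":"):            # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY.match(line)
        if m and section:
            found.append(Detection(section, m["item"], m["family"], m["data"], m["action"]))
    return found

def rootkit_items(found):
    """Rootkit.* detections: the reason to treat the host as backdoored."""
    return [d.item for d in found if d.family.startswith("Rootkit.")]

def logon_critical(found):
    """Entries touching Winlogon\\Userinit; quarantining userinit.exe without a clean copy breaks logon."""
    return [d.item for d in found if "userinit" in d.item.lower()]

def persisted(before, after):
    """Items still reported after the removal pass and reboot (compare two logs)."""
    return sorted({d.item for d in before} & {d.item for d in after})
```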

#7 DaChew


Posted 31 March 2009 - 03:47 PM

One or more of the identified infections is a backdoor trojan/rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

No. Try not. Do... or do not. There is no try.

#8 Substance


Posted 01 April 2009 - 04:43 AM

Wow, I didn't realize it would require that.

I just want to remove as much as I can first. Re-formatting will be tricky, especially as I can't find the OS disc, which is a stupid thing to lose.

I'm prepared for the risks of that, but as for right now I'm just ready to remove most of this, and then I can decide what to do next.

#9 DaChew


Posted 01 April 2009 - 04:57 AM

Let's try CureIt next. Your userinit is probably infected and needs to be replaced; there have been a few cases where it wasn't.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Chewy

No. Try not. Do... or do not. There is no try.

#10 Substance


Posted 01 April 2009 - 12:55 PM

OK. I ran the scan, as instructed, which took a long time. I saved the report, rebooted, but now I am unable to log in, normally or in safe mode.

As I enter my password to log into Windows it loads up slightly and then stutters slightly and then logs me out. This is often accompanied by a black screen and a checkbox simply saying 'disabled'. I've had this Disabled box before, but it never prevented me from logging in.

I need to get past this now before I can post the scan. I'm currently on another laptop in the house. I hope I don't need the OS disc as it's disappeared.

Thanks for the help so far. It wasn't too long ago I had a 3 day fight over my PC; this one will probably top that.

Edited by Substance, 01 April 2009 - 01:59 PM.


#11 Substance


Posted 01 April 2009 - 02:14 PM

Bump: I appreciate everyone's efforts so far, so I don't like to bump, but I'm so desperate at the moment. I'm just waiting for someone to tell me I'm screwed.

#12 DaChew


Posted 01 April 2009 - 04:03 PM

To repair or reload we'll need the disk.

You can recover data with a Linux boot CD if a reload is your choice.
Chewy

No. Try not. Do... or do not. There is no try.

#13 Substance


Posted 01 April 2009 - 04:24 PM

So are they my only options? I can't get the disc now, you see. I can probably get another one though, but to be clear, I'll need the OS disc to get past the next step, right?

#14 DaChew


Posted 01 April 2009 - 04:30 PM

Is your computer custom built, or factory built with the cert/numbers on a sticker?

In safe mode do you have any options for logging in to different modes?
Chewy

No. Try not. Do... or do not. There is no try.

#15 Substance


Posted 01 April 2009 - 04:33 PM

Computer was custom built by Dell.

Yeah, I have

Safe Mode with command prompt
Safe Mode with Network
Safe Mode

And a few others

Thanks for the help again

