Infected with ?Gootkit/Seneka


2 replies to this topic

#1 petethepotato

petethepotato

  • Members
  • 1 posts

Posted 07 April 2010 - 05:36 PM

I have recently experienced the following symptoms on my PC:

- Intermittent internet connection
- IE dialogue box reporting no connection appears frequently and without user stimulus
- Sites relating to computer security blocked
- Anti-malware and anti-virus software updates blocked
- Google Chrome does not load any page
- Significant slowing of PC
- Mystery icons appearing on desktop and elsewhere
- Pop-ups purporting to be windows security utils, finding hazards in 'scans' and asking for the full version to be bought*
- Entries 'User Protection' and similar appearing in Program Files*

* These problems seem to have stopped after quarantining several entries with Security Task Manager.

I have scanned with MBAM, and Spybot S&D, which consistently find infected files but cannot clean them, and Bitdefender AV 10 and Lavasoft, which find nothing. Common entries involve 'Gootkit' or 'Seneka'.

I succeeded in updating MBAM via Safe Mode with Networking, but cannot update Bitdefender.

Attempting to scan with GMER results in a stop error (0x000000f4 0x00000003 0x8a3d0da0 0x8a3d0f14 0x805d1206)

Thank you very much for your time and advice in attending to this problem.

DDS results attached.

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 22:35:20.92 on 07/04/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
AV: BitDefender Antivirus Plus v10 *On-access scanning enabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Antivirus Plus v10 *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============


============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [FlashMute] c:\program files\flashmute\FlashMute.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [BDMCon] "c:\program files\bitdefender10\bdmcon.exe" /reg
mRun: [BDAgent] "c:\program files\bitdefender10\bdagent.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [uxvefl] RUNDLL32.EXE c:\windows\system32\mssapsmr.dll,w
mRun: [fzwkht] RUNDLL32.EXE c:\windows\system32\msuqddft.dll,w
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\user\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek rtl8185 wireless lan driver and utility\RtWLan.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: sockspy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\xhtyf95x.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/|http://www.google.com/calendar/|http://news.bbc.co.uk/|http://spudmania.myminicity.com/env/|http://en-gb.facebook.com/|http://www.kingdomofloathing.com/login.php?loginid=47696ca5f2f84002b0146c0418c900d7|http://www.forumwarz.com/characters/me/|http://library.ox.ac.uk/|http://www.straightdope.com/|http://www.google.com/reader/
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32a.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-04-07 21:33:59 0 ----a-w- c:\documents and settings\user\defogger_reenable
2010-04-07 21:04:19 54016 ----a-w- c:\windows\system32\drivers\vwaat.sys
2010-04-07 20:44:10 42496 ------w- c:\windows\system32\msxsltsso.dll
2010-04-07 20:29:26 168786 ----a-w- c:\windows\system32\1803552.exe
2010-04-07 18:28:30 120 ----a-w- c:\documents and settings\user\1602593.BAT
2010-04-07 18:28:27 36865 ----a-w- c:\windows\system32\msuqddft.dll
2010-04-07 18:28:24 168786 ----a-w- c:\windows\system32\4904596.exe
2010-04-06 18:36:30 0 d-----w- c:\program files\SpywareGuard
2010-04-06 17:57:41 238920 ----a-w- c:\windows\system32\3176063.exe
2010-04-06 17:57:36 120 ----a-w- c:\documents and settings\user\1648265.BAT
2010-04-06 17:57:33 36865 ----a-w- c:\windows\system32\mssapsmr.dll
2010-04-06 17:57:29 167554 ----a-w- c:\windows\system32\1266443.exe
2010-04-06 15:11:31 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-04-06 15:11:24 0 d-----w- c:\program files\Security Task Manager
2010-04-06 11:33:29 238920 ----a-w- c:\windows\system32\4384226.exe
2010-04-06 11:32:11 169289 ----a-w- c:\windows\system32\7038385.exe
2010-04-06 11:28:54 81984 ----a-w- c:\windows\system32\bdod.bin
2010-04-06 11:27:40 0 d-----w- c:\docume~1\user\applic~1\Bitdefender
2010-04-06 11:25:59 0 d-----w- c:\program files\BitDefender10
2010-04-06 11:25:59 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-04-06 11:25:04 0 d-----w- c:\program files\common files\Softwin
2010-04-06 11:23:03 169289 ----a-w- c:\windows\system32\7018549.exe
2010-03-31 20:57:24 238920 ----a-w- c:\windows\system32\5704417.exe
2010-03-31 20:57:15 168786 ----a-w- c:\windows\system32\3440058.exe
2010-03-31 20:53:59 238920 ----a-w- c:\windows\system32\1429057.exe
2010-03-31 20:53:52 168786 ----a-w- c:\windows\system32\1541712.exe
2010-03-31 20:50:48 238920 ----a-w- c:\windows\system32\556559.exe
2010-03-31 20:50:41 168786 ----a-w- c:\windows\system32\3156397.exe
2010-03-31 20:46:10 168786 ----a-w- c:\windows\system32\134823.exe
2010-03-31 20:24:54 238920 ----a-w- c:\windows\system32\2057594.exe
2010-03-31 20:24:32 168786 ----a-w- c:\windows\system32\7634088.exe
2010-03-31 19:01:39 238920 ----a-w- c:\windows\system32\290565.exe
2010-03-31 19:01:14 168786 ----a-w- c:\windows\system32\7621576.exe
2010-03-31 16:11:27 238920 ----a-w- c:\windows\system32\8525614.exe
2010-03-31 16:11:20 168786 ----a-w- c:\windows\system32\6914919.exe
2010-03-31 14:49:34 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-03-31 14:49:10 124 ----a-w- c:\documents and settings\user\8.tmp
2010-03-31 14:49:06 169477 ----a-w- c:\windows\system32\9870547.exe
2010-03-31 14:44:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-31 14:44:37 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-31 14:44:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-31 14:44:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-31 14:42:21 0 d-----w- C:\gmer
2010-03-31 14:07:04 124 ----a-w- c:\windows\system32\8.tmp
2010-03-31 14:07:00 238920 ----a-w- c:\windows\system32\5337595.exe
2010-03-31 14:06:54 169675 ----a-w- c:\windows\system32\7072085.exe
2010-03-31 13:17:28 112 ----a-w- c:\docume~1\alluse~1\applic~1\L1u2B487h.dat
2010-03-31 13:17:26 4736 ----a-w- c:\windows\system32\o.sys
2010-03-31 13:07:27 238920 ----a-w- c:\windows\system32\9770273.exe
2010-03-31 13:07:23 36865 ----a-w- c:\windows\system32\msyblkya.dll
2010-03-31 13:07:08 124 ----a-w- c:\documents and settings\user\C.tmp
2010-03-31 13:07:07 169675 ----a-w- c:\windows\system32\8247797.exe
2010-03-31 01:30:36 210 ----a-w- c:\windows\wininit.ini
2010-03-31 01:08:05 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-31 01:06:29 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-31 01:06:17 0 d-----w- c:\program files\Lavasoft
2010-03-31 01:04:41 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-31 01:04:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-31 00:57:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 00:49:25 130 ----a-w- c:\windows\win.ini
2010-03-31 00:49:25 0 ----a-w- c:\windows\system.ini
2010-03-31 00:48:28 238920 ----a-w- c:\windows\system32\3644328.exe
2010-03-31 00:47:15 1 ----a-w- c:\windows\system32\7.tmp
2010-03-31 00:47:14 109056 ----a-w- c:\windows\system32\6.tmp
2010-03-31 00:47:13 88 ----a-w- c:\windows\system32\5.tmp
2010-03-31 00:44:57 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-31 00:26:22 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-31 00:16:44 1 ----a-w- c:\windows\system32\14.tmp
2010-03-31 00:16:43 109056 ----a-w- c:\windows\system32\13.tmp
2010-03-31 00:16:35 88 ----a-w- c:\windows\system32\12.tmp
2010-03-31 00:16:35 44032 ---ha-w- c:\windows\system32\cmdabel.dll
2010-03-31 00:12:56 0 d-----w- c:\windows\system32\GroupPolicy
2010-03-31 00:12:55 238920 ----a-w- c:\windows\system32\8326792.exe
2010-03-31 00:12:48 36865 ----a-w- c:\windows\system32\msbyylfy.dll
2010-03-31 00:11:51 1176 ----a-w- c:\docume~1\alluse~1\applic~1\_VOIDmfeklnmal.dll
2010-03-31 00:11:50 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2010-03-31 00:11:49 1 ----a-w- c:\windows\system32\E9.tmp
2010-03-31 00:11:48 88 ----a-w- c:\windows\system32\E7.tmp
2010-03-31 00:11:48 109056 ----a-w- c:\windows\system32\E8.tmp
2010-03-31 00:11:20 65024 ----a-w- c:\windows\system32\bb52fkri.few
2010-03-31 00:11:20 32768 ----a-w- c:\windows\system32\23rh46g.4e
2010-03-31 00:05:56 1 ----a-w- c:\documents and settings\user\D5.tmp
2010-03-31 00:05:50 109056 ----a-w- c:\documents and settings\user\D4.tmp
2010-03-31 00:05:44 88 ----a-w- c:\documents and settings\user\D3.tmp
2010-03-31 00:04:49 44032 ---ha-w- c:\windows\system32\cmdlghts(2).dll
2010-03-31 00:04:47 16 ----a-w- c:\docume~1\user\applic~1\zcbmvn.dat
2010-03-28 20:26:25 0 d-----w- c:\program files\Prime Minister Forever - British Version Demo
2010-03-26 17:31:20 8949 ----a-w- C:\dewplayer.swf
2010-03-26 17:22:53 8343 ----a-w- C:\dewplayer-mini.swf

==================== Find3M ====================

2010-03-31 13:07:45 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-03-31 00:11:50 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2010-03-31 00:11:17 577536 ----a-w- c:\windows\system32\user32.DLL
2010-02-28 20:35:45 103509 ----a-w- c:\windows\hpoins04.dat
2010-02-28 19:37:37 43488 ----a-w- c:\windows\system32\drivers\AFS2K.SYS
2010-02-12 10:03:03 317952 ------w- c:\windows\system32\browserchoice.exe
2009-11-12 00:52:30 604 ---ha-w- c:\program files\STLL Notifier

============= FINISH: 22:36:00.06 ===============
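As an added triage example (not part of the original thread or of DDS itself), the script below applies a few heuristics to DDS log lines of the kind shown above, run over a constructed sample copied from this log plus one benign control line. What it flags (rundll32 autoruns with random-looking key names and one-letter exports, a populated AppInit_DLLs value, numeric-named executables dropped into system32 or the profile, a system driver with a .ORIGINAL backup written alongside it) are indicators to verify against known-good copies, not verdicts; the thresholds in the regexes are assumptions.

```python
import re

# Constructed sample: lines copied from the DDS log above plus one benign
# control line (browserchoice.exe) so the heuristics can be exercised offline.
SAMPLE_DDS = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [uxvefl] RUNDLL32.EXE c:\windows\system32\mssapsmr.dll,w
mRun: [fzwkht] RUNDLL32.EXE c:\windows\system32\msuqddft.dll,w
AppInit_DLLs: sockspy.dll
2010-04-07 20:29:26 168786 ----a-w- c:\windows\system32\1803552.exe
2010-04-07 18:28:30 120 ----a-w- c:\documents and settings\user\1602593.BAT
2010-03-31 00:11:50 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2010-02-12 10:03:03 317952 ------w- c:\windows\system32\browserchoice.exe
""".strip()

# uRun/mRun entries that launch a DLL through rundll32 (HKCU/HKLM Run keys).
RUN_RE = re.compile(r"^[um]Run: \[(?P<key>[^\]]+)\] RUNDLL32\.EXE (?P<dll>\S+),(?P<export>\S+)$", re.I)
# "Created Last 30" lines: timestamp, size, attribute flags, path.
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<size>\d+) \S+ (?P<path>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>\S.*)$")

def triage(log: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for DDS lines that match a heuristic.
    Thresholds (1-2 char export, 5-8 lowercase-letter key name) are assumptions
    chosen to fit the entries seen in this thread's log, not a general rule."""
    hits: list[tuple[str, str]] = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m:
            if len(m["export"]) <= 2 or re.fullmatch(r"[a-z]{5,8}", m["key"]):
                hits.append(("rundll32 autorun with random-looking key/export", line))
            continue
        m = APPINIT_RE.match(line)
        if m:  # AppInit_DLLs loads the listed DLLs into every user32 process
            hits.append(("AppInit_DLLs populated", line))
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m["path"].lower()
            name = path.rsplit("\\", 1)[-1]
            if re.fullmatch(r"\d+\.(exe|bat)", name):
                hits.append(("numeric-named executable dropped", line))
            elif path.endswith(".sys.original"):
                hits.append(("system driver replaced, backup kept", line))
    return hits

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_DDS):
        print(f"{reason:48} {line}")
```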

#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 10 April 2010 - 11:50 AM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since
resolved your issues I would appreciate it if you would let me know so I can close this topic.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)



Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run then copy and paste the following line into the run box
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you receive a Security Warning
  • The process is automatic; a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log in your next reply.


Then please post back here with the following:
  • log.txt
  • info.txt
  • mbr.log
Thanks

Edited by syler, 10 April 2010 - 11:52 AM.



#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 15 April 2010 - 05:55 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
