rsonnie Posted January 3, 2009 ID:44349

Hi guys. Great product. It removed the remnants of the Vundo virus that NAV 2008 didn't touch. I can now access the internet sites like yours again. Yeah! I did get a false positive for a bunch of seneka Trojan.Agent files. I did the first scan using the downloaded software. Here's the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

1/2/2009 9:57:02 PM
mbam-log-2009-01-02 (21-57-02).txt

Scan type: Quick Scan
Objects scanned: 92249
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 36
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\gnucdna.core (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{272c0d60-0561-4c83-b3db-eb0a71f9d2eb} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{284477e4-a7cb-4055-9e1b-0ea7cba28945} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{70ca4938-6a0f-4641-a9a9-c936e4c1e7de} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7468213e-010e-4ec6-a17d-642e909ba7ec} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{89dc33a2-f86f-42a1-8b5f-d4d1943efc9c} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b86f4810-19a9-4050-9ac9-b5cf60b5799a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bb5b7e14-f8b4-4365-a24d-f4965c33e1ee} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c13d4627-02f5-4b03-897a-bf6a90022dd2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c636f1fc-6ae4-4e6a-90ab-6d61d821a0dd} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cb971ac0-6408-40da-a540-92f9f256f51f} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d5694dfe-43b6-4e05-aa29-8c556c968973} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e2032ec2-a9ac-4ed7-9bdb-ebecacf076f2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ebab4a71-8c34-461a-b57d-dd041d439555} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f06fea43-0cc3-4bf6-a85b-5efb1c07aa4b} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc94a0f7-9c7c-4ae2-9106-5c212332b209} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f02c0ae1-d796-42c9-81e1-084d88f79b8e} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{2850bdc7-2330-4e31-9fa0-88268846539a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\efccuvne -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\efcCuVNe.dllDEL (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eNVuCcfe.ini2del (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eNVuCcfe.inidel (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekabompxkru.dll (Trojan.Seneka) -> Delete on reboot.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\rsonnie\GoToAssist_phone__268_en.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\rsonnie\GoToAssist_phone__317_en.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.

I then rebooted and updated the product and ran it again. Here's log #2:

Malwarebytes' Anti-Malware 1.31
Database version: 1599
Windows 5.1.2600 Service Pack 2

1/2/2009 10:16:15 PM
mbam-log-2009-01-02 (22-16-15).txt

Scan type: Quick Scan
Objects scanned: 96478
Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\senekameflhymi.dll (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\system32\senekasplwsfvx.dll (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\system32\drivers\senekajkomudev.sys (Trojan.Agent) -> Not selected for removal.

All the 'seneka*' files in the files section aren't actually there on the disk. The first scan found some files, but they didn't show up on the disk either. I included a screenshot of the directory. I tried to save this screenshot as seneka.jpg, but guess what! It doesn't show up either! Maybe there's still something suppressing the display of these. I think I'll run it again and have it quarantine those files anyway. Hope this helps!
rsonnie (Author) Posted January 3, 2009 ID:44352

Oops. Just saw the sticky. I'll run this again with mbam.exe /developer
rsonnie (Author) Posted January 3, 2009 ID:44361

Here's the other log. This may not be a FP, because after I let these files get cleared out, I can see the 'seneka.jpg' screenshot I saved earlier. There must still be some registry entries that were loading these files.

Malwarebytes' Anti-Malware 1.31
Database version: 1599
Windows 5.1.2600 Service Pack 2

1/2/2009 10:59:41 PM
mbam-log-2009-01-02 (22-59-41).txt

Scan type: Quick Scan
Objects scanned: 96679
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\senekameflhymi.dll (Trojan.Agent) -> Delete on reboot. [38575351343053838075667915347270798513013627615642473748565261849084857078201961847079707666323232323232323215697777]
C:\WINDOWS\system32\senekasplwsfvx.dll (Trojan.Agent) -> Delete on reboot. [38575351343053838075667915347270798513013627615642473748565261849084857078201961847079707666323232323232323215697777]
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully. [38575351343053838075667915347270798513013627615642473748565261849084857078201961847079707666697115696685]
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully. [3857535134305383807566791534727079851301362761564247374856526184908485707820196184707970766615696685]
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully. [3857535134305383807566791534727079851301362761564247374856526184908485707820196184707970766677807215696685]
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully. [3857535134305383807566791534727079851301362761564247374856526184908485707820196137837487708384618470797076661584908411]
C:\WINDOWS\system32\drivers\senekajkomudev.sys (Trojan.Agent) -> Quarantined and deleted successfully. [385753513430538380756679153472707985130136276156424737485652618490848570782019613783748770838461847079707666323232323232323215849084]

Let me know if you need anything to investigate this.
nosirrah Posted January 3, 2009 ID:44367

You can't see them because they are cloaked by rootkit malware technology. You have a serious and very real infection.
nosirrah Posted January 3, 2009 ID:44374

C:\WINDOWS\system32\drivers\senekajkomudev.sys (Trojan.Agent) -> Not selected for removal.

This one right here is the core of the problem. If you let MBAM destroy this, you will be able to see the rest of the files on reboot.
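Added example, not from this thread and not Malwarebytes' own code: a Python parser for the MBAM log layout posted above, together with the two checks a responder wants when reading such a log, namely which findings the run did not actually remove ("Not selected for removal", "Delete on reboot") and which detected files the ordinary filesystem API cannot see, which is the situation rsonnie describes and nosirrah attributes to rootkit cloaking. The sample log is constructed from entries that appear in the posts above, with the declared counts adjusted to the trimmed list; the `exists` parameter of `file_visibility` is an assumption added so the visibility check can be exercised against a stub off the infected machine.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in the layout of the MBAM 1.31 logs posted in this thread
# (entries copied from those posts, counts adjusted to match the trimmed list).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1599

Scan type: Quick Scan
Objects scanned: 96478

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\efccuvne -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\senekameflhymi.dll (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully. [3857535134305383807566791534727079851301362761564247374856526184908485707820196184707970766615696685]
"""

META_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<object> (<family>) -> <action>." plus the optional "[digits]" blob that the
# /developer switch mentioned in the thread appends to each finding.
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> ([^\[]+?)\.?(?: \[([^\]]+)\])?\s*$")
REMOVED = "Quarantined and deleted successfully"


@dataclass
class Finding:
    section: str
    item: str
    family: str
    action: str
    data: Optional[str] = None      # value payload, "Registry Data Items" only
    devdata: Optional[str] = None   # bracketed /developer blob, if present


@dataclass
class MbamLog:
    meta: Dict[str, str] = field(default_factory=dict)
    counts: Dict[str, int] = field(default_factory=dict)
    sections: Dict[str, List[Finding]] = field(default_factory=dict)


def parse_mbam_log(text: str) -> MbamLog:
    """Split the flat log into header fields, declared counts and per-section findings."""
    log, current = MbamLog(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if m := META_RE.match(line):
            log.meta[m.group(1)] = m.group(2)
        elif m := COUNT_RE.match(line):
            log.counts[m.group(1)] = int(m.group(2))
        elif m := HEADER_RE.match(line):
            current = m.group(1)
            log.sections.setdefault(current, [])
        elif current and (m := ITEM_RE.match(line)):
            item, family, action, devdata = m.groups()
            data = None
            if action.startswith("Data: "):   # "Data: <value> -> <action>"
                data, _, action = action[len("Data: "):].partition(" -> ")
            log.sections[current].append(Finding(current, item, family, action, data, devdata))
    return log


def count_mismatches(log: MbamLog) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from the entries listed
    (a truncated paste, or a log stitched together from two runs)."""
    return {name: (n, len(log.sections.get(name, [])))
            for name, n in log.counts.items() if n != len(log.sections.get(name, []))}


def unresolved(log: MbamLog) -> List[Finding]:
    """Findings the run did not remove: unchecked by the user or deferred to reboot."""
    return [f for fs in log.sections.values() for f in fs if f.action != REMOVED]


def file_visibility(log: MbamLog, exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, bool]]:
    """Pair each detected file with whether the normal filesystem API can see it.
    Detected but invisible is the pattern in this thread: the object is there and
    something is hiding it from directory listings, so it is not a false positive."""
    return [(f.item, bool(exists(f.item))) for f in log.sections.get("Files Infected", [])]


if __name__ == "__main__":
    log = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(log))
    print("unresolved:", [(f.item, f.action) for f in unresolved(log)])
    print("visibility:", file_visibility(log))
```

Run on the affected Windows host, `file_visibility()` pairs each detected path with `os.path.exists()`; a path that reports False while the scanner keeps finding it on every run is evidence of hiding rather than of a false positive, and the right response is what nosirrah advises, letting the scanner remove the driver and re-scanning after the reboot. On any other machine the paths are simply absent, which is why the existence check is a parameter.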
AdvancedSetup (Root Admin) Posted January 3, 2009 ID:44399

STEP01
Malwarebytes' Anti-Malware

Start Malwarebytes' Anti-Malware.
Update Malwarebytes' Anti-Malware:
1. Select the Update tab.
2. Click Update.
3. When the update is complete, select the Scanner tab.
4. Select Perform quick scan, then click Scan.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Be sure that everything is checked, and click Remove Selected.
7. When completed, a log will open in Notepad. Please copy and paste the log into your next reply.

If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

STEP02
Update TrendMicro
SwingBlade Posted January 3, 2009 ID:44460

Seneka keeps popping up in my MBAM scans. Here are my logs from a moment ago.

Malwarebytes' Anti-Malware 1.31
Database version: 1555
Windows 5.1.2600 Service Pack 2

1/3/2009 11:29:57 AM
mbam-log-2009-01-03 (11-29-57).txt

Scan type: Quick Scan
Objects scanned: 59478
Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:23 AM, on 1/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinGrab1.50\WinGrab.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\n52te\n52teHid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\program files\steam\steam.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\SwingBlade\Desktop\G15 Mods\SirReal\LCDSirReal.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\FRAPS\FRAPS.EXE
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PC Magazine Utilities\RoboType\RoboType.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinGrab1.50.09] "C:\Program Files\WinGrab1.50\WinGrab.exe" -Key "Default"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Jomantha] C:\Program Files\n52te\n52teHid.exe
O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Startup: RoboType auto-start.lnk = C:\Documents and Settings\SwingBlade\My Documents\Updated.rtl
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{480BA504-73F4-42F6-A96A-E210DE1B35A1}: NameServer = 10.250.1.32,10.249.1.30
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll ernxyk.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Instinct Drivers Auto Removal (pr2ae5eb) (pr2ae5eb) - Noviy Disk - C:\WINDOWS\system32\pr2ae5eb.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 10169 bytes
AdvancedSetup (Root Admin) Posted January 3, 2009 ID:44504

Hello SwingBlade and Welcome to Malwarebytes.

Please post your logs in the HJT forum and someone will assist you with cleaning your system.
afroman102 Posted January 6, 2009 ID:45373

Hi All,

I am having the same problem and I did what AdvancedSetup suggested. I scanned my system using Malwarebytes and removed the malware it found. If you can take a look and let me know if I have anything more that I need to do.

Thank you,
Afroman

Malwarebytes' Anti-Malware 1.32
Database version: 1624
Windows 5.1.2600 Service Pack 2

06/01/2009 9:29:11 AM
mbam-log-2009-01-06 (09-29-11).txt

Scan type: Quick Scan
Objects scanned: 63376
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\t850600\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekapxylqeay.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaunspvjxh.sys (Trojan.Agent) -> Quarantined and deleted successfully.
AdvancedSetup (Root Admin) Posted January 6, 2009 ID:45438

Hello afroman102 and Welcome to Malwarebytes.org

Please read and follow the instructions provided here: Pre-HJT Post Instructions

When ready please post your logs here: Malware Removal - HijackThis Logs

Someone will be happy to assist you further with cleaning your system.

During this scan and cleanup process you should not install any other software unless requested to do so.