WiredWX Hobby Weather ToolsLog in

 


Infected with Seneka virus

2 posters

descriptionInfected with Seneka virus EmptyInfected with Seneka virus

more_horiz
Well, what I *think* is the infamous seneka virus.

I'll provide a little backstory, to help everyone understand what's happening.

A few days ago, I was browsing a completely harmless website (icanhascheezburger.com, if you're curious), when suddenly I get a balloon popup stating that my Windows firewall has been turned off. Keep in mind that at this time, I have AVG 8.0 free updated and running constantly, and I run Malwarebyte's Anti-Malware every few days. My internet security settings are set to HIGH and the windows firewall is always on. Up until this point, at least. So, I thought that was weird, but I didn't waste any time with turning it back on. All seemed to be running fine for a time and that's when the troubles started.

SYMPTOMS:
- Computer restarting on it's own. When rebooted, it demands a password...we never set a password for that PC.
- Upon reboot, the start menu is gone. Disappeared. Sometimes my previous desktop image is displayed, other times it's a blank, black screen.
- Sometimes nothing at all shows up on the desktop...it's just blank, and I have to restart yet again.
- When running malwarebytes, it finds different numbers of infections after every reboot. Sometimes 43, other times only 3, 5, 7, 14, or 23. It never gets rid of them successfully.
- My husband purchased Trojan Remover 6 to help get rid of it, but even that won't help. It's like it resurfaces every time the computer is restarted.
- Trojan Remover 6 has detected something call 'seneka.sys' in the system 32 folder, but even though I click the box telling it to disable the file, upon restart it's right there again. Like a vicious circle.
- Sometimes the start menu IS there, but it's not normal looking. It reminds me of the way the Windows 98 menu looked...gray and very 2-dimensional. Can't change it.

STEPS I'VE TAKEN:
Of course, I've scoured the internet for answers but it seems to be different with every computer, and thus useless to me. I found a website listing the steps to take to get rid of the Seneka virus, but it didn't help me at all. For example, it instructed readers to open up devices (under my computer > properties > hardware), scroll down to non plug n play drivers (or whatever it's called - I'm on a different computer right now), and find the ones called seneka and a few others that I don't have listed at all. Even though I have 'show hidden drivers' checked. I'm at a complete loss.

I finally decided that I guess I need personalized help which is why I'm here. I've tried to take care of it myself, but I have virtually no knowledge of things like this and I don't want to further damage my computer by tinkering around where I don't belong.

Thanks in advance for any and all help.

And just for reference, here again are the security softwares on the infected PC that are SUPPOSED to be protecting it:

- AVG free 8.0 (updated and scans every day)
- Malwarebyte's Anti-Malware (scans system every few days)
- Trojan Remover 6, purchased (Just recently being used. Can detect hidden files and rootkits, but can't get rid of them completely.)

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Hello.
Yes, senaka is a hidden plug and play device, please do not try to stop the device on your own.
If you disable it yourself manually, then our tools will overlook and it won't appear on logs.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Here is the log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "seneka" found!
ImagePath: \systemroot\system32\drivers\senekaerrnsgsb.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Okay, lets kill the rootkit now.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
seneka

Files to delete:
C:\WINDOWS\system32\drivers\senekaerrnsgsb.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
I followed your instructions, but now nothing is happening upon reboot. My desktop is completely blank and nothing is loading. Sad tearing

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Hold ctrl + alt and hit del twice to open the Task Manager.
Under the "Applications" tab, press the "New Task..." button.

Where it says open, type in "explorer" and press okay.
Does your stuff load now?

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Yes! Thank you! Phew, I got scared for a moment. Here's the log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "seneka" deleted successfully.
File "C:\WINDOWS\system32\drivers\senekaerrnsgsb.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Okay, the rootkit gone, lets run MBAM to get rid of anything that is left behind.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

2/24/2009 1:35:35 PM
mbam-log-2009-02-24 (13-35-35).txt

Scan type: Quick Scan
Objects scanned: 53925
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\Documents and Settings\Owner\reader_s.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57acbb8c-1988-4603-8977-f10608797b98} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\utachqsd (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{57acbb8c-1988-4603-8977-f10608797b98} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\kwicgjl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\reader_s.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\services.ex_ (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Hello.
The log raises issues, but I need to confirm my suspicions.

The problem is, your machine might have Virut, a file infector which cannot be fixed. So right now, this machine has 50/50 chance of surviving. We'll see what DDS says.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Oh no...that's horrible...


DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Owner at 14:01:27.35 on Tue 02/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.115 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN6.tmp
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds(2).com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {57acbb8c-1988-4603-8977-f10608797b98} - c:\windows\system32\pejtqro.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [LxrAutorun] c:\documents and settings\owner\local settings\application data\lexar media\LxrAutorun.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [cogad] "c:\documents and settings\owner\application data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [reader_s] c:\documents and settings\owner\reader_s.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [AspireService] c:\program files\acer\acer emode management\AspireService.exe
mRun: [MediaSync] c:\program files\acer\acer econsole\MediaSync.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [services] c:\windows\services.exe
dRun: [services] c:\windows\services.exe
dRun: [reader_s] c:\windows\system32\config\systemprofile\reader_s.exe
mExplorerRun: [services] c:\windows\services.exe
dExplorerRun: [services] c:\windows\services.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
Trusted Zone: avg.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: utachqsd - pejtqro.dll
LSA: Notification Packages = scecli c:\windows\system32\jebubedu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\exyemz7m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\exyemz7m.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll

============= SERVICES / DRIVERS ===============

S0 dntku;dntku;c:\windows\system32\drivers\fsvvdn.sys --> c:\windows\system32\drivers\fsvvdn.sys [?]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2008-2-15 72672]
S2 swsboiif;Creative SoundFont Management Device Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 31744]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys --> c:\windows\system32\drivers\sbusb.sys [?]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-02-24 13:56 42,497 a------- c:\windows\services.ex_
2009-02-24 13:56 161,792 a------- c:\windows\system32\5.tmp
2009-02-24 13:56 128 a------- c:\windows\system32\2.tmp
2009-02-24 12:53 75,392 a------- c:\windows\system32\LxrSII1s.exe
2009-02-24 12:48 130 a------- c:\windows\system32\Tablet.dat
2009-02-23 21:38 59 a------- c:\windows\system32\senekatkbmimpp.dat
2009-02-23 21:36 64,512 a------- c:\windows\system32\hhupd.exe
2009-02-23 21:28 121,344 a------- c:\windows\system32\drivers\seneka.sys
2009-02-23 19:47 16,491,495 a------- c:\windows\system32\senekaxbdripfv.dat
2009-02-23 19:47 29,794 a------- c:\windows\system32\senekansvnwgre.dll
2009-02-23 19:47 27,234 a------- c:\windows\system32\senekavxtqfuxx.dll
2009-02-23 19:47 90,210 a------- c:\windows\system32\senekasducrgkb.dll
2009-02-23 19:31 29,794 a------- c:\windows\system32\senekavrabvtid.dll
2009-02-23 19:31 27,234 a------- c:\windows\system32\senekariyqxeen.dll
2009-02-23 19:31 3,329 a------- c:\windows\system32\senekacjphwtpe.dat
2009-02-23 19:31 90,210 a------- c:\windows\system32\senekavalqbuto.dll
2009-02-23 19:25 67,585 a------- c:\windows\system32\18.tmp
2009-02-23 19:20 121,344 a------- c:\windows\system32\drivers\senekabdewbspk.sys
2009-02-23 18:57 29,794 a------- c:\windows\system32\senekaecbdwfdb.dll
2009-02-23 18:57 27,234 a------- c:\windows\system32\senekadutimnlv.dll
2009-02-23 18:57 90,210 a------- c:\windows\system32\senekaemlwkfyq.dll
2009-02-23 18:47 5,419 a------- c:\windows\system32\senekajaimrmpl.dat
2009-02-23 18:42 121,344 a------- c:\windows\system32\drivers\senekabavhoscs.sys
2009-02-23 18:42 121,344 a------- c:\windows\system32\drivers\senekawxirsbfa.sys
2009-02-23 18:17 1 a------- c:\windows\system32\uniq.tll
2009-02-23 18:16 44,544 a------- c:\windows\system32\998.exe
2009-02-23 18:06 64,000 a------- c:\windows\system32\codeblocks.exe.vir
2009-02-21 21:18 64,000 a------- c:\windows\system32\vmware-ufad.exe.vir
2009-02-21 21:16 64,000 a------- c:\windows\system32\ndetect.exe
2009-02-21 21:16 23,234 a------- c:\windows\system32\1B.tmp
2009-02-21 21:16 67,585 a------- c:\windows\system32\19.tmp
2009-02-21 21:16 168 a------- c:\windows\system32\17.tmp
2009-02-21 21:14 0 a------- c:\windows\system32\16.tmp
2009-02-21 21:13 168 a------- c:\windows\system32\14.tmp
2009-02-21 21:08 6 a------- c:\windows\_id.dat
2009-02-21 21:08 130 a------- c:\windows\adobe.bat
2009-02-21 21:08 64,000 a------- c:\windows\system32\i386kd.exe
2009-02-21 21:08 67,585 a------- c:\windows\system32\15.tmp
2009-02-21 21:08 168 a------- c:\windows\system32\12.tmp
2009-02-21 21:05 64,512 a------- c:\windows\system32\undname.exe
2009-02-21 21:05 31,514 a------- c:\windows\system32\13.tmp
2009-02-21 21:05 67,585 a------- c:\windows\system32\11.tmp
2009-02-21 21:05 38,913 a------- c:\windows\system32\10.tmp
2009-02-21 20:33 121,344 a------- c:\windows\system32\drivers\seneka.sys.vir
2009-02-21 20:18 59 a------- c:\windows\system32\senekafvgfwbhk.dat
2009-02-21 20:18 1,608,251 ---sh--- c:\windows\system32\ukinipin.ini
2009-02-21 20:13 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-02-21 20:13 --d----- c:\docume~1\owner\applic~1\cogad
2009-02-21 20:13 47,104 a------- c:\windows\system32\reader_s.exe
2009-02-21 20:13 64,000 a------- c:\windows\system32\deviceemulator.exe
2009-02-21 20:13 67,585 a------- c:\windows\system32\1270.tmp
2009-02-21 20:13 38,913 a------- c:\windows\system32\126F.tmp
2009-02-21 20:13 168 a------- c:\windows\system32\126E.tmp
2009-02-21 20:13 21,559,371 a------- c:\windows\system32\senekamatreeaa.dat
2009-02-21 20:13 90,210 a------- c:\windows\system32\senekachhvuduf.dll
2009-02-21 20:13 29,794 a------- c:\windows\system32\senekanbtkbjtf.dll
2009-02-21 20:13 27,234 a------- c:\windows\system32\senekasmxnumip.dll
2009-02-21 20:13 121,344 a------- c:\windows\system32\drivers\senekadeavdqyq.sys

==================== Find3M ====================

2009-02-21 21:26 90,112 a------- c:\windows\DUMP5c29.tmp
2009-02-21 21:25 90,112 a------- c:\windows\DUMP5ec9.tmp
2009-02-21 21:24 90,112 a------- c:\windows\DUMP5c87.tmp
2009-02-21 21:21 90,112 a------- c:\windows\DUMP6532.tmp
2009-02-21 21:18 90,112 a------- c:\windows\DUMP5cd5.tmp
2009-02-21 21:13 90,112 a------- c:\windows\DUMP5c49.tmp
2009-02-21 21:08 90,112 a------- c:\windows\DUMP60ae.tmp
2009-02-21 21:04 90,112 a------- c:\windows\DUMP5cb6.tmp
2009-02-21 21:00 90,112 a------- c:\windows\DUMP6d31.tmp
2009-02-21 20:38 64,512 a------- c:\windows\system32\regwiz.exe
2009-02-21 20:37 90,112 a------- c:\windows\DUMP540b.tmp
2009-02-21 20:36 90,112 a------- c:\windows\DUMP5ca6.tmp
2009-02-21 20:35 90,112 a------- c:\windows\DUMP593b.tmp
2009-02-21 20:13 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-02-17 14:21 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 03:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 03:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 23:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 23:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 14:01:47.62 ===============

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Hello.
Yep, it's Virut. Do not back up any .exe or .scr files.
Do not backup any htm/html/asp/php or zip files containing .exe or .scr files.
There is nothing that can be done now, this is game over.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS).

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Oh...I see. Thank you very much for your help and time spent. This is quite serious, and I just don't understand.

Do you have any idea how I caught something this nasty? Sad tearing I mean, I visit trusted sites, I'm always running AVG and malwarebytes, I have a firewall, I don't use P2P apps....I'm just so frustrated and confused!

And I have one more question, since my desktop is infected, is it safe to do all password changing on my laptop? It has a wireless connection.

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
Hello.
It spreads via USB sticks that are infected.
When was the last time you plugged in a USB thumb stick, and did this start round about the time that happened?

See here:
http://miekiemoes.blogspot.com/2008/11/please-disable-autorun-asap.html

She describes three different types of autorun worms.
BOTH Sality and Virut CANNOT be fixed, because both are file infectors.

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
At the time of the infection, no USB stick had been used for weeks...however, earlier while downloading the programs you instructed me to, the only way I could transfer information from my desktop to my laptop was with a USB stick. Could my laptop be infected now??? Sad tearing Sad tearing Sad tearing It seems to be working fine.

descriptionInfected with Seneka virus EmptyRe: Infected with Seneka virus

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum