Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Seneka trojan


  • Please log in to reply
6 replies to this topic

#1 trevorvalentine

trevorvalentine

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 06 January 2009 - 02:33 AM

Awhile ago I was infected with vundo. I successfully ran Malwarebytes and removed a lot of it. I thought that I was good to go, but now I have a DCOM error that will shut down the computer within 60 seconds and when I run Malwarebytes, it finds seneka files. I read that someone's computer was extremely compromised, and now I'm scared. This is my malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

1/6/2009 2:32:37 AM
mbam-log-2009-01-06 (02-32-37).txt

Scan type: Quick Scan
Objects scanned: 50977
Time elapsed: 1 minute(s), 9 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Failed to unload process.

Memory Modules Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.

BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:01:27 PM

Posted 06 January 2009 - 12:06 PM

You are using an outdated version of Mbam


Please reboot the computer
Open MBAM and click Update tab, select Check for Updates,when done
click Scanner tab,select FULL scan
After scan click Remove Selected, Post new scan log for review
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 trevorvalentine

trevorvalentine
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 06 January 2009 - 02:59 PM

Pretty sure this is nasty. I took some precautions against identity theft. Should I completely restore?

Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 2

1/6/2009 2:52:42 PM
mbam-log-2009-01-06 (14-52-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 93127
Time elapsed: 25 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\waoncxmesr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\xcoanerwsm.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekamujnqtyf.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaxudoyxck.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#4 trevorvalentine

trevorvalentine
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 06 January 2009 - 04:20 PM

Also, now I just keep getting these: Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 2

1/6/2009 4:20:08 PM
mbam-log-2009-01-06 (16-20-08).txt

Scan type: Quick Scan
Objects scanned: 53258
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 trevorvalentine

trevorvalentine
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 06 January 2009 - 06:04 PM

Sorry for so many replies to myself, but I replaced userinit.exe with another one from an uninfected computer. Now Malwarebytes says:
Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 2

1/6/2009 6:01:21 PM
mbam-log-2009-01-06 (18-01-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 92914
Time elapsed: 27 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:01:27 PM

Posted 06 January 2009 - 06:10 PM

So, how is it running?
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 trevorvalentine

trevorvalentine
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:27 PM

Posted 06 January 2009 - 06:37 PM

It's running fine, MBAM full scan came up with 0 results, SuperAntiSpyware came up with 0, Ad-Aware SE came up with fakealert, but all around it seems ok. How worried should I be about everything? I changed a lot of passwords, and I'm still kind of apprehensive about what could have been compromised in that small window that I had the virus/backdoor.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users