Recurring Seneka/Rustock.G(?) Infection


  • This topic is locked
3 replies to this topic

#1 Zorpheus

Posted 06 February 2009 - 05:20 PM

Greetings,

It all started with executing a suspicious file that in turn installed several infections on my laptop. I used Malwarebytes' Anti-Malware and AVG in efforts to get it under control, but one particular infection kept eluding me, and neither of the programs would give me a clear answer as to what the infections were nor pinpoint and eliminate the source. ComboFix and then SUPERAntiSpyware eventually helpfully told me there were traces of the Seneka malware. I then proceeded to attempt to reinstall Windows, and even format the hard drive and reinstall Windows, but somehow, it kept coming back. I found out it was reinstating itself whenever I installed my backed up wireless drivers, so apparently it was hiding in there. I reinstalled Windows and re-downloaded my wireless drivers from Dell. For a bit, everything was fine. Then I loaded in one of my programs that I backed up after the infection, and was thrown back into an infected state.

A few things I noticed about the infection:
1) It seems to be a strain that is better at disguising the files it uses to reinstate itself (other Seneka-related posts said to look for an installed "driver" with certain prefixes, which aren't evident on my laptop).
2) No virus scan or malware scan that I've run so far will pick up any indication that backed up files are contaminated with the dormant malware (scans passed off both my drivers and the backed up program as clean).
3) Symptoms include repeated messages from Windows Data Protection blocking RUNDLL32.EXE and EXPLORER.EXE from running (about 25-50% of the time), and making me log in through a Username and Password prompt before Windows starts even though there is only one profile on my machine and it is not currently set up to go to such a prompt. It also frequently tries to use a C:\Windows\Services.exe file as part of the infection. In the event Explorer won't start, I can run ComboFix through the Task Manager, and this usually brings Explorer back (when it doesn't reboot). Though ComboFix doesn't always detect something... see #5.
4) It seems to come back in multiple forms: I've had Vundo, Rustock.G, Seneka, Sheur2.OCF, Virut.AJ.Dropper and HTML/Framer detected by my Anti-Virus and Anti-Spyware programs, among other more generic names.
5) I can run an Anti-Virus or Anti-Spyware program at times and it will detect absolutely nothing, even in the case that Explorer is blocked from running! Other times, it will detect infections and eliminate them, usually asking me to reboot, which may or may not bring me back to a Windows which gives the symptoms described in #3.
6) Disabling my Internet Connection occasionally allows me to reduce the infection down to a minimum, but as soon as I connect to the Internet again, no matter how many clean scans I was given beforehand and despite the presence of the Windows Firewall, the malware's hidden subroutine activates and everything is reinstated.

Here are the things I need to know:
1) What I'm infected with
2) How to remove the infection permanently
3) How to recognize if my backed-up programs carry the dormant malware before I run them, and a way to clean them

Logs are as follows:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Zorpheus at 16:45:55.43 on Fri 02/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1489 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\9f68a7cb-a121-4aeb-9122-102924fb38b6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Zorpheus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\9f68a7cb-a121-4aeb-9122-102924fb38b6.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zorpheus\applic~1\mozilla\firefox\profiles\r32u64zq.default\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-5 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-5 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-5 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-5 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-5 298264]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S1 ethecynu;ethecynu;c:\windows\system32\drivers\ethecynu.sys --> c:\windows\system32\drivers\ethecynu.sys [?]
S1 ethfdqxv;ethfdqxv;c:\windows\system32\drivers\ethfdqxv.sys --> c:\windows\system32\drivers\ethfdqxv.sys [?]
S1 ethkitqx;ethkitqx;c:\windows\system32\drivers\ethkitqx.sys --> c:\windows\system32\drivers\ethkitqx.sys [?]
S1 ethlguly;ethlguly;c:\windows\system32\drivers\ethlguly.sys --> c:\windows\system32\drivers\ethlguly.sys [?]
S1 ethmakex;ethmakex;c:\windows\system32\drivers\ethmakex.sys --> c:\windows\system32\drivers\ethmakex.sys [?]
S1 ethmkpzu;ethmkpzu;c:\windows\system32\drivers\ethmkpzu.sys --> c:\windows\system32\drivers\ethmkpzu.sys [?]
S1 ethognsw;ethognsw;c:\windows\system32\drivers\ethognsw.sys --> c:\windows\system32\drivers\ethognsw.sys [?]
S1 ethoyvdk;ethoyvdk;c:\windows\system32\drivers\ethoyvdk.sys --> c:\windows\system32\drivers\ethoyvdk.sys [?]
S1 ethphvcu;ethphvcu;c:\windows\system32\drivers\ethphvcu.sys --> c:\windows\system32\drivers\ethphvcu.sys [?]
S1 ethpvoug;ethpvoug;c:\windows\system32\drivers\ethpvoug.sys --> c:\windows\system32\drivers\ethpvoug.sys [?]
S1 ethqpcyc;ethqpcyc;c:\windows\system32\drivers\ethqpcyc.sys --> c:\windows\system32\drivers\ethqpcyc.sys [?]
S1 ethtcnox;ethtcnox;c:\windows\system32\drivers\ethtcnox.sys --> c:\windows\system32\drivers\ethtcnox.sys [?]
S1 ethtnrhc;ethtnrhc;c:\windows\system32\drivers\ethtnrhc.sys --> c:\windows\system32\drivers\ethtnrhc.sys [?]
S1 ethulaik;ethulaik;c:\windows\system32\drivers\ethulaik.sys --> c:\windows\system32\drivers\ethulaik.sys [?]
S1 ethxnhfv;ethxnhfv;c:\windows\system32\drivers\ethxnhfv.sys --> c:\windows\system32\drivers\ethxnhfv.sys [?]
S3 dofxquxg;dofxquxg;\??\c:\windows\system32\drivers\dofxquxg.sys --> c:\windows\system32\drivers\dofxquxg.sys [?]
S3 iqgjnnqb;iqgjnnqb;\??\c:\windows\system32\drivers\iqgjnnqb.sys --> c:\windows\system32\drivers\iqgjnnqb.sys [?]

=============== Created Last 30 ================

2009-02-06 16:24 179,712 a------- c:\windows\SWREG.exe
2009-02-06 16:24 116,224 a------- c:\windows\sed.exe
2009-02-06 16:10 324,096 a------- c:\windows\IsUninst.exe
2009-02-06 15:45 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-02-06 15:45 <DIR> --d----- c:\windows\system32\LogFiles
2009-02-06 05:01 <DIR> --d----- c:\windows\pss
2009-02-06 04:30 67,585 a------- c:\windows\system32\EB.tmp
2009-02-06 04:26 163,652 a------- c:\windows\system32\E9.tmp
2009-02-06 04:26 168 a------- c:\windows\system32\E8.tmp
2009-02-06 03:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-06 03:26 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-06 03:26 <DIR> --d----- c:\docume~1\zorpheus\applic~1\SUPERAntiSpyware.com
2009-02-06 03:11 32,768 a---h--- c:\documents and settings\zorpheus\lctj.exe
2009-02-06 03:11 67,585 a------- c:\windows\system32\DF.tmp
2009-02-06 03:10 32,768 a---h--- c:\documents and settings\zorpheus\tuybky.exe
2009-02-06 03:10 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-06 03:10 616 a------- c:\windows\system32\DD.tmp
2009-02-06 03:10 67,585 a------- c:\windows\system32\DB.tmp
2009-02-06 03:08 162,948 a------- c:\windows\system32\D9.tmp
2009-02-06 03:08 168 a------- c:\windows\system32\D8.tmp
2009-02-06 03:08 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-06 03:07 162,948 a------- c:\windows\system32\C9.tmp
2009-02-06 03:07 168 a------- c:\windows\system32\C8.tmp
2009-02-05 18:00 <DIR> --d----- c:\program files\uTorrent
2009-02-05 17:59 <DIR> --d----- c:\program files\Peach Princess
2009-02-05 17:58 <DIR> --d----- c:\program files\3D Custom Girl
2009-02-05 17:50 <DIR> --d----- C:\dawn
2009-02-05 17:50 <DIR> --d----- C:\PSXsound
2009-02-05 17:46 <DIR> --d----- C:\illusion
2009-02-05 17:46 <DIR> --d----- C:\downloads
2009-02-05 17:40 <DIR> --d----- C:\MegaTen
2009-02-05 17:40 <DIR> --d----- C:\Battle Arena Toshinden 3
2009-02-05 17:39 <DIR> --d----- C:\OpenRPG
2009-02-05 17:28 <DIR> --d----- C:\NeverwinterNights
2009-02-05 17:27 <DIR> --d----- C:\mIRC
2009-02-05 17:18 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-05 17:18 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-05 17:18 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-05 17:18 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-05 17:18 <DIR> --d----- c:\program files\AVG
2009-02-05 17:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-05 17:14 45,568 a----r-- c:\windows\system32\drivers\bcm4sbxp.sys
2009-02-05 17:14 <DIR> --d----- c:\program files\Broadcom
2009-02-05 17:12 217,088 a----r-- c:\windows\system32\UCI32M21.dll
2009-02-05 17:12 94,208 a----r-- c:\windows\system32\mdmxsdk.dll
2009-02-05 17:12 12,672 a----r-- c:\windows\system32\drivers\mdmxsdk.sys
2009-02-05 17:12 <DIR> --d----- c:\program files\CONEXANT
2009-02-05 17:12 989,952 a----r-- c:\windows\system32\drivers\HSF_DPV.sys
2009-02-05 17:12 731,136 a----r-- c:\windows\system32\drivers\HSF_CNXT.sys
2009-02-05 17:12 211,200 a----r-- c:\windows\system32\drivers\HSFHWAZL.sys
2009-02-05 17:09 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-05 16:41 <DIR> --d----- c:\windows\system32\AGEIA
2009-02-05 16:40 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-05 16:40 453,152 a------- c:\windows\system32\nvuninst.exe
2009-02-05 16:40 453,152 a------- c:\windows\system32\nvudisp.exe
2009-02-05 16:40 206,530 a------- c:\windows\system32\nvapps.xml
2009-02-05 16:40 18,725 a------- c:\windows\system32\nvdisp.nvu
2009-02-05 16:40 <DIR> --d----- c:\windows\nview
2009-02-05 16:36 <DIR> --d----- c:\program files\Synaptics
2009-02-05 16:35 54,272 ac------ c:\windows\system32\dllcache\swmidi.sys
2009-02-05 16:35 <DIR> --d----- c:\program files\SigmaTel
2009-02-05 16:33 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-05 16:30 <DIR> --d----- c:\program files\Dell
2009-02-05 16:29 26,496 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-02-05 16:27 <DIR> --d----- c:\documents and settings\Zorpheus
2009-02-05 16:27 <DIR> --ds---- c:\windows\system32\Microsoft
2009-02-05 15:54 8,192 a------- c:\windows\REGLOCS.OLD
2009-02-05 15:52 101,376 ac------ c:\windows\system32\dllcache\srusbusd.dll
2009-02-05 15:51 29,696 ac------ c:\windows\system32\dllcache\admexs.dll
2009-02-05 15:50 23,392 a------- c:\windows\system32\nscompat.tlb
2009-02-05 15:50 16,832 a------- c:\windows\system32\amcompat.tlb
2009-02-05 15:50 316,640 a------- c:\windows\WMSysPr9.prx
2009-02-05 15:50 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-02-05 15:49 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-02-05 15:48 <DIR> --d----- c:\program files\common files\MSSoap
2009-02-05 15:47 <DIR> --d----- c:\program files\Online Services
2009-02-05 15:47 <DIR> --d----- c:\program files\Messenger
2009-02-05 15:47 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-02-05 15:46 <DIR> --d----- c:\program files\Windows NT
2009-02-05 03:49 <DIR> --d----- c:\program files\common files\ODBC
2009-02-05 03:49 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-02-05 03:49 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-02-05 15:50 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-05 15:47 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-10 09:45 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-04 09:28 24,344 a------- c:\windows\system32\PhysXDevice.dll
2008-11-26 08:55 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-11-25 08:38 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe

============= FINISH: 16:46:12.53 ===============

Edited by Zorpheus, 06 February 2009 - 05:41 PM.
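As an added illustration (not part of the thread or any tool named in it), here is a small Python triage script that parses lines in the DDS "SERVICES / DRIVERS" format and scores each entry on the traits visible in the log above: an image file DDS could not find (the "[?]" marker instead of a date and size), no vendor description, an all-lowercase generated-looking name, and a cluster of names sharing one three-letter prefix. The sample lines and the weights are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the DDS "SERVICES / DRIVERS" format, modelled on the log
# above: two drivers with a recorded date/size, then entries whose file DDS could
# not find on disk (no date/size, just "[?]").
SAMPLE_LOG = """\
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\\windows\\system32\\drivers\\avgldx86.sys [2009-2-5 325128]
R1 SASDIFSV;SASDIFSV;c:\\program files\\superantispyware\\sasdifsv.sys [2009-1-15 8944]
S1 ethecynu;ethecynu;c:\\windows\\system32\\drivers\\ethecynu.sys --> c:\\windows\\system32\\drivers\\ethecynu.sys [?]
S1 ethfdqxv;ethfdqxv;c:\\windows\\system32\\drivers\\ethfdqxv.sys --> c:\\windows\\system32\\drivers\\ethfdqxv.sys [?]
S1 ethkitqx;ethkitqx;c:\\windows\\system32\\drivers\\ethkitqx.sys --> c:\\windows\\system32\\drivers\\ethkitqx.sys [?]
S3 dofxquxg;dofxquxg;\\??\\c:\\windows\\system32\\drivers\\dofxquxg.sys --> c:\\windows\\system32\\drivers\\dofxquxg.sys [?]
"""

# state name;description;image path [--> resolved path] [date size | ?]
LINE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+-->\s+(.*?))?\s+\[([^\]]*)\]$")

def parse_services(text):
    """Parse DDS service/driver lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, name, desc, path, resolved, meta = m.groups()
        entries.append({"state": state, "name": name, "desc": desc, "path": path,
                        "resolved": resolved or path,
                        # DDS prints "[?]" in place of "[date size]" when the file is absent
                        "missing": meta.strip() == "?"})
    return entries

def looks_generated(name):
    # the random driver names in this log are all lowercase letters
    return name.isalpha() and name.islower()

def score_entry(e, prefix_counts):
    """Weighted heuristics (constructed); a missing file or a prefix cluster weigh most."""
    checks = [
        (2, e["missing"], "image file not found on disk"),
        (1, e["desc"] == e["name"], "no vendor description"),
        (1, looks_generated(e["name"]), "all-lowercase generated-looking name"),
        (2, prefix_counts[e["name"][:3]] >= 3, "3-letter prefix shared by 3+ generated-looking names"),
    ]
    return sum(w for w, hit, _ in checks if hit), [why for _, hit, why in checks if hit]

def find_suspicious(text, threshold=4):
    """Return flagged entries (in log order) with their score and reasons."""
    entries = parse_services(text)
    prefix_counts = Counter(e["name"][:3] for e in entries if looks_generated(e["name"]))
    flagged = []
    for e in entries:
        score, reasons = score_entry(e, prefix_counts)
        if score >= threshold:
            flagged.append({"name": e["name"], "state": e["state"], "score": score, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['state']} {hit['name']}: {hit['score']} -> {'; '.join(hit['reasons'])}")
```

Run against the full log above it flags the fourteen eth* S1 entries and the two S3 entries while leaving the AVG and SUPERAntiSpyware drivers (mixed-case names with a recorded date and size) unflagged.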


#2 suebaby41, Malware Response Team

Posted 19 February 2009 - 09:19 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 Zorpheus, Topic Starter

Posted 19 February 2009 - 02:43 PM

Greetings,

Thanks for getting back to me, but I have already solved the problem while I was waiting.

Regards,
Zorpheus

#4 suebaby41, Malware Response Team

Posted 19 February 2009 - 06:51 PM

Thank you for letting me know.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.