Jump to content

Malware detected... not sure what to do

Recommended Posts

I noticed today that MWB found a heap of malware on my computer today. It's been about a month since I've done a scan (my mistake) and prior to this my system was, to my knowledge, clean.

I appear to have removed all of the infected files in safemode, but I'm a bit afraid of what exactly these malwares were. Is this a keylogger? Should I change all of my logins? Should I reformat? How can I be sure that it's really been cleaned completely?

My apologies if the information posted is insufficient. Attached is my MWB log.

Thanks in advance for any help provided.

Malwarebytes Anti-Malware


Database version: v2012.02.23.05

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Michael :: MICHAEL-PC [administrator]

23/02/2012 7:38:15 PM

mbam-log-2012-02-23 (19-47-47).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 202200

Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 4

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE (Trojan.Agent) -> No action taken.

HKCR\CLSID\{WDTS831R-DF6L-UB6I-S507-P0GEK0I7QAT8} (Backdoor.SpyNet) -> No action taken.

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{WDTS831R-DF6L-UB6I-S507-P0GEK0I7QAT8} (Backdoor.SpyNet) -> No action taken.

HKCU\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> No action taken.

Registry Values Detected: 5

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HKLM (Backdoor.SpyNet) -> Data: C:\Users\Michael\AppData\Roaming\install\Svchost.exe -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Policies (Backdoor.SpyNet) -> Data: C:\Users\Michael\AppData\Roaming\install\Svchost.exe -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HKCU (Backdoor.SpyNet) -> Data: C:\Users\Michael\AppData\Roaming\install\Svchost.exe -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Policies (Backdoor.SpyNet) -> Data: C:\Users\Michael\AppData\Roaming\install\Svchost.exe -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Realtek (Heuristics.Reserved.Word.Exploit) -> Data: C:\Users\Michael\AppData\Roaming\explorer.exe -> No action taken.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 6

C:\Users\Michael\AppData\Roaming\bot.exe (Trojan.Agent) -> No action taken.

C:\Users\Michael\AppData\Roaming\iexplore.exe (Trojan.Agent) -> No action taken.

C:\Users\Michael\AppData\Roaming\install\Svchost.exe (Backdoor.SpyNet) -> No action taken.

C:\Users\Michael\AppData\Local\Temp\xxxyyyzzz.dat (Malware.Trace) -> No action taken.

C:\Users\Michael\AppData\Roaming\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\Users\Michael\AppData\Local\Temp\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.


Link to post
Share on other sites


Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

Link to post
Share on other sites

Thankfully, I don't use this computer for any online purchases, I do however have many email and forum accounts. The first thing I did after removing the malware with malware bytes was change all of my passwords. Unfortunately, I don't have a second computer to change the passwords. I think I am going to reformat (I have some nvidia driver issues anyways). After reformating, I will once again change all of my passwords just to be safe.

Microsoft Security Essentials is complaining about TrojanDownloader:VBS/Ainslot.A infecting a temporary file. I think it is best to reformat. Would providing a hijack this log help show the extent of the infection?

Thanks a lot for the help.

Link to post
Share on other sites

This might show it better.

Download TDSSKiller from here and save it to your Desktop.

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  1. Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  3. Click the Start Scan button.
  4. If a suspicious object is detected, the default action will be Skip, click on Continue.
  5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
  6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.