
exp5374.tmp.exe (Spyware.Password)



Something happened to my PC today. Someone tried to transfer $99,000 from our corporate bank account from my PC. I downloaded and installed MBAM.

Here is what it found and removed---

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.19.06

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 8.0.6001.19393

becky :: TRUSTEE1010 [administrator]

Protection: Enabled

12/19/2012 12:12:51 PM

mbam-log-2012-12-19 (12-12-51).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 219988

Time elapsed: 5 minute(s), 37 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 4

HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.securewebinfo.com (Trojan.Zlob) -> Data: -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.safetyincludes.com (Trojan.Zlob) -> Data: -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.securemanaging.com (Trojan.Zlob) -> Data: -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KB00072502.exe (Trojan.Agent.KBGen) -> Data: "C:\Users\becky\AppData\Roaming\KB00072502.exe" -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\Users\becky\AppData\Local\Temp\exp5374.tmp.exe (Spyware.Password) -> Quarantined and deleted successfully.

C:\Users\becky\Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Users\becky\Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Users\becky\Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Users\becky\Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.

(end)

After a restart, MBAM found nothing.

Second scan--

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.19.06

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 8.0.6001.19393

becky :: TRUSTEE1010 [administrator]

Protection: Enabled

12/19/2012 12:29:03 PM

mbam-log-2012-12-19 (12-29-03).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 36456

Time elapsed: 58 second(s) [aborted]

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

My Symantec was updated and nothing was found.

How bad was this infection? Should I be worried?

I plan on changing ALL my passwords.

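Added example, not code from the poster or from Malwarebytes: a small parser for the MBAM 1.x log format shown above. It pulls each detection's target, detection name and action out of the log, checks that the per-section counts in the headers match the entries actually listed, and tags the persistence mechanisms visible in this particular log: the HKCU Run value that launches an executable out of the roaming profile, the entries under Internet Explorer\New Windows\Allow (the pop-up blocker's allow list), the .url shortcuts planted in the Documents folders, and the executable dropped in Temp. The tag names and the heuristics behind them are my own, and the excerpt below is constructed from the detection lines of the first posted log with the section counts adjusted to the lines kept.

```python
"""Pull indicators out of a Malwarebytes Anti-Malware 1.x scan log.

Added example for this thread, not Malwarebytes code or the poster's own.
MBAM_EXCERPT is constructed from the detection lines of the first posted log;
the section counts were adjusted to match the lines kept here.
"""
import re
from dataclasses import dataclass, field

MBAM_EXCERPT = r"""Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.securewebinfo.com (Trojan.Zlob) -> Data: -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KB00072502.exe (Trojan.Agent.KBGen) -> Data: "C:\Users\becky\AppData\Roaming\KB00072502.exe" -> Quarantined and deleted successfully.

Files Detected: 2

C:\Users\becky\AppData\Local\Temp\exp5374.tmp.exe (Spyware.Password) -> Quarantined and deleted successfully.

C:\Users\becky\Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
"""

# "Registry Values Detected: 4", "Files Detected: 5", ... open a section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<target> (<DetectionName>) [-> Data: <value>] -> <action>"
DETECTION_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\)"   # item, then (DetectionName)
    r"(?: -> Data:(?P<data>.*?))?"               # registry values carry a Data field
    r" -> (?P<action>[^>]+)$"                     # what MBAM did with it
)


@dataclass
class Finding:
    section: str
    target: str
    family: str
    action: str
    data: str = ""
    tags: list = field(default_factory=list)


def tag_finding(f):
    """Triage tags from where the item lives and what it points at (my heuristics, not MBAM's)."""
    where = f.target.lower()
    runs = (f.data or f.target).lower()          # the path that would actually execute
    if "\\currentversion\\run|" in where:
        f.tags.append("autostart:HKCU-Run")
    if "\\internet explorer\\new windows\\allow|" in where:
        f.tags.append("ie-popup-blocker-allowlist")
    if where.endswith(".url"):
        f.tags.append("planted-url-shortcut")
    if "\\appdata\\" in runs:
        f.tags.append("runs-from-user-profile")
    if "\\temp\\" in runs and runs.endswith(".exe"):
        f.tags.append("exe-dropped-in-temp")


def parse_mbam_log(text):
    """Return (findings, problems); problems lists sections whose header count
    disagrees with the number of entries actually present under it."""
    findings, problems = [], []
    section, expected, seen = None, 0, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if section is not None and seen != expected:
                problems.append(f"{section}: header says {expected}, parsed {seen}")
            section, expected, seen = m["section"], int(m["count"]), 0
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            f = Finding(section, m["target"], m["family"], m["action"].strip(),
                        (m["data"] or "").strip().strip('"'))
            tag_finding(f)
            findings.append(f)
            seen += 1
    if section is not None and seen != expected:
        problems.append(f"{section}: header says {expected}, parsed {seen}")
    return findings, problems


if __name__ == "__main__":
    found, issues = parse_mbam_log(MBAM_EXCERPT)
    for f in found:
        print(f"[{f.section}] {f.family:20} {f.target}  {' '.join(f.tags)}")
    for p in issues:
        print("count mismatch:", p)
```

The count check is there because a log whose headers and entries disagree has been trimmed or edited before it was posted, which matters when the log is the only evidence of what was removed. The tags are what a responder would want to pull out first: the Run value tells you what persisted across reboots and where it lived, the Temp executable is the stage most worth retrieving from quarantine for analysis.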

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)


Report for RogueKiller.

RogueKiller V8.4.0 [Dec 18 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User : becky [Admin rights]

Mode : Scan -- Date : 12/19/2012 15:48:34

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[13] : NtAlertResumeThread @ 0x8229D65D -> HOOKED (Unknown @ 0x87F94560)

SSDT[14] : NtAlertThread @ 0x82216295 -> HOOKED (Unknown @ 0x87F94620)

SSDT[18] : NtAllocateVirtualMemory @ 0x8225254B -> HOOKED (Unknown @ 0x87FA2E20)

SSDT[54] : NtConnectPort @ 0x821D7B3A -> HOOKED (Unknown @ 0x87CA0290)

SSDT[67] : NtCreateMutant @ 0x8222A862 -> HOOKED (Unknown @ 0x87F942D0)

SSDT[78] : NtCreateThread @ 0x8229BC74 -> HOOKED (Unknown @ 0x87FA38E8)

SSDT[147] : NtFreeVirtualMemory @ 0x8208EF1D -> HOOKED (Unknown @ 0x87F94D78)

SSDT[156] : NtImpersonateAnonymousToken @ 0x821C4F16 -> HOOKED (Unknown @ 0x87F943C0)

SSDT[158] : NtImpersonateThread @ 0x821DA553 -> HOOKED (Unknown @ 0x87F944A0)

SSDT[177] : NtMapViewOfSection @ 0x8221A8DA -> HOOKED (Unknown @ 0x87F94C98)

SSDT[184] : NtOpenEvent @ 0x82203DFF -> HOOKED (Unknown @ 0x87F941F0)

SSDT[195] : NtOpenProcessToken @ 0x8220BA60 -> HOOKED (Unknown @ 0x87F70400)

SSDT[202] : NtOpenThreadToken @ 0x822262FD -> HOOKED (Unknown @ 0x87F94A38)

SSDT[282] : NtResumeThread @ 0x82225B9A -> HOOKED (Unknown @ 0x87D07618)

SSDT[289] : NtSetContextThread @ 0x8229D10B -> HOOKED (Unknown @ 0x87F94978)

SSDT[305] : NtSetInformationProcess @ 0x8221E908 -> HOOKED (Unknown @ 0x87F94B08)

SSDT[306] : NtSetInformationThread @ 0x822032DD -> HOOKED (Unknown @ 0x87F948A8)

SSDT[330] : NtSuspendProcess @ 0x8229D597 -> HOOKED (Unknown @ 0x87F94110)

SSDT[331] : NtSuspendThread @ 0x821A492D -> HOOKED (Unknown @ 0x87F94728)

SSDT[334] : NtTerminateProcess @ 0x821FB173 -> HOOKED (Unknown @ 0x87FA2080)

SSDT[335] : NtTerminateThread @ 0x82226584 -> HOOKED (Unknown @ 0x87F947E8)

SSDT[348] : NtUnmapViewOfSection @ 0x8221AB9D -> HOOKED (Unknown @ 0x87F94BD8)

SSDT[358] : NtWriteVirtualMemory @ 0x8221796D -> HOOKED (Unknown @ 0x87F94E48)

¤¤¤ Extern Hives: ¤¤¤

-> D:\windows\system32\config\SOFTWARE

-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD80 0JD-75MSA3 SCSI Disk Device +++++

--- User ---

[MBR] 3ae5e9925f8a16bfa6d1eb844adf5d66

[BSP] 15aa431f21a280c81d2601e5a5773708 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 2048 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 4323328 | Size: 74181 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_12192012_02d1548.txt >>

RKreport[1]_S_12192012_02d1548.txt

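Added example, not RogueKiller's code: a parser for the SSDT section of the report above. Each hooked service is recorded with its index, original address and hook address, the hook addresses are clustered by proximity, and the hooked services are grouped by what intercepting them lets the hooking component do. Run over the posted report, all 23 hooks resolve to "Unknown" (no loaded driver image claims the address) and 17 of them land in a single 4 KB page at 0x87F94xxx, which is what one resident hooking component looks like. One caveat a practitioner would add: hooks on exactly these process, thread and memory services are also how many endpoint security products on 32-bit Windows implemented self-protection, so a hook list by itself does not say which component owns it and has to be correlated with the rest of the report. The excerpt below is constructed from the SSDT lines of the posted RKreport; the category grouping is mine.

```python
"""Parse the SSDT section of a RogueKiller report and group the hooks.

Added example for this thread, not RogueKiller's own code. RK_EXCERPT is
constructed from the SSDT lines of the posted RKreport[1]_S_12192012_02d1548.txt.
"""
import re
from dataclasses import dataclass

RK_EXCERPT = """\
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x8229D65D -> HOOKED (Unknown @ 0x87F94560)
SSDT[14] : NtAlertThread @ 0x82216295 -> HOOKED (Unknown @ 0x87F94620)
SSDT[18] : NtAllocateVirtualMemory @ 0x8225254B -> HOOKED (Unknown @ 0x87FA2E20)
SSDT[54] : NtConnectPort @ 0x821D7B3A -> HOOKED (Unknown @ 0x87CA0290)
SSDT[67] : NtCreateMutant @ 0x8222A862 -> HOOKED (Unknown @ 0x87F942D0)
SSDT[78] : NtCreateThread @ 0x8229BC74 -> HOOKED (Unknown @ 0x87FA38E8)
SSDT[147] : NtFreeVirtualMemory @ 0x8208EF1D -> HOOKED (Unknown @ 0x87F94D78)
SSDT[156] : NtImpersonateAnonymousToken @ 0x821C4F16 -> HOOKED (Unknown @ 0x87F943C0)
SSDT[158] : NtImpersonateThread @ 0x821DA553 -> HOOKED (Unknown @ 0x87F944A0)
SSDT[177] : NtMapViewOfSection @ 0x8221A8DA -> HOOKED (Unknown @ 0x87F94C98)
SSDT[184] : NtOpenEvent @ 0x82203DFF -> HOOKED (Unknown @ 0x87F941F0)
SSDT[195] : NtOpenProcessToken @ 0x8220BA60 -> HOOKED (Unknown @ 0x87F70400)
SSDT[202] : NtOpenThreadToken @ 0x822262FD -> HOOKED (Unknown @ 0x87F94A38)
SSDT[282] : NtResumeThread @ 0x82225B9A -> HOOKED (Unknown @ 0x87D07618)
SSDT[289] : NtSetContextThread @ 0x8229D10B -> HOOKED (Unknown @ 0x87F94978)
SSDT[305] : NtSetInformationProcess @ 0x8221E908 -> HOOKED (Unknown @ 0x87F94B08)
SSDT[306] : NtSetInformationThread @ 0x822032DD -> HOOKED (Unknown @ 0x87F948A8)
SSDT[330] : NtSuspendProcess @ 0x8229D597 -> HOOKED (Unknown @ 0x87F94110)
SSDT[331] : NtSuspendThread @ 0x821A492D -> HOOKED (Unknown @ 0x87F94728)
SSDT[334] : NtTerminateProcess @ 0x821FB173 -> HOOKED (Unknown @ 0x87FA2080)
SSDT[335] : NtTerminateThread @ 0x82226584 -> HOOKED (Unknown @ 0x87F947E8)
SSDT[348] : NtUnmapViewOfSection @ 0x8221AB9D -> HOOKED (Unknown @ 0x87F94BD8)
SSDT[358] : NtWriteVirtualMemory @ 0x8221796D -> HOOKED (Unknown @ 0x87F94E48)
"""

# "SSDT[<idx>] : <NtService> @ 0x<orig> -> HOOKED (<owner> @ 0x<hook>)"
SSDT_RE = re.compile(
    r"^SSDT\[(?P<idx>\d+)\] : (?P<func>Nt\w+) @ 0x(?P<orig>[0-9A-Fa-f]+)"
    r" -> HOOKED \((?P<owner>[^@]+?) @ 0x(?P<hook>[0-9A-Fa-f]+)\)$"
)

# What intercepting each service buys the hooking component (my grouping, not RogueKiller's).
CATEGORIES = {
    "process/thread control": {
        "NtAlertResumeThread", "NtAlertThread", "NtCreateThread", "NtResumeThread",
        "NtSetContextThread", "NtSetInformationProcess", "NtSetInformationThread",
        "NtSuspendProcess", "NtSuspendThread", "NtTerminateProcess", "NtTerminateThread"},
    "memory / injection": {
        "NtAllocateVirtualMemory", "NtFreeVirtualMemory", "NtMapViewOfSection",
        "NtUnmapViewOfSection", "NtWriteVirtualMemory"},
    "tokens / impersonation": {
        "NtImpersonateAnonymousToken", "NtImpersonateThread",
        "NtOpenProcessToken", "NtOpenThreadToken"},
    "ipc / sync": {"NtConnectPort", "NtCreateMutant", "NtOpenEvent"},
}


@dataclass(frozen=True)
class Hook:
    index: int
    func: str
    original: int   # address the SSDT entry should hold (in ntoskrnl)
    owner: str      # module RogueKiller attributed the hook to; "Unknown" = no image
    target: int     # address the entry actually points at


def parse_ssdt_hooks(report):
    """Return the HOOKED SSDT entries in report order; other report lines are ignored."""
    hooks = []
    for line in report.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(Hook(int(m["idx"]), m["func"], int(m["orig"], 16),
                              m["owner"].strip(), int(m["hook"], 16)))
    return hooks


def cluster_targets(hooks, gap=0x1000):
    """Group hook targets whose sorted neighbours lie within `gap` bytes (default one
    page). Targets in one cluster almost certainly belong to one resident allocation."""
    clusters = []
    for h in sorted(hooks, key=lambda h: h.target):
        if clusters and h.target - clusters[-1][-1].target <= gap:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters


def categorize(hooks):
    """Count hooked services per CATEGORIES bucket, with 'other' for the rest."""
    counts = {name: 0 for name in CATEGORIES}
    counts["other"] = 0
    for h in hooks:
        bucket = next((n for n, funcs in CATEGORIES.items() if h.func in funcs), "other")
        counts[bucket] += 1
    return counts


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(RK_EXCERPT)
    for group in cluster_targets(hooks):
        print(f"{len(group):2} hook(s) near 0x{group[0].target:08X}: "
              + ", ".join(h.func for h in group))
    print(categorize(hooks))
```

The clustering is the useful part: hook targets that share a page were almost certainly written by the same component, so five clusters here means at most a handful of distinct hooking locations to account for, not 23. The category counts show the intercepted surface is exactly the one needed to watch or block process creation, code injection and termination, which is consistent with a self-protecting driver of either kind.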

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

I think we should run all the scans.......

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

[image: more-reply-options.jpg]

New window that comes up.

[image: choose-files1.jpg]

~~~~~~~~~~~~~~~~~~~~~~~

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
