
(OTL, Hijack This attached) Recovered after Vista Internet Security 2010, but clean?



Hello,

On 2010-03-07, in the early evening, I got hit with the Vista Internet Security 2010 virus. After trying a lot of things, I managed to boot into safe mode, rename the executable of Malwarebytes ('vistanext'), install and run Malwarebytes. It looks and feels like the infection is gone, however, I am worried if it is. I am especially worried about keyloggers, since I do things like banking and Skype calls home/credit online.

My OTL logs, Hijack This log, and Malwarebytes log (pre and post infection) are attached.

My OTL settings follow this thread:

http://forums.malwarebytes.org/index.php?s...=39041&st=0

Thanks for your time, which is really really appreciated.

mbam_log_2010_03_07__23_05_31_.txt

mbam_log_2010_03_07__20_45_24_.txt

hijackthis.txt

Extras.Txt

OTL.Txt


Thanks for your help screen317, it is tremendously appreciated.

Malwarebytes' Anti-Malware 1.44

Database version: 3902

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18882

3/22/2010 10:54:54 PM

mbam-log-2010-03-22 (22-54-54).txt

Scan type: Quick Scan

Objects scanned: 121565

Time elapsed: 29 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Neel\AppData\Local\MSASCui.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Neel\AppData\Local\MSASCui.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Neel\AppData\Local\MSASCui.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Neel\Local Settings\Application Data\MSASCui.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Neel at 1:02:09.41 on Tue 03/23/2010

Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_18

Microsoft
