
Is infection clear?



Hi,

I have been using MBAM myself, and on others' PCs, for a number of years now (mainly thanks to pointers from some friends at Icrontic).

My friend's son called yesterday stating he had varying issues and these all led me to believe he had some kind of malware present on his system, so I got him to download and run MBAM and send me the log.

I would just like some kind of advice/confirmation on whether there is a need to look further, using more tools maybe, before assuming he should now be okay.

Thank you in anticipation of any helpful responses.

SV :)

MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4627

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

16/09/2010 15:12:41

mbam-log-2010-09-16 (15-12-41).txt

Scan type: Full scan (C:\|)

Objects scanned: 210695

Time elapsed: 1 hour(s), 25 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 2

Registry Data Items Infected: 3

Folders Infected: 3

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bat wave base dale (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\78756235 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave\mp3 cake.dat (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave\mp3 cake.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Local Settings\Temp\0.0735242180337774.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

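As an added example (not part of the original post, and not Malwarebytes' own code) of how a defender could read a log like the one above: the Python below parses MBAM 1.x detection lines into their sections and families, flags any backdoor family (the kind of hit that prompts the reinstall warning in the replies), and checks a Winlogon Userinit value the way the Hijack.UserInit line implies, so that anything other than a lone userinit.exe is reported as a hijack. The sample log is a constructed, shortened copy of the posted one; the function names are my own.

```python
"""Added example (not part of the forum thread): parse a Malwarebytes' Anti-Malware
1.x text log, summarise what was found, and check a Winlogon Userinit value for
the extra-executable hijack shown in the log. The sample log below is a
constructed, shortened copy of the posted log; function names are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a shortened copy of the log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4627
Scan type: Full scan (C:\|)
Objects scanned: 210695

Registry Keys Infected:
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bat wave base dale (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
"""

# A detection line reads "<item> (<family>) -> <action>". The item is matched
# non-greedily so registry paths and file names containing spaces still parse.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z][A-Za-z.]*)\) -> (?P<action>.+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
HIJACK_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str

    @property
    def removed(self) -> bool:
        return self.action.endswith("Quarantined and deleted successfully.")


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection line, tagged with the section it appeared under."""
    found, section = [], "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        det = DETECTION_RE.match(line)
        if det:
            found.append(Detection(section, **det.groupdict()))
    return found


def family_counts(detections: list[Detection]) -> Counter:
    """Number of items per detection family, e.g. Counter({'Backdoor.Bot': 1})."""
    return Counter(d.family for d in detections)


def backdoor_families(detections: list[Detection]) -> set[str]:
    """Families whose name marks them as a backdoor (remote control of the PC)."""
    return {d.family for d in detections if d.family.lower().startswith("backdoor.")}


def userinit_is_clean(value: str) -> bool:
    """True if a Winlogon\\Userinit REG_SZ value names only userinit.exe.
    The value is a comma-separated list and the Windows default ends with a
    trailing comma, so empty entries are ignored. Any extra entry (sdra64.exe
    in the log) is started at every logon, which is the hijack."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if len(entries) != 1:
        return False
    basename = entries[0].replace("/", "\\").rsplit("\\", 1)[-1]
    return basename.lower() == "userinit.exe"


def userinit_hijacks(detections: list[Detection]) -> list[tuple[str, str]]:
    """(bad, good) value pairs reported on Hijack.UserInit lines."""
    pairs = []
    for d in detections:
        m = HIJACK_RE.search(d.action)
        if d.family == "Hijack.UserInit" and m:
            pairs.append((m.group("bad"), m.group("good")))
    return pairs


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(dets)} detections, all removed: {all(d.removed for d in dets)}")
    for fam, n in family_counts(dets).most_common():
        print(f"  {fam}: {n}")
    if backdoor_families(dets):
        print("backdoor family present:", ", ".join(sorted(backdoor_families(dets))))
    for bad, good in userinit_hijacks(dets):
        print("bad Userinit value clean?", userinit_is_clean(bad))
        print("good Userinit value clean?", userinit_is_clean(good))
```

On a Windows machine the live value can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` and passed to `userinit_is_clean`; a result of False after cleaning means the logon hook is still pointing at something other than userinit.exe.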

Don't know if he's clean, but from this, Backdoor.Bot showing in the scan results...I have to give you this warning about his computer:

One or more of the identified infections is a backdoor trojan

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

I certainly would continue with checking the computer for malware if you decide not to reinstall.

If you wish to continue, please start at the link below:

http://forums.malwarebytes.org/index.php?showtopic=9573

If you can't get GMER to run, then use this:

Please download Rootkit Unhooker and save it to your Desktop

http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE

Double-click on RKUnhookerLE to run it

Click the Report tab, then click Scan

Check Drivers, Stealth and uncheck the rest

Click OK

Wait until it's finished and then go to File > Save Report

Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

MrC


Don't know if he's clean, but from this, Backdoor.Bot showing in the scan results...I have to give you this warning about his computer:

I certainly would continue with checking the computer for malware if you decide not to reinstall.

// Snipped middle of reply for easier reading//

MrC

Hi,

thank you for the swift response and advice - getting advice on the nature of the malware was the main reason I posted the log here.

Doing a reinstall should be no problem - would it be safe to use the D:/ OEM restore partition?

Other than waiting on your reply to this question, and taking the steps you provided to check what may have been potentially compromised on his system, is there any sense in reporting the, again potential, "crime" before destroying evidence with a reformat?

I can't imagine there would be anything left to easily identify the individual attacker, let alone get any form of successful prosecution.

Thank you, again, for your assistance,

SV :)


Format and re-install is the way to go.

Is there any sense in reporting the, again potential, "crime" before destroying evidence with a reformat?

I guess not really; it's a standard speech given in these cases. Good luck....MrC

Sorry to sound a little dim (in mitigation ... it is 40 mins after midnight here :)), but "Format & re-install" - does this mean it is, or is not, safe to use the D:/ OEM pre-installed recovery partition to do the reformat?


Sorry to sound a little dim (in mitigation ... it is 40 mins after midnight here ), but "Format & re-install" - does this mean it is, or is not, safe to use the D:/ OEM pre-installed recovery partition to do the reformat?

As long as it has the ability to format, in my opinion.

What kind of computer is it? MrC


As long as it has the ability to format, in my opinion.

What kind of computer is it? MrC

It is an HP Pavilion (lower end) desktop... about 3 or 4 years old. I have reformatted it this way before (due to some bad system file corruption issues) and, from memory, it did a full reformat of the C:/ partition. My only concern is if this trojan is, somehow, able to regenerate itself from infecting the recovery partition, too.

I know it is labelled as "D:/ HP_RECOVERY" and is FAT32, if that tells you anything useful??

Also, in the process of reformatting, I will take my USB HDD (which has a bootable version of Ubuntu on it) and boot into Ubuntu on the system to save any important documents/pictures etc.. so if you can recommend a Linux run anti-malware I can run on the D:/ disk before reformatting, that may solve the question of whether it is, or is not, "clean"??

Thanks for the continued support, it is much appreciated. :)


OK, the recovery partition should be OK

as for this question...

Also, in the process of reformatting, I will take my USB HDD (which has a bootable version of Ubuntu on it) and boot into Ubuntu on the system to save any important documents/pictures etc.. so if you can recommend a Linux run anti-malware I can run on the D:/ disk before reformatting, that may solve the question of whether it is, or is not, "clean"??

I don't know, but I would ask in this part of the forum:

http://forums.malwarebytes.org/index.php?showforum=6

I'm sure you'll get your answer:

MrC


OK, the recovery partition should be OK

as for this question...

I don't know, but I would ask in this part of the forum:

http://forums.malwarebytes.org/index.php?showforum=6

I'm sure you'll get your answer:

MrC

I am more than happy to work on your educated belief that the recovery partition is okay, so will try that route, first, followed by an immediate fresh MBAM scan to check it is clean, post reformat.

If I run into any problems and/or MBAM shows signs of persistent infection, then, I will follow your advice and post in the thread you link to.

Thank you, once again (for the last time... I hope :)) for your prompt assistance - great product & great forum team!!

SV :)
