Noticed strange activity on boyfriend's parents' laptop and desktop PC that of course use the same network. They are also used occasionally by boyfriend's dad to remotely connect to his work (reason for Citrix, Kaseya Agent and RealVNC that his company's IT Contractor uses). I was under the impression that security protection was managed through this as well. Recently though, I noticed strange activity on the laptop. Unsuccessful attempts for info on the anti-virus caused me to download/run MSE and uninstall AVG (IT Contractor use). MSE found and removed over 10 severe trojans & malware, on 4/30/11. I then purchased and now run Malwarebytes' Pro as well, which has not found anything during scans as of yet but has blocked many items...THANK YOU FOR REAL-TIME PROTECTION! The laptop did have to be accessed and looked at by the IT Contractor due to protocol, and I was personally told by the Contractor that it was okay to run more than one anti-virus and that the more protection the better. Ummm weird? Anyways, with a few lingering issues and being told by 3 "knowledgeable" people that everything looked to be fine, my boyfriend's visiting brother clicked on the pop-up of the rogue XP Security 11 on the desktop PC, on 5/17/11. I instantly grabbed my Malwarebytes' CD, installed (did not register), updated, and scanned in Safe Mode a few times until I got a clean log, with only 13 objects found and removed. I then uninstalled AVG, downloaded and now run MSE (nothing found in any scans) on the desktop PC as well. I also bought a new router which was installed this past Saturday 5/21/11 by one of the "knowledgeable" people. My boyfriend's dad went out of town yesterday so he had to take along the laptop, so I am using the desktop (till Wednesday night) and have gotten redirected to Yahoo when trying to use Google. Now reaching ultimate frustration I come to seek advice from you, almighty Malwarebytes' Team. PLEASE HELP!
Malwarebytes' has run clean since the 17th, so here is what I can fit of the Malwarebytes' logs with the found objects. I will attempt the DeFogger and DDS/GMER while I wait for your response.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5/17/2011 8:37:20 PM

mbam-log-2011-05-17 (20-37-20).txt

Scan type: Quick scan

Objects scanned: 192476

Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6603

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5/17/2011 9:29:37 PM

mbam-log-2011-05-17 (21-29-37).txt

Scan type: Full scan (A:\|C:\|D:\|)

Objects scanned: 256526

Time elapsed: 16 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\dell\Local Settings\Application Data\qjb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\dell\Local Settings\Application Data\qjb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\dell\Local Settings\Application Data\qjb.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\dell\application data\Sun\Java\deployment\cache\6.0\44\7f8027ac-2a40c2c9 (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\dell\application data\Sun\Java\deployment\cache\6.0\44\7f8027ac-30223027 (Malware.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\dell\local settings\application data\qjb.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\dell\local settings\application data\xwr.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

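The logs above list every detection in MBAM's one-line format (item, family in parentheses, then "->"-separated detail and action fields). As an added example, not part of this thread and not Malwarebytes' own code, here is a small Python parser that turns that format into structured records, checks the per-section counts in the summary block against the entries actually present (which catches a truncated paste like "what I can fit of the logs"), and groups the findings the way a defender would follow them up: executable-path hijacks that must be verified as restored, Security Center notification tampering, and dropped files. The sample log is excerpted from the logs posted above, with the summary counts adjusted to match the trimmed excerpt; the triage categories are this example's own assumptions, not Malwarebytes' classification.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs into structured detections.

Added example, not part of the original thread and not Malwarebytes' own code.
"""
import re
from dataclasses import dataclass

# Excerpt of the logs posted in the thread, trimmed; summary counts were
# adjusted so they agree with the entries kept in this excerpt.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6603
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Scan type: Full scan (A:\|C:\|D:\|)

Memory Processes Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\dell\Local Settings\Application Data\qjb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\dell\local settings\application data\qjb.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\dell\local settings\application data\xwr.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str   # e.g. "Registry Values Infected"
    item: str      # registry path or file path
    family: str    # MBAM detection name, e.g. "Hijack.ExeFile"
    details: str   # middle "->" fields such as "Bad: (...) Good: (...)"
    action: str    # final field, e.g. "Quarantined and deleted successfully."


# Summary block lines carry a count; section headers end with a bare colon.
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# The family is the last parenthesised token of the part before the first "->".
# Splitting on " -> " first avoids matching "(default)" inside the item path.
HEAD_RE = re.compile(r"^(?P<item>.*) \((?P<family>[^()]+)\)$")


def parse_mbam_log(text):
    """Return (summary counts by section, list of Detection) for one MBAM log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["name"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        parts = line.split(" -> ")
        head = HEAD_RE.match(parts[0]) if len(parts) >= 2 else None
        if head is None:
            continue  # header lines such as "Scan type:" never reach here
        detections.append(Detection(section, head["item"], head["family"],
                                    " ".join(parts[1:-1]), parts[-1]))
    return summary, detections


def check_counts(summary, detections):
    """List (section, expected, actual) where the pasted entries do not match
    the summary block, which is how a truncated paste shows up."""
    mismatches = []
    for name, expected in summary.items():
        actual = sum(1 for d in detections if d.section == name)
        if actual != expected:
            mismatches.append((name, expected, actual))
    return mismatches


def triage(detections):
    """Group detections by the follow-up a defender owes them (assumed categories)."""
    groups = {"execution_hijack": [], "security_center_tampering": [],
              "dropped_files": [], "other": []}
    for d in detections:
        if d.family.startswith("Hijack.") or r"\shell\open\command" in d.item.lower():
            groups["execution_hijack"].append(d)        # verify key now points at the real binary
        elif d.family == "PUM.Disabled.SecurityCenter":
            groups["security_center_tampering"].append(d)  # confirm AV/firewall alerts are back on
        elif d.section == "Files Infected":
            groups["dropped_files"].append(d)           # confirm file is gone after reboot
        else:
            groups["other"].append(d)
    return groups


if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    for name, expected, actual in check_counts(summary, dets):
        print(f"count mismatch in '{name}': summary says {expected}, found {actual}")
    for group, items in triage(dets).items():
        for d in items:
            print(f"[{group}] {d.family}: {d.item}")
```

Running the block on a log that is pasted in full prints only the grouped findings; if the paste was cut short, `check_counts` reports which section lost entries, so a helper can ask for the complete log before concluding the machine is clean.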

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.


  • 2 weeks later...
  • Staff

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
