How to tell if still infected


1 reply to this topic

#1 Matt100uk
Posted 13 December 2009 - 07:10 AM

I am trying to fix a comp that I found some malware on yesterday. I ran Malwarebytes and Spybot Search and Destroy, and they found the following:

Rogue.registrysmart
Rogue.Spywarebot
Rogue.antimalwarepro
Adware.navipromo
Adware.EGDAccess
egroup.instantaccess
rogue.drive cleaner

I know the person whose comp this is thought some of those were legit packages, so downloaded them, I think. The dialer is also pretty worrying, though they haven't noticed anything strange about their phone/internet bill.

What the scans found was quarantined and then removed by the above packages (they found different elements; sorry, I don't have the exact logs for Spybot, but my Malwarebytes one is below). Will the comp be clean now? I have also run SUPERAntiSpyware and that has found nothing but tracking cookies, which I removed. I'm currently running Ad-Aware, but it doesn't look like it's found anything. How can I tell if the comp is clean, particularly as the dialer sounds dangerous? Are any of these very, very dangerous? My friend internet banks and stuff on here, I think, but there's been no strange activity or anything like that, so I don't think anything like passwords has been stolen. Should I panic?

Any advice would be very helpful, like how to know if I'm clean and, if there's stuff there, how to remove it. Should I post a HijackThis log? My scans all seem to be coming back clean right now.


Here is my infected Malwarebytes log, though, in case it helps:

Malwarebytes' Anti-Malware 1.42
Database version: 3349
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/12/2009 17:04:56
mbam-log-2009-12-12 (17-04-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 161142
Time elapsed: 46 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 11
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a_m_p_net (Rogue.AntiMalwarePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\(default) (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\microsoft.vc80.mfc\(default) (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\microsoft.vc80.crt\(default) (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Mally\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\SpywareBot\Log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\SpywareBot\Settings (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Microsoft.VC80.CRT (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Microsoft.VC80.MFC (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Mally\Application Data\RegistrySmart\Log\2008 Jan 14 - 10_49_15 PM_187.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\RegistrySmart\Log\2008 Jan 14 - 10_49_17 PM_968.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\RegistrySmart\Registry Backups\2007-12-25_21-50-15.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\SpywareBot\rs.dat (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\SpywareBot\Log\2008 Jan 14 - 10_40_53 PM_234.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\SpywareBot\Log\2008 Jan 14 - 10_40_55 PM_640.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mally\Application Data\SpywareBot\Settings\ScanResults.pie (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\AVP 2009\1.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yitasymbw_nav.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Edited by Matt100uk, 13 December 2009 - 07:42 AM.
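As an added example (not from the original post, and not a Malwarebytes tool), the script below parses a Malwarebytes 1.x log of the shape posted above and pulls out the entries worth re-checking after a reboot and a fresh scan: autostart `Run` values, scheduled-task `.job` files, and files dropped under `C:\WINDOWS`. The embedded sample is an abridged copy of the log above; which paths count as persistence points is this example's own assumption. The script only reads log text and never touches the registry or file system.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and list the entries that
would indicate a live infection if they reappeared after a reboot.

Added example for this thread, not a Malwarebytes tool. The log format is
taken from the poster's log; the PERSISTENCE_PATTERNS heuristics are this
example's own assumption."""
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the log posted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.42
Database version: 3349

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a_m_p_net (Rogue.AntiMalwarePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\(default) (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\yitasymbw_nav.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
"""

# "Registry Values Infected:" opens a section; "Registry Values Infected: 4"
# (the summary block) has a trailing count and is deliberately not matched.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# "<path> (<family>) -> <action>."  The path may itself contain parentheses,
# e.g. "...\(default)", so the family is anchored on the ") -> " that follows it.
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumed heuristics for "would come back on its own if something still
# restores it": autostart values, task scheduler jobs, files under Windows.
PERSISTENCE_PATTERNS = [
    ("autostart registry value", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("scheduled task", re.compile(r"\\WINDOWS\\Tasks\\.*\.job$", re.I)),
    ("file in Windows directory", re.compile(r"^C:\\WINDOWS\\", re.I)),
]


def parse_mbam_log(text):
    """Return {section: [{'path', 'family', 'action'}, ...]} for every detection."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append(m.groupdict())
    return dict(sections)


def persistence_entries(sections):
    """(kind, path, family) for each detection that matches a persistence pattern."""
    hits = []
    for entries in sections.values():
        for e in entries:
            for kind, rx in PERSISTENCE_PATTERNS:
                if rx.search(e["path"]):
                    hits.append((kind, e["path"], e["family"]))
                    break
    return hits


def families(sections):
    """How many artifacts each detection family accounted for."""
    counts = defaultdict(int)
    for entries in sections.values():
        for e in entries:
            counts[e["family"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("Detections per family:", families(parsed))
    print("Re-check after reboot and a fresh scan:")
    for kind, path, family in persistence_entries(parsed):
        print(f"  [{kind}] {path}  ({family})")
```

Run against the full log, this gives a short list to compare against the next scan: if the `Run` value, the `.job` file, or the `system32` files show up again after a reboot, something on the machine is still restoring them and the removal was not complete; if a second scan comes back with only the cookie hits, the listed artifacts at least have not returned.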



#2 xblindx
Posted 13 December 2009 - 08:57 AM

It looks clean to me, but you can always do a check with an online scanner.

Please run a BitDefender Online Scan:
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on "Click here to export the scan results".
  • Save the report to your desktop so you can post it in your next reply.
