Aftereffects of XP Internet Security 2010?


No replies to this topic

#1 justbrewit

justbrewit

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 11 March 2010 - 09:01 AM

Hi,

Unfortunately, I got hit with one of the variants of the XP internet security malware. When it happened, it disabled MBAM. I was able to run a SAS scan, then I had to run the exe fixer as it had messed up all the paths to programs. This seemed to work, then I ran MBAM successfully. I will post the initial logs from the SAS and MBAM scans below.

I re-ran scans with both programs as I think I still am infected. Periodically, I will get a pop-up in both Firefox and Explorer saying "Congratulations....You have won....blah blah blah...". Also, if I do a Google search and click on a link, it will redirect me to a page that says the same as the popup above.

I have re-run MBAM and SAS this morning (with updated versions) and they both turn up nothing.

Next step???

Thanks in advance!!!

---------------------------

Initial SAS and MBAM results:

Application Version : 4.28.1010

Core Rules Database Version : 4618
Trace Rules Database Version: 2430

Scan type : Quick Scan
Total Scan Time : 00:23:08

Memory items scanned : 573
Memory threats detected : 1
Registry items scanned : 629
Registry threats detected : 0
File items scanned : 31307
File threats detected : 143

Trojan.Agent/Gen-Rogue[AV]
C:\DOCUMENTS AND SETTINGS\HUSKYPC\LOCAL SETTINGS\APPLICATION DATA\AV.EXE
C:\DOCUMENTS AND SETTINGS\HUSKYPC\LOCAL SETTINGS\APPLICATION DATA\AV.EXE
C:\WINDOWS\Prefetch\AV.EXE-27455453.pf

Adware.Tracking Cookie

-------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.44
Database version: 3829
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/6/2010 1:02:49 PM
mbam-log-2010-03-06 (13-02-49).txt

Scan type: Quick Scan
Objects scanned: 155368
Time elapsed: 7 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\fdmw.pvo (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
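A defender's check for the Userinit persistence shown in the MBAM log above, written here as an added example that is not part of this thread or of Malwarebytes' own tooling: it parses the Winlogon\Userinit lines in the MBAM log format and, independently, lists every entry of a Userinit value that is not the stock userinit.exe. The three sample lines are copied from the log in this post; the regex and function names are the example's own.

```python
import re

# Constructed sample: the three Winlogon\Userinit lines from the MBAM log in
# this thread, embedded here so the example runs offline.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
"""

# MBAM line shapes: "<key> (<threat>) -> Data: <value> -> <action>" and
# "<key> (<threat>) -> Bad: (<value>) Good: (<value>) -> <action>".
USERINIT_RE = re.compile(
    r"^(?P<key>HKEY_.+?\\Winlogon\\Userinit) \((?P<threat>[^)]+)\) -> "
    r"(?:Data: (?P<data>.+?)|Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))"
    r" -> (?P<action>.+)$"
)


def userinit_extra_entries(value):
    """Return every comma-separated entry of a Winlogon Userinit value that is
    not the stock userinit.exe in system32. A clean XP value is just
    system32's userinit.exe followed by a trailing comma; Winlogon launches
    every entry in the list, which is why Zbot appended sdra64.exe to it."""
    extras = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        directory, _, name = entry.rpartition("\\")
        stock = name.lower() == "userinit.exe" and (
            directory == "" or directory.lower().endswith("\\system32"))
        if not stock:
            extras.append(entry)
    return extras


def parse_mbam_userinit(log_text):
    """Pick the Winlogon Userinit findings out of an MBAM log and report which
    executables had been injected into the value."""
    findings = []
    for line in log_text.splitlines():
        m = USERINIT_RE.match(line.strip())
        if not m:
            continue
        if m.group("bad") is not None:
            injected = userinit_extra_entries(m.group("bad"))
        else:  # "Data:" lines name the single injected path directly
            injected = [m.group("data")]
        findings.append({"threat": m.group("threat"),
                         "injected": injected, "action": m.group("action")})
    return findings
```

Run `parse_mbam_userinit` over a saved mbam-log-*.txt to pull out the same three findings; `userinit_extra_entries` can also be pointed at a live Userinit value exported from the registry.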
