windows vista post infection



#1 donniejj


Posted 06 December 2011 - 12:46 PM

I have Windows Vista. I had, I guess, the Rogue virus (fake malware computer scan) pop up on my computer. I deleted it with Malwarebytes Anti-Malware in safe mode. After restarting, my Microsoft Security found a "trojan". I deleted that and restarted. The virus is gone, but now my keyboard does not work. I can plug in an external keyboard and that works. I ran Malwarebytes again without any threats noted. I ran AVG without any threats noted. What is my next step?


#2 cryptodan


Posted 06 December 2011 - 01:19 PM

Can you post the logs from the scans with Malwarebytes and MS Security Essentials?

#3 donniejj


Posted 06 December 2011 - 03:15 PM

I hope this helps

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8261

Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.17037

12/5/2011 5:41:59 PM
mbam-log-2011-12-05 (17-41-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 235780
Time elapsed: 39 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.CycBot) -> Value: Load -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9B9.exe (Backdoor.CycBot.Gen) -> Value: 9B9.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Yvonne\AppData\Local\ovi.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\5609.sys (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\Users\Yvonne\AppData\Roaming\microsoft\3204\9B9.exe (Backdoor.CycBot.Gen) -> Quarantined and deleted successfully.


MSE:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft Antimalware" />
<EventID Qualifiers="0">1116</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-12-06T00:31:12.000Z" />
<EventRecordID>194622</EventRecordID>
<Channel>System</Channel>
<Computer>Yvonne-PC</Computer>
<Security />
</System>
<EventData>
<Data>%%860</Data>
<Data>3.0.8402.0</Data>
<Data>{BDD26EAD-3CDB-41E9-A6C0-B58C1D2C4FBA}</Data>
<Data>2011-12-06T00:28:25.139Z</Data>
<Data />
<Data />
<Data>2147650329</Data>
<Data>Trojan:WinNT/Simda.gen!A</Data>
<Data>5</Data>
<Data>Severe</Data>
<Data>8</Data>
<Data>Trojan</Data>
<Data>http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:WinNT/Simda.gen!A&threatid=2147650329</Data>
<Data>1</Data>
<Data />
<Data>1</Data>
<Data>3</Data>
<Data>%%818</Data>
<Data>System</Data>
<Data>NT Authority\System</Data>
<Data />
<Data>driver:_Wdf01000;file:_C:\Windows\System32\drivers\Wdf01000.sys</Data>
<Data>1</Data>
<Data>%%845</Data>
<Data>1</Data>
<Data>%%813</Data>
<Data>2</Data>
<Data>%%823</Data>
<Data>0</Data>
<Data>9</Data>
<Data>%%887</Data>
<Data />
<Data>0x00000000</Data>
<Data>The operation completed successfully.</Data>
<Data />
<Data>0</Data>
<Data>0</Data>
<Data>No additional actions required</Data>
<Data />
<Data />
<Data>AV: 1.117.358.0, AS: 1.117.358.0, NIS: 0.0.0.0</Data>
<Data>AM: 1.1.7903.0, NIS: 0.0.0.0</Data>
</EventData>
</Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft Antimalware" />
<EventID Qualifiers="0">1117</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-12-06T16:42:19.000Z" />
<EventRecordID>195049</EventRecordID>
<Channel>System</Channel>
<Computer>Yvonne-PC</Computer>
<Security />
</System>
<EventData>
<Data>%%860</Data>
<Data>3.0.8402.0</Data>
<Data>{CCDE7477-0CFB-4163-A3C9-2C2E9ED6DACC}</Data>
<Data>2011-12-06T16:42:04.782Z</Data>
<Data />
<Data />
<Data>2147638259</Data>
<Data>Exploit:Java/CVE-2008-5353.QS</Data>
<Data>5</Data>
<Data>Severe</Data>
<Data>30</Data>
<Data>Exploit</Data>
<Data>http://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:Java/CVE-2008-5353.QS&threatid=2147638259</Data>
<Data>4</Data>
<Data />
<Data>2</Data>
<Data>3</Data>
<Data>%%818</Data>
<Data>C:\PROGRA~1\AVG\AVG2012\avgrsx.exe</Data>
<Data>NT AUTHORITY\SYSTEM</Data>
<Data />
<Data>containerfile:_C:\Users\Yvonne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\1eff77e1-77b09ed5;file:_C:\Users\Yvonne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\1eff77e1-77b09ed5->dev/s/LoaderX.class</Data>
<Data>1</Data>
<Data>%%845</Data>
<Data>1</Data>
<Data>%%813</Data>
<Data>0</Data>
<Data>%%822</Data>
<Data>0</Data>
<Data>3</Data>
<Data>%%808</Data>
<Data />
<Data>0x00000000</Data>
<Data>The operation completed successfully.</Data>
<Data />
<Data>0</Data>
<Data>0</Data>
<Data>No additional actions required</Data>
<Data>Yvonne-PC\Yvonne</Data>
<Data />
<Data>AV: 1.117.457.0, AS: 1.117.457.0, NIS: 0.0.0.0</Data>
<Data>AM: 1.1.7903.0, NIS: 0.0.0.0</Data>
</EventData>
</Event>
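The two artefacts in the post above are exactly what a helper in a thread like this has to read by hand: a Malwarebytes text log and Microsoft Antimalware events copied from Event Viewer's XML view. The script below is an added example, not code from the thread, from Malwarebytes or from Microsoft. It parses both formats into structured records, flags the registry hits that sit in well-known autostart locations (Winlogon\Shell, the Run key and the Windows\Load value, which is what makes this a persistence problem rather than just a dropped file), and pulls the threat name, severity, category, scanned path and signature version out of each 1116 (detected) and 1117 (action taken) event. The sample input is constructed from the values posted above; the `<Data>` positions used for the event fields are an assumption inferred from those two events, and the `%%NNN` tokens are message-table placeholders that Event Viewer normally resolves, so they are kept verbatim.

```python
"""Parse the artefacts posted in this thread: a Malwarebytes' Anti-Malware (MBAM)
log and Microsoft Antimalware (MSE) events copied from Event Viewer's XML view.
All sample input below is constructed from values in the thread."""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample: detection lines taken from the MBAM log in post #3.
MBAM_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.CycBot) -> Value: Load -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9B9.exe (Backdoor.CycBot.Gen) -> Value: 9B9.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\Temp\5609.sys (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\Users\Yvonne\AppData\Roaming\microsoft\3204\9B9.exe (Backdoor.CycBot.Gen) -> Quarantined and deleted successfully.
"""

# One MBAM detection line: "<path> (<detection>) -> [Value: <v> -> ]<action>"
_MBAM_LINE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^)]+)\) -> (?:Value: (?P<value>.+?) -> )?(?P<action>.+)$")

# Well-known autostart (ASEP) locations: a hit here is a persistence mechanism.
_ASEP_PATTERNS = [
    re.compile(r"\\Windows NT\\CurrentVersion\\Windows\\Load$", re.I),
    re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.I),
    re.compile(r"\\CurrentVersion\\Run\\", re.I),
]

def parse_mbam(text):
    """Group MBAM detection lines by their '... Infected:' section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        if line.endswith("Infected:"):
            current = line[:-1]
            sections[current] = []
            continue
        m = _MBAM_LINE.match(line)
        if current and m:
            sections[current].append(m.groupdict())
    return sections

def autostart_hits(sections):
    """Registry paths from the log that sit in a known autostart location."""
    return [f["path"] for f in sections.get("Registry Values Infected", [])
            if any(p.search(f["path"]) for p in _ASEP_PATTERNS)]

NS = "http://schemas.microsoft.com/win/2004/08/events/event"
# <Data> positions as observed in the 1116/1117 events in this thread (assumed
# layout). %%NNN values are placeholders that Event Viewer resolves from the
# provider's message table; they are kept verbatim here.
THREAT, SEVERITY, CATEGORY, PATH, ACTION, SIGVER = 7, 9, 11, 21, 30, 40
EVENT_KIND = {1116: "detected", 1117: "action taken"}

def _sample_event(event_id, record_id, fields):
    """Constructed event in Event Viewer's XML form with 42 <Data> slots."""
    data = [""] * 42
    for i, v in fields.items():
        data[i] = v
    body = "".join(f"<Data>{html.escape(v)}</Data>" for v in data)
    return (f'<Event xmlns="{NS}"><System><Provider Name="Microsoft Antimalware"/>'
            f'<EventID Qualifiers="0">{event_id}</EventID><EventRecordID>{record_id}'
            f"</EventRecordID><Channel>System</Channel><Computer>Yvonne-PC</Computer>"
            f"</System><EventData>{body}</EventData></Event>")

SAMPLE_MSE_XML = "<Events>" + _sample_event(1116, 194622, {
    THREAT: "Trojan:WinNT/Simda.gen!A", SEVERITY: "Severe", CATEGORY: "Trojan",
    PATH: r"driver:_Wdf01000;file:_C:\Windows\System32\drivers\Wdf01000.sys",
    ACTION: "%%887", SIGVER: "AV: 1.117.358.0, AS: 1.117.358.0, NIS: 0.0.0.0",
}) + _sample_event(1117, 195049, {
    THREAT: "Exploit:Java/CVE-2008-5353.QS", SEVERITY: "Severe", CATEGORY: "Exploit",
    PATH: r"containerfile:_C:\Users\Yvonne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\1eff77e1-77b09ed5;"
          r"file:_C:\Users\Yvonne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\1eff77e1-77b09ed5->dev/s/LoaderX.class",
    ACTION: "%%808", SIGVER: "AV: 1.117.457.0, AS: 1.117.457.0, NIS: 0.0.0.0",
}) + "</Events>"

def parse_mse_events(xml_text):
    """Pull the fields an analyst cares about out of each Antimalware event."""
    out = []
    for ev in ET.fromstring(xml_text).iter(f"{{{NS}}}Event"):
        eid = int(ev.findtext(f"{{{NS}}}System/{{{NS}}}EventID"))
        data = [d.text or "" for d in ev.find(f"{{{NS}}}EventData")]
        out.append({"event_id": eid, "kind": EVENT_KIND.get(eid, "other"),
                    "threat": data[THREAT], "severity": data[SEVERITY],
                    "category": data[CATEGORY], "path": data[PATH],
                    "action": data[ACTION], "signatures": data[SIGVER]})
    return out

def split_resource_path(path):
    """MSE resource string 'type:_value;type:_value' -> [(type, value), ...]."""
    return [tuple(seg.split(":_", 1)) for seg in path.split(";")]

if __name__ == "__main__":
    mbam = parse_mbam(MBAM_LOG)
    print("autostart locations touched:", *autostart_hits(mbam), sep="\n  ")
    for e in parse_mse_events(SAMPLE_MSE_XML):
        print(e["event_id"], e["kind"], e["threat"], split_resource_path(e["path"]))
```

Run on the sample, the MBAM side reports three autostart locations touched (Load, Winlogon\Shell and Run; the ProxyServer value is a browser setting, not an ASEP), and the MSE side yields one detection and one action event whose resource strings split cleanly into their `driver`, `containerfile` and `file` parts, which is how you see that the second event concerns a class inside a Java cache file rather than the cache file itself.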



