pc plodder Posted October 4, 2009

Hi guys

A few weeks ago you greatly helped my friend Nicky to clear her infected PC of a lot of suspicious stuff. Since then she has had the fraud office of her bank on the phone advising her that attempts were made to log into her bank account last Thursday while we were away at a tournament. I've been over and we've done scans with Eset, which showed nothing, and SuperAntiSpyware, which showed nothing. However Malwarebytes showed the following log and this is where we think her details have been compromised.

Malwarebytes' Anti-Malware 1.41
Database version: 2899
Windows 5.1.2600 Service Pack 3

03/10/2009 14:03:45
mbam-log-2009-10-03 (14-03-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 220355
Time elapsed: 26 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS.0\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.

Now the question. I found a free piece of software from QFX Software called KeyScrambler. Can you guys give me feedback on whether you think this would be of use to her, as it would probably defeat keyloggers. It's supposed to encrypt keystrokes and therefore defeat hackers trying to steal bank and credit card details. Thoughts please guys.

P.S. After we did all the scans above we also did an online Panda scan and it found this, which showed up the last time we had problems, so maybe it's replicating itself from somewhere?

;********************************************
ANALYSIS: 2009-10-03 17:57:47
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 0
;********************************************
PROTECTIONS
Description              Version  Active  Updated
;============================================
ESET Smart Security 3.0  3.0      Yes     Yes
;============================================
MALWARE
Id        Description        Type       Active  Severity  Disinfectable  Disinfected  Location
;============================================
03541233  HackTool/Rebooter  HackTools  No      0         Yes            No           C:\System Volume Information\_restore{BF655994-9F05-499A-8826-E96E91DC74D8}\RP121\A0058327.exe
;============================================
SUSPECTS
Sent  Location
;============================================
;============================================

Sorry if I've posted this in the wrong section.

Regards
Steve
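As an added, read-only check (not part of the original post or of any of the tools mentioned): a PowerShell script that looks for exactly the artifacts Malwarebytes and Panda reported above, so the machine can be re-checked later for the re-infection Steve suspects. The CLSID, value names and file name come from the posted logs; $env:SystemRoot stands in for the posted C:\WINDOWS.0, and the System Restore count assumes the WMI SystemRestore class available on XP-era Windows.

```powershell
# Added example: re-check for the artifacts Malwarebytes reported in the log
# above. Read-only: it reports presence, it removes nothing.
# CLSID/value names/file name come from the posted log; $env:SystemRoot
# replaces the posted C:\WINDOWS.0 so it works whatever the Windows folder is.

$clsid = '{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c}'

# Registry keys the log flagged as Trojan.BHO
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
)

# Registry values under HKLM\SOFTWARE\MSN the log flagged as Trojan.Ambler
$msnKey    = 'HKLM:\SOFTWARE\MSN'
$msnValues = 'BN', 'D1', 'D2', 'D3', 'gd', 'pr'

# File the log flagged as Malware.Trace
$traceFile = Join-Path $env:SystemRoot 'system32\inform.dat'

$findings = @()

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "registry key present: $k" }
}

if (Test-Path -LiteralPath $msnKey) {
    $props = Get-ItemProperty -LiteralPath $msnKey -ErrorAction SilentlyContinue
    foreach ($v in $msnValues) {
        # Properties[$v] is $null when the value name does not exist
        if ($null -ne $props -and $props.PSObject.Properties[$v]) {
            $findings += "registry value present: $msnKey\$v"
        }
    }
}

if (Test-Path -LiteralPath $traceFile) { $findings += "file present: $traceFile" }

# The Panda hit lived inside a System Restore point (System Volume Information).
# Count the restore points so the user knows old snapshots still exist and can
# decide whether to purge them (on XP: turn System Restore off and back on).
$rp = Get-WmiObject -Namespace root\default -Class SystemRestore -ErrorAction SilentlyContinue
if ($rp) { $findings += "System Restore points present: $(@($rp).Count)" }

if ($findings.Count -eq 0) {
    Write-Output 'None of the logged artifacts were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell prompt; a clean result here does not prove the machine is clean, it only shows that these particular items have not returned.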
Goku Posted October 4, 2009

Hello Steve.

After you have been infected with backdoor Trojans like these, the surest and only way to secure yourselves completely is to start over. If this is not feasible, then I would refrain from performing any confidential transactions on the infected computer.

The piece of software that you suggest looks legitimate and probably works too, by the looks of it, but I would not trust it blindly just to have it betray me. But the program is outrageously overpriced considering the services it offers.

I am sure the security experts can help you get rid of the remnants if your friend is willing. They should at least be able to safeguard your computer so that no further data is leaked to the hacker.

Hope that helps. :)

-- Goku
pc plodder Posted October 4, 2009 (Author)

Thanks Goku, I'll place this in the security sub-forum then.

Thanks for the info re: software. They do a free version apparently.

Thanks again.

Regards
Steve
Goku Posted October 4, 2009

No problem Steve. Please ask if you have any more questions. That's what I am here for. :)

-- Goku
Tootech Posted October 4, 2009

The Panda scan has found some remnants of an infection stored in a Restore point. Goku pointed you in the right direction. The machine needs to be taken offline and Windows reinstalled.

Any computer that has been compromised and cleaned has a question mark hanging over it: is it 100% clean or not? In a large number of cases the infections are not of too much concern, but some trojans and rootkits are of great concern, and even the specialist malware removal sites such as Bleeping Computer at times recommend a full rebuild, as do Microsoft incidentally.

Put another way: if my PC had been compromised, and I had been advised of attempted bank account fraud, I would take all steps necessary to make sure I was secure, and that includes a wipe and rebuild of my PC.

Others may have a different view...
pc plodder Posted October 4, 2009 (Author)

Thanks Tootech, I'll put that forward to Nicky. Thanks for your time.

Regards
Steve
RandyL Posted October 4, 2009

You all make good points, including the fact that the only real way to make sure the system is clean, especially when it is an infection of this type that can compromise banking details, is to run a full reinstall.

Since pc plodder has now also posted in Malware Removal ("P.C seems to keep getting infected"), let's move on to that thread and continue there if you don't mind.