
Found a few Trojans and PUPs; are they keyloggers?


6 replies to this topic

#1
DiazDiaz

    New Member

  • Members
  • 8 posts
Just finished running a scan not too long ago and, to my surprise, a couple of trojans and PUPs popped up and it made me wonder: is a trojan necessarily a keylogger? While the presence of trojans is never a good thing, I feel secure once I have them off my system, but I'm not so sure if I should be. Is there an actual distinction between trojans and keyloggers? I intend to change all of my passwords no matter what, but the possibility that keyloggers made it onto my system worries me because I've been using my debit card recently. Posted below is the log file. How worried should I be?

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.07.13

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Dave :: DAVE-PC [administrator]

9/11/2012 1:12:17 AM
mbam-log-2012-09-11 (04-06-04).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 718509
Time elapsed: 2 hour(s), 48 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 16
HKCR\CLSID\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKCR\TypeLib\{44444444-4444-4444-4444-440044344491} (PUP.GamePlayLab) -> No action taken.
HKCR\Interface\{55555555-5555-5555-5555-550055345591} (PUP.GamePlayLab) -> No action taken.
HKCR\CrossriderApp0003491.BHO.1 (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKCR\CrossriderApp0003491.BHO (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vid-Saver (Adware.GamePlayLabs) -> No action taken.
HKCR\CrossriderApp0003491.FBApi (PUP.CrossFire.Gen) -> No action taken.
HKCR\CrossriderApp0003491.FBApi.1 (PUP.CrossFire.Gen) -> No action taken.
HKCR\CrossriderApp0003491.Sandbox (PUP.CrossFire.Gen) -> No action taken.
HKCR\CrossriderApp0003491.Sandbox.1 (PUP.CrossFire.Gen) -> No action taken.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|kowuzpecxaxj (Trojan.Phex.THAGen9) -> Data: C:\Users\Dave\kowuzpecxaxj.exe -> No action taken.
HKCU\Software\InstalledBrowserExtensions\215 Apps|3491 (PUP.CrossFire.SA) -> Data: Vid-Saver -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Users\Dave\kowuzpecxaxj.exe (Trojan.Phex.THAGen9) -> No action taken.
C:\Program Files (x86)\Vid-Saver\Vid-Saver.dll (PUP.GamePlayLab) -> No action taken.
C:\$Recycle.Bin\S-1-5-18\$dacfecbb120bc22c1fb9e19fdbbb9e61\n (Trojan.0Access) -> No action taken.
C:\$Recycle.Bin\S-1-5-18\$dacfecbb120bc22c1fb9e19fdbbb9e61\U\00000001.@ (Trojan.0Access) -> No action taken.
C:\$Recycle.Bin\S-1-5-18\$dacfecbb120bc22c1fb9e19fdbbb9e61\U\80000000.@ (Trojan.0Access) -> No action taken.
C:\$Recycle.Bin\S-1-5-18\$dacfecbb120bc22c1fb9e19fdbbb9e61\U\800000cb.@ (Trojan.0Access) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-921460983-3056730930-4089156627-1000\$dacfecbb120bc22c1fb9e19fdbbb9e61\n (Trojan.0Access) -> No action taken.
C:\Program Files (x86)\Vid-Saver\Uninstall.exe (Adware.GamePlayLabs) -> No action taken.
C:\Users\Dave\AppData\Local\Temp\422516914.exe (Trojan.Phex.THAGen9) -> No action taken.

(end)
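As an added illustration for the question in this post (not code from the thread, from Malwarebytes, or from any of the posters), the script below parses scan-log lines in the format shown above and produces a defender's triage summary: detections grouped by the family prefix (Trojan, PUP, Adware), registry launch points (Run values, Browser Helper Objects) that indicate persistence, whether a family the replies identify as a backdoor (Trojan.0Access, i.e. ZeroAccess) is present, which Run targets correspond to a detected file, how many items are still marked "No action taken.", and whether each section's declared count matches the entries listed under it. The sample log is a constructed subset of the posted log with the section counts adjusted to match; the category split by family prefix, the persistence markers and the backdoor family set are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: a subset of the detection lines from the scan log posted
# above, with section counts adjusted to match the subset. A raw string is
# required because the Windows paths contain "\U" and "\$".
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.65.0.1400
Scan type: Full scan (C:\|)

Registry Keys Detected: 3
HKCR\CLSID\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vid-Saver (Adware.GamePlayLabs) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|kowuzpecxaxj (Trojan.Phex.THAGen9) -> Data: C:\Users\Dave\kowuzpecxaxj.exe -> No action taken.
HKCU\Software\InstalledBrowserExtensions\215 Apps|3491 (PUP.CrossFire.SA) -> Data: Vid-Saver -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\Dave\kowuzpecxaxj.exe (Trojan.Phex.THAGen9) -> No action taken.
C:\Program Files (x86)\Vid-Saver\Vid-Saver.dll (PUP.GamePlayLab) -> No action taken.
C:\$Recycle.Bin\S-1-5-18\$dacfecbb120bc22c1fb9e19fdbbb9e61\U\00000001.@ (Trojan.0Access) -> No action taken.
C:\Users\Dave\AppData\Local\Temp\422516914.exe (Trojan.Phex.THAGen9) -> No action taken.

(end)
"""

# "<Section> Detected: <n>" opens a section; every following line up to the next
# section is one detection: "<item> (<family>) [-> Data: <value>] -> <action>".
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<action>[^>]+)$"
)

# Assumptions for this example: registry locations that load code at logon or
# browser start, and the family the replies in this thread call a backdoor.
PERSISTENCE_MARKERS = (r"\CurrentVersion\Run|", r"\Browser Helper Objects")
BACKDOOR_FAMILIES = {"Trojan.0Access"}


def parse_log(text):
    """Return (detections, declared_counts) from scan-log text."""
    detections, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            declared[section] = int(m.group("count"))
            continue
        # Header lines precede the first section; "(No malicious items
        # detected)" and "(end)" are filler, not detections.
        if section is None or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return detections, declared


def triage(text):
    """Summarise a scan log from a defender's point of view."""
    detections, declared = parse_log(text)
    parsed = Counter(d["section"] for d in detections)
    persistence = [d for d in detections
                   if d["section"].startswith("Registry")
                   and any(mk in d["item"] for mk in PERSISTENCE_MARKERS)]
    run_targets = {d["data"] for d in persistence if d["data"]}
    detected_files = {d["item"] for d in detections if d["section"] == "Files"}
    return {
        "by_category": dict(Counter(d["family"].split(".")[0] for d in detections)),
        "families": sorted({d["family"] for d in detections}),
        "backdoor_families": sorted({d["family"] for d in detections
                                     if d["family"] in BACKDOOR_FAMILIES}),
        "persistence": [d["item"] for d in persistence],
        # Run entries whose target path is itself a detected file.
        "launch_targets_confirmed": sorted(run_targets & detected_files),
        "untreated": sum(1 for d in detections if d["action"] == "No action taken."),
        # Declared section counts that differ from the entries actually listed
        # (a truncated or edited log shows up here).
        "count_mismatches": {s: (n, parsed.get(s, 0))
                             for s, n in declared.items() if n != parsed.get(s, 0)},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The useful signals for the question asked in this post are `backdoor_families` (a backdoor family means the remote operator could have installed anything, keylogger included, so the family label alone does not settle it) and `launch_targets_confirmed`, which ties the Run value to the file it launches; `untreated` being non-zero says the log was produced before removal was applied.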

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 26,820 posts
  • Gender:Male
  • Location:US
Hello and welcome to Malwarebytes

Your computer appears to be infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

We can attempt to clean this machine but we cannot guarantee that it will be 100% secure afterwards nor that we can repair whatever damage may have already been done.

If you decide to clean it, see below.

Here are the steps needed to try to get your computer cleaned.
Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:
  • Option 1 - Free Expert advice in the Malware Removal Forum
  • Option 2 - Paying customer - Contact Support via email
  • Option 3 - Premium, Fee-Based Support
OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems or infections you may have.

  • Please read and follow the directions here, skipping any steps you are unable to complete.
  • After posting your new post, make sure under options, you select Follow this topic and choose Instantly, so that you're alerted when someone has replied to your post.
NOTE: Please do not post back to (bump) your topic within the first 48 hours.
Replying to your own posts changes the post count and helpers are looking for topics with zero replies.
If you reply to your own post helpers may think that you're already being helped and thus overlook your post.

    • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
      Or
    • You may send a Private Message to a Moderator asking for assistance.
OPTION 2

Alternatively, as a paying customer, you can contact the help desk here


OPTION 3

If you would like to use our Malwarebytes Premium Consumer Services partner (comprehensive solutions to all your computer support needs, from installation and set-up to troubleshooting and tune-ups), go to our Malwarebytes Premium Services support site.


Please be patient, someone will assist you as soon as possible.


Ron Lewis
Manager, Online Support


#3
DiazDiaz

    New Member

  • Members
  • 8 posts
I started looking into 0access and wound up downloading RogueKiller. I removed all the infection MBAM showed, but the rescan with RogueKiller showed two entries for 0access in the registry. I used RogueKiller to delete them, re-scanned, and haven't found anything else so far.

#4
daledoc1

    Forum Deity

  • Spam Hunters
  • 7,703 posts
  • Gender:Not Telling
Hi, DiazDiaz:

ZeroAccess is a really severe infection that can cause major system damage, aside from the privacy concerns.
It often requires several powerful tools and the help of a qualified expert to fully clean it.

It's up to you, but it would still be advisable to follow forum Admin AdvancedSetup's advice to have one of the malware helpers check your system.

Just a suggestion, :)

daledoc1
Just a home user & forum volunteer
DT1: Win7/Ult/64 SP1; Intel Core i7-3770 @3.4 GHz; 16 GB RAM; NVidia GeForce GT620; IE9; Fx 21.0; TB 17.0.6; Cable HSI; MBAM PRO 1.75.0.1300; KIS2013; SAS Free; CCleaner
DT2: Win7 Ult/64 SP1; Intel Core i7-860 @2.8 GHz; 8 GB RAM; ATI Radeon HD 5770; IE 9, Fx 21.0; TB 17.0.6; Cable HSI; MBAM PRO 1.75.0.1300; KIS2013; SAS Free; CCleaner.
LT: Win7 Pro/32 SP1; Intel Core 2 Duo @2.8 GHz; 4 GB RAM; NVIDIA Quadro NVS 160M; IE 9; Fx 21.0; TB 17.0.6; WLAN; MBAM PRO 1.75.0.1300; KIS2013; SAS Free; CCleaner.

#5
DiazDiaz

    New Member

  • Members
  • 8 posts

daledoc1, on 11 September 2012 - 05:30 AM, said:

Hi, DiazDiaz:

ZeroAccess is a really severe infection that can cause major system damage, aside from the privacy concerns.
It often requires several powerful tools and the help of a qualified expert to fully clean it.

It's up to you, but it would still be advisable to follow forum Admin AdvancedSetup's advice to have one of the malware helpers check your system.

Just a suggestion, :)

daledoc1

You're right. I created a thread in the appropriate forum. http://forums.malwar...howtopic=115635

For the time being, I'm just bombarding the problem with every anti-rootkit tool I can while changing all of my passwords from my secure laptop.

#6
daledoc1

    Forum Deity

  • Spam Hunters
  • 7,703 posts
  • Gender:Not Telling

DiazDiaz, on 11 September 2012 - 05:48 AM, said:

You're right. I created a thread in the appropriate forum. http://forums.malwar...howtopic=115635

Good idea! :)
The experts will assist you with checking and cleaning the system.

Quote

For the time being, I'm just bombarding the problem with every anti-rootkit tool I can

It might be best to wait for the experts -- some of the removal tools are very powerful and, when used incorrectly, can also damage the system.
Again, just a suggestion. :)

Quote

while changing all of my passwords from my secure laptop.

Excellent and very important idea! :)

Good luck!

daledoc1

#7
AdvancedSetup

    Forum Deity

  • Administrators
  • 26,820 posts
  • Gender:Male
  • Location:US
Self-medicating the problem often makes it worse. Some tools will not detect or work properly if another tool has removed triggers they're looking for.
Ron Lewis
Manager, Online Support