New Member
jreed
Posts: 1
Registered: 06-15-2012
Accepted Solution

Concerned about uncaught infections

I recently migrated to WSAE and had a computer start acting up yesterday. I ran the scan and it found. So, I installed the free Malwarebytes scanner and ran a full scan, which found 50 infections! Below is the log from MB. This concerns me, as it seems that WSAE missed these. Any ideas, or could I have my software set up wrong? I am using the recommended defaults.


Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
mwilt :: SHP06 [administrator]

6/14/2012 2:27:29 PM
mbam-log-2012-06-15 (08-32-04).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 517869
Time elapsed: 2 hour(s), 52 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 18
HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCR\TypeLib\{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCR\FunWebProductsInstaller.Start.1 (PUP.MyWebSearch) -> No action taken.
HKCR\FunWebProductsInstaller.Start (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> No action taken.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> No action taken.
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> No action taken.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> No action taken.
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> No action taken.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> No action taken.
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> No action taken.
HKLM\SOFTWARE\FunWebProducts (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dbbin (Trojan.Goldun) -> No action taken.

Registry Values Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{E930AC18-34DF-9FEB-63C0-198472B84820} (Trojan.Agent) -> Data: "C:\Documents and Settings\mwilt\Application Data\Oroxe\veykzi.exe" -> No action taken.
HKCU\Control Panel\don't load|scui.cpl (Hijack.SecurityCenter) -> Data: No -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ttool (Trojan.Agent) -> Data: C:\WINDOWS\9129837.exe -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network|UID (Malware.Trace) -> Data: SHP06_0BA8C06F -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Antivirus Pro 2010 (Rogue.AntiVirusPro2010) -> Data: "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide -> No action taken.

Registry Data Items Detected: 4
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> No action taken.

Folders Detected: 1
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Detected: 22
C:\Documents and Settings\mwilt\Application Data\Oroxe\veykzi.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-5-21-4157305413-1978939531-3247275655-1394\Dc1\htmlayout.dll (Spyware.OnlineGames) -> No action taken.
C:\RECYCLER\S-1-5-21-4157305413-1978939531-3247275655-1394\Dc1\wscui.cpl (Malware.Packer.Gen) -> No action taken.
C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP325\A0079970.dll (Adware.Gamevance) -> No action taken.
C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP325\A0079971.exe (Adware.Gamevance) -> No action taken.
C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP346\A0117209.DLL (PUP.FunWebProducts) -> No action taken.
C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP346\A0117210.DLL (PUP.FunWebProducts) -> No action taken.
C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP346\A0117211.DLL (PUP.FunWebProducts) -> No action taken.
C:\Documents and Settings\mwilt\Local Settings\Temp\Temporary Directory 3 for UPS Delivery Notification -NYS1U2CP5MHQ -Jan-2012 (2).zip\UPS Delivery Notification - Jan-2012.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\mwilt\Local Settings\Temp\Temporary Directory 1 for UPS Delivery Notification -NYS1U2CP5MHQ -Jan-2012 (2).zip\UPS Delivery Notification - Jan-2012.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\mwilt\Application Data\wiaserva.log (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\z98a.bin (Malware.Trace) -> No action taken.
C:\Documents and Settings\mwilt\Local Settings\Temp\tmpwr2 (Rogue.Installer) -> No action taken.
C:\Documents and Settings\mwilt\Local Settings\Temp\tmpwr3 (Rogue.Installer) -> No action taken.
C:\Documents and Settings\mwilt\Local Settings\Temp\tmpwr4 (Rogue.Installer) -> No action taken.
C:\Documents and Settings\mwilt\Local Settings\Temp\tmpwr5 (Rogue.Installer) -> No action taken.
C:\Documents and Settings\mwilt\Local Settings\Temp\tmpwr6 (Rogue.Installer) -> No action taken.
C:\Documents and Settings\mwilt\Local Settings\Temp\tmpwr7 (Rogue.Installer) -> No action taken.
C:\Documents and Settings\mwilt\Local Settings\Temp\tmpwr8 (Rogue.Installer) -> No action taken.
C:\Documents and Settings\mwilt\Local Settings\Temp\tmpwr9 (Rogue.Installer) -> No action taken.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.

(end)

Retired Webrooter
Kit
Posts: 336
Registered: 01-19-2012

Re: Concerned about uncaught infections

The only record I was able to find in our system for you by your forum-registered email is the Business Endpoint key.


I can explain PART of the situation, but without directly looking at your scan results and data, I can only guess at the rest. To get the whole thing evaluated, I would need to know the keycode or the email the keycode is under, or you would want to open a support ticket, which will also send the data.


The majority of that looks to be pre-existing traces and what MBAM calls "PUPs", or "Potentially Unwanted Programs". The downside to PUPs is that they are also potentially WANTED instead of Unwanted; therefore we do not panic the user by detecting them.


Traces are just that. They are leftover, inactive, and otherwise not a threat. They cannot do anything on their own.


There are some things of concern. For example, there is a run key and a matching executable, so that should have been detected. Interestingly enough, that specific file exists only on your computer, you scanned it yesterday, and it is definitely detected on our back-end system. So at this point, getting the basic logs would be the best way to find out what is going on, as WSA should be detecting it if it's still installed. If you installed, performed a scan, and then uninstalled, that is severely suboptimal, as the cloud had to make a determination on the file in question and that needs a chance to get back to your system.


You can open up a ticket and the installed WSA program will automatically send its operational logs; however, we'll invariably want a more thorough set of logs as well.


Thanks!


Edit:

Cross-referenced. There was some confusion because "WSAE" is our consumer "WSA Essentials", as opposed to WSAEP (Endpoint Protection). I've modified a short bit of the information above, and I'll be working to get an enterprise technician in touch with you so the situation can be evaluated. For the time being, please be cautious with the machine in question, as MBAM doesn't bother to indicate the severity of the infection.


Edit # 2:

It looks like Enterprise Support got in touch with you the same day and solved the problem. We'll consider this resolved now. Thanks!


Kit - Prior Webroot Quality Assurance / Prior Webroot Escalation Engineer
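As an added example (not code from either poster, nor from Webroot or Malwarebytes), the following Python script parses lines in the MBAM log format quoted in the first post and buckets each detection the way the reply above reasons: Run-key persistence and the file it launches, plus the Userinit hijack, first; Security Center tampering next; PUPs, traces and restore-point copies last. The sample input is a constructed subset of the quoted log, and the severity rules are this example's own heuristics, not either vendor's classifications.

```python
import re
# Constructed sample input: a subset of the MBAM log quoted in the first post, in the same line format.
SAMPLE_LOG = r"""Registry Keys Detected: 1
HKCR\FunWebProductsInstaller.Start (PUP.MyWebSearch) -> No action taken.
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{E930AC18-34DF-9FEB-63C0-198472B84820} (Trojan.Agent) -> Data: "C:\Documents and Settings\mwilt\Application Data\Oroxe\veykzi.exe" -> No action taken.
Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> No action taken.
Files Detected: 3
C:\Documents and Settings\mwilt\Application Data\Oroxe\veykzi.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP325\A0079970.dll (Adware.Gamevance) -> No action taken.
C:\WINDOWS\system32\z98a.bin (Malware.Trace) -> No action taken.
"""
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: \d+$")
HEAD_RE = re.compile(r"^(?P<loc>.+) \((?P<family>[^()]+)\)$")  # "<location> (<family>)"
INACTIVE_DIRS = ("\\system volume information\\_restore", "\\recycler\\")
def parse_mbam_log(text):
    # One dict per detection line: section, location, family, details (the middle "->" parts).
    out, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group("section")
        elif section and " -> " in line:
            head, *details, _action = line.split(" -> ")
            if h := HEAD_RE.match(head):
                out.append({"section": section, "location": h.group("loc"), "family": h.group("family"), "details": details})
    return out
def run_key_target(d):
    # Path a Run value launches (lower-cased, quotes and arguments such as /hide stripped), else None.
    data = next((x[6:] for x in d["details"] if x.startswith("Data: ")), "")
    return data.lstrip('"').split('"')[0].strip().lower() if "\\CurrentVersion\\Run|" in d["location"] else None
def severity(d, run_targets):
    # Rank as in the reply above: live persistence > security tampering > traces and PUPs (heuristic).
    fam, loc = d["family"], d["location"]
    if fam == "Hijack.UserInit" or "\\CurrentVersion\\Run|" in loc or loc.lower() in run_targets:
        return "high"    # logon-time persistence, or the very file a Run key launches
    if fam.startswith(("PUM.", "Hijack.")):
        return "medium"  # Security Center / policy tampering
    if fam.startswith("PUP.") or fam == "Malware.Trace" or any(s in loc.lower() for s in INACTIVE_DIRS):
        return "low"     # maybe-wanted programs, leftover traces, restore-point and recycle-bin copies
    return "medium"
def triage(text):
    # Bucket every detection in an MBAM log: severity -> ["family @ location", ...]
    dets = parse_mbam_log(text)
    targets = {t for t in map(run_key_target, dets) if t}
    buckets = {"high": [], "medium": [], "low": []}
    for d in dets:
        buckets[severity(d, targets)].append(f'{d["family"]} @ {d["location"]}')
    return buckets
```

Running `triage(SAMPLE_LOG)` puts the Run value, the Userinit hijack and the launched veykzi.exe in "high", the Security Center value in "medium", and the PUP key, the restore-point copy and the trace file in "low".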
