Solved

Concerned about uncaught infections

  • 15 June 2012
  • 1 reply
  • 2190 views

I recently migrated to WSAE and had a computer start acting up  yesterday.  I ran the scan and it found.  So, I installed the free malwarebytes scanner and ran a full scan which found 50 infections!  Below is the log from mb.   This concerns me as it seems that WSAE missed these.  Any ideas or could I have my software set up wrong?  I am using the recommended defaults.
 
Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
mwilt :: SHP06 [administrator]

6/14/2012 2:27:29 PM
mbam-log-2012-06-15 (08-32-04).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 517869
Time elapsed: 2 hour(s), 52 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 18
HKCRCLSID{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCRTypeLib{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCRInterface{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCRFunWebProductsInstaller.Start.1 (PUP.MyWebSearch) -> No action taken.
HKCRFunWebProductsInstaller.Start (PUP.MyWebSearch) -> No action taken.
HKCUSOFTWAREMicrosoftWindowsCurrentVersionExtStats{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExtPreApproved{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorer{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> No action taken.
HKU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionExplorer{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> No action taken.
HKUS-1-5-18SOFTWAREMicrosoftWindowsCurrentVersionExplorer{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> No action taken.
HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> No action taken.
HKU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> No action taken.
HKUS-1-5-18SOFTWAREMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> No action taken.
HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorer{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> No action taken.
HKU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionExplorer{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> No action taken.
HKUS-1-5-18SOFTWAREMicrosoftWindowsCurrentVersionExplorer{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> No action taken.
HKLMSOFTWAREFunWebProducts (PUP.MyWebSearch) -> No action taken.
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifydbbin (Trojan.Goldun) -> No action taken.

Registry Values Detected: 6
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun|{E930AC18-34DF-9FEB-63C0-198472B84820} (Trojan.Agent) -> Data: "C:Documents and SettingsmwiltApplication DataOroxeveykzi.exe" -> No action taken.
HKCUControl Paneldon't load|scui.cpl (Hijack.SecurityCenter) -> Data: No -> No action taken.
HKCUSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> No action taken.
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun|ttool (Trojan.Agent) -> Data: C:WINDOWS9129837.exe -> No action taken.
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionNetwork|UID (Malware.Trace) -> Data: SHP06_0BA8C06F -> No action taken.
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun|Antivirus Pro 2010 (Rogue.AntiVirusPro2010) -> Data: "C:Program FilesAntivirusPro_2010AntivirusPro_2010.exe" /hide -> No action taken.

Registry Data Items Detected: 4
HKLMSOFTWAREMicrosoftSecurity Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLMSOFTWAREMicrosoftSecurity Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLMSOFTWAREMicrosoftSecurity Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon|Userinit (Hijack.UserInit) -> Bad: (C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32sdra64.exe,) Good: (userinit.exe) -> No action taken.

Folders Detected: 1
C:WINDOWSsystem32lowsec (Stolen.data) -> No action taken.

Files Detected: 22
C:Documents and SettingsmwiltApplication DataOroxeveykzi.exe (Trojan.Agent) -> No action taken.
C:RECYCLERS-1-5-21-4157305413-1978939531-3247275655-1394Dc1htmlayout.dll (Spyware.OnlineGames) -> No action taken.
C:RECYCLERS-1-5-21-4157305413-1978939531-3247275655-1394Dc1wscui.cpl (Malware.Packer.Gen) -> No action taken.
C:System Volume Information_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}RP325A0079970.dll (Adware.Gamevance) -> No action taken.
C:System Volume Information_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}RP325A0079971.exe (Adware.Gamevance) -> No action taken.
C:System Volume Information_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}RP346A0117209.DLL (PUP.FunWebProducts) -> No action taken.
C:System Volume Information_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}RP346A0117210.DLL (PUP.FunWebProducts) -> No action taken.
C:System Volume Information_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}RP346A0117211.DLL (PUP.FunWebProducts) -> No action taken.
C:Documents and SettingsmwiltLocal SettingsTempTemporary Directory 3 for UPS Delivery Notification -NYS1U2CP5MHQ -Jan-2012 (2).zipUPS Delivery Notification - Jan-2012.exe (Trojan.Agent) -> No action taken.
C:Documents and SettingsmwiltLocal SettingsTempTemporary Directory 1 for UPS Delivery Notification -NYS1U2CP5MHQ -Jan-2012 (2).zipUPS Delivery Notification - Jan-2012.exe (Trojan.Agent) -> No action taken.
C:Documents and SettingsmwiltApplication Datawiaserva.log (Malware.Trace) -> No action taken.
C:WINDOWSsystem32z98a.bin (Malware.Trace) -> No action taken.
C:Documents and SettingsmwiltLocal SettingsTemp mpwr2 (Rogue.Installer) -> No action taken.
C:Documents and SettingsmwiltLocal SettingsTemp mpwr3 (Rogue.Installer) -> No action taken.
C:Documents and SettingsmwiltLocal SettingsTemp mpwr4 (Rogue.Installer) -> No action taken.
C:Documents and SettingsmwiltLocal SettingsTemp mpwr5 (Rogue.Installer) -> No action taken.
C:Documents and SettingsmwiltLocal SettingsTemp mpwr6 (Rogue.Installer) -> No action taken.
C:Documents and SettingsmwiltLocal SettingsTemp mpwr7 (Rogue.Installer) -> No action taken.
C:Documents and SettingsmwiltLocal SettingsTemp mpwr8 (Rogue.Installer) -> No action taken.
C:Documents and SettingsmwiltLocal SettingsTemp mpwr9 (Rogue.Installer) -> No action taken.
C:WINDOWSsystem32lowseclocal.ds (Stolen.data) -> No action taken.
C:WINDOWSsystem32lowsecuser.ds (Stolen.data) -> No action taken.

(end)
icon

Best answer by Kit 15 June 2012, 18:09

The only record I was able to find in our system for you by your forum-registered email is the Business Endpoint key.
 
I can explain PART of the situation, but without directly looking at your scan results and data, I can only guess at the rest.  To get the whole thing evaluated, I would need to know the keycode or email the keycode is under, or you would want to open a support ticket, which will also send the data.
 
The majority of that looks to be pre-existing traces and what MBAM calls "PUP"s, or "Potentially Unwanted Programs".   The downside to PUPs is that they are also potentially WANTED instead of Unwanted, therefore we do not panic the user by detecting them.
 
Traces are just that.  They are leftover, inactive, and otherwise not a threat.  They cannot do anything on their own.
 
There are some things of concern.  For example, there is a run key and a matching executable, so that should have been detected.  Interestingly enough, that specific file exists only on your computer, and you scanned it yesterday, and is definitely detected on our back end system.  So at this point, getting the basic logs would be the best way to find out what is going on, as WSA should be detecting it if it's still installed.  if you installed, performed a scan, and then uninstalled, that is severely suboptimal, as the cloud had to make a determination on the file in question and that needs a chance to get back to your system.
 
You can open up a ticket and the installed WSA program will automatically send its operational logs, however we'll invariably want a more thorough set of logs as well.
 
Thanks!
 
Edit:
Cross-referenced.  There was some confusion because "WSAE" is our consumer "WSA Essentials", as opposed to WSAEP (Endpoint Protection).  I've modified a short bit of the information above and I'll be working to get an enterprise technician in touch with you so the situation can be evaluated.  For the time being, please be cautious with the machine in question, as MBAM doesn't bother to indicate the severity of the infection.
 
Edit # 2:
It looks like Enterprise Support got in touch with you the same day and solved the problem.  We'll consider this resolved now.  Thanks!
View original

1 reply

Userlevel 7
The only record I was able to find in our system for you by your forum-registered email is the Business Endpoint key.
 
I can explain PART of the situation, but without directly looking at your scan results and data, I can only guess at the rest.  To get the whole thing evaluated, I would need to know the keycode or email the keycode is under, or you would want to open a support ticket, which will also send the data.
 
The majority of that looks to be pre-existing traces and what MBAM calls "PUP"s, or "Potentially Unwanted Programs".   The downside to PUPs is that they are also potentially WANTED instead of Unwanted, therefore we do not panic the user by detecting them.
 
Traces are just that.  They are leftover, inactive, and otherwise not a threat.  They cannot do anything on their own.
 
There are some things of concern.  For example, there is a run key and a matching executable, so that should have been detected.  Interestingly enough, that specific file exists only on your computer, and you scanned it yesterday, and is definitely detected on our back end system.  So at this point, getting the basic logs would be the best way to find out what is going on, as WSA should be detecting it if it's still installed.  if you installed, performed a scan, and then uninstalled, that is severely suboptimal, as the cloud had to make a determination on the file in question and that needs a chance to get back to your system.
 
You can open up a ticket and the installed WSA program will automatically send its operational logs, however we'll invariably want a more thorough set of logs as well.
 
Thanks!
 
Edit:
Cross-referenced.  There was some confusion because "WSAE" is our consumer "WSA Essentials", as opposed to WSAEP (Endpoint Protection).  I've modified a short bit of the information above and I'll be working to get an enterprise technician in touch with you so the situation can be evaluated.  For the time being, please be cautious with the machine in question, as MBAM doesn't bother to indicate the severity of the infection.
 
Edit # 2:
It looks like Enterprise Support got in touch with you the same day and solved the problem.  We'll consider this resolved now.  Thanks!

Reply