Pushbot.A.93 found by Avira

spud17
Posts: 4,434 Forumite


in Techie Stuff
I turned on my PC on Friday evening and Avira popped up saying it had found
'WORM/Pushbot.A.93 [worm]' in 'C:\Users\xxxx\AppData\Roaming\17675268803411.exe'.
I let Avira deal with it after looking at its properties which showed it was modified (installed?) Sunday 21st Aug.
I updated and ran Malwarebytes
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7577
Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514
26/08/2011 18:29:25
mbam-log-2011-08-26 (18-29-25).txt
Scan type: Full scan (C:\|)
Objects scanned: 263481
Time elapsed: 16 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe (Trojan.Agent) -> Value: lsass.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjsdahflkjhnliuyctgbo (Trojan.Agent) -> Value: kjsdahflkjhnliuyctgbo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe (Trojan.Agent) -> Value: lsass.exe -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
BTW using 64-bit Win7, Firefox 6 and NoScript.
The only thing suspicious is that the date of the file coincides with when I had another Firefox window open up in the background advertising a poker site.
At the time I was Googling about some obscure file extensions on a laptop I was sorting.
Do I need to do anything else?
Move along, nothing to see.

Comments

Database version: 7577
Update & run a Quick scan with mbam & post the log.

Hi waddler, database version 7577 was what it updated to on Friday when I ran the scan.
Today's scan
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7604
Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514
29/08/2011 10:35:12
mbam-log-2011-08-29 (10-35-12).txt
Scan type: Quick scan
Objects scanned: 168561
Time elapsed: 1 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Looks ok that. I rate Avira as one of the better AVs & mbam only detected reg keys/values. Avira looks to have stopped it in its tracks.
You could try an online scan as well, or post a DDS log to see if anything shows up.
http://www.eset.co.uk/Antivirus-Utilities/Online-Scanner/
One thing about the detection is "This worm contains backdoor functionality that allows unauthorized access and control of an affected machine."
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fPushbot
Personally speaking, if the computer is ever used for financial transactions then I would consider wiping it and reinstalling if you have any doubts. That way you are certain you can trust it.

If you want to post a DDS log.
Download DDS from the link below and save it to your desktop:
Link
After you've downloaded it and saved it to your desktop:
- Double click DDS to run it.
- When it's finished, DDS will open two logs:
  - DDS.txt
  - Attach.txt
Copy & paste the contents of just DDS.txt for now and post it here (you may need to split the log over separate posts).

Personally speaking, if the computer is ever used for financial transactions then I would consider wiping it and reinstalling if you have any doubts. That way you are certain you can trust it.
I know it's not scientific, but I'm also pretty confident that Avira and Malwarebytes have taken care of it.
HijackThis didn't show anything unusual, also I do realise that DDS is a bit more thorough than HJT. :)
I do have a Macrium image from 2 weeks back which I could use, I've already checked it to see if the file is in the C:\Users\xxxx\AppData\Roaming\ folder.
Meanwhile I'll try the Eset scan.

Eset came back clean. :beer:

The main thing is you trust it's clean.
Check the hosts file. Generic scanners don't tell you if it has any erroneous entries.
http://support.microsoft.com/kb/972034
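
The hosts file check suggested in the last reply can be scripted. The following is an added example, not part of the original thread: it lists every active hosts entry that is not a plain localhost mapping. The sample file contents and all `.example` hostnames are constructed for illustration.

```python
import ipaddress

# Names a stock hosts file may legitimately map to loopback.
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample; on Windows the real file is
# C:\Windows\System32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
#
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example   # update site sent to loopback
203.0.113.10    www.bank.example login.bank.example
0.0.0.0         scanner.example
not-an-ip       something.example
"""

def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for each active entry
    that is not a localhost-to-loopback mapping."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()      # drop comments
        if not entry:
            continue
        fields = entry.split()                     # spaces or tabs
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "malformed"))
            continue
        if len(fields) < 2:
            findings.append((line_no, str(addr), "", "malformed"))
            continue
        # Loopback or 0.0.0.0 makes the hostname unreachable ("blocked");
        # any other address silently sends traffic elsewhere ("redirected").
        sink = addr.is_loopback or addr.is_unspecified
        for name in (n.lower() for n in fields[1:]):
            if sink and name in BENIGN_NAMES:
                continue
            verdict = "blocked" if sink else "redirected"
            findings.append((line_no, str(addr), name, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

An empty result means the file contains only comments and localhost entries; anything listed should be traced to software you installed deliberately or removed.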