shanenin Posted July 3, 2009
At my work, I use this computer for very minimal stuff. I mainly just use Google Docs, Google Mail, and download drivers from reputable websites. I do not ever install anything on this computer. For what it's worth, I use Firefox for my browsing. I have no idea how I got infected. Any insight into the vector of the infection? I am not looking for help on cleaning. Here is my MBAM log file. One big negative: this computer is not fully up to date with Microsoft updates (maybe an unpatched vulnerability). I was not running any AV also. I have not looked at porn on this computer. I do not use any gaming programs. I am convinced this was a pure drive-by install; I do not install anything.

Malwarebytes' Anti-Malware 1.38
Database version: 2369
Windows 5.1.2600 Service Pack 2
7/3/2009 3:20:38 PM
mbam-log-2009-07-03 (15-20-38).txt

Scan type: Quick Scan
Objects scanned: 91584
Time elapsed: 7 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\olhrwef.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\owner\Local Settings\Temp\olhrwef.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnlineGames) -> Delete on reboot.
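Added example, not code from the post or from Malwarebytes: a small Python parser for the MBAM item-line format quoted above, which tags each finding by what it means for the defender (the Run-key autostart entry, the suppressed Security Center alerts, the hidden-file display setting, and the module that stays loaded until reboot). The sample log is a constructed excerpt re-typed from the post; the tags and rules are assumptions of this example, not MBAM categories.

```python
import re

# Constructed excerpt modelled on the MBAM 1.38 log in the post above
# (same paths and detection names, re-typed one item per line).
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnlineGames) -> Delete on reboot.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\olhrwef.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Item line: "<path> (<family>) -> [Bad: (x) Good: (y) -> ]<action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\) -> (?P<action>.+)$")

def parse_mbam(text: str) -> list:
    """One dict per item line; headers and '(No malicious items detected)' never match."""
    found = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if not m:
            continue
        d = {"path": m["path"], "family": m["family"], "action": m["rest"],
             "bad": None, "good": None}
        dm = DATA_RE.match(m["rest"])
        if dm:   # "Registry Data Items" carry the tampered and the restored value
            d.update(bad=int(dm["bad"]), good=int(dm["good"]), action=dm["action"])
        found.append(d)
    return found

# Defender-side meaning of each finding (assumed tags); the first matching rule wins.
RULES = [
    (lambda d: "\\CurrentVersion\\Run\\" in d["path"], "persistence via Run key"),
    (lambda d: d["family"] == "Disabled.SecurityCenter", "Security Center alerts suppressed"),
    (lambda d: d["family"] == "Hijack.System.Hidden", "hidden-file display disabled"),
    (lambda d: d["action"] == "Delete on reboot", "module still loaded; reboot required"),
]

def triage(dets: list) -> dict:
    """Group detection paths under the tag of the first rule that matches."""
    out = {}
    for d in dets:
        tag = next((t for p, t in RULES if p(d)), "dropped binary")
        out.setdefault(tag, []).append(d["path"])
    return out
```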
hitest Posted July 3, 2009
That sounds like a good theory to me, shanenin. It might be a vulnerability because the box needs to be patched. So did Malwarebytes successfully remove the weird stuff? I like Malwarebytes as well on my XP partition.
shanenin (Author) Posted July 4, 2009
I always blame my clients (politely) when they get infected. I usually say it must have been something you accidentally installed.
flashh4 Posted July 4, 2009
Hi shanenin, bad news for you. I would change all passwords and not use this computer for anything of importance, here is why, even though MBAM removed it. This is an Infostealer.Gampass >>> C:\WINDOWS\system32\olhrwef.exe <<< A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.).
Chuck
shanenin (Author) Posted July 4, 2009
Thanks for the heads up.
hitest Posted July 4, 2009
Yeah, thanks, Chuck. That scared me so I scanned my XP partition with Malwarebytes too. I'm okay. shanenin, are you going to format that unit? Bad news, man.
shanenin (Author) Posted July 4, 2009
Formatting would be wise. If they have been stealing my info, I am already screwed. I use PayPal and credit cards on this computer all the time. Even though I have no faith in AV, I should start using it as a little extra added protection.

I think I may start running Vista. I ran it for a bit when it came out, but since then have been using XP at work and OS X (mini) at home. Everything I do is web based; any OS works fine for me. The crazy thing is we still sell almost all of our new computers with XP. We sold about 36 new computers in the last 12 months, 3 of which were Vista. I don't think Vista is bad, it just seems to be how things have been.
hitest Posted July 4, 2009
> Formatting would be wise. If they have been stealing my info, I am already screwed. I use PayPal and credit cards on this computer all the time. Even though I have no faith in AV, I should start using it as a little extra added protection.
> I think I may start running Vista. I ran it for a bit when it came out, but since then have been using XP at work and OS X (mini) at home. Everything I do is web based; any OS works fine for me. The crazy thing is we still sell almost all of our new computers with XP. We sold about 36 new computers in the last 12 months, 3 of which were Vista. I don't think Vista is bad, it just seems to be how things have been.

Agreed. A format would make sense! I would call all of your credit card companies and cancel your cards. Get them to issue you new cards, just to be safe. I would bet you're probably fine. This happened to me a few years ago. A company that I bought CDs from got hacked (all of my credit card info compromised). I cancelled my credit card and nothing bad happened.
TheTerrorist_75 Posted July 4, 2009
Online game password stealer.
More info: Trojan.PWS.OnlineGames.KBVT
flashh4 Posted July 4, 2009
Hey shanenin, you're welcome. I think hitest said it correctly; for future use I would do all he recommended.
> A format would make sense! I would call all of your credit card companies and cancel your cards. Get them to issue you new cards, just to be safe.
More than likely you are safe, but in this day and age one never knows.
Good link TT, let's hope they did not get to anything. It just shows that no matter how safe one thinks they are, it's no guarantee.
Chuck
shanenin (Author) Posted July 13, 2009
We suspect we may have got infected by inserting a client's flash drive which was infected. We did have autorun enabled on the computer.
masterwong Posted July 14, 2009
Virus email maybe? Unless you are also watching porn with that comp.
flashh4 Posted July 15, 2009
> Unless you are also watching porn with that comp
Hi Master Wong, before you make a comment like this you should do some research about the topic poster.
Chuck
TheTerrorist_75 Posted July 15, 2009
I have warned Master Wong by PM that these types of replies are not acceptable here. My ban hammer is getting dusty.