Avast WEBforum
Other => Viruses and worms => Topic started by: Lisandro on May 20, 2010, 07:20:37 PM
-
I've run MBAM regularly. Nothing is found.
Today an f.exe file appeared in the root directory.
Of course it is fishy. Most probably infected.
The problem is that the file NEVER exists...
avast does not detect any rootkit either.
-
Well, the file might well be hidden from normal Windows Explorer or the APIs, so it might be worth running GMER anti-rootkit to check.
GMER Rootkit Scanner - Download (http://www.gmer.net/gmer.zip) - Homepage (http://www.gmer.net/)
- Download GMER
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe.
- If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
- In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
- Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.
-
Essexboy, can you check my log?
http://www.mediafire.com/file/dtnn0mmwgqm/GMER.7z
-
Uninstalled MBAM. Rebooted. Installed again.
The problem is still there...
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Versão da Base de Dados: 4127
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
22/05/2010 08:39:49
mbam-log-2010-05-22 (08-39-49).txt
Tipo de Verificação: Verificação Rápida
Objetos escaneados: 138823
Tempo decorrido: 9 hora(s), 22 minuto(s), 11 segundo(s)
Processos de Memória Infectados: 0
Módulos de Memória Infectados: 0
Chaves de Registro Infectadas: 0
Valores de Registro Infectados: 0
Itens de Dados no Registro Infectados: 0
Pastas Infectadas: 0
Arquivos Infectados: 1
Processos de Memória Infectados:
(Não foram detectados ítens maliciosos)
Módulos de Memória Infectados:
(Não foram detectados ítens maliciosos)
Chaves de Registro Infectadas:
(Não foram detectados ítens maliciosos)
Valores de Registro Infectados:
(Não foram detectados ítens maliciosos)
Itens de Dados no Registro Infectados:
(Não foram detectados ítens maliciosos)
Pastas Infectadas:
(Não foram detectados ítens maliciosos)
Arquivos Infectados:
C:\f.exe (Trojan.Agent) -> No action taken.
I had this problem before and could not solve it (I formatted and reinstalled everything, so the problem disappeared in the meantime...).
http://forum.avast.com/index.php?topic=58921.msg496604#msg496604
-
Your MBAM log shows "No action taken"; what happens when you let it remove it?
Presumably on reboot it is back again?
I'm not too familiar with the GMER logs and this is the largest GMER log I have seen, but I have had a quick look at it and I don't see anything obvious; GMER is usually quite distinct in highlighting anything that it considers suspect/a rootkit.
So I think we will need essexboy to take a look at it.
-
I ran OTL (as posted here: http://forum.avast.com/index.php?topic=58921.msg496741#msg496741).
The logs are here: http://www.mediafire.com/file/ijydtq4mzjj/OTL.7z
Your MBAM log shows "No action taken"; what happens when you let it remove it?
I allowed it to remove and rebooted three times... MBAM does nothing with it.
-
Yes, it will take essexboy to root through the OTL log, as I have no experience of that.
-
Hi Tech - GMER looks clean, as does OTL. Note this part from the OTL scan:
< %SYSTEMDRIVE%\*.exe >
< MD5 for: AGP440.SYS >
The empty part under %systemdrive%\*.exe means that there are no exe files on your root drive - which is as it should be.
MBAM is now at 4130 - could you update and see if it is still present?
-
OTM log:
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
File/Folder C:\f.exe not found.
========== COMMANDS ==========
OTM by OldTimer - Version 3.1.12.0 log created on 05222010_102611
Essexboy, I'll update MBAM again.
-
Essexboy, which would be good as a third opinion?
SuperAntispyware?
HitmanPro?
Any on-line scanning?
-
Do you dare to try this...?? ;)
http://www.emsisoft.com/en/software/antimalware/
asyn
-
Do you dare to try this...?? ;)
http://www.emsisoft.com/en/software/antimalware/
For what? More false positives? ???
And look for a fourth opinion ;D
-
Combofix log.
-
Well, CF couldn't find it.
c:\users\Tech\AppData\Roaming\inst.exe: this was taken out on the principle that exe files should not reside there.
I have just spent an hour getting Hitmanpro off my system, so I'm not happy with that one.
-
Well, CF couldn't find it.
Anything further to do?
c:\users\Tech\AppData\Roaming\inst.exe: this was taken out on the principle that exe files should not reside there.
Ok. Deleted.
But it was a clean file: http://www.virustotal.com/analisis/c74d2fa6374b5f1e251e3205de0efe99ed026b8b7a0ad5ee549ee3700f8e63d7-1274549791
I have just spent an hour getting Hitmanpro off my system, so I'm not happy with that one.
Thanks for sharing. Dropping it then. I don't like SuperAntispyware due to the things it needs to have running even on demand (drivers, services, etc.).
-
I've registered and entered the information into MBAM forum.
http://forums.malwarebytes.org/index.php?showtopic=51225
-
Methinks MBAM has decided to play games with you - by finding non-existent files.
-
Methinks MBAM has decided to play games with you - by finding non-existent files.
I can't believe it ;D
Am I alone? ???
-
But look on the bright side - it makes you special ;D
-
But look on the bright side - it makes you special ;D
No, it makes me unlucky ;D
-
The MBAM forum remains silent...
Is that normal? I mean, the slow response time?
-
The MBAM forum remains silent...
Is that normal? I mean, the slow response time?
Nope, they usually reply within 24 hours. In order to make things move along more smoothly and quickly next time, you should follow these steps when posting an F/P in Malwarebytes' forum.
1. Go to the Start Menu.
2. Click Run
3. Type in mbam.exe /developer
4. Then run a quick or full scan, save the logfile and post it.
Also, if you can, attach the file to your post in ZIP or RAR format.
-
Absolute lack of support...
http://forums.malwarebytes.org/index.php?showtopic=51225
I hate this...
-
You posted Yesterday, 08:50 PM (forum time) and expect a quick response. ???
Do you have MBAM full?
If you do then contact support(@)malwarebytes.org by email and they will help you.
-
You posted Yesterday, 08:50 PM (forum time) and expect a quick response. ???
Define "quick"... The problem was posted three days ago...
Do you have MBAM full?
No. But I suppose the forum is for free support, isn't it?
If you do then contact support(@)malwarebytes.org by email and they will help you.
No need, it seems the staff is following the thread; slowly, but it's there.
-
Long lags in support...
Seems the voice of the Internet is correct: MBAM is a good program but the support is horrible or very weak.
http://forums.malwarebytes.org/index.php?showtopic=51225
-
Looks like you found another bug there, Tech, looking at your posts anyway.
-
Looks like you found another bug there, Tech, looking at your posts anyway.
I can't believe I'm alone on this... What does my machine have so special? ???
-
Tech, does this help? I found this by doing a search for F.exe.
http://www.prevx.com/filenames/X8616758784404325-X1/F.EXE.html
http://www.threatexpert.com/files/f.exe.html
http://www.file.net/process/f.exe.html
Here's someone else with a similar problem and maybe a fix.
http://www.bleepingcomputer.com/forums/topic236537.html
-
Thanks Marc. Let me comment:
http://www.prevx.com/filenames/X8616758784404325-X1/F.EXE.html
The hash of the file is fundamental (MD5). Different files can have the same name, and vice versa. So I don't think my f.exe file (that does not exist...) is the same as the Prevx one.
http://www.threatexpert.com/files/f.exe.html
The same.
http://www.file.net/process/f.exe.html
Can't find anything useful...
http://www.bleepingcomputer.com/forums/topic236537.html
The topic was closed. Not that helpful. Besides, I had sent all the logs to Essexboy for analysis.
No further help on the MBAM forum. I'm waiting.
-
I was hoping that post # 3 might help you get rid of it.
http://www.bleepingcomputer.com/forums/topic236537.html
-
Marc, I've tested: the file does not exist (it should be c:\f.exe) and the prefetch folder does not have any f.exe-related file.
I'm running another MBAM scan with an old partition backup restored and trying...
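The two checks discussed in this thread, Essexboy's point that the %SYSTEMDRIVE%\*.exe section of the OTL log should be empty and the Prefetch lookup just described, can be reproduced directly from a PowerShell prompt. This is an added example, not code from the thread or from MBAM, OTL or GMER; it assumes PowerShell 2.0 or later (what Windows 7 shipped with) and an elevated prompt so Prefetch is readable.

```powershell
# Added example (not from this thread or from MBAM/OTL/GMER): check the two things
# discussed above directly from PowerShell on the affected machine.
#  1. Are there really no .exe files in the root of the system drive, once
#     Hidden and System attributes are included?
#  2. Is there a Prefetch entry showing that anything named f.exe ever ran?
# Assumes PowerShell 2.0 or later (what Windows 7 shipped with) and an
# elevated prompt so Prefetch is readable.

$root     = "$env:SystemDrive\"                  # e.g. C:\
$prefetch = Join-Path $env:SystemRoot 'Prefetch'  # e.g. C:\Windows\Prefetch

# MD5 so a file found here can be compared with a scanner's hash rather than
# matched on the name alone. Uses .NET directly; Get-FileHash needs PS 4.0.
function Get-Md5Hex {
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# -Force includes Hidden and System files that Explorer and a plain 'dir' skip.
$rootExes = Get-ChildItem -Path $root -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }

if (-not $rootExes) {
    Write-Output "No .exe files in $root (consistent with an empty <%SYSTEMDRIVE%\*.exe> section in OTL)."
} else {
    foreach ($f in $rootExes) {
        Write-Output ("{0}`tAttributes={1}`tMD5={2}" -f $f.FullName, $f.Attributes, (Get-Md5Hex $f.FullName))
    }
}

# Windows writes NAME-HASH.pf into Prefetch when a program runs, so an
# F.EXE-*.pf entry would show that something called f.exe has executed even if
# the file itself is gone now.
$pf = Get-ChildItem -Path $prefetch -Filter 'F.EXE-*.pf' -Force -ErrorAction SilentlyContinue
if ($pf) {
    $pf | ForEach-Object { Write-Output ("Prefetch entry: {0} (last write {1})" -f $_.Name, $_.LastWriteTime) }
} else {
    Write-Output "No Prefetch entry for f.exe under $prefetch."
}
```

If both checks come back empty while MBAM keeps reporting C:\f.exe, the explanations left are the ones the thread already raises: something hiding the file from the Windows API, which is what GMER is for, or a bad signature, which is what the false-positive report on the MBAM forum is for.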
-
Scanning finished. The file is found. Something is weird in my computer and MBAM.
-
Sorry I couldn't help Tech.
-
What happens if you are able to access that drive outside Windows, using a Linux live CD, etc.? Can that find anything?
-
What happens if you are able to access that drive outside Windows, using a Linux live CD, etc.? Can that find anything?
Good shot. I'll try.
-
Hopefully that will work if it exists and is hidden when Windows is running.