Author Topic: Strange MBAM detections again...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Strange MBAM detections again...
« on: May 20, 2010, 07:20:37 PM »
I've run MBAM regularly. Nothing is found.
Today an f.exe file appeared in the root directory.
Of course it is fishy. Most probably infected.
The problem is that the file NEVER exists...

avast does not detect any rootkit either.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83355
  • No support PMs thanks
Re: Strange MBAM detections again...
« Reply #1 on: May 20, 2010, 07:52:21 PM »
Well the file might well be hidden from the normal windows explorer or APIs. So it might be worth running GMER anti-rootkit to check.

    GMER Rootkit Scanner - Download - Homepage
    • Download GMER
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe.

    • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)

    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    Please copy and paste the report into your Post.
    WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
    Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.5.2415 (build 20.5.5410.561) UI-1.0.532/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

    Offline Lisandro

    • Avast team
    • Certainly Bot
    • *
    • Posts: 67275
    Re: Strange MBAM detections again...
    « Reply #2 on: May 22, 2010, 03:50:09 AM »

    Offline Lisandro

    • Avast team
    • Certainly Bot
    • *
    • Posts: 67275
    Re: Strange MBAM detections again...
    « Reply #3 on: May 22, 2010, 01:45:02 PM »
    Uninstalled MBAM. Boot. Installed again.
    Problem is there...

    Code:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version:  4127

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    22/05/2010 08:39:49
    mbam-log-2010-05-22 (08-39-49).txt

    Scan type:  Quick scan
    Objects scanned:  138823
    Time elapsed: 9 hour(s), 22 minute(s), 11 second(s)

    Memory Processes Infected:  0
    Memory Modules Infected:  0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected:  0
    Folders Infected:  0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\f.exe (Trojan.Agent) -> No action taken.

    I had this problem before and could not solve it (I formatted/reinstalled everything, so the problem disappeared in the meantime...).
    http://forum.avast.com/index.php?topic=58921.msg496604#msg496604

    Offline DavidR

    • Avast Überevangelist
    • Certainly Bot
    • *****
    • Posts: 83355
    • No support PMs thanks
    Re: Strange MBAM detections again...
    « Reply #4 on: May 22, 2010, 02:51:02 PM »
    Your MBAM log shows No action taken, what happens when you let it Remove it ?
    Presumably on reboot it is back again ?

    I'm not too familiar with the GMER logs and this is the largest GMER log I have seen, but I have had a quick look at it and I don't see anything obvious; GMER is usually quite distinct in highlighting anything that it considers suspect/a rootkit.

    So I think we will need essexboy to take a look at it.

    Offline Lisandro

    • Avast team
    • Certainly Bot
    • *
    • Posts: 67275
    Re: Strange MBAM detections again...
    « Reply #5 on: May 22, 2010, 03:23:49 PM »
    I ran OTL (as posted here: http://forum.avast.com/index.php?topic=58921.msg496741#msg496741).
    The logs are here: http://www.mediafire.com/file/ijydtq4mzjj/OTL.7z

    Your MBAM log shows No action taken, what happens when you let it Remove it ?
    Allowed it to remove and rebooted three times... MBAM does nothing with it.

    Offline DavidR

    • Avast Überevangelist
    • Certainly Bot
    • *****
    • Posts: 83355
    • No support PMs thanks
    Re: Strange MBAM detections again...
    « Reply #6 on: May 22, 2010, 03:29:42 PM »
    Yes it will take essexboy to root into the OTL log as I have no experience of that.

    Offline essexboy

    • Malware removal instructor
    • Avast Überevangelist
    • Probably Bot
    • *****
    • Posts: 40631
    • Dragons by Sasha
      • Malware fixes
    Re: Strange MBAM detections again...
    « Reply #7 on: May 22, 2010, 03:45:19 PM »
    Hi Tech - GMER looks clean, as does OTL.  Note this part from the OTL scan
    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >

    The empty part under %systemdrive%\*.exe means that there are no exe files on your root drive - which is as it should be

    MBAM is now at 4130 - could you update and see if it is still present
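    The detection in Reply #3 names C:\f.exe, and the point above is that an empty %SYSTEMDRIVE%\*.exe listing in OTL means no such file is visible. The following is an added PowerShell example, not a tool anyone used in the thread: it parses the file entries out of an MBAM 1.x log (the embedded log text is constructed from Reply #3 using the English build's section heading; the parser also accepts the Portuguese "Arquivos Infectados" heading), repeats the root-drive executable check, and then looks for each reported path from several independent vantage points: the .NET file API, the PowerShell provider with hidden and system entries, a separate cmd.exe process, and NTFS alternate data streams. A path absent from all of them is either hidden below those APIs, which only an offline scan from boot media can settle, or a stale/phantom detection. It assumes PowerShell 3.0 or later (Windows 7 needs WMF 3 for -Stream and -File).

```powershell
# Added example (not a tool from the thread). Assumes PowerShell 3.0 or later
# on Windows; Windows 7 needs WMF 3 for -Stream and -File.

# Constructed from the log in Reply #3, with the English build's section
# heading. "Files Infected: 1" is the summary line; "Files Infected:" the section.
$mbamLog = @'
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version:  4127

Windows 6.1.7600

Files Infected: 1

Files Infected:
C:\f.exe (Trojan.Agent) -> No action taken.
'@

# Pull (path, threat, action) out of the "Files Infected" section of an MBAM 1.x log.
function Get-MbamFileDetections {
    param([Parameter(Mandatory = $true)][string]$LogText)
    $inFiles = $false
    foreach ($raw in ($LogText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^(Files Infected|Arquivos Infectados):$') { $inFiles = $true; continue }
        if ($inFiles -and $line -match '^[^\\]+:$') { $inFiles = $false; continue }   # next section header
        if ($inFiles -and $line -match '^(?<path>[A-Za-z]:\\.*?) \((?<threat>[^)]+)\) -> (?<action>.+?)\.?$') {
            [pscustomobject]@{ Path = $Matches['path']; Threat = $Matches['threat']; Action = $Matches['action'] }
        }
    }
}

# Look for one path from several independent vantage points. A user-mode hook in
# this process hides the file from the first two; a separate cmd.exe process is a
# different vantage point; a stale detection shows up in none of them.
function Test-PathVantagePoints {
    param([Parameter(Mandatory = $true)][string]$Path)
    $dir  = Split-Path -Path $Path -Parent
    $leaf = Split-Path -Path $Path -Leaf
    $byProvider = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -ieq $leaf }).Count -gt 0
    $byCmd      = @(& cmd.exe /c dir /a /b $dir 2>$null | Where-Object { $_ -ieq $leaf }).Count -gt 0
    $streams    = @(Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue).Count
    [ordered]@{
        'IO.File::Exists'      = [System.IO.File]::Exists($Path)   # .NET call, bypasses the provider
        'Get-ChildItem -Force' = $byProvider                         # provider, incl. hidden/system
        'cmd dir /a /b'        = $byCmd                              # enumeration from another process
        'NTFS stream count'    = $streams                            # alternate data streams on the name
    }
}

# The check essexboy made on the OTL log: the root of the system drive should hold no .exe at all.
$rootExes = @(Get-ChildItem -LiteralPath "$env:SystemDrive\" -Force -File -Filter *.exe -ErrorAction SilentlyContinue)
"Executables in $env:SystemDrive\ (expected none): " + $(if ($rootExes) { $rootExes.Name -join ', ' } else { '<none>' })

foreach ($d in Get-MbamFileDetections -LogText $mbamLog) {
    "MBAM reports $($d.Path) as $($d.Threat), action: $($d.Action)"
    $seen = Test-PathVantagePoints -Path $d.Path
    foreach ($k in $seen.Keys) { '  {0,-22} {1}' -f $k, $seen[$k] }
    $visible = $seen['IO.File::Exists'] -or $seen['Get-ChildItem -Force'] -or $seen['cmd dir /a /b'] -or ($seen['NTFS stream count'] -gt 0)
    if (-not $visible) {
        '  -> not visible from any vantage point: hidden below these APIs (confirm with an offline scan from boot media) or a stale/phantom detection'
    }
}
```

    Run it from an elevated prompt so the hidden/system listing is not cut short by ACLs. If the path is visible from cmd.exe but not from the PowerShell process, something is hooking enumeration in this process; if it is visible from none of them while MBAM keeps reporting it, the next step is an offline scan rather than another on-line scanner.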

    Offline Lisandro

    • Avast team
    • Certainly Bot
    • *
    • Posts: 67275
    Re: Strange MBAM detections again...
    « Reply #8 on: May 22, 2010, 04:03:18 PM »
    OTM log:

    Code:
    ========== PROCESSES ==========
    Process explorer.exe killed successfully!
    ========== FILES ==========
    File/Folder C:\f.exe not found.
    ========== COMMANDS ==========
     
    OTM by OldTimer - Version 3.1.12.0 log created on 05222010_102611

    Essexboy, I'll update MBAM again.

    Offline Lisandro

    • Avast team
    • Certainly Bot
    • *
    • Posts: 67275
    Re: Strange MBAM detections again...
    « Reply #9 on: May 22, 2010, 04:06:54 PM »
    Essexboy, which would be good as a third opinion?
    SuperAntispyware?
    HitmanPro?
    Any on-line scanning?

    Offline Asyn

    • Avast Überevangelist
    • Certainly Bot
    • *****
    • Posts: 65510
      • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
    Re: Strange MBAM detections again...
    « Reply #10 on: May 22, 2010, 04:13:30 PM »
    Do you dare to try this...?? ;)
    http://www.emsisoft.com/en/software/antimalware/
    asyn
    Win 8.1 [x64] - Avast PremSec 20.6.2416.B#1 [UI.537] - CC 5.68 - EEK - FF ESR 68.10 [NS/AOS/uBO/PB] - TB 68.10 - SB/CP/SL/DU.BC
    Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

    Offline Lisandro

    • Avast team
    • Certainly Bot
    • *
    • Posts: 67275
    Re: Strange MBAM detections again...
    « Reply #11 on: May 22, 2010, 05:25:08 PM »
    Do you dare to try this...?? ;)
    http://www.emsisoft.com/en/software/antimalware/
    For what? More false positives? ???
    And look for a fourth opinion ;D

    Offline Lisandro

    • Avast team
    • Certainly Bot
    • *
    • Posts: 67275
    Re: Strange MBAM detections again...
    « Reply #12 on: May 22, 2010, 05:25:32 PM »
    Combofix log.

    Offline essexboy

    • Malware removal instructor
    • Avast Überevangelist
    • Probably Bot
    • *****
    • Posts: 40631
    • Dragons by Sasha
      • Malware fixes
    Re: Strange MBAM detections again...
    « Reply #13 on: May 22, 2010, 05:58:47 PM »
    Well CF couldn't find it

    c:\users\Tech\AppData\Roaming\inst.exe This was taken out on the principle that exe files should not reside there

    I have just spent an hour getting Hitmanpro off of my system - so not happy with that one
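    essexboy's rule of thumb above is that executables do not belong directly in AppData\Roaming, and the follow-up in this thread was to check the removed inst.exe by its SHA-256 on VirusTotal. As an added PowerShell example (not essexboy's ComboFix script or anything posted in the thread), this lists executables sitting in the root of every user's AppData\Roaming, hashes each one and reads its Authenticode status, so the hash can be looked up before anything is deleted. It assumes PowerShell 4.0 or later for Get-FileHash, and the VirusTotal link uses the current GUI URL scheme rather than the 2010 format of the link in the thread.

```powershell
# Added example, not a fix from the thread. Assumes PowerShell 4.0 or later
# (Get-FileHash). The VirusTotal URL is the current GUI scheme, an assumption
# about where to look the hash up, not the 2010 link format used in the thread.
function Get-RoamingRootExecutables {
    param(
        [string]$UsersRoot = (Join-Path $env:SystemDrive 'Users'),
        [string[]]$Extensions = @('.exe', '.dll', '.scr', '.com', '.pif')
    )
    foreach ($userDir in Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        $roaming = Join-Path $userDir.FullName 'AppData\Roaming'
        if (-not (Test-Path -LiteralPath $roaming)) { continue }
        # Only the Roaming root itself: vendor subfolders legitimately hold binaries, the root normally does not.
        Get-ChildItem -LiteralPath $roaming -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                [pscustomobject]@{
                    Path        = $_.FullName
                    SizeBytes   = $_.Length
                    ModifiedUtc = $_.LastWriteTimeUtc
                    SHA256      = $sha256
                    Signature   = $sig.Status      # Valid / NotSigned / HashMismatch / ...
                    Signer      = $signer
                    VirusTotal  = "https://www.virustotal.com/gui/file/$sha256"
                }
            }
    }
}

Get-RoamingRootExecutables | Format-List
```

    An unsigned, recently modified executable in the Roaming root is worth a hash lookup before deletion; a NotSigned status alone is not proof of anything, as the clean inst.exe in this thread shows, but the hash gives a third opinion that does not depend on yet another scanner's signatures.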


    Offline Lisandro

    • Avast team
    • Certainly Bot
    • *
    • Posts: 67275
    Re: Strange MBAM detections again...
    « Reply #14 on: May 22, 2010, 07:38:29 PM »
    Well CF couldn't find it
    Any further thing to do?

    c:\users\Tech\AppData\Roaming\inst.exe This was taken out on the principle that exe files should not reside there
    Ok. Deleted.
    But it was a clean file: http://www.virustotal.com/analisis/c74d2fa6374b5f1e251e3205de0efe99ed026b8b7a0ad5ee549ee3700f8e63d7-1274549791

    I have just spent an hour getting Hitmanpro off of my system - so not happy with that one
    Thanks for sharing. Dropping it then. I don't like SuperAntispyware due to the things it needs to be running even on demand (drivers, services, etc.).