
maba

  1. Whoa, what a strange thing!!!! Malwarebytes reports it only if the file is in the root of C:\ !!!! If I put the file in another place, Malwarebytes doesn't report it as a virus!!!! (in another folder on C: or on another drive...) Very, very weird!!! Maybe Win 7 and its UAC... The file I have is the same as the one from the download link (I compared them with a hex editor...). Why is Malwarebytes acting differently depending on the folder??

     ------ ------
     Malwarebytes' Anti-Malware 1.51.0.1200
     www.malwarebytes.org

     Version de la base de données: 7057
     Windows 6.1.7601 Service Pack 1
     Internet Explorer 9.0.8112.16421

     10/07/2011 10:48:30
     mbam-log-2011-07-10 (10-48-25).txt

     Type d'examen: Examen rapide
     Elément(s) analysé(s): 1
     Temps écoulé: 4 seconde(s)

     Processus mémoire infecté(s): 0
     Module(s) mémoire infecté(s): 0
     Clé(s) du Registre infectée(s): 0
     Valeur(s) du Registre infectée(s): 0
     Elément(s) de données du Registre infecté(s): 0
     Dossier(s) infecté(s): 0
     Fichier(s) infecté(s): 1

     Processus mémoire infecté(s):
     (Aucun élément nuisible détecté)

     Module(s) mémoire infecté(s):
     (Aucun élément nuisible détecté)

     Clé(s) du Registre infectée(s):
     (Aucun élément nuisible détecté)

     Valeur(s) du Registre infectée(s):
     (Aucun élément nuisible détecté)

     Elément(s) de données du Registre infecté(s):
     (Aucun élément nuisible détecté)

     Dossier(s) infecté(s):
     (Aucun élément nuisible détecté)

     Fichier(s) infecté(s):
     c:\usbdiskeject_beta4.exe (Trojan.FakeAlert) -> No action taken.
  2. Is the beta4 of this utility a false positive? Description of the utility. Download link. It is reported as Trojan fake alert...
  3. Oops, sorry, the process involved is system32/services.exe and not processes.exe... anyway, a legitimate Microsoft process... Of course I have .pcap files... but I think they won't be helpful... this virus may know billions of IP addresses to contact... and my captures are much the same as those at the "superuser.com" link... I can send them by email to an admin if it can help detection of this thing... but I don't think it would help much... If you see a referer like this in a TCP stream...

     POST /download.php?file=66dd7fe9e8b101980ed55b170532fc24 HTTP/1.1
     Accept: */*
     Accept-Language: en-us
     Referer: http://muza-flowers.biz/
     Content-Type: application/x-www-form-urlencoded
     Content-Encoding: gzip
     UA-CPU: x86
     Accept-Encoding: gzip, deflate
     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
     Host: muza-flowers.biz
     Content-Length: 182
     Connection: Keep-Alive
     Cache-Control: no-cache

     ...... if you see DNS MX queries... and SMTP TCP 25 grey encrypted streams... and if, of course, you are not sending emails... surely something is going wrong... (and the best is to watch at startup of the PC)... My next move is to use GMER; maybe I'll find something... For now I have nothing to send... all is fine on this PC... it just sends encrypted mails without my consent... Have nice days...
  4. I suspect a new variant of the Rustock botnet to be invisible to many antivirus programs... I tried on 28/03/10: Malwarebytes, ESET NOD32, online Bitdefender, online Trend Micro, HijackThis logs normal... none of them found any virus files... all is OK, they said... OK, BUT... when I use Wireshark to see what happens on the network... when the PC starts up... it sends encrypted mails, makes DNS MX queries, and downloads something from a mysterious "forum"... My only hope now to find this xxx is to use GMER... I hope it finds something (I'll try maybe in the next weeks...). For now the only thing I see is a system32/processes.exe (Microsoft process) which opens/closes rapidly and uses TCP ports 1035-1040 to send encrypted mails... I think it's a hidden service which cheats antivirus software... GMER may help... I found these links with the same captures... and I think it's the Rustock botnet...

     http://lists.emergingthreats.net/pipermail...ary/005837.html
     http://malwarelab.tistory.com/83
     http://superuser.com/questions/88788/how-d...ed-by-wireshark

     Here are links which talk about the Rustock botnet...

     http://www.m86security.com/labs/i/Rustock-...trace.1243~.asp
     http://securitythreat.info/online-security...rustock-botnet/

     So I post this only to say... BE CAREFUL AND DON'T TRUST "BLINDLY" YOUR MANY ANTIVIRUS PROGRAMS... in this case... they all say "all is fine, brother!"! From now on I am going to always recommend the use of Wireshark or another packet-sniffing software to make SURE you have no virus... and I hope to find this xxxx botnet... Have nice days
  5. Thanks for your reply! I have "fixed" my problem by doing a full scan in safe mode... surely a third-party program which doesn't like Malwarebytes... but it's very hard to know which one... so... in one way, I can do a full scan in a "normal time". Byeeee
  6. The full scan is done only on my c:windows partition... my PC is clean (no temp files, no dump, etc...); "c:" has 174 003 files and 12895 folders... I noticed it took a long time to scan .jar, .rar, etc... all compressed files... some Windows folders take so long too... At the beginning of the mbam process it took 50% of the processor and 32 MB of RAM... (maybe scanning the registry); very quickly, it took 00 to 10% of the processor (it stays at 00 when the program scans a new file... it goes to (1 to 7)% then returns to 00%) and the scan keeps going... but it is very slow... raising the process priority doesn't help... I raised it to real time, then high... then when I canceled the scan operation, mbam stopped responding and a "Windows Defender" window asked me if I wanted to send c:\windows\drivers\mbamswissarmy.sys to Microsoft... Maybe Windows Defender causes trouble doing a rapid full scan on an XP SP3 system, or maybe it's just a crash because I played with the process priority... it's very hard to know why mbam is so slow on this PC! And maybe it's the normal time to scan 174 000 files... Thanks to you all
  7. Malwarebytes is a very great program but I have trouble finishing a full scan with the latest updated version... On a PC under Vista with a Q6600, Asus MB, SATA HD... no problems, the full scan took 1.5 hours... everything is fine... On my other, old PC... P4 3.2 GHz HT, XP Pro, Asus P4P800 socket 478, IDE hard disk, Norton Antivirus, ..., the Malwarebytes full scan takes 10 hours! For 30 GB!! I have checked all my hardware and all is fine (HD Tach, CPU test, etc.)... Is it normal for Malwarebytes to take this long to scan 30 GB on an older configuration? And in any case, thanks to this wonderful program which saved me from evil trojans. Thanks.
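
Added example, not part of maba's posts: the network signs described in posts 3 and 4 (DNS MX queries followed by outbound SMTP on TCP 25 from a PC that is not sending mail, watched at startup) written as a check over connection records. The record format, addresses, mail-server allow list and 5-minute startup window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not taken from the poster's capture):
# timestamp, source host, protocol, destination, port, detail
SAMPLE_LOG = """\
2010-03-28T08:00:02 192.168.1.20 DNS 192.168.1.1 53 A www.example.test
2010-03-28T08:00:05 192.168.1.20 DNS 192.168.1.1 53 MX mail-a.example
2010-03-28T08:00:06 192.168.1.20 TCP 198.51.100.10 25 SYN
2010-03-28T08:00:07 192.168.1.20 DNS 192.168.1.1 53 MX mail-b.example
2010-03-28T08:00:08 192.168.1.20 TCP 203.0.113.25 25 SYN
2010-03-28T08:00:09 192.168.1.20 TCP 192.0.2.80 80 SYN
2010-03-28T08:01:00 192.168.1.30 DNS 192.168.1.1 53 A www.example.test
2010-03-28T08:01:02 192.168.1.30 TCP 192.0.2.80 80 SYN
2010-03-28T08:02:00 192.168.1.5 DNS 192.168.1.1 53 MX mail-a.example
2010-03-28T08:02:01 192.168.1.5 TCP 198.51.100.10 25 SYN
"""

MAIL_SERVERS = {"192.168.1.5"}  # assumed: hosts expected to send mail directly
WINDOW = timedelta(minutes=5)   # assumed: "startup" = first 5 minutes of traffic


def find_unexpected_mailers(log_text, mail_servers=MAIL_SERVERS, window=WINDOW):
    """Return {host: (mx_query_count, sorted SMTP destinations)} for hosts that
    do MX lookups and open TCP/25 at startup without being known mail senders."""
    first_seen = {}
    mx_queries = defaultdict(int)
    smtp_dests = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) != 6:
            continue  # skip malformed records
        ts, src, proto, dst, port, detail = parts
        when = datetime.fromisoformat(ts)
        start = first_seen.setdefault(src, when)
        if src in mail_servers or when - start > window:
            continue  # expected sender, or outside the startup window
        if proto == "DNS" and detail.startswith("MX "):
            mx_queries[src] += 1
        elif proto == "TCP" and port == "25":
            smtp_dests[src].add(dst)
    # Both signs together are what the posts describe; either alone is weaker.
    return {h: (mx_queries[h], sorted(smtp_dests[h]))
            for h in mx_queries if smtp_dests[h]}


if __name__ == "__main__":
    for host, (mx, dests) in find_unexpected_mailers(SAMPLE_LOG).items():
        print(f"{host}: {mx} MX queries, SMTP to {', '.join(dests)}")
```

In practice the allow list would hold the site's real mail relays, and a workstation that appears in the result is a candidate for the closer inspection (GMER, offline scan) the posts mention.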