RichardNixonsHead

Possible F.P.'s not removed on reboot


So, I'm running a work laptop, very clean habits, use MS Forefront Client Security (corporate AV), Spybot S&D, CCleaner, Pest Patrol and MBAM. Everything's happy until I load MBAM v1.33 this week and run that for the first time in a short while. Subsequent Full and Quick scans find 14-22 'infected' files containing anything from trojan.fakealert, to trojan.agent, to backdoor.bot (see log attached).

Anyway, I can't find any of the 'infected files' listed (and I have checked "show hidden files" etc. in Win Ex) AND none of these infections show when I scan with the computer in 'safe mode'. What's more, when I have MBAM remove the selected files, it says that it cannot remove and will do so on reboot. When I reboot and rescan, they are all there again; sometimes a couple of them have disappeared, but generally in subsequent scans they return.

In the meantime, no other software can detect anything untoward (I also used Autoruns.exe and could not find anything that I could immediately spot as suspect).

Are these false positives?

Thanks for any help.

mbam_log_2009_01_21__14_23_19_.txt


Forgive the following, as I am new to this forum but is it normal to have 60+ views in a week and not one reply?

I am getting the same items coming up on MBAM every day and still cannot find any of the files. Delete on reboot does not work.

If I can't explain and/or remedy this situation, I may as well remove mbam forever as it is rendered useless at this point!

The log I posted was a developers log, so am I missing something? If these are legit and I need to post in another part of the forum, let me know.

Thanks.


Your topic must have been overlooked, usually FP's are fixed much more quickly. I suggest you re-post that log as part of your actual reply, just copy and paste. As it is it is really difficult to read.

I haven't been getting any FP's with the newest database (or any recent ones), so it's possible your infection is legit.

Is there any unusual software on the pc that MBAM might be flagging? Hopefully one of the devs will see this and fix it up for you.

Malwarebytes' Anti-Malware 1.33
Database version: 1701
Windows 6.0.6001 Service Pack 1

28/01/2009 11:06:22 AM
mbam-log-2009-01-28 (11-06-22).txt

Scan type: Quick Scan
Objects scanned: 64514
Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks Insomniac!

Latest log generated today, is posted below.

As to your software question, nothing non-legit on the laptop, plenty of software on here though. Most of the 'identified files' cannot be found when searched for.

Hope someone can help!

Malwarebytes' Anti-Malware 1.33
Database version: 1709
Windows 5.1.2600 Service Pack 2

1/30/2009 3:44:04 PM
mbam-log-2009-01-30 (15-44-04).txt

Scan type: Quick Scan
Objects scanned: 72567
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\beep.sys (Trojan.Patched) -> Quarantined and deleted successfully. [4134524130538380756679154966856873706913016966187119246925227017691822192271232319182024197024672325227026]
C:\WINDOWS\scvhost.exe (Backdoor.Bot) -> Delete on reboot. [385753513430356668766980808315358085130136276156424737485652618468877380848515708970]
C:\WINDOWS\system32\crss.exe (Backdoor.Bot) -> Delete on reboot. [385753513430356668766980808315358085130136276156424737485652618490848570782019616883848415708970]
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Delete on reboot. [385753513430396676701537838081817069154666778866837013013627615642473748565261838679697777182315708970]
C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Delete on reboot. [38575351343039667670153783808181706915466677886683701301362761564247374856526139554983808570688515708970]
C:\WINDOWS\system32\nsosscfg.exe (Spyware.MarketScore) -> Delete on reboot. [3857535134305281908866837015466683767085526880837013013627615642473748565261849084857078201961798480848468717215708970]
D:\TEMP\hsperfdata_feegc\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot. [385753513430538380756679153966767034777083851301372761533846496173848170837169668566647170707268617479848566777770836484676964707915708970]
C:\WINDOWS\Logo1_.exe (Worm.Viking) -> Delete on reboot. [38575351343056808378155574767479721301362761564247374856526145807280186415708970]
C:\WINDOWS\Downloaded Program Files\EGDAccess.inf (Adware.EGDAccess) -> Delete on reboot. [38575351343034698866837015384037346868708484130136276156424737485652613780887977806669706901498380728366780139747770846138403734686870848415747971]
C:\WINDOWS\Downloaded Program Files\EGDAccess_ASPIV4.inf (Adware.EGDAccess) -> Delete on reboot. [3857535134303469886683701538403734686870848413013627615642473748565261378088797780666970690149838072836678013974777084613840373468687084846434524942552115747971]
C:\WINDOWS\Downloaded Program Files\Netslv32.inf (Adware.EGDAccess) -> Delete on reboot. [385753513430346988668370153840373468687084841301362761564247374856526137808879778066697069014983807283667801397477708461477085847787201915747971]
C:\WINDOWS\Downloaded Program Files\Netslv32.dll (Adware.EGDAccess) -> Delete on reboot. [385753513430346988668370153840373468687084841301362761564247374856526137808879778066697069014983807283667801397477708461477085847787201915697777]
C:\WINDOWS\system32\mksc.exe (Spyware.MarketScore) -> Delete on reboot. [38575351343052819088668370154666837670855268808370130136276156424737485652618490848570782019617876846815708970]
C:\WINDOWS\system32\ossproxy.exe (Spyware.MarketScore) -> Delete on reboot. [3857535134305281908866837015466683767085526880837013013627615642473748565261849084857078201961808484818380899015708970]
C:\WINDOWS\system32\sss.exe (Trojan.Agent) -> Delete on reboot. [3857535134305383807566791534727079851301362761564247374856526184908485707820196184848415708970]
C:\WINDOWS\Temp\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot. [385753513430538380756679153966767034777083851301362761564247374856526153707881617479848566777770836484676964707915708970]
D:\TEMP\WPDNSE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot. [3857535134305383807566791539667670347770838513013727615338464961564937475238617479848566777770836484676964707915708970]
D:\TEMP\VBE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot. [3857535134305383807566791539667670347770838513013727615338464961553538617479848566777770836484676964707915708970]
D:\TEMP\msohtmlclip1\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot. [3857535134305383807566791539667670347770838513013727615338464961788480738578776877748118617479848566777770836484676964707915708970]
D:\TEMP\MPTelemetrySubmit\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot. [38575351343053838075667915396676703477708385130137276153384649614649537077707870858390528667787485617479848566777770836484676964707915708970]


Hmm... I'm no expert, far from it, but I think I can see why at least a couple of those are flagged. (I'm just going off stuff I've read, so I could easily be far from the truth)

The beep.sys one I think is a F/P, judging by this topic: http://www.malwarebytes.org/forums/index.php?showtopic=10591

However, I noticed that a couple of the things it found (crss.exe, scvhost.exe, and probably others; they are just the first two I looked at) would in my opinion seem to be caused by a real infection. The names are just too close to legit system processes (csrss.exe, svchost.exe). Often malware writers disguise their program to have a similar name to a legit process in the hope that it would be overlooked.

Also, I think I remember nossirah saying that there just shouldn't be .exe files located in your c/windows directory... and MBAM has detected some there (MBAM is very aggressive against stuff like .exe files located in places they shouldn't be, regardless of what the file actually is).

Try updating the database and scanning again to see if beep.sys was an FP (I think that FP is fixed in the newest database).

Also, if I were you I wouldn't go using any important logins and passwords until you get this cleared up, just in case there is a keylogger or similar on your pc.

Again, I really don't know much about this sorta thing but I would be careful until someone who really knows what they're talking about clears this up.
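Added example, not from the thread and not Malwarebytes' code: a small Python triage script that takes "Files Infected:" lines in the format of the log pasted above and applies the checks raised in this thread. It parses each line into path, detection and action; flags file names that are one or two character edits away from a legitimate Windows binary (the crss.exe / scvhost.exe / rundll16.exe pattern); marks .exe files sitting directly in C:\WINDOWS (a "look closer" signal only, since explorer.exe, notepad.exe and regedit.exe legitimately live there); and checks with os.lstat whether each path exists right now, which ignores hidden/system attributes that an Explorer search may be configured to skip. The sample lines are copied from the log in the thread with the bracketed signature numbers truncated; the list of legitimate names is a hand-picked assumption, not an authoritative inventory.

```python
"""Triage helper for a pasted Malwarebytes 1.x log (added example, not
Malwarebytes' code).  Parses "Files Infected:" lines and attaches three
checks: lookalike_of (name imitates a legit system binary), exe_in_windir
(.exe directly in C:\\WINDOWS) and present (path exists via os.lstat).
The legit-name list is a hand-picked assumption."""
import ntpath
import os
import re

# Detection lines copied from the log in the thread; the bracketed
# signature numbers MBAM appends are truncated to keep lines short.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\drivers\beep.sys (Trojan.Patched) -> Quarantined and deleted successfully. [41345241305383]
C:\WINDOWS\scvhost.exe (Backdoor.Bot) -> Delete on reboot. [38575351343035]
C:\WINDOWS\system32\crss.exe (Backdoor.Bot) -> Delete on reboot. [38575351343035]
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Delete on reboot. [38575351343039]
C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Delete on reboot. [38575351343039]
C:\WINDOWS\system32\sss.exe (Trojan.Agent) -> Delete on reboot. [38575351343053]
D:\TEMP\VBE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot. [38575351343053]
""".strip()

# <path> (<detection>) -> <action>. [<digits>]
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> "
    r"(?P<action>.+?)\.(?: \[\d+\])?\s*$"
)

# Assumption: a short hand-picked set of names malware likes to imitate.
LEGIT_SYSTEM_BINARIES = {
    "csrss.exe", "svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe",
}


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename, legit=LEGIT_SYSTEM_BINARIES, max_dist=2):
    """Legit name this file name imitates, or None.  Distance 0 is the real
    name, not a lookalike; 1-2 edits covers crss.exe / scvhost.exe."""
    name = filename.lower()
    best = None
    for cand in legit:
        d = edit_distance(name, cand)
        if 0 < d <= max_dist and (best is None or d < best[1]):
            best = (cand, d)
    return best[0] if best else None


def exe_directly_under_windir(path):
    """True for an .exe directly in C:\\WINDOWS, not a subfolder.  Legit ones
    exist there (explorer.exe, notepad.exe), so this is a hint, not a verdict."""
    parent, name = ntpath.split(path)
    return parent.lower() == r"c:\windows" and name.lower().endswith(".exe")


def exists_on_disk(path):
    """os.lstat sees hidden/system files an Explorer search may skip.
    Off the affected machine this is simply False."""
    try:
        os.lstat(path)
        return True
    except OSError:
        return False


def triage(log_text):
    """Parse every detection line and attach the three checks."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"]
        rows.append({
            "path": path,
            "detection": m["detection"],
            "action": m["action"],
            "lookalike_of": lookalike_of(ntpath.basename(path)),
            "exe_in_windir": exe_directly_under_windir(path),
            "present": exists_on_disk(path),
        })
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        flags = []
        if r["lookalike_of"]:
            flags.append("lookalike of " + r["lookalike_of"])
        if r["exe_in_windir"]:
            flags.append("exe directly in WINDOWS")
        flags.append("present" if r["present"] else "not found on disk")
        print(f'{r["path"]:48} {r["detection"]:22} {"; ".join(flags)}')
```

Run it on the affected machine with the full log pasted into SAMPLE_LOG: a row that is "not found on disk" immediately after a scan that just listed it is the interesting case, since a file the scanner sees but a later stat does not is either a transient (recreated per session) or something hiding from a user-mode lookup; either way it is a reason to keep the path out of the FP bucket until someone checks it with the scanner's own tooling.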


I have forwarded this to our lead researcher. He will be able to confirm whether or not these are all FP's and should be dealt with.


Thanks to both Raid and Insomniac.

I had read yesterday that beep.sys seemed to be an FP issue with definition set 1709, so was not concerned about that one.

As far as files such as scvhost.exe are concerned, I have read on other file identifier sites that it is more than likely a 'dodgy' file, being that it is so close to the legit svchost.exe. But here's the kicker (and this may be where I show my lack of expertise), when I look for the files with a search, I can never find them. Now, I don't claim to be very experienced in malware combat, but generally if I have had something 'infect' a p.c. before, I usually find it when searching, but these don't seem to be there? That was the main reason for me posting in the FP section.

It's confusing the hell out of me. Even if you have a malware that hides elsewhere and reseeds itself on reboot, generally the anti-malware software says it stripped it and then it 'magically' reappears next time you scan. But in this case, MBAM says it was unable to remove and will do so on reboot, but it doesn't appear to. Oh, and again, just in case we forget, when I reboot in safe mode, the scan finds nothing!!

As Insomniac says, I am staying away from web passwords etc which is difficult as I do a lot of that on this machine.

Thanks for the continued support,


MBAM isn't really meant to run in safe mode; some of the features it uses to detect and remove malware won't work properly. I wonder what is causing this? I've got MBAM running on both a Vista and XP machine, and have never had something like this happen.


No problem. Sorry for the hassle you're going through. At this point, I'd suggest you start a new thread in the HijackThis forum and allow one of our experts to help you disinfect your machine. I have no reason at this time to believe any of them are necessarily false positives.


Thanks to all for your help, I'll move it over to the HJT thread.
