C:\Windows\system32\f3PSSavr.scr (Trojan.Agent)



Sorry about posting this again. Not certain WHERE it should go. Posted first in the General Malwarebytes' Anti-Malware Forum and was told to post in Malware Removal - HijackThis Logs, which I did, but I have had no responses. My friend continues to try to remove this, but it still keeps showing up.

He has run MBA-M multiple times. The scan ALWAYS looks like this latest one:

Malwarebytes' Anti-Malware 1.34

Database version: 1818

Windows 6.0.6001 Service Pack 1

04/03/2009 11:30:00 PM

mbam-log-2009-03-04 (23-30-00).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 234922

Time elapsed: 1 hour(s), 32 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\f3PSSavr.scr (Trojan.Agent) -> Delete on reboot.

He reboots and it is right back where it started.

Here is Quick Scan log done immediately upon Reboot.

Quick Scan results...

Malwarebytes' Anti-Malware 1.34

Database version: 1818

Windows 6.0.6001 Service Pack 1

04/03/2009 11:44:56 PM

mbam-log-2009-03-04 (23-44-56).txt

Scan type: Quick Scan

Objects scanned: 60478

Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\f3PSSavr.scr (Trojan.Agent) -> Delete on reboot.

Computer was rebooted.

Had him run Pocket KillBox to try to find and kill the file; file not found.

He ran MBA-M again; the file was again found. Right-clicking on what MBAM has found and choosing "Jump to file location" takes him to "user name" (not putting his real name here), which would be C:\Users\"user name", NOT to C:\Windows\system32\f3PSSavr.scr.

He looked throughout that location and found nothing.

He then tried this:

Opened MBAM

Clicked More Tools

Clicked FileASSASSIN

In the file dialog he put

C:\Windows\system32 in the top bar

and f3PSSavr.scr in the bottom, clicked Open, and got "f3PSSavr.scr doesn't exist".

He has run multiple other scans, both in normal and safe mode: Avira, ThreatFire, SAS, Spybot. None of them found this file. The only things found were a couple of tracking cookies, once, by Spybot, and 13 tracking cookies, one time and one time only, by SAS. Subsequent scans with all of those programs, both in normal and safe mode, have come up 100% clean. He has done this regimen after each MBA-M scan and then runs MBA-M again, and it always shows that file.

Has run HJT; it showed really nothing out of the ordinary.

Ran combofix which DID remove the following:

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

And in Drivers and Services removed these:

-------\Legacy_NPF

-------\Service_NPF

One Registry Entry looked odd:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f8a1e7a-adf5-11dc-8f7b-001921e97245}]

\shell\AutoRun\command - setup.EXE /AUTORUN

\shell\configure\command - setup.EXE

\shell\install\command - setup.EXE

Last night he ran a program called RunScanner.

It didn't show the file anywhere.

Only questionable entry in that log was this one:

170 {2f8a1e7a-adf5-11dc-8f7b-001921e97245} : setup.EXE /AUTORUN

He did a search on the computer for setup.EXE, and even tried it with quotes, "setup.EXE", but didn't find that exact one...

He found lots of variations, including SETUP.EXE, Setup.exe and setup.exe, but no setup.EXE.

We are just totally stumped. We don't know if there is a rootkit hidden here or what. We also wonder if this is a false positive, but have not found references to false positives anywhere concerning this entry. Actually, we have found very few references to this particular file anywhere, and when we have, the recommended fix is MBA-M.

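The post above describes a detection that scanners disagree about: MBAM reports C:\Windows\system32\f3PSSavr.scr and queues it for "Delete on reboot", while Explorer, FileASSASSIN and Pocket KillBox report that the path does not exist. The script below is an added example, written for this page and not part of the original thread or of any Malwarebytes tool. It checks the things a practitioner would want to rule out before suspecting a rootkit: whether the file is present but hidden/system, whether a 32-bit tool is being redirected from System32 to SysWOW64 on a 64-bit machine (the thread never says whether the machine is 64-bit; that is an assumption), whether the deferred delete is still queued in PendingFileRenameOperations, and what the MountPoints2 AutoRun handlers actually point at. It assumes an elevated PowerShell 2.0 or later prompt and uses only built-in cmdlets and .NET classes; the target path is the one MBAM reported.

```powershell
# Added example (not from the original thread or from Malwarebytes).
# Assumptions: run from an elevated PowerShell (2.0+); $target is the path MBAM reported.
$target = 'C:\Windows\system32\f3PSSavr.scr'
$dir    = Split-Path $target
$leaf   = Split-Path $target -Leaf

# 1. Directory listing with hidden/system entries included. -Force shows files that a
#    default Explorer view hides; -ieq makes the name comparison case-insensitive.
$hit = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
       Where-Object { $_.Name -ieq $leaf }
if ($hit) {
    "Found on disk: {0} size={1} attrs={2} modified={3}" -f $hit.FullName, $hit.Length, $hit.Attributes, $hit.LastWriteTime
    # SHA-256 via .NET (Get-FileHash needs PowerShell 4.0, which Vista does not ship with).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($hit.FullName)
    try { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
    "SHA256: $hash"
} else {
    "Not visible through a normal directory listing: $target"
}

# 2. WOW64 redirection check (assumption: the thread does not say if the OS is 64-bit).
#    A 32-bit process that opens C:\Windows\System32 is silently redirected to SysWOW64;
#    the Sysnative alias lets a 32-bit process reach the real System32.
#    [System.IO.File]::Exists ignores attributes, so hidden/system files still count.
foreach ($d in 'C:\Windows\System32', 'C:\Windows\SysWOW64', 'C:\Windows\Sysnative') {
    $p = Join-Path $d $leaf
    "{0,-40} exists={1}" -f $p, [System.IO.File]::Exists($p)
}

# 3. "Delete on reboot" is implemented by queueing the path in PendingFileRenameOperations;
#    the session manager processes the list early in the next boot. If the entry is still
#    there after a reboot, the deferred delete never ran; if it is gone but the file is
#    still reported, the file was re-created or was never there to begin with.
$sm      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    "PendingFileRenameOperations:"
    $pending | Where-Object { $_ }      # entries alternate source, destination; "" means delete
} else {
    "No pending file rename/delete operations queued."
}

# 4. MountPoints2 AutoRun handlers. Each subkey is a volume GUID; shell\AutoRun\command
#    is the command Explorer associates with opening that volume. The command is stored as
#    the key's default value, which PowerShell exposes as the '(default)' property.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp -ErrorAction SilentlyContinue | ForEach-Object {
    $key = "$mp\$($_.PSChildName)\shell\AutoRun\command"
    if (Test-Path $key) {
        $cmd = (Get-ItemProperty -Path $key).'(default)'
        "{0} -> {1}" -f $_.PSChildName, $cmd
    }
}

# 5. Last resort: search every fixed drive for the file name, hidden/system included.
#    Slow, but it answers the "is it anywhere at all" question the thread keeps asking.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    Get-ChildItem -Path "$($_.DeviceID)\" -Recurse -Force -Filter $leaf -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, Attributes, LastWriteTime
}
```

Two caveats when reading the output. A MountPoints2 AutoRun entry that points at a bare setup.EXE is the relative command an autorun.inf on a removable or optical disc would register; it is resolved against that volume, not against the system drive, so searching C:\ for setup.EXE will not find it unless that disc is inserted. And if step 1 and step 2 both say the file is absent while a scanner keeps reporting it, the remaining explanations are a stale entry on the scanner's side or something filtering directory listings below the Win32 API; the thread's developer log (the bracketed number after the detection) is what the vendor uses to tell those apart, which is why the reply below asks for it.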

Well, from what I can see (I'm no expert though), it doesn't really look like a false positive.

Try to upload it to this site, it might clear things up a bit.

Also, for the sake of the developers, you should post a developer log from MBAM. Here's how:

1. Click the Start Menu.

2. Click Run.

3. Type in "mbam.exe /developer", without the quotes.

4. Run the same type of scan you did before and save the logfile and post it.


Here is the developer log:

Malwarebytes' Anti-Malware 1.34

Database version: 1825

Windows 6.0.6001 Service Pack 1

07/03/2009 4:40:49 PM

mbam-log-2009-03-07 (16-40-21).txt

Scan type: Quick Scan

Objects scanned: 61552

Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\f3PSSavr.scr (Trojan.Agent) -> No action taken. [3857535134303627615674796980888461849084857078201961712049525266878315846883]
