Could Not Remove Malware

[Unicore]

Using MAM Premium version 2.0.2.1012.  After finishing a scan, MAM alerted me that it had found two pieces of malware (HKCR\piffile\shell\open\command) and (HKCR\scrfile\shell\open command).

 

I searched Malwarebytes forum and discovered that they were listed back in 2009 as false positives.  However, my experience was that these two pieces of malware caused my computer to spontaneously reboot without warning.

 

MAM was unable to quarantine or remove these threats.  I finally resorted to using ComboFix to solve the problem and remove this malware.

 

The next day, I found that another computer on my network (also protected with MAM 2.0.2.1012) got infected with the same malware and started to randomly reboot.  Once again MAM was able to detect the malware, but it was unable to remove the malware and I had to use ComboFix.

 

Both computers are clean and malware free now but I wanted to pass along my experience for others that might encounter the same problem.

 

I have included the ComboFix log file from my Dell laptop that was infected:

ComboFix Doc.txt

[1PW]

Hello Unicore and

Under these circumstances, I'll request the below three diagnostic log sets be attached in a reply to this thread for possible analysis:

Diagnostic Logs.

Thank You.

[Unicore]

I've included two of the three files you requested.  I was unable to locate the "Addition.txt" file.

CheckResults.txt

FRST.txt

[AdvancedSetup]

Actually can you please do the following.

Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link

Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

If this is what I think it is then it's not an infection but I want to see the full log please.

Thanks

[Unicore]

Attached is the scanning history log.  I have also noticed that while scanning, MAM will sometimes freeze.  It puts up a message (Not Responding).  MAM only becomes not responsive for a short period (20 seconds or so) and then returns to normal.

Scanning History Log.txt

[Unicore]

I have attached a second scanning history log.  I noticed that the first log did not include the PUP and PUM changes until I rebooted my computer.

Scanning History Log 2.txt

[AdvancedSetup]

Well at this time the logs are clean and I don't see that entry. Unless there is some other issue it seems fine now.

[Unicore]

Thank you for the help.  I discovered that the problem is a conflict between MBAM and CryptoPrevent v6.  I jumped over to the "Broken.Open Command CryptoPrevent" thread to seek a solution.  I'm still trying to figure out how to add the offending registry entries (HKCR\piffile\shell\open\command) and (HKCR\scrfile\shell\open\command) to the MBAM exclusion list.

 

Thanks again for helping me with this problem!