
After installing Anti-Rootkit Beta I ran it and it found six items. Four were noted as "(Security.Hijack)". I had the program delete all of them. How come Malwarebytes didn't catch these, or would this be considered a false positive?

This is what the log file showed for those items. It didn't find anything elsewhere. I have also attached the log file. Should I be concerned about these? I've had several hacks recently and suspect somebody planted something deep into my system, which is why I originally downloaded this beta.

Registry Keys Detected: 6
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [a895a59857251d195875f8fc7093f808]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [de5f0d30007c04326680b3416d96a25e]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [ee4f4af3433981b524e2df18d03351af]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [a697112c790339fd0cc1d81c877c7e82]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [0d30b8855c202e08a343af45b84b8f71]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [e756c37aaad21323fe08e4130af96898]

mbar-log-2016-11-15 (13-03-58).txt

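As an added example (not from the post or from Malwarebytes), here is a parser for detection lines in the MBAR log format quoted above. It pulls out the entries under Image File Execution Options and names the image each one targets, which is the first thing to check when deciding whether such a hit is a hijack of a security component or a false positive. The line format regex and the descriptions of the targeted images are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: the "Registry Keys Detected" lines from the MBAR log quoted above.
SAMPLE_LOG = r"""Registry Keys Detected: 6
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [a895a59857251d195875f8fc7093f808]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [de5f0d30007c04326680b3416d96a25e]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [ee4f4af3433981b524e2df18d03351af]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [a697112c790339fd0cc1d81c877c7e82]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [0d30b8855c202e08a343af45b84b8f71]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [e756c37aaad21323fe08e4130af96898]
"""

# Assumed shape of one MBAR detection line: <registry key> (<category>) -> <action>. [<32-hex id>]
LINE_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.+?) \((?P<category>[A-Za-z.]+)\) -> "
                     r"(?P<action>[^\[]+?)\. \[(?P<id>[0-9a-f]{32})\]$")
IFEO_MARKER = "\\image file execution options\\"   # compared against a lower-cased key

# Images whose IFEO entries deserve a close look: an IFEO entry applies to every launch of
# that image, so one placed on a security component can quietly keep it from running.
SECURITY_IMAGES = {
    "msmpeng.exe": "Windows Defender antimalware service",
    "mrt.exe": "Microsoft Malicious Software Removal Tool",
    "svchost.exe": "service host (affects every service it hosts)",
}


def parse_mbar_line(line):
    """Return the fields of one MBAR registry detection line, or None for other text."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_ifeo(entry):
    """Describe an IFEO detection (target image, registry view, role); None if not IFEO."""
    key, lowered = entry["key"], entry["key"].lower()
    if IFEO_MARKER not in lowered:
        return None
    image = key.rsplit("\\", 1)[-1]          # last path component is the targeted image
    return {"image": image,
            "view": "WOW6432Node" if "\\wow6432node\\" in lowered else "native",
            "category": entry["category"],
            "role": SECURITY_IMAGES.get(image.lower(), "not a known security image")}


def ifeo_findings(log_text):
    """All IFEO detections in an MBAR log, in log order."""
    entries = filter(None, map(parse_mbar_line, log_text.splitlines()))
    return list(filter(None, map(classify_ifeo, entries)))


def hits_per_image(findings):
    """How many IFEO entries target each image across both registry views."""
    return Counter(f["image"] for f in findings)
```

The log only records which keys existed, not their values; on a live machine the next step is to read each flagged key and see what it contained before trusting either verdict.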

Malwarebytes Anti-Rootkit is constantly in a beta state, and when the technology is stable enough, it is rolled into Malwarebytes Anti-Malware and a new beta for MBAR is released. That could explain why MBAR caught these entries while MBAM didn't. I guess that only an employee will have a more comprehensive answer for you.


Anything is possible with my computer. I'm very observant of any suspicious activity on this computer since I lost a lot of important electronic documents that cannot be replaced. I suspected months ago that my computer was phoning home to somebody who is probably responsible for the loss of all those documents. That's why I believe the scan results are not false positives. It would explain all the suspicious activity.

I'm considering throwing this laptop out because of all the problems I've had with it since the problem surfaced in May. I wonder if it's possible that malware or a virus can exist even if the hard drive is formatted numerous times. Besides doing resets to factory settings, I have also manually formatted the drive several times. MB Anti-Rootkit is the only program to show results that might prove malware is buried deep inside my system. Neither Norton nor any other anti-virus program I have tried can find anything.


It is possible for some malware and viruses to survive a factory reset, though it's rarer for them to survive a full drive wipe (done properly). If you really are infected, you could have reinfected yourself with an infected device such as a USB flash drive. If you need assistance with malware removal, you'll need to start a new thread in the Malware Removal for Windows section, by following the instructions in the thread below.

https://forums.malwarebytes.org/topic/9573-im-infected-what-do-i-do-now/

