gloriousgreenfox Posted August 2, 2017 ID:1148787

I had decided to run an antirootkit scan without internet access on one of my devices. On this same device, when I updated the Malwarebytes antirootkit scan it detected nothing. But when I ran it without updating it, it found similar malware across two different devices, and it keeps finding the same malware after completely wiping each device and reinstalling Windows.

Registry Keys Detected: 6
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [6ecfb786d9a3db5b11bc9262a75c5ca4]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [2d100b324e2ea59111d5fff5a06314ec]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [f04dc974b8c445f18a7c45b27e856e92]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [ad9007369ce0e94dd4f9827222e10ff1]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [b38a9aa32b513006707638bccc37e41c]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [3a0359e46b111e1834d233c459aaff01]

My assumption is either these are false positives or the antirootkit scan is being corrupted when I update it. Not sure why these would remain on the device after formatting the drives and reinstalling Windows. Thanks

Attachment: mbar-log-2017-08-01 (17-41-48).txt
Aura Posted August 2, 2017 ID:1148790

Hi gloriousgreenfox, these are false positives indeed. If you update the database before launching the scan, these shouldn't appear.

main: v2014.11.18.05
rootkit: v2014.11.12.01
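For anyone who wants to check such a detection before wiping a machine: an Image File Execution Options (IFEO) subkey named after a process only becomes a hijack if it carries a Debugger value pointing at another executable, so listing which IFEO subkeys actually set Debugger is a quick way to triage a Security.Hijack hit. The script below is an added example written for this thread, not part of the original posts and not Malwarebytes code; the root paths are the two IFEO locations named in the log above, and the default image list is the three names the scan flagged (the $Images parameter and function name are this example's own choices).

```powershell
# Added example: report whether the IFEO subkeys a scanner flagged actually set a
# Debugger value. A subkey with no Debugger (often only GlobalFlag or similar
# settings) cannot redirect the named process and is a false-positive candidate.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoTriage {
    param(
        # Images named in the thread's log; pass others to widen the check.
        [string[]]$Images = @('MRT.exe', 'MsMpEng.exe', 'svchost.exe'),
        [string[]]$Roots  = $IfeoRoots
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($image in $Images) {
            $keyPath = Join-Path -Path $root -ChildPath $image
            if (-not (Test-Path -LiteralPath $keyPath)) {
                # Subkey absent: nothing for a scanner to flag here.
                [PSCustomObject]@{ Root = $root; Image = $image; Present = $false; Debugger = $null; Hijack = $false }
                continue
            }
            $props    = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
            $debugger = $props.Debugger
            [PSCustomObject]@{
                Root     = $root
                Image    = $image
                Present  = $true
                Debugger = $debugger
                # Only a populated Debugger value redirects process creation.
                Hijack   = -not [string]::IsNullOrWhiteSpace($debugger)
            }
        }
    }
}

# Usage: show every checked subkey; rows with Hijack = True deserve a closer look,
# rows that are Present but have no Debugger are the typical false positive.
Get-IfeoTriage | Format-Table -Property Image, Present, Debugger, Hijack, Root -AutoSize
```

Reading HKLM does not need an elevated prompt. A populated Debugger value is not automatically malicious (developers and some diagnostic tools set it deliberately), but on a freshly installed system with no debugger configured it is the value to explain before treating the key as benign.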
gloriousgreenfox Posted August 2, 2017 ID:1148793

Oh boy lol, I wish I had come to my senses before completely wiping my device lol. Thank you so much for your timely response
Aura Posted August 2, 2017 ID:1148798

No problem gloriousgreenfox, you're welcome