Spyware.banker infecting ntuser.dat

[badbill]

Bit of a problem here. According to Malwarebytes it needs to remove my copy of ntuser.dat in order to clear out a copy of Spyware.Banker.

Not a good idea to remove ntuser.dat, trashes your user profile and basically ends your ability to use Vista. Here's the log:

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 6.0.6002 Service Pack 2

8/9/2009 12:24:54 PM

mbam-log-2009-08-09 (12-24-54).txt

Scan type: Quick Scan

Objects scanned: 89855

Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Bill\ntuser.dat (Spyware.Banker) -> Delete on reboot.

Do I have a problem?

Thanks for the help.

[miekiemoes]

Hi,

Can you update and rescan again? Because this detection indeed doesn't make sense...

Let me know if it's still detecting after the update. If it is, please create a developers log for it:

1. Click the Start Menu.

2. Click Run.

3. Type in "mbam.exe /developer", without the quotes.

4. Run the same type of scan you did before and save the logfile and post it.

Then we can see why it is detecting this file. Strange no one reported this earlier though....

[badbill]

Thank you Mieke for the clear and easy to follow instructions. Here is the logfile generated after I updated my copy of Malwarebyes and ran in developer mode.

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 6.0.6002 Service Pack 2

8/10/2009 10:59:26 AM

mbam-log-2009-08-10 (10-59-20).txt

Scan type: Quick Scan

Objects scanned: 82225

Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Bill\ntuser.dat (Spyware.Banker) -> No action taken. [5253514247405230192224182621130120171717202117172018171720231717]

I can find no evidence of processes or files to support the existence of this malware on my machine. Not sure if I should be relieved or more concerned about that.

Please let me know what else I can do to help unravel this mystery, I agree this is most peculiar.

Bill

[miekiemoes]

Hi,

This is a real strange detection since this is a Strings detection and strings detection only supports MZ files, so no way it could detect this one.

In anyway, I see you didn't update yet, so please update and rescan again.

Then let me know if it's still detecting it.

[badbill]

That was peculiar because I did hit the update button before I scanned the last time. I've had to restore my system twice and perhaps that threw things off.

That said, I hit update again and got the new definitions, ran the scan and good news: No detection, here's the log file:

Malwarebytes' Anti-Malware 1.40

Database version: 2593

Windows 6.0.6002 Service Pack 2

8/10/2009 11:48:10 AM

mbam-log-2009-08-10 (11-48-10).txt

Scan type: Quick Scan

Objects scanned: 82090

Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

As I type this I'm running a full scan just to follow up. I've been in the field since the earliest days of PCs back in the early '80s. I used to tell people that if I ever opened up a computer repair shop I'd call it "Catholic Computer Repair." So many of my repairs and saves have been "mysteries" or "miracles." Maybe we'll have to file this situation as a "mystery."

I appreciate your prompt, professional response to this issue. You've inspired me to upgrade to the paid version. Thanks again for your assistance.

[miekiemoes]

Yes, this is indeed a mystery since you are the only one who reported this and this detection is already in the database for months. Also, as I said, it didn't make sense since strings detection is only for MZ files, and ntuser.dat isn't an MZ file

In either way, it's not detecting anymore now, so this issue, whatever was causing it, is resolved now.

And thank you for the trust in our product, much appreciated

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.