meactut Posted November 15, 2009 ID:158280 Share Posted November 15, 2009 Malwarebytes finds the following file on my my computer but can't seem to get rid of it. I get a message saying I need to reboot to delete it, when I run the scan again, it is still there. It looks like it blocks Malwarebytes on boot up. Files Infected:C:\preboot\rr\Migration\bin\p2pc.dll (Trojan.Dropper) -> Delete on reboot. Any suggestions on removal? My previous advice was to Combofix or reformat, but those both seem pretty extreme.Some in the previous post ask me to zip the file, but I could not find it. I looked through the directory and through search, so I included Trend Micro hijackThis logs, and the Malwarebytes log. Hopefully someone has some idea of out to get rid of this thing.Thanks, Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:32:55 PM, on 11/12/2009Platform: Windows Vista SP2 (WinNT 6.00.1906)MSIE: Internet Explorer v7.00 (7.00.6002.18005)Boot mode: NormalRunning processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exeC:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exeC:\Windows\System32\TpShocks.exeC:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXEC:\Windows\System32\rundll32.exeC:\Program Files\Lenovo\AwayTask\AwaySch.EXEC:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXEC:\Program Files\ThinkVantage\AMSG\Amsg.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exeC:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exeC:\Program Files\Canon\MyPrinter\BJMYPRT.EXEC:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Symantec AntiVirus\VPTray.exeC:\Windows\System32\rundll32.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\RitzPix E-Z Print & Share\OurPictures.exeC:\Program Files\ThinkPad\Bluetooth Software\BTTray.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\WinZip\WZQKPICK.EXEC:\Windows\ehome\ehtray.exeC:\Program Files\Windows Sidebar\sidebar.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Windows Defender\MSASCui.exeC:\Windows\ehome\ehmsas.exeC:\Windows\system32\wbem\unsecapp.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Lenovo\HOTKEY\TPONSCR.exeC:\Program Files\Lenovo\Zoom\TpScrex.exeC:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exeC:\Program Files\Internet Explorer\ieuser.exeC:\Windows\system32\Macromed\Flash\FlashUtil10c.exeC:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXEC:\Windows\system32\NOTEPAD.EXEC:\Program Files\ThinkPad\ConnectUtilities\ACMainGUI.exeC:\Program Files\Microsoft Office\Office12\WINWORD.EXEC:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\SearchFilterHost.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Java Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 16, 2009 Staff ID:158448 Share Posted November 16, 2009 Hi,The Trojan.Dropper is most probably a false positive.Please do the following...1. Click the Start Menu.2. Click Run.3. Type in "mbam.exe /developer", without the quotes.4. Run the same type of scan you did before and save the logfile and post it.Also, Go to this page.Enter the url of this thread in the first field.Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:C:\preboot\rr\Migration\bin\p2pc.dllSelect it and click ok:Then click the Send File button below. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 16, 2009 Staff ID:158568 Share Posted November 16, 2009 Hi,Thank you for your submission.The file is 0 bytes, so I guess you already deleted it with malwarebytes and just entered the full path in the field for submission.Please open malwarebytes and click the quarantine tab. There search for the reference where it deleted the p2pc.dll file and select to restore that file.Then upload that file again (this time you should be able to find it, I hope).Then, after you have restored the file, 1. Click the Start Menu.2. Click Run.3. Type in "mbam.exe /developer", without the quotes.4. Run the same type of scan you did before and save the logfile and post it. Link to post Share on other sites More sharing options...
meactut Posted November 16, 2009 Author ID:158583 Share Posted November 16, 2009 Hi,Thank you for your submission.The file is 0 bytes, so I guess you already deleted it with malwarebytes and just entered the full path in the field for submission.Please open malwarebytes and click the quarantine tab. There search for the reference where it deleted the p2pc.dll file and select to restore that file.Then upload that file again (this time you should be able to find it, I hope).Then, after you have restored the file, 1. Click the Start Menu.2. Click Run.3. Type in "mbam.exe /developer", without the quotes.4. Run the same type of scan you did before and save the logfile and post it.Thank you very much for your help. I am running a scan, which usually takes about 2 hours. I can't seem to find the file. I've tried searching, and following the directory, but can't seem to find it. When I browse from bleeping computer, and enter the file in the search thing, it says I don't have access. I will post the new log when the scan finishes. I'm pretty sure the file is still there, i just can't seem to find it to send it to you. Any suggestions?Thanks again! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 16, 2009 Staff ID:158584 Share Posted November 16, 2009 Hi,It could be possible that the folder preboot is Locked to the Windows API. That may explain why mbam can't delete it and you can't find the file. In either way, the mbam /developer log may already be a great help as well here, so no need for the file as I expect that the folder preboot is a part of your installation to restore to factory settings.A quick google search shows that this file is related with ThinkVantage\SMA, so it's legit and you can ignore the detection. I just need that developers log, so it can be fixed in next update Link to post Share on other sites More sharing options...
meactut Posted November 16, 2009 Author ID:158589 Share Posted November 16, 2009 Great! You have been very helpful. I will send this file as soon as it is finished. When I pull it up I can see it has already found it. Thanks again!Hi,It could be possible that the folder preboot is Locked to the Windows API. That may explain why mbam can't delete it and you can't find the file. In either way, the mbam /developer log may already be a great help as well here, so no need for the file as I expect that the folder preboot is a part of your installation to restore to factory settings. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 16, 2009 Staff ID:158595 Share Posted November 16, 2009 Ok, waiting for your reply with the developers log....In either way, don't select to delete since this file is harmless (and mbam won't be able to delete it anyway since the folder is locked) Link to post Share on other sites More sharing options...
meactut Posted November 16, 2009 Author ID:158624 Share Posted November 16, 2009 Ok, waiting for your reply with the developers log....In either way, don't select to delete since this file is harmless (and mbam won't be able to delete it anyway since the folder is locked) Okay, here is the log from the last run. Any thoughts? I'm tempted just to wipe my hard drive and start from scratch anyways. Its been a few years.Malwarebytes' Anti-Malware 1.41Database version: 3179Windows 6.0.6002 Service Pack 211/16/2009 2:37:15 PMmbam-log-2009-11-16 (14-37-09).txtScan type: Full Scan (C:\|)Objects scanned: 266221Time elapsed: 1 hour(s), 59 minute(s), 51 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\preboot\rr\Migration\bin\p2pc.dll (Trojan.Dropper) -> No action taken. [52535142474052305383807566791537838081817083130125172125171301222017172239171722231717212217172219171722201717212617172139171721381717223917172126171721381717212317172139171717171717171717173537172138393938171717171718171713014755] Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 16, 2009 Staff ID:158630 Share Posted November 16, 2009 Hi,I would like to have the file anyway - even though it's legit so we can adjust our detection.I know you can't access the file since it's in a locked folder, but maybe gmer may be a help here.Download GMER's application from here:http://www2.gmer.net/gmer.zipIt will do a fast scan automatically. Just ignore what it finds since the folder or subfolders of the preboot folder will be targetted there anyway.Then, click on the arrows next to the Rootkit/Malware tabThen more tabs will appear.Click the "files" tabThen you'll see an enumeration of your folders and files.In there, you *should be able to navigate to the C:\preboot\rr\Migration\bin\p2pc.dll file. So from there, navigate to the Preboot folder, then rr subfolder, then Migration subfolder, then bin subfolder and in there you should find the file p2pc.dllselect that file and on the right you'll see a button with the name "copy". Click copy and your explorer will open in order to save the file.Name the file p2pc.dll and save it on your desktop.Then upload the file from your desktop here again: http://www.bleepingcomputer.com/submit-malware.php?channel=8 Link to post Share on other sites More sharing options...
meactut Posted November 16, 2009 Author ID:158637 Share Posted November 16, 2009 Hi,I would like to have the file anyway - even though it's legit so we can adjust our detection.I know you can't access the file since it's in a locked folder, but maybe gmer may be a help here.Download GMER's application from here:http://www2.gmer.net/gmer.zipIt will do a fast scan automatically. Just ignore what it finds since the folder or subfolders of the preboot folder will be targetted there anyway.Then, click on the arrows next to the Rootkit/Malware tabThen more tabs will appear.Click the "files" tabThen you'll see an enumeration of your folders and files.In there, you *should be able to navigate to the C:\preboot\rr\Migration\bin\p2pc.dll file. So from there, navigate to the Preboot folder, then rr subfolder, then Migration subfolder, then bin subfolder and in there you should find the file p2pc.dllselect that file and on the right you'll see a button with the name "copy". Click copy and your explorer will open in order to save the file.Name the file p2pc.dll and save it on your desktop.Then upload the file from your desktop here again: http://www.bleepingcomputer.com/submit-malware.php?channel=8I got the gmer to work, but when I navigate to the folder there is no preboot folder. I attached a screen shot in a word file. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 16, 2009 Staff ID:158643 Share Posted November 16, 2009 Ok, no worries then. Next malwarebytes database version shouldn't detect this one anymore since we have fixed this false positive already. Link to post Share on other sites More sharing options...
meactut Posted November 16, 2009 Author ID:158644 Share Posted November 16, 2009 Ok, no worries then. Next malwarebytes database version shouldn't detect this one anymore since we have fixed this false positive already. Okay, thanks again for your help! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 16, 2009 Staff ID:158645 Share Posted November 16, 2009 You're most welcome Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 18, 2009 Staff ID:159578 Share Posted November 18, 2009 Since this issue appears resolved ... this Topic is closed.If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.Everyone else please begin a New Topic. Link to post Share on other sites More sharing options...
Recommended Posts