Root Admin RubbeR DuckY Posted December 6, 2007 Root Admin ID:10667 Share Posted December 6, 2007 Bruce,I'm pretty sure these are false positives. I don't have a developers log. Any idea how they were detected?Malwarebytes' Anti-Malware Version 0.77Database version: 219Scan type: Quick ScanObjects scanned: 59363Time elapsed: 16 minute(s), 23 second(s)Memory Processes Infected: 1Memory Modules Infected: 3Registry Keys Infected: 3Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 5Files Infected: 23Memory Processes Infected:c:\program files\spywarebot\spywarebot.exe (Rogue.SpywareBot) -> No action taken.Memory Modules Infected:c:\program files\spywarebot\spycleaner.dll (Rogue.SpywareBot) -> No action taken.c:\program files\spywarebot\tcl.dll (Rogue.SpywareBot) -> No action taken.c:\program files\spywarebot\zlib.dll (Rogue.SpywareBot) -> No action taken.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> No action taken.HKEY_CLASSES_ROOT\Typelib\{5937cd7f-1c0b-41e1-9075-60ebdf3c7d34} (Adware.Zango) -> No action taken.HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> No action taken.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\Program Files\SpywareBot (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\Administrator\Application Data\SpywareBot (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\Administrator\Application Data\SpywareBot\Log (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\Administrator\Application Data\SpywareBot\Settings (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot (Rogue.SpywareBot) -> No action taken.Files Infected:C:\Program Files\SpywareBot\DataBase.ref (Rogue.SpywareBot) -> No action taken.C:\Program Files\SpywareBot\Launcher.exe (Rogue.SpywareBot) -> No action taken.C:\Program Files\SpywareBot\license.rtf (Rogue.SpywareBot) -> No action taken.C:\Program Files\SpywareBot\SpyCleaner.dll (Rogue.SpywareBot) -> No action taken.C:\Program Files\SpywareBot\SpywareBot.exe (Rogue.SpywareBot) -> No action taken.C:\Program Files\SpywareBot\SpywareBot.url (Rogue.SpywareBot) -> No action taken.C:\Program Files\SpywareBot\TCL.dll (Rogue.SpywareBot) -> No action taken.C:\Program Files\SpywareBot\unins000.dat (Rogue.SpywareBot) -> No action taken.C:\Program Files\SpywareBot\unins000.exe (Rogue.SpywareBot) -> No action taken.C:\Program Files\SpywareBot\zlib.dll (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\Administrator\Application Data\SpywareBot\rs.dat (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\Administrator\Application Data\SpywareBot\Log\2007 Dec 05 - 03_00_01 AM_765.log (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\Administrator\Application Data\SpywareBot\Log\2007 Dec 05 - 03_00_04 AM_718.log (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\Administrator\Application Data\SpywareBot\Settings\ScanResults.pie (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot.lnk (Rogue.SpywareBot) -> No action taken.C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk (Rogue.SpywareBot) -> No action taken.C:\WINDOWS\system32\taskmgr.exe (Trojan.Downloader) -> No action taken.C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe (Trojan.Downloader) -> No action taken.C:\WINDOWS\I386\OPRGHDLR.SY_ (Heuristics.Malware) -> No action taken.C:\WINDOWS\system32\winlogon.exe (Rootkit.Dropper) -> No action taken.C:\WINDOWS\$NtUninstallKB840987$\winlogon.exe (Rootkit.Dropper) -> No action taken.C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe (Rootkit.Dropper) -> No action taken. Link to post Share on other sites More sharing options...
Staff nosirrah Posted December 6, 2007 Staff ID:10673 Share Posted December 6, 2007 Those should not be FPs from the looks of it .The fact that winlogon.exe and taskmgr.exe are detected in multiple locations seems to indicate that these files have been replaced .OPRGHDLR.SY_ will likely be the only one I can research without MD5s or a dev log .There is another possibility though . If I added a def for a patched file by mistake then this could happen . Link to post Share on other sites More sharing options...
Recommended Posts