Rogue.Multiple

[Cherie]

One of our employees computers received a virus notification about a Downloader that was reportedly "cleaned by deletion" by the Symantec AV product we use. I cleared out all cache and temporary files then re-ran a scan to confirm it was clean.

For good measure I also ran a Malwarebytes scan. It did find some "Rogue.Mulitple" items but took no action. Please see attached MBAM log file.

I haven't been able to find anything on the Rogue.Multiple entries in the log file. Can you please review and let me know if this is something new I should do something about or if it's a false positive?

The machine is not exhibiting any odd behavior, which is why I did not include HJT logs. I only need to know if this "Rogue.Mulitple" is a false positive or not. If you still require HJT logs, please let me know.

Thanks...cbc

mbam_log_2009_11_18__13_25_16_.txt

[miekiemoes]

Hi,

This is nothing new though, but known leftovers from a Rogue antispywarescanner, so let Malwarebytes delete what it found.

Yes, also post a HijackThislog in your next reply.

[Cherie]

Please see attached HJT log.

hijackthis.txt

[miekiemoes]

Hi,

There's a leftover from Adware.Deepdive here:

O18 - Filter hijack: text/html - {9fc93e77-e01a-4ece-b323-b954a21849c2} - C:\WINDOWS\mark_32.dll

Can you check if the file still exists? C:\WINDOWS\mark_32.dll

This because malwarebytes should detect and delete this file.

[Cherie]

Confirmed the file C:\WINDOWS\mark_32.dll wasn't there. So this should be OK then, we're clean?

[miekiemoes]

Good.

Just check next entry in HijackThis and click the fix checked button:

O18 - Filter hijack: text/html - {9fc93e77-e01a-4ece-b323-b954a21849c2} - C:\WINDOWS\mark_32.dll

In case it won't go away in HijackThis (as this appears to be a common problem with Protocol registry entries in HijackThis), do the following...

Open notepad and copy and paste next present in the quotebox below in it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]

Save this as fix.reg Choose to save as *all files and place it on your desktop.

It should look like this:

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

[Cherie]

If HijackThis found something, but that file doesn't exist on my machine, what exactly is that registry change supposed to do? I'd like to understand it better before I do it, especially if it has the potential of breaking something else.

[miekiemoes]

Hi,

It's a protocol class registered by this malicious file, so the registryfix removes that protocol again in the registry as this is not a default protocol set in Windows anyway.

You can't break anything with it since the related file is gone - so it's just an orphaned protocol\filter entry in the registry.

[Cherie]

Mieke, you have been very helpful. Thank you!

[miekiemoes]

Glad I could help

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.