Jump to content

Recommended Posts

First, I have to say MBAM is the GREATEST!

I recently had an infection (several at once)

ComboFix and SDFix removed the first 4 files, with no re-infections:

C:\Windows\System32\sockins32.dll

C:\Windows\System32\sft.res

C:\Windows\System32\sockots64.dll

C:\Windows\System32\adsn.dll

But these files were only partly handled by each of those tools, so these files re-infected after reboot:

C:\Documents and Settings\(USER)\ftp34.dll

C:\Windows\System32\ftp34.dll

C:\Documents and Settings\(USER)\svchost.exe

C:\Windows\System32\drivers\services.exe

C:\Documents and Settings\(USER)\Start Menu\Programs\Startup\userinit.exe

C:\userinit.exe

Malwarebytes Anti-Malware to the rescue! It cleaned this all up and more, and no re-infections.

One VERY-MINOR point though ... the Registry entry:

O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')

was not cleaned by MBAM.

(I removed the registry entry with HJT-2.02)

The file:

C:\Documents and Settings\LocalService\svchost.exe

Was removed by one of the tools ... so the registry entry did not cause further problems.

I don't know which tool removed the file, it could have been MBAM ...

Anyways, thanks to Malwarebytes, I am glad to be able to use my PC again. :P

Kevin

Edited by JeanInMontana
Merge info
Link to post
Share on other sites

You should never use ComboFix or SDFix without the assistance of someone familiar with how they work. I suggest you start a topic in the HJT forum and follow the instructions at the top of that forum for Pre-HJT log posting. Someone should look at what is going on with your system.

Link to post
Share on other sites

You should never use ComboFix or SDFix without the assistance of someone familiar with how they work. I suggest you start a topic in the HJT forum and follow the instructions at the top of that forum for Pre-HJT log posting. Someone should look at what is going on with your system.

Hello Jean,

Thanks for your quick reply, and for your concern. I will post in the HJT forum as you recommend.

I just want to make sure that the original reason for my post doesn't get lost.

One VERY-MINOR point though ... the Registry entry:
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')

was not cleaned by MBAM.

(I removed the registry entry with HJT-2.02)

Edit: Sorry ... I just realized that should have been posted in the support forum ...

General Malwarebytes' Anti-Malware Forum

I'll repost this MBAM issue there.

Thanks again,

Kevin

Link to post
Share on other sites

First, I have to say MBAM is the GREATEST!

Some details are below, but the reason for my post is to let you know of a VERY-MINOR issue with MBAM during the cleanup of a recent infection ... the Registry entry:

O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')

was not cleaned by MBAM.

(I removed the registry entry with HJT-2.02)

I was using: Malwarebytes' Anti-Malware 1.17

Database version: 849 ... 8:56:15 AM 6/12/2008

-----------

I recently had an infection (several at once)

ComboFix and SDFix removed the first 4 files, with no re-infections:

C:\Windows\System32\sockins32.dll

C:\Windows\System32\sft.res

C:\Windows\System32\sockots64.dll

C:\Windows\System32\adsn.dll

But these files were only partly handled by each of those tools, so these files re-infected after reboot:

C:\Documents and Settings\(USER)\ftp34.dll

C:\Windows\System32\ftp34.dll

C:\Documents and Settings\(USER)\svchost.exe

C:\Windows\System32\drivers\services.exe

C:\Documents and Settings\(USER)\Start Menu\Programs\Startup\userinit.exe

C:\userinit.exe

Malwarebytes Anti-Malware to the rescue! It cleaned this all up, and no re-infections.

One VERY-MINOR point though ... the Registry entry:

O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')

was not cleaned by MBAM.

(I removed the registry entry with HJT-2.02)

The file:

C:\Documents and Settings\LocalService\svchost.exe

Was removed by one of the tools ... so the registry entry did not cause further problems.

I don't know which tool removed the file, it could have been MBAM ...

Anyways, thanks to Malwarebytes, I am glad to be able to use my PC again.

On the reecommendation of one of your Moderators, I will post in the HJT forum to make sure that anything that might remain is looked at.

Thanks

Kevin

Link to post
Share on other sites

If you still have a copy of C:\Documents and Settings\LocalService\svchost.exe then you can upload it to http://uploads.malwarebytes.org/

After I ran MBAM, I then ran HJT2.02 and found the registry entry:

O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')

But the file C:\Documents and Settings\LocalService\svchost.exe was already gone.

I looked through the logs and found that ComboFix had removed the file before I ran MBAM. When I ran MBAM, the file was gone but the registry entry was still there.

So the issue is only that MBAM did not flag/remove the registry entry that was pointing to a non-existant file. Perhaps this is by design.

I still have the file svchost.exe MD5: 0326a3e66838dc2b4b99fee588cef724, but it is likely that MBAM would have removed the file and the registry entry, if the file was present when I ran MBAM.

Link to post
Share on other sites

This si why I say you need to post in the HJT forum. You don't know if your clean or not. MBAM might miss things that haven't been added to the definitions yet, all programs will.

Exactly. It's best to head to our HijackThis forum and follow the instructions for posting your logs. That way Jean, or one of our other experts can help make sure that you are clean, and you can help improve Malwarebytes' Anti-Malware in the process.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.