Suspicion confirmed?

[DaChew]

I just had a poster at Bleeping that was running MBAM and refinding the same malware files with normal mode scans after rebooting and then ran MBAM in safe mode and then came up clean with a normal mode scan?

RD had said it was a trade off, but others have stressed how MBAM is not effective in safe mode

I have always thought the combination of safe and normal mode scans to be more effective in a wider range of cases

Hmmmmmmmmm.

[nosirrah]

MBAM is designed to be a fully regular mode only tool and not letting it reboot a machine as it is designed could cause problems .

Most newer malware can run in safemode so we opted not to bother with any safemode instructions , these no longer help much at all .

When MBAM says that it needs to reboot a machine to complete removal , it is not kidding .

[DaChew]

Okay, did as instructed. Here's the log:

Malwarebytes' Anti-Malware 1.20

Database version: 962

Windows 5.1.2600 Service Pack 2

7:40:46 PM 7/17/2008

mbam-log-7-17-2008 (19-40-46).txt

Scan type: Quick Scan

Objects scanned: 54044

Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 11

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\cnhwtsfi.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49ca2940-b842-4298-bff3-cf9dd4df3a2c} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{49ca2940-b842-4298-bff3-cf9dd4df3a2c} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{2329332b-2bf4-4cdc-b86f-5ef78017fc1b} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2329332b-2bf4-4cdc-b86f-5ef78017fc1b} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{660640e6-950e-4f98-86c3-a2d8625e8127} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{660640e6-950e-4f98-86c3-a2d8625e8127} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{8facb54e-894c-4620-9445-61c4362e601c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8facb54e-894c-4620-9445-61c4362e601c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cc63d2d6 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\dp\Local Settings\Temp\cbXPfEwW.dll (Trojan.Vundo) -> Delete on reboot.

C:\Documents and Settings\dp\Local Settings\Temp\WwEfPXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\dp\Local Settings\Temp\WwEfPXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cnhwtsfi.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\ifstwhnc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\traauejd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\djeuaart.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\colbac.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\BMcf50e14a.xml (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\BMcf50e14a.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Also, I did a reboot when prompted before I posted these replies.

I've since run two more scans, and the problems are still there, even after reboot. I would post the latest log, but I can't go anywhere but Google due to being bogged down. If I can get back here, I'll post the latest.

at which point I asked to him to run his AV(AVG) from safe mode

Safe Mode AVG just finished its scan. It said that there were no infections found and no infections healed.

I just ran Malware bytes and its still finding infected files. I'm going to try running it in safe mode.

Okay, I believe Malwarebytes in Safe Mode fixed them. I re-ran the scan in Safe Mode and it didn't find anything, and re-ran the scan in Full Mode and it didn't find anything.