
Suspicion confirmed?


Recommended Posts

I just had a poster at Bleeping who was running MBAM and re-finding the same malware files with normal-mode scans after rebooting, then ran MBAM in safe mode and then came up clean with a normal-mode scan?

RD had said it was a trade-off, but others have stressed that MBAM is not effective in safe mode.

I have always thought the combination of safe-mode and normal-mode scans to be more effective in a wider range of cases.

Hmmmmmmmmm.


  • Staff

MBAM is designed to be a fully regular-mode-only tool, and not letting it reboot a machine as it is designed to could cause problems.

Most newer malware can run in safe mode, so we opted not to bother with any safe-mode instructions; these no longer help much at all.

When MBAM says that it needs to reboot a machine to complete removal, it is not kidding.


Okay, did as instructed. Here's the log:

Malwarebytes' Anti-Malware 1.20

Database version: 962

Windows 5.1.2600 Service Pack 2

7:40:46 PM 7/17/2008

mbam-log-7-17-2008 (19-40-46).txt

Scan type: Quick Scan

Objects scanned: 54044

Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 11

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\cnhwtsfi.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49ca2940-b842-4298-bff3-cf9dd4df3a2c} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{49ca2940-b842-4298-bff3-cf9dd4df3a2c} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{2329332b-2bf4-4cdc-b86f-5ef78017fc1b} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2329332b-2bf4-4cdc-b86f-5ef78017fc1b} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{660640e6-950e-4f98-86c3-a2d8625e8127} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{660640e6-950e-4f98-86c3-a2d8625e8127} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{8facb54e-894c-4620-9445-61c4362e601c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8facb54e-894c-4620-9445-61c4362e601c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cc63d2d6 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\dp\Local Settings\Temp\cbXPfEwW.dll (Trojan.Vundo) -> Delete on reboot.

C:\Documents and Settings\dp\Local Settings\Temp\WwEfPXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\dp\Local Settings\Temp\WwEfPXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cnhwtsfi.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\ifstwhnc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\traauejd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\djeuaart.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\colbac.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\BMcf50e14a.xml (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\BMcf50e14a.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Also, I did a reboot when prompted before I posted these replies.

I've since run two more scans, and the problems are still there, even after reboot. I would post the latest log, but I can't go anywhere but Google due to being bogged down. If I can get back here, I'll post the latest.

At which point I asked him to run his AV (AVG) from safe mode.

Safe Mode AVG just finished its scan. It said that there were no infections found and no infections healed.

I just ran Malwarebytes and it's still finding infected files. I'm going to try running it in safe mode.

Okay, I believe Malwarebytes in Safe Mode fixed them. I re-ran the scan in Safe Mode and it didn't find anything, and re-ran the scan in Full Mode and it didn't find anything.

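The log posted earlier in this thread is the plain-text format MBAM 1.x writes, and the detail that matters for the "reboot or safe mode?" question is the action column: "Quarantined and deleted successfully" is done, while "Delete on reboot" means the file or key was in use (the same cnhwtsfi.dll appears both as an unloaded memory module and as a file deferred to reboot) and is only gone once the machine has actually restarted. The following triage helper is an added example, not Malwarebytes code: it parses that log format, checks the header counts against the lines actually listed, pulls out the items still waiting on a reboot, and pairs each Browser Helper Object registration with its HKCR\CLSID entry so an unpaired CLSID stands out. The sample log is a constructed excerpt of the one above, with the header counts reduced to match the excerpt and one CLSID entry deliberately left unpaired to exercise that check; the function and field names are this example's own.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example)."""
import re
from collections import Counter

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
# "<item> (<family>) -> <action>."; item is greedy so a path containing " (" survives.
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SUMMARY_RE = re.compile(r"^(?P<section>.+?): (?P<count>\d+)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)

# Constructed excerpt of the log posted in this thread; counts trimmed to fit the excerpt,
# and the 2329332b CLSID kept without its BHO twin on purpose.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.20
Database version: 962
Scan type: Quick Scan
Objects scanned: 54044
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cnhwtsfi.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49ca2940-b842-4298-bff3-cf9dd4df3a2c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{49ca2940-b842-4298-bff3-cf9dd4df3a2c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2329332b-2bf4-4cdc-b86f-5ef78017fc1b} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cc63d2d6 (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\dp\Local Settings\Temp\cbXPfEwW.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cnhwtsfi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ifstwhnc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return (header_counts, detections); each detection has section, item, family, action."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]              # start of a detail section
            continue
        m = SUMMARY_RE.match(line)
        if section is None and m and m["section"] in SECTIONS:
            counts[m["section"]] = int(m["count"])   # header summary line
            continue
        m = DETECTION_RE.match(line)
        if section is not None and m:
            detections.append({"section": section, **m.groupdict()})
    return counts, detections


def count_mismatches(counts, detections):
    """Header count vs. lines actually listed, per section; empty dict means consistent."""
    listed = Counter(d["section"] for d in detections)
    return {s: (counts.get(s, 0), listed[s]) for s in SECTIONS if counts.get(s, 0) != listed[s]}


def pending_reboot(detections):
    """Items MBAM could not remove while running; they exist until the machine restarts."""
    return [d["item"] for d in detections if d["action"].lower().startswith("delete on reboot")]


def bho_clsid_pairing(detections):
    """A BHO is registered under Explorer\\Browser Helper Objects and as a COM class under
    HKCR\\CLSID; report CLSIDs seen in only one of the two places."""
    bho, com = set(), set()
    for d in detections:
        m = CLSID_RE.search(d["item"])
        if not m:
            continue
        guid, path = m.group(0).lower(), d["item"].lower()
        if "\\browser helper objects\\" in path:
            bho.add(guid)
        elif "\\clsid\\" in path:
            com.add(guid)
    return {"paired": sorted(bho & com), "bho_only": sorted(bho - com), "clsid_only": sorted(com - bho)}


def triage(text):
    counts, detections = parse_mbam_log(text)
    return {
        "families": dict(Counter(d["family"] for d in detections)),
        "mismatches": count_mismatches(counts, detections),
        "pending_reboot": pending_reboot(detections),
        "bho": bho_clsid_pairing(detections),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against a second log taken after the reboot, an empty "pending_reboot" list together with no re-detections is the evidence that the deferred deletions actually happened; if the same DLL comes back as "Delete on reboot" scan after scan, something is re-creating it before MBAM can finish, which is exactly the re-infection pattern the first post asks about.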
