Recycled.scr Files Infected: 7 ... false positive

Each time I run Malwarebytes (with an updated database), 7 items specific to Recycled.scr always appear.

These files do not exist on the drive (verified by typing `attrib *.*` at a CMD prompt in the appropriate subdirectory).

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4877

Windows 6.1.7600

Internet Explorer 9.0.7930.16406

10/18/2010 10:06:44 PM

mbam-log-2010-10-18 (22-06-44).txt

Scan type: Quick scan

Objects scanned: 157854

Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files (x86)\Common Files\Microsoft shared\msinfo\Recycled.scr (Worm.AutoRun) -> No action taken.

C:\Program Files\Common Files\Microsoft shared\msinfo\Recycled.scr (Worm.AutoRun) -> No action taken.

C:\Program Files\_Recycled.scr (Worm.AutoRun) -> No action taken.

C:\Program Files (x86)\_Recycled.scr (Worm.AutoRun) -> No action taken.

C:\Program Files\RRecycled.scr (Worm.AutoRun) -> No action taken.

C:\Program Files (x86)\RRecycled.scr (Worm.AutoRun) -> No action taken.

C:\Recycled.scr (Worm.AutoRun) -> No action taken.

Attached is: mbam.exe /debug info.txt

mbam_info.txt


  • Staff

That would not be good enough to verify whether they are there or not. This is most likely a legitimate detection. These files are hidden from Windows (not attrib-hidden, but rootkit-hidden), and you would need something like GMER's file browser to verify whether they are there or not. Here is a McAfee write-up on this trojan. Did you try to remove these?

http://vil.nai.com/vil/content/v_128387.htm

Also, please reread this post. That is not a developer's log.

http://forums.malwarebytes.org/index.php?showtopic=3228


  • Staff

In GMER you would have to navigate to the file location indicated in the MBAM scan log. You can do this by expanding the tabs, going into the Files tab in GMER, and navigating to the files listed. I am almost positive these files are there according to the developer log. Thanks for that. Have you tried to remove them with Malwarebytes yet?

That McAfee listing is a fairly old version of this. This Spybot worm has been around a while, and I am sure it has changed from that listing. None of the files listed in the MBAM log are safe. They are all malware.

You seem familiar with DOS. If GMER doesn't show them, have you tried booting into the Recovery Console to see if they are there?


I booted into 'Safe Mode Command Prompt', searched for those files, and they are not there.

I checked with GMER in the Files tab; those files don't exist in the directories stated.

(See the zipped JPG of the GMER screen print.)

I've tried multiple times to have Malwarebytes remove them (it needs to reboot).

But Malwarebytes continues to identify that these 7 files exist.

More info: this is my company's laptop; the hard drive is encrypted with PGP.

gmer.zip

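As an added example (not code from the thread, from Malwarebytes or from GMER), a small Python script that pulls the paths out of the detailed "Files Infected:" section of an MBAM 1.x log and compares what the scanner reports against an independent listing of the same locations, flagging the kind of disagreement this thread is about. The log text and the `SAFE_MODE_LISTING` set are constructed here (paths copied from the thread); the parser assumes the 1.x log layout quoted above.

```python
import re
from typing import Callable, Dict, List

# Constructed sample in the layout MBAM 1.x writes to its scan log; the paths and
# classification are the ones quoted in the thread, but this is not a real log file.
SAMPLE_LOG = """Files Infected: 3
Folders Infected:
(No malicious items detected)

Files Infected:
C:\\Program Files (x86)\\Common Files\\Microsoft shared\\msinfo\\Recycled.scr (Worm.AutoRun) -> No action taken.
C:\\Program Files\\_Recycled.scr (Worm.AutoRun) -> No action taken.
C:\\Recycled.scr (Worm.AutoRun) -> No action taken.
"""

# Constructed stand-in for a second, independent view (e.g. a 'dir /a' export taken
# from the Safe Mode command prompt). Assumption: it saw none of the flagged files.
SAFE_MODE_LISTING = {"C:\\Program Files\\Common Files\\Microsoft shared\\msinfo\\msinfo32.exe"}

# "<drive>:\<path> (<threat name>) -> <action taken>"
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+)$")


def parse_files_infected(log_text: str) -> List[Dict[str, str]]:
    """Return the entries under the detailed 'Files Infected:' heading (the summary
    line 'Files Infected: 7' ends in a count, so it never switches the section on)."""
    entries: List[Dict[str, str]] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):
            in_section = line == "Files Infected:"   # any other heading ends the section
            continue
        if not in_section or not line or line.startswith("("):
            continue  # blank line or '(No malicious items detected)'
        match = ENTRY_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def cross_check(entries: List[Dict[str, str]],
                sources: Dict[str, Callable[[str], bool]]) -> Dict[str, Dict[str, bool]]:
    """Ask each independent source whether it can see every reported path."""
    return {e["path"]: {name: seen(e["path"]) for name, seen in sources.items()}
            for e in entries}


def disagreements(report: Dict[str, Dict[str, bool]]) -> List[str]:
    """Paths the sources do not agree on: one view says present, another says absent."""
    return [path for path, views in report.items() if len(set(views.values())) > 1]
```

On the affected machine a live view such as `os.path.exists` can be added to `sources` next to the log and the Safe Mode listing; a path that only the scanner can see is exactly the case the staff reply says needs a tool like GMER that looks at the disk independently of the running Windows API.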
