Worm.P2P (Bot.exe) gets redetected again in the IXP000.TMP Folder during every Full Scan By MBAM even after system reboot.


pm2397

I use an HP Pavilion DV6516TX Notebook with standard configuration. The OS is Windows Vista Home Premium with Service Pack installed. I am using fully updated Microsoft Security Essentials as the Anti-Virus and Anti-Malware engine thereon. I almost always use Mozilla Firefox (latest version) as my Internet browser and only rarely use IE8.

I am facing the subject issue with details mentioned below:

MBAM full scan (with fully updated latest definitions) of the C: (OS installed) drive with Default Scanner Settings in normal boot (Administrator) mode detects Worm P2P (Bot.exe) in the C:\Users\Prashant Mujumdar\AppData\Local\Temp\IXP000.tmp folder. MBAM detects the Worm.P2P 'always' at the fag end of the scan while MBAM is 'scanning additional objects'. On deleting it by selecting the Worm.P2P and pressing 'Remove selected', the MBAM Full Scan log is displayed and saved and a message comes up to the effect that some objects could not be deleted. Next a window comes up directing to reboot the system. I respond 'Yes' to that. After rebooting in normal boot mode and another full MBAM scan (again with fully updated latest definitions) again redetects the same Worm.P2P (Bot.exe) in the same location while MBAM is 'scanning additional objects' at the fag end of the MBAM full scan. This happens on every reboot and every MBAM Full rescan with Default Scanner Settings.

When the above malware was first detected on my system by MBAM, I immediately uninstalled the only P2P client on my system, uTorrent, and uninstalled almost all the applications downloaded through it, together with deleting the setup files of those applications and the related torrent files from my system.

Some intriguing points that I have of late noticed in reference to the MBAM full scan on my system:

1. When I do it in normal boot mode, the bot.exe in the above IXP000.TMP folder is always detected at the fag end of the MBAM scan while MBAM is 'scanning additional items on your system' as mentioned in the MBAM window, but no malware at all is detected while MBAM is scanning all the various folder paths of the system (as displayed during the scan), or while scanning Memory objects, or even while scanning Registry objects.

2. The funny thing is that there is no IXP000.TMP folder in the so referred detected location on my system or for that matter in any other location on my system. The only similar folder in that detected path is IXP499.TMP but that is completely empty.

3. When I do the full MBAM scan in 'safe mode' using 'exactly the same settings in MBAM' as used for the normal boot mode scan, surprisingly, the full scan completes without MBAM detecting absolutely any malware whatsoever anywhere on my system, including that bot.exe in the same folder path (IXP000.TMP) in which it was detected during the normal boot mode scan.

4. When I could not find any IXP000.TMP folder anywhere on my system, I used the find option in regedit.exe (opened in elevated mode) to check for 'IXP000.TMP'. Therein I could find references to IXP000.TMP in the MBAM detected folder path in the right pane in at least two different subkeys. But of course there is no reference there to bot.exe.

I request your help to resolve the issue and permanently remove the above Worm P2P from my system.

I have completely followed the steps in sequence provided in the 'I'm infected - what do I do' guide and have not faced any issues.

Accordingly, please find below the outputs in sequence.

1. MBAM Latest Full Scan Log: Copied and pasted below

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5088

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18975

11/11/2010 01:56:15

mbam-log-2010-11-11 (01-56-15).txt

Scan type: Full scan (C:\|)

Objects scanned: 426145

Time elapsed: 5 hour(s), 10 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Prashant Mujumdar\AppData\Local\Temp\IXP000.TMP\bot.exe (Worm.P2P) -> Delete on reboot.

---------------------------------------------------------------------------------------------------------------------------------------

2. DDS.txt: Copied and pasted below.

DDS (Ver_10-11-10.01) - NTFSx86

Run by Prashant Mujumdar at 13:21:18.81 on Sat 11/13/2010

Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22

Microsoft

Attach.zip

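As an added example (not code from the post or from Malwarebytes), a small parser for the MBAM 1.46 log layout quoted above, plus a comparison of two scan logs that flags an item reported again at the same path after a reboot, which is exactly the symptom described. The sample log, the placeholder user folder and the second scan's timestamp are constructed for the example.

```python
import re

# Constructed sample in the Malwarebytes 1.46 log layout quoted in the post above;
# the user folder is a placeholder and only two of the seven result sections are kept.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 5088
Windows 6.0.6002 Service Pack 2
11/11/2010 01:56:15
Scan type: Full scan (C:\|)
Objects scanned: 426145
Registry Keys Infected: 0
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Users\<user>\AppData\Local\Temp\IXP000.TMP\bot.exe (Worm.P2P) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # "Files Infected:"
COUNT_RE = re.compile(r"^([A-Za-z ]+): (.+)$")              # "Files Infected: 1", "Scan type: ..."
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")   # "<path> (<name>) -> <action>."


def parse_mbam_log(text):
    """Split an MBAM 1.46 text log into header fields, summary counts and detected items."""
    header, counts, items, section = {}, {}, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("(No malicious"):
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)                      # entering a result section
        elif section and (m := ITEM_RE.match(line)):
            path, name, action = m.groups()
            items.append({"section": section, "path": path, "name": name, "action": action})
        elif m := COUNT_RE.match(line):
            key, value = m.groups()                   # summary counts vs. scan header fields
            (counts if key.endswith("Infected") else header)[key] = int(value) if value.isdigit() else value
    return {"header": header, "counts": counts, "items": items}


def redetections(earlier, later):
    """Items the later scan reports again at the same path with the same detection name,
    i.e. a 'Delete on reboot' entry that is still there after the reboot."""
    seen = {(i["path"].lower(), i["name"]) for i in earlier["items"]}
    return [i for i in later["items"] if (i["path"].lower(), i["name"]) in seen]


if __name__ == "__main__":
    first = parse_mbam_log(SAMPLE_LOG)
    second = parse_mbam_log(SAMPLE_LOG.replace("11/11/2010 01:56:15", "11/13/2010 09:00:00"))
    for item in redetections(first, second):
        print(f"still reported after reboot: {item['path']} ({item['name']}) -> {item['action']}")
```

A path that MBAM reports under a folder which does not exist on disk (as in the post) is worth comparing against what the scanner's 'additional objects' phase actually examined, since a stale registry reference can be reported under a path with no file behind it.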

Hi!

You have the same thread in another forum:

http://www.bleepingcomputer.com/forums/topic360369.html

Choose between them and us.

FAO: Maniac

Sir, with respect I beg to state that posting the issues in this thread, and also the same issues in the thread with the same title on Bleeping Computer, was an action taken by me reluctantly 'in the last three or four days', after I found that Jacee was not responding for a long time to my thread at http://www.vistax64.com/general-discussion...-safe-mode.html, in which these issues were originally posted by me in the Vistax64 forum under the General Discussion subforum there.

Please refer to posts #12 through #18 on page 2 of that thread, skip the later posts up to #25 on page 3 of that thread and continue onwards from post #26 through post #36 on page 4 of that thread. On reading these even cursorily you will come to know how I have been thinking about the non-response and why I acted accordingly.

I found out from a senior problem solver on that forum that Jacee has responsibilities on 30+ forums. So, the way i thought was that she might be more active on Malwarebytes' forum and Bleeping Computer forum and therefore if i post my issues in threads on these two forums maybe she will reply to me on them faster as she may be more active on them as compared to on Vistax64 forum.

But now Jacee is again replying quite fast to the issues on the above-cited thread in Vistax64, as you can see from post #37 onwards there, so it will be better for me to close this thread on Malwarebytes' forum.

Therefore, this thread here can be closed, as the link to the thread on Vistax64 has now been provided by me. Thanks, but I still request that you retain me as a member. Thanks again in anticipation.

pm2397


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
