
I'm trying to figure out whether I'm dealing with a rootkit or something else. We've got a terminal server that everyone uses (20+ users) for administrative purposes on the network. Every time we run a Flash or Quick scan with MBAM (PRO), it detects 148 items in each user's roaming profile directory. If we choose to have MBAM remove the suspect items, they will just show up again on another scan. Rebooting the server after a scan / removal yields no different results. Here are some other characteristics that we know so far. I've also attached a partial mbam log (I only included the objects that are found in one user's profile, since the same exact objects are found in everyone else's profile).

-We're running McCrapfee (McAfee) on the system and it finds nothing (go figure)

-We are unable to see the files that MBAM is detecting on the file system (Folder options are set to 'show hidden files'). We've even gone as far as to zip up a suspect directory, move that zip file to a unix file system, unzip it, and still are not able to see the files. Perplexing!

-Every time we create a new user on the domain, the same exact malware objects show up in an MBAM scan in the new user's roaming profile directory

-In the log file below, 192.168.1.137 is the server on which all of the users' profiles are physically located

Any guidance will be greatly appreciated!

enstro

--------------------------------------------

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5322

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/30/2010 2:56:07 PM
mbam-log-2010-12-30 (14-55-56).txt

Scan type: Quick scan
Objects scanned: 135531
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 141

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
\\192.168.1.137\userdocs\userx\favorites\


  • Staff

Hi,

This is indeed related to the fact that this is scanned on/from a network. Malwarebytes can't access these drives, thus it causes misreads in Malwarebytes.

We already fixed this with the latest version 1.50.1.1100, so please update your Malwarebytes to the latest program version and let me know if you're still getting these detections.

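A small triage script for the situation described in the original post and the staff reply, added here as an example (it is not code from the thread or from Malwarebytes): it parses the "Folders Infected:" / "Files Infected:" sections of an mbam-log in the layout shown above and separates detections on UNC (network) paths from local ones by whether the reported path actually exists on disk. Reported network paths that cannot be found are the candidates for the scanner misread the reply describes. The per-file line layout `path (Threat.Name) -> action` and all sample paths are assumed/constructed, and the `exists` callable is injectable so the check can be run against a live file system or a stub.

```python
import os
import re
from typing import Callable, Dict, List

# Constructed sample in the shape of the mbam-log posted above (paths are made up).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.50
Scan type: Quick scan

Folders Infected:
\\\\192.168.1.137\\userdocs\\userx\\favorites\\

Files Infected:
\\\\192.168.1.137\\userdocs\\userx\\favorites\\example.url (Rogue.Link) -> No action taken.
C:\\Windows\\Temp\\example.tmp (Trojan.Agent) -> No action taken.
"""

SECTIONS = ("Folders Infected:", "Files Infected:")
UNC = re.compile(r"^\\\\[^\\]+\\")  # \\host\share... style path


def parse_detections(log_text: str) -> List[str]:
    """Return the paths listed under the folder/file detection sections of an MBAM log."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            in_section = True
            continue
        if not line or line.endswith(":"):
            in_section = False  # a blank line or another section header ends the section
            continue
        if in_section and line != "(No malicious items detected)":
            # assumed file-line layout: "<path> (Threat.Name) -> <action>"; rsplit keeps
            # parentheses inside the path itself (e.g. "Program Files (x86)") intact
            paths.append(line.rsplit(" (", 1)[0])
    return paths


def triage(log_text: str, exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Bucket detections by location (network vs local) and by whether the path exists."""
    result: Dict[str, List[str]] = {
        "network_missing": [], "network_present": [], "local_missing": [], "local_present": []}
    for p in parse_detections(log_text):
        kind = "network" if UNC.match(p) else "local"
        state = "present" if exists(p) else "missing"
        result[f"{kind}_{state}"].append(p)
    return result
```

Run `triage(open("mbam-log.txt").read())` against a real log; a large "network_missing" bucket with an empty "local_missing" bucket matches the pattern in this thread, where nothing is actually on disk at the reported paths.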