Hello, is this a false positive or a real infection?
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Datenbank Version: v2012.07.17.10
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
XXXXXX :: XXXXXXXXXXXX [Administrator]
Schutz: Aktiviert
17.07.2012 19:11:22
mbam-log-2012-07-17 (19-11-22).txt
Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 260624
Laufzeit: 39 Minute(n), 14 Sekunde(n)
Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateien: 2
D:\WINDOWS.0\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.
D:\WINDOWS.0\ERDNT\cache\explorer.exe (Trojan.Bootkit.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.
(Ende)
MAM
#1
Posted 17 July 2012 - 01:06 PM
Windows XP home, SP3, all updates after SP3, Fire Fox 3.6.3, Internet Explorer 8.0.6001.18702, 2.4 Ghz slow computer, with 1 GB RAM, two hard drive.
#2
Posted 17 July 2012 - 01:19 PM
I got the same thing on my laptop today
#3
Posted 17 July 2012 - 01:28 PM
Ok, we must wait for the experts here
MAM
Windows XP home, SP3, all updates after SP3, Fire Fox 3.6.3, Internet Explorer 8.0.6001.18702, 2.4 Ghz slow computer, with 1 GB RAM, two hard drive.
#4
Posted 17 July 2012 - 01:28 PM
Okay this is strange, so more people have this trojan as of today?
But indeed I got the same trojan in the same directory as you have -> D:\WINDOWS.0\ServicePackFiles\i386\explorer.exe
Please can someone clarify this trojan if it's dangerous or just a false positive so we can restore it.
#5
Posted 17 July 2012 - 01:49 PM
Here are my results from virustotal.com:
https://www.virustot...sis/1342550603/
https://www.virustot...sis/1342550718/
That must mean nothing, or?
MAM
Windows XP home, SP3, all updates after SP3, Fire Fox 3.6.3, Internet Explorer 8.0.6001.18702, 2.4 Ghz slow computer, with 1 GB RAM, two hard drive.
#6
Posted 17 July 2012 - 02:05 PM
I already deleted mine so I cannot post the file or the developer logs, but here is the scan that detected it and the next one after I removed it and restarted my computer.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.17.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
XXXXXX :: XXXXXXXXXXXXX [administrator]
7/17/2012 11:41:13 AM
mbam-log-2012-07-17 (11-41-13).txt
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 281614
Time elapsed: 1 hour(s), 24 minute(s), 47 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\ERDNT\cache\explorer.exe (Trojan.Bootkit.Dropper) -> Quarantined and deleted successfully.
(end)
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.17.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
XXXXXXXXXXXXXXXXXXX [administrator]
7/17/2012 1:23:24 PM
mbam-log-2012-07-17 (13-23-24).txt
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 281671
Time elapsed: 1 hour(s), 32 minute(s), 44 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
#7
Posted 17 July 2012 - 02:17 PM
I deleted mine also (in quarantine now), but here is my log also from this trojan;
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Databaseversie: v2012.07.17.10
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
XXXX :: XXXXXXX [administrator]
17-7-2012 18:56:58
mbam-log-2012-07-17 (18-56-58).txt
Scantype: Volledige scan (C:\|F:\|)
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
Uitgeschakelde scanopties: P2P
Objecten gescand: 217304
Verstreken tijd: 29 minuut/minuten, 30 seconde(n)
Geheugenprocessen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registersleutels gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registerwaarden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registerdata gedetecteerd: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.
Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Bestanden gedetecteerd: 1
C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Succesvol in quarantaine geplaatst en verwijderd.
(einde)
#8
Posted 17 July 2012 - 02:22 PM
I am looking at this now but I may need a copy of this file. If anyone can please zip and attach a copy to your next post.
#9
Posted 17 July 2012 - 02:28 PM
@nosirrah
Thx for your help, but how do I attach the file if it's in quarantine? Do I have to undo/restore the file from quarantine and then zip the file?
#10
Posted 17 July 2012 - 02:30 PM
This should be fixed.
#11
Posted 17 July 2012 - 02:30 PM
Quote
Do I have to undo/restore the file from quarantine
Yes
#12
Posted 17 July 2012 - 02:34 PM
#13
Posted 17 July 2012 - 02:36 PM
Is this fixed now, or do you need a sample for fixing?
MAM
Windows XP home, SP3, all updates after SP3, Fire Fox 3.6.3, Internet Explorer 8.0.6001.18702, 2.4 Ghz slow computer, with 1 GB RAM, two hard drive.
#14
Posted 17 July 2012 - 02:41 PM
#15
Posted 17 July 2012 - 02:49 PM
Ok, thanks to the developer team around Malwarebytes' Anti-Malware for solving this issue.
Thank you for the quick and smart response !
MAM
Windows XP home, SP3, all updates after SP3, Fire Fox 3.6.3, Internet Explorer 8.0.6001.18702, 2.4 Ghz slow computer, with 1 GB RAM, two hard drive.
#16
Posted 17 July 2012 - 03:43 PM
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Tietokantaversio: v2012.07.17.09
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Joo :: KOTI-EFCB838AB7 [järjestelmänvalvoja]
17.7.2012 19:01:16
mbam-log-2012-07-17 (19-01-16).txt
Tarkistustyyppi: Täysi tarkistus (C:\|)
Tarkistussuodattimia valittu: Muisti | Käynnistys | Rekisteri | Tietojärjestelmä | Heuristinen/Ylimäärinen | Heuristinen/Shuriken | Mahdollisesti haitallinen ohjelma | Mahdollisesti haitallinen muutos
Käytöstä poistetut tarkistusvalinnat: Vertaisverkko (Peer-to-Peer)
Tarkistettuja kohteita: 262120
Kulunut aika: 1 tunti(a), 20 minuutti(a), 57 sekunti(a)
Epäilyttäviä muistiprosesseja: 0
(Ei haitallisia kohteita)
Epäilyttäviä muistimoduuleja: 0
(Ei haitallisia kohteita)
Epäilyttäviä rekisteriavaimia: 13
HKCR\CLSID\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCR\CLSID\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
Epäilyttäviä rekisteriarvoja: 0
(Ei haitallisia kohteita)
Epäilyttäviä rekisterikohteita: 0
(Ei haitallisia kohteita)
Epäilyttäviä kansioita: 2
C:\Documents and Settings\All Users\Application Data\TheBflix (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\data (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
Epäilyttäviä tiedostoja: 10
C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\background.html (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\ajhcekcffkpnaednoeoegnmnjdlnjjmg.crx (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\bhoclass.dll (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\content.js (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\hjakmojkcnhgipgkkbiempkfdndcnlah.crx (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\settings.ini (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\uninstall.exe (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\data\content.js (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\data\jsondb.js (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
(loppu)
I got this log after the update and I need to know one thing. Is that explorer.exe infection false or is it really badly infected?
#17
Posted 17 July 2012 - 03:50 PM
@jarrex
False. Just update mbam and scan again.
#18
Posted 17 July 2012 - 04:09 PM
#19
Posted 17 July 2012 - 04:34 PM
I would assume it would be safe to do so now
#20
Posted 17 July 2012 - 04:40 PM
Yes it is safe to restore.