Here's the log file in developer mode as requested. The 3 listings for the security center are ok; I have my security center disabled. The 7 files in the config folder I believe are FP.
Malwarebytes' Anti-Malware 1.35
Database version: 1931
Windows 5.1.2600 Service Pack 2
4/2/2009 9:24:49 AM
mbam-log-2009-04-02 (09-24-28).txt
Scan type: Quick Scan
Objects scanned: 70875
Time elapsed: 8 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830414438586445483634456446343641424738615248395356345138614674688380848071856152706886837485900136707985708393347985745574838684377484666777704780857471903018130117]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [51384945343638304144385864454836344564463436414247386152483953563451386146746883808480718561527068868374859001367079857083933974837088667777377484666777704780857471903018130117]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830414438586445483634456446343641424738615248395356345138614674688380848071856152706886837485900136707985708393548169668570843774846667777047808574719030181301​17]
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]
C:\WINDOWS\SYSTEM32\CONFIG\Cisco An.evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]
C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]
C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]
C:\WINDOWS\SYSTEM32\CONFIG\VPN.evt (Rootkit.Agent.H) -> No action taken. [52686679398083388785518080857674850910013986796885748079]
#1
Posted 02 April 2009 - 08:34 AM
#2
Posted 02 April 2009 - 09:15 AM
Sorry, just to add, I uploaded about 4 of these .evt files to jotti and all vendors found nothing. Thanks again.
#3
Posted 02 April 2009 - 11:50 AM
I need 2 things. I need a zipped copy of any of those files and I need to know if you are on a limited account.
I know how this heuristic works and under normal circumstances it can't hit those files no matter what, so there is more going on here.
#4
Posted 02 April 2009 - 09:58 PM
nosirrah,
Thanks for your input. I did do the quick scan from my limited user account. I didn't realize Malwarebytes is recommended to run only from an administrator account. Consequently, I logged into my admin account and scanned the system32/config folder. No malicious items were reported on this scan. So, I'm hoping that all is well.
Thanks again.