Malwarebytes

LanmanWorkStation


12 replies to this topic

#1
Buffalo

    New Member

  • Members
  • 20 posts
This is what I keep receiving during a Quick scan (during the heuristic scan) and also during a full scan.
I am running Win2000Pro with the latest Service Pack on a dual boot Win98SE-Win2000Pro.
I have an AMD Athlon 2100XP Palomino cpu, Radeon 8500LE vid card and 1GB Ram on an ECS K7S5a mb.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ImagePath (Hijack.LanmanWorkstation) -> Bad: (%SystemRoot%\System32\services.exe) Good: (%SystemRoot%\system32\services.exe) -> No action taken. [51384945343638304174756668761545667978667956808376848566857480791301414438586445483634456446343641424738615258525338466136868383707985368079858380775270856152708387746870846145667978667956808376848566857480799342786672704966857329311184876873808485157089701113014144385864454836344564463436414247386152585253384661368683837079853680798583807752708561527083877468708461847068778072807993427866727049668573]

I now have it in the Ignore Section.
I used SAS and it does not tag that key.
Thanks for any help.
Buffalo

#2
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
For some reason MBAM is seeing the service path for that service as wrong (it is a common malware hijack), but in this case, as you can see, the two values are the same, so there is a bug of some kind.

I will have our lead coder look into this.

EDIT:

After a second look, this seems to be a leftover from a past infection, but for some reason MBAM is not setting it correctly back to the standard service path. I will have to look into how this could happen.

EDIT:

After further research I have found the actual problem (I think). It seems that your system was badly infected at some point in the past, and the key MBAM is looking to for the correct registry data is also corrupted, thus the same image path; both services were infected. Looks like I need a better backup key to get this data from.

EDIT:

%SystemRoot%\System32\svchost.exe -k netsvcs

This is the standard path for this service. I will make you a patch to correct this and see about getting it corrected in MBAM as well.
Bruce Harrison
Vice President of Research

#3
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
EDIT :

Ok, I have a better backup location and testing confirms that it should work:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ImagePath (Hijack.LanmanWorkstation) -> Bad: (C:\WINDOWS\system32\drivers\services.exe) Good: (%SystemRoot%\system32\svchost.exe -k netsvcs)

Bad is set incorrectly (same malware that was in your system); Good is the correct image path taken from a new backup.

#4
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
Update is up; please update MBAM, run a scan and post the results.

If you see:

Bad: (C:\WINDOWS\system32\drivers\services.exe) Good: (%SystemRoot%\system32\svchost.exe -k netsvcs)

for any services, these are not FPs; they are hijacked services that SAS fails to correct.

#5
97jhawk

    New Member

  • Members
  • 3 posts

 nosirrah, on Sep 21 2008, 04:59 PM, said:

EDIT :

Ok, I have a better backup location and testing confirms that it should work:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ImagePath (Hijack.LanmanWorkstation) -> Bad: (C:\WINDOWS\system32\drivers\services.exe) Good: (%SystemRoot%\system32\svchost.exe -k netsvcs)

Bad is set incorrectly (same malware that was in your system); Good is the correct image path taken from a new backup.


I had the same results as Buffalo after scanning my PC with MBAM and then re-ran it after updating it as you suggested. I got the results you listed:

Bad: (C:\WINDOWS\system32\drivers\services.exe) Good: (%SystemRoot%\system32\svchost.exe -k netsvcs)

After that, I "Removed Selected," the computer shut down and rebooted, and then I got a Blue Screen when it rebooted, even when I tried "Safe Mode." Therefore, I then tried "Last Known Good Configuration" and was able to log on. The error I got on the Blue Screen was:

STOP: c000021a (fatal system error)

Windows logon terminated with status of

0xc0000005 (0x00000000 0x00000000)

I am running Windows 2000 SP4 same as Buffalo.

Thanks.

#6
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
I have made all of these checks skip Windows 2K for now.

We will try and find a better way to do this for each individual system.

The update is already up.
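A worked version of the check discussed in the posts above, added here as an example (my code, not Malwarebytes' engine or definitions). It parses the "Registry Data Items Infected" lines quoted in this thread, compares the Bad and Good values only after expanding %SystemRoot% and folding case (the first post's pair differs only in the case of "System32", which is why a byte-for-byte compare flags it), and then checks both values against an expected ImagePath for the OS being scanned rather than one value for every Windows version. The Windows XP baseline is the svchost path nosirrah posted. The Windows 2000 baseline, the sample log lines and reading "Bad" as the value found on disk are my assumptions, labelled in the code; the Windows 2000 entry is simply the value from the first post's own log, chosen because the STOP c000021a reported after it was replaced is consistent with that value being correct on that OS.

```python
"""Normalised ImagePath check with a per-OS baseline.

Added example, not Malwarebytes code. Parses the "Registry Data Items"
lines MBAM writes (format taken from this thread) and decides (a) whether
the Bad/Good pair differs at all once normalised and (b) whether the Good
value is the right one for the OS being scanned.
"""
import re

# Expected ImagePath for the Workstation service, per OS.
# Windows XP: the value nosirrah posted in this thread.
# Windows 2000: ASSUMPTION, not stated on the page. It is the value from the
# first post's own log; the STOP c000021a reported after MBAM replaced it
# with the svchost path is consistent with this being correct on that OS.
BASELINES = {
    "Windows XP": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "Windows 2000": r"%SystemRoot%\System32\services.exe",  # assumption
}

# One MBAM registry-data line, e.g.
#   HKEY_LOCAL_MACHINE\...\LanmanWorkstation\ImagePath (Hijack.LanmanWorkstation)
#   -> Bad: (X) Good: (Y) -> No action taken.
LOG_RE = re.compile(
    r"^(?P<key>HKEY_[^ ]+)\\(?P<value>[^\\ ]+) \((?P<name>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)

# Constructed from the two log lines quoted in this thread.
SAMPLE_LOG = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ImagePath "
    r"(Hijack.LanmanWorkstation) -> Bad: (%SystemRoot%\System32\services.exe) "
    r"Good: (%SystemRoot%\system32\services.exe) -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ImagePath "
    r"(Hijack.LanmanWorkstation) -> Bad: (C:\WINDOWS\system32\drivers\services.exe) "
    r"Good: (%SystemRoot%\system32\svchost.exe -k netsvcs)",
]


def parse_mbam_line(line: str) -> dict:
    """Split one 'Registry Data Items Infected' line into its fields."""
    m = LOG_RE.match(line.strip().strip('"'))
    if not m:
        raise ValueError(f"not an MBAM registry data line: {line!r}")
    return m.groupdict()


def normalise_image_path(path: str, system_root: str = r"C:\WINDOWS") -> str:
    """Canonical form for comparing ImagePath values.

    ImagePath is REG_EXPAND_SZ and NTFS paths are case-insensitive, so
    %SystemRoot% is expanded, case is folded and whitespace collapsed
    before comparing. Without this the first post's pair (System32 vs
    system32) compares unequal and is reported as a hijack.
    """
    p = path.strip().strip('"').lower()
    p = p.replace("%systemroot%", system_root.lower())
    return re.sub(r"\s+", " ", p)


def is_false_positive(entry: dict) -> bool:
    """True when Bad and Good are the same path once normalised."""
    return normalise_image_path(entry["bad"]) == normalise_image_path(entry["good"])


def assess(entry: dict, os_name: str) -> dict:
    """Judge a logged entry against the baseline for the OS being scanned.

    hijacked:    the value found (Bad) is not this OS's expected path.
    fix_is_safe: the value MBAM would write (Good) is this OS's expected
                 path; False means applying the fix breaks the service.
    """
    expected = normalise_image_path(BASELINES[os_name])
    return {
        "hijacked": normalise_image_path(entry["bad"]) != expected,
        "fix_is_safe": normalise_image_path(entry["good"]) == expected,
    }


def scan_report(lines, os_name: str) -> list:
    """Parse and assess every registry-data line for one OS."""
    out = []
    for line in lines:
        e = parse_mbam_line(line)
        e.update(assess(e, os_name), false_positive=is_false_positive(e))
        out.append(e)
    return out


if __name__ == "__main__":
    for os_name in BASELINES:
        print(f"== {os_name}")
        for e in scan_report(SAMPLE_LOG, os_name):
            print(f"  bad={e['bad']!r}\n  good={e['good']!r}")
            print(f"  hijacked={e['hijacked']} fix_is_safe={e['fix_is_safe']} "
                  f"false_positive={e['false_positive']}")
```

On a live Windows host the current value comes from winreg.QueryValueEx(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation"), "ImagePath"); it is REG_EXPAND_SZ, which is why the compare expands %SystemRoot% first. The per-OS table is the point the thread ends on: with a single Good value for every Windows version, the second sample line is a correct fix on XP but, if the Windows 2000 assumption holds, rewrites a correct Windows 2000 entry, which is the outcome reported after "Remove Selected" above.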

#7
97jhawk

    New Member

  • Members
  • 3 posts

 nosirrah, on Sep 21 2008, 08:43 PM, said:

I have made all of these checks skip Windows 2K for now.

We will try and find a better way to do this for each individual system.

The update is already up.


So, when you say "skip windows 2K for now" do you mean that the latest update doesn't apply towards Windows 2K regarding the Hijack.Lanmanworkstation?

Thanks.

#8
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
There is a built-in function I can use to exclude certain OSs from a def; I have used it on this group until we get this sorted.

For now MBAM will still remove this malware on 2K; it just won't unhijack the services yet.

#9
97jhawk

    New Member

  • Members
  • 3 posts

 nosirrah, on Sep 21 2008, 10:23 PM, said:

There is a built-in function I can use to exclude certain OSs from a def; I have used it on this group until we get this sorted.

For now MBAM will still remove this malware on 2K; it just won't unhijack the services yet.


Oh, I understand. If any new developments should arise, please post.

Thanks.

#10
Buffalo

    New Member

  • Members
  • 20 posts

 nosirrah, on Sep 21 2008, 05:24 PM, said:

Update is up; please update MBAM, run a scan and post the results.

If you see:

Bad: (C:\WINDOWS\system32\drivers\services.exe) Good: (%SystemRoot%\system32\svchost.exe -k netsvcs)

for any services, these are not FPs; they are hijacked services that SAS fails to correct.


I just did a quick scan with v1191 and fp48897 and it did not pick up anything. I did take that key out of ignore before I ran the scan.
Thanks

#11
Buffalo

    New Member

  • Members
  • 20 posts

 Buffalo, on Sep 22 2008, 04:18 PM, said:

I just did a quick scan with v1191 and fp48897 and it did not pick up anything. I did take that key out of ignore before I ran the scan.
Thanks

I forgot to mention that I also run SpyWareBlaster, in case that could be important.
I know that Anti-Malware also picks up :

Registry Data Items Infected:
"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken."

which, I believe, is because I used SpyWareBlaster (Tools tab) to disable the Home Page Settings area in the Internet Tools Control Panel.

I run SAS at Real-time protection also.

#12
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA

 Buffalo, on Sep 23 2008, 12:14 PM, said:

I forgot to mention that I also run SpyWareBlaster, in case that could be important.
I know that Anti-Malware also picks up :

Registry Data Items Infected:
"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken."

which, I believe, is because I used SpyWareBlaster (Tools tab) to disable the Home Page Settings area in the Internet Tools Control Panel.

I run SAS at Real-time protection also.


There is malware that changes your home page and then locks it; this fix will undo that.

We have no way to tell if the user has locked their home page intentionally, so if you have, use the ignore function.

#13
Buffalo

    New Member

  • Members
  • 20 posts

 nosirrah, on Sep 23 2008, 07:17 PM, said:

There is malware that changes your home page and then locks it; this fix will undo that.

We have no way to tell if the user has locked their home page intentionally, so if you have, use the ignore function.

Yes, I completely understand and agree.
I just wanted to let you know I was using that program and that function in case it had anything to do with the lanmanworkstation problem.

Thanks for your great program and the quick responses.
Buffalo
