Something is wrong

This topic is locked
6 replies to this topic

#1 John.Doe

    Advanced Member

  • Malware Hunters
  • 174 posts
  • Gender:Male
  • Location:Germany

Posted 15 June 2012 - 01:13 PM

Hi,

I don't know what happened, but a lot of files Malwarebytes detected before are now clean?

This is a listing of the latest ransomware samples I collected:

SystemLook 30.07.11 by jpshortstuff
Log created at 20:12 on 15/06/2012 by Administrator
Administrator - Elevation successful

========== dir ==========

I:\gurken2 - Parameters: "(none)"

---Files---
08.06.2012.com --a---- 38912 bytes [10:30 13/06/2012] [22:35 07/06/2012]
1d2sdfsd911i1oipo3470.exe --a---- 119808 bytes [18:29 04/06/2012] [18:46 31/05/2012]
5e1851.exe --a---- 117993 bytes [21:36 01/06/2012] [09:20 30/05/2012]
7BC226CA9CE23423AC52.exe --ah--- 39936 bytes [21:01 11/06/2012] [11:31 07/06/2012]
ArchiverforWin.exe --a---- 233819 bytes [21:31 01/06/2012] [17:55 29/05/2012]
ArchiverforWin2.exe --ahs-- 207872 bytes [21:35 01/06/2012] [20:57 24/05/2012]
bauesch.exe --a---- 230400 bytes [18:29 04/06/2012] [13:06 19/05/2012]
Bestelldetails.exe --ah--- 90112 bytes [21:27 01/06/2012] [21:20 14/05/2012]
Bestellung Dnet24 GmbH.exe --ah--- 102400 bytes [10:41 13/06/2012] [06:11 12/06/2012]
Buchung.pif --a---- 52224 bytes [21:29 01/06/2012] [12:49 23/05/2012]
Buchungen nach Vertrag 13.06.2012 .com --a---- 65536 bytes [08:10 13/06/2012] [22:44 12/06/2012]
byig.exe --a---- 227328 bytes [10:42 13/06/2012] [22:52 18/02/2012]
Diablo_III.exe --a---- 245760 bytes [21:16 01/06/2012] [16:55 27/05/2012]
Einzelheiten Ihrer Bestellung.com --a---- 65536 bytes [10:59 07/06/2012] [18:29 06/06/2012]
explorer_new.exe --a---- 54784 bytes [11:56 03/06/2012] [01:43 02/06/2012]
explorer_new2.exe --a---- 61440 bytes [17:14 03/06/2012] [14:02 31/05/2012]
explorer_new3.exe --a---- 55296 bytes [16:44 06/06/2012] [09:22 01/06/2012]
hw56suzj11.exe --a---- 294912 bytes [18:29 04/06/2012] [09:30 19/03/2012]
IRSPROFILE.exe --a---- 48640 bytes [18:29 04/06/2012] [03:27 03/06/2012]
Mahnung 2012.pif --ah--- 69632 bytes [10:44 13/06/2012] [18:50 25/05/2012]
ms.exe --a---- 53248 bytes [15:53 11/06/2012] [01:43 10/06/2012]
ms2.exe --a---- 53248 bytes [15:49 15/06/2012] [08:15 13/06/2012]
Neuverlieben Mitgliedschaft.com --a---- 65536 bytes [16:38 06/06/2012] [19:56 05/06/2012]
Rechnung nach Vertrag.com --a---- 81920 bytes [20:18 05/06/2012] [12:21 05/06/2012]
Tabelle Abrechnung 11.06.2012 .com --a---- 51671 bytes [15:52 11/06/2012] [15:58 11/06/2012]
tpl_0_c.exe --a---- 54784 bytes [15:47 14/06/2012] [12:06 13/06/2012]
WinArchiver.exe --a---- 212992 bytes [18:29 04/06/2012] [01:21 01/06/2012]
WinrarArchiver.exe --a---- 286720 bytes [17:57 03/06/2012] [14:48 02/06/2012]
wochvehtmescfratgvlo.exe --a---- 53248 bytes [12:40 07/06/2012] [13:44 05/06/2012]
Zusatz Leistungen.scr --a---- 88064 bytes [10:30 13/06/2012] [21:47 04/06/2012]

---Folders---
None found.

-= EOF =-

Now only the latest ones I uploaded are recognized.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.15.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: RECHNER [Administrator]

15.06.2012 20:14:41
mbam-log-2012-06-15 (20-14-48).txt

Scan type: Custom scan
Scan options enabled: File system | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra
Objects scanned: 30
Time elapsed: 1 second(s)

Memory processes infected: 0
(No malicious items detected)

Memory modules infected: 0
(No malicious items detected)

Registry keys infected: 0
(No malicious items detected)

Registry values infected: 0
(No malicious items detected)

Registry data items infected: 0
(No malicious items detected)

Folders infected: 0
(No malicious items detected)

Files infected: 3
I:\Gurken2\byig.exe (Trojan.PWS) -> No action taken.
I:\Gurken2\tpl_0_c.exe (Trojan.Ransom) -> No action taken.
I:\Gurken2\Zusatz Leistungen.scr (Trojan.Matsnu) -> No action taken.

(end)

Shall I upload them again?

confused, andreas
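The two logs in the post above (a SystemLook directory listing of the sample folder and the "Files infected" section of the MBAM log) can be reconciled mechanically, which is the check a practitioner would run before suspecting a database problem: which samples in the folder were not flagged, and does an exclusion (ignore) list account for them? The script below is an added example written for this page, not code from the poster or from Malwarebytes. The log excerpts are constructed from the listing above (a subset, not a copy), and the plain-text ignore-list format is an assumption, since the real one is not shown on the page. Paths are compared case-insensitively, because the listing writes I:\gurken2 while MBAM writes I:\Gurken2 and NTFS treats them as the same folder.

```python
"""Reconcile a SystemLook "dir" listing against MBAM detections.

Added example (not code from the forum post or from Malwarebytes).
Assumptions: the listing and log formats as they appear in the post,
and a hypothetical ignore list given as plain paths, one per entry.
"""
import re
from typing import Dict, List

# Constructed excerpt of the SystemLook listing (subset of the post's folder).
SYSTEMLOOK_LOG = r"""
========== dir ==========

I:\gurken2 - Parameters: "(none)"

---Files---
Bestelldetails.exe --ah--- 90112 bytes [21:27 01/06/2012] [21:20 14/05/2012]
byig.exe --a---- 227328 bytes [10:42 13/06/2012] [22:52 18/02/2012]
Mahnung 2012.pif --ah--- 69632 bytes [10:44 13/06/2012] [18:50 25/05/2012]
ArchiverforWin2.exe --ahs-- 207872 bytes [21:35 01/06/2012] [20:57 24/05/2012]
tpl_0_c.exe --a---- 54784 bytes [15:47 14/06/2012] [12:06 13/06/2012]
Zusatz Leistungen.scr --a---- 88064 bytes [10:30 13/06/2012] [21:47 04/06/2012]

---Folders---
None found.

-= EOF =-
"""

# Constructed excerpt of the MBAM log's detection section.
MBAM_LOG = r"""
Files infected: 3
I:\Gurken2\byig.exe (Trojan.PWS) -> No action taken.
I:\Gurken2\tpl_0_c.exe (Trojan.Ransom) -> No action taken.
I:\Gurken2\Zusatz Leistungen.scr (Trojan.Matsnu) -> No action taken.

(end)
"""

# Hypothetical ignore (exclusion) list. The real MBAM format is not shown on
# the page; plain full paths are an assumption made for this example.
IGNORE_LIST = [r"I:\gurken2\Mahnung 2012.pif", r"I:\gurken2\ArchiverforWin2.exe"]

FOLDER_RE = re.compile(r"^(?P<folder>[A-Za-z]:\\.+?) - Parameters:")
# name, 7-char attribute field (e.g. --a----, --ah---, --ahs--), size, two timestamps
FILE_RE = re.compile(
    r"^(?P<name>.+?) (?P<attrs>-[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mod>[^\]]+)\] \[(?P<created>[^\]]+)\]$"
)
DETECT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> ")


def parse_systemlook(text: str) -> Dict[str, dict]:
    """Return {lowercased full path: info} for every file in the ---Files--- section."""
    folder = None
    in_files = False
    files: Dict[str, dict] = {}
    for line in text.splitlines():
        line = line.rstrip()
        fm = FOLDER_RE.match(line)
        if fm:
            folder = fm.group("folder")
            continue
        if line == "---Files---":
            in_files = True
            continue
        if line.startswith("---"):          # ---Folders--- or any other section ends the file list
            in_files = False
            continue
        if not in_files or not line or folder is None:
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        path = folder + "\\" + m.group("name")
        attrs = m.group("attrs")
        files[path.lower()] = {
            "path": path,
            "attrs": attrs,
            "size": int(m.group("size")),
            "hidden": "h" in attrs,         # SystemLook marks hidden/system files with h/s
            "system": "s" in attrs,
        }
    return files


def parse_mbam_detections(text: str) -> Dict[str, str]:
    """Return {lowercased full path: detection name} from MBAM 'Files infected' lines."""
    hits: Dict[str, str] = {}
    for line in text.splitlines():
        m = DETECT_RE.match(line.strip())
        if m:
            hits[m.group("path").lower()] = m.group("family")
    return hits


def reconcile(systemlook: str, mbam: str, ignore_list: List[str]) -> dict:
    """Classify each listed sample as detected, excluded by the ignore list, or undetected."""
    files = parse_systemlook(systemlook)
    hits = parse_mbam_detections(mbam)
    ignored = {p.lower() for p in ignore_list}
    report: dict = {"detected": [], "excluded": [], "undetected": []}
    for key, info in sorted(files.items()):
        if key in hits:
            report["detected"].append((info["path"], hits[key]))
        elif key in ignored:
            report["excluded"].append(info["path"])   # gap explained by an exclusion
        else:
            report["undetected"].append(info["path"])  # genuinely missed: worth re-submitting
    return report


if __name__ == "__main__":
    for bucket, items in reconcile(SYSTEMLOOK_LOG, MBAM_LOG, IGNORE_LIST).items():
        print(bucket, items)
```

Samples that land in "undetected" are the ones worth re-uploading to the vendor; samples in "excluded" are a configuration problem on the scanning box, not a signature problem, and the hidden/system attribute flags are kept so a reviewer can see at a glance which samples are trying not to be noticed in the folder.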

#2 Fatdcuk

    Malware BBQ'er

  • Moderators
  • 20,543 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 15 June 2012 - 01:18 PM

Hi andreas,

I'm equally confused.

Can you upload some or all of the files so I can investigate further?

Ade Gill
Research Engineer

#3 John.Doe

Posted 15 June 2012 - 01:26 PM

Hi Fatdcuk,

Sure. :)

bye, andreas

Attached File  Gurken2.zip   2.64MB   19 downloads

#4 Fatdcuk

Posted 15 June 2012 - 01:33 PM

Hi Andreas,


29/30 of those files are detected :)

I'm unsure what the issue might be on your end, but here are 2 possible fixes.

If you reboot (restart) your computer and scan the folder again, are they detected?

If you have some kind of database corruption, then the next update should fix any issue, should it be DB related. That said, we have never had any bugs reported with the database and detections.

#5 John.Doe

Posted 15 June 2012 - 01:37 PM

Hi Ade,

OK, will try and thanks for your investigation.

bye, andreas

#6 John.Doe

Posted 15 June 2012 - 02:20 PM

Hi Ade,

I found the reason. But I won't tell the truth about the ignore list, because it's too embarrassing.

So I use the usual sayings, like "I was blinded by the sun" or "the side wind was too strong" (a German saying for a lame excuse).

Sorry for the inconvenience, andreas

#7 Fatdcuk

Posted 15 June 2012 - 02:24 PM

Hehe, no worries Andreas.

To take a quote from the Harry Potter books... Mischief managed :)
