Trojan.Bootkit.Dropper, f/p or real infection ?

19 replies to this topic

#1 MAM (Elite Member, Honorary Members, 1,219 posts, Gender: Male)

Posted 17 July 2012 - 01:06 PM

Hello, is this a false positive or a real infection?

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Datenbank Version: v2012.07.17.10
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
XXXXXX :: XXXXXXXXXXXX [Administrator]
Schutz: Aktiviert
17.07.2012 19:11:22
mbam-log-2012-07-17 (19-11-22).txt
Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 260624
Laufzeit: 39 Minute(n), 14 Sekunde(n)
Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateien: 2
D:\WINDOWS.0\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.
D:\WINDOWS.0\ERDNT\cache\explorer.exe (Trojan.Bootkit.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.
(Ende)

MAM
Windows XP Home, SP3, all updates after SP3, Firefox 3.6.3, Internet Explorer 8.0.6001.18702, 2.4 GHz slow computer with 1 GB RAM, two hard drives.

#2 pine22 (New Member, Members, 3 posts, Gender: Male, Location: Ohio)

Posted 17 July 2012 - 01:19 PM

I got the same thing on my laptop today.

#3 MAM (Elite Member, Honorary Members, 1,219 posts, Gender: Male)

Posted 17 July 2012 - 01:28 PM

OK, we must wait for the experts here :)

#4 Tom1986 (New Member, Members, 9 posts)

Posted 17 July 2012 - 01:28 PM

Okay, this is strange, so more people have this trojan as of today?

But indeed I got the same trojan in the same directory as you have: D:\WINDOWS.0\ServicePackFiles\i386\explorer.exe

Can someone please clarify whether this trojan is dangerous or just a false positive, so we can restore it?

#5 MAM (Elite Member, Honorary Members, 1,219 posts, Gender: Male)

Posted 17 July 2012 - 01:49 PM

Here are my results from virustotal.com:

https://www.virustot...sis/1342550603/

https://www.virustot...sis/1342550718/

That must mean nothing, or?

#6 pine22 (New Member, Members, 3 posts, Gender: Male, Location: Ohio)

Posted 17 July 2012 - 02:05 PM

I already deleted mine, so I cannot post the file or the developer logs, but here is the scan that detected it and the next one after I removed it and restarted my computer.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.17.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
XXXXXX :: XXXXXXXXXXXXX [administrator]

7/17/2012 11:41:13 AM
mbam-log-2012-07-17 (11-41-13).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 281614
Time elapsed: 1 hour(s), 24 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\ERDNT\cache\explorer.exe (Trojan.Bootkit.Dropper) -> Quarantined and deleted successfully.

(end)



Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.17.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
XXXXXXXXXXXXXXXXXXX [administrator]

7/17/2012 1:23:24 PM
mbam-log-2012-07-17 (13-23-24).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 281671
Time elapsed: 1 hour(s), 32 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#7 Tom1986 (New Member, Members, 9 posts)

Posted 17 July 2012 - 02:17 PM

I deleted mine also (it is in quarantine now), but here is my log for this trojan as well:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Databaseversie: v2012.07.17.10
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
XXXX :: XXXXXXX [administrator]
17-7-2012 18:56:58
mbam-log-2012-07-17 (18-56-58).txt
Scantype: Volledige scan (C:\|F:\|)
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
Uitgeschakelde scanopties: P2P
Objecten gescand: 217304
Verstreken tijd: 29 minuut/minuten, 30 seconde(n)
Geheugenprocessen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registersleutels gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registerwaarden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registerdata gedetecteerd: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.
Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Bestanden gedetecteerd: 1
C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Succesvol in quarantaine geplaatst en verwijderd.
(einde)
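For triaging several of these localised logs at once, an added example that is not from the thread or from Malwarebytes: it parses the detection lines (whose shape is the same in every language shown in this thread), counts hits per detection name, flags hits that sit in backup caches such as ServicePackFiles\i386 or ERDNT\cache so they can be checked against the live system file, and groups file copies by SHA-256 for that comparison. The dllcache marker is an assumption of this example, not something the thread mentions.

```python
import hashlib
import re
from collections import Counter

# A Malwarebytes 1.x detection line keeps one shape in every localisation
# seen in this thread (German, English, Dutch, Finnish):
#   <item> (<DetectionName>) -> <action text>
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[A-Za-z0-9._]+)\) -> (?P<action>.+)$")

# Folders holding dormant backup copies of system files. A hit only here,
# with the live copy clean, is the pattern this thread turned out to be.
# ServicePackFiles and ERDNT come from the thread; dllcache (the XP Windows
# File Protection cache) is added as an assumption of this example.
BACKUP_CACHE_MARKERS = (r"\servicepackfiles\i386", r"\erdnt\cache", r"\system32\dllcache")

def parse_detections(log_text):
    """Return one dict per detection line, ignoring localised headers and counters."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found

def is_backup_copy(item):
    return any(marker in item.lower() for marker in BACKUP_CACHE_MARKERS)

def triage(log_text):
    """Count detections per name and list backup-cache hits to verify against the live file."""
    detections = parse_detections(log_text)
    return {
        "total": len(detections),
        "by_name": dict(Counter(d["name"] for d in detections)),
        "verify_against_live_copy": [d["item"] for d in detections if is_backup_copy(d["item"])],
    }

def compare_copies(contents):
    """Map sha256 -> labels for {label: file_bytes}; a single key means every copy is identical."""
    groups = {}
    for label, data in contents.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(label)
    return groups

# Constructed sample built from line formats that appear in this thread.
SAMPLE_LOG = """Infizierte Dateien: 2
D:\\WINDOWS.0\\ServicePackFiles\\i386\\explorer.exe (Trojan.Bootkit.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.
D:\\WINDOWS.0\\ERDNT\\cache\\explorer.exe (Trojan.Bootkit.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKLM\\SOFTWARE\\Microsoft\\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.
C:\\Documents and Settings\\All Users\\Application Data\\TheBflix (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti."""
```

Feed `compare_copies` the bytes of the live `explorer.exe` and of each flagged backup copy; if they all land in one group, the scanner flagged the same file that the running system already uses.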

#8 nosirrah (Forum Deity, Administrators, 5,452 posts, Gender: Male, Location: Northampton, MA USA)

Posted 17 July 2012 - 02:22 PM

I am looking at this now, but I may need a copy of this file. If anyone can, please zip and attach a copy to your next post.
Bruce Harrison
Vice President of Research


#9 Tom1986 (New Member, Members, 9 posts)

Posted 17 July 2012 - 02:28 PM

@nosirrah

Thx for your help, but how do I attach the file if it's in quarantine? Do I have to undo/restore the file from quarantine and then zip the file?

#10 nosirrah (Forum Deity, Administrators, 5,452 posts, Gender: Male, Location: Northampton, MA USA)

Posted 17 July 2012 - 02:30 PM

This should be fixed.

#11 nosirrah (Forum Deity, Administrators, 5,452 posts, Gender: Male, Location: Northampton, MA USA)

Posted 17 July 2012 - 02:30 PM

> Do I have to undo/restore the file from quarantine

Yes

#12 Tom1986 (New Member, Members, 9 posts)

Posted 17 July 2012 - 02:34 PM

> This should be fixed.

Restored it. So do I still have to zip the file, or was this a false positive so everything is okay now?

#13 MAM (Elite Member, Honorary Members, 1,219 posts, Gender: Male)

Posted 17 July 2012 - 02:36 PM

Is this fixed now, or do you need a sample for fixing?

#14 Tom1986 (New Member, Members, 9 posts)

Posted 17 July 2012 - 02:41 PM

> Is this fixed now, or do you need a sample for fixing?
>
> MAM

I updated MBAM, and after the update I scanned the selected explorer.exe file and it came out clean (so it was a false positive). So everything is okay now, fellas. Thx MBAM for the quick help!

#15 MAM (Elite Member, Honorary Members, 1,219 posts, Gender: Male)

Posted 17 July 2012 - 02:49 PM

OK, thanks to the developer team at Malwarebytes' Anti-Malware for solving this issue :)

Thank you for the quick and smart response!

#16 jarrex (New Member, Members, 2 posts)

Posted 17 July 2012 - 03:43 PM

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Tietokantaversio: v2012.07.17.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Joo :: KOTI-EFCB838AB7 [järjestelmänvalvoja]

17.7.2012 19:01:16
mbam-log-2012-07-17 (19-01-16).txt

Tarkistustyyppi: Täysi tarkistus (C:\|)
Tarkistussuodattimia valittu: Muisti | Käynnistys | Rekisteri | Tietojärjestelmä | Heuristinen/Ylimäärinen | Heuristinen/Shuriken | Mahdollisesti haitallinen ohjelma | Mahdollisesti haitallinen muutos
Käytöstä poistetut tarkistusvalinnat: Vertaisverkko (Peer-to-Peer)
Tarkistettuja kohteita: 262120
Kulunut aika: 1 tunti(a), 20 minuutti(a), 57 sekunti(a)

Epäilyttäviä muistiprosesseja: 0
(Ei haitallisia kohteita)

Epäilyttäviä muistimoduuleja: 0
(Ei haitallisia kohteita)

Epäilyttäviä rekisteriavaimia: 13
HKCR\CLSID\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCR\CLSID\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

Epäilyttäviä rekisteriarvoja: 0
(Ei haitallisia kohteita)

Epäilyttäviä rekisterikohteita: 0
(Ei haitallisia kohteita)

Epäilyttäviä kansioita: 2
C:\Documents and Settings\All Users\Application Data\TheBflix (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\data (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

Epäilyttäviä tiedostoja: 10
C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\background.html (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\ajhcekcffkpnaednoeoegnmnjdlnjjmg.crx (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\bhoclass.dll (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\content.js (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\hjakmojkcnhgipgkkbiempkfdndcnlah.crx (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\settings.ini (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\uninstall.exe (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\data\content.js (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.
C:\Documents and Settings\All Users\Application Data\TheBflix\data\jsondb.js (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

(loppu)

I got this log after the update and I need to know one thing. Is that explorer.exe infection false, or is it really badly infected? :wacko:

#17 Tom1986 (New Member, Members, 9 posts)

Posted 17 July 2012 - 03:50 PM

@jarrex

False. Just update MBAM and scan again.

#18 jarrex (New Member, Members, 2 posts)

Posted 17 July 2012 - 04:09 PM

> @jarrex
>
> False. Just update MBAM and scan again.

Thanks for the fast answer. After that, can I restore that file from quarantine?

#19 pine22 (New Member, Members, 3 posts, Gender: Male, Location: Ohio)

Posted 17 July 2012 - 04:34 PM

I would assume it would be safe to do so now.

#20 shadowwar (Forum Deity, Moderators, 5,227 posts, Gender: Male)

Posted 17 July 2012 - 04:40 PM

Yes, it is safe to restore.
Rich Matteo
Research Engineer
