MAM

Trojan.Bootkit.Dropper, f/p or real infection?

20 posts in this topic

Hello, is this a false positive or a real infection?

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Datenbank Version: v2012.07.17.10

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

XXXXXX :: XXXXXXXXXXXX [Administrator]

Schutz: Aktiviert

17.07.2012 19:11:22

mbam-log-2012-07-17 (19-11-22).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)

Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM

Deaktivierte Suchlaufeinstellungen: P2P

Durchsuchte Objekte: 260624

Laufzeit: 39 Minute(n), 14 Sekunde(n)

Infizierte Speicherprozesse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0

(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0

(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 2

D:\WINDOWS.0\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.

D:\WINDOWS.0\ERDNT\cache\explorer.exe (Trojan.Bootkit.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)

MAM

Ok, we must wait for the experts here :)

MAM

Okay, this is strange, so more people have this trojan as of today?

But indeed I got the same trojan in the same directory as you have -> D:\WINDOWS.0\ServicePackFiles\i386\explorer.exe

Please can someone clarify whether this trojan is dangerous or just a false positive, so we can restore it.

I already deleted mine, so I cannot post the file or the developer logs, but here is the scan that detected it and the next one after I removed it and restarted my computer.

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.17.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

XXXXXX :: XXXXXXXXXXXXX [administrator]

7/17/2012 11:41:13 AM

mbam-log-2012-07-17 (11-41-13).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 281614

Time elapsed: 1 hour(s), 24 minute(s), 47 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\ERDNT\cache\explorer.exe (Trojan.Bootkit.Dropper) -> Quarantined and deleted successfully.

(end)

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.17.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

XXXXXXXXXXXXXXXXXXX [administrator]

7/17/2012 1:23:24 PM

mbam-log-2012-07-17 (13-23-24).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 281671

Time elapsed: 1 hour(s), 32 minute(s), 44 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

I also deleted mine (it is in quarantine now), but here is my log for this trojan as well:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Databaseversie: v2012.07.17.10

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

XXXX :: XXXXXXX [administrator]

17-7-2012 18:56:58

mbam-log-2012-07-17 (18-56-58).txt

Scantype: Volledige scan (C:\|F:\|)

Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM

Uitgeschakelde scanopties: P2P

Objecten gescand: 217304

Verstreken tijd: 29 minuut/minuten, 30 seconde(n)

Geheugenprocessen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registersleutels gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registerdata gedetecteerd: 3

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.

Mappen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Bestanden gedetecteerd: 1

C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Succesvol in quarantaine geplaatst en verwijderd.

(einde)

I am looking at this now, but I may need a copy of this file. If anyone can, please zip and attach a copy to your next post.

@nosirrah

Thx for your help, but how do I attach the file if it's in quarantine? Do I have to undo/restore the file from quarantine and then zip the file?

Do I have to undo/restore the file from quarantine

Yes

This should be fixed.

Restored it. So do I still have to zip the file, or was this a false positive so everything is okay now?

Is this fixed now, or do you need a sample for fixing?

MAM

Is this fixed now, or do you need a sample for fixing?

MAM

I updated mbam, and after the update I scanned the selected explorer.exe file and it came out clean (so it was a false positive). So everything is okay now, fellas. Thx mbam for the quick help!

Ok, thanks to the developer team around Malwarebytes' Anti-Malware for solving this issue :)

Thank you for the quick and smart response!

MAM

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Tietokantaversio: v2012.07.17.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Joo :: KOTI-EFCB838AB7 [järjestelmänvalvoja]

17.7.2012 19:01:16

mbam-log-2012-07-17 (19-01-16).txt

Tarkistustyyppi: Täysi tarkistus (C:\|)

Tarkistussuodattimia valittu: Muisti | Käynnistys | Rekisteri | Tietojärjestelmä | Heuristinen/Ylimäärinen | Heuristinen/Shuriken | Mahdollisesti haitallinen ohjelma | Mahdollisesti haitallinen muutos

Käytöstä poistetut tarkistusvalinnat: Vertaisverkko (Peer-to-Peer)

Tarkistettuja kohteita: 262120

Kulunut aika: 1 tunti(a), 20 minuutti(a), 57 sekunti(a)

Epäilyttäviä muistiprosesseja: 0

(Ei haitallisia kohteita)

Epäilyttäviä muistimoduuleja: 0

(Ei haitallisia kohteita)

Epäilyttäviä rekisteriavaimia: 13

HKCR\CLSID\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{101CC834-8B07-4236-9E4D-92C0E667F787} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKCR\CLSID\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A98FF6-4815-46DA-8569-D9B6BD328486} (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

Epäilyttäviä rekisteriarvoja: 0

(Ei haitallisia kohteita)

Epäilyttäviä rekisterikohteita: 0

(Ei haitallisia kohteita)

Epäilyttäviä kansioita: 2

C:\Documents and Settings\All Users\Application Data\TheBflix (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

C:\Documents and Settings\All Users\Application Data\TheBflix\data (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

Epäilyttäviä tiedostoja: 10

C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Trojan.Bootkit.Dropper) -> Karanteenattu ja poistettu onnistuneesti.

C:\Documents and Settings\All Users\Application Data\TheBflix\background.html (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

C:\Documents and Settings\All Users\Application Data\TheBflix\ajhcekcffkpnaednoeoegnmnjdlnjjmg.crx (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

C:\Documents and Settings\All Users\Application Data\TheBflix\bhoclass.dll (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

C:\Documents and Settings\All Users\Application Data\TheBflix\content.js (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

C:\Documents and Settings\All Users\Application Data\TheBflix\hjakmojkcnhgipgkkbiempkfdndcnlah.crx (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

C:\Documents and Settings\All Users\Application Data\TheBflix\settings.ini (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

C:\Documents and Settings\All Users\Application Data\TheBflix\uninstall.exe (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

C:\Documents and Settings\All Users\Application Data\TheBflix\data\content.js (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

C:\Documents and Settings\All Users\Application Data\TheBflix\data\jsondb.js (PUP.BFlix) -> Karanteenattu ja poistettu onnistuneesti.

(loppu)

I got this log after the update and I need to know one thing. Is that explorer.exe infection false, or is it really badly infected? :wacko:

@jarrex

False. Just update mbam and scan again.

Thanks for the fast answer. After that, can I restore that file from quarantine?
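Collating the logs posted in this thread is the quick triage a defender can do before acting on a detection: the same detection name on the same OS binary, reported by several unrelated machines on the same day's definitions, is the signal to check with the vendor before restoring or reimaging, which is how this thread was resolved. The Python below is an added example, not code from the thread or from Malwarebytes; it parses the detection lines of MBAM 1.62 logs in the localisations quoted above and reports which detection names recur across machines. The sample log text is constructed from the line shapes quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed samples shaped like the MBAM 1.62 logs quoted in this thread (EN, DE, NL), trimmed.
SAMPLE_LOGS = {
    "pc1_en.txt": (
        "Database version: v2012.07.17.08\n"
        "C:\\WINDOWS\\ServicePackFiles\\i386\\explorer.exe (Trojan.Bootkit.Dropper) -> Quarantined and deleted successfully.\n"
    ),
    "pc2_de.txt": (
        "Datenbank Version: v2012.07.17.10\n"
        "D:\\WINDOWS.0\\ServicePackFiles\\i386\\explorer.exe (Trojan.Bootkit.Dropper) -> Erfolgreich gelöscht und in Quarantäne gestellt.\n"
    ),
    "pc3_nl.txt": (
        "Databaseversie: v2012.07.17.10\n"
        "HKLM\\SOFTWARE\\Microsoft\\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Slecht: (1) Goed: (0) -> Geen actie ondernomen.\n"
        "C:\\WINDOWS\\ServicePackFiles\\i386\\explorer.exe (Trojan.Bootkit.Dropper) -> Succesvol in quarantaine geplaatst en verwijderd.\n"
    ),
}

# A detection line reads "<item> (<Detection.Name>) -> <action>"; the action wording varies by language.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[\w.]+)\) -> (?P<action>.+)$")
DB_VERSION_RE = re.compile(r"\bv(\d{4}\.\d{2}\.\d{2}\.\d{2})\b")

def parse_log(text):
    """Return the definitions version and the (item, name, action) detections of one log."""
    m = DB_VERSION_RE.search(text)
    hits = [d.groupdict() for d in map(DETECTION_RE.match, text.splitlines()) if d]
    return {"db_version": m.group(1) if m else None, "detections": hits}

def normalize_item(item):
    """Drop the drive letter and case so the same file on C:\\ and D:\\ compares equal."""
    return re.sub(r"^[A-Za-z]:\\", "", item).lower()

def correlate(logs):
    """Group detections across logs: name -> {which logs, normalized items, db versions}."""
    by_name = defaultdict(lambda: {"logs": set(), "items": set(), "db_versions": set()})
    for log_name, text in logs.items():
        parsed = parse_log(text)
        for hit in parsed["detections"]:
            entry = by_name[hit["name"]]
            entry["logs"].add(log_name)
            entry["items"].add(normalize_item(hit["item"]))
            entry["db_versions"].add(parsed["db_version"])
    return by_name

def widespread(by_name, min_logs=2):
    """Names reported by at least min_logs machines: the first false-positive triage signal."""
    return sorted(n for n, e in by_name.items() if len(e["logs"]) >= min_logs)
```

Point the same functions at the real log files from several machines and compare the `items` and `db_versions` sets per name; a name confined to one machine (like the PUM entry here) needs a different conversation than one that hits the same Windows file everywhere.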
