EcoGeek

Malwarebytes missed stealth trojan

6 posts in this topic

I have the retail purchase version with real time protection. Malwarebytes missed 4 stealth trojans that attacked Microsoft add-ins to Windows programs in which the programs themselves did not require a DLL. These scripts embedded themselves as executables in the Windows registry, and as part of Windows services in services.msc calling up their own DLL. Why didn't your program pick up this malware? Are they running beneath your programs at the kernel level?


You'll have to first provide samples of the "trojans" missed before anyone could even begin to comment.


You'll have to first provide samples of the "trojans" missed before anyone could even begin to comment.

MEWQYPZEUQRX.EXE MEWQYPZEUQRX.EXE C:\USERS\HANNSP~1\APPDATA\LOCAL\TEMP\MEWQYPZEUQRX.EXE BLANK BLANK BLANK BLANK

SVKMEQV.EXE SVKMEQV.EXE C:\USERS\HANNSP~1\APPDATA\LOCAL\TEMP BLANK BLANK BLANK BLANK

TVSGIQTUGSI.EXE TVSGIQTUGSI.EXE C:\USERS\HANNSP~1\APPDATA\LOCAL\TEMP BLANK BLANK BLANK BLANK

XHVIIOCAY.EXE XHVIIOCAY.EXE C:\USERS\HANNSP~1\APPDATA\LOCAL\TEMP BLANK BLANK BLANK BLANK

YFAGR.EXE YFAGR.EXE C:\USERS\HANNSP~1\APPDATA\LOCAL\TEMP BLANK BLANK BLANK BLANK

Or go here for the complete scenario on these malware

Complete files


I have the retail purchase version with real time protection. Malwarebytes missed 4 stealth trojans that attacked Microsoft add-ins to Windows programs in which the programs themselves did not require a DLL. These scripts embedded themselves as executables in the Windows registry, and as part of Windows services in services.msc calling up their own DLL. Why didn't your program pick up this malware? Are they running beneath your programs at the kernel level?

No one product protects against everything. It's impossible to do so as thousands of malware are released daily.


Also, reading from the ComboFix logs in the thread, those were orphaned entries and were dead services. The files didn't exist. ComboFix removed the service entries but never deleted most of the files because they weren't there. So I would have to say something you have picked up the files but didn't clean the registry. I would have to see logs from before you started the thread.

The main reason I saw for your infection was a patched Userinit.exe. Most AV products can't deal with patched files at this time, and they require manual replacement, which the helper did.

As far as stopping the infection, without the source it's hard to say why it was missed.
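The reply above describes two findings worth checking for yourself: service registry entries whose binary no longer exists (orphaned, dead services) and a patched Userinit.exe. The following PowerShell is an added example written for this thread, not a tool from Malwarebytes or ComboFix; the function names are my own, and it assumes an elevated prompt on a standard Windows install.

```powershell
# Added example: find service entries whose ImagePath points to a missing file, and
# verify the Authenticode signature of the binary configured as Winlogon Userinit.

function Resolve-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # Normalise kernel-style prefixes used by drivers and some services
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    if ($p.StartsWith('"')) {
        # Quoted path: the file name is everything up to the closing quote
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    # Unquoted path: drop any arguments that follow the binary
    if ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') { return $Matches[1] }
    return $p
}

function Get-OrphanedService {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem $root) {
        $props = Get-ItemProperty $key.PSPath
        $file  = Resolve-ImagePath $props.ImagePath
        if ($null -eq $file) { continue }          # no ImagePath: not a file-backed service
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                ImagePath = $props.ImagePath
                Resolved  = $file
                Start     = $props.Start             # 0-4: boot, system, auto, manual, disabled
            }
        }
    }
}

# Orphaned service entries: registry key present, binary gone (as in the ComboFix logs).
Get-OrphanedService | Format-Table -AutoSize

# Patched Userinit.exe check: confirm which binary Winlogon launches and whether it still
# carries a valid Microsoft signature. A patched system file shows Status != Valid.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = Resolve-ImagePath (($winlogon.Userinit -split ',')[0])
"Userinit value: $($winlogon.Userinit)"
Get-AuthenticodeSignature -FilePath $userinit |
    Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

An orphaned service entry by itself is only a leftover to clean up; a Userinit.exe whose signature status is anything other than Valid is the finding the helper in this thread acted on by replacing the file.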

