Please Tell Me if These are False Positives



#1 maximianusherculius


Posted 29 January 2010 - 11:15 AM

Here are five line items out of recent MBAM logs and one line item from an SAS log. I shut down system restore just prior to running all of these except the scan that found Trojan.Banker. After creating a new restore point the "Trojan.Banker" was found, but I don't know if a new restore point had anything to do with it. I am stumped because I have been surfing with Mozilla in Sandboxie, thus I don't see how I could have been infected. Please help me to figure out if they are false positives. ***Note: 123zap.exe is what I named combofix when I ran it about 10 days ago.

Files Infected:
C:\RECYCLER\S-1-5-21-1214440339-1085031214-1801674531-1003\Dc261.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9F625216-922B-4B93-96D3-BF83D7CA5179}\RP2\A0000077.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\123zap191491\PV.cfxxe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\123zap191491\pv.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\123zap191491\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.

The following is one that SAS found:

Trojan.Agent/Gen-Zbot
C:\RECYCLER\S-1-5-21-1214440339-1085031214-1801674531-1003\DC239\BIN\DWTF.EXE

Edited by maximianusherculius, 29 January 2010 - 11:25 AM.

Windows XP Professional 2002 sp3 32bit (ACPI Multiprocessor PC); Google Chrome and Mozilla w/Keyscramble
Processors: Twin Dual Core E5200's @ 2.5 GHz & 2 GB of RAM;..... MOTHERBOARD: INTEL
Hard Drive: Seagate 240GB ST3250310AS;..... SECURITY: Realtime is Avira (free) and Online Armor (free)
DVD/CD Drive: ATAPI DVD A DH20A4P;..... MALWARE Scanners: MBAM, SAS
WIRELESS: Linksys Wireless-N USB Network Adapter;..... DISPLAY Adaptors: NVIDIA GeForce 7300 SE/7200 GS


#2 quietman7


Posted 30 January 2010 - 11:56 AM

Is this your thread at MBAM's forum under the name Diocletian?

ComboFix.sys is a dummy file written by GMER; incapable of doing anything malicious.

Reply by sUBs in Post #6

Note that PV.cfxxe and pv.com are in the same folder.

Combofix is not malware. However, certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, registry fixes, malware strings it contains and the type of security engine that was used during the scan.

Such programs have legitimate uses in contexts where a Malware Removal Expert asked you to use the tool or when an authorized user/administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program.

It means it has the potential for being misused by others or that it was simply detected as suspicious due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

C:\RECYCLER\S-1-5-21-1214440339-1085031214-1801674531-1003\DC239\BIN\DWTF.EXE

Please see RootkitAnalytics's awareness of the file "Userland - DWTF.EXE".

C:\RECYCLER\S-1-5-21-1214440339-1085031214-1801674531-1003\Dc261.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9F625216-922B-4B93-96D3-BF83D7CA5179}\RP2\A0000077.exe (Trojan.Banker) -> Quarantined and deleted successfully.

Please see pctools assessment of "Trojan.Banker".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 maximianusherculius


Posted 31 January 2010 - 01:20 AM

Thanks for responding.

I checked out those two links you gave me. I am familiar with www.rootkitanalytics.com. As a matter of fact I tried to watch the video they have about a week ago. It is the same text and video you linked me to. It makes my head spin. I am going to look at it all again tomorrow.

When MBAM says that it successfully removes and quarantines stuff like this, does it disable further exploitation potential of this sort of malware, or should I be running combofix and GMER and monitor with Spy Dll Remover and Rootkit Hook Analyzer? Should I be using the netstat command to possibly see something unusual?

#4 quietman7


Posted 31 January 2010 - 08:24 AM

Please note the message text in blue at the top of this forum.

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

GMER is a stand-alone tool that will help investigate for the presence of rootkits. It will not actually tell you if you are infected or not unless you know what you're looking for. If you're unsure how to use a particular anti-rootkit (ARK) tool, then you should not be using it. Some ARKs are intended for advanced users or to be used under the guidance of an expert who can interpret the log results. Further, such tools are powerful and using them incorrectly could lead to disastrous problems with your operating system. There are many free ARK tools but some require a certain level of expertise and investigative ability to use. These are a few of the easier ARKs for novice users:

Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

With Malwarebytes Anti-Malware, once the scan is completed, infected files marked for "Remove Selected" are copied, renamed, handled with additional secure measures, then sent to Quarantine. The original file is either immediately removed or removed on reboot. While in Quarantine, the copy of the renamed original file is no longer a threat and therefore cannot do any harm. If at a later date you find MBAM removed a legitimate file (known as a false positive), it can be restored from Quarantine by clicking the Restore button. When the quarantined file is known to be malicious, you can delete it at any time. Choosing delete removes the backup copy and it no longer can be restored.

I recommend taking advantage of the Malwarebytes Anti-Malware Protection Module which uses advanced heuristic scanning technology to monitor your system and provide real-time protection to prevent the installation of most new malware. This technology monitors every process and stops malicious processes before they can infect your computer. Enabling the Protection Module feature requires registration and purchase of a license key that includes free lifetime upgrades and support. After activation, Malwarebytes can be set to update itself and schedule scans automatically on a daily basis. The Protection Module is not intrusive as it utilizes few system resources and should not conflict with other scanners or anti-virus programs.

You can use netstat, a command-line tool that displays incoming and outgoing network connections, from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
  • netstat /? lists all available parameters that can be used.
  • netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
  • netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically; no attempt is made to determine names.
  • netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).

Edited by quietman7, 31 January 2010 - 08:35 AM.

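The netstat walkthrough above, as an added example that is not part of the original post: a Python parser for Windows `netstat -ano` output that groups sockets by PID, separating listening ports from established connections to non-loopback peers, so each PID can be matched to a process on the Task Manager Processes tab. The sample output (`SAMPLE_NETSTAT_ANO`) is constructed; the addresses are documentation ranges and the PIDs are made up.

```python
"""Parse Windows `netstat -ano` output and summarise sockets per PID.
Added example, not code from the forum post. SAMPLE_NETSTAT_ANO is
constructed: documentation-range addresses and made-up PIDs."""
from collections import defaultdict

SAMPLE_NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1588
  TCP    192.168.1.5:1087       203.0.113.10:80        ESTABLISHED     2288
  TCP    192.168.1.5:1093       198.51.100.7:6667      ESTABLISHED     3120
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:1900       *:*                                    1244
"""

def split_addr(addr):
    """Split 'host:port' into (host, port); port is None for '*'."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat_ano(text):
    """Return one dict per socket line, skipping the banner and header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP is connectionless, so its rows have no State column;
        # the PID is always the last field on the line.
        state = parts[3] if parts[0] == "TCP" else ""
        lhost, lport = split_addr(parts[1])
        fhost, fport = split_addr(parts[2])
        rows.append({"proto": parts[0], "local_port": lport, "state": state,
                     "foreign_host": fhost, "foreign_port": fport,
                     "pid": int(parts[-1])})
    return rows

def is_loopback(host):
    return host.startswith("127.") or host == "[::1]"

def summarise_by_pid(rows):
    """Group by PID: listening ports vs. established non-loopback peers.
    The PID is the value to look up on Task Manager's Processes tab."""
    summary = defaultdict(lambda: {"listening": [], "remote": []})
    for r in rows:
        entry = summary[r["pid"]]
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            entry["listening"].append(f'{r["proto"]}/{r["local_port"]}')
        elif r["state"] == "ESTABLISHED" and not is_loopback(r["foreign_host"]):
            entry["remote"].append(f'{r["foreign_host"]}:{r["foreign_port"]}')
    return dict(summary)
```

Feed it the saved output of `netstat -ano` and a PID with an unexpected remote endpoint is the one to check against the process list.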

#5 maximianusherculius


Posted 31 January 2010 - 11:35 AM

Thank you for the cut and dried advice.

I really do like MBAM. I have been using it for years.

I am pretty sure my pc is clean, but these days can anyone really know for sure? I really don't think so.

MBAM's most recent find was Adware.swizzor. I have never heard of that one before. It was removed successfully.
MBAM found something a while back called rogue.SecurityTool. Even though I was browsing in Sandboxie at the time, it brought my pc functions to a screeching halt. My pc froze on me for the first time ever (have had it for 3 years). I could not close Sandboxie to do auto delete nor could I manually "Terminate all programs" via task manager or Sandboxie controls. I had to hit the reset button. MBAM removed it as well.


I have Sophos and ran it. It found over 10,000 hidden registry objects. From what I can tell, nearly all of them have "zonemap" in the title. Not sure. I have run CClean and Powertools light reg sweeps. I ran avira and avg reg sweep for left over AV program stuff. I then ran Sophos again. It still finds over 10,000 hidden reg entries. Strange don't you think?

My pc is working fine. I am fortunate I guess.

Edited by maximianusherculius, 31 January 2010 - 11:45 AM.


#6 quietman7


Posted 31 January 2010 - 01:59 PM

ThreatExpert's Submission Summary of "Adware.Swizzor"
MalwareNET report on "Adware.Swizzor"

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

• Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

• Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

• Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

• Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

• The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

Edited by quietman7, 31 January 2010 - 02:00 PM.


#7 maximianusherculius


Posted 31 January 2010 - 09:28 PM

Thanks for the plethora of info. Those last two topics, in bold print, really caught my attention. I never really thought of that scenario. Very useful tips. Much appreciated.

#8 quietman7


Posted 31 January 2010 - 10:11 PM

You're welcome.