

Heads Up. Mbam can't delete a virus, keeps coming back again.


#1 vladmir21


  • Members
  • 38 posts
  • Local time:12:58 AM

Posted 22 July 2010 - 02:05 AM

Hi guys,
Here's the situation. Got a friend's laptop, had viruses, removed most of them with Mbam + SAS + Combofix.
Just 1 remains.
It might be a rootkit.
Mbam detects it, deletes it, it comes back up again.
In normal and safe mode.
System Restore is already turned off, doesn't help.
Here's the log of MBAM:
Malwarebytes' Anti-Malware 1.46

Database version: 4125

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/22/2010 8:18:07 AM
mbam-log-2010-07-22 (08-18-07).txt

Scan type: Quick scan
Objects scanned: 13655
Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (regedit.exe %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HijackThis log is more clear, it identifies the file as
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\fbqjhw.exe,

I can post the whole hijackthis log, if you need me to. The rest of the log is clean.

Guys, help please!!

Some more info. It looks like it's this one:

It's funny that the Prevx website lists this one as originating in the UK, because until a couple of weeks ago, this laptop was in the UK.
Now it's in India.

Edited by vladmir21, 22 July 2010 - 02:12 AM.
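
The HijackThis F2 line quoted in the post above shows a second program after Userinit.exe; Winlogon launches every comma-separated entry of that value at logon. As an added example (not part of the original post), this Python check flags any entry other than the stock userinit.exe; the function name and the clean sample line are assumptions made for illustration.

```python
import ntpath

# HijackThis prefix for the Winlogon Userinit value, as it appears in the post.
F2_PREFIX = "F2 - REG:system.ini: UserInit="


def extra_userinit_entries(hjt_line, windir=r"C:\WINDOWS"):
    """Return entries in a HijackThis F2 UserInit line other than userinit.exe.

    Hypothetical helper for log triage; windir is assumed to be the
    Windows directory of the machine that produced the log.
    """
    line = hjt_line.strip()
    if not line.lower().startswith(F2_PREFIX.lower()):
        return []  # not a UserInit line, nothing to report

    # The only program expected in this value on a stock install.
    expected = ntpath.normcase(ntpath.join(windir, "system32", "userinit.exe"))

    extras = []
    for entry in line[len(F2_PREFIX):].split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # the value normally ends with a trailing comma
        # A bare file name is treated as living in system32.
        path = entry if ntpath.isabs(entry) else ntpath.join(windir, "system32", entry)
        if ntpath.normcase(ntpath.normpath(path)) != expected:
            extras.append(entry)
    return extras


# First line is the one quoted in the post; the second is a constructed clean value.
SAMPLE_LINES = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\fbqjhw.exe,",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        found = extra_userinit_entries(sample)
        print("SUSPICIOUS" if found else "ok", found)
```

An entry flagged here is a logon autostart, so it is worth checking alongside any detections that keep reappearing after cleanup.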



#2 vladmir21

  • Topic Starter

  • Members
  • 38 posts
  • Local time:12:58 AM

Posted 22 July 2010 - 09:38 PM

Update: This laptop does not have internet access for now, so I won't be able to do online scans, but will have to download the update database manually.
Also, this has XP Pro SP2 installed. There is no autorun.inf infection happening, as I checked by inserting pendrives in the USB ports, everything came up clean. So I don't know what this fbqjhw.exe is doing.
Thanks for all your hard work in helping us.
In the meantime, I will scan with Avira and AVG bootscan rescue CDs and will keep you updated.
Please tell me what else you would like from me.

#3 vladmir21

  • Topic Starter

  • Members
  • 38 posts
  • Local time:12:58 AM

Posted 23 July 2010 - 07:29 AM

Mods, please close this thread. Thank you. The problem has been resolved.
