
Rkill.com listed as infected by Trojan.BankerBot.Gen in mbam.log


2 replies to this topic

#1 Tim Salm


Posted 26 May 2011 - 03:37 PM

I have a co-worker who ran rkill.com and Malwarebytes' Anti-Malware earlier today. The mbam.log file included the following information.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6685

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/26/2011 11:16:56 AM
mbam-log-2011-05-26 (11-16-56).txt

Scan type: Full scan (C:\|)
Objects scanned: 242089
Time elapsed: 15 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\xxxxxxx\Desktop\rkill.com (Trojan.BankerBot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\xxxxx\Desktop\rkill.com (Trojan.BankerBot.Gen) -> Quarantined and deleted successfully.

My co-worker believes that rkill.com was the source of the infection. I attempted to replicate the issue on my PC and it did not find any infected files (and, more importantly, any infected files associated with rkill.com). What, if anything, should I make of this? Any possible explanations?

#2 mkbcomputerrepair


Posted 28 May 2011 - 10:13 PM

I had the same problem just the other day. I have copies of Rkill and iexplore (same file, different name) on my Dell laptop. I also have copies on a flash drive that I use to fix clients' computers that have malware infections.

I ran Malwarebytes. The copies on my flash drive were infected with trojan.bankerbot.gen, but NOT the copies on my Dell computer. The copies on my flash drive are themselves copies of the ones on my Dell computer. This tells me that the copies on my flash drive probably got infected themselves when I used the flash drive to remove malware from a client's computer.

#3 Liuqin


Posted 31 May 2011 - 06:58 PM

Had the same thing, detected by Malwarebytes. Downloaded a newer version of rkill, isolated the old one and scanned it separately; this time nothing. Deleted it anyway. Rescanned with Malwarebytes again, full scan, and got this:


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 6682

Windows 5.1.2600 Service Pack 1 (Safe Mode)
Internet Explorer 6.0.2800.1106

31/05/2011 6:51:26 PM
mbam-log-2011-05-31 (18-51-26).txt

Scan type: Full scan (C:\|)
Objects scanned: 535962
Time elapsed: 3 hour(s), 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{987e0331-0f01-427c-a58a-7a2e4aabf84d}\RP280\A0053201.exe (Trojan.BankerBot.Gen) -> Quarantined and deleted successfully.
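An added example (not code from any of the posters) that parses the mbam-log layout quoted in this thread, checks that the summary counts agree with the items actually listed, and groups each hit by where the file sat (local disk, another drive such as a flash drive, or a System Volume Information restore point), which is the comparison the second and third posts make by hand. The sample log is constructed, and the item regex assumes the exact `path (Threat) -> action` line shape shown above.

```python
import re

# Constructed sample in the mbam-log layout quoted in this thread (made-up paths and counts).
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6685
Memory Processes Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Files Infected:
c:\\documents and settings\\user\\Desktop\\rkill.com (Trojan.BankerBot.Gen) -> Quarantined and deleted successfully.
e:\\tools\\rkill.com (Trojan.BankerBot.Gen) -> Quarantined and deleted successfully.
c:\\system volume information\\_restore{GUID}\\RP280\\A0053201.exe (Trojan.BankerBot.Gen) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")    # summary line, e.g. "Files Infected: 2"
SECTION_RE = re.compile(r"^(.+ Infected):$")        # detail header, e.g. "Files Infected:"
# One detected item; assumes no "(" in the path itself (e.g. "Program Files (x86)" would need care).
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return the database version, the summary counts and each per-item detection."""
    parsed = {"database_version": None, "counts": {}, "detections": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Database version:"):
            parsed["database_version"] = int(line.split(":", 1)[1])
        elif m := COUNT_RE.match(line):
            parsed["counts"][m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := ITEM_RE.match(line)):
            parsed["detections"].append({"section": section, **m.groupdict()})
    return parsed

def counts_consistent(parsed):
    """True when every summary count equals the number of items listed under that section."""
    return all(sum(d["section"] == s for d in parsed["detections"]) == n
               for s, n in parsed["counts"].items())

def classify_path(path):
    # Bucket a hit the way the posters reasoned: restore-point copy, another drive, or a local file.
    p = path.lower()
    if p.startswith("c:\\system volume information\\"):
        return "restore_point"
    return "local" if p.startswith("c:\\") else "other_drive"

def detections_by_location(parsed):
    """Map location bucket -> list of (path, threat), so repeated hits on one tool stand out."""
    out = {}
    for d in parsed["detections"]:
        out.setdefault(classify_path(d["path"]), []).append((d["path"], d["threat"]))
    return out
```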



