

MBAM keeps on detecting the same 8 infected files. What do I do?


This topic is locked
8 replies to this topic

#1 llee1000

  • Members
  • 19 posts

Posted 15 August 2015 - 11:25 AM

Lately, whenever I scan with MBAM, it keeps on detecting the same 8 infected files. I quarantine them each time and delete them, but they keep on coming back. Here is a scan log of a recent scan I did showing the 8 infected files:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 2015-08-13
Scan Time: 7:36 AM
Logfile: MBAM scan results.txt
Administrator: Yes
 
Version: 2.1.8.1057
Malware Database: v2015.08.13.04
Rootkit Database: v2015.08.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Danny
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 358032
Time Elapsed: 2 hr, 5 min, 13 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 2
PUP.Optional.GlobalSearch.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, , [ce8a00087516092d691d6fab9b68d52b], 
PUP.Optional.GlobalSearch.ShrtCln, HKU\S-1-5-21-3267975050-1300920022-1020474669-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, , [aeaa5dab414a30060382dd3df40f9769], 
 
Registry Values: 2
PUP.Optional.GlobalSearch.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://www.globasearch.com/?serie=209&installkey=7VtzxHHUOoY5LiPgaY5E&b=3&q={searchTerms}, , [ce8a00087516092d691d6fab9b68d52b]
PUP.Optional.GlobalSearch.ShrtCln, HKU\S-1-5-21-3267975050-1300920022-1020474669-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://www.globasearch.com/?serie=209&installkey=7VtzxHHUOoY5LiPgaY5E&b=3&q={searchTerms}, , [aeaa5dab414a30060382dd3df40f9769]
 
Registry Data: 2
Hijack.GlobaSearch.C, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.globasearch.com/?serie=209&b=3&installkey=7VtzxHHUOoY5LiPgaY5E, Good: (www.google.com), Bad: (http://www.globasearch.com/?serie=209&b=3&installkey=7VtzxHHUOoY5LiPgaY5E),,[65f3b454414ade585fe72929cb3abb45]
Hijack.GlobaSearch.C, HKU\S-1-5-21-3267975050-1300920022-1020474669-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.globasearch.com/?serie=209&b=3&installkey=7VtzxHHUOoY5LiPgaY5E, Good: (www.google.com), Bad: (http://www.globasearch.com/?serie=209&b=3&installkey=7VtzxHHUOoY5LiPgaY5E),,[ea6e4cbcdab1a3930243f45ea95cab55]
 
Folders: 0
(No malicious items detected)
 
Files: 2
PUP.Optional.GlobalSearch.ShrtCln, C:\Users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\w6kze442.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.globasearch.com/?serie=209&b=2&installkey=7VtzxHHUOoY5LiPgaY5E&newtab");), ,[0c4cbd4bb8d33df99bab99f07194e11f]
PUP.Optional.GlobalSearch.ShrtCln, C:\Users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\w6kze442.default\prefs.js, Good: (browser.startup.homepage", "https://www.malwarebytes.org/restorebrowser/), Bad: (browser.startup.homepage", "http://www.globasearch.com), ,[6aeefa0e335826100544503dfd086e92]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
What is going on and what do I do? Thanks in advance!



 


#2 Slurppa

  • Malware Study Hall Senior
  • 666 posts
  • Gender:Male

Posted 15 August 2015 - 01:52 PM

Hi

 

Have you tried setting action to remove instead of quarantine?

 

You might try running AdwCleaner if Malwarebytes doesn't do the job (which sounds odd). Instructions here:

http://www.bleepingcomputer.com/download/adwcleaner/



#3 llee1000

  • Topic Starter
  • Members
  • 19 posts

Posted 15 August 2015 - 02:36 PM

Thanks! So I downloaded AdwCleaner and it deleted everything for the most part. It didn't delete two keys for some reason. Here is the logfile if you want it:

 

# AdwCleaner v5.000 - Logfile created 15/08/2015 at 14:28:05
# Updated 14/08/2015 by Xplode
# Database : 2015-08-15.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Danny - CLONE
# Running from : C:\Users\Danny\Downloads\adwcleaner_5.000.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\yahoo.xml
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKU\.DEFAULT\Software\Nico Mak Computing
[-] Key Deleted : HKCU\Software\Nico Mak Computing
[!] Key Not Deleted : [x64] HKCU\Software\Nico Mak Computing
[-] Key Deleted : [x64] HKLM\SOFTWARE\Nico Mak Computing
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
[-] Data Restored : HKU\S-1-5-21-3267975050-1300920022-1020474669-1001\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[!] Key Not Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data Restored : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\w6kze442.default\prefs.js] [Preference] Deleted : user_pref("browser.startup.homepage", "hxxp://www.globasearch.com/?serie=209&b=2&installkey=7VtzxHHUOoY5LiPgaY5E");
[-] [C:\Users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\w6kze442.default\prefs.js] [Preference] Deleted : user_pref("browser.newtab.url", "hxxp://www.globasearch.com/?serie=209&b=2&installkey=7VtzxHHUOoY5LiPgaY5E&newtab");
 
*************************
 
:: Proxy settings cleared
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner[C4].txt - [2301 octets] - [15/08/2015 14:28:05]
C:\AdwCleaner[S5].txt - [2599 octets] - [15/08/2015 14:24:43]
 
########## EOF - C:\AdwCleaner[C4].txt - [2427 octets] ##########


#4 Slurppa

  • Malware Study Hall Senior
  • 666 posts
  • Gender:Male

Posted 15 August 2015 - 04:13 PM

Both of those keys that it didn't delete appear to be in the 64-bit registry. It is possible that those keys only existed in the 32-bit part, which explains why it didn't delete them. Try running Malwarebytes again to check whether it reports those keys again.


Edited by Slurppa, 15 August 2015 - 04:14 PM.
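The registry-view question in this reply, worked through as an added example that is not part of this thread and is not code from Malwarebytes or AdwCleaner: a Python script that takes the registry lines from the MBAM log in post #1 and the AdwCleaner log in post #3 as constructed sample input, folds both into one canonical key path, and reports which detected keys AdwCleaner acted on. It assumes, reading the two logs, that MBAM writes the 32-bit view with WOW6432NODE in the path while AdwCleaner marks the 64-bit view with an [x64] prefix and leaves the 32-bit view unmarked; USER_SID is the SID that appears in both logs.

```python
import re

# Constructed sample input: registry lines copied from the MBAM log (post #1)
# and the AdwCleaner log (post #3) in this thread.
MBAM_REGISTRY_LINES = [
    r"PUP.Optional.GlobalSearch.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, , [ce8a00087516092d691d6fab9b68d52b], ",
    r"PUP.Optional.GlobalSearch.ShrtCln, HKU\S-1-5-21-3267975050-1300920022-1020474669-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, , [aeaa5dab414a30060382dd3df40f9769], ",
    r"PUP.Optional.GlobalSearch.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://www.globasearch.com/?serie=209&installkey=7VtzxHHUOoY5LiPgaY5E&b=3&q={searchTerms}, , [ce8a00087516092d691d6fab9b68d52b]",
]
ADWCLEANER_LINES = [
    r"[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}",
    r"[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}",
    r"[!] Key Not Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}",
    r"[-] Key Deleted : [x64] HKLM\SOFTWARE\Nico Mak Computing",
]
USER_SID = "S-1-5-21-3267975050-1300920022-1020474669-1001"  # SID taken from the logs

# MBAM: "<detection name>, <path>, <data>, <extra>, [<hash>]"
MBAM_RE = re.compile(r"^(?P<name>[^,]+), (?P<path>[^,]+), ")
# AdwCleaner: "[-] Key Deleted : [x64] <path>" / "[!] Key Not Deleted : <path>"
ADW_RE = re.compile(r"^\[[-!]\] (?P<action>Key (?:Not )?Deleted) : (?P<x64>\[x64\] )?(?P<path>.+)$")


def canonical_key(path):
    """Upper-case the path, fold HKU\\<SID> to HKCU, drop a trailing
    '|ValueName', and strip the WOW6432NODE component.
    Returns (key, was_wow64_path)."""
    key = path.strip().upper().split("|", 1)[0]
    key = re.sub(r"^HKU\\" + re.escape(USER_SID) + r"\\", r"HKCU\\", key)
    wow = "\\WOW6432NODE\\" in key
    return key.replace("\\WOW6432NODE\\", "\\"), wow


def registry_view(key, x64_marker=None, wow64_path=False):
    """'32' or '64' for HKLM keys. Per-user Internet Explorer keys are not
    redirected by WOW64, so the view is reported as 'n/a' for them.
    MBAM encodes the view in the path (WOW6432NODE); AdwCleaner uses an
    [x64] prefix for the 64-bit view (assumed convention, read off the logs)."""
    if not key.startswith("HKLM\\"):
        return "n/a"
    if x64_marker is not None:
        return "64" if x64_marker else "32"
    return "32" if wow64_path else "64"


def mbam_detections(lines):
    """Parse MBAM registry key/value lines into {name, key, view} records."""
    out = []
    for line in lines:
        m = MBAM_RE.match(line)
        if m:
            key, wow = canonical_key(m["path"])
            out.append({"name": m["name"], "key": key,
                        "view": registry_view(key, wow64_path=wow)})
    return out


def adwcleaner_actions(lines):
    """Parse AdwCleaner registry key actions into {key, view, action} records."""
    out = []
    for line in lines:
        m = ADW_RE.match(line)
        if m:
            key, _ = canonical_key(m["path"])
            out.append({"key": key, "action": m["action"],
                        "view": registry_view(key, x64_marker=m["x64"] is not None)})
    return out


def reconcile(detections, actions):
    """Map each detected key to the AdwCleaner actions taken on it, matching
    on canonical path and registry view. Value detections fold into their key."""
    report = {}
    for d in detections:
        entry = report.setdefault(d["key"], {"view": d["view"], "actions": []})
        for a in actions:
            hit = (a["view"], a["action"])
            if a["key"] == d["key"] and a["view"] == d["view"] and hit not in entry["actions"]:
                entry["actions"].append(hit)
    return report


if __name__ == "__main__":
    rep = reconcile(mbam_detections(MBAM_REGISTRY_LINES), adwcleaner_actions(ADWCLEANER_LINES))
    for key, info in rep.items():
        print(f"{key} [view {info['view']}]")
        for view, action in info["actions"] or [("-", "no AdwCleaner action")]:
            print(f"    {action} (view {view})")
```

Run as-is, it prints one line per detected key with the actions matched to it. The HKCU SearchScopes key gets two lines, "Key Deleted" and then "Key Not Deleted" through the [x64] view; since per-user Internet Explorer keys are not redirected by WOW64, both lines address the same key and the second pass finds nothing left, which is consistent with Slurppa's reading that the key existed in only one view.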


#5 llee1000

  • Topic Starter
  • Members
  • 19 posts

Posted 15 August 2015 - 06:00 PM

Okay, I scanned with MBAM again and it detected the same 8 files again. But this time, it asked me to restart to remove the infected files. This is weird since it never asked me this before when it detected the 8 files. I guess my computer is fixed now again. Again, thanks for the help.



#6 llee1000

  • Topic Starter
  • Members
  • 19 posts

Posted 22 August 2015 - 10:15 AM

During the past week, MBAM kept on detecting these same 8 threats. So I used AdwCleaner and JRT to help remove them. Also, I discovered that it was Firefox that was the one giving me problems. It has a hijacker search engine installed in it, called globasearch. So I removed globasearch using the searchreset extension. Yet, globasearch keeps on coming back and MBAM keeps on detecting the globasearch hijack virus. Would the best course of action to take be to uninstall Firefox?
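The Firefox side of the problem, as an added example that is not taken from this thread or from Mozilla: a Python check that reads a prefs.js excerpt (constructed from the user_pref lines quoted in the MBAM log earlier in the thread) and flags homepage, new-tab and keyword.URL values whose host is not on a list of hosts the user recognises. TRUSTED_HOSTS is an assumption for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a prefs.js excerpt built from the two user_pref lines
# quoted in the MBAM log earlier in this thread, plus two ordinary lines.
SAMPLE_PREFS_JS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.globasearch.com/?serie=209&b=2&installkey=7VtzxHHUOoY5LiPgaY5E");
user_pref("browser.newtab.url", "http://www.globasearch.com/?serie=209&b=2&installkey=7VtzxHHUOoY5LiPgaY5E&newtab");
user_pref("browser.startup.page", 1);
user_pref("browser.search.defaultenginename", "Google");
'''

# Hosts the user recognises as their own choice (assumption for this demo).
TRUSTED_HOSTS = ["google.com", "mozilla.org"]

# Preferences a search hijacker rewrites to route the browser through its site.
URL_PREFS = {"browser.startup.homepage", "browser.newtab.url", "keyword.URL"}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; strings are unquoted,
    true/false become bool, plain integers become int, anything else stays raw."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw in ("true", "false"):
            value = raw == "true"
        elif raw.lstrip("-").isdigit():
            value = int(raw)
        else:
            value = raw
        prefs[name] = value
    return prefs


def is_trusted(url, trusted_hosts):
    """about: pages are Firefox built-ins with no host; otherwise the host must
    equal a trusted host or be a subdomain of one."""
    if url.startswith("about:"):
        return True
    host = (urlsplit(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def audit_prefs(text, trusted_hosts):
    """List every URL-valued startup/new-tab/keyword preference that points at
    a host outside the trusted list. The homepage pref may hold several URLs
    separated by '|', so each one is checked on its own."""
    findings = []
    for name, value in parse_prefs(text).items():
        if name not in URL_PREFS or not isinstance(value, str):
            continue
        for url in value.split("|"):
            if url and not is_trusted(url, trusted_hosts):
                findings.append({"pref": name, "host": urlsplit(url).hostname, "url": url})
    return findings


if __name__ == "__main__":
    for f in audit_prefs(SAMPLE_PREFS_JS, TRUSTED_HOSTS):
        print(f"{f['pref']}: points at {f['host']} -> {f['url']}")
```

Two caveats matter when a cleaned preference keeps reappearing: Firefox rewrites prefs.js from memory when it exits, so edits made while the browser is open are lost, and a user.js file in the same profile directory is re-applied on every start, so the same check is worth running against user.js as well.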



#7 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 03 September 2015 - 01:42 PM

Hi llee1000,
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#8 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 06 September 2015 - 05:24 AM

Hi llee1000,
 
This is a 3 day bump:
 
It has been 3 days since my last post.

  • Do you still need help with this?
  • If after 48 hours you have not replied to this thread then it will have to be closed.

xXToffeeXx~




#9 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 08 September 2015 - 12:00 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





