Hi All,
My MBAM full scan just ended! Not bad for just under six hours…
I ran the full scan because I had run the quick scan a few days ago, and found no problem. I just wanted to be sure I got whatever caused the problem today.
Here’s a copy of the MBAM results, edited to remove unimportant info.
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8357
Windows 5.1.2600 Service Pack 3
Scan type: Full scan (C:\|)
Objects scanned: 698361
Time elapsed: 5 hour(s), 55 minute(s), 46 second(s)
Registry Values Infected: 1
Files Infected: 6
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usrcrtTime (Trojan.Agent) -> Value: usrcrtTime -> Quarantined and deleted successfully.
Files Infected:
c:\documents (Trojan.Agent) -> Quarantined and deleted successfully
c:\documents and settings\mike\local settings\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\fsquirt.exe (Trojan.Dropper.BCM) -> Quarantined and deleted successfully.
c:\WINDOWS\servicepackfiles\i386\fsquirt.exe (Trojan.Dropper.BCM) -> Quarantined and deleted successfully.
c:\downloads\miopocket 3.0 release 59\mfcce300.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\downloads\miopocket 3.0 release 59\MFCCE400.DLL (Malware.Packer.Gen) -> Quarantined and deleted successfully.
I’m not sure what the first File Infected is referring to, since there’s no file name.
The second one, ms0cfg32.exe, may be a legitimate find.
The third and fourth, fsquirt, may be a false positive, since I’m reading that it’s just started popping up in scans lately.
The last two, part of a download of utilities for a GPS (miopocket), may or may not be legit. Those files are actually meant to run on Windows CE, so I’m wondering if standard Windows malware scanners would report a false positive, or if it is a legitimate find.
MBAM did find the registry entry for the program that was trying to phone home, so the original problem (when Avast! found a problem with usrcrtTime.dll) should be resolved at this point.
I welcome any further comments on this little escapade, but it seems that it is now under control.
Thanks to all who helped!