Strange MBAM detections again...

I’ve run MBAM regularly. Nothing is found.
Today an f.exe file appeared in the root directory.
Of course it is fishy. Most probably infected.
The problem is that the file NEVER exists…

avast does not detect any rootkit also.

Well the file might well be hidden from the normal windows explorer or APIs. So it might be worth running GMER anti-rootkit to check.

Essexboy, can you check my log?
http://www.mediafire.com/file/dtnn0mmwgqm/GMER.7z

Uninstalled MBAM. Boot. Installed again.
Problem is there…


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versão da Base de Dados:  4127

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

22/05/2010 08:39:49
mbam-log-2010-05-22 (08-39-49).txt

Tipo de Verificação:  Verificação Rápida 
Objetos escaneados:  138823
Tempo decorrido: 9 hora(s), 22 minuto(s), 11 segundo(s)

Processos de Memória Infectados:  0
Módulos de Memória Infectados:  0
Chaves de Registro Infectadas: 0
Valores de Registro Infectados: 0
Itens de Dados no Registro Infectados:  0
Pastas Infectadas:  0
Arquivos Infectados: 1

Processos de Memória Infectados: 
(Não foram detectados ítens maliciosos)

Módulos de Memória Infectados: 
(Não foram detectados ítens maliciosos)

Chaves de Registro Infectadas:
(Não foram detectados ítens maliciosos)

Valores de Registro Infectados:
(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Infectados: 
(Não foram detectados ítens maliciosos)

Pastas Infectadas: 
(Não foram detectados ítens maliciosos)

Arquivos Infectados:
C:\f.exe (Trojan.Agent) -> No action taken.

I had this problem before and could not solve it (I’ve formatted/installed everything again, so the problem disappeared in the meantime…).
http://forum.avast.com/index.php?topic=58921.msg496604#msg496604

Your MBAM log shows No action taken, what happens when you let it Remove it ?
Presumably on reboot it is back again ?

I’m not too familiar with the GMER logs and this is the largest GMER log I have seen, but I have had a quick look at it and I don’t see anything obvious; GMER is usually quite distinct in highlighting anything that it considers suspect/a rootkit.

So I think we will need essexboy to take a look at it.

I ran OTL (as posted here: http://forum.avast.com/index.php?topic=58921.msg496741#msg496741).
The logs are here: http://www.mediafire.com/file/ijydtq4mzjj/OTL.7z

Allowed it to remove and booted three times… MBAM does nothing with it.

Yes it will take essexboy to root into the OTL log as I have no experience of that.

Hi Tech - GMER looks clean, as does OTL. Note this part from the OTL scan
< %SYSTEMDRIVE%*.exe >

< MD5 for: AGP440.SYS >
The empty part under %systemdrive%*.exe means that there are no exe files on your root drive - which is as it should be

MBAM is now at 4130 - could you update and see if it is still present
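As an added check (not part of the thread or of any of the tools mentioned), the following PowerShell snippet repeats the %SYSTEMDRIVE%*.exe listing that OTL produced, but with hidden and system files included, hashes anything it finds for a VirusTotal lookup, and then probes the exact path from the MBAM log through two different interfaces so that a file visible to one and not the other stands out. It assumes PowerShell 4 or later (for Get-FileHash and the -File switch); C:\f.exe is the path reported in the MBAM log above.

```powershell
# Added example: list every *.exe at the root of the system drive, including
# Hidden/System files that Explorer hides by default, and hash each one.
$root    = $env:SystemDrive + '\'
$flagged = Join-Path $root 'f.exe'   # path from the MBAM log in this thread

# -Force includes Hidden and System attributes; -File limits the result to files.
$exes = Get-ChildItem -Path $root -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue

if (-not $exes) {
    "No .exe files at $root (consistent with the empty %SYSTEMDRIVE%*.exe section in OTL)."
} else {
    "Path`tSize`tAttributes`tSHA256"
    foreach ($f in $exes) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        "{0}`t{1}`t{2}`t{3}" -f $f.FullName, $f.Length, $f.Attributes, $hash
    }
}

# Probe the flagged path via the normal .NET/Win32 API...
if (Test-Path -LiteralPath $flagged) {
    $item = Get-Item -LiteralPath $flagged -Force
    "$flagged exists, attributes: $($item.Attributes)"
} else {
    "$flagged not found via the Win32 file API."
}

# ...and again through cmd.exe's dir /a (all attributes). If dir lists an .exe
# that Get-ChildItem -Force did not, something is filtering the API view.
$fromDir = cmd /c "dir /a /b `"$root`"" 2>$null | Where-Object { $_ -like '*.exe' }
if ($fromDir) {
    "dir /a at $root reports: $($fromDir -join ', ')"
} else {
    "dir /a at $root reports no .exe files either."
}
```

Run it from an elevated PowerShell prompt so that permission errors are not mistaken for an empty directory.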

OTM log:

========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
File/Folder C:\f.exe not found.
========== COMMANDS ==========
 
OTM by OldTimer - Version 3.1.12.0 log created on 05222010_102611

Essexboy, I’ll update MBAM again.

Essexboy, which will be good as a third opinion?
SuperAntispyware?
HitmanPro?
Any on-line scanning?

Do you dare to try this…?? :wink:
http://www.emsisoft.com/en/software/antimalware/
asyn

For what? More false positives? ???
And look for a fourth opinion ;D

Combofix log.

Well CF couldn’t find it

c:\users\Tech\AppData\Roaming\inst.exe This was taken out on the principle that exe files should not reside there

I have just spent an hour getting Hitmanpro off of my system - so not happy with that one

Any further thing to do?

Ok. Deleted.
But it was a clean file: http://www.virustotal.com/analisis/c74d2fa6374b5f1e251e3205de0efe99ed026b8b7a0ad5ee549ee3700f8e63d7-1274549791

Thanks for sharing. Dropping it then. I don’t like SuperAntispyware due to the things it needs to be running even on demand (drivers, services, etc.).

I’ve registered and entered the information into MBAM forum.
http://forums.malwarebytes.org/index.php?showtopic=51225

Methinks MBAM has decided to play games with you - by finding non-existent files

I can’t believe it ;D
Am I alone? ???

But look on the bright side - it makes you special ;D

No, it makes me unlucky ;D