Topic: mbam infected ?

steddye (Guest)
mbam infected ?
« on: October 30, 2014, 10:43:42 pm »
Is the Zeus trojan a false positive or a real injection?

Here is the log:

RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : foca [Administrator]
Mode : Delete -- Date : 10/30/2014  22:07:54

Processes : 1
[Tr.Zeus] mbam.exe -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7] -> Killed [TermProc]

Registry : 19
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vcdrom (\??\E:\AppData\tmp\VCdRom.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vcdrom (\??\E:\AppData\tmp\VCdRom.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vcdrom (\??\E:\AppData\tmp\VCdRom.sys) -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Not selected
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected

Tasks : 0

Files : 0

Hosts File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: WDC WD1003FZEX-00MK2A0 ATA Device +++++
--- User ---
[MBR] adcc5058a2b3ffdb25ff293490119835
[BSP] 690b767b6d8bc467a0a947e1263cffed : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Maxtor 6H500F0 ATA Device +++++
--- User ---
[MBR] 9f931b9192b6a19b905787b8e88450ae
[BSP] cf0b651b0fab45c6ab8f1d8c9f955908 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476939 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: ADATA SP900 ATA Device +++++
--- User ---
[MBR] 2b9f2e12b490e0005987573fb446e66e
[BSP] c08dc13d915e62ae570e0b6e7e1dc92a : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 122102 MB
User = LL1 ... OK
User = LL2 ... OK



thanks

Tigzy (Administrator, Owner, Adlice Software)
Re: mbam infected ?
« Reply #1 on: October 31, 2014, 08:54:05 am »
Hello.
Hard to tell with Zeus.

Can you reboot and dump mbam.exe memory with Process Explorer (full dump)?
Attach it here please.

steddye (Guest)
Re: mbam infected ?
« Reply #2 on: October 31, 2014, 09:54:17 am »
I tried to attach the file; 2 minutes after pressing the post button it brought me to a page as if I had pressed Start New Topic. Is the file too large, 31,3 MB (packed with WinRAR)?

steddye (Guest)
Re: mbam infected ?
« Reply #3 on: October 31, 2014, 10:07:20 am »
I've tried again to attach the file with no luck, but I rescanned and the log seems good now:

RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : foca [Administrator]
Mode : Scan -- Date : 10/31/2014  10:00:35

Processes : 0

Registry : 16
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found

Tasks : 0

Files : 0

Hosts File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: WDC WD1003FZEX-00MK2A0 ATA Device +++++
--- User ---
[MBR] adcc5058a2b3ffdb25ff293490119835
[BSP] 690b767b6d8bc467a0a947e1263cffed : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Maxtor 6H500F0 ATA Device +++++
--- User ---
[MBR] 9f931b9192b6a19b905787b8e88450ae
[BSP] cf0b651b0fab45c6ab8f1d8c9f955908 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476939 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: ADATA SP900 ATA Device +++++
--- User ---
[MBR] 2b9f2e12b490e0005987573fb446e66e
[BSP] c08dc13d915e62ae570e0b6e7e1dc92a : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 122102 MB
User = LL1 ... OK
User = LL2 ... OK


Any suggestion? Something I must check?
Thanks for the patience.

Tigzy (Administrator, Owner, Adlice Software)
Re: mbam infected ?
« Reply #4 on: October 31, 2014, 07:16:29 pm »
mmh, that's weird.
I'll see if I can reproduce.

steddye (Guest)
Re: mbam infected ?
« Reply #5 on: November 01, 2014, 10:14:23 am »
I've tried to reproduce the Zeus trojan find, but it doesn't show anymore.

I don't want to bother you; here is today's log:

RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : foca [Administrator]
Mode : Scan -- Date : 11/01/2014  09:41:41

Processes : 0

Registry : 16
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2558236547-444649337-1807880188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found

Tasks : 0

Files : 0

Hosts File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

Antirootkit : 4 (Driver: Loaded)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP3T0L0-3 : \Driver\iaStorF @ Unknown (\SystemRoot\system32\DRIVERS\iaStorF.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP2T0L0-2 : \Driver\iaStorF @ Unknown (\SystemRoot\system32\DRIVERS\iaStorF.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP1T0L0-1 : \Driver\iaStorF @ Unknown (\SystemRoot\system32\DRIVERS\iaStorF.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP0T0L0-0 : \Driver\iaStorF @ Unknown (\SystemRoot\system32\DRIVERS\iaStorF.sys)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: WDC WD1003FZEX-00MK2A0 ATA Device +++++
--- User ---
[MBR] adcc5058a2b3ffdb25ff293490119835
[BSP] 690b767b6d8bc467a0a947e1263cffed : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Maxtor 6H500F0 ATA Device +++++
--- User ---
[MBR] 9f931b9192b6a19b905787b8e88450ae
[BSP] cf0b651b0fab45c6ab8f1d8c9f955908 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476939 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: ADATA SP900 ATA Device +++++
--- User ---
[MBR] 2b9f2e12b490e0005987573fb446e66e
[BSP] c08dc13d915e62ae570e0b6e7e1dc92a : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 122102 MB
User = LL1 ... OK
User = LL2 ... OK

iaStorF.sys: Intel Rapid Storage filter, Intel Corporation, vers. 12.8.0.1016
VirusTotal: 0/53

Everything looks good, right?
Thanks
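
The three logs in this thread differ in only a few lines, and those lines are what the triage turns on. As an added example, not RogueKiller's or Adlice's own code, the Python below parses the `[Category] item -> status` detection lines of two RogueKiller logs and reports which detections vanished, appeared or persisted between runs; the log excerpts are constructed from the thread's logs and trimmed to a few entries, and the severity labels are an assumption based only on the category prefixes.

```python
import re

# Added example, not RogueKiller's or Adlice's own code. Constructed excerpts
# of the thread's logs, trimmed to a handful of entries per run.
DELETE_RUN = r"""
Mode : Delete -- Date : 10/30/2014  22:07:54
[Tr.Zeus] mbam.exe -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7] -> Killed [TermProc]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vcdrom (\??\E:\AppData\tmp\VCdRom.sys) -> Not selected
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected
"""
RESCAN = r"""
Mode : Scan -- Date : 11/01/2014  09:41:41
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP0T0L0-0 : \Driver\iaStorF @ Unknown (\SystemRoot\system32\DRIVERS\iaStorF.sys)
"""

# A detection line is "[Category] item -> status"; the Antirootkit filter
# lines carry no "-> status" part, so the status group is optional.
DETECTION = re.compile(r"^\[(?P<cat>[^\]]+)\]\s+(?P<body>.*?)(?:\s+->\s+(?P<status>.+))?$")

# Assumed severity labels, keyed only on the category prefixes seen in the log.
SEVERITY = [("Tr.", "malware"), ("Suspicious.", "suspicious"), ("PUM.", "settings"), ("Filter(", "driver filter")]

def severity(category):
    """Map a category such as 'Tr.Zeus' or 'PUM.HomePage' to a severity label."""
    for prefix, label in SEVERITY:
        if category.startswith(prefix):
            return label
    return "unknown"

def parse_detections(log):
    """Return {(category, item): status} for every detection line in a log."""
    found = {}
    for line in log.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found[(m["cat"], m["body"])] = m["status"] or "listed"
    return found

def diff_scans(before, after):
    """Split detections into those that vanished, appeared, or persisted."""
    a, b = parse_detections(before), parse_detections(after)
    return {"vanished": sorted(k for k in a if k not in b),
            "new": sorted(k for k in b if k not in a),
            "persisting": sorted(k for k in a if k in b)}

def triage(before, after):
    """One report line per detection; a vanished Tr./Suspicious hit is the one to chase."""
    changes = diff_scans(before, after)
    report = []
    for kind in ("vanished", "new", "persisting"):
        for cat, body in changes[kind]:
            report.append(f"{kind:<10} {severity(cat):<13} {cat}: {body}")
    return report
```

Running `print("\n".join(triage(DELETE_RUN, RESCAN)))` lists the Tr.Zeus process hit and the vcdrom service path as vanished, the iaStorF filter as new and the UAC policy entry as persisting, which is exactly the pattern a non-reproducible detection leaves behind.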

greysmouth (Jr. Member)
Re: mbam infected ?
« Reply #6 on: November 01, 2014, 11:51:56 am »
Same problem running RogueKiller 10.0.4. Please see the attachment for more information. Thanks, greysmouth BO IT.

Tigzy (Administrator, Owner, Adlice Software)
Re: mbam infected ?
« Reply #7 on: November 02, 2014, 11:56:18 pm »
Yeah, please: if you have that problem, I need a dump made with Process Explorer.

greysmouth (Jr. Member)
Re: mbam infected ?
« Reply #8 on: November 03, 2014, 01:16:26 pm »
So, what do I have to do now? Regards, greysmouth BO IT.

Tigzy (Administrator, Owner, Adlice Software)
Re: mbam infected ?
« Reply #9 on: November 03, 2014, 01:55:03 pm »
Make a dump of mbam.exe with Process Explorer and send it to us.