Spyware, viruses, & security : New MBAM false positives on XP SP3?

Post 1 of 8

New MBAM false positives on XP SP3?

by qquirks - 3/31/09 12:23 PM

Updated and ran MBAM yesterday (March 30, 2009) and got the following infections on Malwarebytes' Anti-Malware 1.35,
Windows 5.1.2600 Service Pack 3:

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\MSWINSCK.OCX (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSWINSCK.OCX (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\ServicePackFiles\i386\wadv07nt.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\wadv07nt.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.

Updated MBAM yesterday and today, March 31 (database version: 1925), and took the files out of MBAM quarantine. Reran the MBAM scan updated to March 31, and only got a positive on:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

I have Microsoft automatic updates shut off and Security Center set not to alert me on auto updates being shut off.

Do I have Trojan.BHO and Rootkit.Agent.V? I'm not a real expert
of any kind, and there have been MBAM updating questions on Google search. Thank you for the help.

Post 2 of 8

NEW MBAM

by Marianna Schmudlach Moderator - 3/31/09 12:41 PM In reply to: New MBAM false positives on XP SP3? by qquirks

No, your latest MBAM log IS clean.

The false positives, which showed up in your older log, were corrected in the latest MBAM update.

Regarding: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

This key controls the warning you get about your antivirus software (out of date, not installed, ...). If the value is set to 1 you won't get any of these warnings, and multiple malicious applications do this to prevent you from knowing that they have disabled your antivirus software. MBAM is re-enabling this function in your log.

Do you have this disabled for a specific reason? Also, if you have any kind of reg guard software it might be preventing the changes we are attempting to make.


Thread is here: http://www.malwarebytes.org/forums/index.php?showtopic=12624

Post 3 of 8

New MBAM false positives on XP SP3?

by qquirks - 3/31/09 2:20 PM In reply to: New MBAM false positives on XP SP3? by qquirks

I rescanned with Malware Bytes, left Avast free running, and turned
on MS Automatic Updates and got this result:
Malwarebytes' Anti-Malware 1.35
Database version: 1925
Windows 5.1.2600 Service Pack 3

3/31/2009 2:07:16 PM
mbam-log-2009-03-31 (14-07-16).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 150657
Time elapsed: 34 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

It seems like Malware Bytes is registering my turning off Microsoft
Automatic Updates or telling the XP Security Center not to notify me
that MS Automatic Updates are off, not anything to do with my Avast
anti-virus status. Sorry to be so thick.

Post 4 of 8

That is a CLEAN log........

by Marianna Schmudlach Moderator - 3/31/09 2:30 PM In reply to: New MBAM false positives on XP SP3? by qquirks

Did you read the thread I linked to: http://www.malwarebytes.org/forums/index.php?showtopic=12624

These are registry keys that can be disabled either by malware (to prevent notification that protection is disabled) or by the user or their legit software to prevent conflicts or duplicate warnings.

If you are seeing these with no other signs of infection then it is far more likely that your 3rd party security software has disabled these warnings to prevent duplicate security warnings, and in these cases telling MBAM to ignore them once will forever solve the issue.


More:

http://www.malwarebytes.org/forums/index.php?showtopic=12624
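
As an added illustration (not part of this thread, and not Malwarebytes' own code), the following Python script parses the detection lines of the two MBAM logs quoted above and applies the rule the moderator gives in this post and in Post 2: a Disabled.SecurityCenter item whose current ("Bad") value is 1 means a Security Center notification is suppressed, and if that is the only thing left in the log it is more likely the user's or third-party security software's configuration than malware, whereas file or registry detections still need looking at. It also lists detections that disappeared between the scan before the definition update and the rescan after it, which is what a corrected signature looks like once the quarantined items have been restored. The sample log text is constructed from the lines in Posts 1, 3 and 5; the function and field names are my own assumptions, not MBAM's.

```python
import re

# Constructed sample: detection sections from the March 30 scan (Post 1),
# before the definition update. Everything was quarantined.
SCAN_BEFORE_UPDATE = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\MSWINSCK.OCX (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSWINSCK.OCX (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\wadv07nt.sys (Rootkit.Agent.V) -> Quarantined and deleted successfully.
"""

# Constructed sample: the rescan with database 1925 after the quarantined
# items were restored (Post 5). Summary counts precede the detail section.
SCAN_AFTER_UPDATE = r"""
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
"""

# "<Section> Infected:" starts a detail section; with a trailing number it is
# a summary count line instead.
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?\s*$")

# "<path> (<category>) -> [Bad: (<cur>) Good: (<want>) -> ]<action>."
DETECTION = re.compile(
    r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

SECURITY_CENTER_CATEGORY = "Disabled.SecurityCenter"


def parse_mbam_log(text):
    """Return (records, counts): one dict per detection line, plus summary counts."""
    records, counts, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        header = HEADER.match(line)
        if header:
            if header.group("count") is not None:
                counts[header.group("section")] = int(header.group("count"))
            else:
                section = header.group("section")
            continue
        match = DETECTION.match(line)
        if match and section is not None:
            record = match.groupdict()
            record["section"] = section
            records.append(record)
    return records, counts


def triage(records):
    """Moderator's rule: notification-suppression items alone are likely benign
    configuration; any other detection means the box needs a closer look."""
    notify = [r for r in records if r["category"] == SECURITY_CENTER_CATEGORY]
    other = [r for r in records if r["category"] != SECURITY_CENTER_CATEGORY]
    # Bad: (1) is the value currently set, i.e. the warning is switched off.
    suppressed = [r["path"].rsplit("\\", 1)[-1] for r in notify if r["bad"] == "1"]
    if other:
        verdict = "investigate"
    elif suppressed:
        verdict = "likely-benign"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "suppressed_notifications": suppressed,
        "other_detections": [(r["path"], r["category"]) for r in other],
    }


def vanished_after_update(before, after):
    """Detections present before a definition update and gone on the rescan.
    Only meaningful if quarantined items were restored first; otherwise the
    item is simply no longer there to detect."""
    key = lambda r: (r["path"].lower(), r["category"])
    after_keys = {key(r) for r in after}
    return sorted(k for k in {key(r) for r in before} if k not in after_keys)


if __name__ == "__main__":
    before, _ = parse_mbam_log(SCAN_BEFORE_UPDATE)
    after, counts = parse_mbam_log(SCAN_AFTER_UPDATE)
    print("before update:", triage(before)["verdict"])
    print("after update: ", triage(after))
    for path, category in vanished_after_update(before, after):
        print("no longer flagged:", category, path)
```

Run against the two sample logs, the first scan triages as "investigate" (file and registry hits present), the rescan as "likely-benign" with only UpdatesDisableNotify suppressed, and the six Trojan.BHO, Rootkit.Agent.V and AntiVirusDisableNotify items are reported as no longer flagged.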

Post 5 of 8

New MBAM false positives on XP SP3?

by qquirks - 3/31/09 3:13 PM In reply to: New MBAM false positives on XP SP3? by qquirks

I did read the malwarebytes thread and got a little lost.

Just updated Malware Bytes to database 1926 and left Avast anti-virus
running but turned off Microsoft Automatic Updates and the notification
feature in Security Center with this result:

Malwarebytes' Anti-Malware 1.35
Database version: 1926
Windows 5.1.2600 Service Pack 3

3/31/2009 3:00:55 PM
mbam-log-2009-03-31 (15-00-43).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 150736
Time elapsed: 28 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Then I put the item on Ignore for Malware Bytes. And ended the scan.
Does that stop it from showing up?

Post 6 of 8

(NT) Yes, it should.

by Marianna Schmudlach Moderator - 3/31/09 3:15 PM In reply to: New MBAM false positives on XP SP3? by qquirks

Post 7 of 8

(NT) Yes, it should

by qquirks - 3/31/09 3:47 PM In reply to: (NT) Yes, it should. by Marianna Schmudlach Moderator

Thank you for your patience. While I'm conscientious about using
anti-spyware and anti-virus programs, I'm obviously not very good at
understanding them. So thank you.

Post 8 of 8

You Are Very Welcome......

by Marianna Schmudlach Moderator - 3/31/09 4:14 PM In reply to: (NT) Yes, it should by qquirks

NO problem asking questions ;)
