Firefox 25 update/install false positive - Trojan.FakeAlert

[DenDron]

Okey, I am using MBAM for years and it always served me right but today I got through hell because of it.

Firefox 25 release is out, I got auto-update, downloaded it, installed and when Malwarebytes went crazy.

I uninstalled Firefox, cleaned system with CCleaner, did full scan with MBAM, full scan with Malwarebytes Anti-Rootkit, full scan with NOD32, full scan with Webroot, doublechecked my HiJackThis logs and everything was FINE.

I went to official Firefox website, downloaded Firefox installer, installer downloaded Firefox 25 and moment it started installing it MBAM went crazy again preventing my installation.

This is log of MBAM when:

- trying to update Firefox from 24 to 25.

- when installing Firefox 25 with official installer from http://www.mozilla.org/en-US/firefox/new/

2013/11/06 13:09:04 +0100 XXX XXX DETECTION C:\Documents and Settings\XXX\Local Settings\Temp\nsb14.tmp\System.dll Trojan.FakeAlert QUARANTINE

[DenDron]

Forgot to add,

OS: WinXP32 SP3 fully updated

MBAM: 1.70.0.1100

MBAM Database: v2013.11.06.03

[miekiemoes]

Hi,

 

I cannot reproduce detection on this file when I install latest firefox, so can you disable your realtime protection, then dequarantine the file and zip and attach it to your next post please?

[DenDron]

Sure,

 

I just tried again installing Firefox 25 from official website and their installer - MBAM still prevents me doing it.

 

I also did VirusTotal scan of that file: https://www.virustotal.com/en/file/03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b/analysis/1383742993/ - no detection, 0 / 47!

 

"Trojan.FakeAlert" that gets quarantined is in the attachment.

System.zip

[shadowwar]

Please update your mbam to 1.75 and see if its still detected. you are a version behind on the program itself.

[miekiemoes]

Thanks.

I think I found the culprit, so this will get fixed in next database update

[DenDron]

Alright guys I didn't even know there's 1.75 version - idea for next MBAM client version, introduce client update feature. Also I just downloaded today's .04 database version I didn't have before this issue (I was on .03, update just went out for me).

 

Here we go,

 

MBAM version: 1.75.0.1300

MBAM database: v2013.11.06.04

 

Scan of the "trojan" file:

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.11.06.04

 

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 6.0.2900.5512

Milosh M :: XXX [administrator]

 

Protection: Disabled

 

11/6/2013 2:16:18 PM

mbam-log-2013-11-06 (14-16-18).txt

 

Scan type: Custom scan (C:\Documents and Settings\XXX\Desktop\System.dll|)

Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled: Memory | Startup | Registry | Heuristics/Extra

Objects scanned: 1

Time elapsed: 1 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

 

It's clean!

 

But we aware that MBAM 1.70 with today's .03 database (didn't test 1.75 with .03 nor 1.70 with .04) is still preventing Firefox 25 installation, for testing purposes I tried it on my 2nd PC with same setup.

 

Thanks for swift answers, I lost about 10 years of my life due to stress today but at least I am not infected.

[miekiemoes]

v2013.11.06.05 (so next version which should be available in a few) will fix this false positive.

[shadowwar]

There is a setting under the settings tab/updater settings to update the client if a new one is available.

.