
Blue452

Members
  • Posts: 17
Everything posted by Blue452

  1. My question: Since the latest database is currently no longer flagging these files and I have these files in quarantine, would you recommend that I restore them or just leave them in quarantine for now? I'm not sure what to do. Thank you.

     Registry Keys Infected:
     HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\Interface\{3296405e-e08f-4442-801e-3dcd2c6aa82c} (AdWare.WebHancer) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> Quarantined and deleted successfully.

     Files Infected:
     C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> Quarantined and deleted successfully.
  2. In answer to Amethyst's post #25, I currently have these items in quarantine as shown below and upon reboot/shutdown, my computer is fine. We always turn off the computer when not in use and so far, no problems.

     Registry Keys Infected:
     HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\Interface\{3296405e-e08f-4442-801e-3dcd2c6aa82c} (AdWare.WebHancer) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> Quarantined and deleted successfully.

     Files Infected:
     C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> Quarantined and deleted successfully.

     HP Computer XP, SP3 IE8
  3. Thank you to all of you who have responded to this thread.

     "Registry Keys Infected:
     HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\Interface\{3296405e-e08f-4442-801e-3dcd2c6aa82c} (AdWare.WebHancer) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> Quarantined and deleted successfully.

     Files Infected:
     C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> Quarantined and deleted successfully."

     As you can see, currently these items are in quarantine. After reading the responses, I'm still not sure what to do. Should I leave them in quarantine for now, delete them permanently or restore them? I depend on experts on this forum for advice since my experience is more of a novice/beginner.

     HP computer XP, SP3 IE8
  4. I scanned my computer this morning and below is a copy of my log. It says I have 4 infections. The files are now in quarantine. Are they false positive or real? After your determination, please let me know what I should do next? I have a HP computer with the following: XP SP3, IE8, and NIS 2010.

     Malwarebytes' Anti-Malware 1.44
     Database version: 3917
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     3/26/2010 7:36:52 AM
     mbam-log-2010-03-26 (07-36-52).txt

     Scan type: Full Scan (C:\|D:\|L:\|)
     Objects scanned: 279979
     Time elapsed: 2 hour(s), 0 minute(s), 53 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 3
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\Interface\{3296405e-e08f-4442-801e-3dcd2c6aa82c} (AdWare.WebHancer) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> Quarantined and deleted successfully.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> Quarantined and deleted successfully.
  5. Below is a log of the scan I ran a few minutes ago. Is this a false positive? I looked up this file in my system 32 directory and the file is dated 8/9/04.

     Malwarebytes' Anti-Malware 1.41
     Database version: 2912
     Windows 5.1.2600 Service Pack 3

     10/5/2009 5:04:45 PM
     mbam-log-2009-10-05 (17-04-41).txt

     Scan type: Quick Scan
     Objects scanned: 111480
     Time elapsed: 12 minute(s), 2 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\WINDOWS\system32\ufat.dll (Spyware.Zbot) -> No action taken.

     Thank you,
     Blue 452
     XP, SP3 IE 8 NIS 2009
  6. Is below a false positive? Not being an expert, I just pressed the option to save the log file and it saved it in the My Documents folder. Then I exited MBAM without doing anything else because I wasn't sure what to do - whether to remove, ignore (I had doubts whether this was an actual infected file). Isn't "jusched.exe" a legitimate Java file? Note: This is my first scan with version 1.41.

     Malwarebytes' Anti-Malware 1.41
     Database version: 2785
     Windows 5.1.2600 Service Pack 3

     9/12/2009 8:43:35 AM
     mbam-log-2009-09-12 (08-43-25).txt

     Scan type: Quick Scan
     Objects scanned: 111105
     Time elapsed: 14 minute(s), 32 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 1
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Agent) -> No action taken.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Program Files\Java\jre6\bin\jusched.exe (Trojan.Agent) -> No action taken.

     XP SP3 Internet Explorer 8 NIS 2009
  7. See also my response on Post #8. I couldn't figure out how to do a double quote. I'm attaching the file you requested. I think I did it right. My friend told me what to do. I went into c:\windows and found the file; copied it and zipped it. Hope this is what you wanted. Even though I said in Post #8 that database 2256 did not show an infection, will you please still check this file out that database 2252 flagged out as an infection. Thank you. kb913800.zip
  8. Sorry about that. Before I came on again, I did a scan with the latest definition 2256 and it showed no infection. I'm clueless about the file that you needed. Are there instructions on how to do this for any future infection that shows up on my scan? Thank you. Hopefully next time I can do it right. Blue452 Inexperienced user
  9. As requested, the zip file. I hope I did it correctly; it's my first time doing this. mbam_log_2009_06_08__22_00_41_.zip
  10. I also would like to know if this is a false positive. Below is my log:

      Malwarebytes' Anti-Malware 1.37
      Database version: 2252
      Windows 5.1.2600 Service Pack 3

      6/8/2009 10:00:50 PM
      mbam-log-2009-06-08 (22-00-41).txt

      Scan type: Quick Scan
      Objects scanned: 96772
      Time elapsed: 5 minute(s), 48 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\WINDOWS\kb913800.exe (Trojan.Banker) -> No action taken.

      This is the second Trojan.Banker that MBAM has flagged on my computer. The first one, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\W2KLpk (Trojan.Banker), was on Saturday. I had MBAM quarantine and delete it and then later restored it after I learned it was a false positive. So, this time I decided to ask first before I take any further action. Thank you.
  11. Please ignore my above post (#12). After my thinking cleared a bit, I decided to do a "restore" since all the posts above indicated this was likely a false positive. And then I rescanned and this time, nothing was detected.
  12. Rel to Post #10. Thank you for answering my post. I'm not a computer expert and I have no experience in the registry. Should I just restore this item and rerun the scan?
  13. I got the same entry when I scanned a few minutes ago and hit the removal button. My log says . . . Quarantined and deleted successfully. I have a question: If this is a false positive, what did Malwarebytes delete and quarantine? Blue452 XP SP3 IE6
  14. Sorry about Post #3. Will a moderator please delete it? I don't know what I did for Post #3 to post with a quote (happened too fast) and couldn't find an edit button to make a revision. All I wanted to do was to say thank you to exile360 for responding to my question - so thank you exile360. A newbie
  15. Whenever I ran Quick Scan, the scan would take about 12-15 minutes to complete. However, I noticed that the scan I did today took only 5 minutes 11 seconds. With version 1.36, does the scan now take less time to complete? Thank you. XP, SP3 IE7
  16. I got the same entries as Edge when I did a scan today. The entries were checked for removal and since the explanation indicated it was a malware, I trusted malwarebytes and pressed the button to continue with the removal. Below is my log after automatic restart and removal:

      "Malwarebytes' Anti-Malware 1.34
      Database version: 1856
      Windows 5.1.2600 Service Pack 3

      3/16/2009 4:31:58 PM
      mbam-log-2009-03-16 (16-31-58).txt

      Scan type: Quick Scan
      Objects scanned: 78756
      Time elapsed: 13 minute(s), 50 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 2
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)"

      The log indicates that these entries were removed and they were quarantined and deleted successfully. But when I checked the quarantine section, these entries were not listed. And Fatdcuk's post indicated this is just an alert. So I assume I did not have to let malwarebytes remove it. My question: Was I wrong in letting malwarebytes remove the entries and need I be concerned that my registry got messed up? Or was no harm done? I wish I had read this thread before I ran the scan today and did what I did. Thank you.

      Blue452
      An inexperienced user