jf2572

Hello, I updated MBAM, rebooted and ran a scan. This time it detected nothing. The file was still in the same location after the scan, and like the previous file on the desktop, did not have the "gears" image on it. I've attached it, just in case it might provide a clue. Thank you for any information you might be able to provide. mfc45.zip

Log file below, for latest detection, on laptop. (See above post for details.) Malwarebytes Anti-Malware (PRO) 1.65.1.1000 www.malwarebytes.org Database version: v2012.11.30.04 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 9.0.8112.16421 John :: JOHN-PC [administrator] Protection: Enabled 11/29/2012 7:51:53 PM mbam-log-2012-11-29 (19-51-53).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 230902 Time elapsed: 10 minute(s), 29 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Windows\System32\mfc45.dat (Spyware.Passwords) -> Quarantined and deleted successfully. (end)

This may NOT be a false positive! I just booted up my laptop and updated and ran MBAM. Running the latest version it detected the Spyware.Password - mfc45.dat file. (I have not used the laptop since before MBAM first detected Spyware.Password - mfc45.dat on my desktop, so have not run MBAM in all of that time.) Since it was detected by the latest version of MBAM (with the revised signature), it seems to be more than the just a corrupt file. Is it possible that the file I submitted before was infected, but became corrupted while moving in and out of quarantine? I have quarantined the file on the laptop, and will hold it there for now. What should I do with it... try to submit it again? Delete it? I want to run a new backup on the laptop, including disc image, but do not want to do it while the suspicious file is in quarantine, in case it might somehow get transferred to the backup drive. Thank you for your help with this.

Thank you for your help!

Hello, As you requested, I checked my system to see if the detection still remains. I restored the file from quarantine, then ran a quick scan with database version v2012.11.26.03. No malicious items were detected in this scan. Just to be certain I understand clearly: Was this was definitely a false positive? (From what I have read, if it was an actual infection of spyware.password, I would need to change all of my passwords, at the very least.) Since MBAM now does not identify the file as a threat, is it safe to leave it in place, or should I delete it anyway, since it is corrupt? Thank you again!

Do you suspect this file was corrupt when first detected, or possibly became that way when passing in and out of quarantine? Also, I didn't mention before that the file was first detected in Windows>System32, but when I released it from quarantine, I could not find it back in tht location, so I ran another MBAM scan and this time it was caught in Windows>SysWOW64. (I thought I should mention this in case it might be a helpful clue of some sort.) A final question (at least for now), was this detected because it was indeed malware, or possibly just because it was a corrupt file? Thank you again!

MBAM has not detected the new file, in 2 scans. I have attached it anyway, just in case: mfc45.zip Is it possible that the first file I sent was also a copy of this second file, and not the original, which MBAM detected and is currently in quatantine?

Thank you for the quick reply. I released the file from quarantine to upload it, and when I re-scanned w/ MBAM, it again quarantined it, but this time left an icon in the folder where it was originally located. Maybe what it left behind is the corrupted file, and somehow that is what got uploaded. Should I delete both the quarantined file and the corrupted file? Is this mfc45.dat file something that was originally a necessary file (but got infected?) ...In other words, will I need to somehow find and replace it? Thank you again!

Is this an actual infection, or a false positive? Not detected by NOD 32. virus total reports suspicious or heuristic-corrupt on 4 out of 43, joti reports suspicious on 1 out of 19. Malwarebytes Anti-Malware (PRO) 1.65.1.1000 www.malwarebytes.org Database version: v2012.11.24.11 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 John :: JOHN-PC [administrator] Protection: Enabled 11/25/2012 5:39:49 AM mbam-log-2012-11-25 (05-39-49).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 208161 Time elapsed: 23 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Windows\SysWOW64\mfc45.dat (Spyware.Passwords) -> Quarantined and deleted successfully. [d5461d9e3a236fc7be22af9608f84ab6] (end) mfc45.zip