Posts posted by jf2572
Log file below, for latest detection, on laptop. (See above post for details.)
Malwarebytes Anti-Malware (PRO) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.30.04
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
John :: JOHN-PC [administrator]
Protection: Enabled
11/29/2012 7:51:53 PM
mbam-log-2012-11-29 (19-51-53).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230902
Time elapsed: 10 minute(s), 29 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\System32\mfc45.dat (Spyware.Passwords) -> Quarantined and deleted successfully.
(end)
-
This may NOT be a false positive!
I just booted up my laptop, updated and ran MBAM. Running the latest version, it detected the Spyware.Password - mfc45.dat file.
(I have not used the laptop since before MBAM first detected Spyware.Password - mfc45.dat on my desktop, so I have not run MBAM in all of that time.)
Since it was detected by the latest version of MBAM (with the revised signature), it seems to be more than just a corrupt file. Is it possible that the file I submitted before was infected, but became corrupted while moving in and out of quarantine?
I have quarantined the file on the laptop, and will hold it there for now. What should I do with it... try to submit it again? Delete it?
I want to run a new backup on the laptop, including disc image, but do not want to do it while the suspicious file is in quarantine, in case it might somehow get transferred to the backup drive.
Thank you for your help with this.
-
Hi,
Yes, it was a false positive and the file(s) are safe to restore or leave in situ.
Thanks again for your help and time with resolving this.

Thank you for your help!
-
Hi,
The second non-quarantined file you supplied also had a corrupted PE header, which would suggest that whatever is recreating the file is recreating files with corrupted PE headers.
The original detection was based on a known bad file pattern and not because the file header was corrupted.
That said, the signature is many years old and would not be entered into the database nowadays, as it's way too loose and potentially prone to F/P, as is the case for your detection.
I have revised the original signature; if you can, recheck your files to see if the detection still remains.
I would also like to thank you for your assistance and apologize for any inconvenience caused by this F/P.
Hello,
As you requested, I checked my system to see if the detection still remains. I restored the file from quarantine, then ran a quick scan with database version v2012.11.26.03. No malicious items were detected in this scan.
Just to be certain I understand clearly:
Was this definitely a false positive? (From what I have read, if it was an actual infection of Spyware.Password, I would need to change all of my passwords, at the very least.)
Since MBAM now does not identify the file as a threat, is it safe to leave it in place, or should I delete it anyway, since it is corrupt?
Thank you again!
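The staff reply above rests on two checks a practitioner would want to reproduce before trusting a "corrupt, so it cannot run" verdict: whether the file's PE headers are consistent enough for the Windows loader to accept it, and what its hashes are for a reputation lookup (the scan log prints an MD5 next to the detection). The following Python script is an added example and is not code from this thread or from Malwarebytes; the sample PE, its corrupted variants, and every function name here are constructed for illustration and do not come from the page.

```python
"""Added example: structural PE header check plus hashes for a reputation lookup."""
import hashlib
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS = 0x10B, 0x20B


def file_hashes(data: bytes) -> dict:
    """MD5 (the form printed in MBAM logs) and SHA-256 for a VirusTotal-style lookup."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def pe_header_status(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table.

    "valid" means the headers are internally consistent and every section's raw
    data lies inside the file, i.e. the loader has something to map. It says
    nothing about whether the code is benign.
    """
    def fail(reason):
        return {"valid": False, "reason": reason}

    if len(data) < 0x40 or data[:2] != MZ_SIG:
        return fail("no MZ DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return fail("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        return fail("PE signature missing at e_lfanew")
    (machine, nsections, _ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if nsections == 0 or nsections > 96:          # loader refuses more than 96 sections
        return fail(f"implausible section count {nsections}")
    opt_off = e_lfanew + 4 + COFF_HEADER_SIZE
    if opt_size < 2 or opt_off + opt_size > len(data):
        return fail("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS):
        return fail(f"unknown optional header magic 0x{magic:x}")
    sect_off = opt_off + opt_size
    if sect_off + SECTION_HEADER_SIZE * nsections > len(data):
        return fail("section table truncated")
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sect_off + SECTION_HEADER_SIZE * i)
        sname = name.rstrip(b"\0").decode("ascii", "replace")
        if raw_size and raw_ptr + raw_size > len(data):
            return fail(f"section {sname} raw data past end of file")
    arch = {0x14C: "x86", 0x8664: "x64"}.get(machine, f"0x{machine:x}")
    return {"valid": True, "reason": f"well-formed {arch} PE headers, {nsections} section(s)"}


def build_minimal_pe() -> bytes:
    """Constructed sample: smallest PE32 image that passes the checks (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = MZ_SIG
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header right after DOS header
    opt_size = 0xE0                                 # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", OPT_MAGIC_PE32) + bytes(opt_size - 2)
    code = b"\xC3" + bytes(15)                      # a single `ret`, padded to 16 bytes
    raw_ptr = 0x40 + 4 + COFF_HEADER_SIZE + opt_size + SECTION_HEADER_SIZE
    section = struct.pack("<8sIIII", b".text", 0x10, 0x1000, len(code), raw_ptr)
    section += bytes(SECTION_HEADER_SIZE - len(section))
    return bytes(dos) + PE_SIG + coff + opt + section + code


def corrupt_variants(pe: bytes) -> dict:
    """Constructed corruptions of the sample, each the kind of damage a scanner reports."""
    return {
        "intact": pe,
        "pe signature overwritten": pe[:0x40] + b"XXXX" + pe[0x44:],
        "truncated inside optional header": pe[:100],
        "section data cut off": pe[:-8],
    }


if __name__ == "__main__":
    for label, blob in corrupt_variants(build_minimal_pe()).items():
        status, hashes = pe_header_status(blob), file_hashes(blob)
        print(f"{label:34} valid={str(status['valid']):5} {status['reason']}  md5={hashes['md5']}")
```

Run it against a real sample with `pe_header_status(open(path, "rb").read())`. Two caveats apply to the thread's reasoning: the check only tells you whether the loader would map the file, so a `.dat` that was never meant to be a PE, or a payload read by some other program, can be harmful without a valid header, and a valid header says nothing about intent. Keeping the item in quarantine while you look up its hashes costs nothing and preserves the restore option the staff reply describes.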
-
Hi,
It is possible, but the last file attached is very similar but not the same.
The signature making the original detection is quite an old one and will be shortly reviewed, as we don't usually attack corrupt files as they are *broken* and do not work.
Do you suspect this file was corrupt when first detected, or possibly became that way when passing in and out of quarantine?
Also, I didn't mention before that the file was first detected in Windows>System32, but when I released it from quarantine, I could not find it back in that location, so I ran another MBAM scan and this time it was caught in Windows>SysWOW64. (I thought I should mention this in case it might be a helpful clue of some sort.)
A final question (at least for now), was this detected because it was indeed malware, or possibly just because it was a corrupt file?
Thank you again!
-
Hi,
Regarding the new file with icon that was created: did we detect this file, and if so, can you please zip and attach that file?
With regard to any removals, it is always advised to hold files in quarantine for a period of time just in case their removal breaks a chain of dependency. That way, if something breaks (after file removal), the file can be restored and another fix can be pursued.
If, however, you delete your quarantined item(s) immediately, then that option is removed under that potential scenario.
MBAM has not detected the new file, in 2 scans.
I have attached it anyway, just in case: mfc45.zip
Is it possible that the first file I sent was also a copy of this second file, and not the original, which MBAM detected and is currently in quarantine?
-
Hi jf2572,
The detection looks to be intentional, but the file is in fact corrupted/broken, so it cannot do any harm as it does not run.
Thank you for the quick reply.
I released the file from quarantine to upload it, and when I re-scanned w/ MBAM, it again quarantined it, but this time left an icon in the folder where it was originally located. Maybe what it left behind is the corrupted file, and somehow that is what got uploaded.
Should I delete both the quarantined file and the corrupted file?
Is this mfc45.dat file something that was originally a necessary file (but got infected?) ...In other words, will I need to somehow find and replace it?
Thank you again!
-
Is this an actual infection, or a false positive?
Not detected by NOD32.
VirusTotal reports suspicious or heuristic-corrupt on 4 out of 43; Jotti reports suspicious on 1 out of 19.
Malwarebytes Anti-Malware (PRO) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.24.11
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
John :: JOHN-PC [administrator]
Protection: Enabled
11/25/2012 5:39:49 AM
mbam-log-2012-11-25 (05-39-49).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208161
Time elapsed: 23 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\SysWOW64\mfc45.dat (Spyware.Passwords) -> Quarantined and deleted successfully. [d5461d9e3a236fc7be22af9608f84ab6]
(end)
Spyware.Password - mfc45.dat
in File Detections
Hello,
I updated MBAM, rebooted and ran a scan. This time it detected nothing.
The file was still in the same location after the scan, and like the previous file on the desktop, did not have the "gears" image on it.
I've attached it, just in case it might provide a clue.
Thank you for any information you might be able to provide.
mfc45.zip