Posts posted by chaslang
-
Again, yes, I understand what you are saying, but you are ignoring the fact that you are not declaring other files (EXE, ZIP, RAR) to be problems just because they are located in the root folder. Your logic or the logic of your coding is inconsistent. There is no reason to call winzip120.exe infected because it is in the root folder. If I put a copy of winzip120.exe into the root of C:\Program Files, it is not detected, and I also believe that, like the C:\ root folder, anything saved in the root of C:\Program Files should also be questioned.
If I put a valid copy of explorer.exe in the root folder you will call it worm.autorun since explorer.exe is not expected in the root folder, which is fine. But if I simply rename the valid explorer.exe file to exp1orer.exe and leave it in the root folder, you do not detect it at all, and this file name is well known to be a trojan and should be considered a problem no matter what folder it is in. Why detect winzip120.exe, which is not a system file and has no fixed place that it must be saved or downloaded to? It is a valid WinZIP installer filename.
I don't wish to continue debating this as I understand you have your reasons. I just don't agree with all of the logic and perhaps you should consider additional test methodologies.
Thank you for fixing the other false positive so quickly.
-
Yes I know. I'm an expert in malware removal and run the Malware Removal Forums at Major Geeks! What I'm saying is you cannot declare one thing to be infected when it is not, and then ignore all the others. What is your ignore list based on?
No anti malware program will detect everything.
No I do not have an infection. It was a file I collected from a user while removing malware where I had determined some of their Windows OS file sizes were wrong. This PC is a PC used for experimenting/debugging.
Have you really experienced a Virut infection?
-
I normally would not have a problem with this answer since I don't like seeing things stored in the root folder either. However there are quite a few other EXE, RAR, and ZIP files also stored right now in the root folder of this system that Malwarebytes is not complaining about. And in fact one of them is explorer-BAD.exe which is infected with Virut. What is the basis for exception?
Being stored in root is why we hit that installer, MBAM won't let you get away with a lot in that location. If you want to use root for storage please use our ignore function
If you wish to question files in the root folder, then point them out as a potential issue so as to call it to the user's attention to investigate further. Do not point them out as being infected unless they are actually infected.
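The distinction argued for in the posts above, as an added example (not code from the thread or from Malwarebytes): location and file-name findings yield a "review" label, and only a content match yields "infected". The expected-directory table, the look-alike map and the `triage` function are assumptions made for illustration, and the sample paths are constructed from the file names mentioned in the posts.

```python
import ntpath

# Hypothetical rule data for this sketch, not any product's real rules.
EXPECTED_DIRS = {"explorer.exe": {r"c:\windows"},
                 "svchost.exe": {r"c:\windows\system32"}}
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
ROOT_LIKE = {"c:\\", r"c:\program files"}  # drive root and Program Files root
EXECUTABLE_EXT = {".exe", ".bat", ".scr", ".com"}

def triage(path, content_verdict=None, signed_by=None):
    """Return (label, reasons). Only a content verdict yields 'infected'.

    content_verdict and signed_by are supplied by the caller (for example
    from a signature engine and an Authenticode check); this sketch does
    not compute them.
    """
    if content_verdict:
        return "infected", [f"content match: {content_verdict}"]
    norm = ntpath.normpath(path.replace("/", "\\")).lower()
    folder, name = ntpath.split(norm)
    reasons = []
    # Real system file name found outside its expected directory.
    if name in EXPECTED_DIRS and folder not in EXPECTED_DIRS[name]:
        expected = ", ".join(sorted(EXPECTED_DIRS[name]))
        reasons.append(f"system file name outside {expected}")
    # Name that only becomes a system file name after folding look-alikes,
    # checked in every folder, not just the root.
    folded = name.translate(LOOKALIKES)
    if folded != name and folded in EXPECTED_DIRS:
        reasons.append(f"name imitates {folded}")
    # Same location rule for C:\ and C:\Program Files, as a review item only.
    if folder in ROOT_LIKE and ntpath.splitext(name)[1] in EXECUTABLE_EXT:
        note = "executable stored in a root folder"
        if signed_by:
            note += f" (signed by {signed_by})"
        reasons.append(note)
    return ("review" if reasons else "clean"), reasons

if __name__ == "__main__":
    samples = [  # constructed inputs
        (r"c:\winzip120.exe", None, "WinZip Computing"),
        (r"C:\Program Files\winzip120.exe", None, None),
        (r"c:\explorer.exe", None, None),
        (r"c:\exp1orer.exe", None, None),
        (r"c:\explorer-BAD.exe", "Virut", None),
        (r"c:\windows\explorer.exe", None, None),
    ]
    for path, verdict, signer in samples:
        print(path, "->", triage(path, verdict, signer))
```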
-
Noticed the below false positives today:
Malwarebytes' Anti-Malware 1.37
Database version: 2259
Windows 5.1.2600 Service Pack 2
6/10/2009 7:56:51 PM
mbam-log-2009-06-10 (19-56-39).txt
Scan type: Quick Scan
Objects scanned: 124712
Time elapsed: 1 minute(s), 42 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uninst.bat (Trojan.Agent) -> No action taken. [3857535134303627615642473748565261378088797780666970690149838072836678013974777084615447421115113232]
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\downloaded program files\uninst.bat (Trojan.Agent) -> No action taken. [3857535134303627615642473748565261378088797780666970690149838072836678013974777084615447421115113232]
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\downloaded program files\uninst.bat (Trojan.Agent) -> No action taken. [3857535134303627615642473748565261378088797780666970690149838072836678013974777084615447421115113232]
c:\winzip120.exe (Trojan.Agent) -> No action taken. [3857535134303627618874791115708970]
The uninst.bat file and associated registry keys are just for BitDefender V8 Online Scanner. The batch file contains:
echo off
regsvr32 /u /s bitdefender.ocx
del fxfileop.dll
del bitdefender.ocx
del bitdefender.inf
del uninst.bat
The winzip120.exe file is a corporate installer version of WinZip and even has a Digital Signature stating it is WinZip Computing.
Logs....as best I can do
in Resolved Malware Removal Logs
\\.\globalroot\Device\svchost.exe\svchost.exe
You can also see the above in the DDS.txt log and thus do not need the MGtools log.