SusanG

  1. This may help others, so I'm posting my resolution to how to install mbam to a Windows7 install so you can use the Task Scheduler without being logged in, and a pwd.

     Pre-Win7, Experience #1 - installed spybot to Vista PC, scheduled tasks, set to run without being logged in, with a pwd, but jobs would not run from scheduler, found this article How to schedule Spybot in Vista, using XML file edit and applied it, resolved issue. Now I'm posting this link to the Spybot forum because it does have a bearing on my MBAM installs, later. In the article, note what poster says about how the ampersand in the folder name gives an error when you try to see the job history, which was a minor side-effect, not the issue he had to resolve.

     Experience #2 - cleanly installed Win7 to a PC, then installed mbam 1.43, scheduled from the product, then went to Task Scheduler to edit each task so it would run without being logged in. This worked out fine, with mbam 1.43. Jobs ran.

     Experience #2 - upgraded a Vista 64bit PC to 64bit Win7, and mbam 1.43 scheduled tasks, which previously worked fine, stopped working. Exported job then viewed in Notepad, saw that the Win7 upgrade had moved mbam to a folder different from default c:\Program Files. It moved mbam program folder (and folders of lots of other apps) to Program Files (X86). When I went to Task Scheduler and tried to run the mbam jobs from GUI, they failed with a "cannot find the folder" message.

     Aha moment, went back to Spybot article, thought that the "x86" in folder name must be problematic for Win7 task scheduler, uninstalled mbam, installed new download, and when prompted to select a folder, browsed to choose c:\Program Files, used GUI to schedule jobs, then edited them in Task Scheduler - jobs run now. Of course, I edited each task for one command line argument as per this post mbam uses only one command line argument
  2. I'm not sure from this thread what the steps were to stop Malwarebytes logging a false positive. I'm getting what I think are false positives, but not sure from this thread, so I need to ask for more details.

     Daily, the malware log shows up as successfully quarantining and deleting the regsvr.exe file and an associated registry key. What should I look for and what should I do to either confirm that an attempt to reinfect is occurring OR that I'm seeing a false positive? And if it's a false positive, how can I stop it?

     Posting the log here, I think that's OK, apologies if I read the instructions wrong. Although this log is from 8/19, it's still happening, on 4 out of 5 PCs.

     Malwarebytes' Anti-Malware 1.40
     Database version: 2654
     Windows 5.1.2600 Service Pack 3

     8/19/2009 10:52:05 AM
     mbam-log-2009-08-19 (10-52-05).txt

     Scan type: Quick Scan
     Objects scanned: 135621
     Time elapsed: 51 minute(s), 5 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 1
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM32\REGSVR.EXE (Backdoor.Bot) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\WINDOWS\SYSTEM32\REGSVR.EXE (Backdoor.Bot) -> Quarantined and deleted successfully.