emaleroland

  1. Sorry, Ron. I think I'm confusing you. First, the problem is solved. The first scan was with an outdated database, as you first responded. There was an old version of MB on the server dated last year. I opened it and it said it downloaded the app, then wanted to install the new version. After installation I realized I just wanted to scan one file. So I scanned from Explorer and it said no infections found. I just realized that when it updates the app, it has the 2013-04-04-07 db. It doesn't try to update the defs until you open the app directly. I just scanned the zip file again and it reported no infection. That is with the 2013-10-15-06 db. I just ran an update to 2013-10-16-03. It also fails to detect the infection in the archive. It does detect it outside the archive. I also noticed, unless you choose to remove the infection, the log will show it detected 0 infections, even though the popup says there was one. And, I checked. The settings are to scan for infections in the archive. So, instead of having to restart the app (not the computer), it fails to detect the infection inside the archive even with the latest database but does detect it otherwise. Are there any known issues for that? I didn't know you guys were connected to Jotti so good to know.
  2. Following that philosophy, if it's not an AV product, not supposed to detect malware or remove malware, then what good is it? (O:= I think you're missing my argument. The issue is NOT what it is or isn't. The issue is does it use the currently downloaded defs db without a restart or not? If not, then please notify the user. If so, then please fix the bug. I seriously doubt the answer is "just wait an undetermined amount of time after updating the defs before scanning." The developers are too good for that to be the rule.
  3. Thanks for the info, Ron, but the bottom line is, if the app informs you it needs to update the defs db, then it needs to use it. If it needs a restart, issue one or notify the user. I believe there's an issue. I've looked back through the logs and the log prior to today doesn't have a scan showing the 04-04 update. However, in all the logs prior to that, the dates match.
  4. Ron... At 11:32am CDT, it was not being detected. I just updated again and NOW it is being detected. Your response reads as if there was an error on my part. So, fair enough. I checked the scan logs. Maybe this is the issue: I ran an update before scanning but the log shows this:
     Database version: v2013.04.04.07
     After running another update, which should use the latest:
     Database version: v2013.10.15.06
     It reports this:
     Database version: v2013.10.15.05
     So, I closed MB and rescanned: Now I get the right engine reporting:
     Database version: v2013.10.15.06
     It was my understanding you don't have to restart MB after an update. Apparently you do. Can you confirm? I don't mind if that is the procedure but I've never restarted after updating before a scan.
  5. Thank you, David. Had I seen the link for newest malware threats, I would have posted there. I only posted here because I didn't know where else to go. Ron... In case you missed it, I wrote this in my OP, "Before I scanned, I performed an update."
  6. I received an email with an attachment. The message was SPAM and originated from CERFNET (ATT). The attachment was a zip file. Inside was an .exe containing a trojan. When composing my email to ATT, I tested the zip to see if it was infected. MalwareBytes said no. Managed Antivirus (Vipre) said yes. (see attached) I uploaded the zip file to Jotti's Malware Scan. 10/23 scanners said it was infected. http://virusscan.jotti.org/en/scanresult/679a689bafe97cf1f235d3e9d40e1e2c1a48915e If this is a new signature, I would expect some may not have it yet. However, if it is not, WTH? This is the scary scenario where users fail to act responsibly relying on their AV product to protect them. Had their primary AV been MalwareBytes or any of the other 13 AV products listed at Jotti that failed to detect this infection, this could have been troubling. Before I scanned, I performed an update. I know if one of my users had tried to save or unzip this attachment, the AV would have caught it. However, if that service had been off for any reason, this could have been a very bad thing considering this is a financial institution. I will need to report to GFI to see why their email scanner missed it when Vipre (threatattack.com) caught it. I'm concerned that MalwareBytes missed it and gave it an OK.
     Here is the scan log: (Personal details obfuscated: XXXXXXXX)

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org

     Database version: v2013.10.15.05

     Windows Server 2003 Service Pack 2 x86 NTFS
     Internet Explorer 8.0.6001.18702
     XXXXXXXX :: COMPUTERNAME [XXXXXXXX]

     10/15/2013 1:40:49 PM
     mbam-log-2013-10-15 (13-40-49).txt

     Scan type: Custom scan (C:\Documents and Settings\XXXXXXXX\My Documents\Downloads\danger\PaymentAdvice15102013.zip|)
     Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
     Objects scanned: 1
     Time elapsed: 3 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)

     I did not include the zip file as an attachment because I don't want it to be publicly available. Please let me know if you need this infection for review and where to upload it.
  7. I may have resolved my issue. DNS had been modified, apparently from the infection that was removed. It redirected primary and secondary which would explain the latency, why I couldn't reach your site or get updates and why I couldn't find any infections locally. To help any that may read this, these are the offending IPs. 93.188.162.12 93.188.161.51
  8. When I try to reach malwarebytes.org I get 'Web server is OK.' (no quotes) I get this with IE and FF. I downloaded from CNET. Current db: 3510 When I run an update, it fails: 732 (0,0) I have followed the suggestion for updating common controls. I have run the registry fix suggestion (offline). I could also not reach superantispyware.com. Downloaded it from CNET. Cannot get an update for it either. No proxy set. No group policy set. No hosts file blocks. I did run Rootkit Revealer from Sysinternals (MSFT) and got lots of messages but it pointed mostly to TCP/IP errors. Kaspersky online scan is down. I ran Bitdefender online scan. Found nothing. Scan with SAS found nothing but cookies. MB did find one infection but issue remains. The apps run, but they don't update and I can't reach the sites. All other sites I've tried work. Symantec SEP is installed but disabled and not in memory. Puzzled. Any/all help appreciated.
  9. I am getting a 732 (0,0) error and have tried the suggestions for this error. When I try to surf to the website with Firefox, I get 'Web site is OK', no quotes. Any path on the web site fails. Would it be possible to get downloads one of the following ways? FTP instead of HTTP? Dynamic locations so they cannot be blocked? Dynamic download names from the main and/or dynamic named site? I cannot verify that I am infected or if changes have been made to the system that cannot be repaired by removing any infections. I also cannot reach superantispyware.com. I had to download both apps from download.cnet.com. I will open up a new topic for this but an update alternative is greatly needed. Thank you.