TheGeekinator

Members
  • Posts

    10
  • Joined

  • Last visited

Reputation

0 Neutral

About TheGeekinator

  • Birthday 09/10/1961

Profile Information

  • Location
    Puget Sound, Washington USA
  1. @sUBs. Oops. I wasn't aware of that. I arrived at the webpage from Google hit link, and immediately posted. Understand now that I didn't see context of full problem ... my sincerest apologies. Thanks.
  2. @Intrinsic, and all interested. Ditto. Encountered identical as your description on my latest daily scheduled "Quick" scan. Thanks for promptly reporting this, as I couldn't find ANY applicable web-hits either ... except this one. @sUBs. Are you suggesting you have reason to believe this is malware infection based? Or is your cleanup link provided as simply a precautionary "just for good measure" kind of thing? Because I just simply performed an in-place reinstall of the MBAM app. Encountered another round of the two error dialogs in the midst of installation sequence. However, when it completed successfully, my MBAM is performing normally again. My guess is a DLL or two somehow got unregistered, and the reinstall took care of it.
  3. Thanks for your customarily prompt response. It's always much appreciated. Unfortunately, your suggestion isn't the answer in this case. All those (and related) receptacles are, and have been, routinely kept nearly bare. There's also been no significant changes made to the target system experiencing the extended scan time. Again, it's been only for the past ~1-2 weeks that the scan duration has significantly increased by ~50-100%. In other words, what routinely took no longer than ~20 min's, now persistently takes ~30-40 min's (not including update time ... only the scan time). That's why I specifically inquired if there was an algorithm change in the scanner itself ... OR, has there been a recent significant increase in the size of the malware signature database? Can I presume from your reply the answer to these questions is authoritatively "no"? Again, sincerest thanks to one and all at team MBAM.
  4. Has there been a scanning algorithm change in MBAM? ... because over the past 1-2 weeks or so, I've observed an approximate 50-100% increase in the duration of time it takes for my daily batch scripted "QuickScanTerminate" to execute. Thanks in advance.
  5. Corrected indeed, Bruce. I've said it before, and I'll say it again ... thanks for your great product, as well as your conscientious and timely support. Yet again, you make it quite apparent that team MBAM takes corrective/update actions seriously: receive, review, analyze/test, make determination, update the master online malware sig's database, and respond to my post ... all performed within a handful of hours.
  6. Rec'd disposition of "Rogue.EAntispy" on file "C:\WINDOWS\system32\aamd532.dll" during latest routine MBAM "QUICK" type scan. This is identical file which has been at that location during all previous MBAM scans for at least the past 4+ months (confirmed via an identical SHA1 checksum against a backup dated Sep 1, 2008). I'm not certain, but I believe it was installed, and is organic to, resident installation of AutoPatcher. Submitted the file to VirusTotal.com for cross-check. It scans 100% clean there at 0/38:

     Please refer to:
     1. FILEALYZER REPORT.
     2. MBAM DEVELOPER SCAN LOG.
     3. Attached archive containing subject file [password: falsepositive].

     Thanks once again for your great product, as well as your conscientious and timely support.

     ====================================================================
     FILEALYZER REPORT:
     --------------------------
     File: C:\WINDOWS\system32\aamd532.dll
     Date: 1/9/2009 3:53:07 AM

     ***** General *****
     Location: C:\WINDOWS\system32\
     Size: 10752
     Version: 1.0.0.1
     CRC-32: D7BC0DD7
     MD5: CEFD956A1EF122CDA4D53007BAB6C694
     SHA1: B3E34E6B0C8BEAC8874D0B6414C5CFB5E0FB0B9F
     Read only: No
     Hidden: No
     System file: No
     Directory: No
     Archive: Yes
     Symbolic link: No
     Time stamp: Sunday, October 07, 2007 10:27:50 AM
     Creation: Sunday, August 17, 2008 7:20:36 AM
     Last access: Sunday, August 17, 2008 7:20:36 AM
     Last write: Sunday, October 07, 2007 10:27:50 AM

     ***** Version *****
     Supported languages:: English (United States) (1033/1200)
     --- Version ---
     File version: 1, 0, 0, 2
     Company name: Almeida & Andrade Ltda
     Internal name: aamd532
     Comments:
     Legal copyright: Copyright © 1998, 1999 Almeida & Andrade Ltda
     Legal trademarks:
     Original filename: aamd532.DLL
     Product name: MD5 Maker DLL
     Product version: 1, 0, 0, 2
     File description: aamd532 DLL
     Private build:
     Special build:

     ***** Resources *****

     ***** PE Header *****

     ***** PE Sections *****
     CRC-32: ?
     MD5: ?
     ----- PE Sections -----
     Section VirtSize VirtAddr PhysSize PhysAddr Flags CRC32 MD5

     ***** Import/Export table *****

     ====================================================================
     MBAM DEVELOPER SCAN LOG:
     -------------------------------------
     Malwarebytes' Anti-Malware 1.32
     Database version: 1634
     Windows 5.1.2600 Service Pack 3

     1/9/2009 2:54:35 AM
     mbam-log-2009-01-09 (02-54-22).txt

     Scan type: Quick Scan
     Objects scanned: 1
     Time elapsed: 5 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected:
     c:\WINDOWS\system32\aamd532.dll (Rogue.EAntispy) -> No action taken. [4134524130518072867015383479857484819013016870716926222366187071181919686966216 922201717246766672368232621]
     ====================================================================

     aamd532.dll.zip
  7. Razor! Don't you just love the always-too-few "easy one"'s. Thanks Bruce, and also to the entire MBAM team.
  8. Rec'd false positive on Windows Registry key "HKCU\Software\AVS" installed/associated by app "AVS Video Tools v5.6". I exported the regkey and submitted to VirusTotal.com. It scans clean there:

     File "HKCU_Software_AVS.reg" received on 10.30.2008 06:05:32 (CET)

     Also scanned with "a-Squared" and "Ad-Aware 2008 Pro" (latest updated signatures) ... clean also. This regkey existed during previous scans and only on latest is it now encountered. It is attached with password: falsepositive

     Thanks in advance for your time and efforts.

     DEVELOPER LOG:
     Malwarebytes' Anti-Malware 1.30
     Database version: 1338
     Windows 5.1.2600 Service Pack 3

     10/29/2008 9:37:45 PM
     mbam-log-2008-10-29 (21-37-40).txt

     Scan type: Quick Scan
     Objects scanned: 71016
     Time elapsed: 20 minute(s), 49 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 1
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected:
     HKEY_CURRENT_USER\SOFTWARE\AVS (Rogue.AntiVirusSentry) -> No action taken. [3857535134305180728670153479857455748386845270798583901301414438586436545151384 753645452385161524839535634513861345552]
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)

     HKCU_Software_AVS.reg.zip
  9. To lordpake (and all): Thanks so much for your suggestion. At first I tried it verbatim in the hopes there was going to be a way to direct MBAM's context-menu initiated GUI to perform a developer scan. But just as when directly launching, no joy. Also tried first launching a developer GUI, then via context-menu, but alas, encountered error dialog "Malwarebytes' Anti-Malware is already running". But then gave it a try via CLI including the target directory using this format:

     "%PROGRAMFILES%\Malwarebytes Anti-Malware\mbam.exe" "%PROGRAMFILES%\`Utilities\RAM Idle" /developer

     ...Success!

     Q: Is there also a way to perform a developer scan on a target directory via context-menu as you describe? If so, please advise.

     To nosirrah (and all): Thanks for the email I received by "Marcin Kleczynski" on 10/26/2008 stating "Thanks, I hope to get this resolved by tomorrow". At the time of my original post, I'd only been using MBAM since earlier that day, and was in the process of writing a batch script (my usual preference whenever CLI is available). Therefore, at that time I didn't realize there was a volume-level choice when performing a full scan via MBAM's GUI. And now, I'm even more gratified to see that I can include any desired target path in the CLI. I didn't initially attempt this because the help section didn't include that as an option.

     Q: Are there ANY other undocumented switches/options available?

     I'm sorry for only now providing the developer log. I was simply OBE (overcome by events). Also, these particular files have no importance to me since they are merely the Win98 and Me versions of the app installed by default. The subject system is WinXP, so pretty low priority to me. I have attached the subject files (password: falsepositive). Also curious why .RAR files are "not allowed" to be uploaded (per error message stating so)?

     Thanks to all for your time and efforts.

     DEVELOPER LOG:
     Malwarebytes' Anti-Malware 1.30
     Database version: 1338
     Windows 5.1.2600 Service Pack 3

     10/29/2008 11:42:22 PM
     mbam-log-2008-10-29 (23-42-19).txt

     Scan type: Quick Scan
     Objects scanned: 10
     Time elapsed: 5 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 2

     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected:
     c:\program files\`utilities\RAM Idle\RAM_98.exe (Trojan.FakeAlert) -> No action taken.
     c:\program files\`utilities\RAM Idle\RAM_ME.exe (Trojan.FakeAlert) -> No action taken.

     _RAM_Idle__False_Positive_Files.zip
  10. Rec'd false positives on two files. Submitted both to VirusTotal.com. They both scan clean there:

      1. File "C:\Program Files\`Utilities\RAM Idle\RAM_98.exe" received on 10.22.2008 19:46:31 (CET)
      2. File "C:\Program Files\`Utilities\RAM Idle\RAM_ME.exe" received on 10.22.2008 19:53:46 (CET)

      Also scanned both files with "a-Squared" and "Ad-Aware 2008 Pro" (latest updated signatures) ... clean also.

      ----------------------------------------------
      Malwarebytes' Anti-Malware Scan Log:
      ----------------------------------------------
      Scan type: Full Scan (C:\|D:\|E:\|G:\|H:\|M:\|)
      Objects scanned: 281607
      Time elapsed: 6 hour(s), 36 minute(s), 48 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 2

      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected:
      C:\Program Files\`Utilities\RAM Idle\RAM_98.exe (Trojan.FakeAlert) -> No action taken.
      C:\Program Files\`Utilities\RAM Idle\RAM_ME.exe (Trojan.FakeAlert) -> No action taken.
      ----------------------------------------------

      I am aware you request a </developer> parameter switch scan log. But after cursory review of this forum, it appears the only additional info contained in it vs the above standard log is file hash checksum elements. If I'm mistaken, please let me know and I'll comply. I just didn't want to subject myself/system to another redundant several-hour-long scan if not necessary [as the VirusTotal links above provide multiple hash checksums (MD5, SHA*)] ... unless perhaps there's an undocumented switch that allows narrowing the scan to other than "/quickscan" or "/fullscan"?

      Thanks in advance.

      "Today's the best day of my life...and NOW you're part of it!"
      Craig, Puget Sound, Washington USA