
Need Confirmation



Guest bugmenot

I ran a scan with Malwarebytes' Anti-Malware for the first time today, and I suspect it has detected a couple of false positives. Here's the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1784
Windows 5.1.2600 Service Pack 3

21/02/2009 16:23:32
mbam-log-2009-02-21 (16-23-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 132437
Time elapsed: 31 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\home\My Documents\My Files\System Utilities\EvID4226Patch223d-en\EvID4226Patch.exe (Adware.Agent) -> No action taken.
C:\WINDOWS\explorer.backup (Heuristics.Reserved.Word.Exploit) -> No action taken.

I very much doubt EvID4226Patch is an infection; it deals with the half-open TCP connections on Win XP, so we can assume that's an FP, but the other two need confirmation. Thanks


Staff
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action

We are turning help back on; some malware will disable this. If you have disabled this option, please whitelist this entry with the ignore option.

C:\WINDOWS\explorer.backup (Heuristics.Reserved.Word.Exploit) -> No action taken.

MBAM won't let you do much with reserved words in system directories; if you want to back up explorer, picking a dedicated custom backup folder will avoid this FP. My Documents\backup system files\explorer.backup would be a much better location for multiple reasons.

C:\Documents and Settings\home\My Documents\My Files\System Utilities\EvID4226Patch223d-en\EvID4226Patch.exe (Adware.Agent) -> No action taken.

I need a dev log and/or sample of this one to tell you for sure. The dev log instructions are posted at the top of this forum.

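
As an added example (not code from this thread or from Malwarebytes), here is a small Python script that parses the "Infected:" sections of an MBAM 1.34 log like the ones posted above into records, so the Bad/Good data on a registry data item and the family label on a file can be checked programmatically, and that applies the two pieces of triage the staff reply gives: an ignore list standing in for MBAM's ignore option, and a reconstruction of the reserved-word rule as described (a file in a Windows system directory named after a system binary but with a non-.exe extension). The system-directory set and the reserved-name set are assumptions for illustration only, not Malwarebytes' signature data; the sample log text is constructed from the detections quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the three detections quoted in the thread, laid out
# the way Malwarebytes' Anti-Malware 1.34 writes its "... Infected:" sections.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\home\My Documents\My Files\System Utilities\EvID4226Patch223d-en\EvID4226Patch.exe (Adware.Agent) -> No action taken.
C:\WINDOWS\explorer.backup (Heuristics.Reserved.Word.Exploit) -> No action taken.
"""


@dataclass
class Detection:
    section: str          # e.g. "Registry Data Items", "Files"
    target: str           # registry value path or file path
    family: str           # MBAM family label, e.g. "Hijack.StartMenu"
    bad: Optional[str]    # current data (registry data items only)
    good: Optional[str]   # data MBAM would restore (registry data items only)
    action: str           # e.g. "No action taken"


SECTION_RE = re.compile(r"^(?P<section>.+?) Infected:$")
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per item line found under any '... Infected:' header."""
    section = None
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            found.append(Detection(section, m["target"], m["family"],
                                   m["bad"], m["good"], m["action"]))
    return found


# Assumption for illustration (not Malwarebytes' signature data): a few Windows
# system binary base names and the directories treated as system directories.
RESERVED_NAMES = {"explorer", "winlogon", "svchost", "lsass", "csrss", "services"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def trips_reserved_word_heuristic(path: str) -> bool:
    """Reconstruction of the rule the staff reply describes: a file sitting in a
    system directory, named after a reserved system binary, but carrying an
    extension other than .exe (explorer.backup) is flagged; the same file name
    in a user-chosen backup folder is not."""
    p = path.replace("/", "\\").lower()
    directory, _, name = p.rpartition("\\")
    base, _, ext = name.rpartition(".")
    if not base:                      # no dot: the whole name is the base
        base, ext = name, ""
    return directory in SYSTEM_DIRS and base in RESERVED_NAMES and ext != "exe"


def triage(text: str, ignore=()) -> List[Tuple[str, str, str]]:
    """Label each detection: 'ignored' if whitelisted (MBAM's ignore option),
    'reserved-word FP candidate' if it only trips the naming rule above,
    'registry data differs' when Bad != Good, otherwise 'needs sample'."""
    ignored = {i.lower() for i in ignore}
    out = []
    for d in parse_mbam_log(text):
        if d.target.lower() in ignored:
            verdict = "ignored"
        elif d.section == "Files" and trips_reserved_word_heuristic(d.target):
            verdict = "reserved-word FP candidate"
        elif d.bad is not None and d.bad != d.good:
            verdict = "registry data differs"
        else:
            verdict = "needs sample"
        out.append((d.target, d.family, verdict))
    return out


if __name__ == "__main__":
    for target, family, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:28} {family:34} {target}")
```

Running it on the constructed log yields one "registry data differs" (Start_ShowHelp, Bad 0 vs Good 1), one "needs sample" (EvID4226Patch.exe, which the reply says cannot be judged from the log alone) and one "reserved-word FP candidate" (explorer.backup); passing that path in `ignore` turns the last verdict into "ignored", which is what the ignore option does.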

Guest bugmenot
Here's the log and a sample, thanks.

http://rapidshare.com/files/201188776/EvID...atch223d-en.rar

Malwarebytes' Anti-Malware 1.34
Database version: 1784
Windows 5.1.2600 Service Pack 3

21/02/2009 21:44:16
mbam-log-2009-02-21 (21-44-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 132385
Time elapsed: 31 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken. [513849453436383041747566687615528566838546707986130141443858643654515138475364545238516152483953563451386146746883808480718561567479698088846136868383707985557083847480796138898177808370836134698766796870699352856683856452738088417 07781301713011813015749]

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\home\My Documents\My Files\System Utilities\EvID4226Patch223d-en\EvID4226Patch.exe (Adware.Agent) -> No action taken. [2319262067702117261823671718212617207069196871672022236667186767]
C:\WINDOWS\explorer.backup (Heuristics.Reserved.Word.Exploit) -> No action taken. [464252494534363837307089817780837083130147485301778072937089709384687193676676937779769378807193917481938366839370897015786679747170848593786679747170848593807769]


Staff
C:\Documents and Settings\home\My Documents\My Files\System Utilities\EvID4226Patch223d-en\EvID4226Patch.exe

Please select ignore on this file as well; it is frequently used in multiple infections to make worms/bots more effective. I am changing the detection of this from "Adware.Agent" to "Malware.Tool" to make it clearer what this is.
