Jump to content

Need Confirmation

Guest bugmenot

By Guest bugmenot
in File Detections

 Share

Recommended Posts

Guest bugmenot

Guest bugmenot

Posted
Posted

I ran a scan with Malwarebytes' Anti-Malware for the first time today, and I suspect it has detected a couple of false positives. Here's the log:

Malwarebytes' Anti-Malware 1.34Database version: 1784Windows 5.1.2600 Service Pack 3
21/02/2009 16:23:32mbam-log-2009-02-21 (16-23-26).txt
Scan type: Full Scan (C:\|)Objects scanned: 132437Time elapsed: 31 minute(s), 30 second(s)
Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 1Folders Infected: 0Files Infected: 2
Memory Processes Infected:(No malicious items detected)
Memory Modules Infected:(No malicious items detected)
Registry Keys Infected:(No malicious items detected)
Registry Values Infected:(No malicious items detected)
Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
Folders Infected:(No malicious items detected)
Files Infected:C:\Documents and Settings\home\My Documents\My Files\System Utilities\EvID4226Patch223d-en\EvID4226Patch.exe (Adware.Agent) -> No action taken.C:\WINDOWS\explorer.backup (Heuristics.Reserved.Word.Exploit) -> No action taken.

I very much doubt EvID4226Patch is an infection, it deals with the half-open TCP connections on Win XP, so we can assume that's an FP, but the other two needs confirmation. Thanks

Link to post
Share on other sites
nosirrah

nosirrah

Posted
Posted
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action

We are turning help back on , some malware will disable this . If you have disabled this option please whitelist this entry with the ignore option .

C:\WINDOWS\explorer.backup (Heuristics.Reserved.Word.Exploit) -> No action taken.

MBAM wont let you do much with reserved words in system directories , if you want to back up explorer picking a dedicated custom backup folder will avoid this FP . My Documents\backup system files\explorer.backup would be a much better location for multiple reasons .

C:\Documents and Settings\home\My Documents\My Files\System Utilities\EvID4226Patch223d-en\EvID4226Patch.exe (Adware.Agent) -> No action taken.

I need a dev log and/or sample of this one to tell you for sure . The dev log instructions are posted at the top of this forum .

Link to post
Share on other sites
Guest bugmenot

Guest bugmenot

Posted
Posted
We are turning help back on , some malware will disable this . If you have disabled this option please whitelist this entry with the ignore option .

MBAM wont let you do much with reserved words in system directories , if you want to back up explorer picking a dedicated custom backup folder will avoid this FP . My Documents\backup system files\explorer.backup would be a much better location for multiple reasons .

I need a dev log and/or sample of this one to tell you for sure . The dev log instructions are posted at the top of this forum .

Here's the log and a sample, thanks.

http://rapidshare.com/files/201188776/EvID...atch223d-en.rar

Malwarebytes' Anti-Malware 1.34

Database version: 1784

Windows 5.1.2600 Service Pack 3

21/02/2009 21:44:16

mbam-log-2009-02-21 (21-44-10).txt

Scan type: Full Scan (C:\|)

Objects scanned: 132385

Time elapsed: 31 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) ->

Bad: (0) Good: (1) -> No action taken.

[5138494534363830417475666876155285668385467079861301414438586436545151384753

645452385161524839535634513861467468838

08480718561567479698088846136868383707985557083847480796138898177808370836134698

766796870699352856683856452738088417

07781301713011813015749]

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\home\My Documents\My Files\System Utilities\EvID4226Patch223d-en\EvID4226Patch.exe

(Adware.Agent) -> No action taken. [2319262067702117261823671718212617207069196871672022236667186767]

C:\WINDOWS\explorer.backup (Heuristics.Reserved.Word.Exploit) -> No action taken.

[4642524945343638373070898177808370831301474853017780729370897093846871936766

769377797693788071939174819383668393708

97015786679747170848593786679747170848593807769]

Link to post
Share on other sites
nosirrah

nosirrah

Posted
Posted
C:\Documents and Settings\home\My Documents\My Files\System Utilities\EvID4226Patch223d-en\EvID4226Patch.exe

Please select ignore on this file as well , it is frequently used in multiple infections to make worms/bots more effective . I am changing the detection of this from "Adware.Agent" to "Malware.Tool" to make it more clear as to what this is .

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.