jf2572

Spyware.Password - mfc45.dat

Is this an actual infection, or a false positive?

Not detected by NOD 32.

VirusTotal reports suspicious or heuristic-corrupt on 4 out of 43; Jotti reports suspicious on 1 out of 19.

Malwarebytes Anti-Malware (PRO) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.24.11

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

John :: JOHN-PC [administrator]

Protection: Enabled

11/25/2012 5:39:49 AM

mbam-log-2012-11-25 (05-39-49).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 208161

Time elapsed: 23 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\SysWOW64\mfc45.dat (Spyware.Passwords) -> Quarantined and deleted successfully. [d5461d9e3a236fc7be22af9608f84ab6]

(end)

mfc45.zip

Hi jf2572,

The detection looks to be intentional but the file is in fact corrupted/broken so cannot do any harm as it does not run.

Thank you for the quick reply.

I released the file from quarantine to upload it, and when I re-scanned w/ MBAM, it again quarantined it, but this time left an icon in the folder where it was originally located. Maybe what it left behind is the corrupted file, and somehow that is what got uploaded.

Should I delete both the quarantined file and the corrupted file?

Is this mfc45.dat file something that was originally a necessary file (but got infected)? In other words, will I need to somehow find and replace it?

Thank you again!

Hi,

The new file with the icon that was created: did we detect this file, and if so, can you please zip and attach it?

With regard to any removals, it is always advised to hold files in quarantine for a period of time just in case their removal breaks a chain of dependency. That way, if something breaks (after file removal), the file can be restored and another fix can be pursued.

If, however, you delete your quarantined item(s) immediately, then that option is removed under that potential scenario.

MBAM has not detected the new file, in 2 scans.

I have attached it anyway, just in case: mfc45.zip

Is it possible that the first file I sent was also a copy of this second file, and not the original, which MBAM detected and is currently in quarantine?

Hi,

It is possible, but the last file attached is very similar but not the same.

The signature making the original detection is quite an old one and will be shortly reviewed, as we don't usually attack corrupt files as they are *broken* and do not work.

Do you suspect this file was corrupt when first detected, or possibly became that way when passing in and out of quarantine?

Also, I didn't mention before that the file was first detected in Windows>System32, but when I released it from quarantine, I could not find it back in that location, so I ran another MBAM scan and this time it was caught in Windows>SysWOW64. (I thought I should mention this in case it might be a helpful clue of some sort.)

A final question (at least for now), was this detected because it was indeed malware, or possibly just because it was a corrupt file?

Thank you again!

Hi,

The second, non-quarantined file you supplied also had a corrupted PE header, which would suggest that whatever is recreating the file is recreating files with corrupted PE headers.

The original detection was based on a known bad file pattern and not because the file header was corrupted.

That said, the signature is many years old and would not be entered into the database nowadays, as it's way too loose and potentially prone to F/P, as is the case for your detection.

I have revised the original signature; if you can, recheck your files to see if the detection still remains.

I would also like to thank you for your assistance and apologize for any inconvenience caused by this F/P.

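The staff reply above rests on one triage fact: a file whose PE header is corrupted cannot be loaded, so it cannot run, regardless of whether a signature fires on its bytes. As an added example (not code from this thread, from Malwarebytes or from iolo), the following Python walks the same header fields the Windows loader checks and reports which one is broken; the sample images it builds are constructed for the demonstration, and `check_pe_file` is a hypothetical helper for running the check over a restored quarantine item.

```python
import struct

IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "x64"}   # x86 / x64, the hosts in this thread
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def check_pe_header(data: bytes) -> dict:
    """Return {'valid': bool, 'reason': str} for a buffer that should be a PE image.
    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF machine -> optional-header magic.
    Any failure here means the loader would refuse the file, i.e. it cannot execute."""
    if len(data) < 0x40:
        return {"valid": False, "reason": "shorter than a DOS header"}
    if data[:2] != b"MZ":
        return {"valid": False, "reason": "missing MZ magic"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data):                  # signature(4) + COFF(20) + magic(2)
        return {"valid": False, "reason": f"e_lfanew 0x{e_lfanew:x} points past end of file"}
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"valid": False, "reason": "missing PE signature at e_lfanew"}
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    if machine not in IMAGE_FILE_MACHINE:
        return {"valid": False, "reason": f"unknown machine type 0x{machine:x}"}
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic not in OPTIONAL_MAGIC:
        return {"valid": False, "reason": f"optional header magic 0x{magic:x} is not PE32/PE32+"}
    return {"valid": True, "reason": f"{OPTIONAL_MAGIC[magic]} {IMAGE_FILE_MACHINE[machine]}"}


def check_pe_file(path: str) -> dict:
    """Hypothetical helper: same check over a file on disk (e.g. a restored quarantine item)."""
    with open(path, "rb") as fh:
        return check_pe_header(fh.read())


def build_sample(corrupt: bool = False) -> bytes:
    """Constructed test image: minimal DOS header + COFF header + optional-header magic.
    With corrupt=True the 'PE\\0\\0' signature is zeroed, mimicking a damaged header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    nt = (b"\0\0\0\0" if corrupt else b"PE\0\0") + coff + struct.pack("<H", 0x10B)
    return bytes(dos) + nt


if __name__ == "__main__":
    for label, blob in (("intact", build_sample()), ("corrupt", build_sample(True)),
                        ("truncated", build_sample()[:70])):
        print(label, check_pe_header(blob))
```

A signature hit on a file that fails this check is a candidate for the "corrupt, cannot run" verdict given in the thread; a hit on a file that passes it is the case worth escalating.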
Hello,

As you requested, I checked my system to see if the detection still remains. I restored the file from quarantine, then ran a quick scan with database version v2012.11.26.03. No malicious items were detected in this scan.

Just to be certain I understand clearly:

Was this definitely a false positive? (From what I have read, if it was an actual infection of Spyware.Password, I would need to change all of my passwords, at the very least.)

Since MBAM now does not identify the file as a threat, is it safe to leave it in place, or should I delete it anyway, since it is corrupt?

Thank you again!

Hi,

Yes, it was a false positive and the file(s) are safe to restore or leave in situ.

Thanks again for your help and time with resolving this :)

Thank you for your help!

This may NOT be a false positive!

I just booted up my laptop and updated and ran MBAM. Running the latest version it detected the Spyware.Password - mfc45.dat file.

(I have not used the laptop since before MBAM first detected Spyware.Password - mfc45.dat on my desktop, so have not run MBAM in all of that time.)

Since it was detected by the latest version of MBAM (with the revised signature), it seems to be more than just a corrupt file. Is it possible that the file I submitted before was infected, but became corrupted while moving in and out of quarantine?

I have quarantined the file on the laptop, and will hold it there for now. What should I do with it... try to submit it again? Delete it?

I want to run a new backup on the laptop, including disc image, but do not want to do it while the suspicious file is in quarantine, in case it might somehow get transferred to the backup drive.

Thank you for your help with this.

Log file below, for latest detection, on laptop. (See above post for details.)

Malwarebytes Anti-Malware (PRO) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.30.04

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

John :: JOHN-PC [administrator]

Protection: Enabled

11/29/2012 7:51:53 PM

mbam-log-2012-11-29 (19-51-53).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 230902

Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\System32\mfc45.dat (Spyware.Passwords) -> Quarantined and deleted successfully.

(end)

Hi,

I suspect this is a F/P detection, possibly caused by a bug, but in order to verify further I need to take some additional steps.

Please update MBAM to its most recent database and then reboot the computer.

Next, restore the file from quarantine; then, if it's detected again, zip and attach it to a reply and also send it back to quarantine.

Thanks in advance.

Hello,

I updated MBAM, rebooted and ran a scan. This time it detected nothing.

The file was still in the same location after the scan, and like the previous file on the desktop, did not have the "gears" image on it.

I've attached it, just in case it might provide a clue.

Thank you for any information you might be able to provide.

mfc45.zip

Sorry for resurrecting a dead thread, but we, iolo technologies, the makers of System Mechanic, just wanted to let everyone know (and anyone who may stumble upon this thread in the future) more about the MFC45.dat file that is being discussed.

First, thank you for all of the information that everyone has submitted. It's always very helpful for us to know about each user's experience and any complications that occur while running our software simultaneously with other programs. We are constantly focused on providing a quality product for all of our users.

Secondly, we'd like to let it be known that the MFC45.dat file is not harmful in any way. The file itself was created specifically by us to provide security for our users and their product licenses as a result of the rising cracks and hacks for System Mechanic.

We are aware that this file has sometimes been mistakenly detected by certain antivirus programs and we've addressed this issue in the latest update this week.

Lastly, we are also working on a solution that does not require this file. We plan to have this fix addressed in a future product update. Please let us know if there are any questions or concerns that you may still have; we'd be happy to answer them! We hope this provides a better understanding about the file in question and helps alleviate any concerns. Thanks!

I found this forum reply from:

This is the person's comment:

iolo technologies writes

 

Hi everyone, 

Thank you for all of the information that was provided and for the many comments regarding this file. We are iolo technologies, the creators of System Mechanic and the MFC45.dat file that is in question. 

It is extremely helpful for us to know about everyone's user experiences and any complications found while running our software simultaneously with other programs. 

We'd like to let you know that the MFC45.dat file is not harmful in any way. The file itself was created specifically by us to provide security for our users and their product licenses as a result of the rising cracks and hacks for System Mechanic.

We are aware that this file has sometimes been mistakenly detected by certain antivirus programs and we've addressed this issue in the latest update this week. 

Lastly, we are also working on a solution that does not require this file. We plan to have this fix addressed in a future product update. Please let us know if there are any questions or concerns that you may still have, we'd be happy to answer them! 

Thank you!

Edited by AdvancedSetup
Removed external hyperlink
