
Trojan.Backdoor.MRX FP?

Recommended Posts

Hello,

2013/02/15 19:56:16 +0100 ASUS-CHANTAL Chantal DETECTION C:\Program Files\7-Zip\Uninstall.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 20:14:17 +0100 ASUS-CHANTAL Chantal DETECTION C:\Program Files\Codebox\BitMeter\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 20:14:19 +0100 ASUS-CHANTAL Chantal DETECTION C:\Program Files\CCleaner\uninst.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 20:14:35 +0100 ASUS-CHANTAL Chantal DETECTION C:\Program Files\MozBackup\Uninstall.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 20:15:26 +0100 ASUS-CHANTAL Chantal DETECTION C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 20:15:27 +0100 ASUS-CHANTAL Chantal DETECTION C:\Program Files\SEAF\Un-SEAF.exe Trojan.Backdoor.MRX QUARANTINE

I restored the files; I think they are FPs.

Thanks


Downloaded the latest and got this:

Files Detected: 56

C:\Program Files\Common Files\LogiShrd\Unifying\UnifyingUnInstaller.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\Battlelog Web Plugins\uninstall.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\Battlelog Web Plugins\Sonar\esnsonar_uninstall.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\Common Files\Oberon Media\occcu.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\EVGA Precision X\Uninstall.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\GamesBar\uninst.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\Marvell\mv91xx\uninst-91xx.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\Seagate\Products\Memeo_Instant_Backup_Setup.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\Seagate\Products\Memeo_Send_Setup.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\Seagate\Products\Memeo_Share_Setup.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\Seagate\Products\Memeo_Sync_Setup.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\Seagate\Seagate Dashboard\uninstall.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uninstall.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Download\33020A60\drsupdate.12601159_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00000000\drsupdate.12601159_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\000002b4\drsupdate.12941764_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00000548\drsupdate.13114128_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00000553\drsupdate.13143727_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\000007e8\drsupdate.13303955_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\0000097d\drsupdate.13406784_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00000983\drsupdate.13414223_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00000d93\drsupdate.13583115_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00000e29\drsupdate.13680887_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00000eaf\drsupdate.13728286_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001145\drsupdate.13925146_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001253\vops-battlefield_3.13971986.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\0000175b\drsupdate.14225440_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\0000194d\drsupdate.14354895_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001969\drsupdate.14375883_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001a14\vops-left_4_dead_2.14411131.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001a2a\drsupdate.14413407_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001b82\drsupdate.14483726_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001d37\vops-call_of_duty_black_ops_2_singleplayer.14503144.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001dde\drsupdate.14516895_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001ddf\drsupdate.14517731_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001f94\vops-call_of_duty_black_ops_2_multiplayer.14567074.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00001f95\vops-call_of_duty_black_ops_2_zombies.14567074.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\000021cd\drsupdate.14607810_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\000025d5\vops-skyrim.14808186.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\000027c2\dao.14929100.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\0000285e\drsupdate.14956297_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\000028f1\dao.14973436.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00002984\vops-battlefield_3.14998644.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00002986\vops-call_of_duty_black_ops_2_multiplayer.14998644.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00002987\vops-call_of_duty_black_ops_2_singleplayer.14998644.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00002988\vops-call_of_duty_black_ops_2_zombies.14998644.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\0000299f\vops-left_4_dead_2.14998644.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\000029a1\vops-max_payne_3.14998644.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\000029ac\vops-skyrim.14998644.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00002ac6\dao.15008532.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00002ad5\dao.15025559.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\ProgramData\NVIDIA\Updatus\Packages\00002b7b\dao.15052761.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Users\Pauls\AppData\Roaming\Seagate\Seagate Dashboard\temp\SeagateDashboard_1421_Better_Setup.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Users\Public\Documents\DriverGenius\Temp\marvell_91xx_1.2.0.1016\marvell_91xx_1.2.0.1016\drvSetup.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Users\Public\Documents\DriverGenius\Temp\Marvell_9xxx_1.2.0.1019WHQL\Marvell_9xxx_1.2.0.1019WHQL\drvSetup\drvSetup.exe (Trojan.Backdoor.MRX) -> No action taken.

C:\Users\Public\Documents\DriverGenius\Temp\Marvell_9xxx_1.2.0.1032\Marvell_9xxx_1.2.0.1032\drvSetup.exe (Trojan.Backdoor.MRX) -> No action taken.


Like many other people, I got several false positives on Trojan.Backdoor.MRX yesterday.

For me, it was in these two folders, and I have deleted them from quarantine:

c:\programdata\nvidia\updatus\packages\0000175b\drsupdate.14225440_runasuser.exe

c:\programdata\nvidia\updatus\packages\00000229\drsupdate.13143727_runasuser.exe

Can it affect my computer in the future that I had them removed?

Thank you in advance.

Cheers,

René


Hi Morena,

No, this won't affect anything in the future at all, since these appear to run only once, when an NVIDIA update is applied. So in this case the update was applied already. Next time, when you update your NVIDIA software, it will create a new package for it again.


Hello Franz,

On my own system at home I had several files that were quarantined, but all of them restored for me just fine. Are you sure you did not have something else, such as an antivirus or other security tool, blocking the restore?


Can you please run the following scanners and post back the logs so we can see more of what's going on with your system.

Please create an mbam-check log:

  • Download mbam-check.exe from here and save it to your desktop
  • Double-click on mbam-check.exe to run it, it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post; instead, please attach the log file CheckResults.txt, which should now be located on your desktop, to your next post

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double-click dds.scr or dds.com to run the tool; on Vista or Win 7, right-click and select Run as administrator.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file in most cases.

Getting a bit late for me, but maybe one of the Researchers can chime in after reading the logs; if not, then I'll try to get back to you sometime over the weekend if I can.

Thanks


Last night mbam quarantined one file with Trojan.Backdoor.MRX. I read about the false positives on this forum, and that the problem had been solved in the new database, so I updated the database and ran a full scan overnight. However, eight more detections were found.

1. If these really are false positives, why am I still getting detections and what should I do next?

2. On the scan result screen, does remove mean quarantine? Since I don't need these eight files, I'm inclined to remove them even though this may be a false positive. My options are remove selected, ignore, save log, main menu, exit. If I remove them does it just delete those files or does it make changes to the registry as well that I might regret?

3. I would look at the mbam help files but I'm concerned about navigating away from the scan result screen.

Other info:

I also run Eset NOD32.

Yesterday, before these detections happened, I downloaded a free open source utility called WinMerge from winmerge.org via sourceforge.net. Although I tried to check it out before downloading it, and it seemed safe and well reviewed, it makes me very wary, since I have never downloaded an executable, at least not for many years.


Can you please post a scan log? This shouldn't be detected if you are truly up to date. If you remove them, they should go to quarantine. I wouldn't remove them, as this may disable uninstallers and installers of programs. You can also zip and attach one of the files here for me to verify.


Thanks, Shadowwar. Here is the log file. The 8 most recently affected files are not on my boot drive. (I'm not sure about the one that was detected originally; no log file was created.) These 8 are on my F drive, which is an internal drive but is not used to install programs or for the OS. In this case, would it be OK to remove them? I'm not feeling comfortable saying Ignore.

Log file:

=====================

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.16.02

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

name :: CINDY-PC [administrator]

Protection: Enabled

2/16/2013 2:51:55 AM

MBAM-log-2013-02-16 (12-18-41) 8 detections after updating mbam db.txt

Scan type: Full scan (C:\|F:\|G:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 670370

Time elapsed: 2 hour(s), 42 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 8

F:\Program Files\McAfee\SiteAdvisor\Download\s1vo.1 (Trojan.Backdoor.MRX) -> No action taken.

F:\Puggs_Backup\HTC HD2 Backups\Drag&Drop\HD2yyy20111231\Storage Card\Multimedia Sync by doubleTwist.exe (Trojan.Backdoor.MRX) -> No action taken.

F:\Puggs_Backup\HTC HD2 Backups\Drag&Drop\HD2yyy20120321\Storage Card\Multimedia Sync by doubleTwist.exe (Trojan.Backdoor.MRX) -> No action taken.

F:\Puggs_Backup\Seagate\Seagate FreeAgent GoFlex\Disk 13\Seagate\SeagateDashboard\SeagateDashboard.exe (Trojan.Backdoor.MRX) -> No action taken.

F:\Puggs_Backup\Seagate\Seagate FreeAgent GoFlex\Disk 13\Seagate\SeagateDashboard\Products\Memeo_Instant_Backup_Setup.exe (Trojan.Backdoor.MRX) -> No action taken.

F:\Puggs_Backup\Seagate\Seagate FreeAgent GoFlex\Disk 13\Seagate\SeagateDashboard\Products\Memeo_Send_Setup.exe (Trojan.Backdoor.MRX) -> No action taken.

F:\Puggs_Backup\Seagate\Seagate FreeAgent GoFlex\Disk 13\Seagate\SeagateDashboard\Products\Memeo_Share_Setup.exe (Trojan.Backdoor.MRX) -> No action taken.

F:\Puggs_Backup\Seagate\Seagate FreeAgent GoFlex\Disk 13\Seagate\SeagateDashboard\Products\Memeo_Sync_Setup.exe (Trojan.Backdoor.MRX) -> No action taken.

(end)

MBAM-log-2013-02-16 (12-18-41) 8 detections after updating mbam db.txt

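As an added example (not code from this thread, nor from Malwarebytes), the following Python script parses the two detection-line formats quoted in the posts above, the protection-log lines ("... DETECTION <path> <signature> <action>") and the scan-report lines ("<path> (<signature>) -> <action>."), then groups the detections by signature and by whether the file name looks like an installer, uninstaller or one-shot update helper, which is the pattern shared by the reported false positives. The name fragments it checks are an assumed triage heuristic, not a vendor rule: a match only marks a file as a candidate for verification (hash lookup, sample submission as Shadowwar asks for), not as clean. The sample lines embedded below are copied from the logs in this thread.

```python
"""Triage Malwarebytes detection lines by signature and by path pattern.

Added example for this thread; not Malwarebytes' own code. Handles the two
line formats quoted in the posts: protection-log lines and scan-report lines.
The installer/uninstaller name hints are an assumed heuristic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# "2013/02/15 19:56:16 +0100 HOST USER DETECTION <path with spaces> <sig> <action>"
PROTECTION_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) [+-]\d{4} "
    r"(?P<host>\S+) (?P<user>\S+) DETECTION (?P<path>.+) (?P<sig>\S+) (?P<action>\S+)$"
)
# "<path> (<sig>) -> <action>."  (greedy path copes with "Program Files (x86)")
SCAN_RE = re.compile(r"^(?P<path>.+) \((?P<sig>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumed heuristic: file-name fragments typical of installers, uninstallers
# and run-once update helpers. Every false positive reported in the thread
# falls in this group, but a match is only a hint, never proof of a clean file.
INSTALLER_HINTS = ("uninst", "setup", "install", "_runasuser", "drvsetup")

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
2013/02/15 19:56:16 +0100 ASUS-CHANTAL Chantal DETECTION C:\Program Files\7-Zip\Uninstall.exe Trojan.Backdoor.MRX QUARANTINE
2013/02/15 20:14:19 +0100 ASUS-CHANTAL Chantal DETECTION C:\Program Files\CCleaner\uninst.exe Trojan.Backdoor.MRX QUARANTINE
Files Detected: 3
C:\Program Files (x86)\GamesBar\uninst.exe (Trojan.Backdoor.MRX) -> No action taken.
C:\ProgramData\NVIDIA\Updatus\Packages\0000175b\drsupdate.14225440_RUNASUSER.exe (Trojan.Backdoor.MRX) -> No action taken.
F:\Program Files\McAfee\SiteAdvisor\Download\s1vo.1 (Trojan.Backdoor.MRX) -> No action taken.
"""


@dataclass
class Detection:
    path: str
    signature: str
    action: str
    timestamp: Optional[str] = None  # only protection-log lines carry one


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for either log format, or None for any other line."""
    line = line.rstrip()
    m = PROTECTION_RE.match(line)
    if m:
        return Detection(m["path"], m["sig"], m["action"], f"{m['date']} {m['time']}")
    m = SCAN_RE.match(line)
    if m:
        return Detection(m["path"], m["sig"], m["action"])
    return None


def parse_log(text: str) -> list:
    """Parse a whole log, silently skipping headers, counters and blank lines."""
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def is_installer_like(path: str) -> bool:
    """True when the file name (last path component) carries an installer hint."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return any(hint in name for hint in INSTALLER_HINTS)


def triage(detections) -> dict:
    """Count detections per signature and split them into installer-like
    candidates versus files that need a closer look before being trusted."""
    by_sig = Counter(d.signature for d in detections)
    installer_like = [d for d in detections if is_installer_like(d.path)]
    review = [d for d in detections if not is_installer_like(d.path)]
    return {"by_signature": by_sig, "installer_like": installer_like, "review": review}


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for sig, n in result["by_signature"].items():
        print(f"{sig}: {n} detection(s)")
    print(f"{len(result['installer_like'])} installer-like, {len(result['review'])} need review:")
    for d in result["review"]:
        print("  review:", d.path)
```

Run it on the full protection log or scan report exported from the console; any file that lands in the "review" list (such as the s1vo.1 download above, which matches no installer pattern) is the one to zip and submit for verification first, while the installer-like group is the set to keep in quarantine rather than delete until the vendor confirms the signature fix.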

Can you please zip and attach one of those files being detected. Also if you can run a scan in dev mode. Instructions are here: http://forums.malwarebytes.org/index.php?showtopic=3228

I wouldn't remove these yet. They aren't in memory, and I am pretty sure this is a false positive. I just need this extra info to narrow it down on my end. Also, please try to update one more time and rescan the F drive.


Sorry to be dense here, but how do I handle the open scan result window? If I leave it open (mbam scan result window) and scan in dev mode, will that be OK? To zip, do I buy WinZip from winzip.com, or is something built into Win 7, or ...?


You just right-click the file and hit Send to > Compressed. Then attach the file like you did the log. If you can get me one of the files, at least, that should be what I need.


Corrected post with additional question (sorry, working from alternate device away from computer):

Sorry to be dense here, but how do I handle the open scan result window? If I leave it open and scan in dev mode, will that be OK? Or are you suggesting I click Ignore? To zip, do I buy WinZip from winzip.com, or is something built into Win 7, or ...? Also, to be prudent, should I not use the computer until this is worked out?


Sorry, Rich. I am getting confused here. Here is a second affected file. Please use this one instead.

In the first one I sent, I thought I had compressed s1vo.1, but I see that the zip file is s1vo. Since the folder contains two files, s1vo (7 KB uncompressed) and s1vo.1 (3550 KB uncompressed), I am wondering if I accidentally compressed the wrong (and therefore unaffected) file. However, it may be that the compression doesn't completely use the original file name. At any rate, please use the file I have sent here (Memeo_Sync_Setup).

Memeo_Sync_Setup.zip
