Trojan.Backdoor.MRX FP?


Fom

OK, thanks Rich, looking good. I updated by right-clicking on the mbam icon in the system tray and got v. 2013.02.16.07. I scanned these 8 files and nothing was detected. Yay! So should I now click ignore on the scan result page? I'd prefer to click remove if that is OK (this disk isn't a boot disk, it used to be my boot disk, but I moved it from being my C: (boot) drive to my secondary drive, F: (non-boot), when I went from Vista to Win 7). Also, what about that one file that got quarantined yesterday? I don't know if it is on the F: drive or not until I navigate away from this scan result page.


  • Staff

If you remove, you are removing valid files and won't be able to reinstall those programs if needed without redownloading them. You can just close Malwarebytes if you don't want to delete. If you go to the Quarantine tab and click on the file with the MRX vendor name you can then hit the Restore button to put it back where it goes.


Thanks, Rich. I think I am good to go. I am in the middle of a big clean up of disks and folders and was going to be deleting those folders from my F drive anyway.

I looked in quarantine and the original file that got quarantined (prior to the 8 we just worked on) was from my C drive but, since I plan to get rid of this computer in a short time and since I have an idea of what that file does (uninstalls something I don't need but isn't bothering me), I think I'll just let it lie. I appreciate your help. Have a good weekend!


I'm wondering whether I too am affected by this problem. Malwarebytes came up with a message during live operation: c:\Programfiles(x86)Eusing Free Registry Cleaner\RegCleaner.exe Trojan.FakeRP

It quarantined it, then I deleted it in haste and the message came up again, but this time said SDKQuarantine Failed Error code 2. I have just run Spybot, latest version, and nothing found, and also Avast has not come up with anything. Please can someone advise what to do next? I have just run a full scan with Malwarebytes and nothing has been detected.


  • Root Admin

@ Ron

I finally decided to do a complete restore of the computer from a backup that was 10 days old. It meant installing a lot of updates again but, I think, in the end it is the most efficient way. You can do it with the brain in neutral.

All uninstall.exe files that I could not restore from MBAM quarantine are back on the computer.

Problem solved and it shows once more how important regular backups are.

Greetings.

Okay, thanks for the follow-up. If you do need further assistance please go ahead and open a new topic in the General forum and we'll assist you.

Thanks


Suddenly get the message something like: 'starting dangerous file blocked - uninstall.exe'. c:\program files\ccleaner\uninstell.exe - Trojan.Backdoor.MRX

I did no scan but found no startup entry in registry either.

Is it a false positive, did it not try to start, or did it, and where is the start task or registry entry?

What does Malwarebytes know about these uninstall.exe?

No other AV classified it as Trojan, but that must not show the truth.


Malwarebytes Anti-Malware (PRO) 1.61.0.1400

www.malwarebytes.org

Datenbank Version: v2013.02.18.11

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Administrator :: MY-PC [Administrator]

Schutz: Aktiviert

18.02.2013 23:43:47

mbam-log-2013-02-18 (23-47-40).txt

Art des Suchlaufs: Quick-Scan

Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM

Deaktivierte Suchlaufeinstellungen: P2P

Durchsuchte Objekte: 213865

Laufzeit: 1 Minute(n), 10 Sekunde(n)

Infizierte Speicherprozesse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0

(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0

(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 1

C:\Program Files (x86)\Router (Trojan.Downloader) -> Keine Aktion durchgeführt.

Infizierte Dateien: 4

C:\Program Files (x86)\Router\Router***.bat (Trojan.Downloader) -> Keine Aktion durchgeführt.

C:\Program Files (x86)\Router\Router***.vbs (Trojan.Downloader) -> Keine Aktion durchgeführt.

C:\Program Files (x86)\Router\Router***.bat (Trojan.Downloader) -> Keine Aktion durchgeführt.

C:\Program Files (x86)\Router\Router***.vbs (Trojan.Downloader) -> Keine Aktion durchgeführt.

(Ende)

Found nothing, the router scripts are my own telnet files.


  • Root Admin

Can you please run the quick scan again with the /developer switch and post the new log.

MBAM.EXE /DEVELOPER

Also as long as there is nothing proprietary in the files can you either attach or PM me a zipped copy so that we can ensure we remove the detection and verify what caused it to be detected.

Thanks


susanpl wrote

--------------------------------

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 913021504

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/15/2013 4:37:01 AM

mbam-log-2013-02-15 (04-37-01).txt

This is unrelated to this FP detection, per se, and please do pardon my intrusion in the topic....

Hi, Susanpl: It appears that you are running a rather ancient version of MBAM, with what may well be a similarly ancient version of the database. :)

Since your version is rather far behind the current version (with its new database numbering system), it would probably be a good idea to cleanly upgrade to the current version (1.70).

Please follow the steps for Method 2 in this pinned forum topic: MBAM Clean Removal Process

If you have any problems with the upgrade, please feel free to start a new topic in the General section of the forum >>HERE<<, and someone will be more than happy to help you.

Cheers,

daledoc1


NoRogue wrote

--------------------------------

Malwarebytes Anti-Malware (PRO) 1.61.0.1400

www.malwarebytes.org

Datenbank Version: v2013.02.18.11

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Administrator :: MY-PC [Administrator]

Schutz: Aktiviert

18.02.2013 23:43:47

mbam-log-2013-02-18 (23-47-40).txt

Sorry to intrude again -- please pardon me. :)

However, it appears that NoRogue is also running a somewhat outdated version of MBAM (although with the current detection database)?

I don't know if this contributes in any way to the ongoing FP detections discussed here in this thread, but I thought I would mention it, in case NoRogue would like to update to the current version, 1.70. :)

Cheers,

daledoc1


daledoc1 wrote

--------------------------------

Sorry to intrude again -- please pardon me. :)

However, it appears that NoRogue is also running a somewhat outdated version of MBAM (although with the current detection database)?

I don't know if this contributes in any way to the ongoing FP detections discussed here in this thread, but I thought I would mention it, in case NoRogue would like to update to the current version, 1.70. :)

Cheers,

daledoc1

Thanks daledoc1, my update box for the version was unchecked. Here is the log with developer option.

AdvancedSetup, where should I send the ZIP file?

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Datenbank Version: v2013.02.19.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Administrator :: MY-PC [Administrator]

Schutz: Aktiviert

19.02.2013 09:14:45

MBAM-log-2013-02-19 (09-15-57).txt

Art des Suchlaufs: Quick-Scan

Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM

Deaktivierte Suchlaufeinstellungen: P2P

Durchsuchte Objekte: 215416

Laufzeit: 1 Minute(n), 5 Sekunde(n)

Infizierte Speicherprozesse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0

(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0

(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 1

C:\Program Files (x86)\Router (Trojan.Downloader) -> Keine Aktion durchgeführt. [349b2d6ef576ca6c0d594f9dac555fa1]

Infizierte Dateien: 4

C:\Program Files (x86)\Router\Router***.bat (Trojan.Downloader) -> Keine Aktion durchgeführt. [349b2d6ef576ca6c0d594f9dac555fa1]

C:\Program Files (x86)\Router\Router***.vbs (Trojan.Downloader) -> Keine Aktion durchgeführt. [349b2d6ef576ca6c0d594f9dac555fa1]

C:\Program Files (x86)\Router\Router***.bat (Trojan.Downloader) -> Keine Aktion durchgeführt. [349b2d6ef576ca6c0d594f9dac555fa1]

C:\Program Files (x86)\Router\Router***.vbs (Trojan.Downloader) -> Keine Aktion durchgeführt. [349b2d6ef576ca6c0d594f9dac555fa1]

(Ende)

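For anyone triaging a false-positive report like the ones in this thread, the two logs above show the shape of an MBAM detection line: path, detection name in parentheses, an action after "->", and, when the scan was run with the /developer switch as AdvancedSetup asked, a bracketed identifier at the end (the same one on all five Router lines above). The following is an added example, not code from the thread or from Malwarebytes: a small Python parser for lines of that shape, with a summary that groups hits by detection name and collects the identifiers. The sample log is constructed for this example (the Router lines follow the posted log; the CCleaner line is made up to show the older format without an identifier).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two MBAM logs quoted in this thread:
# a German-locale Quick-Scan run with /developer, where each detection line
# carries a bracketed 32-hex-digit identifier, plus one line in the older
# shape without that identifier. The CCleaner line is constructed for
# illustration (the thread names that file but posts no log for it).
SAMPLE_LOG = r"""
Infizierte Verzeichnisse: 1

C:\Program Files (x86)\Router (Trojan.Downloader) -> Keine Aktion durchgeführt. [349b2d6ef576ca6c0d594f9dac555fa1]

Infizierte Dateien: 3

C:\Program Files (x86)\Router\Router***.bat (Trojan.Downloader) -> Keine Aktion durchgeführt. [349b2d6ef576ca6c0d594f9dac555fa1]
C:\Program Files (x86)\Router\Router***.vbs (Trojan.Downloader) -> Keine Aktion durchgeführt. [349b2d6ef576ca6c0d594f9dac555fa1]
C:\Program Files\CCleaner\uninstall.exe (Trojan.Backdoor.MRX) -> Keine Aktion durchgeführt.

(Ende)
"""

# One detection line: <path> (<detection name>) -> <action> [<id>]
# The path may itself contain parentheses ("Program Files (x86)"), so the
# name group is anchored on the ") -> " that follows it; the id is optional
# because logs taken without /developer do not carry it.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)"
    r"(?: \[(?P<id>[0-9a-fA-F]{32})\])?\s*$"
)


def parse_detections(log_text):
    """Return one dict per detection line; header and summary lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())  # "id" is None when /developer was not used
    return hits


def summarize(detections):
    """Group hits by detection name: how many paths, and which identifiers fired."""
    summary = defaultdict(lambda: {"count": 0, "ids": set(), "paths": []})
    for d in detections:
        entry = summary[d["name"]]
        entry["count"] += 1
        entry["paths"].append(d["path"])
        if d["id"]:
            entry["ids"].add(d["id"].lower())
    # sets -> sorted lists so the result is stable and easy to compare
    return {name: {**e, "ids": sorted(e["ids"])} for name, e in summary.items()}


if __name__ == "__main__":
    for name, e in summarize(parse_detections(SAMPLE_LOG)).items():
        ids = e["ids"] or ["(none; rerun with /developer)"]
        print(f"{name}: {e['count']} hit(s), identifiers {ids}")
        for p in e["paths"]:
            print("   ", p)
```

A single identifier shared by every line under one detection name, as in the posted log, is the useful thing to pull out before sending an FP report: it tells the researcher which one entry to look at, and the path list tells them which user files to ask for.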

NoRogue wrote

--------------------------------

>Suddenly get the message something like: 'starting dangerous file blocked - uninstall.exe'. c:\program files\ccleaner\uninstell.exe - Trojan.Backdoor.MRX

>I did no scan but found no startup entry in registry either.

>Is it a false positive, has it didn't try starting or does it and where is the start task or registry entry.

>What does Malwarebytes know about these uninstall.exe?

>No other AV classified it as Trojan, but that must not show the truth.

Thanks miekiemoes, but my first matter was the uninstall.exe: Malwarebytes suddenly stopped it from launching (MBAM told me), but I couldn't find any task or launch entry in the registry. Does Malwarebytes have more information about this exe file, and has it really tried to start up?


  • Staff

Yes, that was a false positive and has been resolved already. It doesn't require a startup reference for MBAM to detect something, though.

Either way, you can dequarantine again.

In case you already deleted it from quarantine, no damage was done here, as the main program will still run. It's only the uninstaller that got deleted here (which you will get back if you reinstall the program again).
