False Positive detection(s) with latest update...


1972vet

Heads up ...

On bootup this morning, MBAM suddenly decides my video editing tool and browser protection software contain infected uninstaller(s):

DETECTION D:\Windows\Installer\SandboxieInstall32.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 03:35:45 -0600 DAVE-PC Dave MESSAGE Executing scheduled update: Daily

2013/02/15 03:35:53 -0600 DAVE-PC Dave MESSAGE Starting protection

2013/02/15 03:35:53 -0600 DAVE-PC Dave MESSAGE Protection started successfully

2013/02/15 03:35:53 -0600 DAVE-PC Dave MESSAGE Starting IP protection

2013/02/15 03:36:15 -0600 DAVE-PC Dave MESSAGE Scheduled update executed successfully: database updated from version v2013.02.14.03 to version v2013.02.15.04

...

2013/02/15 03:43:04 -0600 DAVE-PC Dave DETECTION D:\Program Files\Avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 03:43:19 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 03:43:20 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

2013/02/15 03:43:22 -0600 DAVE-PC Dave DETECTION d:\windows\installer\sandboxieinstall32.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 03:43:22 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

2013/02/15 03:44:45 -0600 DAVE-PC Dave DETECTION d:\windows\installer\sandboxieinstall32.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 03:44:45 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

2013/02/15 03:44:46 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 03:44:46 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

2013/02/15 05:37:18 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 05:37:19 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

2013/02/15 05:46:03 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 05:46:04 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

2013/02/15 05:48:47 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

2013/02/15 05:48:47 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

...so I assume there will be other users concerned about this as I'm sure there are plenty of SandBoxie users. And by the way, this wasn't from a manual or scheduled scan, it was just from having MBAM's real time protection active. Looks too, from the log, that the quarantine failed but those files are indeed quarantined and the associated registry keys are (at present) orphaned.

For those who may be "CCleaner" users and who routinely clean out orphaned registry keys: if you are a SandBoxie or "Avidemux" user and have run CCleaner (or maybe some other reg hacker), those registry keys undoubtedly would have been presented as orphaned and safe to remove. However, if you had done that, your MBAM quarantine folder will only restore the file...not those reg keys, so in the unlikely event that we have any users with this type of scenario, those couple pieces of software will need to be reinstalled. Just one more good reason why one should NOT be using such registry "cleaning" programs.

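The protection log above has a recognizable shape: a burst of the same threat name on uninstaller binaries within minutes of a database update, each followed by a "Quarantine failed" error. The following Python is an added example, not code from the post or from Malwarebytes; it parses lines in the log format quoted above (a constructed sample, re-typed from the post, is embedded) and flags that pattern so the hits can be reviewed before anything is deleted from quarantine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the MBAM 1.x protection log quoted above;
# the paths and versions are the ones in the post, re-typed here for the example.
SAMPLE_LOG = """\
2013/02/15 03:36:15 -0600 DAVE-PC Dave MESSAGE Scheduled update executed successfully: database updated from version v2013.02.14.03 to version v2013.02.15.04
2013/02/15 03:43:04 -0600 DAVE-PC Dave DETECTION D:\\Program Files\\Avidemux 2.5\\uninstall.exe Trojan.Backdoor.MRX QUARANTINE
2013/02/15 03:43:20 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2
2013/02/15 03:43:22 -0600 DAVE-PC Dave DETECTION d:\\windows\\installer\\sandboxieinstall32.exe Trojan.Backdoor.MRX QUARANTINE
2013/02/15 03:43:22 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2
"""

# timestamp, UTC offset, host, user, level, free-text message
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4} \S+ \S+ "
                     r"(?P<level>MESSAGE|DETECTION|ERROR) (?P<msg>.*)$")
UPDATE_RE = re.compile(r"database updated from version \S+ to version (\S+)")
DETECT_RE = re.compile(r"^(?P<path>.+?) (?P<threat>\S+) (?P<action>\S+)$")  # path may contain spaces
INSTALLER_RE = re.compile(r"(un)?inst(all)?[^\\]*\.exe$", re.IGNORECASE)   # uninstall.exe, uninst.exe, ...install32.exe

def parse(log_text):
    """Yield (timestamp, level, message) for each well-formed line; ignore the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["level"], m["msg"]

def suspect_false_positives(log_text, window_minutes=30):
    """Return {threat: summary} for threat names whose detections all land within
    window_minutes after a database update and all hit installer/uninstaller
    binaries: the shape of a bad signature rather than of an infection."""
    window = timedelta(minutes=window_minutes)
    last_update = None            # (time, new db version) of the latest update
    pending = None                # threat of the latest DETECTION, so a following ERROR is attributed to it
    seen = defaultdict(lambda: {"db_version": None, "paths": [], "quarantine_errors": 0})
    for ts, level, msg in parse(log_text):
        if level == "MESSAGE" and (u := UPDATE_RE.search(msg)):
            last_update = (ts, u.group(1))
        elif level == "DETECTION" and (d := DETECT_RE.match(msg)):
            if last_update is None or ts - last_update[0] > window:
                continue          # detection not tied to a fresh update; out of scope here
            pending = d["threat"]
            seen[pending]["db_version"] = last_update[1]
            seen[pending]["paths"].append(d["path"])
        elif level == "ERROR" and pending and msg.startswith("Quarantine failed"):
            seen[pending]["quarantine_errors"] += 1
    return {t: s for t, s in seen.items()
            if len(s["paths"]) >= 2 and all(INSTALLER_RE.search(p) for p in s["paths"])}
```

A flagged entry is a prompt to restore the files only after the next database version no longer detects them, which is exactly the manual re-check the thread goes on to describe.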

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Veritabanı sürümü: v2013.02.15.04

Windows 8 x86 NTFS

Internet Explorer 10.0.9200.16466

Koruma: Devre dışı

15.02.2013 12:34:42

MBAM-log-2013-02-15 (14-17-58).txt

Tarama kipi: Derin tarama (C:\|D:\|F:\|)

Devrede olan tarama ayarları: Hafıza | Başlangıç | Kayıt defteri | Dosya Sistemi | Sezgisel/Ek | Sezgisel/Shuriken | PUP | PUM

Devre dışı olan tarama ayarları: P2P

Taranmış öğeler: 419556

Geçen süre: 1 saat, 42 dakika, 23 saniye

Bulunan Hafıza İşlemleri: 0

(Zararlı öğe tespit edilmedi)

Bulunan Hafıza Modülleri: 0

(Zararlı öğe tespit edilmedi)

Bulunan Kayıt Anahtarları: 5

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gaming Mouse (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HUAWEI DataCard Driver (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPE (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GOM Player (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VINN (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

Bulunan Kayıt Değerleri: 0

(Zararlı öğe tespit edilmedi)

Bulunan Veri Öğeleri: 0

(Zararlı öğe tespit edilmedi)

Bulunan Klasörler: 0

(Zararlı öğe tespit edilmedi)

Bulunan Dosyalar: 27

C:\Program Files\Comodo\GeekBuddy\lps-cspm\components\core\component-2\uninstall.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Program Files\Comodo\GeekBuddy\lps-cspm\components\core\component-3\uninstall.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Program Files\Comodo\GeekBuddy\lps-cspm\components\core\component-5\uninstall.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Program Files\Gaming Mouse\uninstall.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Program Files\HUAWEI Modem Driver\uninst.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Program Files\MyPhoneExplorer\uninstall.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Program Files\GRETECH\GomPlayer\Uninstall.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Program Files\SecurityXploded\ChromePasswordDecryptor\Uninstall.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Program Files\VINN\uninst.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\ProgramData\NVIDIA\Updatus\Packages\00000eaf\drsupdate.13728286_RUNASUSER.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\ProgramData\Comodo\lps4\temp\setup_clps_boot_time_monitor_release.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\ProgramData\Comodo\lps4\temp\setup_clps_boot_time_solver_release.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\ProgramData\Comodo\lps4\temp\setup_clps_boot_time_view_release.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\ProgramData\Comodo\lps4\temp\setup_clps_browser_addons_monitor_release.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\ProgramData\Comodo\lps4\temp\setup_clps_client_transaction_release.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\ProgramData\Comodo\lps4\temp\setup_clps_license_activator_functionality_release.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\ProgramData\Comodo\lps4\temp\setup_clps_windows_event_monitor_release.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Users\Alucard\Downloads\InternetTurboSetup__404-1369862.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Users\Alucard\Downloads\liveusb-creator-3.11.7-setup.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Users\Alucard\Downloads\vtuploader2.0.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Users\Alucard\Downloads\WebInstaller.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Users\Alucard\Downloads\LinuxLive USB Creator 2.8.16.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Users\Alucard\Downloads\ttnet_toolbar.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Users\Alucard\Downloads\Programs\gtk2153-setup.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Users\Public\Documents\COMODO\binaries\lps_migration_tool_3.3.246095.64.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\lps_migration_tool_3.3.246095.64[1].exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

C:\Games\There And Back\uninstall.exe (Trojan.Backdoor.MRX) -> Eylemde bulunulmadı.

(son)


Thanks for the report 1972vet,

The faulty signature that caused the F/p's has been removed from the database so the current database should no longer be producing these F/p's.

Please can you confirm that it is fixed.

I can confirm it is, now, no longer detected. Also I can't help thinking that it's already been suggested long ago, but this might be a good time to ask, just to be sure...and that is:

I wonder why MBAM doesn't have the capability to scan quarantined files from within the quarantined folder. It's possible, but not available with mbam. In order to check whether or not mbam's signature database update has resolved NOT to flag some legitimate program, a user needs to first restore the file from quarantine, then scan again. I would rather see a "Right-click" context menu option from the quarantined folder so a user can "re-scan" any quarantined file from there without having first to restore the alleged "infected" file.

Might sound silly to some, but I am certain there are countless folks who use mbam and who may routinely delete whatever is found in the quarantined folder without doing any research or having any instruction(s) to check these things out before they delete them. There is in fact, other protection software out there which will, by default, re-scan anything it finds in the quarantined folder and restore those items...mbam team players might want to consider writing this into the program as a "fully functioning" feature available with a paid license. This option, by the way, has proven to bring in more customers who actually DO want the convenience of a "hands off" approach to their protective software.


Hello

Some time ago I downloaded a video editing programme and scanned the file. Last night I installed it, scanning before and after installation, and got the all clear (Malwarebytes Pro, SuperAntiSpyware (free) and Kaspersky). This morning my scheduled Malwarebytes quick scan detected one Trojan and a subsequent full scan detected 15 more, all of them Trojan.Backdoor.MRX. I removed these items and they are currently in quarantine. In light of the recent announcement regarding false positives, should I restore these quarantined files?

Thank you for any advice
