***False positive Trojan.Downloader.ED***

Where is the revised tool which handles WinSXS restores?

I have a customer's 64-bit Vista laptop that had 2,800 .dll and .exe files quarantined today.

I was barely able to get it working again enough to reinstall MBAM, but after "Restore All" on the Quarantine tab, it still shows over 2,400 files. When I reboot, many programs still say their DLL and EXE files are missing.


As of midnight, the fix tool fixed a 2008 R2 Remote Desktop Server that restoring "All" from the MBAM GUI did not. The symptom was that I could not login to the server in normal mode until running the fix tool.

Thanks for addressing the problem so fast, but I'm not looking forward to tomorrow morning with the Pro version installed on 200 machines.


@MikeRepairsComputers, check post #28. This is working for us, but we would like to see a revision that will write a log file stating success/failure of the release from quarantine.


Thanks, I ran the file from post #28 and the number went from 2,400+ down to 1,400+. Many of the remaining files are the same file path/file duplicated 20 times or more. It would be nice to have an informative log file.


From post 28, you can run:

fixtook /quarantine -list

Copy/paste the output into Excel and remove the duplicates.

My company is working on a PowerShell script to identify which machines need to be hit. The script is very slow, but looks at every machine to see if there was a quarantined file today. With that list we then know which machines need to be touched, and have the tool run.


OK... so I don't understand much of this... all I know is I have Windows 7 Professional, 64-bit, and did the install of some mbam-setup-1.75.0.1300 deal... then did an unquarantine that left 1,737 files in quarantine, and now when I restart my computer I get a message that says "qbupdate.exe - System Error: The program can't start because COMCTL32.DLL is missing from your computer. Try reinstalling the program to fix this problem."

Everything else so far seems to be working OK, but I am sure this shouldn't continue to pop up every time I start my computer... and I'm not sure if I should worry about the 1,737 files still quarantined... I haven't opened Malwarebytes again... and I'm not sure I want to...

Now, keep in mind, if there is a fix for this, I need slow, step by step instructions as reading all this has been like taking a foreign language class... :/


Greetings,

I'm sorry that you've had this problem. Please do the following and it should correct any remaining issues you're having:

Use the Malwarebytes Anti-Malware False Positive Fix Tool:

  • Make certain you are logged in as an administrator.
  • Download the Malwarebytes Anti-Malware FP Fix Tool from here and save it to a convenient location such as your desktop.
  • Extract all of the files to a folder and run RunThis.bat. NOTE: Windows Vista, Windows 7 and Windows 8 users must right-click on the file and choose Run as Administrator, then click Yes or Continue at any User Account Control prompts.
  • Restart your system and verify that it is now working properly.


Nope :/ still get the same error message after restarting... any other ideas?

I'm sorry to hear that. Please contact Support via this link and they will work with you directly on getting your system back in proper working order.

Thank you


I don't know if this will work for anyone else. I exited Malwarebytes and then used System Restore in System Tools to restore my system to a previous date. If you have any documents open, save and close them first. I am using Windows XP, but you can use System Restore on any version.


It will work for some but not everyone. On some systems, and particularly those where the user thought it was a real infection and allowed MBAM to actually delete files, critical system files, it actually breaks the operating system, sometimes just parts of it but sometimes completely hoses it, like Danny's computer. I, myself, was lucky in that I caught the FPs immediately after my MBAM downloaded the database and started running a flash scan. After all, I had just reinstalled on Saturday, and I haven't had a real virus infection on any of my personal machines in almost 6 years, IIRC, lol. I knew it wasn't true.

Still, though, it's worth a shot - any user that can fix his/her own system is one less person that support has to contend with tonight, and that will help ease their burdens and allow them to better take care of those already in the queues.


What are you expecting it to do? When I ran it, it didn't even write a log file, but it ran as a command-line operation in a cmd window and restored my files, which were already restored; I was just making sure.

We've been working directly with Support to modify the EXEs tonight.

Our scenario is different from home users' in that we have 500 machines to touch. We are using PowerShell to identify which machines are affected where possible. Once remediation occurs, we want a log file that can be audited so that our ISD can proactively reach out to specific users in the morning.

It looks like we have 30 machines that are down hard and 100 machines or so that are in some state of recoverability.

We are hitting these targeted machines first, but have some challenges, as PsExec does not work.

Version mbam-repair-1.00.0.1000 worked for many files, but not all. It did not restore WinSxS files.

Version mbam-repair-1.01.0.1000 restored more files, but did not leave a log of success/failure.

Version mbam-repair-1.02.0.1000 attempts to write to a log, but there is an error in the logic, and it writes an empty log.

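The two enterprise posts above describe the same need from two sides: a PowerShell sweep to find which machines took quarantine hits today, and an auditable log of the result per host so that ISD can follow up. The script below is an added example written for this page, not the poster's script and not Malwarebytes' repair tool. It assumes that MBAM 1.x stores quarantine items as .quar files under ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine (or the Documents and Settings equivalent on XP), and that the admin C$ share is reachable from the account running it; neither assumption is confirmed by the thread, and the hostname list file and CSV path are illustrative. It deliberately uses only SMB, since PsExec and WinRM are exactly what tends to be unavailable on half-broken hosts.

```powershell
# Added example, not code from the thread or from Malwarebytes: survey a list of
# machines for Malwarebytes quarantine files written today and record the result
# in a CSV that can be audited and re-run after the repair tool has been pushed.
#
# Assumptions (labelled, not confirmed by the thread):
#   - MBAM 1.x keeps quarantine items as *.quar files under
#       ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine      (Vista and later)
#       Documents and Settings\All Users\Application Data\Malwarebytes\...  (XP)
#   - the account running this has admin rights and the C$ share is reachable
#     (no WinRM or PsExec needed, which matters on half-broken hosts).
param(
    [string]$ComputerList = ".\computers.txt",            # one hostname per line (assumed input)
    [string]$LogPath      = ".\mbam-quarantine-audit.csv"
)

$QuarCandidates = @(
    "ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine",
    "Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine"
)
$Today   = (Get-Date).Date
$Results = @()

foreach ($Computer in (Get-Content $ComputerList | Where-Object { $_.Trim() })) {
    $Row = New-Object PSObject -Property @{
        Checked     = Get-Date -Format s
        Computer    = $Computer
        Reachable   = $false
        QuarDir     = ""
        QuarTotal   = 0
        QuarToday   = 0
        NeedsRepair = $false
        Error       = ""
    }

    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        $Row.Error = "no ping reply; may be down hard"
        $Results += $Row
        continue
    }
    $Row.Reachable = $true

    # Pick whichever quarantine folder exists on that host (XP vs Vista+ layout).
    $QuarDir = $QuarCandidates |
        ForEach-Object { "\\$Computer\C$\$_" } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1

    if (-not $QuarDir) {
        $Row.Error = "quarantine folder not found via C$ (share blocked or MBAM not installed)"
        $Results += $Row
        continue
    }
    $Row.QuarDir = $QuarDir

    try {
        $All   = @(Get-ChildItem -Path $QuarDir -Filter *.quar -ErrorAction Stop)
        $Fresh = @($All | Where-Object { $_.LastWriteTime -ge $Today })
        $Row.QuarTotal   = $All.Count
        $Row.QuarToday   = $Fresh.Count
        $Row.NeedsRepair = ($Fresh.Count -gt 0)
    } catch {
        $Row.Error = $_.Exception.Message
    }
    $Results += $Row
}

# One CSV with every host, so the hit list and the hosts that could not be
# checked at all (usually the ones that are down hard) end up in the same record.
$Results |
    Select-Object Checked, Computer, Reachable, QuarDir, QuarTotal, QuarToday, NeedsRepair, Error |
    Export-Csv -Path $LogPath -NoTypeInformation

# Console summary: the hosts to push the repair tool to first.
$Results | Where-Object { $_.NeedsRepair } | Format-Table Computer, QuarToday, QuarTotal -AutoSize
```

Run it once before pushing the repair tool and once after, keeping both CSVs: a host whose QuarToday count drops to zero released everything, while a non-zero remainder is what the tool failed to release (bearing in mind the duplicates mentioned earlier in the thread). The script counts .quar files only and does not decode what is inside them, so it tells you which machines to touch, not which original paths are still missing.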

If the remote boxes are still up and reachable via UNC, then you should be able to simply copy files directly to them from a working machine.

Normally in a work environment most of the computers are running the same service pack and the same, or close to the same, Windows Update level.

Map a drive via UNC to the remote computer, OR just run a remote copy if you have admin rights on the remote system.

Example:

COPY C:\WINDOWS\SYSTEM32\OLEACC.DLL \\COMPUTER1\C$\Windows\System32

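Copying a system DLL from one machine to another over the C$ share works, but the post above also hints at why it is risky: it only makes sense when the two machines are at the same service pack and update level, and you do not want to overwrite a file that is already there with something different without noticing. The script below is an added example written for this page, not code from the poster or from Malwarebytes, that wraps the same COPY in the checks an admin would want first: same OS build, service pack and bitness on both ends (over WMI, skipped only on explicit request when WMI is blocked), a SHA-256 comparison before and after the copy, and an audit log line per host and file. It assumes admin rights on the target, a reachable C$ share, and a file that lives in System32; files under WinSxS are owned by TrustedInstaller and are deliberately not handled here. The computer name, file name and log path are illustrative parameters.

```powershell
# Added example, not code from the thread: the "copy the DLL from a known-good machine"
# approach, with the checks an admin should make before overwriting a file on a
# remote system. Assumptions: admin rights on the target, C$ share reachable, and the
# missing file lives in System32. WinSxS is owned by TrustedInstaller and is not touched.
param(
    [Parameter(Mandatory=$true)][string]$Computer,   # e.g. COMPUTER1
    [Parameter(Mandatory=$true)][string]$FileName,   # e.g. oleacc.dll or comctl32.dll
    [string]$LogPath = ".\dll-push.log",
    [switch]$Force                                   # overwrite a target that differs / skip WMI check
)

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4; this runs on the PowerShell 2 boxes of the era.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { return ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$Source = Join-Path $env:SystemRoot "System32\$FileName"
$Target = "\\$Computer\C$\Windows\System32\$FileName"
if (-not (Test-Path $Source)) { throw "No $Source on this machine to copy from" }

# 1. Same OS build, service pack and bitness? A DLL from a different update level may
#    load but break callers; a 32-bit DLL dropped into a 64-bit System32 will not load.
$Remote = $null
try {
    $Remote = Get-WmiObject Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
} catch {
    if (-not $Force) { throw "WMI to $Computer failed ($($_.Exception.Message)); rerun with -Force to skip the build check" }
    Write-Warning "Skipping OS build comparison for $Computer"
}
if ($Remote) {
    $Local = Get-WmiObject Win32_OperatingSystem
    foreach ($p in "BuildNumber", "ServicePackMajorVersion", "OSArchitecture") {
        if ($Local.$p -ne $Remote.$p) {
            throw "$p differs: local=$($Local.$p) remote=$($Remote.$p); do not copy"
        }
    }
}

# 2. Is the source what we think it is? Many Windows files are catalog-signed, which
#    older PowerShell reports as NotSigned, so this is a warning rather than a gate.
$Sig = Get-AuthenticodeSignature $Source
if ($Sig.Status -ne "Valid") {
    Write-Warning "Source $FileName has no valid embedded signature (status $($Sig.Status)); confirm the hash against another clean machine"
}
$SrcHash = Get-Sha256Hex $Source
$SrcVer  = (Get-Item $Source).VersionInfo.FileVersion

# 3. Never overwrite silently: if the target already has the file, compare first.
$Action = "copied"
if (Test-Path $Target) {
    if ((Get-Sha256Hex $Target) -eq $SrcHash) {
        $Action = "already identical, nothing done"
    } elseif (-not $Force) {
        throw "$Target exists with a different hash; inspect it or rerun with -Force"
    } else {
        $Action = "replaced existing file"
    }
}
if ($Action -ne "already identical, nothing done") {
    Copy-Item -Path $Source -Destination $Target -Force
    # 4. Verify the bytes that landed, not just that Copy-Item returned.
    if ((Get-Sha256Hex $Target) -ne $SrcHash) { throw "Hash mismatch after copy to $Target" }
}

# 5. One auditable record per host and file: timestamp, host, file, version, hash, action.
Add-Content -Path $LogPath -Value ("{0},{1},{2},{3},{4},{5}" -f (Get-Date -Format s), $Computer, $FileName, $SrcVer, $SrcHash, $Action)
Write-Host "$Computer $FileName : $Action (version $SrcVer)"
```

Call it once per host and file, for example `.\push-dll.ps1 -Computer COMPUTER1 -FileName oleacc.dll`, from a machine at the same patch level as the fleet. The build check is a hard stop by design: a file that looks right by name but comes from a different update level is the kind of "repair" that produces a second outage a week later.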

This does not work for WinSxS.


On one Win 7 64-bit computer, I deleted the remaining Quarantine items after "Restore All" had left leftovers. Now I worry that some WinSxS files may be missing from my system. Is that true? Is there a way to repair that? Could this cause Windows Update errors/failures now?

Note to self: Do not delete the remaining Quarantine Items!


It will work for any folder that you have admin rights on. You might need to take ownership, but otherwise it will copy the files.


I was worried that some WinSxS files would be missing from my system, but then I looked at the MBAM log, and when it tried to quarantine them it had an "Error: could not delete file, code 5", so they were still there. I examined a few and they were still there. Yeah!


The solution offered worked for me; the system is working again. As you can imagine, I really don't want this to happen again and wonder if switching off the option "Automatically quarantine filesystem threats detected..." is the best thing to do?


I restored a friend's PC tonight by disconnecting from the Internet and using Acronis True Image. I then disabled Malwarebytes until the problem is solved and MWB is safe to update again.
