***False positive Trojan.Downloader.ED***


Where is the revised tool which handles WinSXS restores?

I have a customer's 64 bit Vista laptop that had 2800 quarantined .dll and exe today.

I was barely able to get it working again enough to reinstall MBAM, but after "restore all" on the quarantine tab, it still has over 2400 files that still show. When I reboot, I still have many programs that say dll and exe are missing.

As of midnight, the fix tool fixed a 2008 R2 Remote Desktop Server that restoring "All" from the MBAM GUI did not. The symptom was that I could not login to the server in normal mode until running the fix tool.

Thanks for addressing the problem so fast, but I'm not looking forward to tomorrow morning with the Pro version installed on 200 machines.

From post 28, you can run:

fixtook /quarantine -list

copy/paste to Excel and reduce duplicates.

My company is working on a PowerShell script to identify which machines need to be hit. The script is very slow, but looks at every machine to see if there was a quarantined file today. With that list we then know which machines need to be touched, and have the tool run.


ok... so I don't understand much of this... all I know is I have windows 7 professional, 64 bit and did the install of some mbam-setup-1.75.0.1300 deal... then did an unquarantine that left 1737 files in quarantine and now when I restart my computer I get a message that says qbupdate.exe-system error: the program can't start because COMCTL32.DLL is missing from your computer. Try to reinstall to fix this problem.

Everything else so far seems to be working ok, but I am sure this shouldn't continue to pop up every time I start my computer... and I'm not sure if I should worry about the 1737 files still quarantined... I haven't opened Malware again... and not sure I want to...

Now, keep in mind, if there is a fix for this, I need slow, step by step instructions as reading all this has been like taking a foreign language class... :/


  • Staff

ok... so I don't understand much of this... all I know is I have windows 7 professional, 64 bit and did the install of some mbam-setup-1.75.0.1300 deal... then did an unquarantine that left 1737 files in quarantine and now when I restart my computer I get a message that says qbupdate.exe-system error: the program can't start because COMCTL32.DLL is missing from your computer. Try to reinstall to fix this problem.

Everything else so far seems to be working ok, but I am sure this shouldn't continue to pop up every time I start my computer... and I'm not sure if I should worry about the 1737 files still quarantined... I haven't opened Malware again... and not sure I want to...

Now, keep in mind, if there is a fix for this, I need slow, step by step instructions as reading all this has been like taking a foreign language class... :/

Greetings,

I'm sorry that you've had this problem. Please do the following and it should correct any remaining issues you're having:

Use the Malwarebytes Anti-Malware False Positive Fix Tool:

  • Make certain you are logged in as an administrator
  • Download the Malwarebytes Anti-Malware FP Fix Tool from here and save it to a convenient location such as your desktop
  • Extract all of the files to a folder and run RunThis.bat NOTE: Windows Vista, Windows 7 and Windows 8 users must right-click on the file and choose Run as Administrator and click Yes or Continue to any User Account Control prompts
  • Restart your system and verify that it is now working properly


I don't know if this will work for anyone else. I exited malwarebytes and then used System Restore in the system tools to restore my system to a previous date. If you have any documents open, save and close them first. I am using Windows XP but you can system restore on any.


It will work for some but not everyone - on some systems, and particularly those where the user thought it was a real infection and allowed MBAM to actually delete files, critical system files, it actually breaks the Operating System, sometimes just parts of it but sometimes completely hoses it like Danny's computer. I, myself, was lucky in that I caught the FPs immediately after my MBAM DLd the database and started running a flash scan - after all, I had just reinstalled on Saturday, and I haven't had a real virus infection on any of my personal machines in almost 6 years, IIRC lol. I knew it wasn't true.

Still, though, it's worth a shot - any user that can fix his/her own system is one less person that support has to contend with tonight, and that will help ease their burdens and allow them to better take care of those already in the queues.


What are you expecting it to do? When I ran it it didn't even write a log file, but it ran as a cmdline operation in a cmd window and restored my files - which were already restored, I was just making sure.

We've been working directly with support to modify the exe's tonight.

Our scenario is different than home users in that we have 500 machines to touch. We are using PowerShell to identify which machines are affected where possible. Once remediation occurs, we want a log file that can be audited so that our ISD can proactively reach out to specific users in the morning.

It looks like we have 30 machines that are down hard and 100 machines or so that are in some state of recoverability.

We are hitting these targeted machines first, but have some challenges as PsExec does not work.

Version mbam-repair-1.00.0.1000 worked for many files, but not all. Did not restore winsxs files.

Version mbam-repair-1.01.0.1000 restored more files, but did not leave a log of success/fail.

Version mbam-repair-1.02.0.1000 attempts to write to a log, but there is an error in the logic, and it writes an empty log.

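Two earlier posts describe the same enterprise need: a PowerShell sweep that checks every machine for files quarantined today so only affected hosts are touched, plus a log that can be audited afterwards. The script below is an added example written for this thread, not a script from the poster or from Malwarebytes. It assumes the hostnames are fed in from elsewhere (the three names are constructed placeholders), that the MBAM 1.x quarantine folder lives under `ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine` on the remote C: drive (an assumption; adjust for the build and OS in use), and that the account running it has admin-share access to the targets.

```powershell
# Added example (not from the thread or from Malwarebytes): sweep a list of machines,
# count files that landed in the MBAM quarantine today, and write an auditable CSV.
param(
    # Constructed placeholder hostnames; in practice read these from AD or a text file.
    [string[]]$Computers = @('WS-001', 'WS-002', 'RDS-01'),
    # Assumed MBAM 1.x quarantine folder (relative to the remote C: drive).
    [string]$QuarantineRelPath = 'ProgramData\Malwarebytes\Malwarebytes'' Anti-Malware\Quarantine',
    # Audit log consumed by the service desk the next morning.
    [string]$LogPath = "$env:TEMP\mbam-fp-affected.csv"
)

$today = (Get-Date).Date

$results = foreach ($c in $Computers) {
    $row = @{ Computer = $c; Reachable = $false; QuarantinedToday = 0; Error = '' }

    # Skip machines that are down hard; they need hands-on recovery, not a remote sweep.
    if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
        $row.Error = 'no ping reply'
        New-Object PSObject -Property $row | Select-Object Computer, Reachable, QuarantinedToday, Error
        continue
    }
    $row.Reachable = $true

    # Reach the quarantine folder through the C$ admin share.
    $share = "\\$c\C`$\$QuarantineRelPath"
    try {
        if (Test-Path $share) {
            $row.QuarantinedToday = @(Get-ChildItem -Path $share -Recurse -ErrorAction Stop |
                Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $today }).Count
        } else {
            $row.Error = 'quarantine folder not found (MBAM not installed, or a different path)'
        }
    } catch {
        # Access denied, share unreachable, etc. Record it rather than silently skipping.
        $row.Error = $_.Exception.Message
    }
    New-Object PSObject -Property $row | Select-Object Computer, Reachable, QuarantinedToday, Error
}

# Every machine gets a row, including unreachable ones, so the log is a complete audit record.
$results | Export-Csv -Path $LogPath -NoTypeInformation

# Print only the machines that actually need the fix tool run on them.
$results | Where-Object { $_.QuarantinedToday -gt 0 } | Select-Object Computer, QuarantinedToday
```

The file count is an approximation of the quarantine state (the tool's own `/quarantine -list` output is authoritative); the point of the script is to separate reachable-but-affected hosts from unaffected and unreachable ones and to leave a row per machine, since a log that only records successes is useless when the service desk needs to know who to call.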

  • Root Admin

If the remote boxes are up and running still via UNC then you should be able to simply copy files directly to them from a working machine.

Normally in a work environment most of the computers are running the same service pack and the same or close to the same Windows update levels.

Map a drive via UNC to the remote computer OR just run a remote copy if you have Admin rights on the remote system.

Example:

COPY C:\WINDOWS\SYSTEM32\OLEACC.DLL \\COMPUTER1\C$\Windows\System32


If the remote boxes are up and running still via UNC then you should be able to simply copy files directly to them from a working machine.

Normally in a work environment most of the computers are running the same service pack and the same or close to the same Windows update levels.

Map a drive via UNC to the remote computer OR just run a remote copy if you have Admin rights on the remote system.

Example:

COPY C:\WINDOWS\SYSTEM32\OLEACC.DLL \\COMPUTER1\C$\Windows\System32

This does not work for WinSXS

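The Root Admin's suggestion (copy known-good files from a working machine over the admin share) and the reply that it does not cover WinSXS can be combined into a logged version of that copy. The script below is an added example, not code from either poster or from Malwarebytes. It assumes a reference machine at the same service pack and update level, constructed placeholder hostnames and file names, and that the files under WinSXS are left to the fix tool rather than copied by hand, as the reply above states.

```powershell
# Added example (not from the thread): restore missing system files from a working
# reference machine over the C$ admin share, verify each copy by SHA-256, and log
# success/fail per file. Hostnames and the file list are constructed placeholders.
param(
    [string]$Reference = 'WS-GOOD',
    [string[]]$Targets  = @('WS-001', 'WS-002'),
    # Paths relative to the remote C: drive. Files are compared, never blindly overwritten.
    [string[]]$Files    = @('Windows\System32\oleacc.dll', 'Windows\System32\comctl32.dll',
                            'Windows\winsxs\example\comctl32.dll'),
    [string]$LogPath    = "$env:TEMP\mbam-fp-repair.csv"
)

# .NET hashing so this also runs on PowerShell 2.0 hosts (Get-FileHash needs 4.0).
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

$log = foreach ($t in $Targets) {
    foreach ($f in $Files) {
        $entry = @{ Computer = $t; File = $f; Status = ''; Detail = '' }
        $src = "\\$Reference\C`$\$f"
        $dst = "\\$t\C`$\$f"
        try {
            if ($f -match '^Windows\\winsxs\\') {
                # The component store cannot be repaired by plain file copy; leave it to the fix tool.
                $entry.Status = 'skipped'; $entry.Detail = 'WinSXS: not repairable by copy, use the fix tool'
            } elseif (Test-Path $dst) {
                # Present on the target: confirm it matches the reference, do not overwrite.
                if ((Get-Sha256 $src) -eq (Get-Sha256 $dst)) {
                    $entry.Status = 'ok'; $entry.Detail = 'already matches reference'
                } else {
                    $entry.Status = 'skipped'; $entry.Detail = 'differs from reference (check patch level)'
                }
            } else {
                # Missing on the target: copy and verify the copy landed intact.
                Copy-Item -Path $src -Destination $dst -ErrorAction Stop
                if ((Get-Sha256 $src) -eq (Get-Sha256 $dst)) {
                    $entry.Status = 'restored'
                } else {
                    $entry.Status = 'failed'; $entry.Detail = 'hash mismatch after copy'
                }
            }
        } catch {
            # Source missing, access denied, share down: record it instead of losing it.
            $entry.Status = 'failed'; $entry.Detail = $_.Exception.Message
        }
        New-Object PSObject -Property $entry | Select-Object Computer, File, Status, Detail
    }
}

# One row per (machine, file), so every outcome, not just the successes, is auditable.
$log | Export-Csv -Path $LogPath -NoTypeInformation
$log | Format-Table -AutoSize
```

Comparing hashes before and after the copy is what turns "the copy command ran" into a log entry someone can act on: a file that is present but differs from the reference points at a patch-level mismatch between the two machines, which is exactly the case the "same service pack and update level" advice above is guarding against.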

On one Win 7 64bit computer, I deleted the remaining Quarantine items after "Restore all" had left overs. Now I worry that some winsxs files would be missing in my system? Is that true? Is there a way to repair that? This could cause windows update errors/failures now?

Note to self: Do not delete the remaining Quarantine Items!
