***False positive Trojan.Downloader.ED***

Sadly a bootable option is currently out of the question. I've asked the developers to look into it, but I'm very doubtful that it will be possible. The tool and components it uses all rely on an active/live Windows installation so making them work safely (or even at all) offline is going to be extremely difficult if not impossible.


Just a bit concerned after receiving a reply to my support email. I was only given ONE option to try and that was to try a startup repair and that failed so my support tech has advised me that my only other option would be a reformat. Although he did state that Malwarebytes is trying to come up with other options for users so they can reclaim their systems without loss of data. I won't hold my breath, but maybe I can cross my fingers that this still can get resolved. As a personal pc user, I am lucky in the fact that I am not on any time restrictions for the repair help, but I know so many of you are. I have told support this very info and I just wanted to pass this on and make sure my voice was heard. Best of Luck to all of you!

I'm getting the same story. The one app I thought I could depend on has destroyed my PC.

To the both of you - have you tried using a Windows 7 Installation DVD, booting off of it, selecting repair, then entering the System Recovery console to perform a system restore off the DVD?

More than one person here last night reported that this worked for them in terms of making their systems usable and without losing data.

Also, there is a method to perform an in-place upgrade (as it is called) whereby you use the Windows 7 Installation DVD to reinstall Windows on top of itself - you'll lose some customizations, but none of your files and programs.


I feel for those that are not technical, or lack some programming.

Our environment is Windows 7 Enterprise with BitLocker. Needless to say it was a monumental task getting into safe mode for 150 PCs as each one required the BitLocker key. In the end we had to reimage about 25 machines.

This is the only way I was able to get the tool to work as intended on the machines that did not need to be reimaged. It required quite a bit of hacking.

----

Log in as a local administrator

Exit mbam

open cmd "as administrator"

c:\YourPathToFile\fixtool.exe /quarantine -list > result.txt

result.txt will now have a list of all items in the text file (including an unnerving number of duplicates).

Use whatever method to parse this down. I used visual studio, but there are other means to do so.

For me, I wrote a console application which essentially did:

'-----------------------------
Imports System.IO
Imports System.Linq

Module QuarantineList
    ' Reads result.txt from the working directory, drops the duplicate entries
    ' the quarantine listing contains and writes the distinct lines to result2.txt.
    Public Sub parselist2()
        Dim strResultFile As String = Environment.CurrentDirectory & "\result.txt"
        Dim lines As String() = File.ReadAllLines(strResultFile)
        lines = lines.Distinct().ToArray()   ' exact-match dedupe (case-sensitive)
        Dim strResultFile2 As String = Environment.CurrentDirectory & "\result2.txt"
        File.WriteAllLines(strResultFile2, lines)
    End Sub

    Sub Main()
        parselist2()
    End Sub
End Module
'-----------------------------

This took the contents of result.txt, and copied just the distinct values into result2.txt. I am sure you could use excel if you wanted to touch these manually. We used PsExec.

So now I have a text file with unique values.

Opened file in Excel, did data->columns using "\" as the separator. Played in Excel until I had the list whittled down to just the distinct folder names.

Copied to notepad, new file.

Downloaded a copy of Elevate.exe from:

http://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/

Put this in the same directory as the Fix provided by MWB.

Created .vbs file to take ownership of subfolders within c:\windows\WinSXS, and the parent folder of c:\windows\SysWow64 and c:\windows\System32. Don't forget to remove these permissions when you are all done.

'----------------------------
'SetACL.vbs
'----------------------------
' Usage: SetACL.vbs "<folder>"  (run elevated)
' Grants YOURLOCALADMINACCOUNT Full control on the folder passed as the first
' argument, editing the existing ACL (/E) and continuing on errors (/C).
Set args = WScript.Arguments

Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
oShell.run "Cacls.exe """ & args(0) & """ /E /C /G YOURLOCALADMINACCOUNT:F"
Set oShell = Nothing
'-------------------------------
'End Script
'-------------------------------

'----------------------------
'RemoveACL.vbs
'----------------------------
' Usage: RemoveACL.vbs "<folder>"  (run elevated)
' Revokes (/R) the entry granted above so the folder's ACL is back to what it was.
Set args = WScript.Arguments

Dim oShell2
Set oShell2 = WScript.CreateObject("WScript.Shell")
oShell2.run "Cacls.exe """ & args(0) & """ /E /C /R YOURLOCALADMINACCOUNT"
Set oShell2 = Nothing
'-------------------------------
'End Script
'-------------------------------

Your file of folder locations where the quarantined files are to be restored now needs to have permissions applied to them to get them to accept the release from quarantine. Take your document with the unique folder names (ensure you do not have a trailing "\"), wrap each in quotes, and add SetACL in front of each line.

For example, a valid line would look like:

SetACL.vbs "C:\Windows\winsxs\amd64_1394.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_beafdf583b909e3f"

So now we have the command needed to batch this out, and we have a means to elevate our batch files.

===

Ensure you are logged in as a local administrator

1) right-click on cmd.exe and "run as administrator"

you now have an elevated cmd.exe prompt

2) within the window, type:

runas /user:YOURLOCALADMINACCOUNT cmd.exe <enter>

You now will have an elevated cmd.exe running under the context of YOURLOCALADMINACCOUNT

I tried various scenarios, and this 1-2 combination was the ONLY way I could get the tool to work.

====

Once open, rightclick and copy your entire list of commands, and paste into this cmd.exe

You will probably have many entries that look like:

elevate.exe SetACL.vbs "C:\Windows\winsxs\amd64_1394.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_beafdf583b909e3f"

elevate.exe SetACL.vbs "C:\Windows\system32"

elevate.exe SetACL.vbs "C:\Windows\SysWOW64"

elevate.exe SetACL.vbs "C:\Windows\winsxs\somefolderA"

elevate.exe SetACL.vbs "C:\Windows\winsxs\somefolderB"

etc

As you paste the list, they will execute one-by-one.

You have now set the affected folders so that YOURLOCALADMINACCOUNT can write to them.

Now, within that same cmd.exe that is elevated, and running under the context of YOURLOCALADMINACCOUNT, execute the "RunThis.bat"

The .bat file is terribly inefficient due to all the duplicates in the quarantine. For 2000 entries plan on this process taking 3-4 hours. The process could be sped up if the script was more efficient, because it essentially runs (with 2000 entries) 8000 times, at 2 seconds per step, when it could really just be something like 20 unique entries X 4 = 80 times.

You will find that this will actually restore the files to the directories.

Reboot, test, and it should work (or at least did for my organization).

Don't forget to go back and remove the ACLs that you applied earlier. Just change up your methodology so that RemoveACL.vbs replaces the SetACL.vbs.
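A worked version of the list-cleaning steps in the post above (dedupe result.txt, reduce it to the unique parent folders, and prefix each with the elevate/SetACL command), as an added example that is not kapcreations' or Malwarebytes' code. It assumes result.txt holds one full file path per line, which the thread does not show; the sample listing is constructed, and the case-insensitive matching goes a little beyond the poster's Distinct().

```python
from pathlib import PureWindowsPath

# Constructed sample standing in for result.txt: one quarantined file path per
# line (an assumption about the tool's output format), with the duplicates and
# inconsistent casing the poster describes.
SAMPLE_RESULT_TXT = (
    "C:\\Windows\\winsxs\\amd64_1394.inf.resources_31bf3856ad364e35"
    "_6.1.7600.16385_en-us_beafdf583b909e3f\\1394.inf\n"
    "C:\\Windows\\winsxs\\amd64_1394.inf.resources_31bf3856ad364e35"
    "_6.1.7600.16385_en-us_beafdf583b909e3f\\1394.inf\n"
    "C:\\Windows\\System32\\cryptui.dll\n"
    "c:\\windows\\system32\\ATL90.dll\n"
    "C:\\Windows\\SysWOW64\\comctl32.dll\n"
    "\n"
)


def unique_paths(listing: str) -> list[str]:
    """Distinct file paths in first-seen order.

    Windows paths are case-insensitive, so 'System32' and 'system32' are one
    folder; a plain Distinct() would keep both. Blank lines and trailing
    backslashes are dropped.
    """
    seen: set[str] = set()
    result: list[str] = []
    for raw in listing.splitlines():
        path = raw.strip().rstrip("\\")
        if path and path.lower() not in seen:
            seen.add(path.lower())
            result.append(path)
    return result


def parent_folders(paths: list[str]) -> list[str]:
    """Unique parent folders of the given files, without a trailing backslash,
    sorted so System32/SysWOW64 come before the many winsxs entries."""
    folders: dict[str, str] = {}
    for path in paths:
        parent = str(PureWindowsPath(path).parent)
        folders.setdefault(parent.lower(), parent)   # keep first spelling seen
    return sorted(folders.values(), key=str.lower)


def acl_commands(folders: list[str], script: str = "SetACL.vbs") -> list[str]:
    """One 'elevate.exe <script> "<folder>"' line per folder, ready to paste into
    the elevated cmd.exe. Use script="RemoveACL.vbs" for the clean-up run."""
    return [f'elevate.exe {script} "{folder}"' for folder in folders]


if __name__ == "__main__":
    folders = parent_folders(unique_paths(SAMPLE_RESULT_TXT))
    print("\n".join(acl_commands(folders)))
```

Run it once with the default script to produce the SetACL list and once with script="RemoveACL.vbs" to produce the matching clean-up list.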


@kapcreations, that is nice.

Hopefully MBAM can revise their official fix tool to be this efficient at removing duplicates, fewer passes, taking proper ownership, and replacing ALL the files. Currently I am having to reinstall several computers because so many winsxs files were not restored. I am watching 3 right now run the fix tool for several hours only to later be faced with the fact that as soon as I reboot, all is not fixed; I will see errors like "HP Solution Center cannot open because ATL90.dll is missing".


Actually, I wonder if the fix tool could run with similar privileges as a program installer, thus giving it access to the SXS folders without having to change and restore perms?

Of course, the flip side is that I'm pretty positive that they don't want a tool with those capabilities out in the wild!


  • Root Admin

@kapcreations

Did not go through your method with a fine tooth comb, but what you should do first is save a copy of all the current permissions to a file (the icacls tool supports that).

Then do what you're doing and then play back the permissions file you originally saved; otherwise there simply is no valid way to properly restore permissions on Windows 7. Even Microsoft changed their article for that and no longer supports restoring default permissions on Windows 7.

The Trusted Installer must remain the owner and other accounts read and execute otherwise there are some anomalies in how some underlying programs call others that will no longer work.

As for the Bitlocker just glad I don't have to work in a shop that uses it. Too many problems with it for me.

If you really have time and resources though using Imaging would really be a much better solution as you could then even remotely reimage any computer you want on the fly by booting to the network and running the reimage. Normally one would redirect and save all data to a server so in theory almost nothing would be lost for the workstation. There are even tools to allow point in time snapshots for reimaging. Or going the VMware virtual desktop route is also a pretty good solution for almost zero downtime ever.

Thanks for your input and ideas to try and help users here.


Hi Guys, two clients' comps today, both not booting. Boot in safe mode on both successful, browsers not loading, System Restore could not be loaded. Installed and ran repair tool from USB (took about an hour). On reboot lots of DLLs etc. not working but could make image backups with Macrium Reflect. Next: System Restore. Closed error messages saying System Restore could not start and it worked anyway. Both machines been through several reboots and now working well. Sorry I've tapped this out in a bit of a hurry but have to go out.


Sorry for the trouble Gerrynz but glad you were able to get things going again and thank you for the follow-up

No worries, these things happen. Congrats on building a bloody good program in the first place. Long may MWBs live


Yes, it should.

My computer at work was corrupted. I managed to get back into Windows and restore most of the DLLs but now I have these issues:

1 My NIC card and Network connection won't pick up the internet

2 My Internet explorer does not load and google is not picking up the internet

3 I have Cisco Anyconnect secure mobility client installed and this error pops up - "The VPN client client agent was unable to initialize the system network socket support" and this message "VPN service not available"

4 When I try to check out the system properties I get error message - SystemPropertiesProtection.exe - ALT90.dll missing.

Can someone help as this is my work laptop.

Also it's killed my System Event Notification Service. It's not starting and I can't start it.


I cannot boot any more to Windows.

Last night I managed to boot to Linux Mint from a USB stick, to rescue data files.

Is there anything I can do to correct this problem from Linux?

I understand that the system files have been moved somewhere to quarantine them.

Using Linux could I move them back?

Could you make a fix to to do this automatically?

Jim


John....Here is my situation. I don't own the installation disk for Win 7. What I have is an UPGRADE disk for Win 7. I originally had XP on this machine and upgraded it to Win 7 and I have been told by my tech from Malwarebytes that this disk most likely wouldn't even work to even reformat my machine, much less do what you are asking me to do. I am one of those less tech savvy people that are just plain stuck up a creek so to speak.

I was able to boot into the Recovery Environment and try the Startup Repair option and it stated nothing found. I booted using the F8 key with no disk, but trying to get into Safe Mode was another story. That is where the problem of the missing cryptui.dll comes into play. I really hate having to come in here and try to get advice AND work with a member of support at the same time, but it seems very apparent to me that I am fighting a losing battle on the email side of things. I want to be hopeful, but I am slowly losing faith that I can get my machine back up and running. So much so I just ordered a new tower to replace the crippled one I am now dealing with. Truth be told, I am just sick over all this. Luckily, I had everything backed up onto 3 different external drives. I pay way too much money for some of my programs and graphic related items to let them fall prey to a crash such as this one!


We are running MB Enterprise and had 200 machines become doorstops all at once. 36 hours later and we are pretty much back to 100%.

If Malwarebytes wants to be taken seriously in the enterprise you need to institute QA for releases and create a telephone number for enterprise customers to call. This is the only enterprise product I have that doesn't have a number I can call for support.

Enough of my rant. I want to share with others something that saved a dozen or so of our machines from having to be reloaded. We had Windows 7 machines boot up with just a black screen and cursor or with a message about missing DLLs.

1st - Ran the MB repair tool via a remote command line on the machine. Reboot the machine from the remote command line. This fixed about 8 machines.

2nd - If the machine still only shows the black screen with cursor.

a) Boot from Windows 7 CD.

b) Select repair computer

c) Select the Windows 7 installation. Note the drive letter that Windows is installed to.

d) Launch command line.

e) sfc /scannow

f) if you get a message about an impending update or it fails go to the next line

g) sfc /scannow /offbootdir=d:\ /offwindir=d:\windows\

h) it will take 15 minutes or so to run. It will tell you if there were corrupt files.

i) Reboot and you should be good


Good info, Andertrack and jkrysinski.

If you need some software to burn .ISO files to a blank DVD, CDBurner XP (works in win7 too) would be a good choice. When you run Setup for CDBurner XP, there will be a choice to associate .ISO files with CDBurner XP. Select that and when setup is done, you can just double-click on your downloaded .ISO, slip a DVD in your drive and click the Burn Disc button. Keep the disc on hand, but I'd suggest waiting for MBAM support to help you should you actually need to use it to repair your system.


Is there any way to retrieve DLLs out of quarantine for iTunes and Winamp? My system won't run either because of missing DLLs. Would I be safer to go and download them from somewhere else and put them in the respective folders, or should I get them out of quarantine?

Also, my Internet Explorer no longer plays videos and some pages don't load since all this happened. However, my Mozilla works fine. Should I just reinstall IE? Do you think that would fix it?


Okay, running the tool or System Restore I have fixed over 155 PCs now. BUT on 3 critical PCs, after running the tool it will boot to normal mode BUT I get tons of errors looking for COMCTL32.dll and I do not have time to start hunting all over to figure this out. Is there an easy fix for it? I still have well over 100 more PCs to fix.

These PCs for some reason all had System Restore protection turned off and have NO RESTORE POINTS. I need this resolved ASAP!!!


I tried the fix in the above link but I can't locate files COMCTL32.dll and MSVCM90.dll. The DVD is Windows Ultimate. Do you know where they are stored? Thanks,

Those instructions are for XP....

Things to try:

http://forums.malwarebytes.org/index.php?showtopic=125136&view=findpost&p=669962

http://forums.malwarebytes.org/index.php?showtopic=125136&view=findpost&p=669406

http://forums.malwarebytes.org/index.php?showtopic=125136&view=findpost&p=669700
