Jump to content
exile360

***False positive Trojan.Downloader.ED***

Recommended Posts

We sincerely apologize for this false positive. An update has already been pushed out to remove the offending definition that caused this.

If your system is bootable, then please do the following:

For Malwarebytes Anti-Malware Users:

NOTE: If Malwarebytes Anti-Malware will not run, then you should also install this file from Microsoft.

Step 1

Boot into Safe Mode with Networking:

Windows XP:

  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with the Windows XP Advanced Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode with Networking.

You should then be presented with the Windows XP Login screen. Log in to Windows and when it prompts you about Safe Mode and asks if you'd like to continue click Yes.

Windows Vista and Windows 7:

  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with the Windows Advanced Boot Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode with Networking.

You should then be presented with the Windows Login screen. Log in to Windows.

Step 2

  • Download the installer for Malwarebytes Anti-Malware from here and install it
  • Open Malwarebytes Anti-Malware and access the Quarantine tab
  • Click on the Restore All button and click Yes when prompted for confirmation
  • Restart your computer and allow it to start up normally

NOTE: There may be extra files in quarantine that will not be restored, though the system will be bootable. These are duplicate backup files and the files in question should already be restored.

Malwarebytes Enterprise Edition Customers:

  • Within the console reinstall MBAM over the top (push install)
  • Use Windows tasks to execute the command (as admin): "C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe" /quarantine -restore all

If the above failed, then you may also do the following

Use the Malwarebytes Anti-Malware False Positive Fix Tool:

  • Make certain you are logged in as an administrator
  • Download the Malwarebytes Anti-Malware FP Fix Tool from here and save it to a convenient location such as your desktop
  • Extract all of the files to a folder and run RunThis.bat NOTE: Windows Vista, Windows 7 and Windows 8 users must right-click on the file and choose Run as Administrator and click Yes or Continue to any User Account Control prompts
  • Restart your system and verify that it is now working properly

For those of you still having problems, please contact support via the following links and they will assist you directly in getting your systems functioning properly again:

Home User Support

Business Support

Please be sure to include the following information to expedite the repair process:

  • OS installed (i.e. XP, Vista, 7, 8 etc.)
  • Whether you have restarted your computer yet or not
  • Whether or not the system is bootable if you have attempted a restart of your system yet
  • Whether or not you have your Windows installation media (CD, DVD, recovery discs etc.)

We have also taken extensive measures to ensure that a false positive like this never happens again. Once more, I apologize that this occurred and hopefully we will be able to get everyone's systems in proper working order once more without too much trouble.

Edited by exile360

Share this post


Link to post
Share on other sites

The Enterprise "fix" you listed is not working.

First, MEE has apparently disabled the "infected" clients and none of them will accept remote commands.

Second, for the few clients we still have talking to the Management Console, the client will not re-install over itself. Error messages include:

"Installation failed. Client software has been installed and registered to this server."

and

"Installation failed. The client remote operation service might be blocked by anti-virus software such as Windows Defender."

We already have an open support request (#330121) but so far haven't gotten any useful information.

Share this post


Link to post
Share on other sites

The Enterprise "fix" you listed is not working.

First, MEE has apparently disabled the "infected" clients and none of them will accept remote commands.

Second, for the few clients we still have talking to the Management Console, the client will not re-install over itself. Error messages include:

"Installation failed. Client software has been installed and registered to this server."

and

"Installation failed. The client remote operation service might be blocked by anti-virus software such as Windows Defender."

We already have an open support request (#330121) but so far haven't gotten any useful information.

I'm sorry you're still having trouble. Support should be able to work out a solution for you promptly, though it may require direct access to the affected systems on your part as remote methods may not work.

For anyone else still having trouble after attempting to follow the instructions posted above, please contact our support team and they will assist you directly:

Home User Support

Business Support

Thank you

Share this post


Link to post
Share on other sites

Reinstalled MB on a client, and verified DB to be v2013.04.16.01. We can't restore the quarantined files either via the command you posted or the GUI. The files just keep getting re-quarantined

Share this post


Link to post
Share on other sites

Are you sure they get requarantined, or are they just never leaving the quarantine list but are actually restored to the respective default locations?

Share this post


Link to post
Share on other sites

I HAVE WINDOWS XP. TRIED THE REBOOT IN SAFE MODE, AND STILL CANNOT ACCESS THE INTERNET.

EXPLORER WILL NOT EVEN COME UP, AND FIREFOX GIVES ME AN ERROR THAT READS: " APPLICATION HAS FAILED TO START BECAUSE nss3.dll WAS NOT FOUND".

HAVE EMAILED SEVERAL TIMES BACK TO CUSTOMER SERVICE AND STILL HAVE YET TO HEAR ANYTHING BACK!!!!

VERY FRUSTRATED!!!!!!

Share this post


Link to post
Share on other sites

I DID REBOOT IN SAFE MODE WITH NETWORKING AND STILL NOTHING W/ THE INTERNET!!!! iT IS ASKING FOR A RE-INSTALL OF THE APPLICATION FOR FIREFOX!!!!

Will Internet Explorer run? If not, you'll need access to a second system as well as some external media to copy the files over such as a USB flash drive or external hard drive.

Share this post


Link to post
Share on other sites

I can do a quick writeup of using FTP to DL firefox so it can be installed - but if the OSs installer assemblies are broken that will be of no use.

Still, I'll be right back with the write up.

Share this post


Link to post
Share on other sites

I APPRECIATE ALL OF THE SUGGESTIONS, BUT I CAN NOT DO ANYTHING ON MY COMPUTER!!!!! EVERYTHING I TRY TO OPEN HAS AN ERROR CODE OR MY COMPUTER BEEPS AT ME!!!! THE ERROR CODES ALL SAY UNABLE TO LOCATE COMPONENT

Share this post


Link to post
Share on other sites

Reinstalled MB on a client, and verified DB to be v2013.04.16.01. We can't restore the quarantined files either via the command you posted or the GUI. The files just keep getting re-quarantined

Apologies, looks like it's the "double up" thing you mentioned. However, as cgtracydms mentioned, we can't push the client out to the devices that can't log into Windows.

Share this post


Link to post
Share on other sites

Will Internet Explorer run? If not, you'll need access to a second system as well as some external media to copy the files over such as a USB flash drive or external hard drive.

INTERNET EXPLORER WILL NOT OPEN NOR WILL IT GIVE ME AN ERROR CODE.

AS PER THE QUARANTINE, MB WON'T EVEN OPEN TO GET TO THE TAB TO TRY TO RECOVER.

Share this post


Link to post
Share on other sites

Will Internet Explorer run? If not, you'll need access to a second system as well as some external media to copy the files over such as a USB flash drive or external hard drive.

FIRST OF ALL, I AM NOT A TECH PERSON. IS THERE NOT A REAL PERSON IN REAL TIME TO TALK TO AT TECH SUPPORT?

Share this post


Link to post
Share on other sites

Brandi, can you run a cmd window? Either from start menu, type cmd select he little black icon that says cmd.exe or else from the Run dialog, by typing in cmd and pressing Enter?

Share this post


Link to post
Share on other sites

Brandi, can you run a cmd window? Either from start menu, type cmd select he little black icon that says cmd.exe or else from the Run dialog, by typing in cmd and pressing Enter?

I DID THIS AND YES THE BLACK BOX CAME UP W/ DOCUMENTS AND SETTINGS

Share this post


Link to post
Share on other sites

Brandi, grab this file and put it on the computer that will not run Internet Explorer - then double click it to open the .ZIP and run the GetFiles2.bat inside. It will connect to Mozilla and put a copy of the Firefox installer into the C:\Users directory - it does not matter where you download this file below to - it will always put Firefox installer in C:\Users.

If you would rather make the file yourself, copy everything in the box below into notepad, then save the file with any name and a .Bat extension then run it.

Once it runs, go to C:\Users and find the file Firefox Setup 20.0.1.exe and run it to install Firefox - and then you should be able to run Firefox to keep doing what you need to do.


@echo off
echo cd //pub/firefox/releases/latest/win32/en-US>> ftpcmd.dat
echo get "Firefox Setup 20.0.1.exe" c:\Users\"Firefox Setup 20.0.1.exe">> ftpcmd.dat
echo quit>> ftpcmd.dat
ftp -A -s:ftpcmd.dat ftp.mozilla.org
del ftpcmd.dat

GetFiles2.zip

Share this post


Link to post
Share on other sites

Brandi, grab this file and put it on the computer that will not run Internet Explorer - then double click it to open the .ZIP and run the GetFiles2.bat inside. It will download a copy of Firefox to install into the C:\Users directory - it does not matter where you download it to.

If you would rather make the file yourself, copy everything in the box below into notepad, then save the file with any name and a .Bat extension then run it.

Once it runs, go to C:\Users and find the file Firefox Setup 20.0.1.exe and run it to install Firefox - and then you should be able to run Firefox to keep doing what you need to do.


@echo off
echo cd //pub/firefox/releases/latest/win32/en-US>> ftpcmd.dat
echo get "Firefox Setup 20.0.1.exe" c:\Users\"Firefox Setup 20.0.1.exe">> ftpcmd.dat
echo quit>> ftpcmd.dat
ftp -A -s:ftpcmd.dat ftp.mozilla.org
del ftpcmd.dat

I'M NOT SURE I UNDERSTAND HOW TO DO THIS!!!

I OPENED IT IN THE START MENU UNDER RUN.

IT THEN OPENED A BLACK BOXW/ c:\WINDOWS\SYSTEM32\CMD.EXE IN BLUE AT THE TOP.

BELOW IN BLACK....c:\DOCUMENTS AND SETTINGS\

HOW DO I GRAB IT AND PUT IT ON THE COMP?

Share this post


Link to post
Share on other sites

No, that window was just a test to see if CMD could run.

Whatever device you're using right now to read this, click on the file and download it - then use a USB thumb drive or portable Hard drive to copy this file over to your computer that is messed up, and put that file anywhere you can get access to it to - and then open it and run the file inside.

Then, on that computer, once it is done, in the C:\Users directory will be a copy of the Firefox installer. You can then run it by typing the following command into that black cmd.exe box exactly like it is below:

"c:\Users\Firefox Setup 20.0.1.exe"

Include the quotation marks in that command. You should then see the installer for Firefox pop up - just follow the prompts and let it install and then let it run once it finishes.

GetFiles2.zip

Share this post


Link to post
Share on other sites

I have all my clients install Malwarebytes and today 18% of them that were hit cannot even after all this get back into their PC's. It looks like the only way I maybe able to get them running is a backup of data and reload their PC's from scratch. What is Malwarebytes going to do for these clients that are now looking at 2-4 hours of service bills from technicians like me? I think this is more than fair of a question to ask and expect an answer.

Share this post


Link to post
Share on other sites

As much as I love MBAm, I have to agree - Although the number of clients I personally support is smaller, I know of 2 already that are in dire straights. And you're right, it is a valid question.

Just last week I was in the forums getting rid of moneypak on my Dad's computer (which I don't get paid for) and one of the 'clients' I'm referring to is my Mom's computer - I had her log in and it threw more popups about missing files at her in a minute than I've seen from Malware trying to bombard a user on his desktop with pr0n.

I've been in here most of the night since this broke and I figured out what was going on and reported it, and I have yet to touch her computer - let alone start to repair it. And I won't be getting paid for that job either :P

Share this post


Link to post
Share on other sites

I have all my clients install Malwarebytes and today 18% of them that were hit cannot even after all this get back into their PC's. It looks like the only way I maybe able to get them running is a backup of data and reload their PC's from scratch. What is Malwarebytes going to do for these clients that are now looking at 2-4 hours of service bills from technicians like me? I think this is more than fair of a question to ask and expect an answer.

All we can do is offer our assistance via our Support team to help as best we can to get these systems in proper working order again. Support is pretty bogged down by this at the moment obviously, but they are working as quickly as possible to get everyone's systems fixed.

Share this post


Link to post
Share on other sites

Soap Box On.

This has happen twice now. in the past few months with false positives. You all had better find a more reliable way of testing your product before releasing it on us.

I support many corperate clients they are PISSED. And I now have to eat my words saying the Malwarebytes will protect their systems.

You all have created HUGE problem!
But I guess you have figured that out by now.

Right now I'm trying to fix my system and I received an email from the tech helping me and in his last email he said "Some of our team are still working with users on the forums and in support as well. Most have finally gone home."

WHAT DO YOU MEAN "GONE HOME". Put some cots in the room, take a nap, bring in food and help us fix the mess you created! and restore confidence in your product.

Soap Box Off.

Share this post


Link to post
Share on other sites

Soap Box On.

This has happen twice now. in the past few months with false positives. You all had better find a more reliable way of testing your product before releasing it on us.

I support many corperate clients they are PISSED. And I now have to eat my words saying the Malwarebytes will protect their systems.

You all have created HUGE problem!
But I guess you have figured that out by now.

Right now I'm trying to fix my system and I received an email from the tech helping me and in his last email he said "Some of our team are still working with users on the forums and in support as well. Most have finally gone home."

WHAT DO YOU MEAN "GONE HOME". Put some cots in the room, take a nap, bring in food and help us fix the mess you created! and restore confidence in your product.

Soap Box Off.

I agree completely, I'm a photographer and need my laptop to edit my work for my clients.

I can't even boot my laptop in safe mode!

How am I going to fix this, because I'm not going to foot the bill if I have to send it to a shop to be fixed!

Share this post


Link to post
Share on other sites

All we can do is offer our assistance via our Support team to help as best we can to get these systems in proper working order again. Support is pretty bogged down by this at the moment obviously, but they are working as quickly as possible to get everyone's systems fixed.

Unacceptable! I can guarantee considering your testing team obviously screwed up that this was poor quality control on release of a new patch and this is costing people hours and hours of available time on thier PC's for their jobs therefore money lost there and also paid out to peoplelike myself to resolve the testing teams screw up. My clients are furious and so am I as this is 3AM my time and I see not time to sleep in the near future to get all these resolved as quickly as possible so they can get back to work. Pro licenses handed out to free users would go a long way to stopping a law suit I am sure and for the users that have Pro licenses a couple years free. To say all you can do is help them get them running again is terrible considering the horrible testing of an update someone did to not seee this happen. Is that person canned? Should be, they opened the company to a massive multi-million dollar lawsuit. And still it is 18% of the people that I have seen that had this and restarted the PC's are screwed beyond repair, full reinstall or recovery from backup images. DISGUSTING !!!

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.