
MBAR found this. Is it a threat


Maybe a false positive.

Have been scanning weekly with the older versions (even scanned just 3 days ago and everything was clean), recently updated to and the same issue popped up. Try updating your definitions and see whether it goes away (it did for me).

Without clicking "remove" on MBAR. Concurrent scans with GMER, MBRCheck.exe, TDSSKILLER.exe are all clean.

Norton 360/MalwareBytes Pro/Superantispyware scans have been clean weekly as well as in safemode too.


Can you go to your MBAR folder and look at the log file that detected the infection?

I've been trying to pinpoint how the infection came because I too have had 0 things wrong with the PC (and I weekly scan with Symantec, MBAM, Superantispyware, VIPRE antivirus, Bitdefender, TrendMicro, AVAST). Scans with ASWmbr, Bootkitremoval, gmer, rootkitbuster, tdsskiller, MBRCheck, HiJackThis are all clean.

I see that a 3rd person has also had the exact Bootkit and upon looking at their log below:

(mbar-log-2013-04-17) they were using Database version: v2013.04.17.15, which was the exact same database version as me.

Now, I've scanned 5 times with MBAR in the past ~1-2 months using the previous Beta-releases (even a scan 3-4 days BEFOREhand with the older V1.01 with up-to-date definitions was absolutely clean). Unless "Bootkit.Mebromi.Sinowal.D.MBR" is a new definition file (which I doubt because it's been in the wild since 2008), I suspect it could be a false positive or something.

3 individuals detecting the same infection at the same time (around 7:00PM CST on 04/17/2013) with the same Definition File (v2013.04.17.15) would be highly irregular but not impossible:

Files Detected: 1

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Bootkit.Mebromi.Sinowal.D.MBR) -> Delete on reboot.

  • Can anyone confirm whether Bootkit.Mebromi is simply a new definition file whereby the infection could have been missed with my previous 5-6 scans using the older versions?

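As an added example (not from this thread, and not Malwarebytes' own tooling), the reasoning in the post above about several reports sharing one definition version can be turned into a simple triage check: parse the `Database version:` and detection lines out of a set of MBAR logs and flag a detection name that only ever appears under a single definition version, on several hosts, where at least one of those hosts scanned clean with older definitions. The host names and log excerpts are constructed, modelled on the lines quoted in the post.

```python
import re

# Constructed MBAR log excerpts (not the thread's real logs), modelled on the
# "Database version:" and "Files Detected:" lines quoted in the post above.
# Each entry is (host, log text); the path in each detection line is a sample.
HIT = ("C:\\ProgramData\\Malwarebytes\\Malwarebytes' Anti-Malware\\"
       "MBR_0_infected.mbam (Bootkit.Mebromi.Sinowal.D.MBR) -> Delete on reboot.")
LOGS = [
    ("hostA", "Database version: v2013.04.14.02\nFiles Detected: 0\n"),
    ("hostA", "Database version: v2013.04.17.15\nFiles Detected: 1\n" + HIT + "\n"),
    ("hostB", "Database version: v2013.04.17.15\nFiles Detected: 1\n" + HIT + "\n"),
    ("hostC", "Database version: v2013.04.17.15\nFiles Detected: 1\n" + HIT + "\n"),
    # control case: a detection name reported under two different definition versions
    ("hostD", "Database version: v2013.04.10.01\nFiles Detected: 1\n"
              "C:\\Temp\\x.exe (Trojan.Sample) -> Delete on reboot.\n"),
    ("hostE", "Database version: v2013.04.17.15\nFiles Detected: 1\n"
              "C:\\Temp\\y.exe (Trojan.Sample) -> Delete on reboot.\n"),
]

DB_RE = re.compile(r"^Database version:\s*(v[\d.]+)", re.M)
DET_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> ", re.M)


def parse_log(text):
    """Return the definition version and the (name, path) detections in one log."""
    db = DB_RE.search(text)
    dets = [(m.group("name"), m.group("path")) for m in DET_RE.finditer(text)]
    return {"db": db.group(1) if db else None, "detections": dets}


def suspect_false_positive(logs, name, min_hosts=3):
    """Return the single definition version behind `name` when every report of it
    comes from that one version on >= min_hosts hosts and at least one of those
    hosts had a clean scan with different (older) definitions; else None."""
    parsed = [(host, parse_log(text)) for host, text in logs]
    hits = [(h, p) for h, p in parsed if any(n == name for n, _ in p["detections"])]
    hosts = {h for h, _ in hits}
    versions = {p["db"] for _, p in hits}
    if len(hosts) < min_hosts or len(versions) != 1:
        return None
    (version,) = versions
    prior_clean = any(h in hosts and p["db"] != version and not p["detections"]
                      for h, p in parsed)
    return version if prior_clean else None


if __name__ == "__main__":
    print(suspect_false_positive(LOGS, "Bootkit.Mebromi.Sinowal.D.MBR"))  # v2013.04.17.15
    print(suspect_false_positive(LOGS, "Trojan.Sample"))  # None
```

A hit that clusters on one definition version is only a candidate for a false positive; the usual next step is to re-scan after a definition update and compare against an independent MBR check, as the posters did.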
