
Question about MBAM Pro real-time protection



Ok, a friend of mine purchased MBAM at my suggestion and it's been running fine on her Dell Studio desktop system running Windows Vista Home Premium 64-bit edition (SP2). On April 14, 2013, MBAM detected some system DLLs as being infected by a TrojanDownloader. It quarantined a TON of DLLs and ultimately rendered the system close to unusable. :(

I managed to get things back to normal by running a system restore. After doing that, I updated MBAM and Avira AntiVir, scanned the system with each and nothing was detected. I also ran some Windows updates and those installed without any issues. The system's purring like a kitten.

The reason I'm starting this thread is it seems odd that the system DLLs MBAM detected as being infected with the TrojanDownloader appeared to be detected "suddenly". Here's a snippet from the log file I have:


2013/04/15 13:29:16 -0700 TOMDKAT-PC (null) MESSAGE Executing scheduled update: Hourly | Silent
2013/04/15 13:29:23 -0700 TOMDKAT-PC (null) MESSAGE Scheduled update executed successfully: database updated from version v2013.04.15.08 to version v2013.04.15.10
2013/04/15 13:29:23 -0700 TOMDKAT-PC (null) MESSAGE Starting database refresh
2013/04/15 13:29:23 -0700 TOMDKAT-PC (null) MESSAGE Stopping IP protection
2013/04/15 13:29:25 -0700 TOMDKAT-PC (null) MESSAGE IP Protection stopped successfully
2013/04/15 13:29:28 -0700 TOMDKAT-PC (null) MESSAGE Database refreshed successfully
2013/04/15 13:29:28 -0700 TOMDKAT-PC (null) MESSAGE Starting IP protection
2013/04/15 13:29:29 -0700 TOMDKAT-PC (null) MESSAGE IP Protection started successfully
2013/04/15 15:44:46 -0700 TOMDKAT-PC (null) MESSAGE Executing scheduled update: Hourly | Silent
2013/04/15 15:44:53 -0700 TOMDKAT-PC (null) MESSAGE Scheduled update executed successfully: database updated from version v2013.04.15.10 to version v2013.04.15.12
2013/04/15 15:44:53 -0700 TOMDKAT-PC (null) MESSAGE Starting database refresh
2013/04/15 15:44:53 -0700 TOMDKAT-PC (null) MESSAGE Stopping IP protection
2013/04/15 15:44:53 -0700 TOMDKAT-PC (null) MESSAGE IP Protection stopped successfully
2013/04/15 15:44:57 -0700 TOMDKAT-PC (null) MESSAGE Database refreshed successfully
2013/04/15 15:44:57 -0700 TOMDKAT-PC (null) MESSAGE Starting IP protection
2013/04/15 15:44:58 -0700 TOMDKAT-PC (null) MESSAGE IP Protection started successfully
2013/04/15 15:44:59 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\System32\mshtml.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:45:00 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\System32\mspaint.exe Trojan.Downloader.ED QUARANTINE
2013/04/15 15:45:00 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\System32\shlwapi.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:45:00 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:49:02 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\System32\spool\drivers\x64\3\E_YASKHWA.DLL Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:07 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\SysWOW64\shlwapi.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:07 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\SysWOW64\msvcrt.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:07 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.6002.18305_none_88f3a38569c2c436\comctl32.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:07 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:07 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:07 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\SysWOW64\oleaut32.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:07 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:07 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\SysWOW64\uxtheme.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:07 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) DETECTION C:\Program Files (x86)\Avira\AntiVir Desktop\ccguard.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\GdiPlus.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) DETECTION C:\Program Files (x86)\Avira\AntiVir Desktop\ccwkrlib.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\SysWOW64\netapi32.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\SysWOW64\activeds.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\SysWOW64\credui.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\SysWOW64\iertutil.dll Trojan.Downloader.ED QUARANTINE

My friend is running MBAM Pro 1.75.0.1300 and as of today, June 1, 2013, the system has been scanned clean with the latest versions of both MBAM and AntiVir, both updated with the latest database definitions.

Since this is June and the problems above happened in April, I think they encountered the problem, turned the system off and just left it off until now. I'm not sure if there was an issue with the MBAM detection database, at that time or on that day, but everything's running just fine now.

Any ideas on what could have happened on April 15, 2013 that caused this?

Thanks!

Peace...
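The pattern in the log above (a definitions update followed seconds later by a burst of detections on core OS files, with quarantine failing on access-denied) is the classic signature of a bad definition push rather than a real mass infection. The following is an added triage script, not code from the original post or from Malwarebytes. It parses lines in the same layout as the protection log quoted above (timestamp, host, "(null)", level, message), correlates each database update with the DETECTION lines that follow it, and flags an update when several of those hits land in Windows system directories within a short window. The embedded log is a constructed subset of the thread's lines plus one made-up user-profile path to show a hit that is not flagged; the thresholds are assumptions.

```python
"""Flag a suspected bad definition push in a Malwarebytes protection log.

Heuristic: several DETECTIONs on files under Windows system directories
within a few minutes of a database update are far more likely to be a
false-positive signature than a genuine mass infection.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the thread's log lines plus one invented
# user-profile path (update.exe) to show a hit that is NOT a system file.
SAMPLE_LOG = r"""
2013/04/15 15:44:53 -0700 TOMDKAT-PC (null) MESSAGE Scheduled update executed successfully: database updated from version v2013.04.15.10 to version v2013.04.15.12
2013/04/15 15:44:58 -0700 TOMDKAT-PC (null) MESSAGE IP Protection started successfully
2013/04/15 15:44:59 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\System32\mshtml.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:45:00 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\System32\shlwapi.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:45:00 -0700 TOMDKAT-PC (null) ERROR Quarantine failed: DeleteFile failed with error code 5
2013/04/15 15:50:07 -0700 TOMDKAT-PC (null) DETECTION C:\Windows\SysWOW64\oleaut32.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) DETECTION C:\Program Files (x86)\Avira\AntiVir Desktop\ccguard.dll Trojan.Downloader.ED QUARANTINE
2013/04/15 15:50:08 -0700 TOMDKAT-PC (null) DETECTION C:\Users\tom\AppData\Local\Temp\update.exe Trojan.Downloader.ED QUARANTINE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) \(null\) (?P<level>[A-Z]+) (?P<msg>.*)$"
)
UPDATE_RE = re.compile(r"database updated from version (\S+) to version (\S+)")
# Path may contain spaces; the threat name has none and the action is all caps
# at end of line, so the non-greedy path is forced to stop before those two.
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<threat>\S+) (?P<action>[A-Z]+)$")

# Directories protected by Windows Resource Protection (assumed list).
SYSTEM_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def parse_line(line):
    """Split one log line into a record, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['tz']}", "%Y/%m/%d %H:%M:%S %z")
    return {"ts": ts, "host": m["host"], "level": m["level"], "msg": m["msg"]}


def is_system_path(path):
    return path.lower().startswith(SYSTEM_PREFIXES)


def triage(log_text, window=timedelta(minutes=10), min_hits=3):
    """Correlate updates with following detections; return a summary dict."""
    updates, detections, access_denied = [], [], 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] == "MESSAGE":
            m = UPDATE_RE.search(rec["msg"])
            if m:
                updates.append({"ts": rec["ts"], "from": m[1], "to": m[2]})
        elif rec["level"] == "DETECTION":
            d = DETECTION_RE.match(rec["msg"])
            if d:
                detections.append({"ts": rec["ts"], "path": d["path"],
                                   "threat": d["threat"], "action": d["action"]})
        elif rec["level"] == "ERROR" and "error code 5" in rec["msg"]:
            # Win32 error 5 = ERROR_ACCESS_DENIED: consistent with files that
            # only TrustedInstaller may delete, i.e. protected OS binaries.
            access_denied += 1

    suspects = []
    for up in updates:
        hits = [d for d in detections
                if up["ts"] <= d["ts"] <= up["ts"] + window and is_system_path(d["path"])]
        if len(hits) >= min_hits:
            suspects.append({"database": up["to"], "system_hits": len(hits),
                             "threats": sorted({h["threat"] for h in hits})})

    return {
        "detections": len(detections),
        "system_path_hits": sum(is_system_path(d["path"]) for d in detections),
        "quarantine_access_denied": access_denied,
        "suspect_updates": suspects,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If the script flags an update, the confirming step on the affected host is to check the detected files' publisher rather than trust the verdict: `Get-AuthenticodeSignature C:\Windows\System32\mshtml.dll` in PowerShell should report a valid Microsoft signature, and `sfc /scannow` will repair anything that was actually removed. Restore the quarantined items rather than deleting them, and keep the protection log, since the version pair in the "database updated" line is what the vendor needs to confirm which definition set misfired.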


Yes, this was an unfortunate database issue that has been taken care of. Malwarebytes now has a few things in place, such as a database test server and updated policies (as noted in the sticky), to prevent any major issues from happening in the future. :)
