Mbam Disabled


While using Bing Images, a pop-up from Mbam advised that protection had been disabled and the icon disappeared.

On checking Mbam I found all settings had been altered and drive C: had been added to exclusions. After resetting all my usual settings, a full scan found a trojan, which remains in quarantine for now. Log follows

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 02/02/2015
Scan Time: 11:24:48
Logfile: scan.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.02.02
Rootkit Database: v2015.01.14.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: User

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 366633
Time Elapsed: 5 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Trojan.Agent, C:\Users\User\AppData\Local\Temp\D18A.tmp, 4104, Delete-on-Reboot, [133e38bf0e7b5ed857437a9e04fed62a]

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Generic Host Process, C:\Users\User\AppData\Roaming\Mozilla\svchoste.exe, Quarantined, [b49df0071a6fa591a4f6e73157ab46ba]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.Agent, C:\Users\User\AppData\Local\Temp\D18A.tmp, Delete-on-Reboot, [133e38bf0e7b5ed857437a9e04fed62a],
Trojan.Agent, C:\Users\User\AppData\Roaming\Mozilla\svchoste.exe, Quarantined, [b49df0071a6fa591a4f6e73157ab46ba],

Physical Sectors: 0
(No malicious items detected)

(end)

 

Further scans with Mbam and Eset show system clean.

 

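The scan log above is the useful artifact in this thread: a Run-key entry named "Generic Host Process" that launches svchoste.exe from the user's Roaming profile, plus a dropped .tmp in Temp. As an added example (my own code, not Malwarebytes' and not posted by anyone in the thread), the Python below parses that MBAM 2.x log format, extracts each detection, and lists the indicators a responder would weigh when judging whether it is a false positive: autorun persistence, execution from a user-writable location, and a file name one edit away from a Windows system binary. It also reports whether the product's own Self-protection was off at scan time. The embedded log is an excerpt of the one posted above; the list of imitated system binaries and the user-writable path segments are assumptions of mine.

```python
"""Triage helper for Malwarebytes Anti-Malware 2.x text scan logs.

Added example for this thread (not Malwarebytes code). It parses the
log format shown above and explains, per detection, why an entry looks
like genuine persistence rather than a false positive.
"""
import re

# Excerpt of the scan log posted in the thread (header trimmed).
MBAM_LOG = r"""Malwarebytes Anti-Malware
Scan Date: 02/02/2015
Malware Protection: Enabled
Self-protection: Disabled

Registry Values: 1
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Generic Host Process, C:\Users\User\AppData\Roaming\Mozilla\svchoste.exe, Quarantined, [b49df0071a6fa591a4f6e73157ab46ba]

Files: 2
Trojan.Agent, C:\Users\User\AppData\Local\Temp\D18A.tmp, Delete-on-Reboot, [133e38bf0e7b5ed857437a9e04fed62a],
Trojan.Agent, C:\Users\User\AppData\Roaming\Mozilla\svchoste.exe, Quarantined, [b49df0071a6fa591a4f6e73157ab46ba],
"""

# Assumed list of Windows binaries whose names malware commonly imitates.
SYSTEM_BINARIES = ("svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe")
# Registry key fragments that make an entry an autorun (assumed list).
AUTORUN_KEYS = ("\\CURRENTVERSION\\RUN|", "\\CURRENTVERSION\\RUNONCE|")
# Path segments a standard user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")

# One detection line: threat, one or more targets, action, [md5], optional trailing comma.
DETECTION_RE = re.compile(
    r"^(?P<threat>[\w.\-]+), (?P<body>.+), (?P<action>[\w\-]+), \[(?P<hash>[0-9a-f]{32})\],?$"
)


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary this file name imitates (<= 2 edits away), else None."""
    name = filename.lower()
    for real in SYSTEM_BINARIES:
        if name != real and levenshtein(name, real) <= 2:
            return real
    return None


def parse_log(text):
    """Split the log into header settings and a list of detection dicts."""
    settings, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            parts = d.pop("body").split(", ")
            # A detection may carry a registry key, a file path, or both (plus a PID for processes).
            d["path"] = next((p for p in parts if re.match(r"^[A-Za-z]:\\", p)), None)
            d["regkey"] = next((p for p in parts if p.upper().startswith(("HKLM\\", "HKCU\\", "HKU\\"))), None)
            detections.append(d)
        elif ": " in line:
            key, value = line.split(": ", 1)
            settings[key] = value
    return settings, detections


def triage(text):
    """Annotate every detection with the reasons it looks like real malware."""
    settings, detections = parse_log(text)
    findings = []
    for d in detections:
        reasons = []
        if d["regkey"] and any(k in d["regkey"].upper() for k in AUTORUN_KEYS):
            reasons.append("autorun persistence via " + d["regkey"].split("|")[0])
        path = d["path"] or ""
        if any(seg in path.lower() for seg in USER_WRITABLE):
            reasons.append("executes from a user-writable location")
        real = lookalike_of(path.rsplit("\\", 1)[-1]) if path else None
        if real:
            reasons.append("file name mimics " + real)
        findings.append({"threat": d["threat"], "path": path, "action": d["action"], "reasons": reasons})
    return {
        "findings": findings,
        # With Self-protection off, malware can alter or stop the product, as happened here.
        "self_protection_disabled": settings.get("Self-protection", "").lower() == "disabled",
    }


if __name__ == "__main__":
    result = triage(MBAM_LOG)
    for f in result["findings"]:
        print(f["threat"], f["path"], f["action"], "->", "; ".join(f["reasons"]) or "no indicator")
    print("Self-protection disabled:", result["self_protection_disabled"])
```

Run it against a saved scan.txt by replacing MBAM_LOG with the file contents; entries that collect no reason are the ones worth a closer look before assuming a false positive, while an autorun entry plus a look-alike name in AppData is about as clear-cut as a detection gets.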

Hi:
 

C:\Users\User\AppData\Roaming\Mozilla\svchoste.exe


That sure doesn't look like a normal file path for anything with Firefox.

IOW it looks like a proper detection (to my home-user eyes).

 

If you think this could be a False Positive detection by MBAM, I suggest the following:

Otherwise, I suggest that you may want to please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help >>AND<< the suggested, preliminary steps to expedite the process.
A malware analyst will assist you with checking the system for possible malware remnants and with cleaning the system.

 

Thank you,


Thanks Guys & Gals

This was more a heads-up for the Mbam team: it's not a FP but real. I have left the Trojans in quarantine in case they are wanted. My system is being double-checked by a malware expert on another site.


Thanks Guys & Gals

This was more a heads-up for the Mbam team: it's not a FP but real. I have left the Trojans in quarantine in case they are wanted. My system is being double-checked by a malware expert on another site.

 

As it's already detected, I don't know that one would need to submit the samples to the MBAM Research Team?

 

But the stickies at the top of this forum >>here<< explain how to do that, if you wish to do so.

 

Thanks,


Perhaps I should make clear that it allowed Mbam to be disabled, plus Windows Firewall, removed all Mbam settings and then excluded the C: drive from scans. It was only after I reset everything that it was detected. This is why I am reporting it.


Hi, Corrine: :)

 

No, not a f/p. MBAM was right in removing it, although as Mike said, it was able to disable MBAM protection and the firewall before he reset everything. Take a closer look: C:\Users\User\AppData\Roaming\Mozilla\svchoste.exe

Yes, thanks very much for the expert input.

Neither Firefox nor I ever suspected that this was a FP, based on the file name and the file path. ;)

(As a home user I am not specifically authorized to provide "expert" malware advice, even for an obvious case such as this one. So I parsed my words a bit.)

 

That sure doesn't look like a normal file path for anything with Firefox.

IOW it looks like a proper detection (to my home-user eyes).

 

The OP asked if it "could be" a FP (although it appears that his post may have been subsequently edited to remove that query).

As we do not address FP submissions here in this forum section, I merely provided him with the standard referral to that FP sub-forum.

Then the OP asked if the file might be of value to the Research Team.

As we do not handle possible malware submissions here, either, I likewise provided the standard referral to the Research Center sub-forum.

 

I apologize if this created confusion or misunderstanding for anyone.

 

Thanks again, all,


Hi, MikeW:

 

Malware submissions or possible malware submissions need to be submitted in the special forum area reserved for that purpose.

Only staff and malware experts have access to those samples submitted there.

That is for the protection of casual forum visitors.

(IOW, if one were to attach a possibly malicious file here, in this forum section, anyone could download it. In that special forum area, only qualified experts have access.)

 

Moreover, the Research Team closely monitors the Research Center for submissions; they may or may not promptly notice such a discussion here in the forum area reserved for general MBAM support.

 

Information was merely provided to point you to the correct areas and the advice for expediting the review by the appropriate team members of any possible malware samples.

 

I apologize if that did not meet your needs.

 

Thank you again,


Root Admin

Not an FP and nothing new here. There are many infections that target security applications and disable or even delete them. The best way to attempt to prevent that is to enable our Self Protection Module.

As the issue appears to now be resolved I will go ahead and close this topic. Thank you

Ron

