question about number of threats actually detected and removed

Hello.

 

I visited a website the other day and knew right away that I picked up an infection. I scanned with Malwarebytes, and after the scan was finished, it reported that 4 infected items were found. (See attached screenshot. A text file of the scan log is also attached.)

 

I selected the option to quarantine the threats, then I rebooted my computer. All is now well.

 

Today, however, out of curiosity I looked at the quarantine and noticed that only 2 of the 4 items are shown there. (See attached screenshot.)

 

My question is . . .

 

Why doesn't the number of threats that were found (i.e., four) match the number of items shown in quarantine (i.e., two)? Where are the other two items?

 

And a separate-but-related question . . .

 

Although quarantine was chosen as the action that I wanted applied to the threats, I noticed the scan log lists the action taken as delete on reboot. (See attached screenshot.) 

 

My understanding regarding quarantine is that when a file is quarantined, the file is not actually deleted. Instead, the file is just isolated from the rest of the system so that it can no longer pose any danger.

 

If that's the case, why does the scan list delete on reboot as the applied action even though I chose to quarantine them? I don't follow. Sorry.

 

MBAM scan log showing the four threats that were found.txt


Someone might correct me (and that's fine if they do), but three of the four files all share the same MD5 hash, so reporting them based on the hash is accurate. It is misleading to the user, but the hash is the most accurate representation of the file. We just don't easily identify things that way. They are all set to delete on reboot, so once you reboot the computer, they should all be gone.

gonzo,

 

Thanks. I looked at the scan log again (relevant part pasted below), and assuming the MD5 hash that you referred to is this 32-digit number 42d1b4986f1bdf573c6e991208fbd828, then yes, I see that three of the four files all share the same MD5 hash.

 

However, even though the MD5 may be the same, the file names are different. The first is mf.dll, the second is 8afc49b02429a, and the third is ugcqysiaeo.tmp. So are these, then, all different or not? Having said that, I just noticed that this number 9A88E103-A20A-4EA5-8636-C73B709A5BF8 (whatever this number is called) is the same for all four of them, so now I'm confused. Sorry.

 

Folders: 1
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}, Delete-on-Reboot, [42d1b4986f1bdf573c6e991208fbd828],

Files: 3
Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\mf.dll, Delete-on-Reboot, [4ec5fa52b4d6b97d32ec83aeb64c11ef],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a, Delete-on-Reboot, [42d1b4986f1bdf573c6e991208fbd828],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\ugcqysiaeo.tmp, Delete-on-Reboot, [42d1b4986f1bdf573c6e991208fbd828],

 

Most important, I'm still wondering why the scan results are not consistent with the quarantine list. That is, why are four threats listed as being detected in the scan log but only two of them appear listed in quarantine? What happened to the other two?

 

If you could explain it a little better, I would really appreciate it.

 

Just to add, delete on reboot was used because the file was open (locked) and could not be fully quarantined until you rebooted the computer; this is why Malwarebytes will ask you to reboot after an item is cleaned.

 

So are they actually in quarantine now — or were they deleted and removed from the system when the computer was rebooted?


For all intents and purposes, the MD5 hash represents the threat. One of the threats has three components to it. Some threat components can be eliminated easily, and some require reboot to finish eliminating them. If there is anything remaining in your Quarantine, they are waiting for you to choose whether to delete them or restore them. It appears that what is left is a DLL file and the folder which contained it. The temp file and (what I assume was) the payload were deleted already.

 

Sometimes, files that you know are legitimate can be flagged as threats. Putting it in Quarantine allows you to see it and determine for yourself. If you don't recognize the file, it's likely NOT legitimate, and can be deleted. If it were a legitimate file, removing the folder which contained it would make the file non-restorable... you can't put it back where it came from if you deleted the place it came from.

 

If it still shows up in Quarantine, you have to choose whether to delete it or restore it.

 

That really long code that starts with "9A88" is one of the reasons cleaning a system is an art form. Microsoft makes the innards of the system extremely cryptic and hard to figure out. Most people abandon the effort. People who write malware know that and use the difficulty to understand the system to their advantage. Most things that are important in a Windows operating system have a code like that attached to them. Every installed program and every user also have a code like that as well.
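As an added example (not code from the thread or from Malwarebytes), here is a small Python parser for the scan-log lines quoted above that counts the detections by bracketed hash, by action and by containing folder, which is the grouping gonzo's answer describes: four log entries, two distinct hashes, one folder tree, all pending a reboot. The line format is inferred from the four entries in the thread; the sample input is constructed from them.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample: the four detections quoted above, each re-joined onto one line.
SCAN_LOG = r"""Folders: 1
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}, Delete-on-Reboot, [42d1b4986f1bdf573c6e991208fbd828],
Files: 3
Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\mf.dll, Delete-on-Reboot, [4ec5fa52b4d6b97d32ec83aeb64c11ef],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a, Delete-on-Reboot, [42d1b4986f1bdf573c6e991208fbd828],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\ugcqysiaeo.tmp, Delete-on-Reboot, [42d1b4986f1bdf573c6e991208fbd828],
"""
# One detection line, as inferred from the thread: "<category>, <path>, <action>, [<32 hex chars>],"
ENTRY_RE = re.compile(r"^([^,]+),\s*([^,]+),\s*([^,]+),\s*\[([0-9a-fA-F]{32})\],?\s*$")
SECTION_RE = re.compile(r"^(Folders|Files):\s*\d+\s*$")


def parse_entries(text):
    """Return one dict per detection, tagged with the section header above it."""
    entries, section = [], None
    for line in text.splitlines():
        if sec := SECTION_RE.match(line):
            section = sec.group(1)
        elif m := ENTRY_RE.match(line):
            category, path, action, digest = (g.strip() for g in m.groups())
            # The bracketed value is what the thread refers to as the MD5 hash.
            entries.append({"section": section, "category": category, "path": path,
                            "action": action, "digest": digest.lower()})
    return entries


def summarize(entries):
    """Count the detections several ways to show why '4 found' can be one threat."""
    folders = {e["path"].lower(): e["path"] for e in entries if e["section"] == "Folders"}
    files_per_folder = defaultdict(list)
    for e in entries:
        if e["section"] == "Files":
            parent = ntpath.dirname(e["path"]).lower()
            files_per_folder[folders.get(parent, parent)].append(ntpath.basename(e["path"]))
    return {
        "entries": len(entries),
        "unique_digests": len({e["digest"] for e in entries}),
        "per_digest": Counter(e["digest"] for e in entries),
        "pending_reboot": sum(e["action"] == "Delete-on-Reboot" for e in entries),
        "files_per_folder": dict(files_per_folder),
    }


if __name__ == "__main__":
    print(summarize(parse_entries(SCAN_LOG)))
```

Run against a real scan log exported from the program, the same counts show at a glance how many distinct hashes and folder trees sit behind the "N threats found" figure and how many entries still depend on a reboot.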
