Jump to content

Why does Malwarebytes not detect a Trojan but Windows defender does DAILY!


Recommended Posts

Windows defender keeps popping up saying it has detected  TrojanDownloader:O97M/Donoff.BG and quarantines it. I have Malwarebytes premium version that runs scans even night and it has never detected it? Is windows defender a better platform for detecting malware? 

ALSO how do I get rid of what is causing  TrojanDownloader:O97M/Donoff.BG to keep apearing?!?!?!

THANKS WISE PEOPLE!!

Link to post
Share on other sites

Hello and :welcome:, @winty85:

Alas, there's no way to answer your question definitively, based on the available information.
While no anti-virus or anti-malware application can detect/remove 100% of all malware, it's also possible it could be a WD false positive, or MBAM's scan settings may be "off", etc.
We cannot say for sure.

If WD creates a user-readable log file, e.g. in a *.txt format, perhaps you could attach to your next reply BOTH your most recent MBAM scan log AND the WD scan log.
We will ask the Research Team to review the data.

OTOH, if you think you might be infected,  I suggest that you might want to please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help >>AND<< the suggested, preliminary steps to expedite the process.
A malware analyst will assist you with looking into your issue - the helper will guide you through scanning, cleanup and repair.

Thank you,

 

Link to post
Share on other sites

hi thanks for the answer, heres MWBS txt file for the last scan

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 31/07/2016
Scan Time: 11:52
Logfile: mal.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.31.03
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: JamesDaniel

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 300223
Time Elapsed: 20 min, 52 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

Thanks for the MBAM scan log.

What would really help would be the WD scan log -- I am not familiar with the program, but I assume it creates scan logs that are accessible to the user?
Without such a log, or a malware sample (which cannot be submitted here, in this particular forum area), it's going to be hard to determine what might underlie the detection discrepancy you report.

So, please post the WD log (preferably as an ATTACHMENT), if you can.

In addition, please follow the steps in this pinned topic and ATTACH to your next reply the 3 diagnostic logs: Diagnostic Logs.
The 3 logs are: FRST.txt, Addition.txt and Checkresults.txt

OTOH, if you think you might be infected,  I suggest that you might want to please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help >>AND<< the suggested, preliminary steps to expedite the process.
A malware analyst will assist you with looking into your issue - the helper will guide you through scanning, cleanup and repair.

Thank you,

 

 

Link to post
Share on other sites

 

WD doesnt create logs but the event viewer shows this? Hope this helps

 

System

   
- Provider
      [ Name] Microsoft-Windows-Windows Defender
      [ Guid] {11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}
   
  EventID 1116
   
  Version 0
   
  Level 3
   
  Task 0
   
  Opcode 0
   
  Keywords 0x8000000000000000
   
- TimeCreated
      [ SystemTime] 2016-07-31T11:29:24.997870500Z
   
  EventRecordID 2181
   
- Correlation
      [ ActivityID] {F6035F16-1354-4AEA-804C-989D52C5544F}
   
- Execution
      [ ProcessID] 2344
      [ ThreadID] 4876
   
  Channel Microsoft-Windows-Windows Defender/Operational
   
  Computer dans
   
- Security
      [ UserID] S-1-5-18
- EventData
    Product Name %%827
    Product Version 4.8.0207.0
    Detection ID {8CEDCDD6-4352-44AE-A3DB-539F99961CF4}
    Detection Time 2016-07-31T11:29:08.558Z
    Unused  
    Unused2  
    Threat ID 2147710574
    Threat Name TrojanDownloader:O97M/Donoff.BG
    Severity ID 5
    Severity Name Severe
    Category ID 4
    Category Name Trojan Downloader
    FWLink http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:O97M/Donoff.BG&threatid=2147710574&enterprise=0
    Status Code 1
    Status Description  
    State 1
    Source ID 3
    Source Name %%818
    Process Name C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe
    Detection User dans\JamesDaniel
    Unused3  
    Path containerfile:_C:\Users\JamesDaniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\2d07c3be17325300\120712-0049\Att\20041f81\3223C23008400F35 (3).docm;file:_C:\Users\JamesDaniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\2d07c3be17325300\120712-0049\Att\20041f81\3223C23008400F35 (3).docm->word/vbaProject.bin
    Origin ID 1
    Origin Name %%845
    Execution ID 1
    Execution Name %%813
    Type ID 0
    Type Name %%822
    Pre Execution Status 0
    Action ID 9
    Action Name %%887
    Unused4  
    Error Code 0x00000000
    Error Description The operation completed successfully.
    Unused5  
    Post Clean Status 0
    Additional Actions ID 0
    Additional Actions String No additional actions required
    Remediation User  
    Unused6  
    Signature Version AV: 1.225.2815.0, AS: 1.225.2815.0, NIS: 116.17.0.0
    Engine Version AM: 1.1.12902.0, NIS: 2.1.12706.0
Link to post
Share on other sites

Addendum:

It appears that there are no user-readable scan logs for WD under Win 8/8.1, according to this forum thread here:

http://www.eightforums.com/system-security/16710-windows-defender-where-scan-results.html

Quote

Obviously, you are able to see when it last ran by opening Windows Defender and looking at the last scan details on the bottom left. If it detected something, it would alert you and also log it in the 'History' section.

If you want to see more detailed logs, you can view them in Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

It will show as 'information' for when it has ran, etc. If it has detected malware, etc. it will show as 'Warning' with a yellow warning sign and details of process, severity, etc. If it's stopped before completion it will also show under a yellow warning sign.

So, please post that info, if you can, as well as the 3 requested diagnostic logs (attached, please).

Thanks,

Link to post
Share on other sites

Thanks.

When you are ready, please also post the 3 diagnostic logs, as previously requested.
FRST.txt, Addition.txt and Checkresults.txt.

If you can, please ATTACH all 3 logs as *.txt files. Let us know if you need help doing that.

>>Also: a quick question -- are you sure your WD definitions are current and up-to-date?

Thank you,

 

Link to post
Share on other sites

If this is your trojan "TrojanDownloader:O97M/Donoff.BG" it is an Office Document Macro Downloader.


Malwarebytes' Anti-Malware ( MBAM ) does not target scripted malware files.  That means MBAM will not target; JS, JSE,  PY, .HTML, VBS, VBE, WSF, .CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc.
It also does not target media files;  MP3, WMV, JPG, GIF, etc.

Until MBAM, v1.75, MBAM could not access files in archives but with v1.75 came that ability so it can unarchive a Java Jar (which is a PKZip file) but it won't target the .CLASS files within. Same goes with CHM files (which is a PKZip file) but it doesn't target the HTML files within. MBAM v1.75 and later specifically will deal with; ZIP, RAR, 7z, CAB and MSI for archives. And self-Extracting; ZIP, 7z, RAR and NSIS executables (aka; SFX files).

MBAM specifically targets binaries that start with the first two characters being; MZ
They can be; EXE, CPL, SYS, DLL, SCR and OCX. Any of these files types can be renamed to be anything such as;  TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with 'MZ'.

MZ-binary.jpg

 


 
 

C:\Users\JamesDaniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\2d07c3be17325300\120712-0049\Att\20041f81\3223C23008400F35 (3).docm

 

The file is a MS Word Document that uses macros and has the DOCm extension.  You are getting this in email.  The email must be deleted.

 

Please proceed to the Malware Removal sub-form as suggested by DD1 in Post ID #4.

 

NOTE:  Malwarebytes' Anti-Exploit ( MBAE ) is designed to deal with many of the types of malware associated with scripts, documents and media files where MBAE will protect the computer against Exploitation attempts whether they were exploits of software vulnerabilities or taking advantage of an application in an unusual way and works at an "action level" and not a "file level" like MBAM. MBAE provides protection of applications that are commonly  known to be associated with and normally used by the file type.
Reference:  MBAE FAQ

 

Edited by David H. Lipman
Link to post
Share on other sites

12 minutes ago, daledoc1 said:

In addition, please follow the steps in this pinned topic and ATTACH to your next reply the 3 diagnostic logs: Diagnostic Logs.
The 3 logs are: FRST.txt, Addition.txt and Checkresults.txt

Our posts are crossing in cyberspace.

So, I will log off for now until we get caught up.

What we need now are the 3 diagnostic logs.

We will then ask the Research Team to review the data.

Thank you,

Link to post
Share on other sites

Quote

I have Malwarebytes premium version that runs scans even night and it has never detected it? Is windows defender a better platform for detecting malware? 

One option, it is a filetype not targeted by MBAM like a offic file type or it is to old not seen in the wild

Link to post
Share on other sites

Hi, @winty85:

This is getting a bit messy and confusing.

At this time I suggest that the best course of action might be to head over to the malware removal section of the forum for expert help, as previously suggested by me and by David.
To do so, I suggest that you might want to please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help >>AND<< the suggested, preliminary steps to expedite the process.
A malware analyst will assist you with looking into your issue - the helper will guide you through scanning, cleanup and repair.

You are welcome to post the requested diagnostic logs here in this forum section, as we requested. However, based on the expert advice from @David H. Lipman, we will likely need to send you to the malware removal area anyway, once we see those logs.

In other words, it will be more efficient for you to head to the malware removal section directly.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.