Jump to content
Ktulu

Microsoft C++ Redistributable Triggering MBAM

Recommended Posts

I understand that MalwareBytes is extra rough on executables in the %systemroot%, but if you have the Microsoft C++ Redistributable installed to the default location, which is the %systemroot%, and if it is running, MalwareBytes will see it as Malware, and also its corresponding registry entry.

...I'm doing the scan in developer mode now, so the log is soon to follow.

Alert me if you need more information.

Share this post


Link to post
Share on other sites

The C++ installer file is called 'Install.exe'

...so it makes sense why it would flag it.

Share this post


Link to post
Share on other sites

OK here's the developer log from MalwareBytes 1.38. This doesn't flag the corresponding registry key. 1.39 does though, at least it did on the other machine I tested, which I don't currently have access to.

lwarebytes' Anti-Malware 1.38

Database version: 2305

Windows 5.1.2600 Service Pack 2

7/20/2009 12:49:36 PM

mbam-log-false-positive

Scan type: Quick Scan

Objects scanned: 155906

Time elapsed: 12 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\install.exe (Trojan.Agent) -> No action taken. [3857535134303627617479848566777715708970]

Share this post


Link to post
Share on other sites

Database Version: 2452

also sees

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Delete on reboot.

Share this post


Link to post
Share on other sites

If you want to use root as a storage folder please use the ignore list to kill any FPs . MBAM is aggressive against executables in this folder as no executables should be here and there is also a huge problem with malware loading from this location .

The reg hit is actually linked to the file , if you move the file or set it to ignore it should go away .

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.