whatmeworry?

Trojan.Crypt - 3 False Positives?


I ran a full scan of MBAM today, and to my surprise it claimed to find 3 files that it said contained Trojan.Crypt. They were all in a commercial program called Button Shop that I bought and installed last winter, but I don't think I've used it. I run frequent quick scans of MBAM and they never turned up these infected files. I've also run occasional full scans, including one two days ago with version 1.40 (the others were with version 1.39 or earlier), and these scans also did not turn up these Trojan.Crypt files.

After today's full scan (which was run after MBAM had automatically updated its definitions), I decided not to take any action. I closed MBAM and then opened it again and ran a Quick Scan. It turned up nothing. Since more than once I've read MBAM personnel say here that a quick scan is as good as a full scan, I'm a little surprised that the quick scan didn't turn up these trojans. I'm also surprised that earlier full scans didn't turn them up either.

I then went to the folders where the supposedly infected files were located and used MBAM from the context menu to scan them. That turned up nothing, nor did similar right-click scans with McAfee and with SpyBot.

I'm beginning to think that today's MBAM full scan produced three false positives, something that has never before happened when I've used MBAM. I thus tried to follow the instructions to run mbam.exe /developer and do another full scan. However, when the scan began, a box popped up informing me that SwissArmy failed to initialize, error code: 0. I let it go ahead anyway. The scan results unfortunately look like normal scan results, not the more detailed ones that I would have expected. Anyway, the full scan turned up no malware.

Should I just assume that the earlier full scan results were false positives? And what should I do about the fact that SwissArmy failed to initialize?

Thanks in advance for your help.

Without either a scan log or a developer's log, no one can answer anything about these potential false positives.

Please read the sticky in the forum:

http://www.malwarebytes.org/forums/index.php?showtopic=3228

Perhaps you should re-read my message. I said I tried to follow the instructions above to run mbam.exe /developer, and then to run another full scan, but I got an error message about SwissArmy not initializing. I was also seeking advice about what to do since I got that error message about SwissArmy.

I realize that you guys get a zillion messages each day, and I admire the fact that you respond as helpfully as you often do. But still....

I'd still like some useful advice about what to do.

Without either a scan log or a developer's log, no one can answer anything about these potential false positives.

I obviously don't have a developer's log, but if the scan log will be of use, here it is:

Malwarebytes' Anti-Malware 1.40

Database version: 2635

Windows 5.1.2600 Service Pack 2

8/16/2009 6:10:04 PM

mbam-log-2009-08-16 (18-10-04).txt

Scan type: Full Scan (C:\|)

Objects scanned: 251997

Time elapsed: 53 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

The only incident that I know of involving this was here :

http://www.malwarebytes.org/forums/index.php?showtopic=21738

Does this seem related ?

Hi, Bruce. Thanks very much for your response. Yes, there seem to be definite similarities between the three files MBAM flagged on my system and the location of the supposedly infected files on the system in the URL you provided. Here are the three from my computer:

C:\Documents and Settings\username\Local Settings\Application Data\Xenocode\ApplianceCaches\Button Shop.exe_v430C9CC4\Native\STUBEXE\@PROGRAMFILES@\Opera 9\opera.exe

C:\Documents and Settings\username\Local Settings\Application Data\Xenocode\ApplianceCaches\Button Shop.exe_v430C9CC4\Native\STUBEXE\@SYSTEM@\verclsid.exe

C:\Documents and Settings\username\Local Settings\Application Data\Xenocode\ApplianceCaches\Button Shop.exe_v430C9CC4\Native\STUBEXE\@WINDIR@\hh.exe

Does this seem related to you? What do you make of this? And what should I do about the fact that SwissArmy failed to initialize when I tried to run mbam.exe /developer?


The "SwissArmy failed to initialize" error can be caused by a few things. The two most common ones I see are starting and stopping a scan over and over without a reboot and starting a scan right as the system gets to the desktop. This error is only a problem if it happens often and for what seems to be no reason at all.

The detections themselves were FPs (that I fixed) and were being caused by encryption VERY similar to malware type encryption.

In both cases you have nothing to worry about.


Bruce, thanks VERY much for your very fast and reassuring response. I'm again immensely impressed with Malwarebytes' responsiveness. You guys have set a standard that I haven't seen equalled anywhere else in the anti-malware world.

The detections themselves were FPs (that I fixed) and were being caused by encryption VERY similar to malware type encryption.

Back in mid-August, I ran a Malwarebytes full scan that turned up three files supposedly infected with Trojan.Crypt. Since they were part of a software program I had had on my computer for quite a while without MBAM ever flagging them, I thought they might be a FP. Sure enough, after some discussion, nosirrah offered the above assurance that the detections were a FP and had now been fixed. Today, I ran another full scan, and the same three files were again flagged as Trojan.Crypt. Here is the scan log:

Malwarebytes' Anti-Malware 1.40

Database version: 2734

Windows 5.1.2600 Service Pack 2

9/3/2009 2:58:22 PM

mbam-log-2009-09-03 (14-58-11).txt

Scan type: Full Scan (C:\|)

Objects scanned: 222587

Time elapsed: 1 hour(s), 9 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\username\Local Settings\Application Data\Xenocode\ApplianceCaches\Button Shop.exe_v430C9CC4\Native\STUBEXE\@PROGRAMFILES@\Opera 9\opera.exe (Trojan.Crypt) -> No action taken.

C:\Documents and Settings\username\Local Settings\Application Data\Xenocode\ApplianceCaches\Button Shop.exe_v430C9CC4\Native\STUBEXE\@SYSTEM@\verclsid.exe (Trojan.Crypt) -> No action taken.

C:\Documents and Settings\username\Local Settings\Application Data\Xenocode\ApplianceCaches\Button Shop.exe_v430C9CC4\Native\STUBEXE\@WINDIR@\hh.exe (Trojan.Crypt) -> No action taken.

If indeed this detection was in error and had been fixed several weeks ago, why am I again being told the files are malware?

Thanks in advance for your help.

This should be fixed.

Thanks very much, Bruce. I've just run a full scan with version 1.40, database 2743, and it turned up no problems, so the FP seems to have been fixed.

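A small parser and triage helper for MBAM 1.x scan logs like the ones pasted in this thread, added here as an example; it is not code from the thread or from Malwarebytes. The log layout and the three Button Shop paths are taken from the posted logs; the extra Temp entry, the "after" log with database 2743, and the rule that treats hits inside a Xenocode appliance cache stub directory as likely packer/encryption false positives to report rather than delete are this example's own constructions.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and triage the hits.

Added example; not code from the thread or from Malwarebytes. The log layout
and the three Button Shop paths come from the logs posted above; the Temp
entry, the second log and the "virtualization cache" rule are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the MBAM 1.40 log layout posted above.
LOG_BEFORE = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2734
Memory Processes Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\username\Local Settings\Application Data\Xenocode\ApplianceCaches\Button Shop.exe_v430C9CC4\Native\STUBEXE\@PROGRAMFILES@\Opera 9\opera.exe (Trojan.Crypt) -> No action taken.
C:\Documents and Settings\username\Local Settings\Application Data\Xenocode\ApplianceCaches\Button Shop.exe_v430C9CC4\Native\STUBEXE\@SYSTEM@\verclsid.exe (Trojan.Crypt) -> No action taken.
C:\Documents and Settings\username\Local Settings\Application Data\Xenocode\ApplianceCaches\Button Shop.exe_v430C9CC4\Native\STUBEXE\@WINDIR@\hh.exe (Trojan.Crypt) -> No action taken.
C:\Documents and Settings\username\Local Settings\Temp\setup_tmp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# Constructed: rescan after the definitions update the thread says fixed the FP.
LOG_AFTER = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2743
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

DB_RE = re.compile(r"^Database version: (\d+)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # summary line
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")       # list header
HIT_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

@dataclass
class Hit:
    section: str
    path: str
    name: str
    action: str

@dataclass
class ScanLog:
    version: str = ""
    database: str = ""
    counts: dict = field(default_factory=dict)
    hits: list = field(default_factory=list)

def parse_mbam_log(text):
    """Blank lines are ignored, so copies pasted with or without them parse."""
    log, section = ScanLog(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            log.version = line.split()[-1]
        elif m := DB_RE.match(line):
            log.database = m.group(1)
        elif m := COUNT_RE.match(line):
            log.counts[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := HIT_RE.match(line)):
            log.hits.append(Hit(section, m["path"], m["name"], m["action"]))
    return log

def count_mismatches(log):
    """Sections whose 'X Infected: N' summary disagrees with the entries listed."""
    listed = {}
    for h in log.hits:
        listed[h.section] = listed.get(h.section, 0) + 1
    return sorted(s for s, n in log.counts.items() if listed.get(s, 0) != n)

# Assumption of this example: a hit inside a Xenocode appliance cache stub
# directory is far more likely to be a packer/encryption FP than live malware,
# so it should be reported with the log (per the sticky) rather than deleted.
CACHE_MARKERS = ("\\xenocode\\appliancecaches\\", "\\stubexe\\")

def triage(hit):
    if all(marker in hit.path.lower() for marker in CACHE_MARKERS):
        return "likely-fp"
    return "investigate"

def diff_logs(before, after):
    """(paths cleared by the newer database, paths still flagged)."""
    old, new = {h.path for h in before.hits}, {h.path for h in after.hits}
    return sorted(old - new), sorted(old & new)

if __name__ == "__main__":
    before, after = parse_mbam_log(LOG_BEFORE), parse_mbam_log(LOG_AFTER)
    print("truncated sections:", count_mismatches(before))
    for h in before.hits:
        print(f"{triage(h):12} {h.name:15} {h.action:38} {h.path}")
    cleared, persisting = diff_logs(before, after)
    print(f"db {before.database} -> {after.database}: {len(cleared)} cleared, {len(persisting)} still flagged")
```

The count check matters because the first log in this thread was pasted without its "Files Infected:" list; a summary that disagrees with the entries listed is the quickest sign that a log is incomplete. The cache-path rule is only a prioritisation aid: it tells you which hits to report with the log and which to look at first, not which ones to delete.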
