Microsoft Works Files called Rogue.Installers

[jholland1964]

Had this come up in a thread at another forum. Are these flagged Works files false positives?

Malwarebytes' Anti-Malware 1.41

Database version: 2796

Windows 6.0.6001 Service Pack 1

9/15/2009 12:45:29 PM

mbam-log-2009-09-15 (12-45-29).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 440501

Time elapsed: 4 hour(s), 13 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{bd415a76-f3e8-45c7-8a2a-9705d9fbf529} (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Microsoft Works\cpitv11.dll (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Works\pibase11.dll (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Program Files\MATLAB71\toolbox\compiler\mcr\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.

C:\Program Files\MATLAB71\toolbox\datafeed\datafeed\bbdatafeed.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.

C:\Program Files\MATLAB71\toolbox\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.

[jholland1964]

Also am wondering about those MATLAB71 files as they also seem to be legitimate files from a legitimate program.

[nosirrah]

Database version: 2796<- Your definitions are out of date , please update and scan again .

[jholland1964]

The data base WAS up to date for the date and time of the scan. A second scan was done several hours later and it showed clean.

Malwarebytes' Anti-Malware 1.41

Database version: 2804

Windows 6.0.6001 Service Pack 1

9/16/2009 9:28:51 AM

mbam-log-2009-09-16 (09-28-51).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 442006

Time elapsed: 4 hour(s), 10 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

But this would make sense wouldn't it, the first scan done clearly shows they were quarantined and removed so why would they show again?

My real concern is that these are known legitimate file names for files on both Works and MATLAB71 so how is the person to know they definitely were NOT false positives and how are we assured that these two programs have not been damaged by the removal of perfectly legal legitimate files?

These are not the only logs where we have seen questionable findings with this new version of MBA-M.

Earlier today we also found questionable findings in another log; I will only post the two with a question

Malwarebytes' Anti-Malware 1.41

Database version: 2812

Windows 5.1.2600 Service Pack 3

9/16/2009 1:41:52 PM

mbam-log-2009-09-16 (13-41-52).txt

Scan type: Full Scan (C:\|)

Objects scanned: 157522

Time elapsed: 1 hour(s), 16 minute(s), 5 second(s)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Agent) -> Quarantined and deleted successfully.

and this one:

Files Infected:

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Two more legitimate files. Yes, the j2re1 file is out of date but have never seen it flagged as bad before. These were removed and it wouldn't affect the running of the machine or the programs but they appear to us to be legitimate files.

[jholland1964]

I have additional information concerning the files flagged by MBA-M in this log:

Malwarebytes' Anti-Malware 1.41

Database version: 2796

Windows 6.0.6001 Service Pack 1

9/15/2009 12:45:29 PM

mbam-log-2009-09-15 (12-45-29).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 440501

Time elapsed: 4 hour(s), 13 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{bd415a76-f3e8-45c7-8a2a-9705d9fbf529} (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Microsoft Works\cpitv11.dll (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Works\pibase11.dll (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Program Files\MATLAB71\toolbox\compiler\mcr\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.

C:\Program Files\MATLAB71\toolbox\datafeed\datafeed\bbdatafeed.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.

C:\Program Files\MATLAB71\toolbox\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> Quarantined and deleted successfully.

As noted earlier, the database WAS up to date at the time of that scan. I am still concerned that these files are false positives since they are legitimate files from legitimate programs. I had the poster restore these files from MBA-M quarantine and then upload them all, one at a time to

http://virusscan.jotti.org/en

for scanning. ALL five of these files scanned CLEAN by ALL 21 scanners at jotti. He has not yet restored the Registry key which was also removed and quarantined. I have told him to hold off on the restore of this until we get the word from MBA-M.

Is there any work being done on this or are we going to have to have people scan without removal, check each file found and then have them rescan and then fix or remove?

[nosirrah]

http://www.malwarebytes.org/forums/index.php?showtopic=3228

Can I have a copy of cpitv11.dll and bbdatafeed.mexw32 please ?

Zip and attach them to you next post .

[jholland1964]

I will contact the poster and ask him to do this. Should he post them on his actual thread at daniweb or post them here or send them to me?

[nosirrah]

Posting this here will be the absolute fastest way to get this resolved .

[jholland1964]

Posting this here will be the absolute fastest way to get this resolved .

Since he is not a member here I will try to contact him, have him register and then lead him to this thread. I am not certain of his geographic location so not sure of the time difference involved but I will contact him and have him do this. I hope he will be allowed to post within this thread.

[jholland1964]

There was also a link for the developer mode in your previous post. I assume this goes here also or someplace else?

[jholland1964]

Can you also give instructions on exactly how to save these files? I attempted to do this on my own computer so that I could give him some understandable instructions on how to do this but no where is there an option to send to a zip file or save as a zip file so I could not compose easily understood instructions for him to follow.

[nosirrah]

I will look at the developers log first , I may be able to resolve this with just that info .

[jholland1964]

I have notified him of the need for the developers log and given instructions for retrieving that. I will post that as soon as I receive it from him. Thanks!

[jholland1964]

I finally received the developers log from my poster. Here is what he replied to me:

Ran the developer scan. Now only the matlab files were detected. Here is the log.

Malwarebytes' Anti-Malware 1.41

Database version: 2804

Windows 6.0.6001 Service Pack 1

9/20/2009 10:57:32 AM

mbam-log-2009-09-20 (10-57-24).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 445525

Time elapsed: 4 hour(s), 25 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\MATLAB71\toolbox\compiler\mcr\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> No action taken. [4948455830466677886683701549666876708301070701524259383020192423250107070155385

15242484730393445523801070701525351424740523021252613012421232224252421323232323

2

32323232323232323232323232323232323232323232323232323232323232323232323232323232

3

23232323232323232323232323232323232323232323232323232241923212318242123183232323

2

32323232323232323232323232323232323232323232323232323232323232323232323232323232

3

23232323232323232323232323232323232323232323232323223212318242123183232323232323

2

32323232323232323232323232323232323232323232323232323232323232323232323232323232

3

23232323232323232323232323232323232323232323232322419232223362339232032323232323

2

32323232323232323232323232323232323232323232323232323232323232323232323232323232

3

23232323232323232323232323232323232323221190107070152535142474052301919192419130

1

17171717171717171717171717171717171717171717171717171717171717171717171717171717

1

71717171717171717171717171717171717171717171717010707015253514247405230192623201

9

13011717171717171717171717171717171717171717171717171717171717171717171717171717

1

717171717171717171717171717171717171717171717171717]

C:\Program Files\MATLAB71\toolbox\datafeed\datafeed\bbdatafeed.mexw32 (Malware.Packer) -> No action taken. [4948455830466677886683701549666876708301070701524259383020192423250107070155385

15242484730393445523801070701525351424740523021252613012421232224252421323232323

2

32323232323232323232323232323232323232323232323232323232323232323232323232323232

3

23232323232323232323232323232323232323232323232323232241923212318242123183232323

2

32323232323232323232323232323232323232323232323232323232323232323232323232323232

3

23232323232323232323232323232323232323232323232323223212318242123183232323232323

2

32323232323232323232323232323232323232323232323232323232323232323232323232323232

3

23232323232323232323232323232323232323232323232322419232223362339232032323232323

2

32323232323232323232323232323232323232323232323232323232323232323232323232323232

3

23232323232323232323232323232323232323221190107070152535142474052301919192419130

1

17171717171717171717171717171717171717171717171717171717171717171717171717171717

1

71717171717171717171717171717171717171717171717010707015253514247405230192623201

9

13011717171717171717171717171717171717171717171717171717171717171717171717171717

1

717171717171717171717171717171717171717171717171717]

C:\Program Files\MATLAB71\toolbox\matlab\verctrl\verctrl.mexw32 (Malware.Packer) -> No action taken. [49484558304666778866837015496668767083010707015242593830201924232501070701553

[jholland1964]

Looking at my previous post with the developer log it appears that it did not fully appear. I am going to attach and see if it all comes through.

Malwarebytes_Developer_Log.doc

[nosirrah]

These logs are nearly 30 updates behind , please update and check again , I am almost certain that these are fixed .

[jholland1964]

I have notified my poster. You know there is nothing in the instructions concerning the developer log stating the program should be updated before doing this. My poster asked me and since I was following your instructions and they didn't say to update as normal before a scan I told him no since you instructions did not say to do so. You should change the instructions because they say nothing about updating first.

1. Click the Start Menu.

2. Click Run.

3. Type in "mbam.exe /developer", without the quotes.

4. Run the same type of scan you did before and save the logfile and post it.