
Spyware.Banker

I updated and then scanned - Mbam suddenly found two areas of the one problem.

I googled to see Mbam does find this thing, but I am surprised because it's a couple of months since I installed 'Drop My Rights' and several Mbam scans didn't pick it up until yesterday.

Could anyone hazard a guess how this thing could have suddenly got into 'Drop My Rights' please?

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ie dropmyrights (Spyware.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\IE DropMyRights\Uninstall.exe (Spyware.Banker) -> Quarantined and deleted successfully.

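Added example, not part of this thread and not Malwarebytes' own tooling: a small Python parser for the MBAM 1.x log format shown in the post above. It re-joins a detection whose path and classification were split over two lines (as the forum copy of the registry entry is), and reports when the database version that the staff ask for in false-positive reports is absent. The sample log is constructed from the detections in the post; the `Database version:` header line is an assumption about the layout of a full MBAM 1.x log, since the post omits it.

```python
"""Added example (not from this thread or from Malwarebytes): parse an MBAM 1.x
scan log into structured detections, so a false-positive report can be checked
for the fields the forum staff ask for (database version) before it is posted."""
import re
from typing import Dict, List, Optional

# Section headers as they appear in MBAM 1.x logs (the five on this page).
SECTION_RE = re.compile(
    r"^(Registry Keys|Registry Values|Registry Data Items|Folders|Files) Infected:$"
)
# One detection line: <item> (<classification>) -> <action>.
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<classification>[^()]+)\) -> (?P<action>.+?)\.?$"
)
NO_ITEMS = "(No malicious items detected)"

# Constructed sample: the detections from the first post, with the registry
# entry split over two lines exactly as the forum extraction shows it.
# The "Database version:" header is ASSUMED to be the form full MBAM 1.x
# logs use; the original post omitted it.
SAMPLE_LOG = r"""
Database version: 2809

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ie dropmyrights
(Spyware.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\IE DropMyRights\Uninstall.exe (Spyware.Banker) -> Quarantined and deleted successfully.
"""


def _join_wrapped_lines(lines: List[str]) -> List[str]:
    """Re-join a detection that was wrapped after the item path.

    A line beginning with '(' that is not the 'no items' marker is the tail
    '(<classification>) -> <action>' of the previous entry, not a new one.
    """
    out: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        is_tail = line.startswith("(") and line != NO_ITEMS
        if is_tail and out and not SECTION_RE.match(out[-1]):
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_mbam_log(text: str) -> Dict[str, object]:
    """Return {'database_version': str|None, 'detections': [...]} for a log."""
    database_version: Optional[str] = None
    detections: List[Dict[str, str]] = []
    section: Optional[str] = None
    for line in _join_wrapped_lines(text.splitlines()):
        if line.startswith("Database version:"):
            database_version = line.split(":", 1)[1].strip()
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or line == NO_ITEMS:
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            detections.append({
                "section": section,
                "item": entry.group("item"),
                "classification": entry.group("classification"),
                "action": entry.group("action"),
            })
    return {"database_version": database_version, "detections": detections}


def missing_report_fields(parsed: Dict[str, object]) -> List[str]:
    """Fields a false-positive report needs that this log does not carry."""
    missing: List[str] = []
    if parsed["database_version"] is None:
        missing.append("database_version")
    return missing


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    for d in result["detections"]:
        print(f"{d['section']:20} {d['classification']:16} {d['item']}")
    partial = SAMPLE_LOG.replace("Database version: 2809\n", "")
    print("missing:", missing_report_fields(parse_mbam_log(partial)))
```

Running the file prints one row per detection and then `missing: ['database_version']` for the header-less copy, which is the situation the reply below points out when it calls the posted log partial.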

Greetings Jace and welcome :P .

Though you only posted a partial log (I see no database version or OS version), I believe this is indeed a false positive that was likely corrected yesterday. Please update MBAM and do another Quick Scan to see if it's been fixed. If not then please refer to this post: Read before reporting a false positive!

and post the info here: False Positives.

Thanks ;) .

Thanks to you Ex. - Oh yes, it's on XP Home and Mbam was updated to 2809 onboard 1.41

As shown in the log, Mbam Qu'ed, and Deleted.

I jumped too quick I guess, in asking Mbam to Delete, should have looked at the thing to which they were referring because it didn't have an .ext - If you are still here around Ex. can you tell me for future ref. please, can these grubs have NO extension? and still be Trojans or whatever? even if not in this case?

Have just used a tiny App. 'Cathy', which tells me there is no sign of anything named Spyware.Banker, but I am now wondering what exactly Mbam Deleted?


Yes, it's possible for malware to display no extension or use an obscure one like .dat. To restore the file, open up MBAM and go to the Quarantine tab. You should see the file listed there and be able to restore it. After doing so, update your database (current version is 2813) and do another Quick Scan. If it makes the detection again then I would suggest following the instructions in my earlier post.

Thanks :P .


Well didn't I ask at the wrong moment in time - After reading your reply Ex. I went to update Mbam and not only got an immediate 732 etc. error BUT it also cut me straight off the Net with a click, gone!

Now I have noticed the long list here on the Forum re. Mbam having gone haywire for everyone - I read one moderator's 'how to' but it didn't work for the OP so I won't try that.

If this problem with Mbam gets solved I shall do as you suggested, and thanks for your help.


Do you want to address the error 732 now?

Absolutely thanks Yardbird, BUT I prefer not to go through a whole lot of moves to no avail - I mean until that moment I mentioned everything was going well - I think Mbam is the problem - My A-V is AVG but I do have quite a few other security guards.

Can I ask you this please - I just took a look at my HJT list and Mbam has one there which I had not noticed before, it ends with something like /cleanupscript

Is that a legit. Mbam item?


Hi! without seeing the post? I wouldn't know? If you want to bookmark the thread & follow it go ahead... Feel free to post, in the correct forums, comment, issues or questions... we never close... As for that 732 we are always picking up new issues on it, ie: I left my pc for 10 mins ..last night so the DSL was idle, I got a 732 when I came back to download updates, I refreshed the page here, (kicked the modem so to say) and the downloads started again, no error! welcome to malwarebytes! will cya later...regards...


I think you misunderstood my question Yard. - was not asking about a post - I asked if the Mbam entry in HJT is a legit. entry because I had not noticed it before this mess began, here it is thanks,

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript


I'm sorry - I'm loading software & missed that... Logs are not to be posted here, some users do & we move them over to the HJT forum, some people had made comments on a question like yours above. Some of the admins would like to keep it in the HJT forum. You would have to disqualify my reply: Logs I don't read unless --->http://www.malwarebytes.org/forums/index.php?showtopic=12264

see what I mean...


Hi Jace,

The developers are looking into this. That entry is normally not there in a HJT log. Take a look at this thread.

Thanks very much JT. for a bit of decent help and the link - Have taken a couple of scroll down pics. to read offline later - Ex's last post suggests the same as your first sentence so hopefully your people will come up with the problem cure.

I shall also get rid of the HJT entry later, since you mentioned it would not normally be there - I just have the feeling it only went there after having qu'ed and deleted the possible FP referred to by Ex. in this thread, Spyware.Banker, that's the exact moment my Mbam problem began.

Have run several scans via AVG, SAS, SPYBOT S&D - zilch found.

Regards.


AVG certainly could've also messed with MBAM, they've had a false positive of their own that has been messing with MBAM lately and some of its files. That is likely the cause of the errors.

As for the startup entry, it is the cleanup that's run when you reboot after having MBAM remove something that was detected (in this case, the Spyware.Banker which is most likely a false positive). MBAM is supposed to remove that startup entry after the quarantine is completed but it hasn't been doing so on some systems, and that's the issue being investigated by the developers.

I'd recommend you try to update MBAM again after excluding all of its files from AVG.

Please exclude the following files from your antivirus:

For Windows XP:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware\rules.ref
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\System32\drivers\mbamswissarmy.sys

Note: If using a software firewall besides the built in Windows Firewall you'll need to exclude them from it as well


Having read that link to which JT pointed me Ex. - I noted the poster also had Mbam Qu'ed and delete whatever from his machine and seeing as JT thought the Mbam entry in my HJT was probably not supposed to stay there, I decided to try something.

I ran a HJT scan and then tried to delete the O4 Mbam entry I referred to above but it would not delete it, so I went into regedit and the path to 'RUN' - the same Mbam /cleanupscript entry was there, I right clicked and Deleted it.

Re-ran HJT and deleted it from there too, which it did this time.

Opened Mbam and tried to Update but got the same 732.. Error, so quickly exited so as it would not delete me off the net again - I reopened it and ran a quick scan, no problems - I think maybe it won't update because even though I've deleted the reg. entry it won't take effect until I reboot - So, I will reboot when offline and tomorrow see if the reg. entry deletion worked and hopefully I will be able to update again.

If not, then I shall try your idea of adding the Mbam's to AVG's Exceptions list - My bet is that it has nothing whatever to do with AVG but I won't know for sure until my next reboot finds out if my thought worked - If it has then I shall be back to ask you if deleting that Mbam entry from the reg. as I did will put the kibosh on Mbam being able to Q. and Delete any future malware?

Regards.


Deleting that startup entry shouldn't affect MBAM's ability to remove malware in the future :P . It gets added by MBAM itself temporarily and is supposed to go away after a reboot.

Let me know how it goes. As I said, for the past several days AVG has been detecting part of MBAM and either blocking it or deleting one of its files, thus having a bad effect on MBAM. You can refer to this post from an AVG user who contacted them and they confirmed the problem and stated that they are working on fixing it.


Hoping that you are still here around Ex., Yesterday I did what I said and it didn't appear to work because Mbam still showed the 732.... when I pretended to update while offline - So I then added your list to AVG Excepts., exited, and restarted AVG, tried to update Mbam, again a pretend because I was offline, still showed the 732 - Said bugger it and switched off in disgust.

This morning I got on the Net and immediately tried to update, NO sign of the 732, updated without a hitch to 2821.

So Ex. I would have lost my bet and gladly because you saved me going via the cape, uninstall/reinstall, my sincere thanks to you, Ex. for Expert is correct - Noted your thought re. the possible future call on /cleanupscript, so hopefully all will be OK.

Kindest Regards and Thanks.
