Rogue.Installer: False Positive or Real Threat?


XylemBassGuitar

Hi Everyone,

I ran a MalwareBytes scan recently and it found a "Rogue.Installer" in a system volume directory of my computer. I quarantined the Rogue.Installer but did not delete it. Since then, my browsers (IE 7 and Firefox 3.0.13) both seem to retrieve webpages much slower than usual, sometimes not at all; though sometimes they seem to run normally. I've got another computer connected to the same router and it does not seem to have this problem at all, so I don't believe it is a connection issue.

I have a suspicion that the Rogue.Installer was a false positive and that quarantining the file has caused the issues with my slow browser performance.

So, I restored the Rogue.Installer via MBAM and then ran MBAM in Developer Mode to get a log file, which is pasted below. As a side note, I got a message before the scan started in Developer Mode that said "DDA Failed to read, Error Code: 2." I clicked OK and the Developer Mode scan seemed to run normally, but I wanted to make a note of the error in case it was an issue.

Is this a false positive, or is it a real threat?

Thank you all for your help!

-Anthony

Log File from Developer Mode Scan:

Malwarebytes' Anti-Malware 1.41

Database version: 3005

Windows 5.1.2600 Service Pack 3

10/22/2009 1:47:08 PM

Developer Mode mbam-log-2009-10-22 (13-46-58).txt

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 216538

Time elapsed: 1 hour(s), 37 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{17B0C848-F910-4965-9B5B-FD8EE833FFB1}\RP147\A0016598.exe (Rogue.Installer) -> No action taken. [5253514247405230518072867015427984856677777083130119232622191713011717361939343939171736223925393917173634393739391821371939383939193937353939393921363821393939393233438393939393925363926393939392634393939393939262639393939393926243939393939392437392239393939231838363939393921253820393939392018373839393939182237383939393939]


The folder where this is, is where System Restore stores files, and would have nothing to do with system performance on any level.

What I see indicates that you had a rogue installer that was backed up into System Restore at some point in the past. It did not even need to actually infect your system to get backed up, and could be months or even years old.

Either way, this file is safe to keep or remove, as it is only a backup and has no ability to ever execute. Personally I would just let MBAM delete it.

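As an added illustration of the reply above (example code written for this thread, not Malwarebytes' own tooling), here is a small triage helper that parses the "Files Infected" entries of an MBAM 1.x log and separates detections sitting inside a System Restore restore point (`\System Volume Information\_restore{GUID}\RP<n>\`) from detections in live locations. The first sample line reproduces the restore-point path from the posted log; the second sample line and the short bracketed digits are constructed for contrast and do not come from the thread.

```python
import re

# Constructed sample in the layout of an MBAM 1.x log "Files Infected" section.
# The first line mirrors the restore-point path posted in the thread; the second
# line and the trailing bracketed digits are constructed for contrast and are
# not from the thread.
SAMPLE_LOG = r"""
Files Infected:
C:\System Volume Information\_restore{17B0C848-F910-4965-9B5B-FD8EE833FFB1}\RP147\A0016598.exe (Rogue.Installer) -> No action taken. [0102030405]
C:\Documents and Settings\user\Local Settings\Temp\setup_sample.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One detection line: "<path> (<detection name>) -> <action>." optionally
# followed by the bracketed signature data MBAM appends in Developer Mode
# (which may be cut off when a log is pasted, hence the optional closing "]").
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> "
    r"(?P<action>[^\[]+?)\.?\s*(?:\[[^\]]*\]?)?\s*$"
)

# System Restore keeps its restore-point copies under
# <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\ ; the RP number
# identifies the restore point the copy belongs to.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\",
    re.IGNORECASE,
)


def parse_detections(log_text):
    """Return one dict per 'Files Infected' entry found in an MBAM log."""
    detections = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        rp = RESTORE_POINT_RE.search(m.group("path"))
        detections.append({
            "path": m.group("path"),
            "name": m.group("name"),
            "action": m.group("action").strip(),
            "in_restore_point": rp is not None,
            "restore_point": rp.group(1) if rp else None,
        })
    return detections


def summarise(log_text):
    """Split detections into restore-point backups and everything else."""
    detections = parse_detections(log_text)
    return {
        "total": len(detections),
        "restore_point_backups": [d for d in detections if d["in_restore_point"]],
        "live_locations": [d for d in detections if not d["in_restore_point"]],
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for d in summary["restore_point_backups"]:
        print(f"{d['name']}: backup copy in restore point {d['restore_point']} "
              f"(not run from there; goes away when the restore point is removed)")
    for d in summary["live_locations"]:
        print(f"{d['name']}: outside System Restore at {d['path']} -> {d['action']}")
```

A detection classified as a restore-point backup is the situation described in the reply: a copy System Restore made of a file, not something running on the machine, which is why it cannot explain browser slowness. Deleting the restore point (or letting MBAM remove the file) is the cleanup; anything that lands in `live_locations` is what actually needs attention.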

I'd also like to add, if I may, that Firefox 3.0.13 has had a security and stability update to 3.0.14. While in Firefox, go to Help > Check for Updates to update your browser :lol:

Version 3 will be supported with security and stability updates until January 2010; after that, users should update to version 3.5 of Firefox to have the most secure version of Firefox.

:lol:

