Modified system files by MBAM

[gasgpmo]

It seems that MBAM has modified LSASS.EXE, WINLOGON.EXE, SERVICES.EXE, explorer.exe, and Marcs Updater.exe (opendns application).

Why has it modified these files? My firewall tells me this is typical behavior of trojans.

I'm running on Windows 2000 SP4.

[AdvancedSetup]

Hello gasgpmo, and welcome to Malwarebytes.org

No our product does not modify these files. You may have an infection resident on your system or perhaps a false positive from your Anti-Virus.

The best thing to do is follow the instructions below and allow someone with experience to assist you. Please be patient though as it can take a couple of days before someone can get to you. There are only so many qualified helpers.

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someon has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

[gasgpmo]

It wasn't my antivirus, it was my firewall which explicitly told me that MBAM had altered the files. The files hadn't been touched by anything before I installed MBAM, updated, and scanned the system. Unless this "infection" was somehow waiting for the perfect time to strike and blame it on MBAM!...then it was MBAM, or my firewall is delusional.

I'm not looking for any Malware removal experts. I'm looking for someone who can tell me why MBAM modified the files, or at least tell me why my firewall told me that it did.

[AdvancedSetup]

Don't have an answer for you that apparently will satisfy you. I've already told you that it should not and the product is installed on millions of computers.

You can either ask for assistance scanning your system as I've posted or contact support@malwarebytes.org and they can help you to scan for any potential issue.

We open and check files but we do not alter them just like your Anti-Virus product does.

[CCMUA2009]

I'm not really computer or security savvy, but would a firewall inform one of changes to programs? I thought a firewall would inform of entries into or out of a system? By no means am I attempted to be a smart A. I'm just trying to understand and learn

by the way, i like this forum. helpful people here. I was clued into malwarebytes by members on the Norton forum who swear by malwarebytes as an adjunct to their Norton product

[GT500]

I'm not really computer or security savvy, but would a firewall inform one of changes to programs? ...

In most firewalls, when an application that accesses the Internet changes, the firewall notifies the user and asks if they still want to allow it to access the Internet.

In this case, I'm fairly certain that the user has something other than Malwarebytes' Anti-Malware, as our software makes no changes to system files on it's own. There is an internal whitelist that prevents it from changing system files, even if it detects malware in them.

Note that the screenshot below is what our software looks like when you open it, and if it does not look like that, then you have something else:

[Beenthere]

What's the name of your firewall anyway?

[Jacktivity]

@gasgpmo

You don't say so, but it sounds like you may be referring to the Defense+ component of Comodo Internet Security. I've seen Comodo throw up that kind of notification before and it IS disconcerting. However, as AdvancedSetup has stated, MBAM is not modifying your files. It does need to interact with various Windows processes in memory and this is probably what Comodo is seeing and interpreting as a modification. See this link to better understand how Defense+ works and how to set it and also this on Computer Security Policy. This behavior is one of the reasons I don't recommend Comodo for the average user. It's just too complicated and scary for many people.

@CCMUA2009

See these Wikipedia Articles for more information on Intrusion Prevention System and Comparison of Firewalls

[gasgpmo]

Yeah, I have a Comodo firewall, but I don't know what Defense+ is. If that's all that's going on, Jacktivity, then I guess there's no problem after all. Comodo is known to be aggressive, sometimes interpreting DNS queries as UDP scans.

And MBAM is installed correctly, as I downloaded it from the official website.