Potential False Positive madbasic_.bpl Files


Eli343

Hello. Recently I installed Malwarebytes and ran a scan that quarantined several files, which may have included two false positives: two same-name files in different locations, both labeled “Trojan.Loader” in the quarantined items list (both listings are attached). The file name is “madbasic_.bpl”. Since the scan, I now get an error message pertaining to those two files on startup, which I have attached, that goes away after 4 clicks on the X or ‘OK’. Through research I haven’t been able to determine whether the files are safe or not, which has brought me here. My question is, is it safe to remove both madbasic_.bpl files from quarantine?

Screenshot 2024-06-28 170547.png

Screenshot 2024-06-28 170749.png

Screenshot 2024-06-28 154253.png

  • Staff

Hi,

This is a valid detection, together with the other detections in the log. The C:\USERS\OWNER\APPDATA\ROAMING\OIVKSDUB\PRESENTATIONHOST.EXE detection in your log is related, which is a Remote Desktop Client (Netsupport) where the attacker can perform additional tasks such as installing more malware, collecting passwords, etc.

  • Staff
Posted (edited)

It looks like it's launched by DPMHelper.exe, which might be legit, but it tries to load the malicious dll (sideloaded). Can you check if this DPMHelper.exe is present in the C:\Users\Owner\Appdata\Roaming\Fmmon_test_v3 folder and zip and attach that file here as well? 

Then please follow the instructions posted by Porthos above.

Edited by miekiemoes
I couldn’t find Appdata under Owner for some reason but after searching I found that DPMHelper.exe is in the Fmmon_test_v3 folder. I had trouble but I believe I zipped correctly (I couldn't zip the folder for some reason so I zipped the files in it and it was automatically named DPMHelper.zip).

As a side note, in case it's helpful, all of the files were created the day malware was installed.

DPMHelper.zip

  • Staff

As expected, that file is not malicious. This one does need the madbasic_.bpl file to run, but in your case, it was replaced with an adjusted/malicious madbasic_.bpl. 

You can actually delete the Fmmon_test_v3 folder. (https://support.microsoft.com/en-us/windows/view-hidden-files-and-folders-in-windows-97fbc472-c603-9d90-91d0-1166d1d9f4b5#WindowsVersion=Windows_11)

In case you can't remove that folder, check your running processes and right-click the DPMHelper.exe file in order to kill that running process. Then you should be able to delete that file. If you need additional help, please follow the instructions by Porthos posted earlier in order to clean up any remaining traces if still present.
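
Added example, not part of the staff reply above: a PowerShell sketch of the cleanup it describes, which first records each file's hash, signature status and creation time for the incident notes, then stops any DPMHelper.exe started from the folder and deletes it. The folder and process names come from this thread; resolving the profile through `$env:APPDATA` and the five-second wait are assumptions.

```powershell
# Added example: names are from the thread, the rest is illustrative.
$folder = Join-Path $env:APPDATA 'Fmmon_test_v3'

if (-not (Test-Path -LiteralPath $folder)) {
    Write-Output "Folder not found: $folder"
    return
}

# 1. Record what is in the folder before removing it. A signed host EXE next
#    to a support library with a different signature status is worth noting.
Get-ChildItem -LiteralPath $folder -File -Force -Recurse | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Name
        Created   = $_.CreationTime
        Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize -Wrap

# 2. Stop only the DPMHelper.exe instances that were started from this folder,
#    so a copy installed elsewhere on the system is left alone.
$procs = Get-Process -Name 'DPMHelper' -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Path -and
        $_.Path.StartsWith($folder, [StringComparison]::OrdinalIgnoreCase)
    }

foreach ($p in $procs) {
    Write-Output "Stopping PID $($p.Id): $($p.Path)"
    Stop-Process -Id $p.Id -Force
    # Give the process up to 5 seconds to release its file handles.
    $p.WaitForExit(5000) | Out-Null
}

# 3. Delete the folder, including hidden files.
Remove-Item -LiteralPath $folder -Recurse -Force
if (Test-Path -LiteralPath $folder) {
    Write-Output "Folder still present; a file in it may still be in use."
} else {
    Write-Output "Removed $folder"
}
```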
