False Positive? Trojan Dropper


daledoc1

Hello:

Excuse me if I am doing this wrong, since this is my first detection using MBAM, and I think it is a false positive.

I awoke this AM to find a dialog box from MBAM (database version 4350) that it had detected & quarantined the following file as Trojan Dropper:

C:\ProgramFiles(x86)\MediaMonkey\Vishelper.exe

As this file has never been detected before by MBAM (or any other security app), and since MediaMonkey has been installed on this computer for months (no recent updates), I think this is a FP.

I tried to run an MBAM Quick Scan in developer mode. It, along with a screenshot of the detection pane, is attached.

Since the file is now in Quarantine, I cannot find the file path in C:\ProgramFiles..., so although I know how to zip a file, I do not know how to locate the exact file to zip it for submission for evaluation.

AFAIK, my system is clean (all scans with MBAM, SAS and McAfee are clean), and everything is fully patched, and there is no suspicious behavior to suspect infection.

(I have yet to fire up my laptop, which also has MediaMonkey installed, so I don't know if MBAM will detect this same file on that system.)

Unfortunately, I will be away from both computers all day today until early evening, local time.

So, I will be unable to see your response, to reply to you, or to send you any needed additional information until then.

Until then, I will leave the file in quarantine, and I anxiously await your evaluation and advice, and I thank you most sincerely for your excellent software and support,

daledoc1

Hello, nosirrah:

Thanks for getting back to me so quickly.

Sorry, I am a bit of a computer illiterate when it comes to this sort of thing.

When I tried to find the file in the file path, it isn't there.

I assume that's because it is already in Quarantine?

As far as the developer scan, it and "regular" scans (including today's scheduled Quick Scan at 0500h) say they are clean.

So, I don't know how this detection occurred.

When I type "mbam.exe /developer" (without quotes) into the search pane after clicking the start orb on this Win7/64 system, it pulls up mbam.exe developer; do I need to R click and "run as administrator" even though I have admin privs (this is the only account)?

I guess I need more specific, detailed, simplified, step-by-step instructions on how to: 1) run the developer mode scan and 2) restore/zip the file in question, please.

I am very sorry for the inconvenience and appreciate your assistance.

Thanks,

daledoc1

Hello, Tony:

Thanks for your VERY fast and much more expert help. [Edit: I mean -- more expert THAN ME, not than Nosirrah, of course!!!]

I will await Nosirrah's more detailed instructions for the computer illiterate that I am (since I may need to do this again some time), but it looks as though this will turn out to be a FP?

daledoc1

Same here on the quick scan (many of them).

I **think** I completed the dev mode scan correctly this time (it had a long string of numbers at the very top of the pane -- 72500965 -- rather than the program name?), but it was also clean.

When I look at the log file, it looks the same to my newbie eyes as the regular mode scan log, so I still don't know if I've done it correctly.

However, I have not yet run a FULL scan (I only run MBAM Quick Scans, since I'm told that this is all that's needed, unless Quick Scan detects something).

So, I am puzzled about Tony's observations that it was detected on a full scan.

I don't know how this file got into Quarantine! :)

I may not have time to do this now, since I have to go to work and will be powering down the system until this evening.

Since Tony has already sent the zipped file, I assume I don't need to do so, but I would still greatly appreciate your instructions on how to do this, for future reference.

I assume it involves first restoring the file out of quarantine, then navigating to the file path and either R click > save as zip file, or using WinZip, etc?

Needless to say, I'd rather NOT restore the file until I know it's safe.

Thanks to both Nosirrah and TonyKlein.

I'll wait for further instructions and advice.

daledoc1

All fine here. File restored, Quick Scan with 4351 clean.

@Tony: Yes, I do know how to Zip files. :) :) It's just that I wasn't sure how to do so with a file that was in Quarantine -- for future reference, I assume one has to restore it first? (Needless to say, I wasn't ecstatic about restoring it, in the event that it had been a "real" infection. So, is there some way to zip a file from the Quarantine?)

Thanks to both of you -- sorry for being such a noob.

daledoc1

@ Nosirrah : np, you're very welcome Bruce. :)

@ daledoc1 : I've never thought of zipping a file from quarantine, but I do suppose you can go to the %UserName%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine folder, find the (renamed) quarantined file in there, and zip it right there.

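The suggestion above (package the quarantined copy for submission instead of restoring it first) as an added PowerShell example; this is not code from the thread or from Malwarebytes. It assumes Windows PowerShell 5 or later, that the quarantine folder is the one named in the post resolved through %APPDATA% on Windows 7, and that the items in it are stored as renamed copies; the output folder and zip name under Desktop are placeholders.

```powershell
# Added example (not from the thread): collect quarantined files for vendor
# submission without restoring them to their original location.
# Assumptions: Windows PowerShell 5+ (Get-FileHash, Compress-Archive); the
# quarantine folder named in the post, resolved via %APPDATA% on Windows 7;
# quarantined items stored as renamed copies. Output paths are placeholders.
$Quarantine = Join-Path $env:APPDATA "Malwarebytes\Malwarebytes' Anti-Malware\Quarantine"
$OutDir     = Join-Path $env:USERPROFILE 'Desktop\quarantine-submission'
$ZipPath    = Join-Path $env:USERPROFILE 'Desktop\quarantine-submission.zip'

if (-not (Test-Path -LiteralPath $Quarantine)) {
    throw "Quarantine folder not found: $Quarantine"
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Record name, size, timestamp and SHA-256 of every quarantined item. The
# hash is what you quote when asking the vendor to check for a false
# positive; the files themselves stay where the scanner put them.
$Manifest = Get-ChildItem -LiteralPath $Quarantine -File -Force | ForEach-Object {
    [pscustomobject]@{
        Name          = $_.Name
        SizeBytes     = $_.Length
        LastWriteTime = $_.LastWriteTime.ToString('o')
        Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
}
$Manifest | Export-Csv -LiteralPath (Join-Path $OutDir 'manifest.csv') -NoTypeInformation

# Copy (never move) the quarantined items next to the manifest, then zip the
# folder. Copying leaves the quarantine intact, so the scanner can still
# restore or delete the originals later.
Get-ChildItem -LiteralPath $Quarantine -File -Force |
    Copy-Item -Destination $OutDir

Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath $ZipPath -Force
$Manifest | Format-Table -AutoSize
"Archive written to $ZipPath"
```

The manifest lets you compare the quarantined item's hash with the vendor's verdict before deciding whether to restore it.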
