Malwareremover - Posted September 4, 2008 - ID:26686

I just upgraded to V 1.26 and ran a quick scan, it reported an empty folder C:\A as a trojan. I use this folder as a temporary working folder when expanding Windows files from the installation CD. I do delete all files when I am done working with them, any input on this is appreciated. I let it delete it on reboot just in case. Here is the log.

Malwarebytes' Anti-Malware 1.26
Database version: 1112
Windows 6.0.6001 Service Pack 1
9/4/2008 8:38:34 AM
mbam-log-2008-09-04 (08-38-34).txt

Scan type: Quick Scan
Objects scanned: 40289
Time elapsed: 2 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\A (Trojan.Agent) -> Delete on reboot.

Malwareremover (Author) - Posted September 4, 2008 - ID:26687

I just upgraded my MBAM to v 1.26 and ran a quick scan, after the quick scan was done and I closed MBAM, my Spybot tea timer popped up asking to allow 2 different registry changes, which I denied, are these registry changes due to the new version of MBAM? This never occurred with the older version.

Denied (based on user decision) value "" (new data: ""%1" %*") changed in SCR Extension handler!
Denied (based on user decision) value "" (new data: "regedit.exe "%1" %*") changed in REG Extension handler!

I rebooted to let MBAM remove an empty folder it said was infected, see this post http://www.malwarebytes.org/forums/index.php?showtopic=6123

After reboot tea timer popped up again asking to change the same registry entries, which I denied again.

TIA.

nosirrah - Posted September 4, 2008 - ID:26690

This is an obvious case where the expert should whitelist this folder.

The other option is to unprotect the noobs.

JeanInMontana - Posted September 4, 2008 - ID:26712

I've merged your topics since they are all the same issue; there is no need for two separate threads.

> I just upgraded my MBAM to v 1.26 and ran a quick scan, after the quick scan was done and I closed MBAM, my Spybot tea timer popped up asking to allow 2 different registry changes, which I denied, are these registry changes due to the new version of MBAM? This never occurred with the older version.
>
> Denied (based on user decision) value "" (new data: ""%1" %*") changed in SCR Extension handler!
> Denied (based on user decision) value "" (new data: "regedit.exe "%1" %*") changed in REG Extension handler!
>
> I rebooted to let MBAM remove an empty folder it said was infected, see this post http://www.malwarebytes.org/forums/index.php?showtopic=6123
>
> After reboot tea timer popped up again asking to change the same registry entries, which I denied again.
>
> TIA.

Malwareremover (Author) - Posted September 4, 2008 - ID:26725

> This is an obvious case where the expert should whitelist this folder.
> The other option is to unprotect the noobs.

So, why did MBAM target this directory? Whitelisting does not answer the original question, thanks for your expert help.

Malwareremover (Author) - Posted September 4, 2008 - ID:26726

> I've merged your topics since they are all the same issue; there is no need for two separate threads.

Not sure it is the same issue.

1. Why did it target an empty folder as a trojan?
2. Are the registry entries being changed even related to MBAM?

nosirrah - Posted September 4, 2008 - ID:26744

Before this gets out of hand I'm putting a stop to it now.

Here is the deal, MBAM does not care that unusual customizations that some users make mimic those of malware and neither do I.

If it comes down to protecting noobs or making geeks happy guess who wins.

If you know that you have something out of the ordinary and MBAM sees it you should be happy and whitelist it knowing that MBAM is not putting up with what could be malware activity.

Malwareremover (Author) - Posted September 4, 2008 - ID:26752

> Before this gets out of hand I'm putting a stop to it now.
> Here is the deal, MBAM does not care that unusual customizations that some users make mimic those of malware and neither do I.
> If it comes down to protecting noobs or making geeks happy guess who wins.
> If you know that you have something out of the ordinary and MBAM sees it you should be happy and whitelist it knowing that MBAM is not putting up with what could be malware activity.

How on earth is this getting out of hand?

Never said I had any unusual customizations, how does an empty folder named "A" mimic malware?

Sorry I ever posted here.

Delete my posts and membership. Please!

nosirrah - Posted September 4, 2008 - ID:26760

C:\a

This is not where any folder named that should be and yes, malware does do this.

We detect it because it has a malware history. Protection will also prevent malware from running from it, this cripples a complete malware family.

By out of hand I mean explaining why noobs get protection preference over expert annoyance.

I am sorry if I seemed harsh but we get a lot of experts with unusual configurations getting mad that their oddly named folders in odd locations get flagged. If someone knows enough to see what has happened then they should just whitelist, the noobs that don't have a clue will still be protected.

nosirrah - Posted September 4, 2008 - ID:26763

Think of it this way, what would the black hats want me to do here? Would they want me to keep the detection or remove it along with all other heuristics of this nature?

Malwareremover (Author) - Posted September 4, 2008 - ID:26769

Heck, all I want you to do is answer my 2 questions as directly as possible, they are questions, not allegations. Geez.

1. Any reason this new version said this empty directory is a trojan, when the previous version did not.
2. Do the registry changes have anything to do with MBAM.

Seems like a simple task to me. I am not looking for you to do anything about these issues other than give me straightforward answers if you can, if you cannot just say so.

nosirrah - Posted September 4, 2008 - ID:26771

1. Updates happen frequently with MBAM, usually more than 2 a day, likely coincidence.
2. I am asking Marcin, it's app side and not my gig.

RubbeR DuckY (Root Admin) - Posted September 4, 2008 - ID:26774

Hey there,

Every time you remove something, Malwarebytes' Anti-Malware attempts to fix certain registry values. This is one of those cases. It notices the registry values are not default and attempts to fix them.

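Added example, not part of the original thread and not Malwarebytes or Spybot code: a small parser for the TeaTimer handler-change lines quoted above that reports which program each proposed open command would start and whether the data matches what MBAM tried to write here. Treating the two values from this thread as the expected ones is an assumption, and the third sample line with its placeholder path is constructed.

```python
import re

# Data MBAM tried to write, as TeaTimer reported it in this thread. Using these
# as the "expected" handler commands is an assumption made for this example.
EXPECTED = {"SCR": '"%1" %*', "REG": 'regedit.exe "%1" %*'}

# Line layout copied from the two TeaTimer lines quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<decision>\w+) \(based on (?P<basis>[^)]*)\) value "(?P<value>[^"]*)" '
    r'\(new data: "(?P<data>.*)"\) changed in (?P<handler>\w+) Extension handler!$'
)

SAMPLE_LINES = [
    # The two lines from the thread.
    r'Denied (based on user decision) value "" (new data: ""%1" %*") changed in SCR Extension handler!',
    r'Denied (based on user decision) value "" (new data: "regedit.exe "%1" %*") changed in REG Extension handler!',
    # Constructed line: a handler pointed at some other program (placeholder path).
    r'Denied (based on user decision) value "" (new data: ""C:\Example\placeholder.exe" "%1" %*") changed in SCR Extension handler!',
]

def launcher(command):
    """Return the first token of an open-command string, i.e. what gets started."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]

def review(line):
    """Parse one TeaTimer line; return None if it is not a handler-change line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    handler, data = m["handler"], m["data"]
    if handler not in EXPECTED:
        verdict = "unknown-handler"
    elif data == EXPECTED[handler]:
        verdict = "expected"
    else:
        verdict = "unexpected"
    return {"decision": m["decision"], "handler": handler, "data": data,
            "launches": launcher(data), "verdict": verdict}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(review(line))
```

A `launches` value of `%1` means the handler runs the clicked file itself; anything else is the program that would be started in its place.
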
Malwareremover (Author) - Posted September 5, 2008 - ID:26776

@ Marcin, thanks for the answer. The key was that this was the first time it removed anything from this particular system, so that is why I never saw the tea timer pop up before when running MBAM.

@ Bruce, it was the version change from 1.25 to 1.26 that prompted me to think it may have been a bug, sorry I posted it as FP, I was not sure where to post. I just read the bug fix for security providers, you have had a lot on your hands lately, I do apologize if I got under anyone's skin today.

Thanks again for your help.

elero - Posted September 5, 2008 - ID:26831

In the past we also read about empty folders which are flagged as malware. Do you know if other security software also works like this? Why not just detect the infected files?

Malwareremover (Author) - Posted September 5, 2008 - ID:26834

> In the past we also read about empty folders which are flagged as malware. Do you know if other security software also works like this? Why not just detect the infected files?

I think Bruce answered that earlier in the thread, just in case you missed it.

"This is not where any folder named that should be and yes, malware does do this."

"We detect it because it has a malware history. Protection will also prevent malware from running from it, this cripples a complete malware family."

I suppose it boils down to what that empty folder is named, whether it is targeted as potential malware or not.

nosirrah - Posted September 5, 2008 - ID:26857

> In the past we also read about empty folders which are flagged as malware. Do you know if other security software also works like this? Why not just detect the infected files?

If a malware family uses a single install launching point then detecting that one point will cripple all installs.

This prevents new family members from being able to slip past protection.

elero - Posted September 5, 2008 - ID:26863

I see, thank you for that information.