False Positives for first time


WIN 7: New MBAM upgrade found these two items as 'malicious software.' Didn't have this issue with 1.46 or 1.50. Here is the log file: Looks like a false positive to me. See near bottom: Registry Data Items Infected. Help appreciated. Thank you...

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5377

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

12/22/2010 12:58:08 PM

mbam-log-2010-12-22 (12-57-38).txt

Scan type: Flash scan

Objects scanned: 100426

Time elapsed: 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

mbam_log_2010_12_22__12_57_38_.txt


  • Staff

This setting is actually something which was changed by another piece of software, likely a registry tool (IOLO), and is only detected because of that. This isn't really a false positive in Malwarebytes. Malwarebytes sees and reports that the associations for these files are not the default ones as set by Windows (since malware may alter these associations as well). When you select to remove in MBAM, MBAM restores them to the default associations again (as set by Windows).

You can either add it to your ignore list or allow it to be quarantined. There will be no negative effect on your system either way.


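The check the staff reply describes, as an added PowerShell example that is not code from this thread or from Malwarebytes: it reads the shell\open\command default value for scrfile and regfile in the effective HKCR view and in the HKLM and HKCU class hives behind it, compares each with the value the log above reports as "Good" (assumed here to be the Windows 7 defaults), and with -Restore writes the machine-wide default back, which is what MBAM's Remove does. Run it from an elevated PowerShell if you use -Restore.

```powershell
# Added example, not code from the Malwarebytes thread or from Malwarebytes.
# Reports drift in the two shell "open" commands flagged as Broken.OpenCommand
# above. Assumption: the "Good" strings MBAM printed are the Windows 7 defaults.
param([switch]$Restore)

$Expected = @{
    scrfile = '"%1" /S'
    regfile = 'regedit.exe "%1"'
}

# HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, and
# the per-user hive wins. A per-user override can leave HKLM looking clean while
# the effective command is still changed, so all three places are read.
$Views = @(
    @{ Name = 'HKCR (effective)'; Root = 'Registry::HKEY_CLASSES_ROOT' },
    @{ Name = 'HKLM';             Root = 'HKLM:\Software\Classes' },
    @{ Name = 'HKCU';             Root = 'HKCU:\Software\Classes' }
)

function Get-OpenCommand {
    param([string]$Root, [string]$ProgId)
    $key = "$Root\$ProgId\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    # GetValue('') returns the (default) value of the key.
    (Get-Item -LiteralPath $key).GetValue('')
}

foreach ($progId in $Expected.Keys) {
    foreach ($view in $Views) {
        $actual = Get-OpenCommand -Root $view.Root -ProgId $progId
        if ($null -eq $actual) {
            Write-Output ("{0,-16} {1,-8} (no key)" -f $view.Name, $progId)
            continue
        }
        $status = if ($actual -eq $Expected[$progId]) { 'OK' } else { 'CHANGED' }
        Write-Output ("{0,-16} {1,-8} {2,-8} {3}" -f $view.Name, $progId, $status, $actual)
    }
}

if ($Restore) {
    # Put the machine-wide default back (the same thing MBAM does on Remove)
    # and drop any per-user override, since HKCR would otherwise still prefer it.
    foreach ($progId in $Expected.Keys) {
        $hklm = "HKLM:\Software\Classes\$progId\shell\open\command"
        Set-ItemProperty -LiteralPath $hklm -Name '(default)' -Value $Expected[$progId] -ErrorAction Stop
        $hkcu = "HKCU:\Software\Classes\$progId\shell\open\command"
        if (Test-Path -LiteralPath $hkcu) {
            Remove-Item -LiteralPath $hkcu -Force
        }
        Write-Output "Restored $progId to: $($Expected[$progId])"
    }
}
```

A CHANGED result is a drift report, not proof of compromise: pointing .reg and .scr at Notepad is a deliberate hardening some system-utility suites apply (a double-clicked .reg then no longer imports and a .scr no longer executes), so the line in the report tells you what is set, and the rest of the thread tells you whether that is wanted.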
Wow, what a terrific reply, and you're right, I do use IOLO software. Thanks for your outstanding advice and quick reply. MBAM is great! :)


Win 7; MBAM 1.50.1: Same problem here. Although the problems were added to the "Ignore" tab (and they show up there), a re-scan finds the same issue. They don't appear to be 'ignored.' For me, both issues are the result of some software changes (IOLO) but not REAL threats, thus the use of the "Ignore" tab. Thanks for any help.


  • Root Admin

Please post your recent scan and protection logs

Log File Locations

Quick Scan and Full Scan Logs

  • Windows 2000 & Windows XP:

    C:\Documents and Settings\<USERNAME>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

  • Windows Vista & Win7:

    C:\Users\<USERNAME>\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs

File Protection and IP Protection Logs

  • Windows 2000 & Windows XP:

    C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

  • Windows Vista & Win7:

    C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Here are the files that you requested. Both 'Registry Data Items' are listed under the "Ignore" tab.

Protection Log 2010-12-23

00:00:10 captfbgnet MESSAGE Scheduled update executed successfully

00:00:45 captfbgnet MESSAGE IP Protection stopped

00:00:47 captfbgnet MESSAGE Database updated successfully

00:00:47 captfbgnet MESSAGE IP Protection started successfully

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5382

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

12/23/2010 7:51:43 AM

mbam-log-2010-12-23 (07-51-27).txt

Scan type: Quick scan

Objects scanned: 143339

Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Have never seen exclusions ignored before and cannot duplicate. Please try a clean removal as shown below and then scan and add to the ignore list again. Then reboot and rescan again and let me know if it detects again.

Windows XP:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.

Windows Vista and Windows 7:

  • Click on the Start button and select Control Panel
  • Click on Programs and Features
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.


Seems like an 'axe' solution, since all worked well with 1.46 & 1.50. The on-going issue seems to be with IOLO (System Mechanic) changing the above two reg entries, and the MBAM scan thinks the original keys are 'infected' because of the change by IOLO, and thus the error message. Toggling back and forth with both programs has verified this problem. MBAM simply needs to 'ignore' this issue, but does not. Can you think of anything else besides the above? Thanks


  • Root Admin

Well over 20 million installations of the program and you are the only report I've seen where the ignore feature is not working, thus the axe solution provided to do a clean installation.

This procedure can be performed in less than 2 minutes on a fast machine, much less time than guessing what might be the cause. If that does not fix it then we can try to do some deeper analysis but please try as suggested first.

Thanks
