Trueborn

False Positives?

Hi. First time posting. Hope I post in the proper format.

Something tripped off my virus shield last night while I was surfing. I'd run virus checks over the weekend, but, as a precaution, I ran several of the programs I normally use to eliminate spyware/adware/viruses. The first couple of programs I ran turned up nothing out of the ordinary. Then I ran the version of MBAM I had installed. It also turned up no infections.

I hadn't updated MBAM in several weeks, so, this morning, I updated MBAM to the current version of the software and definitions file, and re-ran the sweep. This time, it detected three infections. Since all other sweeps - including an old version of MBAM - came up negative, I'm a little skeptical this isn't a set of false positives. After I post this, I'll rerun some other software to see if any problems pop up. For what it's worth, nothing seems out of the ordinary. The last time I had a virus problem was several months ago when an adware app got through.

It appears I was running Malwarebytes' Anti-Malware 1.28, Database version: 1215 before today's update.

Is this legit, or is it some sort of f/p? If it is an f/p, is it ok to let MBAM delete the "infections"?

Thanks.

Today's logfile:

Malwarebytes' Anti-Malware 1.30

Database version: 1335

Windows 5.1.2600 Service Pack 2

10/29/2008 9:12:32 AM

mbam-log-2008-10-29 (09-12-17).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 168579

Time elapsed: 52 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> No action taken. [4054423730518072867015468677857481777013019266207069221925251471222225142171237014256922681424211768672371252617192694]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> No action taken. [405442373051807286701556747934798574877483868413019267232171216624681426246826141818696614256769701471232367666918702071206694]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{db893839-10f0-4af9-92fa-b23528f530af} (Dialer) -> No action taken. [405442373037746677708313019269672526202520261418177117142166712614261971661467192022192571222017667194]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


I added a new location where MBAM looks for malware GUIDs.

Your log is showing you traces of long dead malware because of this new location.

Your system is clean but these are not FPs.

> Please download/install the latest Notepad++
>
> Several alerts seen by MBAM.
>
> Cheers,
>
> Gerard

I'm sorry. I don't quite understand what this means. Am I just supposed to update the software? What exactly are the alerts going to tell me?

Since my "infections" are just traces of a past problem (probably the adware; it's the only serious problem I've ever had on this PC), should I just let MBAM delete them so they don't appear again? Is it safe to do that? I'm hardly an expert, so I dislike fooling with the registry unless it's necessary.

> I'm sorry. I don't quite understand what this means. Am I just supposed to update the software? What exactly are the alerts going to tell me?
>
> Since my "infections" are just traces of a past problem (probably the adware; it's the only serious problem I've ever had on this PC), should I just let MBAM delete them so they don't appear again? Is it safe to do that? I'm hardly an expert, so I dislike fooling with the registry unless it's necessary.

I am sorry, nothing to do with your original post.

Gerard

> Please download/install the latest Notepad++
>
> Several alerts seen by MBAM.
>
> Cheers,
>
> Gerard

Link me please, I don't use it myself.

> I'm sorry. I don't quite understand what this means. Am I just supposed to update the software? What exactly are the alerts going to tell me?
>
> Since my "infections" are just traces of a past problem (probably the adware; it's the only serious problem I've ever had on this PC), should I just let MBAM delete them so they don't appear again? Is it safe to do that? I'm hardly an expert, so I dislike fooling with the registry unless it's necessary.

Remove and they are gone for good, these are nothing more than "infection was here" tags.

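An added example, not written by any poster in this thread or by Malwarebytes: it parses an MBAM log in the format posted above and separates results that consist only of `Ext\Stats\{GUID}` registry keys, which the reply above describes as "infection was here" tags, from results that include files, processes or other keys. The function names, verdict strings and the shortened sample log are constructed for illustration.

```python
import re

# Constructed sample in the layout of the log posted above (GUIDs taken from that log).
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{db893839-10f0-4af9-92fa-b23528f530af} (Dialer) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected:" opens a detail section; the summary line
# "Registry Keys Infected: 3" has a trailing count and is deliberately not matched.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:\s*$")
# "<object> (<detection label>) -> <action>." with an optional trailing bracketed id.
DETECTION = re.compile(r"^(?P<path>.+?) \((?P<label>[^()]+)\) -> (?P<action>[^.\[]+)\.")
# A key directly under ...\CurrentVersion\Ext\Stats named by a GUID.
STATS_KEY = re.compile(r"\\CurrentVersion\\Ext\\Stats\\\{[0-9a-fA-F-]{36}\}$")


def parse_detections(log_text):
    """Return one dict per detection line, tagged with the section it appeared in."""
    section, found = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group("name")
            continue
        hit = DETECTION.match(line)
        if section and hit:
            found.append({"section": section, **hit.groupdict()})
    return found


def triage(log_text):
    """'clean', 'traces-only' (only Ext\\Stats GUID keys) or 'needs-review'."""
    hits = parse_detections(log_text)
    if not hits:
        return "clean"
    traces = [h for h in hits
              if h["section"] == "Registry Keys" and STATS_KEY.search(h["path"])]
    return "traces-only" if len(traces) == len(hits) else "needs-review"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
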
> Please download/install the latest Notepad++
>
> Several alerts seen by MBAM.
>
> Cheers,
>
> Gerard

This should have already been taken care of...

Please post a developer log if this is still happening to you.


Thanks for that Dustin, I kind of thought so too.

Let's double check that it's not a setup file or something.


Hello Bruce and Dustin

Notepad++ is not detected by the MBAM scan but is detected by the PM. It took three terminate attempts for the PM window to close.

> Hello Bruce and Dustin
>
> Notepad++ is not detected by the MBAM scan but is detected by the PM. It took three terminate attempts for the PM window to close.

Ahh, we have tracked the issue down, and the next def update should! correct it. Please let us know if you have any further FP issues. :) As for the 3 tries to terminate it, yes... That's because the Nullsoft installer keeps re-creating the file. It's actually nsexec.dll with 4 bytes different. As for why the bytes are different, I do not know... but I know it loads it 3 times and deletes it when it's done.


Hello Dustin

Problem fixed on my side, job well done. :)
