
Mbam Detects Phantom Files in User Temp Folder



For about one week now I have strange phantom files appearing in my user temp folder when scanning with mbam.

I normally run a quick scan. The found "infections" are always *.log files and described as Extension Mismatch.

The files aren't there, even checked for them offline from a Linux Live CD.

Coincidence is that I've set up my Windows all new 2 days ago, so I didn't care much. Now after a fresh install these files appear again...

Even stranger: With a content of 7 files in total in my Temp folder, Malwarebytes scans 44!!.

Log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5851

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2/23/2011 5:46:59 PM

mbam-log-2011-02-23 (17-46-56).txt

Scan type: Quick scan

Objects scanned: 44

Time elapsed: 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\users\e23\appdata\local\temp\setupexe(20110221002703a20).log (Extension.Mismatch) -> No action taken.

c:\users\e23\appdata\local\temp\setupexe(20110221003052fc8).log (Extension.Mismatch) -> No action taken.

I made an experiment and copied the whole temp folder to another location. Now Malwarebytes scans 7 files without infection..

Log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5851

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2/23/2011 5:47:36 PM

mbam-log-2011-02-23 (17-47-36).txt

Scan type: Quick scan

Objects scanned: 7

Time elapsed: 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Hmmm.. what's going on here.

My Setup

Win 7 x86

Malwarebytes' Anti-Malware 1.50.1.1100

avast free 5.1.889

Mamutu 3.0.0.18

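A way to repeat the cross-check described in the post above, as an added example that is not part of the original thread and is not Malwarebytes code: parse the text log format shown in the post and list the detections whose file name is missing from a directory listing taken independently, for example offline. The function names and the sample listing are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample: lines taken from the log format shown in the post.
SAMPLE_LOG = r"""Scan type: Quick scan
Objects scanned: 44
Files Infected: 2
Files Infected:
c:\users\e23\appdata\local\temp\setupexe(20110221002703a20).log (Extension.Mismatch) -> No action taken.
c:\users\e23\appdata\local\temp\setupexe(20110221003052fc8).log (Extension.Mismatch) -> No action taken.
"""

# "path (Detection.Name) -> action". File names may contain parentheses, so
# the greedy path group leaves only the last "(Name) -> action" for the rest.
ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+) \((?P<name>[\w.\-]+)\) -> (?P<action>.+?)\s*$")
SCANNED = re.compile(r"^Objects scanned:\s*(\d+)\s*$")


def parse_mbam_log(text):
    """Return (objects_scanned, detections) parsed from an MBAM text log."""
    scanned, detections = None, []
    for line in text.splitlines():
        line = line.strip()
        m = SCANNED.match(line)
        if m:
            scanned = int(m.group(1))
        elif (m := ENTRY.match(line)):
            detections.append(m.groupdict())
    return scanned, detections


def phantom_detections(detections, listing):
    """Detections whose file name is missing from an independent listing."""
    # Windows names are case-insensitive and the log prints lower case.
    present = {name.casefold() for name in listing}
    return [d for d in detections
            if ntpath.basename(d["path"]).casefold() not in present]


if __name__ == "__main__":
    # Hypothetical listing, e.g. file names collected from a live CD.
    offline_listing = ["example1.tmp", "example2.tmp"]
    scanned, found = parse_mbam_log(SAMPLE_LOG)
    print("objects scanned:", scanned)
    for d in phantom_detections(found, offline_listing):
        print("not on disk:", d["path"], d["name"])
```
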

  • 2 weeks later...

Exact thing happened to me -- 45 infected files (all long filenames of random letters/numbers with .txt, .html, .log extensions) in AppData\Local\Temp folder, but they aren't there.

But, in my case, an even bigger problem. I chose to repair; Malwarebytes asked to reboot. Upon reboot, I get: Runtime Error 48, File Not Found: mbam. Malwarebytes will not open now. Huh? It killed itself?

And, to make matters worse, MyMovies, which catalogs my collection of 2000 movies, will not open either (this is the second time this has happened, so I'm fairly confident it's linked to this). So I am in the process of restoring (again) an image of my C: drive I fortunately made this morning prior to all this. I won't run Malwarebytes again until we can find out what's up.

I would attach my log file from this morning, but didn't think to save it offline until after I started the image restore. But all it lists are those 45 files in the Temp directory, labeled as Extension MisMatch, with "No Action Taken" attributed to each.


Hello and welcome, Bruce Phillips:

Sorry to hear that you are having issues resulting from a computer infection.

There are plenty of folks here to help.

In order to expedite matters and to get your post the attention it deserves, it would be best not to "hijack" the OP's thread here.

This is especially so because we don't work on malware-related issues in this particular sub-forum.

Instead, please do the following (note: the blue, bold, underlined words are hyperlinks to other pages here at the forums):

1. First, please go to THIS PAGE, print out, read and follow as many instructions as you can, skipping any you are unable to complete.

2. Then, please describe your computer's symptoms as best you can and post the requested logs by starting a new thread at the Malware Removal-HJT forum .

One of the authorized, trained experts will then assist you as soon as possible for one-on-one malware detection and removal.

They can also assist you with stability or performance issues resulting from the infection.

When you post, please be sure to select "Track This Topic" & choose one of the email options, so that you will be notified when someone responds; allow 24-48 hours before bumping your thread.

Other Support Options:

Alternatively, as a paying customer using MBAM PRO, you may wish instead to start a support ticket by contacting support at: support@malwarebytes.org; or

Premium, fee-based support options are available here.

Also, please use the "Add Reply" button when replying here & at the other boards, so that it will be easier for everyone to follow the thread.

I hope this gets you started on cleaning up your system,

daledoc1

PS The ability to edit posts comes after some minimum post count. I can't recall exactly, but it may be 10 or 25?


Thanks, I know the drill, having gone through it last summer for another issue. Before I proceed, though, I'd kinda like to know why this program takes my stable system and renders it unstable, even shooting itself in the process. Doesn't give me a lot of confidence in running it again. I was hoping to find others who shared this experience that might be able to shed some light on it.


Hi, again:

I'm not a computer engineer (just a home user), but I expect, based on what I've learned here and elsewhere, that it's actually the infection, not MBAM, that corrupts important OS and other files. Some rootkits and other malware can cause severe damage deep in the OS & other critical locations.

Removing the infection may leave behind some problems, but most of the time these are fixable, with some help.

Other times, there may be underlying issues with the particular system, and the infection or its removal only unmasks them.

Moreover, there's no way I (or likely even the malware experts) can say much that is definitive about what is going on with your particular system without some basic stats and info, as would be generated by running DDS or the other recommended scanners.

Anyway, to reiterate, it would be best to start your own thread (even though the OP here has not responded in quite some time).

And, the best place to do it would be the HJT forum.

If you haven't yet followed all the recommended steps in the "I'm Infected" article, then I would still start your topic with whatever data you have. (Perhaps include in your post a link back to this thread, for reference.)

Or, you may wish to use one of the other support options listed in my original reply.

I'm afraid that's all I am comfortable to advise -- perhaps one of the more experienced folks will have some additional insights.

Good luck,

daledoc1


  • Root Admin

Normally this is seen when another driver is blocking our driver, often Anti-Virus. Try fully disabling your Anti-Virus or even temporarily uninstalling it and scan again to see if it still finds those files or not.

Make sure you re-enable or re-install your Anti-Virus when done testing.


Following the course this thread is taking.....

1) This is not an infection, this is a false positive. Try this: Create those bogus files yourself and the infection will miraculously disappear, delete the files again and the "infection" returns.

2) For two years there has never been a problem with my security setup, only recently these false positives have started to occur. MBAM only runs on demand on my system, for all its files exceptions have been created in other security software.

3) It's not helpful to put off every problem that appears with either "You're infected" or "there's a conflict with other software". There's also a third consideration to be made: "Does THIS software deliver a reliable result or is it just smoke and mirrors...."


  • Root Admin

Do you still need help then, or are you satisfied with your own findings?

I did not say you were infected, in fact I told you it probably was a false positive and potentially what may be causing it. If you're unwilling or not wanting to accept that answer then there isn't much else we can do to assist you.

The others that have posted, as one stated, are home users just like you, offering potential advice that it might be an infection and guiding you to a forum where someone with real expertise can assist you.


@eden and Bruce Phillips:

If you think you are dealing with a false positive, then please read this article: http://forums.malwarebytes.org/index.php?showtopic=3228

and then report it to this forum here: http://forums.malwarebytes.org/index.php?showforum=42

The FP forum specifically addresses possible FPs for review by the MBAM engineers.

Sorry I couldn't assist you.

Regards,

daledoc1
