
Malware False Alarm?



So, earlier I was on my laptop, which is connected to our Router, one that has a firewall. Problem with my laptop is that the anti-virus has expired, and now I'm running MSE. Something I'm not very confident in. Anyway, as I was on my laptop my PC came out of its screensaver mode on its own. So I don't know if I'm being super paranoid, but I was afraid a malware or virus went through the wireless network, which caused a process to run. Paranoia aside, I restarted my computer and as soon as I logged in, Malwarebytes Pro told me it detected a malware. I didn't really look at the exact message, but I specifically remember that it DID NOT say what the file was or what the virus/malware was. So I hit Quarantine anyway. When I opened up MBAM Pro, there was nothing in the Quarantine section, and my logs didn't mention anything about an infection. I then did a Flash Scan, a Quick Scan, and a Full Scan. Nothing was picked up. I also did a full system scan with ESET Smart Security and once again nothing was picked up. So why did it say I had an infection? Should I run MBAM in Safe Mode? Or was this all a bug?

Also, I was afraid that this might have happened due to having both running real-time, even though I never had a problem with it in the last week since I installed ESET, or the prior 3 months with Norton Internet Security 2011. But if it is a conflicting issue between the two programs, is there any way to disable real time protection on MBAM Pro, but keep the IP Blocker function and still have it on startup?

Thanks in advance.


Hi, Vicious, and welcome to MBAM:

I am just a home user, not an MBAM staffer.

And you didn't mention what OS & Service Pack, what version of MBAM, what the specific detection message was, whether you are experiencing any computer behavior suggestive of infection, whether there is anything in MBAM quarantine, etc.

So, until one of them comes along with more expert advice, I'll just mention a couple of things that come to mind from your description.

  • It sounds as if some program or process awakened the laptop from sleep -- that isn't necessarily indicative of infection or malware, as your system may be set up in such a way that legitimate programs are allowed to do so, including MBAM.
  • The MBAM detection message should be in your MBAM logs -- if you open the main program interface and click the "logs" tab, you can scroll through them to find the one in question. The MBAM expert may request that you copy/paste the contents into a reply post, so they can look at it. Without knowing whether the detection was an IP block or a malware detection on a file on your computer, it's hard to say what actually happened.
  • It sounds as if you have run or are running at least 3 different AV programs recently (Norton, MSE, and ESET). This is very dangerous and actually renders your system MORE vulnerable, not less. I would suggest you completely uninstall 2 of the 3, using their respective removal tools, as needed.
  • MBAM PRO (with real-time protection and IP protection) can run -- and is designed to run -- perfectly alongside any of the major AV products. So, it would not be recommended or necessary to disable the real-time protection module, as long as the correct exclusions and permissions are set up between MBAM and your AV.
  • Finally, the fact that all your subsequent scans have been clean is reassuring.
  • However, since we cannot work on malware diagnosis or cleaning here in this forum, you may wish to have an expert take a look at your system.

If so, then please read & carefully follow the instructions in this article,

and then please start a NEW topic in the malware removal section.

One of the trained malware experts will assist you for free in checking your system.

Please be patient, as it can sometimes take 24-48 hours for a helper to become available. Please do not bump your topic during that time.

Hope this helps a bit,

daledoc1


My apologies for not being clear. I was in a bit of a panic. I have TWO computers connected to a Router; at the time my desktop PC was idle, and the screensaver was active. During this time I was surfing the web on an older laptop. My LAPTOP has Microsoft Security Essentials installed, while my DESKTOP has ESET Smart Security 5 and MBAM Pro. What has me concerned is that, while I was surfing the web on my laptop, my desktop PC went off idle for no reason. So I decided to turn off my Desktop. When I turned my desktop back on I received a message from MBAM stating that my computer had been infected, but it DID NOT state the name of the file that was infected or what the malware/virus that caused the infection was. It gave me an option to ignore this infection or Quarantine; naturally, I chose Quarantine. However, when I checked the Quarantine tab under MBAM, the file wasn't there. Not only that but my logs, which I'll paste below, never mentioned that my computer was infected!

Afterwards I ran a Flash Scan, a Quick Scan, and a Full Scan with MBAM, and it found nothing. I also ran a FULL IN-Depth scan with ESET and likewise, it said I was clean. So what I want to know is, what was the infection MBAM detected? What was the file? and where did it go? Was this all a bug?

When I mentioned Norton Internet Security, I only mentioned it because it was my old AV that I ran alongside MBAM Pro and that there were never any conflicts. As of now, my desktop is freshly reformatted and only has ESET Smart Security and MBAM Pro installed. My Laptop that also had Norton Internet Security was uninstalled with their removal tool, and now has Microsoft Security Essentials and MBAM Pro. I've been running ESET with MBAM for the past week now and I never experienced any conflicts, so I'm wondering whether what just happened now was due to running both at the same time?

Here is my Log.

03:19:42 Robert MESSAGE Protection started successfully

03:19:45 Robert MESSAGE IP Protection started successfully

03:25:10 Robert MESSAGE IP Protection stopped

03:43:01 Robert MESSAGE IP Protection started successfully

04:19:18 Robert MESSAGE Protection started successfully

04:19:21 Robert MESSAGE IP Protection started successfully

04:28:26 Robert MESSAGE IP Protection stopped

05:18:04 Robert MESSAGE IP Protection started successfully

05:23:35 Robert MESSAGE Protection started successfully

05:23:39 Robert MESSAGE IP Protection started successfully

05:26:46 Robert MESSAGE Protection started successfully

05:26:49 Robert MESSAGE IP Protection started successfully

05:41:31 Robert MESSAGE IP Protection stopped

06:05:06 Robert MESSAGE IP Protection started successfully

As you can see... No mention of an infection at all! I'm very confused and concerned. I don't want to have to reformat again...


Oops... Forgot to mention, I'm running...

Windows 7 Ultimate 64-bit with the latest service pack and all updates installed.

Malwarebytes' Anti-Malware 1.51.2.1300 with database 7844

ESET Smart Security 5.0.93.0 with database 6510.

Like I mentioned earlier, I found nothing in logs, nothing in Quarantine, and as far as my computer goes, it's just as fast as always. The detection message itself just stated that I had an infection and gave me the option to ignore it or Quarantine. It made no mention of the file infected or what the Malware or Virus was. I rebooted to see if it would pop up again, but it didn't.


Topic moved


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7844

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

10/2/2011 6:45:59 AM

mbam-log-2011-10-02 (06-45-59).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 374911

Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----------------------------

That was a scan I just did a few minutes ago. The only strange behavior I found was Malwarebytes reporting an infection, but not telling me which file was infected, and how it was infected. It gave me the option to Quarantine or Ignore. I chose Quarantine, but the file is not in the Quarantine tab in MBAM Pro. Logs for the entire day show nothing about an infection being found either.


I googled the issue and found a screenshot of the message I got now. Sorry if I confused anyone earlier. This was the message. But it didn't say what the file starting was, and when I hit Quarantine, nothing shows up in the Quarantine tab.

Malwarebytes' Anti-Malware has detected a malicious process attempting to start and has blocked the execution attempt. Please select an option below.

Ignore or Quarantine


No, it's no longer showing it when I restarted. What I'm concerned about is the fact that it never told me what it was trying to stop, and when I Quarantined it.. It just vanished, I can't find the Quarantined file. I'm concerned that it didn't truly get rid of it, or that it might be a conflicting issue with ESET, or that it possibly deleted something important.


http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allows the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish.

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.


ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=f2b1635f0eea8f4cbb070e8338d0a1da

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-10-02 02:23:32

# local_time=2011-10-02 07:23:32 (-0700, US Mountain Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776573 100 94 0 69107937 0 0

# compatibility_mode=8206 39157117 100 74 0 212066497 0 0

# scanned=191860

# found=1

# cleaned=1

# scan_time=925

# nod_component=V3 Build:0x30000000

E:\Downloads\Installations\Programs\Winamp Media Player 5.621.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C

-----------------------------------------

I checked the Winamp Media, and it's a confirmed false positive. This wouldn't even have anything to do with the malicious process attempt, because Winamp doesn't open on start-up for me.


Thank you so much, I feel relieved now. On a side note, can you tell me if it's safe to have both MBAM Pro Real-time and ESET Smart Security Real-Time active at the same time? Should I disable MBAM and only use it as a scheduled scanner? Or should I make any exclusions for both? I found no instructions for how to run ESET and MBAM together.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
