Malwarebytes

FP, C:\A will not remove on reboot?



#1
recruiting

    New Member

  • Members
I keep getting this as a TROJAN.AGENT ever since I removed ANTIVIRUS XP 2008 a week ago (that AXP2008 thing is a bad one).

I also got the messed-up security keys. See below for the last scan I ran.


Malwarebytes' Anti-Malware 1.27
Database version: 1130
Windows 5.1.2600 Service Pack 2

9/8/2008 9:39:17 AM
mbam-log-2008-09-08 (09-39-17).txt

Scan type: Quick Scan
Objects scanned: 52777
Time elapsed: 1 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\A (Trojan.Agent) -> Delete on reboot.

#2
recruiting

    New Member

  • Members
OK, I fixed this issue. I had a directory named C:\A and for some strange reason your product detected it as A.EXE?

Can't the scanner tell the difference between a folder and a file? Does it look for the bad code?

After changing the name of the folder from C:\A to C:\ A1A it no longer detected it as an infection.... very odd

#3
Tigger93

    Forum Deity

  • Moderators
Shows it detected C:\A, not A.exe.

This has been brought up before:

Quote

Yup, if anyone names something the same as well-known malware, it will be detected.

In these cases the only three options are:
Unprotect everyone to allow one person to keep a special-case install name for only their system.
Ask the user to whitelist those detections.
Ask the user to use a different install directory.

MBAM has a whitelist for the cases where a user wants to be different enough to make their normal installs look like malware.
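
Added example, not part of the thread and not Malwarebytes code: a small Python parser for the log format pasted in post #1 that cross-checks the summary counts against the itemized entries and flags a "Files Infected" entry whose path is really a directory, the situation described in post #2. The function names and the injectable `is_dir` check are assumptions; the sample log is abridged from the post.

```python
import os
import re

# Abridged from the log in post #1 (sections without detections omitted).
SAMPLE_LOG = r"""Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\A (Trojan.Agent) -> Delete on reboot.
"""

COUNT = re.compile(r"^(.+ Infected): (\d+)$")    # summary line with a number
SECTION = re.compile(r"^(.+ Infected):$")        # header of an itemized section
ENTRY = re.compile(r"^(?P<target>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")

def parse_log(text):
    """Return (summary counts, itemized detections), both keyed by section name."""
    counts, items, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := COUNT.match(line):
            counts[m[1]] = int(m[2])
        elif m := SECTION.match(line):
            current = m[1]
            items.setdefault(current, [])
        elif current and (m := ENTRY.match(line)):
            action = m["rest"].rsplit(" -> ", 1)[-1]  # text after the last arrow
            items[current].append((m["target"], m["name"], action))
    return counts, items

def triage(text, is_dir=os.path.isdir):
    """List findings worth a manual look before trusting or dismissing the log."""
    counts, items = parse_log(text)
    findings = []
    for section, n in counts.items():
        if n != len(items.get(section, [])):
            findings.append(f"{section}: summary says {n}, {len(items.get(section, []))} itemized")
    for target, name, action in items.get("Files Infected", []):
        if is_dir(target):  # a folder reported under "Files Infected"
            findings.append(f"{target} ({name}) is a directory, not a file")
    return findings
```

Run `triage()` with the default `is_dir` on the machine that produced the log so the path is checked on disk; a directory hit is a cue to review the item for whitelisting or renaming, not proof that the detection is a false positive.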





