
Malwarebytes

Spyware.Banker


16 replies to this topic

#1
Jace

    New Member

  • Members
  • 11 posts
I updated and then scanned - Mbam suddenly found two areas of the one problem.

I googled to see if Mbam does find this thing, but I am surprised because it's a couple of months since I installed 'Drop My Rights' and several Mbam scans didn't pick it up until yesterday. Could anyone hazard a guess how this thing could have suddenly got into 'Drop My Rights' please?


Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ie dropmyrights
(Spyware.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\IE DropMyRights\Uninstall.exe (Spyware.Banker) -> Quarantined and deleted successfully.

#2
exile360

    exile

  • Moderators
  • 12,968 posts
  • Gender:Male
Greetings Jace and welcome :P.

Though you only posted a partial log (I see no database version or OS version), I believe this is indeed a false positive that was likely corrected yesterday. Please update MBAM and do another Quick Scan to see if it's been fixed. If not, then please refer to this post: Read before reporting a false positive!
and post the info here: False Positives.

Thanks ;).
Samuel E Lindsey
Product Manager


Follow us: Twitter, Become a fan: Facebook

#3
Jace

    New Member

  • Members
  • 11 posts

exile360, on Sep 17 2009, 02:12 AM, said:

Greetings Jace and welcome :P.
Thanks to you Ex. - Oh yes, it's on XP Home and Mbam was updated to 2809 onboard 1.41.

As shown in the log, Mbam Qu'ed, and Deleted.

I jumped too quick I guess, in asking Mbam to Delete; I should have looked at the thing to which they were referring because it didn't have an .ext - If you are still around here Ex., can you tell me for future ref. please, can these grubs have NO extension and still be Trojans or whatever, even if not in this case?

Have just used a tiny App. 'Cathy', which tells me there is no sign of anything named Spyware.Banker, but I am now wondering what exactly Mbam Deleted?

#4
exile360

    exile

  • Moderators
  • 12,968 posts
  • Gender:Male
Yes, it's possible for malware to display no extension or use an obscure one like .dat. To restore the file, open up MBAM and go to the Quarantine tab. You should see the file listed there and be able to restore it. After doing so, update your database (current version is 2813) and do another Quick Scan. If it makes the detection again, then I would suggest following the instructions in my earlier post.

Thanks :P.
Samuel E Lindsey
Product Manager


#5
Jace

    New Member

  • Members
  • 11 posts

exile360, on Sep 17 2009, 03:59 AM, said:

Yes, it's possible for malware to display no extension or use an obscure one like .dat. To restore the file, open up MBAM and go to the Quarantine tab. You should see the file listed there and be able to restore it. After doing so, update your database (current version is 2813) and do another Quick Scan. If it makes the detection again, then I would suggest following the instructions in my earlier post.

Thanks :P.
Well, didn't I ask at the wrong moment in time - After reading your reply Ex. I went to update Mbam and not only got an immediate 732 etc. error BUT it also cut me straight off the Net with a click, gone!

Now I have noticed the long list here on the Forum re. Mbam having gone haywire for everyone - I read one moderator's 'how to' but it didn't work for the OP so I won't try that.

If this problem with Mbam gets solved I shall do as you suggested, and thanks for your help.

#6
yardbird

    Forum Deity

  • Honorary Members
  • 3,726 posts
  • Gender:Male
  • Location:Sedona. Arizona, USA
  • Interests:Where we keep the World Safe
Do you want to address the error 732 now?
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.
http://www.tentrexindustries.com/

#7
Jace

    New Member

  • Members
  • 11 posts

yardbird, on Sep 18 2009, 01:22 AM, said:

Do you want to address the error 732 now?
Absolutely, thanks Yardbird, BUT I prefer not to go through a whole lot of moves to no avail - I mean until that moment I mentioned everything was going well - I think Mbam is the problem - My A-V is AVG but I do have quite a few other security guards.
Can I ask you this please - I just took a look at my HJT list and Mbam has one there which I had not noticed before; it ends with something like /cleanupscript.
Is that a legit. Mbam item?

#8
yardbird

    Forum Deity

  • Honorary Members
  • 3,726 posts
  • Gender:Male
  • Location:Sedona. Arizona, USA
  • Interests:Where we keep the World Safe
Hi! Without seeing the post, I wouldn't know. If you want to bookmark the thread & follow it, go ahead... Feel free to post, in the correct forums, comments, issues or questions... we never close... As for that 732, we are always picking up new issues on it, ie: I left my pc for 10 mins last night so the DSL was idle, I got a 732 when I came back to download updates, I refreshed the page here (kicked the modem so to say) and the downloads started again, no error! Welcome to malwarebytes! Will cya later... regards...

#9
Jace

    New Member

  • Members
  • 11 posts

yardbird, on Sep 18 2009, 01:39 AM, said:

Hi! Without seeing the post, I wouldn't know. If you want to bookmark the thread & follow it, go ahead... Feel free to post, in the correct forums, comments, issues or questions... we never close... As for that 732, we are always picking up new issues on it, ie: I left my pc for 10 mins last night so the DSL was idle, I got a 732 when I came back to download updates, I refreshed the page here (kicked the modem so to say) and the downloads started again, no error! Welcome to malwarebytes! Will cya later... regards...
I think you misunderstood my question Yard. - I was not asking about a post - I asked if the Mbam entry in HJT is a legit. entry because I had not noticed it before this mess began. Here it is, thanks:

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

#10
yardbird

    Forum Deity

  • Honorary Members
  • 3,726 posts
  • Gender:Male
  • Location:Sedona. Arizona, USA
  • Interests:Where we keep the World Safe

Jace, on Sep 17 2009, 06:46 PM, said:

I think you misunderstood my question Yard. - I was not asking about a post - I asked if the Mbam entry in HJT is a legit. entry because I had not noticed it before this mess began. Here it is, thanks:

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

I'm sorry - I'm loading software & missed that... Logs are not to be posted here; some users do & we move them over to the HJK forum. Some people had made comments on a question like yours above. Some of the admins would like to keep it in the HJK forum. You would have to disqualify my reply: Logs I don't read unless ---> http://www.malwarebytes.org/forums/index.php?showtopic=12264

see what I mean...

#11
Jacktivity

    True Member

  • Moderators
  • 346 posts
Hi Jace,

The developers are looking into this. That entry is normally not there in a HJT log. Take a look at this thread.
Jack Lewis
Corporate Support Engineer


#12
Jace

    New Member

  • Members
  • 11 posts

Jacktivity, on Sep 18 2009, 02:31 AM, said:

Hi Jace,

The developers are looking into this. That entry is normally not there in a HJT log. Take a look at this thread.
Thanks very much JT. for a bit of decent help and the link - Have taken a couple of scroll-down pics. to read offline later - Ex's last post suggests the same as your first sentence, so hopefully your people will come up with the problem cure.
I shall also get rid of the HJT entry later, since you mentioned it would not normally be there - I just have the feeling it only went there after having Qu'ed and deleted the possible FP referred to by Ex. in this thread, Spyware.Banker; that's the exact moment my Mbam problem began.

Have run several scans via AVG, SAS, SPYBOT S&D - zilch found.

Regards.

#13
exile360

    exile

  • Moderators
  • 12,968 posts
  • Gender:Male
AVG certainly could've also messed with MBAM, they've had a false positive of their own that has been messing with MBAM lately and some of its files. That is likely the cause of the errors.

As for the startup entry, it is the cleanup that's run when you reboot after having MBAM remove something that was detected (in this case, the Spyware.Banker which is most likely a false positive). MBAM is supposed to remove that startup entry after the quarantine is completed but it hasn't been doing so on some systems, and that's the issue being investigated by the developers.

I'd recommend you try to update MBAM again after excluding all of its files from AVG.

Please exclude the following files from your antivirus:

For Windows XP:
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware\rules.ref
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\System32\drivers\mbamswissarmy.sys
Note: If using a software firewall besides the built-in Windows Firewall, you'll need to exclude them from it as well.
Samuel E Lindsey
Product Manager

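As an added example (not code posted by anyone in this thread, and not Malwarebytes' own tooling), a PowerShell check that reads the HKLM Run key for the "Malwarebytes Anti-Malware (reboot)" value Jace quoted from HijackThis and confirms that each file in the exclusion list above is still on disk, since AVG deleting one of those files is the failure mode exile360 describes. The value name and the Windows XP paths are taken from the thread; the check itself is my addition and assumes an elevated PowerShell session.

```powershell
# Added example, not from this thread or from Malwarebytes.
# 1) Report whether the temporary reboot-cleanup Run value is still present.
# 2) Report whether each file on the exclusion list still exists on disk.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$entryName = 'Malwarebytes Anti-Malware (reboot)'   # value name from the O4 line above

$run  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$prop = if ($run) { $run.PSObject.Properties[$entryName] } else { $null }

if ($prop -and $prop.Value -match '/runcleanupscript') {
    # Expected only between a quarantine and the next reboot; if it is still
    # here after rebooting, it is the stale entry the developers were investigating.
    Write-Output "Reboot-cleanup entry still present: $($prop.Value)"
} else {
    Write-Output "No '$entryName' value under $runKey"
}

# Windows XP paths exactly as listed in the post above
$exclusions = @(
    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe",
    "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe",
    "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe",
    "C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware\rules.ref",
    "C:\Windows\System32\drivers\mbam.sys",
    "C:\Windows\System32\drivers\mbamswissarmy.sys"
)

# A MISSING line points at a file the antivirus may have quarantined or deleted,
# which is worth checking in its quarantine before reinstalling MBAM.
foreach ($path in $exclusions) {
    $state = if (Test-Path -LiteralPath $path) { 'present' } else { 'MISSING' }
    Write-Output ("{0,-8} {1}" -f $state, $path)
}
```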

#14
Jace

    New Member

  • Members
  • 11 posts

exile360, on Sep 18 2009, 04:08 AM, said:

AVG certainly could've also messed with MBAM, they've had a false positive of their own that has been messing with MBAM lately and some of its files. That is likely the cause of the errors.

As for the startup entry, it is the cleanup that's run when you reboot after having MBAM remove something that was detected (in this case, the Spyware.Banker which is most likely a false positive). MBAM is supposed to remove that startup entry after the quarantine is completed but it hasn't been doing so on some systems, and that's the issue being investigated by the developers.

I'd recommend you try to update MBAM again after excluding all of its files from AVG.

Please exclude the following files from your antivirus:

For Windows XP:
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware\rules.ref
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\System32\drivers\mbamswissarmy.sys
Note: If using a software firewall besides the built-in Windows Firewall, you'll need to exclude them from it as well.
Having read that link to which JT pointed me Ex. - I noted the poster also had Mbam Qu'ed and deleted whatever from his machine, and seeing as JT thought the Mbam entry in my HJT was probably not supposed to stay there, I decided to try something.

I ran a HJT scan and then tried to delete the O4 Mbam entry I referred to above but it would not delete it, so I went into regedit and the path to 'RUN' - the same Mbam /cleanupscript entry was there; I right-clicked and Deleted it. Re-ran HJT and deleted it from there too, which it did this time.

Opened Mbam and tried to Update but got the same 732.. Error, so quickly exited so as it would not delete me off the net again - I reopened it and ran a quick scan, no problems - I think maybe it won't update because even though I've deleted the reg. entry it won't take effect until I reboot - So, I will reboot when offline and tomorrow see if the reg. entry deletion worked, and hopefully I will be able to update again.

If not, then I shall try your idea of adding the Mbam's to AVG's Exceptions list - My bet is that it has nothing whatever to do with AVG, but I won't know for sure until my next reboot finds out if my thought worked - If it has then I shall be back to ask you if deleting that Mbam entry from the reg. as I did will put the kibosh on Mbam being able to Q. and Delete any future malware?

Regards.

#15
exile360

    exile

  • Moderators
  • 12,968 posts
  • Gender:Male
Deleting that startup entry shouldn't affect MBAM's ability to remove malware in the future :P. It gets added by MBAM itself temporarily and is supposed to go away after a reboot.

Let me know how it goes. As I said, for the past several days AVG has been detecting part of MBAM and either blocking it or deleting one of its files, thus having a bad effect on MBAM. You can refer to this post from an AVG user who contacted them and they confirmed the problem and stated that they are working on fixing it.
Samuel E Lindsey
Product Manager


#16
Jace

    New Member

  • Members
  • 11 posts

exile360, on Sep 18 2009, 05:26 AM, said:

Let me know how it goes. As I said, for the past several days AVG has been detecting part of MBAM and either blocking it or deleting one of its files, thus having a bad effect on MBAM. You can refer to this post from an AVG user who contacted them and they confirmed the problem and stated that they are working on fixing it.
Hoping that you are still around here Ex., yesterday I did what I said and it didn't appear to work because Mbam still showed the 732.... when I pretended to update while offline - So I then added your list to AVG Excepts., exited, and restarted AVG, tried to update Mbam, again a pretend because I was offline, still showed the 732 - Said bugger it and switched off in disgust.
This morning I got on the Net and immediately tried to update, NO sign of the 732, updated without a hitch to 2821.

So Ex. I would have lost my bet, and gladly, because you saved me going via the cape, uninstall/reinstall; my sincere thanks to you, Ex. for Expert is correct - Noted your thought re. the possible future call on /cleanupscript, so hopefully all will be OK.

Kindest Regards and Thanks.

#17
exile360

    exile

  • Moderators
  • 12,968 posts
  • Gender:Male
Hello again Jace :).

I'm glad you got it sorted out. If you need anything more, just post :).
Samuel E Lindsey
Product Manager
