
Malwarebytes

FP oembios.dat?



#1
Monkeys

    New Member

  • Members
  • 12 posts
Hey, just did a scan with the new DB version. Was clean with a quick scan earlier.

Malwarebytes' Anti-Malware 1.25
Database version: 1083
Windows 5.1.2600 Service Pack 2

5:27:15 PM 24/08/2008
mbam-log-08-24-2008 (17-27-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 110481
Time elapsed: 21 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\oembios.dat (Trojan.Agent) -> No action taken.

Virus Total result: 0/36.

False positive?
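The hash lookup in the post above is the right instinct. As an added example (not part of this thread, and not Malwarebytes code), here is a PowerShell helper that gathers what a practitioner wants to know before acting on a single-engine detection of a file under %SystemRoot%: size, last-write time, SHA-256 (so the sample can be looked up on VirusTotal by hash instead of being uploaded), and the Authenticode/catalog signature status. The function name and report fields are assumptions; the path is the one from the scan log. It needs PowerShell 4 or later for Get-FileHash, so it would not run unchanged on the Windows XP systems in this thread.

```powershell
# Added example (not from the thread): collect the facts you want before acting on
# a single-engine detection. Function name and output fields are assumptions.
function Get-DetectionTriage {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) {
        # The scanner may already have quarantined or deleted it, as happened later in this thread.
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    # SHA-256 lets you query VirusTotal or a vendor portal by hash without uploading the file.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Catalog-signed Windows binaries report Valid on Windows 8 and later; plain data
    # files such as oembios.dat are normally NotSigned, so treat this as a hint, not a verdict.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    $inSystemRoot = $item.FullName.StartsWith($env:SystemRoot,
        [System.StringComparison]::OrdinalIgnoreCase)

    [pscustomobject]@{
        Path            = $item.FullName
        Exists          = $true
        SizeBytes       = $item.Length
        LastWriteUtc    = $item.LastWriteTimeUtc
        Sha256          = $hash
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        InSystemRoot    = $inSystemRoot
    }
}

# Usage: look the hash up first, then decide between "Ignore" and "Quarantine".
Get-DetectionTriage -Path (Join-Path $env:SystemRoot 'system32\oembios.dat') | Format-List
```

A file under the Windows directory with a stable hash that multi-engine lookups report as clean, and which the vendor later drops from its definitions (as happened here in database 1085), is the typical false-positive profile; the report above gives you that evidence before anything is deleted.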

#2
melboy

    True Member

  • Experts
  • 330 posts
Developer's log, if needed.


Malwarebytes' Anti-Malware 1.25
Database version: 1083
Windows 5.1.2600 Service Pack 3

21:51:55 24/08/2008
mbam-log-08-24-2008 (21-51-42).txt

Scan type: Quick Scan
Objects scanned: 48160
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\oembios.dat (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276156424737485652618490848570782019618070786774808415696685]

#3
lordpake

    Advanced Member

  • Honorary Members
  • 215 posts
  • Gender:Male
  • Location:Helsinki / European Union
  • Interests:Anime / Manga / Comp. security
I can confirm the false positive, also winxp home sp2.

Below is the attached file from my system, if needed, plus the dev log.


Men make good pets.

~i~System info~i~

#4
Rorschach112

    Regular Member

  • Experts
  • 55 posts
Got it here as well

http://www.geekstogo.com/forum/infected-Ad...ml#entry1314571
By the power of truth, I, while living, have conquered the universe.

~Scratch~

#5
erty

    New Member

  • Members
  • 4 posts
confirm FP

#6
ky331

    Regular Member

  • Honorary Members
  • 73 posts
add me to the list as well
http://www.malwarebytes.org/forums/index.p...;hl=oembios.dat

#7
ky331

    Regular Member

  • Honorary Members
  • 73 posts
F/P has been fixed in version 1085. Thanks for the amazing response!

#8
Bosnine

    New Member

  • Members
  • 5 posts
Hi, this is a first time post. Today has been a day of false positives. I ran the program and also obtained the false positive on oembios.dat. However, unlike other users, my program quarantined and deleted the file. What steps if any should I take to restore this file? Thank you for your time and assistance.

Copy of scan log.

Malwarebytes' Anti-Malware 1.25
Database version: 1083
Windows 5.1.2600 Service Pack 3

5:51:05 PM 8/24/2008
mbam-log-08-24-2008 (17-51-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 101749
Time elapsed: 46 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\oembios.dat (Trojan.Agent) -> Quarantined and deleted successfully.

#9
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
This should have been fixed a few hours ago; let me know if anyone is still having problems.
Bruce Harrison
Vice President of Research


Follow us: Twitter, Become a fan: Facebook

#10
melboy

    True Member

  • Experts
  • 330 posts

Bosnine, on Aug 25 2008, 02:08 AM, said:

Hi, this is a first time post. Today has been a day of false positives. I ran the program and also obtained the false positive on oembios.dat. However, unlike other users, my program quarantined and deleted the file. What steps if any should I take to restore this file? Thank you for your time and assistance.


Hi Bosnine and welcome ;)

See posts #1 - #5 here:

http://www.malwareby...?showtopic=5778

#11
jscottpanama

    New Member

  • Members
  • 2 posts
Deleted this false positive without checking ;)

Files Infected:
C:\WINDOWS\system32\oembios.dat (Trojan.Agent) -> Quarantined and deleted successfully.

My laptop now requires me to "activate" Windows, however, it hangs in "checking for connectivity". Please help!

#12
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
Windows has a safety net that allows booting to safe mode while a system is not activated. Tap F8 while booting and select safe mode, then log into your regular account. From here, either restoring that file from quarantine or running System Restore to the day before this problem should undo it.
Bruce Harrison
Vice President of Research


#13
jscottpanama

    New Member

  • Members
  • 2 posts

nosirrah, on Aug 25 2008, 09:08 AM, said:

Windows has a safety net that allows booting to safe mode while a system is not activated. Tap F8 while booting and select safe mode, then log into your regular account. From here, either restoring that file from quarantine or running System Restore to the day before this problem should undo it.

The Quarantine was empty due to the delete, but when I logged into safemode, I was able to find the oembios.dat file in the system32 folder that was supposedly deleted! Weird! The System Restore didn't help when I went to two previous points.

I am still stuck at "checking connectivity".

#14
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
Boot into safe mode again.

Click Start, Run and type:

%systemroot%\system32\oobe\msoobe.exe /a

^^ note the space before the /a ^^

This will bring up the activation window. Select activate by phone. The process is self-explanatory and you have a good chance of activating without even talking to an operator. If you do need to talk to an operator, tell them that you are reactivating after a problem with the oembios.dat file.
Bruce Harrison
Vice President of Research


#15
Bosnine

    New Member

  • Members
  • 5 posts

melboy, on Aug 25 2008, 03:48 AM, said:

Hi Bosnine and welcome ;)

See posts #1 - #5 here:

http://www.malwareby...?showtopic=5778

melboy, thanks for the warm welcome. :)

I reviewed your link. My experience was like jscottpanama. Malwarebytes quarantined and deleted the false positive. It didn't save a copy in quarantine for me to restore.

I had two false positives yesterday. The other was with AVG 7.5. I was able to restore that one. With Malwarebytes, I decided to attempt a system restore to the previous day. I encountered the same kind of validation problems as jscottpanama. I entered the Microsoft CoA key code from my label and Windows XP did not accept it. I basically had to follow up on the telephone activation option. After some tediousness, I was able to enter a code to log into XP. The system restore was successful as well. Although I didn't see that oembios.dat was restored to the System 32 folder. The problem did mess up my AVG 7.5. I had to upgrade to AVG 8.0 which I had to do anyway.

I take it that oembios.dat is related to the Windows authentication process. My question would be, does it serve any other purpose? It seems I can log on okay. Should I just leave it where it is?

I appreciate all the posts on the thread. Posts by yourself, ky331 and nosirrah have been very helpful.
