
***False positive Trojan.Downloader.ED***


  • This topic is locked
361 replies to this topic

#1 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,016 posts
  • Gender:Male

Posted 15 April 2013 - 07:22 PM

As many of you are aware, we suffered a false positive earlier today which caused many of our users' systems to be rendered inoperable. The offending database was v2013.04.15.12, and was live for only 8 minutes.

We sincerely apologize for this false positive and an update was immediately pushed out to remove the offending definition that caused this.

------------------------------------------------------------------------------------------------------------------------------------------------

For Malwarebytes Anti-Malware Users:

Option A -- if your system can boot normally

Use the Malwarebytes Anti-Malware False Positive Fix Tool:
  • Make certain you are logged in as an administrator
  • Download the Malwarebytes Anti-Malware FP Fix Tool from here and save it to a convenient location such as your desktop
  • Extract all of the files to a folder and run RunThis.bat. NOTE: Windows Vista, Windows 7 and Windows 8 users must right-click on the file and choose Run as Administrator and click Yes or Continue to any User Account Control prompts
  • Restart your system and verify that it is now working properly
NOTE: There may be extra files in quarantine that will not be restored, though the system will be bootable. These are duplicate backup files and the files in question should already be restored.


Option B -- if your system cannot boot normally

Step 1: Boot into Safe Mode with Networking:

Windows XP:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with the Windows XP Advanced Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode with Networking.
You should then be presented with the Windows XP Login screen. Log in to Windows and when it prompts you about Safe Mode and asks if you'd like to continue click Yes.


Windows Vista and Windows 7:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with the Windows Advanced Boot Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode with Networking.
You should then be presented with the Windows Login screen. Log in to Windows.


Step 2: Use the Malwarebytes Anti-Malware False Positive Fix Tool:
  • Make certain you are logged in as an administrator
  • Download the Malwarebytes Anti-Malware FP Fix Tool from here and save it to a convenient location such as your desktop
  • Extract all of the files to a folder and run RunThis.bat. NOTE: Windows Vista, Windows 7 and Windows 8 users must right-click on the file and choose Run as Administrator and click Yes or Continue to any User Account Control prompts
  • Restart your system normally and verify that it is now working properly.
NOTE: There may be extra files in quarantine that will not be restored, though the system will be bootable. These are duplicate backup files and the files in question should already be restored.

------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes Enterprise Edition Customers:
  • Within the console reinstall MBAM over the top (push install)
  • Use Windows tasks to execute the command (as admin): "C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe" /quarantine -restore all
If the above failed, then you may also do the following

Use the Malwarebytes Anti-Malware False Positive Fix Tool:
  • Make certain you are logged in as an administrator
  • Download the Malwarebytes Anti-Malware FP Fix Tool from here and save it to a convenient location such as your desktop
  • Extract all of the files to a folder and run RunThis.bat. NOTE: Windows Vista, Windows 7 and Windows 8 users must right-click on the file and choose Run as Administrator and click Yes or Continue to any User Account Control prompts
  • Restart your system and verify that it is now working properly
------------------------------------------------------------------------------------------------------------------------------------------------

If you are still having a problem:

For those of you still having problems, please contact support via the following links and they will assist you directly in getting your systems functioning properly again:

Home User Support
Business Support

Please be sure to include the following information to expedite the repair process:
  • OS installed (i.e. XP, Vista, 7, 8 etc.)
  • Whether you have restarted your computer yet or not
  • Whether or not the system is bootable if you have attempted a restart of your system yet
  • Whether or not you have your Windows installation media (CD, DVD, recovery discs etc.)
We have also taken extensive measures to ensure that a false positive like this never happens again. Once more, I apologize that this occurred and hopefully we will be able to get everyone's systems in proper working order once more without too much trouble.

Thank you
Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook
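The Enterprise steps above amount to "restore everything from quarantine, then confirm the machine is whole again". The script below is an added example, not Malwarebytes' own tooling: it runs the exact restore command from the first post and then checks for the two System32 DLLs that users in this thread report as quarantined (comctl32.dll and cryptui.dll). It assumes mbamapi.exe sits under the path quoted above (or the Program Files (x86) variant on 64-bit Windows); the DLL list comes only from this thread.

```powershell
# Added example (not Malwarebytes' own tooling): run the documented quarantine
# restore, then verify the system DLLs this thread reports as quarantined.
# Assumptions: mbamapi.exe is under the path given in the first post (or the
# (x86) variant on 64-bit Windows); the DLL list is taken from this thread only.
$ErrorActionPreference = 'Stop'

$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) prompt.' }

$candidates = @(
    "$env:ProgramFiles\Malwarebytes' Anti-Malware\mbamapi.exe",
    "${env:ProgramFiles(x86)}\Malwarebytes' Anti-Malware\mbamapi.exe"
)
$mbamapi = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $mbamapi) { throw 'mbamapi.exe not found; reinstall MBAM first (see the Enterprise steps).' }

# Same command the first post gives for Enterprise customers.
& $mbamapi /quarantine -restore all
Write-Host "mbamapi exit code: $LASTEXITCODE"

# DLLs reported missing by users in this thread after the bad definition.
$dlls  = 'comctl32.dll', 'cryptui.dll'
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in $dlls) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) {
        Write-Warning "$name is still missing from $sys32 - contact support before rebooting."
        continue
    }
    # A restored Microsoft binary should verify as signed. PowerShell 5.1+ also
    # recognises catalog signatures; older versions may report NotSigned for
    # catalog-signed system files, so treat that result as "check manually".
    $sig = Get-AuthenticodeSignature -FilePath $path
    Write-Host ("{0,-14} present, signature: {1}" -f $name, $sig.Status)
}
```

Run it once from an elevated prompt before the final restart; a warning for either DLL means the restore did not bring the file back and the support route in the first post still applies.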

#2 Edgor

Edgor

    New Member

  • Members
  • Pip
  • 27 posts

Posted 15 April 2013 - 07:34 PM

I followed the steps above (reinstalling in safe networking mode) and still get that the program can't start because comctl32.dll is missing from my computer.

#3 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,016 posts
  • Gender:Male

Posted 15 April 2013 - 07:38 PM

I followed the steps above (reinstalling in safe networking mode) and still get that the program can't start because comctl32.dll is missing from my computer.

Please install this file from Microsoft and you should be able to open Malwarebytes Anti-Malware.

I've added the above info to the first post as well.
Samuel E Lindsey
Product Manager


#4 tonydav

tonydav

    New Member

  • Members
  • Pip
  • 4 posts

Posted 15 April 2013 - 07:40 PM

These steps don't seem to help a user that is unable to logon. I have several users who receive at the logon prompt this message:

logonui.exe error - cryptui.dll missing

Clicking okay gives a black screen. Not accessible from the network. How do we get around this?

#5 KSD68

KSD68

    New Member

  • Members
  • Pip
  • 3 posts

Posted 15 April 2013 - 07:41 PM

I was able to get Windows 7 back up using safe mode and a restore point. MBAM still shows 66 system files in quar. It does not seem to do anything with restore all. Is this step needed after the restore? What should I do?

#6 Edgor

Edgor

    New Member

  • Members
  • Pip
  • 27 posts

Posted 15 April 2013 - 07:42 PM

I can't run that file. When I try to open it it says... surprise, the vb6.0-kb290887-x86.exe program can't start because comctl32.dll is missing from my computer.

#7 Jekko

Jekko

    Staff

  • Staff
  • PipPipPip
  • 115 posts
  • Gender:Male

Posted 15 April 2013 - 07:44 PM

I followed the steps above (reinstalling in safe networking mode) and still get that the program can't start because comctl32.dll is missing from my computer.


Edgor,

Is your system running Windows XP? If Exile's instructions do not work, please try installing this file from Microsoft. It should reinstall comctl32.dll onto your system.
Jon Eco
Quality Assurance


#8 Edgor

Edgor

    New Member

  • Members
  • Pip
  • 27 posts

Posted 15 April 2013 - 07:45 PM

No, I'm using Win7, I think the 64-bit version.

#9 Mainard

Mainard

    Forum Admin

  • Administrators
  • PipPipPipPipPipPip
  • 1,718 posts
  • Gender:Male
  • Location:San Jose, CA
  • Interests:Ice Hockey
    Guild Wars 2 & League of Legends

Posted 15 April 2013 - 07:46 PM

Please download, then unzip, then place this file in C:\Windows\system32

Attached Files


Grant Gardiner
Software Development Engineer in Test


#10 Penelope

Penelope

    New Member

  • Experts
  • Pip
  • 16 posts
  • Gender:Female

Posted 15 April 2013 - 07:46 PM

Your fix won't work for me because I'm missing the CRYPTUI.dll file needed to boot my computer. (Malwarebytes quarantined it.)

#11 Edgor

Edgor

    New Member

  • Members
  • Pip
  • 27 posts

Posted 15 April 2013 - 07:46 PM

I can't run the validation because I don't have internet access. Malwarebytes managed to screw that up too.

#12 RichCreedy

RichCreedy

    New Member

  • Members
  • Pip
  • 11 posts

Posted 15 April 2013 - 07:48 PM

I had to do a system restore on Windows 8, as I was unable to get to safe mode. Luckily I had a restore point from only a couple of days ago, so I didn't lose too many programs. Malwarebytes Anti-Malware straight away picked up the new update, so now I am up and running, with only 1 program to reinstall.

#13 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,016 posts
  • Gender:Male

Posted 15 April 2013 - 07:48 PM

For any of you having any remaining problems after attempting to follow the above instructions, please contact support directly and they will assist you in getting your systems back in working order:

Home User Support
Business Support

Thank you
Samuel E Lindsey
Product Manager


#14 Edgor

Edgor

    New Member

  • Members
  • Pip
  • 27 posts

Posted 15 April 2013 - 07:51 PM

Says I need permission to perform this action. Now what?

BTW, there is a comctl32 already in that folder that it would be overwriting. Your file is 637K, the one in there is 619K from 11/20/2010.

#15 Achi

Achi

    New Member

  • Members
  • Pip
  • 3 posts

Posted 15 April 2013 - 07:51 PM

I am in touch with tech support and they keep telling me to download a fix file, but Malwarebytes screwed up my browsers so I cannot access anything online....

#16 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,016 posts
  • Gender:Male

Posted 15 April 2013 - 07:52 PM

Says I need permission to perform this action. Now what?

BTW, there is a comctl32 already in that folder that it would be overwriting. Your file is 637K, the one in there is 619K from 11/20/2010.

Please contact support and they will assist you directly in getting the software to run so that you may restore the files from quarantine:

Home User Support
Business Support

Thank you
Samuel E Lindsey
Product Manager


#17 Edgor

Edgor

    New Member

  • Members
  • Pip
  • 27 posts

Posted 15 April 2013 - 07:52 PM

Support here is about 10x faster than waiting on emails all night. I have work to do. You guys really should be calling people to get this fixed instead of snail mailing.

#18 Edgor

Edgor

    New Member

  • Members
  • Pip
  • 27 posts

Posted 15 April 2013 - 07:53 PM

I've received 10 responses here in the time I've received one email.

#19 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,016 posts
  • Gender:Male

Posted 15 April 2013 - 07:56 PM

I am in touch with tech support and they keep telling me to download a fix file but malwarebyte screwed up my browsers so I cannot access anything online....

If you have a second system with internet access as well as a portable storage media such as a USB flash drive, external hard drive or blank CD, then you may download the required files using that system and transfer them to the affected PC using your portable media.
Samuel E Lindsey
Product Manager


#20 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,016 posts
  • Gender:Male

Posted 15 April 2013 - 07:57 PM

I've received 10 responses here in the time I've received one email.

Yes, unfortunately our Support helpdesk is quite busy at the moment due to this issue as most affected users have gone there for assistance but they are working as fast as they can and are getting caught up finally.
Samuel E Lindsey
Product Manager
