Virus breach Malwarebytes while it was running



Hello Malwarebytes support people,

I have the free version of Malwarebytes, version 1.51.0.38.

I always update the virus signatures in my Malwarebytes before I run it, I've been using it for years and I like it very much. Malwarebytes even caught a virus in a scan after my NOD32 antivirus app missed it one time.

But on July 7th, while running Malwarebytes, my NOD32 antivirus app caught a virus that apparently had breached Malwarebytes while it was running, but fortunately my NOD32 caught it and quarantined it so I could delete it.

Below are two screenshots showing the Eset NOD32 alert about this Malwarebytes virus breach and showing the virus while quarantined in NOD32.

Can you tell me what to do and if Malwarebytes has addressed this issue?... I'm now afraid to open or run Malwarebytes.

I heard from a friend that changing the name of the Malwarebytes .exe file solves this problem, but that sounds a little funky.

This is for a Windows 7 Ultimate machine with the free Malwarebytes version 1.51.0.38.

Thanks,

numetro



Guest Seagull

By the look of it, you should be okay. By the look of the screenshot, something did attempt to inject something into Malwarebytes, but ESET stopped it.

If you look at your first screenshot, the one with the red pop up window, ESET says it was an "attempt to access mbam.exe", so it looks like ESET picked it off before it could do anything to mbam.exe. Until a real expert arrives and verifies this, I just want to help put your mind at ease and also I recommend updating Malwarebytes to the latest version 1.62.0.1300.

I hope this helps, if you have any further questions don't hesitate to ask. :)


Hello and :welcome:

I have the free version of Malwarebytes, version 1.51.0.38.

No one security product can protect you or be 100% effective with the ever changing viruses and Malware being made every day. That being said, you are using a very old version of Malwarebytes, current version is version 1.62.0.1300. You should update to the latest version to ensure you have the latest technology and updates to help prevent future infections.

Also bear in mind that the Free version does not protect you in real time, you would need the PRO version to help prevent these sort of infections.

Also you are using EST version 4, you should also update that to version 5.

To get Malwarebytes updated to the latest version see below:

Please do the following:


  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so (very important)
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here

    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or ask and we'll explain how to do it.


Event occurred during an attempt to access the file by the application C:\Program Files\Malwarebytes' Anti-Malware\MBAM.exe.

Let me translate this for you. MBAM looked at wbk442b.tmp and NOD32 detected it as a malicious script. You can tell it's a script by its detection, HTML/. This happened because to look at a file requires accessing it and in doing so it enters memory (but not in a way that executes).

MBAM did not detect this as it is a script and MBAM attacks these differently. MBAM will potentially block the source IP, IP of the payload and the payload itself while NOD32 will cover the script itself.

In short NOD32 did its job working along side MBAM.


Hi Seagull, Firefox and nosirrah,

Thanks for all of your answers.

But each of you is telling me something a little different.

Seagull is telling me, basically, well, NOD32 caught it, so don't worry about it.

Firefox is telling me, "No one security product can protect you or be 100% effective with the ever changing viruses and Malware being made every day."... which is why I have NOD32 as my primary antivirus app and then I use Malwarebytes to detect anything else, which it did in fact do, as I mentioned at the beginning of my original post.

Then Firefox is telling me, "Also bear in mind that the Free version does not protect you in real time, you would need the PRO version to help prevent these sort of infections." But my NOD32 is my full antivirus app that provides realtime protection, which is pretty obvious since I stated that it caught this virus that was coming in through Malwarebytes while it was running. If I were to use NOD32 as a realtime antivirus app AND Malwarebytes Pro as a realtime antivirus app, I believe they would conflict and I've never heard of using two realtime virus detectors simultaneously, and I believe that I've read that using two primary antivirus apps at the same time is not recommended.

Then Firefox tells me, "Also you are using EST version 4, you should also update that to version 5."... I know he meant NOD32 4, but since version 4 caught this virus that tried to come in while Malwarebytes was running, I don't see how version NOD32 4 versus version 5 is relevant here, in this conversation.

Firefox also advises me to "Download and run mbam-clean.exe", but why would I need to do that since my computer is still virus free.

And there is a way to update my Malwarebytes app that can be done directly through the application, so why would I need to install the new free version from another installer?

Then in a different bit of advice from nosirrah, basically suggesting that Malwarebytes detected something, meaning wbk442b.tmp, but it didn't alert me to it, but because Malwarebytes was looking at it, then NOD32 detected it and quarantined it and sent up an alert signal like I would have hoped that Malwarebytes would have done.

Another response that I got from Tom Mercado with Malwarebytes support suggests that it was all a false positive and that NOD32 was mistaken, in spite of the detailed information about the virus and its original method of entry that NOD32 gave that Malwarebytes did not.

Do you see why I'm a little confused by four distinctly different answers?

And then I have a fifth opinion from my friend who had a similar experience when running her Malwarebytes app a few days before my similar experience, but her primary antivirus app did not catch the virus, and it got in to her computer and she had to remove it with yet a different anti-malware app outside of Malwarebytes, but it still said that the virus had come in through her Malwarebytes app while it was running, and the advice that she received was to actually change the name of her mbam.exe file to stop any further invasion of viruses through Malwarebytes.

Can you please look at the five different options that I've gathered here and advise me further?

Thank you very much,

numetro


Guest Seagull

Sorry for the confusion numetro. In all, according to nosirrah's post, Malwarebytes didn't detect it because it's a script and it handles scripts differently, and NOD32 did detect it because it was a malicious script and NOD32 is designed to take out malicious scripts. Like nosirrah said, NOD32 did its job alongside Malwarebytes; NOD32 picked off a nasty that Malwarebytes didn't, and the same can happen vice versa. No program alone will detect 100% of everything.

You need to remember and know one thing: NOD32 is a full fledged Anti-Virus, Malwarebytes is not, it's an Anti-Malware program, so you can have both NOD32 and Malwarebytes run in realtime together and they shouldn't conflict. I am currently running ESET Smart Security 5 with Malwarebytes PRO on 3 different computers in my household and they get along great together. I highly recommend purchasing Malwarebytes PRO, the license is a lifetime license so it's well worth it.

Firefox is trying to explain to update your software as NOD32 version 5 is out and you have version 4. The upgrade from version 4 to version 5 is free so I recommend updating to the latest version as well, as there are enhancements and likely better threat detection; version 4 and 5 both use the same signature database so both versions would have caught this. Also the version of Malwarebytes on your computer is outdated, version 1.62.0.1300 is out now, you should be able to download it and install it right over the version you have now without any issues.

As for the support issues and being a false positive, to me it looks like a legit block on ESET's behalf, but I am not going to say any more as I don't want to confuse you any more than you are; someone with more knowledge on the matter should be along soon to help clear this up.

I hope this helps clear up some confusion. Both me and nosirrah seem to be on the same page, which is, NOD32 blocked it and you're safe. :)


Seagull,

Thanks again for your reply.

I'm wondering, if this virus was just something that Malwarebytes couldn't see, which is understandable, then why did my NOD32 only find it WHILE Malwarebytes was running and it identified it as something that entered through Malwarebytes?

And if NOD32 detected the virus at all, and it was already on my machine before I was running Malwarebytes, then why didn't NOD32 detect it when it was first coming in with the realtime detector instead of catching it later WHILE Malwarebytes was running.

In other words, NOD32 didn't detect a virus that was already there while I was running a NOD32 daily scan, but NOD32 actually caught this virus with its realtime detector while nothing else was happening on the computer besides Malwarebytes running a scan... no internet surfing or email coming in was taking place while Malwarebytes was running and NOD32 detected the incoming virus with its realtime detection, as seen in my original screenshots.

And NOD32 identifies the virus as coming THROUGH Malwarebytes.

Thanks,

numetro


I'm wondering, if this virus was just something that Malwarebytes couldn't see, which is understandable, then why did my NOD32 only find it WHILE Malwarebytes was running and it identified it as something that entered through Malwarebytes?

This happens because scanning a file requires that it be in memory, even if it is just to examine it; it does not need to be actively executing. NOD32 would have also detected this file had you opened it, moved it, edited it....... As I mentioned above, the file being detected by NOD32 is a script and will not be detected by MBAM as these infections are handled differently.

And NOD32 identifies the virus as coming THROUGH Malwarebytes.

This is incorrect, please read this carefully:

Event occurred during an attempt to access the file by the application C:\Program Files\Malwarebytes' Anti-Malware\MBAM.exe.

This means that MBAM is looking at the file in question. There is no mention of anything going through anything else.


  • Staff

Nosirrah is correct here. Eset detected this file because Malwarebytes accessed that directory and scanned the files there, so Eset then noticed it. Eset would not have noticed it before because it was not in memory until mbam tried to scan the directory or you ran a full scan with Eset. This is only a script and not a virus. It only runs when your browser accessed that particular page that had the script embedded. If you noticed, it's in Temporary Internet Files.

If you are not sure who to believe we are staff and research this stuff as part of our job.

Also understand. Malwarebytes is not an antivirus application and is designed to run alongside your antivirus of your choice. Even with both full time applications.

The only reason you would rename mbam.exe is to get it to run if you are already infected and it won't run. Chameleon Tech negates this need anymore though.


I hope all has been cleared up for you if not don't hesitate to ask.

Looks like Seagull (Thanks Seagull) has cleared up my instructions; if not, I can help clear it up should you like.... Mainly I am just suggesting you update your software so you can have the latest software with better threat detection methods and added features.


Hello gentlemen and/or ladies,

I didn't include this screenshot before of the log within NOD32 showing that this virus was detected with the realtime detection and not with the daily scan, though I mentioned this before.

Since the NOD32 virus signature database is updated four times a day or so automatically by Eset and I have NOD32 set to run daily scans, and since NOD32 detects in realtime as well, and NOD32 did indeed detect the virus with its realtime detection, as seen in my screenshot below, then how would the virus already have been on my computer before I was running Malwarebytes? NOD32 would have caught it before I was running Malwarebytes when the virus was supposedly first entering my computer via my web browser or whatever, which it did not.

I am not having any more virus detections from NOD32 and I wasn't any longer after NOD32 first detected the ones in question and quarantined them... then I took the screenshots and deleted the viruses on 07/07.

I am asking if there is a way to keep these malware attacks from coming in through Malwarebytes again since they seem to be attacking specifically the Malwarebytes app while it is running... this has apparently happened to other people too.

Thanks again,

numetro

___________________

SCREENSHOT BELOW



then how would the virus already have been on my computer before I was running Malwarebytes?

First of all it's not a virus, it's a potentially malicious HTML file in your Temporary Internet Files folder and it could have been there for a while.

Second, MBAM does not actually have anything to do with this at all. All our software did was look at a file that was already in your system as part of a scan. NOD32 would have done the same thing had you tried to view the file yourself or if any other scanner had looked at it.

I am asking if there is a way to keep these malware attacks from coming in through Malwarebytes again since they seem to be attacking specifically the Malwarebytes app while it is running... this has apparently happened to other people too.

I am unsure why you have 2 security applications installed if you do not one of them to sometimes catch something the other does not. We have said many times now that MBAM will not detect HTML files, we deal with exploit attacks differently. We will stop either the IPs involved or negate the payload. NOD32 will stop the script or the payload but not the IPs so there is a good overlap between the two. All in all what you are seeing is exactly why you should use MBAM with your favorite AV, so that each can cover the other.


Hi nosirrah and shadowwar,

Thanks for your replies again.

First of all it's not a virus, it's a potentially malicious HTML file in your Temporary Internet Files folder and it could have been there for a while.

Whatever you call it, virus or malware, isn't really what the issue is here. I understand that Malwarebytes will not detect some forms of virus or malware or whatever you want to call it.

But if NOD32 detected this "HTML file" while Malwarebytes was running with NOD32's realtime detection, not a NOD32 daily scan, then why wouldn't NOD32 have detected the "HTML file" when it first invaded my computer, as you say? That doesn't quite make sense... which was first, the chicken or the egg, kind of thing.

Second, MBAM does not actually have anything to do with this at all. All our software did was look at a file that was already in your system as part of a scan. NOD32 would have done the same thing had you tried to view the file yourself or if any other scanner had looked at it.

I'm not sure what you mean here nosirrah... NOD32 did find the "HTML file", not through its daily scan but with its realtime detection. We are kind of going in circles. Again, how would the file have been on my computer already if NOD32 was able to detect it with its realtime detection at all? NOD32 caught the "file" while Malwarebytes was running.

I am unsure why you have 2 security applications installed if you do not (use) one of them to sometimes catch something the other does not.

??... that is exactly what I do and that's exactly what we are talking about. I have 2 security apps installed on my computer and I use Malwarebytes to catch things that NOD32 does not... that's what happened here in this situation that we are talking about now, right?

But this time it worked in reverse... NOD32 caught something that Malwarebytes was mysteriously allowing to access this computer through Malwarebytes itself while it was running.

That is why I'm using Malwarebytes along with NOD32... but now I'm afraid to run Malwarebytes at all.

I understand that you would like me to purchase the Pro version of Malwarebytes and that is somewhat skewing what are good-intentioned answers here, but I'm trying to determine why Malwarebytes is being breached and itself allowing malware to try to get in to my computer.

As I said before, I am not the first person to encounter this problem with Malwarebytes. If changing the name of the mbam.exe file keeps this from happening, as a friend of mine has testified, then the idea that this malware was already on my computer is not only disproven by that fact, but by the facts that I stated above.

If a virus or malware or an "HTML file" as you refer to it can come in through my temporary internet files folder from web browsing, then it could come in through that same folder while Malwarebytes is running.

I understand that you'd like to sell as many copies of the Malwarebytes Pro app as possible and I understand that it is difficult to admit that Malwarebytes has a flaw here and someone is trying to exploit it with a virus or malware that detects when Malwarebytes is running and tries to get it via Malwarebytes itself, but looking past some motives now will only help people to solve this problem, so in the future maybe they will rely on Malwarebytes enough to go ahead and buy the Pro version.

Thanks again,

numetro


I am sorry but if you are not willing to accept that some of your preconceptions of what happened are wrong you are not ever going to understand what happened and that it was nothing abnormal. I am going to make you a chart that may explain it better. These are the 4 points at which you can typically stop a script origin infection and where Malwarebytes Anti-Malware and NOD32 come into play:


Malwarebytes Anti-Malware   NOD32   Point in the infection chain
YES                         NO      IP of website where exploit is found
NO                          YES     Exploit/script file itself
YES                         NO      IP of malware payload downloaded by exploit/script
YES                         YES     Executable payload

As you can see the only place in the Malwarebytes Anti-Malware chain that there is not protection is the actual script file which is what NOD32 detected. Your system is not actually infected BTW, those temporary files do nothing but sit there.

In reality what likely happened is that you hit a site with an exploit and one of the following occurred:

1. The exploit downloaded but due to your system being up to date the exploit failed to function.

2. The exploit functioned and its target payload was blocked by Malwarebytes Anti-Malware IP blocking.

3. The exploit functioned and either Malwarebytes Anti-Malware or NOD32 killed the payload.

In any event your logs do not show an active infection.


  • Staff

Malwarebytes was never breached. The script on your computer came in from internet explorer. Malwarebytes had nothing to do with it coming in or malwarebytes being exploited. Unfortunately you are making a lot of incorrect assumptions here.

The reason NOD32 showed the detection like it did was mbam was scanning that folder. NOD32 said a program is accessing this file I have definitions for and I know it's bad, so it flashed an alert.

Any program that would have scanned the Temporary Internet Files folder would have caused the same thing to happen with NOD32. Basically NOD's on-access file protection kicked in because it saw another program accessing the temp internet folder directory and the files contained in it. That script would never be in memory, nor would the files in Temporary Internet Files be accessed, unless you went back to the same infected page it came from. The only way NOD would know it's there is if something accessed the file or you ran a full scan. Whatever program accessed those files would have replaced the Malwarebytes name in the alert. The file also could have come in before NOD32 had a signature for it. So once NOD updated it now had a signature and alerted on the file as a program accessed the file. In this case it's because the mbam scan looked at the file and NOD32 then saw the file.

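A toy model of the behaviour the staff describe above: an on-access scanner that checks a file only when some process touches it, attributes the alert to that process, and can only match once a signature for the file exists. This is an added example, not code from Malwarebytes or ESET; the cache path, script content, detection name and process names are all constructed to mirror the thread.

```python
"""Constructed model of on-access (real-time) scanning; not vendor code."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Alert:
    path: str
    detection: str
    accessing_process: str  # the process whose access to the file triggered the check


@dataclass
class OnAccessScanner:
    """Checks a file against known signatures when a process writes or reads it,
    or during an explicit full scan. A file that merely sits on disk untouched is
    never examined, which is the point the thread turns on."""
    signatures: dict[str, str] = field(default_factory=dict)  # sha256 -> detection name
    files: dict[str, bytes] = field(default_factory=dict)     # path -> content on disk
    alerts: list[Alert] = field(default_factory=list)

    def update_signatures(self, new: dict[str, str]) -> None:
        self.signatures.update(new)

    def _check(self, path: str, process: str) -> Alert | None:
        digest = hashlib.sha256(self.files[path]).hexdigest()
        name = self.signatures.get(digest)
        if name is None:
            return None
        alert = Alert(path, name, process)
        self.alerts.append(alert)
        return alert

    def on_write(self, process: str, path: str, data: bytes) -> Alert | None:
        # A write is an access too: the file is caught on arrival only if the
        # signature already exists at that moment.
        self.files[path] = data
        return self._check(path, process)

    def on_read(self, process: str, path: str) -> Alert | None:
        # Any reader trips the check, and the alert names that reader. This is why
        # a second scanner's own executable can appear in the AV alert text.
        return self._check(path, process)

    def full_scan(self) -> list[Alert]:
        found = []
        for path in list(self.files):
            alert = self._check(path, "scheduled-full-scan")
            if alert is not None:
                found.append(alert)
        return found


# Constructed sample data (the file name is the one quoted in the thread).
CACHE_FILE = r"C:\constructed\Temporary Internet Files\wbk442b.tmp"
SCRIPT = b"<html><script>/* constructed stand-in for a malicious page script */</script></html>"
SIGNATURE = {hashlib.sha256(SCRIPT).hexdigest(): "HTML/Constructed.Gen"}  # made-up name


def simulate_timeline() -> list[Alert]:
    """Replays the sequence the staff posts describe and returns every alert raised."""
    av = OnAccessScanner()
    av.on_write("iexplore.exe", CACHE_FILE, SCRIPT)  # 1. browser caches the page; no signature yet
    av.full_scan()                                    # 2. morning scheduled scan; still nothing to match
    av.update_signatures(SIGNATURE)                   # 3. vendor ships a signature later that day
    av.on_read("mbam.exe", CACHE_FILE)                # 4. second scanner reads the file: first alert
    av.on_read("explorer.exe", CACHE_FILE)            # 5. any other reader would be named instead
    return av.alerts


if __name__ == "__main__":
    for a in simulate_timeline():
        print(f"{a.detection} in {a.path} during access by {a.accessing_process}")
```

Steps 1 and 2 produce no alert because the signature does not exist yet; steps 4 and 5 each produce one, naming whichever process opened the file.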

One point no one mentioned. If you set your browser to delete all temp files, cookies, and other crud upon shutdown, those files would have been deleted automatically.

I do have a question about how MBAM Pro, which I have installed, would have handled this. First, there is IP blocking, which is basically a black listing. Assume this IP is not black listed. Next is MBAM Pro's realtime protection. Just what does that do? Appears that it doesn't scan scripts or any downloads for that matter. Is it only monitoring .exes in memory for malicious activity (heuristics?) or for a known signature?


Guys, I understand all the stuff that you are saying with the charts and such. But the fact remains that NOD32 caught this file, be it an HTML file or whatever, with its realtime detector, so if the file was already there for a while, however long, why wouldn't NOD32 have caught the same file with its realtime detection when it originally came in to the computer via my web browser?... that issue hasn't been addressed so far in your responses, and I keep repeating it.

In any event your logs do not show an active infection.

I know the logs don't show an active infection because NOD32 caught it while coming in during the Malwarebytes scan and quarantined the files and then allowed me to screenshot the logs and then delete the malware, or whatever you want to call it.

The file also could have come in before NOD32 had a signature for it. So once NOD updated it now had a signature and alerted on the file as a program accessed the file. In this case it's because the mbam scan looked at the file and NOD32 then saw the file.

I already considered that NOD32 didn't have the virus signature for that particular malware file when it got on my computer and then it did when the file was accessed by Malwarebytes, but the chink in that argument is that I ran daily scans with NOD32, including earlier that day and every day before my Malwarebytes scan, so NOD32 would have had a chance to find that malware file before I ran Malwarebytes... so still, why wouldn't NOD32 have found that malware file before I ran Malwarebytes instead of WHEN I was running Malwarebytes?

Thanks again,

numetro


  • Staff

I explained this before. The file doesn't reside in memory so NOD32 doesn't scan it unless it's accessed by something, or you would have to run a full scan with NOD32. It's just sitting there inactive in Temporary Internet Files.

then it did when the file was accessed by Malwarebytes, but the chink in that argument is that I ran daily scans with NOD32, including earlier that day and every day before my Malwarebytes scan, so NOD32 would have had a chance to find that malware file before I ran Malwarebytes

What you said there backs up my argument about NOD32 not having a signature for it until just before you ran the last scan. Did you happen to notice the created date on the file NOD found?


PS: In spite of having all of my preferences for this forum set to receive email notices for threads that I'm on and having selected the option to follow this thread right here on the thread, I still don't get any email notices for replies from this forum and I've already been checking my junk mail folder.


Shadow, again, I did run a full scan with NOD32 every day before I ran Malwarebytes, including the day that all this happened... I said that twice, I think, so far.

... or you would have to run a full scan with NOD32. It's just sitting there inactive in Temporary Internet Files...

...What you said there backs up my argument about NOD32 not having a signature...

No, what I said does not back up your argument, it contradicts your argument.


First, I have never used Eset NOD32.

There is an old thread over at Wilders Security forum that for some reason I can't paste into this reply. It applies to an old version of NOD32, V2, I believe. Anyway, the discussion is how AMON will not 100% prevent you against malicious scripts. There is talk about IMON tweaks to beef up script protection. You need to get with the Eset people to ensure your installation is properly configured to protect against HTTP scripts.


DonZ, I appreciate the input, but I actually went through setting up my NOD32 to scan everything including HTTP scripts with a top Eset manager quite a ways back while doing some checks with him over the phone.

What is AMON? What is IMON? Forgive me, but what are you talking about there?

And I don't have NOD32 v2... I have NOD32 v4, which has the same signature database as v5.

Thanks.


Ignore my comments on AMON and IMON. They appear to apply to earlier versions of NOD32 and possibly only the commercial versions.

Since you did configure ESET to block HTTP scripts and it obviously did not, I guess you have to get with ESET about that. As said previously, they possibly did not have a sig. for it at the time the script was downloaded. The script sat in the IE temp file until MBAM accessed it via the manual scan, at which time an updated NOD32 virus database sig caught it, as stated previously.

Question is, was that script run prior to the MBAM access by using stealth malware from the infected web site?

BTW - MBAM Pro has scheduled update/scan options. I update hourly and run a flash memory scan (also only available in the Pro version) after every update.
