exile360

***False positive Trojan.Downloader.ED***

362 posts in this topic

As many of you are aware, we suffered a false positive earlier today which caused many of our users' systems to be rendered inoperable. The offending database was v2013.04.15.12, and was live for only 8 minutes.

We sincerely apologize for this false positive and an update was immediately pushed out to remove the offending definition that caused this.

------------------------------------------------------------------------------------------------------------------------------------------------

For Malwarebytes Anti-Malware Users:

Option A -- if your system can boot normally

Use the Malwarebytes Anti-Malware False Positive Fix Tool:

  • Make certain you are logged in as an administrator
  • Download the Malwarebytes Anti-Malware FP Fix Tool from here and save it to a convenient location such as your desktop
  • Extract all of the files to a folder and run RunThis.bat. NOTE: Windows Vista, Windows 7 and Windows 8 users must right-click on the file and choose Run as Administrator and click Yes or Continue to any User Account Control prompts
  • Restart your system and verify that it is now working properly

NOTE: There may be extra files in quarantine that will not be restored, though the system will be bootable. These are duplicate backup files and the files in question should already be restored.

Option B -- if your system cannot boot normally

Step 1: Boot into Safe Mode with Networking:

Windows XP:

  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with the Windows XP Advanced Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode with Networking.

You should then be presented with the Windows XP Login screen. Log in to Windows and when it prompts you about Safe Mode and asks if you'd like to continue click Yes.

Windows Vista and Windows 7:

  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with the Windows Advanced Boot Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode with Networking.

You should then be presented with the Windows Login screen. Log in to Windows.

Step 2: Use the Malwarebytes Anti-Malware False Positive Fix Tool:

  • Make certain you are logged in as an administrator
  • Download the Malwarebytes Anti-Malware FP Fix Tool from here and save it to a convenient location such as your desktop
  • Extract all of the files to a folder and run RunThis.bat. NOTE: Windows Vista, Windows 7 and Windows 8 users must right-click on the file and choose Run as Administrator and click Yes or Continue to any User Account Control prompts
  • Restart your system normally and verify that it is now working properly.

NOTE: There may be extra files in quarantine that will not be restored, though the system will be bootable. These are duplicate backup files and the files in question should already be restored.

------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes Enterprise Edition Customers:

  • Within the console reinstall MBAM over the top (push install)
  • Use Windows tasks to execute the command (as admin): "C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe" /quarantine -restore all

If the above failed, then you may also do the following:

Use the Malwarebytes Anti-Malware False Positive Fix Tool:

  • Make certain you are logged in as an administrator
  • Download the Malwarebytes Anti-Malware FP Fix Tool from here and save it to a convenient location such as your desktop
  • Extract all of the files to a folder and run RunThis.bat. NOTE: Windows Vista, Windows 7 and Windows 8 users must right-click on the file and choose Run as Administrator and click Yes or Continue to any User Account Control prompts
  • Restart your system and verify that it is now working properly

------------------------------------------------------------------------------------------------------------------------------------------------

If you are still having a problem:

For those of you still having problems, please contact support via the following links and they will assist you directly in getting your systems functioning properly again:

Home User Support

Business Support

Please be sure to include the following information to expedite the repair process:

  • OS installed (i.e. XP, Vista, 7, 8 etc.)
  • Whether you have restarted your computer yet or not
  • Whether or not the system is bootable if you have attempted a restart of your system yet
  • Whether or not you have your Windows installation media (CD, DVD, recovery discs etc.)

We have also taken extensive measures to ensure that a false positive like this never happens again. Once more, I apologize that this occurred and hopefully we will be able to get everyone's systems in proper working order once more without too much trouble.

Thank you


I followed the steps above (reinstalling in safe networking mode) and still get that the program can't start because comctl32.dll is missing from my computer.


> I followed the steps above (reinstalling in safe networking mode) and still get that the program can't start because comctl32.dll is missing from my computer.

Please install this file from Microsoft and you should be able to open Malwarebytes Anti-Malware.

I've added the above info to the first post as well.


These steps don't seem to help a user who is unable to log on. I have several users who receive this message at the logon prompt:

logonui.exe error - cryptui.dll missing

Clicking okay gives a black screen. Not accessible from the network. How do we get around this?


I was able to get Windows 7 back up using safe mode and a restore point. MBAM still shows 66 system files in quar. It does not seem to do anything with restore all. Is this step needed after the restore? What should I do?


I can't run that file. When I try to open it it says... surprise, the vb6.0-kb290887-x86.exe program can't start because comctl32.dll is missing from my computer.

> I followed the steps above (reinstalling in safe networking mode) and still get that the program can't start because comctl32.dll is missing from my computer.

Edgor,

Is your system running Windows XP? If Exile's instructions do not work, please try installing this file from Microsoft. It should reinstall comctl32.dll onto your system.


Please download, then unzip, then place this file in C:\Windows\system32

comctl32.zip


Your fix won't work for me because I'm missing the CRYPTUI.dll file needed to boot my computer. (Malwarebytes quarantined it.)


I can't run the validation because I don't have internet access. Malwarebytes managed to screw that up too.


I had to do a system restore on Windows 8, as I was unable to get to safe mode. Luckily I had a restore point from only a couple of days ago, so I didn't lose too many programs. Malwarebytes Anti-Malware straight away picked up the new update, so now I am up and running, with only 1 program to reinstall.


For any of you having any remaining problems after attempting to follow the above instructions, please contact support directly and they will assist you in getting your systems back in working order:

Home User Support

Business Support

Thank you


Says I need permission to perform this action. Now what?

BTW, there is a comctl32 already in that folder that it would be overwriting. Your file is 637K, the one in there is 619K from 11/20/2010.


I am in touch with tech support and they keep telling me to download a fix file but Malwarebytes screwed up my browsers so I cannot access anything online...


> Says I need permission to perform this action. Now what?
>
> BTW, there is a comctl32 already in that folder that it would be overwriting. Your file is 637K, the one in there is 619K from 11/20/2010.

Please contact support and they will assist you directly in getting the software to run so that you may restore the files from quarantine:

Home User Support

Business Support

Thank you


Support here is about 10x faster than waiting on emails all night. I have work to do. You guys really should be calling people to get this fixed instead of snail mailing.


I've received 10 responses here in the time I've received one email.


> I am in touch with tech support and they keep telling me to download a fix file but Malwarebytes screwed up my browsers so I cannot access anything online...

If you have a second system with internet access as well as a portable storage media such as a USB flash drive, external hard drive or blank CD, then you may download the required files using that system and transfer them to the affected PC using your portable media.


> I've received 10 responses here in the time I've received one email.

Yes, unfortunately our Support helpdesk is quite busy at the moment due to this issue as most affected users have gone there for assistance but they are working as fast as they can and are getting caught up finally.


A direct link to the file and a download manager will work as well.


Just do a system restore:

To open the System Recovery Options menu on your computer


  • Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer using the computer's power button.

  • Do one of the following:

    • If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.

    • If your computer has more than one operating system, use the arrow keys to highlight the operating system you want to repair, and then press and hold F8.

  • On the Advanced Boot Options screen, use the arrow keys to highlight Repair your computer, and then press Enter. (If Repair your computer isn't listed as an option, then your computer doesn't include preinstalled recovery options, or your network administrator has turned them off.)

  • Select a keyboard layout, and then click Next.

  • On the System Recovery Options menu, click a tool to open it.


@Edgor, you're lucky to have received a reply. I'm still waiting for any acknowledgement!


I finally had to system restore back to 5 days ago. Folks, this better never happen again or I'm moving to a different vendor.

Already have to uninstall and reinstall my virus program and several other things as a result of this mess. My entire evening has been wasted.


By the way first email response 8:09, last one 8:41, none since.

This topic is now closed to further replies.
