**Trojan.Downloader.ED**

I was fretting about this; I thought hackers had hijacked a Malwarebytes package. This has affected just about all of my clients: about 10 to 15 PCs around town where I had Malwarebytes installed were hosed by this.

Most of them were repaired simply by doing a system restore, but one system, a server system, was irrecoverably corrupted. It was a Windows 7 x64 machine, had no restore points (the System Restore storage had been set to "0 bytes"), and it could not be booted to any mode to run Malwarebytes and restore the files.

Although it was mostly Windows 7 systems that were affected, a Windows XP system, another server, was affected too; maybe 200 or more system files were deleted with no choice to stop the deletions. Since the system was the core of a network which distributes a database to all of the workstations, this business suffered two whole down days. The system files included in the deletions were all of the files relevant to file sharing.

In a future update, we will need a "panic button" for this kind of error, to stop it and immediately restore the files. We use Malwarebytes to protect us, and we've trusted you for years with our systems. But this was a major cock-up. When I saw 200-plus SYSTEM files in the quarantine bin, I knew that no virus I am familiar with could have infected that many system files. The users who use these systems have been trained by me not to install anything at all. Every file affected seems to have been network-related. Not even TeamViewer was working, which is what I use to fix errors remotely; the system was totally invisible to the networks that hook into it and depend on it.

So far I've had 15 affected systems and was able to repair all of them but one. This foul-up was way too expensive, and the only reason why I am not really that angry is because I have work this week because of this. But I need to know: what is the probability that this will ever happen again? I already have too many false positives as it is; it takes me about an hour to enter all of the files I need to exclude from scanning, per machine, and my work is networking, so I set up multiple workstations, 2 to 10 at a time. I always put Malwarebytes on them. I need to know, is it SAFE to continue using Malwarebytes? Because there really is no other malware program that is effective.

Link to post

I never would have thought that this false positive would have come from a program that I have faithfully used for several years and relied on to find malware. It has been such a headache to get my computer working again. If I didn't have a second computer with the file I needed to install Malwarebytes again in safe mode, I would have been @#@$#. I couldn't even log in to Windows in normal mode at first. Malwarebytes in safe mode didn't even work because it needed a missing system file. I can imagine the frustration other people might have had if they only had one computer and a cell phone without internet access to research the problem. If I didn't already know about computers, I'd be in the same boat as many people trying to find someone else to fix my computer.

I don't know if this was something where a hacker attacked your site and caused this false positive or just a mistake on your part, but it seriously hurts your reputation for this to happen. I'll still use Malwarebytes for now since this is the first time something this major happened to me with you guys, but if it happens again, I'll have to drop your program and go with something else.

Link to post

Clearly, what is very much needed is a setting in Malwarebytes Prefs that allows you to tell it to ASK you first, before deleting. This was so sudden: 200 NON-INFECTED SYSTEM files deleted in less than a second the moment this update was installed. My PHONE has been ringing off the hook with this; it's hard enough fixing the legit problems I come across, and this has been a mega slap in the face. I always use Malwarebytes in concert with NOD32, and between the two, hardly anything gets past them. We really NEED the choice to ignore a false positive; a popup window should come up asking us what we want to do.

I don't know if Malwarebytes realizes just how major this was, and my clients are foaming at the mouth. It has to never happen again, with protections just in case it does.

Link to post

Greetings,

You should be able to do a repair install as described here and that should get your systems back up and running again without losing any of your data.

OK - SO THESE versions of Windows 7 can do the In-Place Install, booting from the DISK? Because all of the literature I have ever read on the Microsoft Site and Technet regarding In-Place Installs for Windows 7 claim that it can only be done while in the Desktop. These will "upgrade" a system and restore it to working order? Microsoft says it can't be done this way. Is this something new? These disks CAN in-place from Boot?

Link to post

> OK - SO THESE versions of Windows 7 can do the In-Place Install, booting from the DISK? Because all of the literature I have ever read on the Microsoft Site and Technet regarding In-Place Installs for Windows 7 claim that it can only be done while in the Desktop. These will "upgrade" a system and restore it to working order? Microsoft says it can't be done this way. Is this something new? These disks CAN in-place from Boot?

Unfortunately it seems not. You might try some of the methods mentioned here as they may help, particularly running SFC offline if you've not yet done so, as it should be able to restore critical system files which were quarantined which should hopefully get the system into a bootable state again so that you can log into safe mode and run our fix tool to restore the rest.

Link to post

> Unfortunately it seems not. You might try some of the methods mentioned here as they may help, particularly running SFC offline if you've not yet done so, as it should be able to restore critical system files which were quarantined which should hopefully get the system into a bootable state again so that you can log into safe mode and run our fix tool to restore the rest.

In Windows 7 I could not get into any usable mode of operation; the files required to boot were just gone. There was no command line safe mode, no regular safe mode, no VGA mode, no "use earlier version that worked" mode. Windows 7, if you have no restore points or backup image, cannot be repaired. Luckily I only had to do one full reinstall, but it was a server; the whole shop was running Tracs, an invoicing program for automotive. And the server machine was the one that could not be restored.

Fortunately as well, Napa Tracs was easily re-installed and it restored their database to the exact way it was before this happened.

Link to post

Sorry - No editing function - The other thing was that they use a Brother Printer that uses Wireless, I could not get that fixed, I had to move on to two other shops today. I was able to set up a temporary printer with the USB cable and share that printer with the rest of the 5 workstations - I can't even get back there tomorrow to finish, I have several more places to go plus machines at my house that need to be attended to. So, this is a work-fest for me, but I understand the POV of these businesses.

Link to post

Unfortunately the Win7 CDs I have (original to each computer, OEM) will not allow an upgrade repair.

The link above indicates to run from CD after you log in... Again, unfortunately, I cannot log in. All I get is a black screen with a movable cursor. I do not wish to reload from scratch as these computers have programs which will take hours to reload. We have backups (files only), no image.

Issue: Black Screen and Cursor (movable)

It does not appear that I have any other recourse but to reinstall. - 2 tonight and 2 more to do tomorrow - (Sure makes my week !@!#)

Link to post

HOBOcs, I tried building a Windows system with the OS on the D drive. I connected the hard drive from one of the "black screen" systems and mounted the drive as the C drive. I then copied the Quarantine directory from C drive to the D drive, opened MBAM and restored all the files to the C drive. However, this still did not work even after restoring all the files it could. Many didn't restore since there were system files in place.

Did you try running the SFC command from Windows recovery console? This resolved about half of our black screen systems.

Steps:

1. Run the command bcdedit | find "osdevice" to figure out the drive.

2. Run "sfc /scannow /offbootdir=c:\ /offwindir=c:\windows"

3. Reboot and boot into safe mode

4. Run latest MBAM fix

Link to post
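The four-step offline SFC procedure above, automated as a script for the Windows 7 install media's "Command Prompt" recovery option. This is an added example, not a script from the thread or from Malwarebytes. It assumes the bcdedit line has the form "osdevice  partition=X:" (the form the step-1 command relies on), that the offline Windows volume carries a \Windows\System32 directory, and that SFC writes its offline log to that volume's \Windows\Logs\CBS\CBS.log; the file name offline-sfc.cmd is hypothetical. Steps 3 and 4 remain manual and are only printed at the end.

```batch
@echo off
REM offline-sfc.cmd -- added example, not the poster's own script.
REM Automates steps 1 and 2 above from the Windows 7 install media's
REM "Command Prompt" recovery option, then tells the operator what is left
REM (steps 3 and 4 are manual: reboot to Safe Mode, run the MBAM fix tool).
REM WinRE may assign the Windows volume a different letter than normal boot
REM does (the thread shows both C: and D:), so the letter is never hard-coded.
setlocal

set "OSDRIVE="

REM Step 1: read the first "osdevice   partition=X:" line bcdedit reports.
REM Lines with ramdisk= (a recovery-environment entry) are dropped by the
REM second find. With delims "=" and space the tokens are:
REM   1=osdevice  2=partition  3=X:
for /f "tokens=3 delims== " %%A in ('bcdedit ^| find "osdevice" ^| find "partition="') do (
    if not defined OSDRIVE set "OSDRIVE=%%A"
)

if not defined OSDRIVE (
    echo Could not read the Windows volume from bcdedit.
    echo Use diskpart ^(list volume^) to find it, then run:
    echo   sfc /scannow /offbootdir=X:\ /offwindir=X:\Windows
    exit /b 1
)

REM Sanity check before pointing SFC at the volume.
if not exist "%OSDRIVE%\Windows\System32\" (
    echo %OSDRIVE% has no \Windows\System32 directory; not a Windows volume.
    exit /b 1
)
echo Offline Windows installation found on %OSDRIVE%

REM Step 2: offline SFC. Both switches use the Windows volume, as in the
REM thread; if the machine has a separate System Reserved boot partition,
REM point /offbootdir at that partition's letter instead.
sfc /scannow /offbootdir=%OSDRIVE%\ /offwindir=%OSDRIVE%\Windows
if errorlevel 1 (
    echo SFC returned error level %errorlevel%.
    echo See %OSDRIVE%\Windows\Logs\CBS\CBS.log for the offline scan details.
    exit /b %errorlevel%
)

echo.
echo SFC completed. Next:
echo   3. Reboot and start Windows in Safe Mode.
echo   4. Run the latest MBAM fix tool to restore the remaining quarantined files.
endlocal
exit /b 0
```

Copy the script to a USB stick, start the recovery Command Prompt, and run it by its path. Because it is a batch file the loop variable is written %%A; if you paste the for line interactively instead, use %A. A non-zero exit from SFC (such as the "Windows Resource Protection could not start the repair service" message reported later in this thread) is passed through unchanged so the operator sees it rather than a false "completed".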

I'm going to throw my 2 cents in on this as I had a dozen or so clients affected with this. The easiest fix for me was to boot off a Windows disk and do a system restore. That being said, it affected 32-bit machines a bit more than my 64-bit machines. Some of my 64-bit machines were able to boot in either safe mode or normal mode and get to the control panel and to system restore. My 32-bit machines I had to use a Windows disk for, since nothing worked.

Link to post

> HOBOcs, I tried building a Windows system with the OS on the D drive. I connected the hard drive from one of the "black screen" systems and mounted the drive as the C drive. I then copied the Quarantine directory from C drive to the D drive, opened MBAM and restored all the files to the C drive. However, this still did not work even after restoring all the files it could. Many didn't restore since there were system files in place.
>
> Did you try running the SFC command from Windows recovery console? This resolved about half of our black screen systems.
>
> Steps:
>
> 1. Run the command bcdedit | find "osdevice" to figure out the drive.
>
> 2. Run "sfc /scannow /offbootdir=c:\ /offwindir=c:\windows"
>
> 3. Reboot and boot into safe mode
>
> 4. Run latest MBAM fix

Yes, GoalTrain - I was able to use the Windows 7 CD and get to the recovery options -ie Command Prompt and run the exact SFC command you have (using drive D:). I kept getting a message - "Windows Resource Protection could not start the repair service". So.. I was not able to run it.

No resolution, and time's a-ticking:

My last resort - I removed drives and backed up User Files (docs, mail etc) and I did a Windows Reinstall over night and will be spending the day at customers seeking out and reloading custom software and rebuilding their environments.

Link to post

> Hi FF
>
> You can edit the batch file with notepad to see what it's doing. Difficult to say how long it would really take from one system to another as hardware is also a factor.
>
> If you need further help with it let us know please

I let it run about another hour or so and it did not finish, so I Ctrl-C'd out of it, and then opened MBAM and just went to the Quarantine folder, restored all, and after that rebooted.

What about all the files or listings left in the Quarantine folder after the restore, they still show listed, do those need to be removed?

Link to post
  • Root Admin

Same as an infection, FF - you can leave them there for a while until you're sure they're not needed. No harm in them sitting in the quarantine. Just double check that the files found in quarantine can be found on the system overall.

The very first post on this topic has more details

Link to post
