
Strange behaviour of Malwarebytes' 1

Status
Not open for further replies.

bronan

Jan 11, 2006
When I run SFC /Scannow, Malwarebytes' Anti-Malware 1.46 reports the following malware:
- C:\Windows\System 32\dllcashe\beep.sys as "Fake beep.sys"
- C:\Windows\System 32\dllcashe\cdrom.sys as "Trojan Patched" and
- C:\Windows\System 32\dllcashe\stup.exe as "Trojan Dropper"
If I scan the C:\Windows\System 32\dllcashe\ folder with Malwarebytes' Anti-Malware 1.46, there are no warnings, all is clean, nothing is found.
I am confused what it is - a false positive or something else?
 
I don't quite understand what you're saying, but I'm guessing English is not your first language, so let me ask you this.

You are running SFC /scannow, but what application is reporting the malware??? SFC does NOT report malware, it just replaces corrupt files. Unless you have the paid version of MBAM, I don't understand how it is reporting these malwares.

You could start up in safe mode and delete those files and then reboot and run SFC /scannow again to replace them.

You could also boot to a bootable CD (like BartPE) and then copy those files over manually from the BART PE CD to the folder on your C: drive to replace them.

 
What support is provided by Malwarebytes? Are you able to submit files for analysis and have them fix any false report problem?

For your own peace of mind you could also copy the individual files mentioned and have them checked out via this site which will scan the files with multiple virus scanners (for free).

Jotti's malware scan
 
@goombawaho,
MBAM is reporting the a/m malware during the SFC /Scannow session.
@linney,
My problem is how to find the a/m files to submit them for checking.
I tried to locate them in the folder reported by MBAM, but I could not find any of them.
 
Are those files stored in a recovery file or restore point? Maybe you should turn off the XP restore point and rerun MBAM.


James P. Cottingham
I'm number 1,229!
 
Do you have the files/folder option for hidden files set to show all files?

In Windows Explorer or My Computer:
Tools -> Folder Options -> View Tab -> Under "Hidden files and folders", make sure "Show hidden files and folders" is selected.... -> Hit "OK" button...

Then look for your files.
 
Dllcache is a Hidden and System Folder.

It may be necessary to show Both Hidden and System Files, and also to uncheck "Hide known file types" in Control Panel/ Folder Options/ View, to navigate to the mentioned location and to see file extensions.

You will probably have to logon on as an Administrative user too.

I take it that you didn't have Malwarebytes take any action on the files, such as Quarantine or Delete?

When you use Search you also have to set the Search Preferences to search both Hidden and System files via the "More Advanced" options.
 
I had already done everything you suggested before, but there are no
a/m files in the folder mentioned by MBAM.
Really some mystery.
Found the folder, but no files inside.
My Restore point is turned off all the time.
Could anyone kindly search for the a/m files in his own system, to check if they really exist or not?
 
Hmm, maybe it's something in the registry, then? Have you given a registry cleaner a go, and then run the same scan afterwards to see if resolved by cleaning out the registry?

You could try any of these 3 apps for basically a 1 or 2 click approach:
CCleaner
Glary Utilities
Advanced System Care

All 3 are free, and available at
 
Do you use another AV/AS program? Could that program have put those in it's own quarantine folder?



James P. Cottingham
I'm number 1,229!
 
"Could any one kindly search for a/m files in his own system- to check if they really exist, or not."

Not sure what you wanted searching for, but yes I have a Quarantine folder, and yes, it is empty. I have a Quarantine Tab in the GUI of Malwarebytes, but that is empty too.

Do you have these sort of manual scan logs that you can refer to?

mbam-log-2009-09-29 (08-17-43).txt in a Logs folder?

Does your paid version make logs of malware found in realtime scanning?


Speaking of any realtime scanning logs, can you post a short copy of what Malwarebytes is reporting about those files, their location, and what action Malwarebytes performed?

These are the files I see on my XP Partition which is on a D: drive.

D:\WINDOWS\ServicePackFiles\i386\cdrom.sys (62 KB, 14/04/2008 12:10:48 AM)
D:\WINDOWS\system32\drivers\cdrom.sys (62 KB, 14/04/2008 12:10:48 AM)

D:\WINDOWS\system32\dllcache\beep.sys (5 KB, 4/08/2004 10:00:00 PM)
D:\WINDOWS\system32\drivers\beep.sys (5 KB, 4/08/2004 10:00:00 PM)

Stup.exe is not a known file, or a typo, probably for Setup.exe, but that is too common a name to search for on my machine.
I have this file - D:\WINDOWS\system32\dllcache\Setup.exe (22.5 KB (23,040 bytes))
 
@linney,
As I mentioned before, after running MBAM directly on the folder C:\Windows\System32\dllcashe, MBAM does not report any sort of malware, so there are no logs to use to see and analyze any malware found.
MBAM only reports those problems when I run SFC /Scannow.
Of course I didn't accept the offered solutions to delete or quarantine any of these three files, so they should be in their places in the dllcashe folder, but they are not.
 
Please help me as I'm apparently unable to understand what "a/m files" is. It's killing my ability to understand this thread.
 
I've just been guessing that he meant something like "antimalware" files for a/m files.... never thought to ask.

[ponder]
 
I must admit that "antimalware" for a/m seems silly in context, but that was my thinking anyway. [wink]
 
Here you can find two log files from MBAM: the first after the system32/dllcache scan and the second after running SFC /Scannow:

1/Malwarebytes' Anti-Malware 1.46

Database version: 4142

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10-05-26 13:12:57
mbam-log-2010-05-26 (13-12-57).txt

Scan type: Quick scan
Objects scanned: 171
Time elapsed: 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2/Protection-log-2010-05-26

12:46:31 user MESSAGE Protection started successfully
12:46:46 user MESSAGE IP Protection started successfully
13:56:19 user IP-BLOCK 95.168.183.18
13:56:22 user IP-BLOCK 95.168.183.18
13:56:28 user IP-BLOCK 95.168.183.18
14:16:39 user IP-BLOCK 83.133.97.246
14:16:42 user IP-BLOCK 83.133.97.246
14:16:48 user IP-BLOCK 83.133.97.246
14:32:06 user DETECTION C:\WINDOWS\System32\dllcache\beep.sys Fake.Beep.sys ALLOW
14:32:38 user DETECTION C:\WINDOWS\System32\dllcache\cdrom.sys Trojan.Patched ALLOW
14:37:26 user DETECTION C:\WINDOWS\System32\dllcache\setup.exe Trojan.Dropper ALLOW

Maybe this can help you to solve this puzzle.
 
Meanwhile I ran a full scan of C:\, all clean; here is the log file:
-Malwarebytes' Anti-Malware 1.46

Database version: 4145

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10-05-26 16:16:35
mbam-log-2010-05-26 (16-16-35).txt

Scan type: Full scan (C:\|)
Objects scanned: 156936
Time elapsed: 38 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Then I ran SFC /Scannow and tried to quarantine the problematic files reported by MBAM.
I rebooted, ran SFC /Scannow again, and the (3) previously quarantined files appeared again.
Here is the MBAM log file:

12:46:31 user MESSAGE Protection started successfully
12:46:46 user MESSAGE IP Protection started successfully
13:56:19 user IP-BLOCK 95.168.183.18
13:56:22 user IP-BLOCK 95.168.183.18
13:56:28 user IP-BLOCK 95.168.183.18
14:16:39 user IP-BLOCK 83.133.97.246
14:16:42 user IP-BLOCK 83.133.97.246
14:16:48 user IP-BLOCK 83.133.97.246
14:32:06 user DETECTION C:\WINDOWS\System32\dllcache\beep.sys Fake.Beep.sys ALLOW
14:32:38 user DETECTION C:\WINDOWS\System32\dllcache\cdrom.sys Trojan.Patched ALLOW
14:37:26 user DETECTION C:\WINDOWS\System32\dllcache\setup.exe Trojan.Dropper ALLOW
15:36:21 user MESSAGE IP Protection stopped
15:37:16 user MESSAGE Database updated successfully
15:37:26 user MESSAGE IP Protection started successfully
15:37:39 user MESSAGE IP Protection stopped
15:37:50 user MESSAGE IP Protection started successfully
16:21:58 user DETECTION C:\WINDOWS\System32\dllcache\beep.sys Fake.Beep.sys QUARANTINE
16:21:59 user ERROR Quarantine failed: UtilityReadFile failed with error code 2
16:22:14 user DETECTION C:\WINDOWS\System32\dllcache\cdrom.sys Trojan.Patched QUARANTINE
16:22:15 user ERROR Quarantine failed: UtilityReadFile failed with error code 2
16:26:01 user DETECTION C:\WINDOWS\System32\dllcache\setup.exe Trojan.Dropper QUARANTINE
16:26:03 user ERROR Quarantine failed: UtilityReadFile failed with error code 2
16:31:03 user MESSAGE Protection started successfully
16:31:29 user MESSAGE IP Protection started successfully
16:32:59 user DETECTION C:\WINDOWS\System32\dllcache\beep.sys Fake.Beep.sys QUARANTINE
16:33:00 user ERROR Quarantine failed: UtilityReadFile failed with error code 2
16:33:20 user DETECTION C:\WINDOWS\System32\dllcache\cdrom.sys Trojan.Patched QUARANTINE
16:33:21 user ERROR Quarantine failed: UtilityReadFile failed with error code 2
16:37:18 user DETECTION C:\WINDOWS\System32\dllcache\setup.exe Trojan.Dropper QUARANTINE
16:37:19 user ERROR Quarantine failed: UtilityReadFile failed with error code 2

Please advise me what to do.
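
The protection log above pairs every QUARANTINE attempt with "UtilityReadFile failed with error code 2", which on Windows is ERROR_FILE_NOT_FOUND: the file was no longer on disk by the time MBAM tried to read it. That is exactly the pattern a defender wants to pull out of such a log before deciding whether an alert is a real infection or a detection on a file that existed only briefly. The parser below is an added example and not code from the thread or from Malwarebytes; it reads lines in the format quoted above, attaches each "Quarantine failed" ERROR to the DETECTION immediately before it, and classifies each path. The log text is constructed to mirror the thread's format; the C:\Temp\dropper.exe line and the 192.0.2.1 address are invented for contrast.

```python
"""Correlate Malwarebytes protection-log DETECTION lines with the quarantine
errors that follow them, and flag detections on files that were already gone.
Added example, modelled on the log format quoted in the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows system error code 2 is ERROR_FILE_NOT_FOUND.
ERROR_FILE_NOT_FOUND = 2

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) "
    r"(?P<kind>MESSAGE|IP-BLOCK|DETECTION|ERROR) (?P<payload>.*)$"
)
ERRCODE_RE = re.compile(r"error code (\d+)")

# Constructed sample log (same line format as the thread; dropper.exe line is invented).
SAMPLE_LOG = r"""
12:46:31 user MESSAGE Protection started successfully
13:56:19 user IP-BLOCK 192.0.2.1
14:32:06 user DETECTION C:\WINDOWS\System32\dllcache\beep.sys Fake.Beep.sys ALLOW
14:32:38 user DETECTION C:\WINDOWS\System32\dllcache\cdrom.sys Trojan.Patched ALLOW
16:21:58 user DETECTION C:\WINDOWS\System32\dllcache\beep.sys Fake.Beep.sys QUARANTINE
16:21:59 user ERROR Quarantine failed: UtilityReadFile failed with error code 2
16:22:14 user DETECTION C:\WINDOWS\System32\dllcache\cdrom.sys Trojan.Patched QUARANTINE
16:22:15 user ERROR Quarantine failed: UtilityReadFile failed with error code 2
16:40:00 user DETECTION C:\Temp\dropper.exe Trojan.Dropper QUARANTINE
"""


@dataclass
class Event:
    time: str
    kind: str
    payload: str
    path: Optional[str] = None
    threat: Optional[str] = None
    action: Optional[str] = None
    error_code: Optional[int] = None


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = Event(m["time"], m["kind"], m["payload"])
    if ev.kind == "DETECTION":
        # Payload is "<path> <threat> <action>"; split from the right so a
        # path that contains spaces is kept intact.
        parts = ev.payload.rsplit(None, 2)
        if len(parts) == 3:
            ev.path, ev.threat, ev.action = parts
    elif ev.kind == "ERROR":
        em = ERRCODE_RE.search(ev.payload)
        if em:
            ev.error_code = int(em.group(1))
    return ev


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


@dataclass
class FileSummary:
    path: str
    threats: set = field(default_factory=set)
    allowed: int = 0
    quarantine_attempts: int = 0
    quarantine_errors: List[int] = field(default_factory=list)


def correlate(events: List[Event]) -> Dict[str, FileSummary]:
    """Group events per path (case-insensitive) and attach each 'Quarantine failed'
    ERROR to the QUARANTINE detection immediately preceding it."""
    summaries: Dict[str, FileSummary] = {}
    last_detection: Optional[Event] = None
    for ev in events:
        if ev.kind == "DETECTION" and ev.path:
            s = summaries.setdefault(ev.path.lower(), FileSummary(ev.path))
            s.threats.add(ev.threat)
            if ev.action == "ALLOW":
                s.allowed += 1
            elif ev.action == "QUARANTINE":
                s.quarantine_attempts += 1
            last_detection = ev
        elif (ev.kind == "ERROR" and "Quarantine failed" in ev.payload
              and last_detection and last_detection.action == "QUARANTINE"):
            summaries[last_detection.path.lower()].quarantine_errors.append(ev.error_code)
            last_detection = None
        else:
            last_detection = None  # any other line breaks the DETECTION/ERROR pairing
    return summaries


def classify(s: FileSummary) -> str:
    """'transient': every quarantine failed with ERROR_FILE_NOT_FOUND, i.e. the file
    had vanished before MBAM could read it; 'quarantined': at least one attempt
    produced no error; 'quarantine-error': failures with other codes."""
    if s.quarantine_attempts and len(s.quarantine_errors) == s.quarantine_attempts \
            and all(c == ERROR_FILE_NOT_FOUND for c in s.quarantine_errors):
        return "transient"
    if s.quarantine_attempts and len(s.quarantine_errors) < s.quarantine_attempts:
        return "quarantined"
    if s.quarantine_errors:
        return "quarantine-error"
    return "allowed-only"


def summarize(text: str) -> Dict[str, str]:
    return {s.path: classify(s) for s in correlate(parse_log(text)).values()}


if __name__ == "__main__":
    for path, verdict in summarize(SAMPLE_LOG).items():
        print(f"{verdict:16} {path}")
```

A "transient" verdict does not prove the alert was false; it only says the scanner never had the file at quarantine time, so the next step is to compare the copy that SFC leaves in dllcache against the same file in system32\drivers or on the install media, as linney does by hand further up the thread, rather than trusting either the alert or its absence.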
 
This is similar to what "goombawaho" suggested earlier on in the post. You said you tried everything mentioned, can you clarify that you tried this suggestion?

Can you create something similar to a BartPE CD and load that? If you can, you can then remove those 3 mentioned files via Bart and then replace them from your XP CD or another non-infected machine of the same XP Service Pack.

You might be able to do something similar with the Recovery Console.

Links, and other suggestions in here.

Cannot logon to winxp...losing lots of valuable documents
thread779-975236




If not you can wade through some of these with a view of cleaning your machine of Rootkits and other nasty malware.



 
I am honored that you quoted my idea Linney.

If you did boot to BART PE CD that was made from an XP SP3 CD, you could just copy and paste (and overwrite) those files mentioned which would guarantee that they would be clean.

If you could also set up some type of offline malware scanner (which you could do with BartPE & Mcafee Plugin), you could also scan the entire drive OUTSIDE of windows.
 
"I am honored that you quoted my idea", which just goes to prove that I'm not too fussy and will steal anybody's ideas.




Avira presents a FREE data recovery rescue CD

Avira AntiVir Rescue System
The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

Avira AntiVir Rescue System



In these difficult cases it is sometimes just as easy to consider saving data and reformatting and reinstalling.
 