Malware Bytes Scan

Dave Cohen

Just updated MalwareByte and scanned system. Getting over 400
'Trojan.Downloader' messages on files that have been on the system
forever. Avira doesn't find anything.
 
Victek

Dave Cohen said:
Just updated MalwareByte and scanned system. Getting over 400
'Trojan.Downloader' messages on files that have been on the system
forever. Avira doesn't find anything.

I would trust MBAM, but if you want a second opinion install Hitman Pro
(free thirty-day license) or SuperAntiSpyware. I find that AV is
notoriously unable to detect the types of malware that MBAM, SAS etc. are
designed to find/remove.
 
Rube Bumpkin

FredW said:
Are you sure it is MBAM and not Avast?
;-)

I would wait for the next update and then scan again.

In the meantime for a second opinion
- SuperAntiSpyware (Free Edition)
http://www.superantispyware.com/download.html
This was a problem with Update 3286 which was only out there for a
little while. It was replaced with 3287, then 3288.

There were several threads on the MBAM forums.

RB
 
FromTheRafters

Dave Cohen said:
Just updated MalwareByte and scanned system. Getting over 400
'Trojan.Downloader' messages on files that have been on the system
forever. Avira doesn't find anything.

Submit one of the suspect files to Virustotal or Jotti to help ascertain
if it is a false positive.
 
Buffalo

FredW said:
Looks like the same kind of problem Avast had today.

Huh? Why did MBAM and Avast have problems around the same time?
What is the connection??
Do they share or steal each others definitions?
Buffalo
 
David H. Lipman

From: "Buffalo" <[email protected]>

| Huh? Why did MBAM and Avast have problems around the same time?
| What is the connection??
| Do they share or steal each others definitions?
| Buffalo

Pure coincidence of a rash of False Positives!
 
Rube Bumpkin

FromTheRafters said:
Submit one of the suspect files to Virustotal or Jotti to help ascertain
if it is a false positive.

I did that. When it came back 'negative', I checked the MBAM forums.

RB
 
David H. Lipman

| I really don't believe that explanation!
| Buffalo

Sorry, that's the way it is.
 
FromTheRafters

Buffalo said:
I really don't believe that explanation!

If it were more than a coincidence, it would be the *same* malware being
purportedly found by each program, since you are talking about the def
files being possibly shared or stolen. For example if both entities
stole their defs from PCButts - all three would FP on the same files for
the same malware (possibly giving different malware names as a result).
 
FromTheRafters

Rube Bumpkin said:
I did that. When it came back 'negative', I checked the MBAM forums.

Even the best programs can and will FP - it is nice to have a
programmatical consensus available online. When online is not possible,
it is nice to have an alternative program available locally for a second
opinion.
 
Dave Cohen

Dave said:
Just updated MalwareByte and scanned system. Getting over 400
'Trojan.Downloader' messages on files that have been on the system
forever. Avira doesn't find anything.

All is well. My 12/3 update installed 3287 and the scan indicated the
problems I stated.
Today (12/4) I updated and installed 3289, full scan showed zero problems.
One curious note: I don't recall having to re-start the computer after
yesterday's update. Today I received and responded to that message.
Thanks for all your replies.
 
FromTheRafters

Leonard Agoado said:
FTR,

Do you imagine, in the scenario described above, either entity
functioning well enough to make it to that point?

Of course, virus (or malware) description language is not a programming
language.

:D

Butt's programs work reasonably well even though the data files
describing the malware are stolen from the actual people doing the
research to create them (the "engines" consuming that data are probably
stolen as well, but this has not been demonstrated as well as the other
aspect has).

If you recall the "other" thieves (from China?) - they actually gave the
same malware name (marker) in the alert, probably because the engine
(maybe even the GUI) is stolen as well.
 
FromTheRafters

Dave Cohen said:
All is well. My 12/3 update installed 3287 and the scan indicated the
problems I stated.
Today (12/4) I updated and installed 3289, full scan showed zero
problems.
One curious note: I don't recall having to re-start the computer after
yesterday's update. Today I received and responded to that message.
Thanks for all your replies.

Often, that is indicative of a program update as opposed to just a
definitions update. I'm not sure if Malwarebyte's Anti-Malware shares
this nature so familiar with the AV programs.
 
David H. Lipman

From: "FromTheRafters" <[email protected]>

| Of course, virus (or malware) description language is not a programming
| language.

:D

| Butt's programs work reasonably well even though the data files
| describing the malware are stolen from the actual people doing the
| research to create them (the "engines" consuming that data are probably
| stolen as well, but this has not been demonstrated as well as the other
| aspect has).

| If you recall the "other" thieves (from China?) - they actually gave the
| same malware name (marker) in the alert, probably because the engine
| (maybe even the GUI) is stolen as well.

Yes, IObit's theft of the Malwarebytes database is an excellent example.

Those who decrypted the IObit database and the Malwarebytes database have *NO DOUBT* of
this theft.
 
Rube Bumpkin

FromTheRafters said:
Even the best programs can and will FP - it is nice to have a
programmatical consensus available online. When online is not possible,
it is nice to have an alternative program available locally for a second
opinion.

Oh, yeah, I also did that. I ran SAS, Spybot S&D, Ad-Aware, and Norton
AV (the corporate version), before I sent a file to VT, and checked the
forums.

RB
 
FromTheRafters

Rube Bumpkin said:
Oh, yeah, I also did that. I ran SAS, Spybot S&D, Ad-Aware, and Norton
AV (the corporate version), before I sent a file to VT, and checked
the forums.

It sounds like you have things pretty well covered with respect to
sorting out FP's. :)

A lot depends (for me) on where a file is found as well. For instance
some months ago I had a detection of malware in my IBM utilities folder -
I suspected FP's and did nothing - subsequent scans did not repeat the
issue. Some months later I got a detection in my Java jar's zip files -
I quarantined (or deleted) them, because I didn't care about saving
FPed malware in Java jars.
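The heuristics the posters use to sort FP's from real hits (a flood of one label from one definitions version, on files that predate the update by months, with no second engine agreeing) can be applied as a triage pass over a scan's output. This is an added example, not code from the thread or from any of the products named in it; the detection records, paths, version strings and thresholds are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Detection:
    path: str          # file the scanner flagged
    name: str          # label reported, e.g. 'Trojan.Downloader'
    engine: str        # scanner that raised the alert
    db_version: str    # definitions version the scanner was using
    file_mtime: date   # last-modified date of the flagged file

def triage(detections, scan_date, min_age_days=90, min_hits=50, old_share=0.9):
    """Group hits by (engine, definitions version, label) and mark a group as a
    suspected false-positive burst when it is large, almost entirely made up of
    files far older than the scan, and no other engine flags any of its files.
    Thresholds are assumptions for illustration, not vendor guidance."""
    groups = defaultdict(list)
    flagged = defaultdict(set)           # engine -> paths it flagged (any label)
    for d in detections:
        groups[(d.engine, d.db_version, d.name)].append(d)
        flagged[d.engine].add(d.path)
    results = {}
    for key, group in groups.items():
        engine = key[0]
        others = set().union(*(p for e, p in flagged.items() if e != engine))
        # Labels differ between engines, so corroboration is by path only.
        corroborated = sum(d.path in others for d in group)
        old = sum((scan_date - d.file_mtime).days >= min_age_days for d in group)
        burst = (len(group) >= min_hits and corroborated == 0
                 and old / len(group) >= old_share)
        results[key] = {"hits": len(group), "old_files": old,
                        "corroborated": corroborated, "fp_burst": burst}
    return results

# Constructed sample: 60 long-present utility files hit by one label from one
# definitions version, plus one fresh download flagged by two engines.
SCAN_DATE = date(2009, 12, 3)
OLD = SCAN_DATE - timedelta(days=800)
SAMPLE = [Detection(f"C:\\Utils\\tool{i}.exe", "Trojan.Downloader", "MBAM", "3287", OLD)
          for i in range(60)]
SAMPLE += [Detection("C:\\Downloads\\invoice.exe", "Trojan.Agent", "MBAM", "3287", SCAN_DATE),
           Detection("C:\\Downloads\\invoice.exe", "TR/Dldr.X", "Avira", "vdf-constructed", SCAN_DATE)]

if __name__ == "__main__":
    for key, r in triage(SAMPLE, SCAN_DATE).items():
        print(key, r)
```

A group marked `fp_burst` is a candidate to hold and rescan after the next definitions update; anything else is handled per file, e.g. by submitting the sample to a multi-engine service as suggested earlier in the thread.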
 
Dustin Cook

Buffalo said:
Huh? Why did MBAM and Avast have problems around the same time?

We had temporary problems with our database... Shrug. Sorry. We fixed it
quick, but evidently not quick enough; some systems did get the bad
definitions.

Buffalo said:
What is the connection??

None.

Buffalo said:
Do they share or steal each others definitions?

We don't share definitions with anyone. It wouldn't do much good;
definitions are typically custom and very specific to the antimalware
engine. For example, the definitions system in use by BugHunter (my app) is
entirely 100% incompatible with the definitions system used by Malwarebytes
Anti-Malware. While some definitions can and do consist of hashes or
checksums of some sort, others do not.
 