Anti Malwarebytes just nuked 20 of our systems with False Positive

Thanks just wasted about 5 hours restoring the systems from a week's old image. Was not so lucky at home, had to restore a month old image and one laptop is still down.

And that's the reason why false positives are a bad thing!

The false positive has done more damage than any malware over the past 4 years! damn!

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

ondemand or in real time?

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

Same problem here...allover their site as well. I was on line and boom....free running with blocking action. Similar thing happened to me about 4 years ago with Bitdefender...I was simply browsing the internet (used Bitdefender IS then) and they did an update and the same thing happened....thousands were effected but they made a fix the next day.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

Real Time.

It just started eating all System32 files!

Code:

013/04/15 18:44:44 -0400	a	a	DETECTION	C:\Program Files (x86)\Acronis\TrueImageHome\tishell32.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 18:56:00 -0400	a	a	DETECTION	C:\Windows\System32\taskeng.exe	Trojan.Downloader.ED	QUARANTINE
2013/04/15 18:57:02 -0400	a	a	DETECTION	c:\windows\system32\taskeng.exe	Trojan.Downloader.ED	QUARANTINE
2013/04/15 18:57:02 -0400	a	a	ERROR	Quarantine failed:  SDKQuarantine failed with error code 2
2013/04/15 18:58:02 -0400	a	a	DETECTION	c:\windows\system32\taskeng.exe	Trojan.Downloader.ED	QUARANTINE
2013/04/15 18:58:02 -0400	a	a	ERROR	Quarantine failed:  SDKQuarantine failed with error code 2
2013/04/15 18:59:02 -0400	a	a	DETECTION	c:\windows\system32\taskeng.exe	Trojan.Downloader.ED	QUARANTINE
2013/04/15 18:59:03 -0400	a	a	ERROR	Quarantine failed:  SDKQuarantine failed with error code 2
2013/04/15 19:04:31 -0400	a	a	DETECTION	C:\Windows\SysWOW64\oleaut32.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:04:31 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:14:58 -0400	a	a	DETECTION	C:\Windows\System32\RacEngn.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:36:30 -0400	a	a	DETECTION	C:\Windows\System32\cryptui.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:36:30 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:36:42 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:36:42 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:36:42 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:36:42 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:36:43 -0400	a	a	DETECTION	C:\Program Files (x86)\Malwarebytes' Anti-Malware\vbalsgrid6.ocx	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:36:51 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:36:51 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:36:51 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:36:51 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:36:58 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:36:58 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:36:58 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:36:58 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:37:03 -0400	a	a	DETECTION	C:\Windows\System32\cryptui.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:37:03 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:37:46 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:37:46 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:37:46 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:37:46 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:39:12 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:39:12 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:39:12 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:39:12 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:39:24 -0400	a	a	DETECTION	C:\Windows\System32\WRusr.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:39:24 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:39:36 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:39:36 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:39:36 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:39:36 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:39:44 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:39:44 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:39:44 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:39:44 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:39:52 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:39:52 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:39:52 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:39:52 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:02 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:02 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:02 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:02 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:08 -0400	a	a	DETECTION	C:\Windows\System32\WRusr.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:08 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:08 -0400	a	a	DETECTION	C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:08 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:08 -0400	a	a	DETECTION	C:\Program Files\Internet Explorer\IEShims.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:08 -0400	a	a	DETECTION	C:\Program Files\Internet Explorer\sqmapi.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:08 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:09 -0400	a	a	DETECTION	C:\Windows\System32\sspicli.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:09 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:09 -0400	a	a	DETECTION	C:\Windows\System32\webio.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:09 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:09 -0400	a	a	DETECTION	C:\Windows\System32\mswsock.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:09 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:09 -0400	a	a	DETECTION	C:\Program Files\Internet Explorer\ieproxy.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:09 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:10 -0400	a	a	DETECTION	C:\Windows\System32\ieui.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:10 -0400	a	a	DETECTION	C:\Windows\SysWOW64\WRusr.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:10 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:10 -0400	a	a	DETECTION	C:\Windows\System32\userenv.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:10 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:11 -0400	a	a	DETECTION	C:\Windows\System32\cryptui.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:11 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:11 -0400	a	a	DETECTION	C:\Windows\System32\WRusr.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:11 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:11 -0400	a	a	DETECTION	C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:11 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:22 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:22 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:22 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:22 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:35 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:35 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:35 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:35 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:53 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:53 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:40:53 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:40:53 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:41:10 -0400	a	a	DETECTION	C:\Windows\SysWOW64\mstask.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:43:03 -0400	a	a	DETECTION	C:\Windows\SysWOW64\userenv.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:43:04 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:43:08 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:43:08 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:43:15 -0400	a	a	MESSAGE	Stopping protection
2013/04/15 19:43:15 -0400	a	a	MESSAGE	Protection stopped successfully
2013/04/15 19:44:12 -0400	a	a	MESSAGE	Starting protection
2013/04/15 19:44:12 -0400	a	a	MESSAGE	Protection started successfully
2013/04/15 19:44:17 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:44:17 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:44:17 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:44:18 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:44:26 -0400	a	a	DETECTION	C:\Windows\SysWOW64\comdlg32.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:44:26 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:44:30 -0400	a	a	DETECTION	C:\Windows\SysWOW64\comdlg32.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:44:30 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:44:34 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:44:34 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:44:34 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:44:34 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:44:44 -0400	a	a	DETECTION	C:\Windows\SysWOW64\comdlg32.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:44:44 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:44:47 -0400	a	a	DETECTION	C:\Windows\SysWOW64\winmm.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:44:47 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code 5
2013/04/15 19:44:47 -0400	a	a	DETECTION	C:\Windows\SysWOW64\msvbvm60.dll	Trojan.Downloader.ED	QUARANTINE
2013/04/15 19:44:47 -0400	a	a	ERROR	Quarantine failed:  DeleteFile failed with error code

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

Mine is Pro or real time.My wife has same thing but not effected....she was away and her pc was off.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

wooooo man i had my disable uuffff

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

To reiterate:


We are working on picking up the pieces now from this. This was a failure in the engine to ignore a bad line in the database . To make backwards compatibility work MBAM is supposed to ignore anything that is not in the engine specs and this should have qualified but it didn't. This was a serious multiple level failure that should not have been possible. Support is working on figuring out the best way to restore the systems affected.

Please feel free to contact our support options at

http://www.malwarebytes.org/support/consumer/

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

Thanks!

So the price for this failure was $5k from our side...now the CEO is chewing out my ass to look for another solution since one of his systems was affected.


Thank god for re-image software.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

thanks for letting us know and hope is fixed soon

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

Someone on Malware-antimalware forum said to fully restore...was a false positive...did so and all is well.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

Man it just messed up my wife's laptop and she is PO'ed.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

Please see here for assistance with this issue:

http://forums.malwarebytes.org/index.php?showtopic=125137

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

Glad I use Iobit

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

Easy fix...just restore all...worked for me. Funny...it automatically removed MBAM (after the update)...the only thing I could install was MSE...couldn't open WSA Complete, Avast, KIS, etc.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

I couldn't open anything. Wouldn't even let me log into the system. I had to go into safe mode and uninstall MBAM. Now I'm missing some system files but I can't get onto the desktop now.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

Doesn't look like any of my computers were affected at this point, but I'm uninstalling anyway. Not at all acceptable...

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

I couldn't even get into the desktop. I had to go into safemode and uninstall MBAM. I can at least now get into the desktop and do a system scan. System Restore doesn't help either. Unfortunately my wife would never allow me to backup her laptop.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

again my bacon was saved again but this time by not having mbampro running in real time

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

IF YOU CAN GET INTO SAFE MODE (some folks can't) then re-install MBAM but DO NOT UPDATE and disable real-time update (default) and then go to Quarantine Tab in MBAM and choose RESTORE ALL. This will restore all the quarantined files. Or if you indeed had some baddies in quarantine then go one by one restoring only the files that were quarantined today. Then reboot the system and you should all set, good to go.
No need to restore.


P.S.
I feel bad for the MBAM guys/gals. They have provided an amazing protection with life-time lic for one time fee and over the past years with multiple updates a day they didn't have one goof. It's just sad that one false positive goof will cause massive loss in reputation that took years to build. I really like the MBAM guys and I am fighting my ass here to make sure that we keep their licenses but boy this has really fcked us and it's not yet over. The MBAM guys/gals will be reeling with this for days, since many individual's whose system's were affected might not be back online yet or they might think that it was a legitimate malware that hit them and wiped their system. Either way, bad news for MBAM.
My Heart as an IT guy goes out to you all.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

I had both computers running with MBAM Pro, but did not experience the problem. Is it because I was not scanning?
I have the impression that scanning was not the problem, but something else.

What were y'all doing at the time?
I have reset mine not to start with Windows.
Thanks,
Jerry

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

We are working on some tools and procedures to help repair the damage.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

JerryM its probably cause you didnt manage to get the database that was only out for 15 mins with the error in it. Current databases are not affected by this.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

I'm glad i've only been using MBAM on-demand lately! I have very important data on my Laptop atm that I can't afford to loss. I'm making redundant backups now.

 

Re: Holly freaking shiat AntiMalwarebytes just nuked 20 of our systems with False Positiv

I actually uninstalled MBAM in safemode with Revo. It erased all the quarantine files. I've tried performing a few system restores without success. Running a chkdsk now and then maybe a system repair.