Malwarebytes 1.46 FP?

hey widlers,

i just did a full scan on my secondary computer (windows xp 32 bit) with MBAM 1.46 and it says 1 file is infected with trojan agent. its in the macromed folder in system 32. something related to Adobe i think.

heres the exact file location.

Files Infected:
C:\WINDOWS\system32\Macromed\Download\Download.dll (Trojan.Agent)

a false psotive or is it really a trojan?

 

do u have shuriken.heuristics checked? IME, I've never had a single FP... but there are some reports @ MBAM's forum regarding FP's due to this strong heuristics engine...

 

yes the shuriken is enabled.

the download.dll file was signed by Adobe, i deleted it but i think it was a false positive. im not sure though. adobe flashe is updated.

also, i scanned the file with hitman pro and avira and nothing came up with those.

 

yeah... most likely it's a FP, wouldn't be a bad idea to report it, though... just to let'em know...

 

i did a full scan again but now it says theres a trojan agent in system volume information?

Files Infected:
C:\System Volume Information\_restore{C22E1048-725E-4AD2-83D8-8E4B7702AB3D}\RP90\A0014696.dll (Trojan.Agent) -> Quarantined and deleted successfully.

 

It really would be best to report this by posting in MBAM's False Positives forum.

If it is indeed a False Positive, it will invariably be addressed ASAP, and as a bonus you'll also be helping fellow users in the process.

 

right,

but is download.dll from adobe a legit file?

and first it says download.dll was a trojan agent, and then i rescanned again and it says there was a trojan agent in system volume information.

i turned off system restore for now.

could that trojan have spread to the system restore folder? but still be a FP?

 

There is no "Download.dll" on my system. Have you also installed Adobe download manager or you update flash manually? If first case then might be FP, if not then your flash might have downloaded a suspicious file in its folder. Check the file via virustotal.com and submit it at MBAM forum.

 

well i arleady deleted the file and it doesnt seem to affect how flash works.

yes this computer use to have ADM, and the the date that download.dll was created was back in 2007. the download.dll was from Adobe though.

do you also have download.exe and install.exe in the macromed folder?

do you even have the macromed folder?

 

Macromed folder contains another folder named "Flash" which contains flash executable and other files. There is no executable in Macromed folder including download/install.exe. All flash executables are in "Macromed\Flash".

 

Anything is possible, but without access to a copy of the file it's hard to give any meaningful comment either way.

Again, post at the MBAM FP board, upload a copy of the file in question for staff to analyze, and that will swiftly put an end to endless speculation...

 

You can check it versus virustotal.
if the digital signature from adobe is valid it could be the new downloader for flash.
to avoid that you can chose other system here
http://get.adobe.com/flashplayer
and get the plugin-installer.

otherwise these links - always valid for latest flash offline setup
Adobe-Installer IE
► http://fpdownload.macromedia.com/ge...sing/win/install_flash_player_10_active_x.exe

Adobe-Installer Plugin (Moz/Op)
► http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player.exe

Adobe-Uninstaller
► http://fpdownload.macromedia.com/get/flashplayer/current/uninstall_flash_player.exe

 

can somrone please contact adobe and google to stop injecting system with useless services and files ? every time i install photoshop for example my system become loaded with many services that eats ram and cpu. i get rid of them manually.

 

well i already deleted the file when malwarebytes first found it. but before i deleted it i scanned it with avira and hitman pro and those came up clean.

and yes i also have the macromed flash folder as well but there is also the download folder. could this have came from adobe download manager?

 

If possible please restore this from quarantine and post it in our forums so we can confirm/fix this.

It is odd to see a FP from software this common without other reports so I am wondering just what this was.

 

hey man, sorry but malwarebytes deleted it already.

but the file was called download.dll and it was signed by adobe systems inc.

said it was a trojan agent. and also mbam found the same trojan agent in system volume information folder....

sorry that i deleted th file.

 

the reason i think this was a false positive is because when mbam flagged it as a trojan, i scanned it with hitman pro and avira before i deleted it and those came up clean.

but the weird thing is mbam said there was also a trojan in the system restore folder when i scanned my computer again with mbam.

and the file was signed by adobe and could it be connected to their adobe download manager?


check out this thread from 2008 from some guy at the sysinternals forum
http://forum.sysinternals.com/topic13589.html

 

Did you empty your malwarebytes quarantine yet? If not restore it so we can take a look at it.

On our forum we are still not getting any reports.

 

well its already deleted thats why i havent signed up and posted at the mbam forums.

i think it was a false positive cause i also scanned it with hitman pro and avira.

 

Did you empty your malwarebytes quarantine yet?

This is not the same as deleted from your system.

 

oh wow i didnt know that. yes download.dll is still in mbam and so is the system restore dll that mabam flagged also.

after i sign up on your guys forums, how do i submit the 2 dll files to you guys?

 

One should be enough, just restore C:\WINDOWS\system32\Macromed\Download\Download.dll and then zip and attach it to our FP forum.

 

ok im about to sign up on your guys' forum, but im just wondering when i click restore, where does the download.dll file go?

and what do you mean by zip?

 

Back to its original location.

Once restored go here:

C:\WINDOWS\system32\Macromed\Download

right click the file and select copy, paste it to your desktop. From there zip and attach it to a post in our FP forum.

 

i tried uploading it but it said i cant upload the file type.

how do i make it into a zip file?