Malwarebytes 1.46 FP?

Discussion in 'other anti-malware software' started by wutsup, Sep 21, 2010.

Thread Status:
Not open for further replies.
  1. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Hey Wilders,

    I just did a full scan on my secondary computer (Windows XP 32-bit) with MBAM 1.46 and it says 1 file is infected with Trojan.Agent. It's in the Macromed folder in system32, something related to Adobe I think.

    Here's the exact file location.

    Files Infected:
    C:\WINDOWS\system32\Macromed\Download\Download.dll (Trojan.Agent)

    A false positive, or is it really a trojan?
     
  2. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,285
    Do you have Shuriken heuristics checked? IME, I've never had a single FP... but there are some reports @ MBAM's forum regarding FPs due to this strong heuristics engine...
     
  3. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Yes, Shuriken is enabled.

    The download.dll file was signed by Adobe. I deleted it, but I think it was a false positive. I'm not sure though. Adobe Flash is updated.

    Also, I scanned the file with Hitman Pro and Avira and nothing came up with those.
     
    Last edited: Sep 21, 2010
  4. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,285
    Yeah... most likely it's an FP. Wouldn't be a bad idea to report it, though... just to let 'em know... :thumb:
     
  5. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    I did a full scan again, but now it says there's a Trojan.Agent in System Volume Information?

    Files Infected:
    C:\System Volume Information\_restore{C22E1048-725E-4AD2-83D8-8E4B7702AB3D}\RP90\A0014696.dll (Trojan.Agent) -> Quarantined and deleted successfully.
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    It really would be best to report this by posting in MBAM's False Positives forum.

    If it is indeed a False Positive, it will invariably be addressed ASAP, and as a bonus you'll also be helping fellow users in the process.
     
  7. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Right,

    but is download.dll from Adobe a legit file?

    And first it says download.dll was a Trojan.Agent, and then I rescanned and it says there was a Trojan.Agent in System Volume Information.

    I turned off System Restore for now.

    Could that trojan have spread to the System Restore folder, but still be an FP?
     
  8. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    There is no "Download.dll" on my system. Have you also installed Adobe Download Manager, or do you update Flash manually? If the first case, then it might be an FP; if not, then your Flash might have downloaded a suspicious file into its folder. Check the file via virustotal.com and submit it at the MBAM forum.
     
  9. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Well, I already deleted the file and it doesn't seem to affect how Flash works.

    Yes, this computer used to have ADM, and the date that download.dll was created was back in 2007. The download.dll was from Adobe though.

    Do you also have download.exe and install.exe in the Macromed folder?

    Do you even have the Macromed folder?
     
  10. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    The Macromed folder contains another folder named "Flash", which contains the Flash executable and other files. There is no executable in the Macromed folder, including download/install.exe. All Flash executables are in "Macromed\Flash".
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Anything is possible, but without access to a copy of the file it's hard to give any meaningful comment either way.

    Again, post at the MBAM FP board, upload a copy of the file in question for staff to analyze, and that will swiftly put an end to endless speculation...
     
  12. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    You can check it against VirusTotal.
    If the digital signature from Adobe is valid, it could be the new downloader for Flash.
    To avoid that you can choose another system here
    http://get.adobe.com/flashplayer
    and get the plugin installer.

    Otherwise, these links are always valid for the latest Flash offline setup:
    Adobe-Installer IE
    http://fpdownload.macromedia.com/ge...sing/win/install_flash_player_10_active_x.exe

    Adobe-Installer Plugin (Moz/Op)
    http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player.exe

    Adobe-Uninstaller
    http://fpdownload.macromedia.com/get/flashplayer/current/uninstall_flash_player.exe
     
  13. bollity

    bollity Registered Member

    Joined:
    May 9, 2009
    Posts:
    179
    Can someone please contact Adobe and Google to stop injecting systems with useless services and files? Every time I install Photoshop, for example, my system becomes loaded with many services that eat RAM and CPU. I get rid of them manually.
     
  14. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Well, I already deleted the file when Malwarebytes first found it. But before I deleted it I scanned it with Avira and Hitman Pro, and those came up clean.

    And yes, I also have the Macromed\Flash folder, but there is also the Download folder. Could this have come from Adobe Download Manager?
     
  15. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    If possible please restore this from quarantine and post it in our forums so we can confirm/fix this.

    It is odd to see a FP from software this common without other reports so I am wondering just what this was.
     
  16. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Hey man, sorry, but Malwarebytes deleted it already.

    But the file was called download.dll and it was signed by Adobe Systems Inc.

    It said it was a Trojan.Agent, and MBAM also found the same Trojan.Agent in the System Volume Information folder....

    Sorry that I deleted the file.
     
  17. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    The reason I think this was a false positive is because when MBAM flagged it as a trojan, I scanned it with Hitman Pro and Avira before I deleted it, and those came up clean.

    But the weird thing is MBAM said there was also a trojan in the System Restore folder when I scanned my computer again with MBAM.

    And the file was signed by Adobe; could it be connected to their Adobe Download Manager?

    Check out this thread from 2008 from some guy at the Sysinternals forum:
    http://forum.sysinternals.com/topic13589.html
     
    Last edited: Sep 23, 2010
  18. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Did you empty your malwarebytes quarantine yet? If not restore it so we can take a look at it.

    On our forum we are still not getting any reports.
     
  19. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Well, it's already deleted, that's why I haven't signed up and posted at the MBAM forums.

    I think it was a false positive 'cause I also scanned it with Hitman Pro and Avira.
     
  20. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Did you empty your malwarebytes quarantine yet?

    This is not the same as deleted from your system.
     
  21. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    Oh wow, I didn't know that. Yes, download.dll is still in MBAM, and so is the System Restore DLL that MBAM flagged.

    After I sign up on your guys' forums, how do I submit the 2 DLL files to you guys?
     
  22. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA

    One should be enough, just restore C:\WINDOWS\system32\Macromed\Download\Download.dll and then zip and attach it to our FP forum.
     
  23. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    OK, I'm about to sign up on your guys' forum, but I'm just wondering: when I click Restore, where does the download.dll file go?

    And what do you mean by zip?
     
  24. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Back to its original location.

    Once restored go here:

    C:\WINDOWS\system32\Macromed\Download

    Right-click the file and select Copy, then paste it to your desktop. From there, zip it and attach it to a post in our FP forum.
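    As an added example (not from the thread, and not Malwarebytes' or Adobe's code), the following PowerShell script does the two checks Brummelchen suggests above (validate the Authenticode signature and get a hash to look up on VirusTotal) and then packages the restored file the way nosirrah describes (copy to the desktop, zip). It assumes Windows PowerShell 5.1 or later for Get-FileHash and Compress-Archive, that the file has already been restored from MBAM's quarantine to its original path, and that "Adobe Systems" is the signer substring to expect; only the file path comes from the thread.

```powershell
# Added example: triage a file MBAM flagged, then package it for an FP report.
# Assumes Windows PowerShell 5.1+ (Get-FileHash, Compress-Archive) and that the
# file was restored from quarantine first. Path is the one from the thread;
# the expected signer substring is an assumption.
param(
    [string]$Path = 'C:\WINDOWS\system32\Macromed\Download\Download.dll',
    [string]$ExpectedSigner = 'Adobe Systems',
    [string]$OutDir = "$env:USERPROFILE\Desktop"
)

function Get-SuspectFileReport {
    param([string]$Path, [string]$ExpectedSigner)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path (restore it from quarantine first)"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $subj = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # 'Valid' means the certificate chain verified AND the file's hash matches
    # the signed hash. NotSigned, HashMismatch or UnknownError means the file
    # should stay quarantined until the vendor has looked at it.
    [pscustomobject]@{
        Path          = $Path
        SHA256        = $hash.Hash            # search this hash on VirusTotal
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $subj
        SignerMatches = ($sig.Status -eq 'Valid') -and ($subj -like "*$ExpectedSigner*")
    }
}

function New-FpSubmission {
    param([string]$Path, [string]$OutDir)
    # Copy to the desktop and zip, as the thread describes; forums that reject
    # .dll uploads generally accept a .zip.
    $copy = Join-Path $OutDir (Split-Path $Path -Leaf)
    Copy-Item -LiteralPath $Path -Destination $copy -Force
    $zip = "$copy.zip"
    Compress-Archive -LiteralPath $copy -DestinationPath $zip -Force
    return $zip
}

$report = Get-SuspectFileReport -Path $Path -ExpectedSigner $ExpectedSigner
$report | Format-List
if (-not $report.SignerMatches) { Write-Warning 'Signature does not check out; keep treating the file as suspect.' }
New-FpSubmission -Path $Path -OutDir $OutDir
```

    A valid signature from the expected publisher is strong evidence for an FP, but it does not replace the vendor's analysis: a signed file that was later found malicious, or a hash mismatch from tampering, both show up in the Status field rather than being hidden.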
     
  25. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    I tried uploading it, but it said I can't upload the file type.

    How do I make it into a zip file?
     