Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Malware Bytes Scan

3 views
Skip to first unread message

Dave Cohen

unread,
Dec 3, 2009, 3:54:29 PM12/3/09
to
Just updated MalwareByte and scanned system. Getting over 400
'Trojan.Downloader' messages on files that have been on the system
forever. Avira doesn't find anything.

Victek

unread,
Dec 3, 2009, 3:57:14 PM12/3/09
to
> Just updated MalwareByte and scanned system. Getting over 400
> 'Trojan.Downloader' messages on files that have been on the system
> forever. Avira doesn't find anything.
.
I would trust MBAM, but if you want a second opinion install Hitman Pro
(free thirty day license) or SuperAntiSpyware. I find that AV is
notoriously unable to detect the types of malware that MBAM, SAS etc. are
designed to find/remove.

Message has been deleted

Rube Bumpkin

unread,
Dec 3, 2009, 6:19:16 PM12/3/09
to
FredW wrote:
> Are you sure it is MBAM and not Avast?
> ;-)
>
> I would wait for the next update and then scan again.
>
> In the meantime for a second opinion
> - SuperAntiSpyware (Free Edition)
> http://www.superantispyware.com/download.html
>
This was a problem with Update 3286 which was only out there for a
little while. It was replaced with 3287, then 3288.

There were several threads on the MBAM forums.

RB

Message has been deleted

FromTheRafters

unread,
Dec 3, 2009, 8:10:45 PM12/3/09
to
"Dave Cohen" <us...@example.net> wrote in message
news:hf98i7$62r$1...@news.eternal-september.org...

> Just updated MalwareByte and scanned system. Getting over 400
> 'Trojan.Downloader' messages on files that have been on the system
> forever. Avira doesn't find anything.

Submit one of the suspect files to Virustotal or Jotti to help ascertain
if it is a false positive.


Buffalo

unread,
Dec 3, 2009, 8:23:56 PM12/3/09
to

FredW wrote:
>
> Looks like the same kind of problem Avast had today.

Huh? Why did MBAM and Avast have problems around the same time?
What is the connection??
Do they share or steal each others definitions?
Buffalo


David H. Lipman

unread,
Dec 3, 2009, 8:30:09 PM12/3/09
to
From: "Buffalo" <Er...@nada.com.invalid>

| FredW wrote:

Pure coincidence of a rash of False Positives!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Buffalo

unread,
Dec 3, 2009, 10:08:48 PM12/3/09
to

David H. Lipman wrote:
> From: "Buffalo" <Er...@nada.com.invalid>
>
>
>
>> FredW wrote:
>
>>> Looks like the same kind of problem Avast had today.
>
>> Huh? Why did MBAM and Avast have problems around the same time?
>> What is the connection??
>> Do they share or steal each others definitions?
>> Buffalo
>
>
>
> Pure coincidence of a rash of False Positives!

I really don't believe that explaination!
Buffalo


Rube Bumpkin

unread,
Dec 3, 2009, 10:18:49 PM12/3/09
to

I did that. When it came back 'negative', I checked the MBAM forums.

RB

David H. Lipman

unread,
Dec 3, 2009, 10:46:20 PM12/3/09
to
From: "Buffalo" <Er...@nada.com.invalid>


>> Pure coincidence of a rash of False Positives!

| I really don't believe that explaination!
| Buffalo


Sorry, that's the way it is.

Message has been deleted

FromTheRafters

unread,
Dec 4, 2009, 7:22:48 AM12/4/09
to
"Buffalo" <Er...@nada.com.invalid> wrote in message
news:hf9uev$ae6$1...@news.eternal-september.org...

If it were more than a coincidence, it would be the *same* malware being
purportedly found by each program, since you are talking about the def
files being possibly shared or stolen. For example if both entities
stole their defs from PCButts - all three would FP on the same files for
the same malware (possibly giving different malware names as a result).


FromTheRafters

unread,
Dec 4, 2009, 7:28:28 AM12/4/09
to
"Rube Bumpkin" <Som...@somewhere.world> wrote in message
news:uc%Rm.34635$Sw5....@newsfe16.iad...

Even the best programs can and will FP - it is nice to have a
programmatical consensus available online. When online is not possible,
it is nice to have an alternative program available locally for a second
opinion.


Dave Cohen

unread,
Dec 4, 2009, 12:11:03 PM12/4/09
to

All is well. My 12/3 update installed 3287 and the scan indicated
problems I stated.
Today (12/4) I updated and installed 3289, full scan showed zero problems.
One curious note: I don't recall having to re-start the computer after
yesterday's update. Today I received and responded to that message.
Thanks for all your replies.

Buffalo

unread,
Dec 4, 2009, 3:13:32 PM12/4/09
to

David H. Lipman wrote:
> From: "Buffalo" <Er...@nada.com.invalid>
>
>
>>> Pure coincidence of a rash of False Positives!
>

>> I really don't believe that explanation!


>> Buffalo
>
>
> Sorry, that's the way it is.

I guess so. That kind of coincidence just throws up a red flag to me.
Thanks for the response.
Buffalo


Leonard Agoado

unread,
Dec 4, 2009, 4:37:11 PM12/4/09
to

"FromTheRafters" <err...@nomail.afraid.org> wrote


> For example if both entities stole their defs from

> PCButts - all three would FP on the same files for the same malware...


FTR,

Do you imagine, in the scenario described above, either entity
functioning well enough to make it to that point?

Regards,

Len Agoado
ago...@msn.com


David H. Lipman

unread,
Dec 4, 2009, 5:26:17 PM12/4/09
to
From: "Buffalo" <Er...@nada.com.invalid>


I understand.

FromTheRafters

unread,
Dec 4, 2009, 6:05:07 PM12/4/09
to
"Leonard Agoado" <ago...@msn.com> wrote in message
news:pt-dnbbWtKiRHITW...@giganews.com...

>
> "FromTheRafters" <err...@nomail.afraid.org> wrote
>
>
>> For example if both entities stole their defs from
>> PCButts - all three would FP on the same files for the same
>> malware...
>
>
> FTR,
>
> Do you imagine, in the scenario described above, either entity
> functioning well enough to make it to that point?

Of course, virus (or malware) description language is not a programming
language.

:oD

Butt's programs work reasonably well even though the data files
describing the malware are stolen from the actual people doing the
research to create them (the "engines" consuming that data are probably
stolen as well, by this has not been demonstrated as well as the other
aspect has).

If you recall the "other" thieves (from China?) - they actually gave the
same malware name (marker) in the alert, probably because the engine
(maybe even the GUI) is stolen as well.


FromTheRafters

unread,
Dec 4, 2009, 6:09:05 PM12/4/09
to
"Dave Cohen" <us...@example.net> wrote in message
news:hfbfr9$mch$1...@news.eternal-september.org...

Often, that is indicative of a program update as opposed to just a
definitions update. I'm not sure if Malwarebyte's Anti-Malware shares
this nature so familiar with the AV programs.


David H. Lipman

unread,
Dec 4, 2009, 6:34:20 PM12/4/09
to
From: "FromTheRafters" <err...@nomail.afraid.org>

>> "FromTheRafters" <err...@nomail.afraid.org> wrote


>> FTR,

::oD


Yes, IObit's theft of the Malwarebytes database is an excellent example.

Those who decrypted the IObit database and the Malwarebytes database have *NO DOUBT* of
this theft.

Rube Bumpkin

unread,
Dec 4, 2009, 7:16:30 PM12/4/09
to

Oh, yeah, I also did that. I ran SAS, Spybot S&D, Ad-Aware, and Norton
AV (the corporate version), before I sent a file to VT, and checked the
forums.

RB

FromTheRafters

unread,
Dec 4, 2009, 8:38:58 PM12/4/09
to
"Rube Bumpkin" <Som...@somewhere.world> wrote in message
news:ADhSm.59570$%j4.3...@newsfe18.iad...

It sounds like you have things pretty well covered with respect to
sorting out FP's. :o)

A lot depends (for me) on where a file is found as well. For instance
some months ago a had detection of malware in my IBM utilities folder -
I suspected FP's and did nothing - subsequent scans did not repeat the
issue. Some months later I got a detection in my Java jar's zip files -
I quarantined (or deleted) them, because I didn't care about saving
FPed malware in Java jars.


Dustin Cook

unread,
Dec 13, 2009, 2:15:21 PM12/13/09
to
"Buffalo" <Er...@nada.com.invalid> wrote in news:hf9ob3$ap6$1...@news.eternal-
september.org:

> FredW wrote:
>>
>> Looks like the same kind of problem Avast had today.
>
> Huh? Why did MBAM and Avast have problems around the same time?

We had temporary problems with our database... Shrug. Sorry. We fixed it
quick, but evidently not quick enough; some systems did get the bad
definitions.

> What is the connection??

None.

> Do they share or steal each others definitions?

We don't share definitions with anyone. It wouldn't do much good;
Definitions are typically custom and very specific to the antimalware
engine. For example, the definitions system in use by BugHunter (my app) is
entirely 100% incompatable with the definitions system used by malwarebytes
antimalware. While some definitions can and do consist of hashes or
checksums of some sort, others do not.

--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Dustin Cook

unread,
Dec 13, 2009, 2:15:56 PM12/13/09
to
FredW <fr...@blackholespam.net> wrote in
news:djthh5p5538iahpe7...@4ax.com:

> On Thu, 3 Dec 2009 20:08:48 -0700, "Buffalo" <Er...@nada.com.invalid>
> wrote:
>>David H. Lipman wrote:
>>> From: "Buffalo" <Er...@nada.com.invalid>
>>>> FredW wrote:
>>>
>>>>> Looks like the same kind of problem Avast had today.
>>>
>>>> Huh? Why did MBAM and Avast have problems around the same time?
>>>> What is the connection??
>>>> Do they share or steal each others definitions?
>
>>>

>>> Pure coincidence of a rash of False Positives!
>>
>>I really don't believe that explaination!
>

> Sometimes the reality is amazing.
> :-))
>

Even better than science fiction.

Dustin Cook

unread,
Dec 13, 2009, 2:17:18 PM12/13/09
to
"Leonard Agoado" <ago...@msn.com> wrote in news:pt-
dnbbWtKiRHITWn...@giganews.com:

> "FromTheRafters" <err...@nomail.afraid.org> wrote
>
>
>> For example if both entities stole their defs from
>> PCButts - all three would FP on the same files for the same malware...
>
>
> FTR,
>
> Do you imagine, in the scenario described above, either entity
> functioning well enough to make it to that point?

You would have to have the entire staff from both companies really,
insanely out of their heads for this to happen; and actually go live. :)

Dustin Cook

unread,
Dec 13, 2009, 2:18:53 PM12/13/09
to
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:hfc69...@news3.newsguy.com:

Hard to have doubt when it's line for line, character for character.
Hell, iobit modified their software to support our definitions! <G>

Dustin Cook

unread,
Dec 13, 2009, 2:20:20 PM12/13/09
to
"FromTheRafters" <err...@nomail.afraid.org> wrote in news:hfc4ql$ssg$1
@news.eternal-september.org:

No. Our engine update consists of a new version installation. We do not
presently do things the way some, but not all antivirus companies do.

FromTheRafters

unread,
Dec 13, 2009, 5:24:39 PM12/13/09
to
"Dustin Cook" <bughunte...@gmail.com> wrote in message
news:Xns9CE0923D161...@69.16.185.247...

> "FromTheRafters" <err...@nomail.afraid.org> wrote in
> news:hfc4ql$ssg$1
> @news.eternal-september.org:
>
>> "Dave Cohen" <us...@example.net> wrote in message
>> news:hfbfr9$mch$1...@news.eternal-september.org...
>>> Dave Cohen wrote:
>>>> Just updated MalwareByte and scanned system. Getting over 400
>>>> 'Trojan.Downloader' messages on files that have been on the system
>>>> forever. Avira doesn't find anything.
>>>
>>> All is well. My 12/3 update installed 3287 and the scan indicated
>>> problems I stated.
>>> Today (12/4) I updated and installed 3289, full scan showed zero
>>> problems.
>>> One curious note: I don't recall having to re-start the computer
>>> after
>>> yesterday's update. Today I received and responded to that message.
>>> Thanks for all your replies.
>>
>> Often, that is indicative of a program update as opposed to just a
>> definitions update. I'm not sure if Malwarebyte's Anti-Malware shares
>> this nature so familiar with the AV programs.
>
> No. Our engine update consists of a new version installation. We do
> not
> presently do things the way some, but not all antivirus companies do.

Thanks for the info Dustin.


0 new messages