MBAM false positives?

You can remove the log attachments now Tech, there are no tasks on your system. Not even hidden ones, as OTL would show them as locked even if they could not be identified:
%systemroot%\Tasks\*.job /lockedfiles

It may well be an MBAM false positive. I am not sure how they are reported, as they usually need the file to play with.

To remove OTL run the programme and hit the cleanup button and it will disappear ;D

Wow! My computer is clean then!
Thanks for the help. Although a mystery…

Hello Tech,

I know I'm not qualified to post here, but I would also like to share some of my experience about this.
This dynamic link library (DLL) virus is difficult to see.
It is some kind of murfer process; it is run only by service host.

This one doesn't have a registry; that's why resident protection cannot detect it.

If you are willing to try my idea, it is only a simple one, but maybe it will help.

Regards!!!

Ok, bong2x, but if it is so, how to remove it?

We will try.
First, unhide your system folder.

Then, using the search option, search for the file sshnas21.dll,

and open the command prompt; at the end of the string, type tasklist /svc

This reveals all the service hosts.

Let's check for irrelevant services running there.
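The check described in the post above (list what each svchost.exe instance hosts, then look for services that do not belong), as an added example that is not part of the original thread. It parses `tasklist /svc /fo csv` output and compares the hosted service names with a baseline; the sample output, the baseline set and the name `ExampleUnknownSvc` are constructed for illustration.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not taken from the thread).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","884","DcomLaunch,TermService"
"svchost.exe","1044","AudioSrv,CryptSvc,ExampleUnknownSvc,Schedule"
"explorer.exe","1620","N/A"
"SVCHOST.EXE","1192","Dnscache"
'''

# Assumed baseline: service names recorded on a known-clean reference machine.
BASELINE = {"DcomLaunch", "TermService", "AudioSrv", "CryptSvc",
            "Schedule", "Dnscache"}


def parse_svchost_services(csv_text):
    """Return {pid: [service, ...]} for every svchost.exe row."""
    hosted = {}
    rows = csv.reader(io.StringIO(csv_text))
    next(rows, None)  # skip the header row (its text is localized on some systems)
    for row in rows:
        if len(row) < 3 or row[0].lower() != "svchost.exe":
            continue
        names = [s.strip() for s in row[2].split(",")]
        hosted[int(row[1])] = [s for s in names if s and s != "N/A"]
    return hosted


def unexpected_services(hosted, baseline):
    """Return sorted (pid, service) pairs whose name is not in the baseline."""
    known = {name.lower() for name in baseline}
    return sorted(
        (pid, svc)
        for pid, services in hosted.items()
        for svc in services
        if svc.lower() not in known
    )


if __name__ == "__main__":
    hosted = parse_svchost_services(SAMPLE)
    for pid, svc in unexpected_services(hosted, BASELINE):
        print(f"svchost.exe PID {pid} hosts a service not in the baseline: {svc}")
```

A name flagged this way is only a lead: the service's registry entry and the DLL it loads still have to be examined before calling it malicious.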

Look… the file isn’t there… There is no reason to search…

No netsvc indications on OTL either

Essexboy, why is MBAM detecting it?
Is there any other scanning I could do to check if my computer is clean?
No abnormal activity in the computer as far as I can see…

Tech, if the file is hidden, it cannot be seen physically, even in the search option.

You must unhide it first (Folder Options, show hidden files and folders).

Sorry, I am not good at expressing myself.

OK, how about the service host: is there anything you found running that is not related to any of your applications?

Regards!!

For pure peace of mind we can run Combofix - I see nothing on your system that would cause problems, so I am happy for you to run it

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

No offense, but this is obvious. I’ve done it.

If the file is physically not there, then it ends up as chasing a ghost.

Tech, how many times did you format your hard drive?

It cannot be a bad sector of the hard drive nor a virtual generator.

I can manually guide you to remove the virus, but if it is not there, it's a big problem. How can we remove nothing?

OK, Tech, I think there is nothing to remove there.

Edit: no wonder it cannot be found :smiley: this thing merged with this - C:\WINDOWS\system32\svchost.exe

If you try to remove it, you are trying to shut down everything.

I think this thing is a subject for investigation, something like an x86 update ??? :slight_smile: :smiley:

Best Regards!!!

I did it 15 days ago :-[

No, all my disk is completely clean, no physical damage, bad sectors, etc.
I run chkdsk when necessary.

Essexboy, how could I fully uninstall Combofix? Seems that a lot of files and folders are installed…

No indications of any malware there at all Tech. CF removal follows ;D

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Hmmm…
C:\ComboFix was created again after I manually deleted it…
I received a message that ComboFix was fully uninstalled, though.

Just delete that folder - any other entries in your system should be gone

Thanks. Done.
Now the only mystery is MBAM…

The thing is, how do we give MBAM a copy of a file that does not exist?

I’ve sent an email to them. Hope they could take a look into this thread.