0 Replies Latest reply on Sep 30, 2010 2:13 AM by BeemerBiker

    8.7i: deleted all .exe that MalwareBytes (mbam) was scanning

      I just did an update to mbam followed by a quick scan and VirusScan 8.7 (p2) deleted all .exe files in c:\windows\SysWOW64 that mbam scanned. It thought they were the dx trojan. I assume there is no problem with mbam since I used it last year to get rid of an "antivirus 2009" that McAfee could not delete and all I did was update to their latest database. I stopped the mbam scan so not all .exe's were deleted, just ones in alphabetical order from "1033b.exe" thru "APOMngrg.exe".

       

      Is this a case of "false positives"?

      The system seems to be working fine even though most of the files starting with "A" have been deleted from SysWOW64. Can I find them somewhere and restore them?

      I was unable to upload a picture of the problem from my computer thru the McAfee upload interface.  I was able to ftp the picture to my web site and upload it from there.  Is this a known problem with the McAfee pic upload interface?  Thanks for looking!

       

       

      I ran some tests.

       

      To start off, I followed the following instructions on adding mbam support to McAfee:
      Basic Procedures to correct disappearing programs

       


      I then brought up the McAfee quarantine manager and un-quarantined (restored to syswow64) accessibilitycplw.exe. I then ran a McAfee scan on c:\system\syswow64 and accessibilitycplw.exe was reported as a dx trojan and re-quarantined. None of the other 100+ exes in the syswow64 directory had a problem, just that one I pulled out of the quarantine. I then restored another, accessibilitycpls.exe, went to the command prompt and changed to c:\system\syswow64 and copied "write.exe" and "accessibilitycpls.exe" to a new subdirectory I created, "c:\scanx". The executable "write.exe" was copied, but not accessibilitycpls.exe. It was re-quarantined.

       

      I then brought up MalwareBytes and scanned c:\scanx and it scanned "write.exe" just fine and McAfee did not find anything wrong after the scan completed.
      I then brought McAfee back up and un-did all the changes that were recommended in that link above and then scanned c:\scanx. There was no problem.

       

      I cannot account for why the first "quick scan" after the update to mbam created all those trojans (if indeed it did). The fact that McAfee stopped reporting trojans the instant I stopped the mbam scan is suspicious. However, running mbam again just a few minutes ago on the directory c:\scanx did not cause any trojans to appear in the executable "write.exe".

       

      I am looking for another vista64 system so I can restore those files. I will try that sfc /scannow and then reboot with my fingers crossed.

       

      http://stateson.net/images/mbam_problem2.png

       

       

      Message was edited on 9/30/10 2:13:18 AM CDT to add results of some tests I ran after reading some suggestions at the MalwareBytes forum.