Another False Positive from MBAM?

Discussion in 'Spyware' started by Buffalo, Feb 4, 2009.

  1. Buffalo

    Buffalo Guest

    Winnit\System32\internat.exe in Windows 2000Pro.

    When that file is checked alone by MBAM, nothing is detected.

    When doing a Full Scan, it is detected.
    Probably by the hueristics portions, I imagine.

    MBAM 1724 ver 1.33
    I checked that file with VirusTotal, SAS, Norton, and Avira with no hits.

    Tomorrow, I will submit it to MBAM by following their protocol. I am too
    tired tonight.
    Buffalo

    PS: It is a MS file dated 1999 and it is a Keyboard Language Indicator
    Applet, version 5.0.2920.0.
     
    Buffalo, Feb 4, 2009
    #1
    1. Advertisements

  2. Buffalo

    Ron Guest

    Same here...XP Pro
     
    Ron, Feb 4, 2009
    #2
    1. Advertisements

  3. Buffalo

    1PW Guest

    Hello Buffalo:

    FWIW:

    Windows XP Pro 32bit SP3 Up-to-date.

    Paid MBAM 1.33 / *1725* Full Scan: No Trouble Found

    Paid SAS 4.25.1012 / Full Scan: No Trouble Found

    AntiVir Personal: No Trouble Found


    I know this doesn't help you much and I was unable to catch the MBAM
    database with version 1724. Sorry.

    Pete
     
    1PW, Feb 4, 2009
    #3
  4. Buffalo

    Buffalo Guest

    It even finds it during a quick scan, but it happens at the end when it is
    doing the extra and hueristics scan even with the 1725 update. I'll send it
    in this morning.
     
    Buffalo, Feb 4, 2009
    #4
  5. Buffalo

    1PW Guest

    I thought I would recheck & post an update again.

    Although I found no threats in the scan report, I /did/ see a slight
    change in behavior:

    I brought up the scanning window where database version 1725 was still
    present from the last/full scan. I first selected the "Updates" tab and
    then clicked "Check for updates". In the past, if no newer database is
    present, I usually see a rapidly appearing dialog box stating that no
    newer updates are available.

    However, this time a 1577KB database file /did/ download and seemed to
    install, followed by a dialog box stating: "The database was
    successfully updated from version 1725 to version 1725." Yes, 1725 >
    1725. I don't remember seeing /this/ before. I was able to repeat this
    at will.

    Subsequently, no threats were reported at the end of my 6 minute quick scan.

    Maybe we'll see a posting from Dustin Cook or Marcin later.

    FWIW

    Pete
     
    1PW, Feb 4, 2009
    #5
  6. Buffalo

    Buffalo Guest

    I just updated and it also dl'd a 1577kb file and said it updated from
    version 1725 to version 1725. Very unusual.
    It, however, still finds that file as a Trojan Agent on my Win2000Pro sp4
    system.
    I also get the same 1577kb dl each time I try the update. I really wonder
    what is going on, also.
     
    Buffalo, Feb 4, 2009
    #6
  7. Buffalo

    Buffalo Guest

    It was corrected today with the database version 1731.
    Pretty quick work, overall.
    Buffalo
     
    Buffalo, Feb 5, 2009
    #7
  8. Buffalo

    1PW Guest

    Thanks for the heads up. The behaviors I saw also have returned to what
    I remember. Good news.

    Pete
     
    1PW, Feb 5, 2009
    #8
  9. Buffalo

    Dustin Cook Guest

    You do realize we have a forum where you can post suspected false positives
    and we'll get them taken care of. Posting here at best, will cause delays
    in getting this resolved for you.
     
    Dustin Cook, Feb 11, 2009
    #9
  10. Buffalo

    Buffalo Guest

    I did both. I just posted here to advise others who had the same detections
    so they would not delete those files.
     
    Buffalo, Feb 11, 2009
    #10
  11. Buffalo

    Ron Guest

    Exactly! I might check in her once a week, at best, and I;m glad I saw
    the info...that is the exact kind of false-positive, that makes Spy
    Sweeper worth $20.00 a yr.
     
    Ron, Feb 12, 2009
    #11
  12. Buffalo

    Ron Guest

    Or if you happen to be using XP, the free version of Spyware Doctor
    from Google Pack.
     
    Ron, Feb 12, 2009
    #12
  13. Buffalo

    Buffalo Guest

    I will stick with paid SAS and free MBAM. :)
     
    Buffalo, Feb 12, 2009
    #13
  14. Buffalo

    Dustin Cook Guest

    You could just read the popular forums for assistance with Malware
    Removal. MBAM is constantly recommended to get you out of a jam, not
    spyware doctor. And certainly not something from google pack. :)
     
    Dustin Cook, Feb 16, 2009
    #14
  15. Buffalo

    Dustin Cook Guest

    Thanks. While we're obviously not pleased with ourselves for this, we do
    apologize for anyone affected by this FP.
     
    Dustin Cook, Feb 16, 2009
    #15
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.