April 15th, 2013 17:00

MBAM PRO - MAJOR F/P - Trojan.Downloader.ED

MBAM Pro has just "gone crazy", labeling just about everything (including system files) as Trojan.Downloader.ED

Several people are now reporting this at the MBAM forum.

BE CAREFUL.

3 Apprentice • 15.2K Posts

April 15th, 2013 17:00

The bad database was v2013.04.15.12

I believe the F/P has been fixed with v2013.04.15.13

9 Legend • 30.3K Posts

April 15th, 2013 17:00

I have TeamViewer 8.0,17396 installed and no problems.

Just scanned with no problems with the information below. The two versions I have worked with had no reported malware.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.15.13

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
Rick :: XPS_L501X-PC [administrator]

4/15/2013 7:19:10 PM
mbam-log-2013-04-15 (19-19-10).txt

Scanned this morning early with no problems.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.15.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
Rick :: XPS_L501X-PC [administrator]

4/15/2013 1:06:08 AM
mbam-log-2013-04-15 (01-06-08).txt

Rick

April 15th, 2013 17:00

It's Malwarebytes. I believe you will see many flames start up tonight as people come home to discover Malwarebytes has eaten their computers.......

9 Legend • 30.3K Posts

April 15th, 2013 17:00

ky331,

It was version that was quarantining the files. I have the unpaid version, so I did not see this.

v2013.04.15.11 to version v2013.04.15.12

Rick

3 Apprentice • 15.2K Posts

April 15th, 2013 17:00

The problem is (was?) definitely with MBAM. Several people are reporting the F/P there,

http://forums.malwarebytes.org/index.php?showforum=42

Several people now have UNbootable systems :-(

I don't have the database number, as I had to "kill" mbam on my system to get access to anything else

2 Posts

April 15th, 2013 17:00

Hello, I noticed the same thing.  Today Malwarebytes marked 6881 items as Trojan.Downloader.ED on my system as well as on a buddy's system.  The only thing different on the systems that I know of is that earlier today we both installed TeamViewer 8.  Other than that no changes have been made to my system.  My buddy also installed TeamViewer 8 and has the same problem.  I don't know if it's Malwarebytes causing the trouble or if it's because of the TeamViewer 8 install. 

Any chance you also recently installed TeamViewer 8?  Anyone else have any input on the subject?

April 15th, 2013 17:00

Just as an FYI, I reinstalled MBAM on my system and "unquarantined" everything and it is back to where it was. Wait, it is back to its original state minus MBAM........

1 Rookie • 5.8K Posts

April 15th, 2013 17:00

No problems with scans by MBAM Free on XP system (which includes TeamViewer 8) or with MBAM Pro on a Win 7 Pro system. Both scans in the last 15 minutes, so maybe the problem was corrected with the latest definition update at 6:46 EST tonight.

2 Posts

April 15th, 2013 17:00

My apologies, it has nothing at all to do with TeamViewer.  It appears that Malwarebytes has already issued a new update that seems to correct the problem.  

My only words of advice to anyone finding that their Malwarebytes is flagging a very large number of files as Trojan.Downloader.ED...  DO NOT CHOOSE TO REMOVE THEM.  CANCEL THE SCAN AND UPDATE Malwarebytes again before running another scan.  The new update should eliminate the problem.  Good Luck.

20.5K Posts

April 15th, 2013 18:00

Database v2013.04.15.13 and later has this fixed.
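The scan-log headers Rick pasted above carry the database version, and the thread pins the bad update to v2013.04.15.12 with the fix in v2013.04.15.13 and later. As an added example (my own code, not from the thread or from Malwarebytes), here is a small Python check that reads that header line from an MBAM 1.75-style log and reports whether the scan ran on the affected database; the log text is constructed, with the machine name replaced by a placeholder.

```python
import re

# Database versions as stated in the thread: v2013.04.15.12 was the bad
# update; v2013.04.15.13 and later carry the fix.
AFFECTED_DB = "v2013.04.15.12"
FIXED_FROM_DB = "v2013.04.15.13"

# Constructed sample, shaped like the MBAM 1.75 log header quoted above
# (machine name is a placeholder).
SAMPLE_LOG = """Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.15.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
user :: EXAMPLE-PC [administrator]
"""

# Matches the "Database version:" header line, capturing the vYYYY.MM.DD.NN tag.
_DB_RE = re.compile(r"^Database version:\s*(v\d{4}\.\d{2}\.\d{2}\.\d+)\s*$", re.M)


def version_key(version):
    """Turn 'v2013.04.15.12' into a comparable tuple (2013, 4, 15, 12)."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def database_version(log_text):
    """Return the database version string from a scan-log header, or None."""
    match = _DB_RE.search(log_text)
    return match.group(1) if match else None


def classify(log_text):
    """Classify the log's database as 'affected', 'fixed', 'older' or 'unknown'."""
    version = database_version(log_text)
    if version is None:
        return "unknown"
    key = version_key(version)
    if key == version_key(AFFECTED_DB):
        return "affected"
    if key >= version_key(FIXED_FROM_DB):
        return "fixed"
    return "older"  # predates the bad update, e.g. the v2013.04.15.02 log above
```

An "affected" verdict means the detections in that log should be treated as suspect: update the database and rescan before quarantining or removing anything, which is exactly the advice given later in this thread.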

3 Apprentice • 15.2K Posts

April 15th, 2013 18:00

Rick,

Yes, I have the paid (pro) version, with real-time protection enabled. It automatically updated the database, and then started going crazy, objecting to just about every file in sight! I "maintained my cool", but it was NOT a pleasant experience.

3 Apprentice • 15.2K Posts

April 15th, 2013 18:00

For anyone impacted by this problem, see MBAM's response at

http://forums.malwarebytes.org/index.php?showtopic=125127&st=20&p=669316&#entry669316 

Be sure to read that post, and the one immediately following about Win7.

3 Apprentice • 15.2K Posts

April 16th, 2013 04:00

Now that things have calmed down, I'd like to take some time to discuss the MBAM False-Positive (F/P) experience:

As a preface, let's note that, effective with version 1.70 (released on or about 27 December 2012), MBAM introduced a new feature in the PRO (paid) version, that "Threats detected by the protection module are now quarantined automatically by default".  This was documented and discussed here:   http://en.community.dell.com/support-forums/virus-spyware/f/3522/p/19483097/20261376.aspx#20261376


In that thread, I noted my concern about this option, and wanting to be in total control of the decision-making process, I UNchecked it:

I did so, out of fear of potential F/P's... but knowing that the burden of decisions would then fall entirely upon me [a task which I was willing to accept].

The MBAM F/P yesterday was major: it was objecting to hundreds --- more likely thousands --- of critical Windows system files... as well as to several of MBAM's own modules! Presumably, PRO users who had left the above option checked would have had all such files automatically quarantined. Worst case scenario: upon attempting to reboot, with critical system files missing, Windows would no longer load.


What happened in my case, with the option UNchecked, was somewhat different:


Let me re-emphasize that I have the PRO (paid) version, with its REAL-TIME protection activated. So I'm NOT simply talking about an on-demand scan that generated a whopping list of F/Ps. Rather, shortly after MBAM automatically updated itself to database v2013.04.15.12, its real-time protection module popped up to warn me it detected a Trojan.Downloader.ED infection in one of my [Windows system] files.


As I have multiple layers of protection on my computers, and strive to keep them "squeaky clean", my first reaction was to suspect it was likely a F/P.   The choices it gave me were to ALLOW that file (either temporarily [i.e., just this once], or "permanently"), or to quarantine it.   I intended to allow it (once), so as to be able to investigate the matter further.   Unfortunately, as soon as I did so, MBAM immediately popped up with a 2nd file warning... then a 3rd... and so on.   [During all these detections, my anti-virus, Avast, was sitting by silently, not finding any problems.]


I wanted to temporarily turn off MBAM, but was unable to simply do so: perhaps by virtue of strong self-protection, I was unable to do anything other than reply to the allow/quarantine prompts. Specifically, I could not interrupt the bombardment to open WinPatrol, nor the Task Manager, to "kill" MBAM. Absolutely nothing was working... meaning I had no choice but to hold down the power button, forcing a "hard" shut down.


I was able to boot-up the system... but since MBAM was set to automatically start with Windows, the same problem was happening all over again.   So I was forced into another "hard" shut down.


This time, I started Windows in Safe Mode, and opened the Services monitor (services.msc) to DISABLE the MBAM service.   Upon doing so, I rebooted (normally this time), and Windows restarted, but without MBAM automatically running.   I now was able to use my computer, and confirmed that other people were reporting the same issue at the MBAM forum.   I posted here as quickly as possible, to alert people about what was happening.


MBAM says the faulty update was only online for about 10 minutes.  


I think there's a saying:   "Humans can make mistakes, but it takes a computer to really screw-things-up royally".  


F/P's can happen to ANY security program... none can claim immunity.    Indeed, I commend Marcin (the creator/owner of MBAM) for being forthcoming on Facebook, where he wrote:  "Hey guys, this is Marcin. Sorry for the inconvenience everyone, we really are. We're going to be working night and day to improve our false positive prevention. It's embarrassing to me and our company to ever have to address an issue like this".


The bottom line:  I will continue to use MBAM --- including its real-time protection --- just as I continue to use Avast [despite it having had such a major F/P a few years ago].   I'm just happy I was able to maintain my composure throughout this ordeal.

1 Rookie • 5.8K Posts

April 16th, 2013 05:00

ky:

You beat me to the punch. I was about to make many of the same points.

I configure all of my security programs (both real-time and on-demand) to neither delete nor quarantine anything detected. We have seen too many AVs bring down systems in recent years (you mention avast, but I seem to recall AVG, ESET, and others doing the same) to appreciate the perils of FPs.

Late last night, I got around to checking my Win 7 system using MBAM Pro that I leave on 24/7. I was immediately met with a barrage of over 100 alerts about "infected" system files. Thanks to your warning, I chose to "allow" all these files, and my system was not affected, of course.

On my systems that use MSE, my default choices for detections are to "Remove", "Quarantine" or "Recommended action" (which hopefully lets me choose!) One would hope that MSE would never see a critical Windows system file as a threat, but then again who would have thought that MBAM would see its own files as such?

While it might seem counter-intuitive to some to uncheck that "Quarantine" box, I whole-heartedly agree it is the lesser of 2 evils.

Thanks again for the heads-up!
