Malwarebytes anti-malware home premuim found a virus

AmirAcle · 29 Dec 2015

Hey guys my Malwarebytes anti-malware home premuim found a virus on 12/28/2015 the virus is called Registry Keys: 2Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe, Quarantined, [9bde31124b3fcf67160c05712fd509f7],
Trojan.Agent, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe, Quarantined, [8ced152e4a40989eeb370472f311a15f],

and its already on quarantine do i need to do more stuff to it to get a rid of virus or my Malwarebytes anti-malware home premuim has take care of virus? because my windows defender is not working..

AmirAcle · 29 Dec 2015

Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Scan Date: 12/28/2015
Scan Time: 9:00:15 PM
Logfile:
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.03.09.05
Rootkit Database: v2015.02.25.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8
CPU: x64
File System: NTFS
User: AmirAcle

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 343845
Time Elapsed: 2 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe, Quarantined, [9bde31124b3fcf67160c05712fd509f7],
Trojan.Agent, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe, Quarantined, [8ced152e4a40989eeb370472f311a15f],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

AFTER THAT I DID ANOTHER SCAN AND IT WAS CLEAN

axe0 · 30 Dec 2015

You don't have to do anything more then let Malwarebytes do its job :)

Also, I would enable rootkit detection and self protection.
Rootkit
Attachment 56062

Self protection
Attachment 56064

davehc · 30 Dec 2015

I believe that is aperiodic file (updated now and again) in windows updates. It is a backup and more intensive scan of your computer for viruses. It is, as far as I am aware, a legit MS program.

irelandguy · 30 Dec 2015

Your Malwarebytes Anti-Malware is out of date, please download current version.

Version: 2.2.0.1024
Database Version: v2015.12.30.02

MoxieMomma · 30 Dec 2015

irelandguy said:

Your Malwarebytes Anti-Malware is out of date, please download current version.

Version: 2.2.0.1024
Database Version: v2015.12.30.02

Not only is your PROGRAM version out of date, but your DATABASES are SERIOUSLY outdated, as well.
So, there's a decent chance the detection was a false-positive, based on the old database.

Scan Date: 12/28/2015
Scan Time: 9:00:15 PM
Logfile:
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.03.09.05
Rootkit Database: v2015.02.25.01

NOTE: If you cleanly upgrade the program now, without first restoring the file from quarantine, the uninstall will permanently remove the quarantined files from your system. If it was a false-positive, and if the file *is* a legit, important file, it could damage your system. (EDIT: See below for why a clean upgrade, rather than an on-top upgrade, is suggested.)

If you are reasonably sure it is a false positive hit on a legit file, you can update the databases, reboot and then restore the file from quarantine.
If you then rescan with the current database and it is no longer detected, then it was a F/P because of the old database.

BUT, if you are not sure, it would be safer to:
1) Leave the item in quarantine for now (until it can be determined to be safe).
2) Update the MBAM DATABASES and then re-scan.
3) If it was a false positive because, then it should no longer be detected.
4) If you're not sure, you can submit a new scan log with the current database AND the file in question for analysis HERE.

Since your PROGRAM version is very old, once you sort this file detection issue with the current database, I suggest a clean upgrade to the current version.
Please carefully follow the steps in this pinned topic to uninstall your current version of MBAM and reinstall the latest build - MBAM Clean Removal Process 2x
EDIT: If you do have Self-Protection enabled, it must be disabled before attempting a clean reinstall/upgrade.
It is important to reboot when prompted by the removal tool. It's a good idea to reboot again AFTER the upgrade.

Thanks,

MM

P.S. The detection was a "Trojan", not a virus. All viruses are malware, but not all malware are (true) viruses. In fact > 95% of malware these days is non-viral malware.

b1rd · 30 Dec 2015

Also, I don't know if this was already mentioned and I missed it, but I did note where you said; ".... because my windows defender is not working.."

I don't think MalwareBytes is a good replacement for your anti-virus, but moreover something to be used in addition with. See HERE.

b1rd

MoxieMomma · 30 Dec 2015

b1rd said:

Also, I don't know if this was already mentioned and I missed it, but I did note where you said; ".... because my windows defender is not working.."

I don't think MalwareBytes is a good replacement for your anti-virus, but moreover something to be used in addition with. See HERE.

b1rd

Correct!
Good catch, @b1rd!
MBAM Premium is designed to run alongside an AV, to provide complementary protection against zero-hour and zero-day, non-viral malware threats!

MM

mrgeek · 04 Jan 2016

davehc said:

I believe that is aperiodic file (updated now and again) in windows updates. It is a backup and more intensive scan of your computer for viruses. It is, as far as I am aware, a legit MS program.

Agree. MRT is their Malware Removal Tool. At least if he removed it from quarantine and computer, Windwos Update will reproduce it at next Check for Updates.