
Possible bug in Spybot is causing it to detect a F/P Trojan whenever MBAM is used.



HH89a
2010-12-25, 08:40
Hey guys, I think either I have an infection or there is a bug in Spybot S&D which is causing it to show an F/P infection, the "Win32.AutoRun.tmp" Trojan, in your registry whenever a user uses MBAM to quarantine/delete a file.

I believe it might be a bug/false positive on Spybot's part, as I was able to reproduce the same detection on another computer right after I used MBAM to quarantine/delete a file (a file which MBAM has just classified as a PUP - potentially unwanted program).


Let me begin from the start though:

This is what Spybot S&D started picking up yesterday (Dec 23, 2010):

Trojan
Win32.AutoRun.tmp:
[SBI $751B1850] Settings (Registry value)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

Picture of the Spybot Detection shown here:

http://img838.imageshack.us/img838/1110/trojanpic.jpg


Before that, the last time I scanned using Spybot was on Dec 19, 2010 at 6:20pm, in which the Spybot scan came up clean. I thought this was kind of weird, since the only thing I did between Dec 19 and Dec 23 was surf the web and download two program files for two online poker sites (888poker and William Hill Poker), which I ended up never opening. I play online poker on a daily basis, so that was quite normal for me. I also use Avast anti-virus and Comodo Firewall to keep track of everything that connects to the internet. I practice safe surfing habits, I have never had any malware problems in the past, and I have been using this computer for the last 15 months.

First, I would like to point out that when I downloaded the two setup files for the two online poker sites mentioned above, the first thing I did was scan them both with MBAM and Avast. MBAM picked up the infection (Application.Casino) for the 888poker installer file and (Adware.Casino) for the William Hill Poker installer file. Avast showed them both as clean. I decided not to open them anyway, and so just deleted them from my computer manually by sending them to the recycle bin and clearing the bin.

Later on that day (Dec 19, 2010 at 6:20pm) I scanned my comp with Spybot and everything came up clean. Since both those setup files are from legit companies, I figured those two infections that MBAM showed were probably F/P's, and so I decided to post about them on the MBAM F/P forums (thread shown here: http://forums.malwarebytes.org/index.php?showtopic=70753). I downloaded the two setup files again and ran MBAM in developer mode to get the log. After I got the developer log and made my post in the MBAM forums, I decided to delete the files again. This time I used MBAM to remove them using Quarantine and Delete - this was also the first time I ever used MBAM to quarantine and delete something on this computer.

Later on, someone from the MBAM team called "Shadowwar" replied to me in that thread saying that those programs weren't actually malicious; they were not trojans, just potentially unwanted programs (PUP), and that they could be safely added to my ignore list. Following that, the MBAM team changed the detection on those two files to show a PUP prefix instead. In the end, I decided I didn't have enough time to set up a new poker account at those two sites anyway, and so never downloaded the files again.

Fast forward to yesterday (Dec 23, 2010). I scan using Spybot S&D (the last time I updated Spybot was when I scanned on Dec 19, 2010, in which the Spybot scan came up clean). This time Spybot S&D picks up the trojan "Win32.AutoRun.tmp" in my registry (pic of the detection shown above). At this point I figured I had probably picked up an infection from surfing the web. However, the websites I visited in the last week are the exact same websites I've been visiting in the past 15 months since I bought this computer (mostly Facebook, YouTube, Gmail). And I have never had a malware problem in the past (I've only had MBAM detect a couple of F/Ps, plus the incident with the two online poker setup files which MBAM now detects as PUPs - also explained in the above paragraph). So I figured there was a chance it could also be an F/P in Spybot; however, since I had not updated the definitions for Spybot S&D since my last clean scan, I was a little confused.

Following this, I decided to scan using MBAM, Avast and the Eset online scanner. All came up clean. It is only Spybot that is picking up this detection. I also googled and read a ton of threads regarding people picking up "Win32.AutoRun.tmp" in Spybot in the same registry location as me. In a couple of threads, it seemed as if this detection popped up after they used MBAM's function to quarantine and delete a file. And the only thing I've done since my last clean scan in Spybot is use MBAM to quarantine and delete files, plus surf the web.


So I figured there might be a possibility of some bug/glitch in Spybot that is causing it to detect an F/P Trojan named "Win32.AutoRun.tmp" in your registry whenever you use MBAM to quarantine and delete a file.

I decided to do an experiment and try this out on a second computer to see if I could reproduce the detection in Spybot if I used MBAM to quarantine/delete a file. It worked.


Here's exactly what I did on my second computer in the following order:

1. First I updated Spybot and MBAM.

2. Scanned with both Spybot and then MBAM. Both results come up clean.

3. Restart my computer.

4. Scanned again using Spybot to double check. Results came up clean.

5. Download the 888poker software installation file (from http://www.888poker.com). MBAM will detect this file as (PUP.Casino), so I decided to just use this file to test things out.

6. Do a full system scan using MBAM. It will pick up the detection noted above on the 888poker.exe installer file. It will also pick up the same detection on one of the cache files in Mozilla (which I think is probably the cache file for the download of the 888poker.exe installer file).

7. Exited MBAM without doing anything to the above files.

8. Did another scan using Spybot. Results came up clean.

9. Manually delete 888poker.exe via sending it to the recycle bin, and clear Mozilla's cache files.

10. Scanned again using MBAM to check if it detects anything. Everything comes up clean.

11. Scanned again using Spybot to test if deleting the file manually will cause any detection. Everything comes up clean.

12. Restarted my computer.

13. Scanned using Spybot again to double check. Everything still comes up clean.

14. Downloaded the 888poker.exe software again.

15. Scanned both the 888poker.exe file and the Mozilla cache files with MBAM once more to verify the detections are there. Both detections of PUP.Casino verified in both files like it should be.

16. Restarted my computer.

17. Scanned again using Spybot. Results come up clean.

18. Did a full scan using Avast. Everything comes up clean.

19. Restarted my computer.

20. Scanned again using Spybot to double check. Everything still comes up clean.

21. Scan the 888poker.exe installer file using MBAM. Then use MBAM to quarantine and delete it. MBAM will prompt you to restart your computer to finish the quarantine/delete process, in which I clicked yes.

22. Right after my computer started up, I scanned using Spybot once more. Spybot now shows the "Win32.AutoRun.tmp" Trojan detection in the Registry (pic shown above).


So as you can see, the moment I used MBAM to quarantine and delete a file, any subsequent Spybot scans start picking up the "Win32.AutoRun.tmp" detection. So far I've tried restoring the file from the MBAM quarantine and scanning with Spybot again, but Spybot still shows the same detection. I've also tried uninstalling and re-installing Spybot (using Revo Uninstaller to do a full uninstall and restarting my computer before installing it again); it still shows the same detection. I am going to try uninstalling and reinstalling MBAM the same way and see if that helps. I have not yet tried to use Spybot to "fix" this detection, as I am not sure if it might do any harm to my computer if I delete this registry value, since I've read a thread on the Spybot forums where someone did just that and it ended up screwing up his computer (see thread here: http://forums.spybot.info/showthread.php?t=60684).


Anyway, is there someone from the Spybot team who could try this out on a third computer to confirm whether the same detection pops up in Spybot, and post the results here?

I have also cross-posted this over to the MBAM forums (thread shown here: http://forums.malwarebytes.org/index.php?showtopic=71140). I suggest you check it out as well. I will await your reply.


I appreciate any help, and Happy Holidays. And sorry for the long post, I just wanted to be as thorough as possible.


Note: I also cross-posted this over to the Malware Removal forum on MBAM, just in case this detection did come up because I caught a trojan. But as of right now, I believe it's most likely an F/P on Spybot's part.


Kind regards,
- HH89
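The post names the flagged location (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman) but never says what the value actually contains, and that content is what decides whether a detection there is a false positive. Winlogon reads the Taskman value to launch an alternate Task Manager, it is normally absent on a stock Windows install, and because Winlogon runs whatever it names it is also a persistence location that scanners watch. The following PowerShell script is an added example, not part of the thread or of either vendor's tooling: it reads the value, resolves the program it points at, and reports whether that file exists and how it is signed, so the user can judge the entry before letting Spybot "fix" it. The variable names are mine; the cmdlets are standard Windows PowerShell.

```powershell
# Added example (not from the thread): inspect the Winlogon\Taskman value that
# Spybot flagged and report what it points to. Read-only; nothing is changed.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'Taskman'

$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $name)) {
    Write-Output "No '$name' value under $key (this is the normal state on a stock install)."
    return
}

$raw = $props.$name
Write-Output "Taskman = $raw"

# The data is a command line; pull out the executable path, with or without quotes,
# and expand any %VARIABLES% so the path can be checked on disk.
$exe = if ($raw -match '^"([^"]+)"') { $matches[1] } else { ($raw -split ' ')[0] }
$exe = [Environment]::ExpandEnvironmentVariables($exe)

if (-not (Test-Path -LiteralPath $exe)) {
    Write-Output "Referenced file does not exist on disk: $exe"
    Write-Output "A dangling entry runs nothing, but it is worth knowing which tool wrote it."
    return
}

$item = Get-Item -LiteralPath $exe
Write-Output ("File: {0}  Size: {1} bytes  Modified: {2}" -f $item.FullName, $item.Length, $item.LastWriteTime)

# Authenticode status tells you whether the target is a signed vendor binary
# (e.g. a security product's own helper) or an unsigned unknown.
$sig = Get-AuthenticodeSignature -FilePath $exe
Write-Output ("Signature status: {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Output ("Signer: {0}" -f $sig.SignerCertificate.Subject)
}
```

Run it from an elevated PowerShell prompt on the machine that shows the detection, once before and once after the MBAM quarantine-and-reboot step in the procedure above; comparing the two outputs shows whether MBAM wrote the value and what it points to, which is the evidence a false-positive report to either vendor should include.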

tashi
2010-12-26, 21:36
New topic posted in False Positives forum: http://forums.spybot.info/showthread.php?t=61021

:)