Thread: Win32.AutoRun.tmp F/P whenever Spybot is run after you use MBAM's quarantine function

  1. #1
    Junior Member
    Join Date
    Dec 2010
    Posts
    3

    Default Win32.AutoRun.tmp F/P whenever Spybot is run after you use MBAM's quarantine function

    Hey,

    I believe there's a possible bug or F/P with Spybot that is causing it to detect a "Win32.AutoRun.tmp" Trojan in the following location which happens right after you use the program MBAM (Malwarebytes Anti-Malware) to quarantine a file:

    Trojan
    Win32.AutoRun.tmp:
    [SBI $751B1850] Settings (Registry value)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

    Picture shown below:




    Please see my post here on the MBAM F/P forums for more detail:
    http://forums.malwarebytes.org/index...howtopic=71140

    Spybot first started detecting this on my main computer, which started happening after I had used MBAM to quarantine and delete a couple program installer files that I downloaded (but never opened), in which MBAM had flagged those files as "PUPs" (potentially unwanted programs).

    I tested this out on a second computer and was able to recreate the same detection in Spybot. All I had to do was use MBAM to quarantine any file (I tested it on a file that MBAM has classified as a "PUP.Casino"), then Spybot instantly starts detecting "Win32.AutoRun.tmp" trojan in the registry. Prior to using MBAM's quarantine function, all Spybot scans came up clean.

    The file I tested this out on is the 888poker.exe program installer file from the online poker site www.888poker.com. Again please see my thread I made on the MBAM F/P Forums (linked above) for more detail.

    Restoring the quarantined file doesn't have any effect; Spybot will still pick up the "Win32". Uninstalling and reinstalling both Spybot and MBAM (by using Revo Uninstaller to do a full uninstall) has no effect either. Spybot will still continue picking up the "Win32".

    Ever since Spybot started picking up this detection I have: scanned my comp 5 times with full MBAM scan, Avast full scan once, and Eset online scanner twice. All those scans come up clean. Only Spybot detects this.

    Both my computers are using Windows Vista 64bit. Both computers have Spybot fully up to date, except for the TeaTimer update. I don't use TeaTimer on both computers, so didn't bother with getting the latest upgrade for it.

    The security software I use on my computer is Avast, Comodo Firewall, MBAM and Spybot. I have never had a malware problem in the past, practice safe surfing habits, and have used this computer for 15 months. My browser is Firefox v3.5.16.

    I have not yet tried to use Spybot to "fix" this detection.

    Was hoping someone from the Spybot team could try this out on a third computer to confirm, and post the results here?

    I will await your reply.


    Kind regards,
    - HH89
    Last edited by HH89a; 2010-12-26 at 21:42.

  2. #2
    Member of Team Spybot Buster's Avatar
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389

    Default

    Thanks for reporting this false positive. It will be corrected in our next detection update.
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky

    _______________________________________________________________

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Dec 2010
    Posts
    3

    Default

    Quote: Originally posted by Buster
    Thanks for reporting this false positive. It will be corrected in our next detection update.
    Np, good to know it was just a F/P.

    Thanks, and have a great new years!


    Kind regards,
    - HH89

  4. #4
    Junior Member DONNA55's Avatar
    Join Date
    Jan 2011
    Location
    uk
    Posts
    1

    Default same problem

    Quote: Originally posted by Buster
    Thanks for reporting this false positive. It will be corrected in our next detection update.
    Hi, I did a scan today, 16th Jan 2011 (portable Spybot S/D 1.62), and have the same F/P.
    Regards, donna55

  5. #5
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    This false positive with Win32.AutoRun.tmp has been fixed with the update released on 2010-12-29. Please make sure that you have updated detection rules after this date.
    born in the shadow to die in the shadow, that is the fate of the shinobi
