ParrotSlave

Honorary Members
Posts: 26
Reputation: 0 Neutral

  1. How about this: I occasionally restore my system to an earlier state via actual images, not system restore. Before re-connecting to the internet, I like to update all my software, including anti-malware programs, manually, by keeping those definitions and program updates on a separate hard drive. C:\ProgramData\Malwarebytes\MBAMService [in Windows 8.1] appears to be where all the relevant files are stored. Can I save that folder on an external drive, archiving it, say, monthly, so it's never too far out-of-date, then, after restoring my system to some earlier date, I would just overwrite the old folder with the new, or else simply replace the "important" files in that folder--whichever ones those are--after first running the most recent program installer itself to update the program proper? The files that were changed by updating the program just now include AMECIs, clean.mbdb, dbmanifest2.dat, dbupdate.log, DDSCIs, dynconfig.dat, exclusions.txt, HubbleCache, mbdigsig2.dat, rdefs.mbdb, rules.mbdb, scan.mbdb, and tids.mbdb. A number of others have changed between that moment and when I last restored a system image. I'm tempted to save just the rdefs.mbdb and rules.mbdb alone, and plop those two into that folder the next time I restore a system image. Would that be unreasonable to do? Yes, there are only a few moments between when I re-connect to the internet and when I update MBAM--along with SuperAntiSpyware and Norton, all of which seem to have coexisted peacefully on my system for years--but I don't want anything untoward to happen even in those few moments. (I'm a belt-and-suspenders kind of person.)
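The post above works out by hand which files in the MBAMService folder an update touched. The script below is an added example, not code from the forum or from Malwarebytes: it fingerprints a folder with SHA-256, saves the manifest next to an archived copy, and diffs two manifests so the list of added, removed and changed files is produced mechanically instead of by eye. It does not settle which of those files the engine actually needs; it only makes visible what a full update changed and therefore what a partial copy (say, only rdefs.mbdb and rules.mbdb) would leave behind. The folder contents built in demo() are constructed sample data, and the file names are only borrowed from the post.

```python
"""Added example, not from the forum post: fingerprint a definitions folder (for instance
C:\\ProgramData\\Malwarebytes\\MBAMService) with SHA-256 and diff two fingerprints to see
exactly which files an update or a restored image changed. The folder contents in demo()
are constructed sample data, not real Malwarebytes files."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root: Path | str) -> dict[str, str]:
    """Relative path (forward slashes) -> SHA-256 hex digest, for every file under `root`."""
    root = Path(root)
    manifest: dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream; database files can be large
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def save_manifest(manifest: dict[str, str], path: Path | str) -> None:
    """Persist a manifest as JSON (keep it on the external drive next to the archived copy)."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True), encoding="utf-8")


def load_manifest(path: Path | str) -> dict[str, str]:
    """Read a manifest written by save_manifest()."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def diff(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed or changed between two manifests."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in common if old[k] != new[k]),
    }


def write_tree(root: Path | str, files: dict[str, bytes]) -> None:
    """Create `files` (relative path -> bytes) under `root`. Used only to build sample data."""
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Constructed sample: an archived copy of the folder versus the folder after an update."""
    with tempfile.TemporaryDirectory() as tmp:
        archived, updated = Path(tmp, "archived"), Path(tmp, "after_update")
        write_tree(archived, {
            "rules.mbdb": b"rules v1", "rdefs.mbdb": b"rdefs v1", "exclusions.txt": b"",
        })
        write_tree(updated, {
            "rules.mbdb": b"rules v2", "rdefs.mbdb": b"rdefs v1", "exclusions.txt": b"",
            "dbupdate.log": b"updated",
        })
        # Save the baseline the way you would on the external drive, then reload it to compare.
        save_manifest(snapshot(archived), Path(tmp, "archived.manifest.json"))
        baseline = load_manifest(Path(tmp, "archived.manifest.json"))
        return diff(baseline, snapshot(updated))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run snapshot() on the folder right after a full program update and again after restoring an image and copying in the archived files; anything still listed under "changed" or "added" is a file the copy did not bring up to date.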
  2. You can open reg files with Notepad; here's what that one reads:
     Windows Registry Editor Version 5.00
     [HKEY_CURRENT_USER\Software\RENƒAƒvƒŠƒP[ƒVƒ‡ƒ“ ƒEƒBƒU[ƒh‚Ŷ¬‚³‚ꂽƒ[ƒJƒ‹ ƒAƒvƒŠƒP[ƒVƒ‡ƒ“]
     [HKEY_CURRENT_USER\Software\RENƒAƒvƒŠƒP[ƒVƒ‡ƒ“ ƒEƒBƒU[ƒh‚Ŷ¬‚³‚ꂽƒ[ƒJƒ‹ ƒAƒvƒŠƒP[ƒVƒ‡ƒ“\EasyConfig]
     "EasyConfigDlgSize"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,\
       ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,f0,00,00,00,7f,00,00,00,97,06,00,00,0a,04,00,\
       00
     "Col0"=dword:0000002d
     "Col1"=dword:0000005f
     "Col2"=dword:0000005a
     "Col3"=dword:00000046
     "Col4"=dword:00000046
     "Col5"=dword:000000df
     "Col6"=dword:00000046
     "Col7"=dword:00000070
     "Col8"=dword:0000017e
     "Col9"=dword:00000032
     "Col10"=dword:00000032
     I was just wanting an opinion. To stick an actual malicious program into the registry itself, i.e., have the key itself be such a program, I haven't heard of, although I could see that merging (instead of opening) a key could very easily do something nasty. It's just something that has puzzled me for a long time. The only reasonable explanation is that, maybe, it was part of an "activation" for some program or other after the program was installed. One of the problems software makers have is trying to keep people from stealing their software, and, in order to do so, they often require activation. If the activation does something simple, like stick a license key somewhere or other, for instance, somewhere in ProgramData, then it might be easy for someone to activate the program just by duplicating that file and putting it wherever it's supposed to go. There are normally some registry changes, though. By making the name of the registry key unrelated to the program itself, then nobody would guess that that particular file goes with a particular program. (https://en.wikipedia.org/wiki/Product_activation) I don't know; I'm not a programmer.
I learned simple programming when I had my Amiga, thirty-odd years ago, but Windows is a mystery to me (and, apparently, also to the folks at Microsoft.😉) Maybe it is a remnant of some malware, or maybe it's a remnant of something I uninstalled or never used. Since everything works, it's not a big deal. Instead of being a tricky program application entry, it actually looks more like a reg key that would control the appearance of some GUI or another, since it's giving instructions for 10 different columns. Sorry, I just remembered that I asked about that in this very forum in 2014, and nobody knew. I don't remember sending any message to the moderators. Should I do so now?
  3. Thanks. Out of curiosity--and this is clearly not related to whatever was happening--a number of years ago, I discovered a registry entry in HKCU\Software that puzzled me. This is it: HKEY_CURRENT_USER\Software\ƒAƒvƒŠƒP[ƒVƒ‡ƒ“ ƒEƒBƒU[ƒh‚Ŷ¬‚³‚ꂽƒ[ƒJƒ‹ ƒAƒvƒŠƒP[ƒVƒ‡ƒ“ I did not trust it, since I had no idea what it was, so I renamed it by adding REN to it, which would make whatever was using the path not function: HKEY_CURRENT_USER\Software\RENƒAƒvƒŠƒP[ƒVƒ‡ƒ“ ƒEƒBƒU[ƒh‚Ŷ¬‚³‚ꂽƒ[ƒJƒ‹ ƒAƒvƒŠƒP[ƒVƒ‡ƒ“ Nothing that I know of stopped working when I renamed it, so I still, after at least six years or so, have no clue as to what it goes with. Have you ever seen that key before? Oddball key in HKCU.zip
  4. I mentioned that the problem had disappeared this morning, before I wrote my post. I was wondering whether there was a false positive problem with MBAM that had been corrected with today's update, or if there really was a problem on my system. I did run the fix anyway, though. I had already investigated whether it was the individual Excel files that were the problem or whether it was Excel itself (or something affecting Excel.) My first thought was also, hey, maybe it was just that one file, since that one was in my Dropbox, which I regard as a potential security risk. I did check other worksheets, and MBAM did the same thing to each, in the same amount of time. It closed Excel even if I just opened up the program instead of opening up an old spreadsheet. I don't know if you noticed this, but in those FRST lists, there were references to some QuickTime plugins. Apple stopped patching the program in 2016, and we're all supposed to have removed it from our systems. But, because I need it every now and then, instead of uninstalling it, what I did was to remove the QuickTime program folder (in Program Files (x86)), and put the folder on a removable drive. My old SoundForge Pro needs the QuickTime dlls to process mp4s, and I also use QuickTime to do non-destructive editing of mov and mp4 files. Very few programs will allow you to edit such files without re-encoding them when they're finished, which lowers the quality. So, whenever I want to use the program, which might be once a month, I disconnect from the internet, then move that folder back into Program Files (x86), do what I need to do, then get rid of the folder again. In other words, it's not there to compromise my system, but there are references to it in the registry. Most technical support people would freak out at the thought that the program might be active. Fixlog.txt
  5. I had just restored my system to an April Macrium image, and updated everything, when MBAM started blocking Excel. (It did not block Word.) It wasn't the individual file it was blocking: opening Excel itself would last about 15 seconds or so before MBAM would block it. This is on a Win8.1 64-bit system that has, as resident, MBAM, Norton Internet Security, SuperAntiSpyware Pro, and Zemana Anti-Logger. When the message came up a couple of times, I ran the Sophos Virus Removal Tool, and it found nothing. I also ran AdwCleaner and FRST, as suggested in-- The reason I had just restored my system to that April image is that I'm somewhat paranoid about my system--even though I don't go anywhere I shouldn't go on the internet, for real. Even if I wanted to, I wouldn't go to a porn site, since that's where you get viruses. However, whenever "weird" things happen--which might be due to Windows itself, or to malware, or both--I just revert my system, then update everything. In this case, my mouse had been acting "funny"--it had started lagging, not just in one browser, but in them all, and in other programs, which makes me worried about keyloggers--despite my security precautions. It wasn't just the battery in the mouse: I tried several different ones I have on hand. When I restore my system, I work offline, and update whatever needs it (browsers, Adobe Air, even offline antimalware definitions) before connecting to the internet, then letting Windows Update do its thing. I didn't realize that, this time, the very first visit there, it hadn't installed anything. I remember a necessary reboot screen, and I'd left the computer for hours, all by its lonesome, so I'd assumed that everything was normal, when WU showed no available updates. The next day, though, I was puzzled when it told me that there were more updates available, and, without checking the installation history, I went ahead and let it do its thing again. 
One of the recent updates was supposed to protect against a heap memory exploit. When I kept getting MBAM blocking Excel, I finally decided to re-revert my system, and decided to manually download all the Windows updates this time, to do that offline as well, which was when I discovered that I'd been going a day without those updates. When I did that, I also ran the Windows Malicious Software tool by itself, and it found nothing. But my preliminary hypothesis then became that, somehow, I'd had some kind of real heap memory exploit. As I was getting ready to choose which system image to revert to, I opened up an Excel file of my image list, since I have them on several different removable drives--I'm a belt and suspenders guy--and, voila, Excel stayed open. So, now I'm wondering if this was a MBAM glitch that has been fixed in an update of the last day, or if something was really there. If something was really there, even if it seems to be gone, I need to do a re-restoration, just to be safe. I'm attaching FRST.txt and Addition.txt, my second run of FRST. When I ran it the first time, I discovered more than half a dozen different VLC player dlls with different versions, so I uninstalled it and reinstalled it: I'm going to have to start doing things the old-fashioned way again, i.e., not trusting programs to update themselves, except those ones where it's a hassle to reinstall due to activation issues. I do have a couple of programs that offered PUPs, but I've used them for years. FRST.txt Addition.txt AdwCleaner[S00].txt AdwCleaner_Debug.log
  6. It seemed to have been fixed, but it has, apparently, been "unfixed." Several weeks ago, I had to manually exclude the file from MBAM's detection engine. MBAM had not detected CareUEyes 1.20, but after the program updated itself to v1.21, MBAM ate the 1.21 exe. Since I had had no problem with v1.20, I uninstalled v1.21, then installed 1.20 again, then unchecked the "check for updates automatically" in the CareUEyes gui. Somehow, CareUEyes updated itself anyway, which made me assume that, when MBAM ate it again, MBAM didn't like the presumably newer version of careueyes.exe. I had no problems with it after that until today, when MBAM did the same thing. When that happens, it annoyingly requires a reboot: MBAM has to completely digest it before it can be restored. My friend Norton reminded me that the digital signature on careueyes.exe is invalid, but that's not the problem. Only one out of 66 engines at Virus Total flag the file. The careueyes.exe that's in AppData\Roaming\CareUEyes says product version 1.1.0.6 and product version 2017.7.28.1. The spooky thing is that, a few days ago, I'd restored my system to a Macrium image I made after I'd first installed CareUEyes but before I'd manually excluded it from MBAM, and MBAM was happy with it for several days before deciding that it was evil.
  7. It was longer ago than I remembered offhand. And, yes, I do have other protection: full versions of SUPERAntiSpyware, NIS and Zemana Anti-Logger. The only hassle is having to configure Norton to ignore the SAS and MBAM folders so that they don't conflict. You couldn't do that long ago, but Windows has improved in some ways. Also, every few weeks, I run a scan with the Sophos free tool, and, being ultra-paranoid, I do also occasionally take advantage of Trend Micro's free online system scan.
  8. Having just uninstalled and reinstalled both versions 2 and 3 in the last while, version 2 "remembers" my lifetime pro license even after the uninstall, and is activated upon installation, presumably because of a license file somewhere that even Revo did not remove (I didn't use the MBAM Removal Tool). Alas, version 3 doesn't "see" the license, so the automatic protection isn't on anyway. For the moment, I'm back to version 2 with a database about a year old. I cannot find any archived exe files of MBAM rules, just the most recent, which I don't want to install. The thing is, for about the last 6 months or so, even the old version of MBAM would give the "protection off" error on occasion.
  9. I reinstalled 2.2.1.1043 after these problems just now, and the same thing keeps happening: malicious website protection is disabled, but trying to select the "Enabled" button doesn't work: the active button immediately reverts to Disabled.
  10. Me three. I came here and looked around and began to wonder if MBAM's server had been hacked: one cannot help but wonder, since the forum here was hacked a year or two ago, according to haveibeenpwned. Is it possible that there's an exploit in the program itself? I decided to see if killing MBAM in task manager, then restarting it, would help, but every time I clicked on an MBAM task, the CPU activity went up, eventually to 100%. I finally had to do a hard shutdown, and the first thing I did upon rebooting was to use Revo to remove all of MBAM. I think I'll reinstall MBAM-2.2.1.1043
  11. Here are the files you requested. On one of them, keep in mind that some of the access denied errors referred to are probably due to the fact that one of my drives, onto which I install some of the infrequently used program files instead of on C: itself, is BitLocker protected and I don't always unlock it. And, shortly before running the logs, I'd had an issue with Norton blocking a Copernic update from 4.2 to 4.3 (it detected msi9b1c.tmp as "SONAR.Module!Gen1" heuristically.) FRST.txt Addition.txt CheckResults.txt
  12. I can't swear that it began in January, since I restored a Macrium image from a month or two prior to that at that time, so it might have been doing this in December. But starting in mid-January, I've been getting two automatic threat scans every day. The first will be at about 2:30 AM, and the next will be between 14 and 20 minutes later. The automatic schedule is for one at 2:44:01 AM (since 3/25/14). The automatic update check has been for once an hour, but I just changed it to once a day (I never even looked at it before; I just took the default settings.) I could imagine an automatic scan different than the schedule once in a great while, such as if you'd discovered some kind of a major malware outbreak, but, otherwise, I'm having difficulty in seeing why it's doing two scans.
  13. I just noticed in HKCU\Software a new key, HKEY_CURRENT_USER\Software\ƒAƒvƒŠƒP [ƒVƒ‡ƒ“ ƒEƒBƒU [ƒh‚Å ¶ ¬‚³‚ꂽƒ  [ƒJƒ‹ ƒAƒvƒŠƒP [ƒVƒ‡ƒ“ I have no reason to suspect that I might be infected by malware, since I have MBAM Pro, NIS, SAS Pro, as well as Zemana, but one never knows. Perhaps that key is merely a software license of some program or other, but one would expect a programmer to hide it a little better. I could export it, delete it, then wait and see if something stops working. There is no data on any of the subkeys that gives me a clue as to what it is. I do visit the registry regularly, and I would think that I would have seen it if it had been there all this time. The subkey is EasyConfig which has 13 value entries, one default, 11 different "Col" DWord values, plus a binary value named EasyConfigDlgSize. My friend Google tells me about a program called EasyConfig, but I've never heard of it. Does anyone have any idea what this is or if it is related to malware? Doing a Google search for part of the key value gives me only 9 hits, but the relevant ones all seem to be concerned about malware, but are, alas, in other languages. https://www.google.com/search?num=30&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&channel=fflb&q=%C3%86%E2%80%99A%C3%86%E2%80%99v%C3%86%E2%80%99%C3%85%C2%A0%C3%86%E2%80%99P%C3%82&oq=%C3%86%E2%80%99A%C3%86%E2%80%99v%C3%86%E2%80%99%C3%85%C2%A0%C3%86%E2%80%99P%C3%82&gs_l=serp.3...3430.3876.0.4778.2.2.0.0.0.0.115.221.0j2.2.0....0...1c.1.58.serp..2.0.0.X3ucO6z-hD0
  14. MBAM is now reporting mp3Tag as a virus, Trojan.FakeMS.ED. The attached program files, one of the installer, the other of the exe in program files, are zipped with the password being "mbam" (in lower case): virustotal scan of the exe in C:\ProgramFiles(x86)\mp3Tag--https://www.virustotal.com/en/file/76a99a8a007271ad04ece9294f072075a55472b6b1690734a036f4c0c2d1deb7/analysis/ Rescanning of the exe in program files today gives MBAM as the only one reporting it as a positive: https://www.virustotal.com/en/file/76a99a8a007271ad04ece9294f072075a55472b6b1690734a036f4c0c2d1deb7/analysis/1414446816/ Scanning of the installer (which I may have renamed, I don't remember), Mp3tag_v2.65.exe, gives no positives in virustotal's old scan, from 10 hours ago: https://www.virustotal.com/en/file/d52a6e3a37b35188215f1307f1b6a8545256dd45b8bc4b3ae2fc57b54dde0adb/analysis/ Rescanning the installer by virustotal gives MBAM as the only one reporting a positive: https://www.virustotal.com/en/file/d52a6e3a37b35188215f1307f1b6a8545256dd45b8bc4b3ae2fc57b54dde0adb/analysis/1414449014/ The files are digitally signed by Florian Heidenreich on Oct 18, 2014, at 5:03:42 AM for the exe and at 5:03:52 AM for the installer exe. Neither file shows any modification according to Windows. So, either the file has magically changed without Windows knowing about it, or MBAM did something in its definitions to add it as a risk. I am assuming that the program is not doing anything it shouldn't do, i.e., that it hasn't been malicious all this time with MBAM being the first one to discover it. What is exceedingly peculiar is that I cannot find the original MBAM log reporting it as a positive when it was in ProgramFiles(x86). MBAM kept bugging me via systray for at least 30 minutes, but I was busy gathering information to report a false positive to Sophos, since its virus removal tool had suddenly decided that ipresetall.exe was a trojan,*** so I was ignoring MBAM for a while. 
Before restoring the file from quarantine, I went to an external drive to find the original installer, and put that in my downloads folder, which is the only place that I could find MBAM reporting either the installer or the program file, despite MBAM having been bugging me for at least half an hour about the exe in program files. I then scanned the installer file and, upon finding that virustotal thought it was safe, went ahead and restored the item from MBAM's quarantine. After it quarantines the file, MBAM cannot then find it itself: there are a couple of dozen entries like this in the protection log: Detection, 10/27/2014 4:16:02 PM, SYSTEM, HAL9000B, Protection, Malware Protection, File, Trojan.FakeMS.ED, c:\program files (x86)\mp3tag\mp3tag.exe, Quarantine Failed, 2, The system cannot find the file specified. , [cde61efba9d33ef8cad1d00856ab4ab6] [***You might take a look at ipresetall, since a number of vendors are starting to report it as a positive. Virustotal reports that 12 of 54 find it a threat, whereas Norton was the only one for a long time to think that it was evil. I finally got Norton to whitelist it a couple of months ago. If more vendors are finding it to be evil, you might very well also in the near future, unless you already have it whitelisted. See https://www.virustotal.com/en/file/485e79900bd33ae201f685834a7999d588e6909d7031b73dc344e8b783cbf871/analysis/; the file is available via a link on http://www.eightforums.com/network-sharing/18945-error-when-resetting-tcp-ip-stack.html.]
  15. Thanks. Maybe I shouldn't argue with MBAM, though. I was never able to get either one of those programs to do what I wanted to do. Maybe I should have let MBAM keep the files quarantined.