miekiemoes

Moderators
About miekiemoes

  • Rank
    Forum Deity
  • Birthday 07/19/1975

Contact Methods

  • MSN
    notimetochat
  • Website URL
    http://miekiemoes.blogspot.com

Profile Information

  • Location
    Belgium

  1. Hi, Thanks for reporting. This is a false positive indeed and will get fixed in the next database update.
  2. Hi Teresa, This has been fixed already since Sunday. Please ask the user to update their database. Thanks!
  3. Thank you! In the meantime, the database has been updated to fix this. MBAM2 Version: v2017.02.11.04 MBAM3 Version: 1.0.1233
  4. Thanks for the positive feedback. By the way, would you mind zipping and attaching the following file to a next post? C:\USERS\TAINTED\DESKTOP\TOR BROWSER\BROWSER\FIREFOX.EXE Thanks!
  5. Hi, Thanks for reporting. This is a false positive indeed and will get fixed in the next database. This will be out in 10 minutes.
  6. Hi, This isn't a false positive - however, this isn't malware either. PUM means Potentially Unwanted Modification. In this case, a policy was set that removes the icons representing selected drives from My Computer and from Windows Explorer. In a lot of cases, this is set by malware (especially autorun worms), but in other cases, it's set by you or your IT department/administrator. This is why Malwarebytes alerts here as potentially unwanted, as it can't know by whom/what this policy was set. So you can indeed always add it to the exclusions if you are aware of this policy.
  7. Hi, To elaborate more on this... The browser settings in the user.js file actually override the settings in prefs.js - so this isn't really an addition, since it overrides. Some more info: http://miekiemoes.blogspot.be/2009/01/settings-wont-save-in-firefox.html The safebrowsing feature in Firefox is actually Google's Safe Browsing, which has been implemented by default in Firefox since 2007. If I'm not mistaken, this isn't present anymore in the latest builds of Firefox and was replaced with the Safe Browsing API. This user.js file has settings that disable the safebrowsing feature of your Firefox browser, as the value is set to "false" here. To give some examples of what's in this user.js file: user_pref("browser.safebrowsing.downloads.enabled", false); user_pref("browser.safebrowsing.malware.enabled", false); user_pref("browser.safebrowsing.enabled", false); So this means that when these settings are present in the prefs.js file as well and set to true (as they should be), the presence of your user.js file will override this. We've seen malware creating such a user.js file as well, with exactly the above preferences also set to false. I know your goal is rather anonymity/privacy. Either way, since our engine can't know whether this is a user.js file set by malware that disables safebrowsing, or a user.js file set by the user himself, we believe we still need to alert here as a Potentially Unwanted Modification. We are not saying it's malware; we are alerting that the default settings to use safebrowsing have been disabled. So in this case, it's the user's choice to either have Malwarebytes deal with this, or ignore it.
  8. Hi, This isn't a false positive. We are alerting here for a Potentially Unwanted Modification. In your case, it looks like your user.js overrides the default settings in Firefox, where some default security measures have been disabled. E.g., in your case, the safebrowsing protection has been disabled via your user.js file. This is something that is often done by malware as well, hence why we need to alert the user here. Unsure if you are aware of this though - but it's not good practice to have the safebrowsing features in Firefox disabled (in your case, overridden via your user.js file). https://support.mozilla.org/t5/Protect-your-privacy/How-does-built-in-Phishing-and-Malware-Protection-work/ta-p/9395 Either way, if you are aware of this, then add this detection to your exclusions. Thanks!
  9. Do you have Zemana installed? Zemana often causes this as well. In your case, I would add the detection to your exclusions/ignore list. A rootkit removal tool isn't needed here, as you're not dealing with a rootkit.
  10. Hi, If the scanner sees a legitimate file as "Unknown.Rootkit.Driver", then this means there's probably indeed a rootkit present (as we have seen with certain 0access variants) where the files are "forged" by the rootkit. Meaning, reads through the WinAPI differ from the contents read through low-level disk access. In such cases, Malwarebytes fixes this and restores it with a "clean" one. Note, scanning the file at VirusTotal, even in case it was forged by a rootkit, will always show/give you the legitimate one, as that's the one visible from the Windows API. However, since this variant that forges files has been dead for a while already, another reason why Malwarebytes detects "Unknown Rootkit Drivers" is when you have software similar to Rollback Rx PC (or any software that has a rollback feature), as this "forges" files as well when there's a new driver update etc. What helps in most of the cases here is: uninstall Rollback Rx, reboot and reinstall again. That should normally solve the problem of it forging newly installed or updated drivers.
  11. Hi, This was detected by our anti-ransomware component, but should have been fixed in the meantime, so it won't be detected anymore. Thanks for reporting!
  12. Hi, This is triggered by the Anti-Exploit component in Malwarebytes. I'll report this to the correct team so they can have a look. So exclusions don't work either? Can you try to add the file manually to the exclusions? This can be done via Settings > Exclusions tab. There, click Add Exclusion > Exclude a previously Detected Exploit. Please let me know if that worked as a temporary workaround. Thanks!
  13. Hi, This is no false positive. We are aware this is a tool that can be used for legitimate purposes, but unfortunately, we have seen it bundled/used by malware as well, hence why we need to alert the user about this. The people who are aware they installed this can add it to their whitelist. Thanks!
  14. Hi, Detection will stay, as this is a generic detection for password-stealer code. Most AVs detect this as well because of this. If this is a custom-made program that you want/need, you can always add it to the exclusions.
  15. Hi Becky, If this is the same as you reported earlier already, then detection will stay:
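An added example (not code from the forum or from Malwarebytes) of the check posts 7 and 8 describe: user.js values are applied after prefs.js and so override them, and any browser.safebrowsing.* preference forced to false is worth flagging as a potentially unwanted modification. The three preference names are the ones quoted in post 7; the sample file contents are constructed.

```python
import re
from typing import Dict, List

# Matches lines such as: user_pref("browser.safebrowsing.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def parse_prefs(text: str) -> Dict[str, object]:
    """Parse a prefs.js/user.js body into {name: value} (bool, int or str)."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref() call
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def effective_prefs(prefs_js: str, user_js: str) -> Dict[str, object]:
    """user.js is read after prefs.js, so its values win on every collision."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def disabled_safebrowsing(prefs: Dict[str, object]) -> List[str]:
    """Names of Safe Browsing preferences that end up forced to false."""
    return sorted(n for n, v in prefs.items()
                  if n.startswith("browser.safebrowsing.") and v is False)


# Constructed sample contents; prefs.js keeps the Firefox defaults (true).
PREFS_JS = '''
user_pref("browser.safebrowsing.enabled", true);
user_pref("browser.safebrowsing.malware.enabled", true);
user_pref("browser.startup.homepage", "about:home");
'''
USER_JS = '''
// constructed: a privacy-oriented override plus the three lines quoted in post 7
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.enabled", false);
user_pref("network.cookie.cookieBehavior", 1);
'''

if __name__ == "__main__":
    flagged = disabled_safebrowsing(effective_prefs(PREFS_JS, USER_JS))
    print("PUM candidate, Safe Browsing disabled via user.js:", flagged)
```

Running it lists the three Safe Browsing preferences as disabled even though prefs.js alone has them enabled, which is exactly why the scanner cannot tell a user's choice from a malware-written user.js by looking at prefs.js.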