miekiemoes
Staff
  • Posts: 10,867
  • Joined

Everything posted by miekiemoes

  1. No, it's just because, when the file is in use, Malwarebytes might alter the PE header in some cases for a successful removal, so that results in a different sha256, but restores this again if not quarantined or unquarantined. Or it might also be because rootkit scanning sees a slight difference in files when checked at kernel level in comparison with usermode level (forged files), but that often happens when the file is in use as well.
  2. Yes, files are ok. The reason why it started to detect since recently is because I created that generic detection rule recently as well :)
  3. Yes, that's because of the rootkit scanning. But don't worry and don't be nervous. I wrote the actual detection rule and know it might involve a handful of FPs when rootkit scanning is enabled which happened here in your case. :)
  4. That file is clean. This is really because of the rootkit scanning being enabled though. I will adjust the detection rule to make it a little less generic so this won't be triggered anymore when rootkit scanning is enabled.
  5. That's correct, nothing harmful was installed on your pc :)
  6. Thanks! That's a 2GB+ file, so unsure if this is the installer. Did he zip the entire contents of his stick? I'll hide the above post for public, just in case something personal is in this zipped file. Edited to add. This is indeed an installer and looks completely legit/safe.
  7. Hi, This is indeed a false positive by our additional machine learning engine we have implemented. This will get fixed. Thanks for reporting!
  8. Hi, Unfortunately we can't do anything with the above info or verify if it's an FP since we don't have the file and don't know what it is detected as either. So can you post/attach the file and the detection log please?
  9. Hi, This is indeed a false positive by our additional machine learning engine we have implemented. This will get fixed. Thanks for reporting!
  10. Given you had rootkit scanning enabled, that might be the reason since this compares the usermode version with the kernelmode version and when a file is in use at the time, it might see a difference here. This doesn't mean it's a rootkit though. This might just happen when the file is in use. Sometimes this also gives unpredictable results as that engine works slightly differently. This is exactly why rootkit scanning is disabled by default when you install Malwarebytes. Also because our current engines are powerful enough already to deal with rootkits even when rootkit scanning is disabled.
  11. VT only has files if they are uploaded to there. So in your case, the sha256 that was detected (EC25CAA16313E987285266D0F30BABB33712C427F01A6039F31A1D37B95B4B2D) was never seen by VT. That doesn't necessarily mean the file is bad, but it also makes it more suspicious, since, if it would be a file that is quite popular, Virustotal should have seen it at least once.
  12. Hi, Above shouldn't be detected anymore either with my previous fix already. I just verified. While you tested the above/modified your above file, you probably didn't have the latest update of our database yet with the fix :)
  13. I don't think you ever installed that program as it's just an installer file that was detected. You probably downloaded it once/or got downloaded with another program where the download/save location was accidentally that MobileSync\Backup location that session. In either way, don't worry about it too much, even if you had installed it, it's harmless :)
  14. Since we don't have the older file to compare against, we can't tell if it was a false positive or not. It might have been a modified/patched version though, hence why we detected it (but it was a generic def). In either way, since this new file comes up clean and isn't detected, you should be ok.
  15. Hi, This looks like a different generic detection by our other engine. I'll get this fixed as well :)
  16. It's the installer for DriverEasy, a program that checks for outdated drivers. This program often comes installed without user knowledge, as part of another bundled installer, as we have seen many times already, hence why most AVs detect this as a Potentially Unwanted Program: https://www.virustotal.com/gui/file/bd27f2f5bb93a9458bb3d7b9056e376f4cb71178b284a961ee747efc42b374cf/detection Please note, this isn't malware. In your case, it's located in D:\Users\Oldbl\AppData\Raming\Apple Computer\MobileSync\Backup\ Most probably because it was a file that was synced via another PC.
  17. This file is not related to iTunes or iCloud at all, so you should be ok :)
  18. Hi, I forced a rescan on Virustotal, so it scans with recent database (as VT is always a little delayed). This isn't detected anymore now: https://www.virustotal.com/gui/file/57e11461fd3640718002ce16dbfe415714a984cd53349216a5b258aa1473ba3c?nocache=1
  19. Hi, This is a valid detection. We will adjust the name of the detection to PUP.Optional.DriverEasy. Note, this isn't malware, but a Potentially Unwanted Program. If you have willingly installed this, you can create an exclusion for it. Otherwise, you can have Malwarebytes delete it. It looks like an installer file anyway, so these are safe to delete.
  20. Thanks for reporting. I'll get this fixed as well and make sure to prevent detection for future versions. This will be a database update, but that's usually fixed/applied within 2-3 hours.
  21. Hi, This is a valid detection. We don't detect as Malware, but as PUP.Optional.IWin, which means, potentially unwanted program since this is often installed without user consent. If this is willingly installed, you can create an exclusion for this. In case you want to dispute, please see here:
  22. Hi, This is indeed a false positive by our additional machine learning engine we have implemented. This will get fixed. Thanks for reporting!
  23. Hi, This is indeed a false positive by our additional machine learning engine we have implemented. This will get fixed. Thanks for reporting!
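Posts 1 and 11 above turn on the same practical point: a modification confined to the PE header (as described for a file in use during removal) yields a different sha256 for the whole file, so the hash in a detection log may not match the hash of the file a user later uploads. The script below is an added illustration, not code from these posts or from Malwarebytes: it builds a constructed, minimal PE-shaped blob (not a real executable), patches only the COFF TimeDateStamp field, and then hashes the header region and the section data separately so that a header-only change can be told apart from a change in the actual code. The sample image, the header/body split at the end of the optional header, and the helper names are all my own assumptions.

```python
import hashlib
import struct

COFF_HEADER_SIZE = 20  # IMAGE_FILE_HEADER is always 20 bytes


def build_sample_image() -> bytes:
    """Constructed, minimal PE-shaped blob (not a runnable executable)."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # e_lfanew: PE header at offset 64
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: i386
        1,           # NumberOfSections
        0x5F000000,  # TimeDateStamp (the field patched below)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0,           # SizeOfOptionalHeader: omitted to keep the sample short
        0x0102,      # Characteristics
    )
    section_data = b"constructed .text section bytes " * 4
    return bytes(dos_header) + b"PE\0\0" + coff + section_data


def split_headers(image: bytes):
    """Return (headers, body): bytes up to the end of the optional header, and the rest."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # SizeOfOptionalHeader sits at offset 16 inside the COFF header
    size_of_optional = struct.unpack_from("<H", image, e_lfanew + 4 + 16)[0]
    header_end = e_lfanew + 4 + COFF_HEADER_SIZE + size_of_optional
    return image[:header_end], image[header_end:]


def patch_timestamp(image: bytes, new_timestamp: int) -> bytes:
    """Rewrite only the COFF TimeDateStamp field; section data is untouched."""
    patched = bytearray(image)
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    # TimeDateStamp is at offset 4 inside the COFF header, after the PE signature
    struct.pack_into("<I", patched, e_lfanew + 4 + 4, new_timestamp)
    return bytes(patched)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_images(a: bytes, b: bytes) -> dict:
    """Tell a header-only difference apart from a change in the section data."""
    hdr_a, body_a = split_headers(a)
    hdr_b, body_b = split_headers(b)
    return {
        "full_match": sha256_hex(a) == sha256_hex(b),
        "header_match": sha256_hex(hdr_a) == sha256_hex(hdr_b),
        "body_match": sha256_hex(body_a) == sha256_hex(body_b),
    }


if __name__ == "__main__":
    original = build_sample_image()
    header_only = patch_timestamp(original, 0x60000000)
    print("original  :", sha256_hex(original))
    print("patched   :", sha256_hex(header_only))
    print("comparison:", compare_images(original, header_only))
```

When reconciling a logged hash against a file that no longer matches it, a result of `full_match: False` with `body_match: True` points at a header-only difference of the kind described in post 1, whereas `body_match: False` means the code itself differs and the file should be treated as a different sample.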