Everything posted by xx521xx

  1. I think this is some bloatware included with audio drivers. VirusTotal has one heuristic hit: link
     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\alcmtr (Trojan.Refroso.Gen) -> No action taken. [8F9E1CA5A6BDC2184E8AA20A36A1F8C0]
     ...
     Files Infected:
     C:\WINDOWS\ALCMTR.EXE (Trojan.Refroso.Gen) -> No action taken. [8F9E1CA5A6BDC2184E8AA20A36A1F8C0]
     ALCMTR.zip
  2. Thanks, confirming that it's fixed in database version 3849.
  3. Two possible false positives that appeared recently, with no hits at VirusTotal: mdimon.dll and mdippr.dll.
     Memory Modules Infected:
     C:\WINDOWS\system32\mdimon.dll (Trojan.PWS) -> No action taken. [9BD76B14C57F006F3E71870F83F3063E]
     C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll (Trojan.PWS) -> No action taken. [9BD76B14C57F006F3E71870F83F3063E]
     [...]
     Files Infected:
     C:\WINDOWS\system32\mdimon.dll (Trojan.PWS) -> No action taken. [9BD76B14C57F006F3E71870F83F3063E]
     C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll (Trojan.PWS) -> No action taken. [9BD76B14C57F006F3E71870F83F3063E]
  4. Well, I didn't post in the Malware HJT Log forum because this isn't malware as far as I know. But regardless, I think I got rid of it. I restored a registry backup from prior to installation, thus getting rid of the service entry, and manually deleted the CSHelper.exe file. Maybe not the most graceful solution, but it worked.
  5. Sorry, I didn't see your post before that. It isn't causing any problem in particular, it just makes me suspicious when a program appears out of nowhere like that. Plus, I've been trying recently to reduce the amount of programs I have installed but never use, not add more!
  6. My bad, it's actually ArtistScope, not ArtSoft. This is what Avira says about the service executable:
  7. I already asked, and supposedly this wasn't installed intentionally and there was nothing to suggest it was being installed. The only thing in add/remove programs related to it was something like "ArtSoft plugin", which I already removed, but it just removes the Firefox plugin and leaves the background service installed. I don't see any obvious uninstaller for the service on my hard drive, either...
  8. So today, after someone else had been using my computer for a while, this program called ArtSoft CopySafe appeared on it. Now, nobody seems to know how this program got on the computer. It consists of a service (set to start automatically) and a Firefox plugin, but the uninstaller only removes the plugin while leaving the service to continue running automatically forever. Another strange thing is that the program's icon is loaded from a temporary folder. On the other hand, the service executable comes back clean at VirusTotal and "known clean" from Avira. But why would a legitimate program magically install itself onto my computer without any means to fully remove it? Does anyone know what the deal is with this program, and is there a better way to remove the service than by setting it to disabled and deleting the executable? I tried to find removal instructions on Google, but the only thing I found was another tale of this program appearing on someone's computer with no obvious means of removal, and no answer as to how to remove it...
  9. I was wondering whether someone could clarify what the status is of Malwarebytes and CouponBar. I used to see MBAM detect several components of this program as Adware.Coupons, but months ago the detections disappeared with some database update. Now, a recent database update has brought back 4 of these detections... What's going on here? Is MBAM supposed to detect this program or not?
  10. Are these trojan.agent detections false positives? They all seem to show up when MSWINSCK.OCX is scanned, not during the registry scan. VirusTotal analysis for MSWINSCK.OCX
  11. I'm using the free version, too. It doesn't usually ask me to reboot when updating, but the latest update did (only one installation out of two, though). I'm just trying to figure out why one MBAM installation asked me to reboot and the other didn't. And if it's not the expected behavior, I want to make sure the developers know about it. I agree.
  12. I'm seeing this same sort of behavior with version 1.39. On my main machine, it asked me to reboot after installation, but on a virtual machine, it behaved just like the first post described. No reboot prompt, no "the program had been updated" message, nothing. Also, the database was not automatically updated in either case. Both program installations seem to work fine, though, as far as I can tell.
  13. I've had trouble finding information about these files, but as far as I know, they are used by a certain type of setup program. I've seen them when installing other legitimate programs as well. The file name tends to be is-[random string].exe, which makes it hard to find info about it. It also has an associated .lst file and a .msg file. I uploaded all of these to VirusTotal and got no detections from them. The file is-[random string].exe is added to the system startup programs list, then deleted after it has run once. The purpose of this file is apparently to register some other files, and these files are specified in the .lst file. According to the .lst file added during setup of the latest version of MBAM, it registers the following files in this case, all in the MBAM program folder:
      mbamext.dll
      ssubtmr6.dll
      vbalsgrid6.ocx
      If you want to look it up, a common string associated with these files is InnoRegSetupFile. BleepingComputer thinks they're safe: http://www.bleepingcomputer.com/startups/i....exe-16618.html It appears that MBAM has begun to use this type of setup file as of the latest version, 1.39.
  14. Version 1.39 hasn't been officially announced in the announcements forum, for one reason or another, but its release was mentioned here: http://www.malwarebytes.org/forums/index.p...ost&p=98022 The download page (linked in that post) also mentions it.
  15. Hi, today I went to update MBAM and it downloaded the new version. At first it went as usual, installing the new files. Spybot asked whether I wanted to allow the new startup entry from MBAM, which I declined since I use the free version, as I always do when updating. After that, past versions have just told me that they were successfully installed, but the new version asked me to restart my computer. Spybot also asked about an InnoSetupRegFile startup entry, which I allowed before rebooting since it was from MBAM. There's no apparent problem here, and the setup entry was deleted after the reboot, as expected. But then, I decided to update an MBAM installation on a virtual machine as well, and something is different about it. After I decline the MBAM startup entry addition, MBAM doesn't seem to do anything else. It doesn't ask me to reboot nor give me a message stating that the update finished successfully, MBAM doesn't reopen, and Spybot doesn't ask about an InnoSetupRegFile startup entry. There's no obvious MBAM-related process listed in task manager, either. So I deleted the changes to my virtual machine, tried again, same result. Then I deleted the changes once again, tried one more time, and this time allowed the MBAM startup entry. But MBAM still doesn't do anything else... The program does seem to work correctly afterward, though. Is this supposed to happen?
  16. Is this a bug? Since updating to 1.38, MBAM keeps downloading the latest database version, even if I already have it. I checked for updates, and after downloading, MBAM told me "the database has been successfully updated from version 2299 to version 2299." To verify the problem, I closed the program, opened it again, and checked for updates again. Same thing.
  17. I agree, and thanks for confirming these as FPs.
  18. You mean SUPER.exe? http://www.virustotal.com/analisis/08751b5...6f8e-1244695780 5 detections, that's far from a majority, but still enough to be suspicious. But on the other hand, 4 of them are heuristic detections, and the other looks like a detection of the file's compression scheme. I just find it hard to believe that SUPER, a fairly well-known program (or so it seems to me), is a trojan but hasn't been assigned a specific detection by any major antivirus vendors...
  19. I think I'll wait for the verdict from someone at Malwarebytes before I make that decision.
  20. Never mind my previous question, I restored the files and zipped them. meta4.zip
  21. I found MBAM's quarantine. Is it alright to zip up the quarantined files and submit them?
  22. No sign of the files on my virtual machine after installing the program, then converting a few files and rebooting for good measure. Strange. Maybe they were only added by older versions, and then never removed? I've had older versions on my machine before. Do I need to restore the files to submit them? If not, where do I find the quarantined files?
  23. I still have the previous version (2009.build.35), I didn't know there was a new one. I haven't added any additional add-ons for the program. I'm 99% sure I got it from erightsoft.com, but it's been a while. I don't know for sure whether those files are supposed to be part of SUPER or not, that's just what I found elsewhere on the web. But some people with SUPER don't have those files... I still have the same installer I used, so I think I'll install it on a virtual machine and see whether those files show up.
  24. New detections after updating my MBAM database today... a quick Google search suggests these files are added by SUPER, a popular video converter which I have installed. Apparently they have a history of detection by antivirus software, some of which have later removed the detection as false positives. They do get some hits on VirusTotal, though. What do you think? The "hijack" entries are unrelated changes that I made myself and haven't set MBAM to ignore.