xx521xx

Posts posted by xx521xx

  1. I think this is some bloatware included with audio drivers. VirusTotal has one heuristic hit: link

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\alcmtr (Trojan.Refroso.Gen) -> No action taken. [8F9E1CA5A6BDC2184E8AA20A36A1F8C0]

    ...

    Files Infected:

    C:\WINDOWS\ALCMTR.EXE (Trojan.Refroso.Gen) -> No action taken. [8F9E1CA5A6BDC2184E8AA20A36A1F8C0]

    ALCMTR.zip

  2. Two possible false positives that appeared recently, with no hits at VirusTotal: mdimon.dll and mdippr.dll.

    Memory Modules Infected:

    C:\WINDOWS\system32\mdimon.dll (Trojan.PWS) -> No action taken. [9BD76B14C57F006F3E71870F83F3063E]

    C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll (Trojan.PWS) -> No action taken. [9BD76B14C57F006F3E71870F83F3063E]

    [...]

    Files Infected:

    C:\WINDOWS\system32\mdimon.dll (Trojan.PWS) -> No action taken. [9BD76B14C57F006F3E71870F83F3063E]

    C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll (Trojan.PWS) -> No action taken. [9BD76B14C57F006F3E71870F83F3063E]

  3. I already asked, and supposedly this wasn't installed intentionally and there was nothing to suggest it was being installed. The only thing in add/remove programs related to it was something like "ArtSoft plugin", which I already removed, but it just removes the Firefox plugin and leaves the background service installed. I don't see any obvious uninstaller for the service on my hard drive, either...

  4. So today, after someone else had been using my computer for a while, this program called ArtSoft CopySafe appeared on it. Now, nobody seems to know how this program got on the computer. It consists of a service (set to start automatically) and a Firefox plugin, but the uninstaller only removes the plugin while leaving the service to continue running automatically forever. Another strange thing is that the program's icon is loaded from a temporary folder.

    On the other hand, the service executable comes back clean at VirusTotal and "known clean" from Avira. But why would a legitimate program magically install itself onto my computer without any means to fully remove it? Does anyone know what the deal is with this program, and is there a better way to remove the service than by setting it to disabled and deleting the executable? I tried to find removal instructions on Google, but the only thing I found was another tale of this program appearing on someone's computer with no obvious means of removal, and no answer as to how to remove it...

  5. I was wondering whether someone could clarify what the status is of Malwarebytes and CouponBar. I used to see MBAM detect several components of this program as Adware.Coupons, but months ago the detections disappeared with some database update. Now, a recent database update has brought back 4 of these detections...

    What's going on here? Is MBAM supposed to detect this program or not?

  6. Are these trojan.agent detections false positives? They all seem to show up when MSWINSCK.OCX is scanned, not during the registry scan. VirusTotal analysis for MSWINSCK.OCX

    Malwarebytes' Anti-Malware 1.40

    Database version: 2553

    Windows 5.1.2600 Service Pack 3

    8/3/2009 7:52:14 PM

    mbam-log-2009-08-03 (19-52-12).txt

    Scan type: Quick Scan

    Objects scanned: 116974

    Time elapsed: 1 minute(s), 55 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 5

    Registry Values Infected: 1

    Registry Data Items Infected: 1

    Folders Infected: 0

    Files Infected: 1

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    HKEY_CLASSES_ROOT\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d} (Trojan.Agent) -> No action taken. [41345241307025661918261766267025707022702269197017672226266767712669696623]

    HKEY_CLASSES_ROOT\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d} (Trojan.Agent) -> No action taken. [41345241307025661918261766267025707022702269197017672226266767712669696623]

    HKEY_CLASSES_ROOT\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d} (Trojan.Agent) -> No action taken. [41345241307025661918261766267025707022702269197017672226266767712669696623]

    HKEY_CLASSES_ROOT\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d} (Trojan.Agent) -> No action taken. [41345241307025661918261766267025707022702269197017672226266767712669696623]

    HKEY_CLASSES_ROOT\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d} (Trojan.Agent) -> No action taken. [41345241307025661918261766267025707022702269197017672226266767712669696623]

    Registry Values Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken. [385753513430414438586436545151384753645452385161524839535634513861467468838084807185615674796980888461368683837079855570838474807961498077746874708461388981778083708393398083687036776684847468368079858380774966797077]

    Registry Data Items Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken. [513849453436383041443858643654515138475364545238516152483953563451386146746883808480718561567479698088846136868383707985557083847480796149807774687470846138898177808370839347805246417077813018130117]

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\WINDOWS\system32\MSWINSCK.OCX (Trojan.Agent) -> No action taken. [41345241307025661918261766267025707022702269197017672226266767712669696623]
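As an added example (not from the post and not Malwarebytes code), a parser for the log layout quoted above that separates the summary counts from the per-section detections, lists what the scan left in place, and groups entries by the bracketed signature id, which is how the registry keys and the OCX above can be seen to share one id. The sample log, paths, detection names and ids are constructed placeholders.

```python
import re

# Constructed sample in the layout of the MBAM log quoted above; paths, detection names and ids are placeholders.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{00000000-0000-0000-0000-000000000001} (Trojan.Agent) -> No action taken. [AAAA1111]
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002} (Trojan.Agent) -> No action taken. [AAAA1111]

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Example\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken. [BBBB2222]

Files Infected:
C:\WINDOWS\system32\EXAMPLE.OCX (Trojan.Agent) -> No action taken. [AAAA1111]
C:\WINDOWS\sample.exe (Trojan.Agent) -> Quarantined and deleted successfully. [CCCC3333]
"""

# "<path> (<detection>) -> <action>. [<signature id>]"; the action itself may contain "->".
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.(?: \[(?P<sig>\w*)\])?$")
# "Files Infected: 2" is a summary count; a bare "Files Infected:" opens a detail section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")

def parse_mbam_log(text):
    """Return (summary counts, detected items) from an MBAM scan log."""
    counts, items, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("(No malicious"):
            continue
        if (m := SECTION_RE.match(line)):
            if m.group("count") is None:
                section = m.group("name")  # entering a detail section
            else:
                counts[m.group("name")] = int(m.group("count"))
        elif section and (m := ITEM_RE.match(line)):
            items.append({"section": section, **m.groupdict()})
    return counts, items

def left_in_place(items):
    """Paths the scan reported but did not quarantine ('No action taken', etc.)."""
    return [i["path"] for i in items if not i["action"].startswith("Quarantined")]

def group_by_signature(items):
    """Paths per signature id: one id across registry keys and a file is one rule firing."""
    groups = {}
    for i in items:
        groups.setdefault(i["sig"], []).append(i["path"])
    return groups
```

Feeding a real log through `parse_mbam_log` and comparing `counts` with the number of items per section is a quick way to spot a truncated paste before asking about it.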

  7. xx521xx, I've never had Malwarebytes ask for a reboot after a program update, but then I'm using the free version.

    I'm using the free version, too. It doesn't usually ask me to reboot when updating, but the latest update did (only one installation out of two, though). I'm just trying to figure out why one MBAM installation asked me to reboot and the other didn't. And if it's not the expected behavior, I want to make sure the developers know about it.

    From what I can see, the Malwarebytes developers are very interested in how their product performs and very responsive to feedback, which I think is great!

    I agree. :(

  8. I'm seeing this same sort of behavior with version 1.39. On my main machine, it asked me to reboot after installation, but on a virtual machine, it behaved just like the first post described. No reboot prompt, no "the program had been updated" message, nothing. Also, the database was not automatically updated in either case. Both program installations seem to work fine, though, as far as I can tell.

  9. I've had trouble finding information about these files, but as far as I know, they are used by a certain type of setup program. I've seen them when installing other legitimate programs as well. The file name tends to be is-[random string].exe, which makes it hard to find info about it. It also has an associated .lst file and a .msg file. I uploaded all of these to VirusTotal and got no detections from them. The file is-[random string].exe is added to the system startup programs list, then deleted after it has run once.

    The purpose of this file is apparently to register some other files, and these files are specified in the .lst file. According to the .lst file added during setup of the latest version of MBAM, it registers the following files in this case, all in the MBAM program folder:

    mbamext.dll

    ssubtmr6.dll

    vbalsgrid6.ocx

    If you want to look it up, a common string associated with these files is InnoRegSetupFile. BleepingComputer thinks they're safe:

    http://www.bleepingcomputer.com/startups/i....exe-16618.html

    It appears that MBAM has begun to use this type of setup file as of the latest version, 1.39.

  10. Hi, today I went to update MBAM and it downloaded the new version. At first it went as usual, installing the new files. Spybot asked whether I wanted to allow the new startup entry from MBAM, which I declined since I use the free version, as I always do when updating. After that, past versions have just told me that they were successfully installed, but the new version asked me to restart my computer. Spybot also asked about an InnoSetupRegFile startup entry, which I allowed before rebooting since it was from MBAM. There's no apparent problem here, and the setup entry was deleted after the reboot, as expected.

    But then, I decided to update an MBAM installation on a virtual machine as well, and something is different about it. After I decline the MBAM startup entry addition, MBAM doesn't seem to do anything else. It doesn't ask me to reboot nor give me a message stating that the update finished successfully, MBAM doesn't reopen, and Spybot doesn't ask about an InnoSetupRegFile startup entry. There's no obvious MBAM-related process listed in task manager, either. So I deleted the changes to my virtual machine, tried again, same result. Then I deleted the changes once again, tried one more time, and this time allowed the MBAM startup entry. But MBAM still doesn't do anything else... The program does seem to work correctly afterward, though.

    Is this supposed to happen?

  11. You mean SUPER.exe?

    http://www.virustotal.com/analisis/08751b5...6f8e-1244695780

    5 detections, that's far from a majority, but still enough to be suspicious. But on the other hand, 4 of them are heuristic detections, and the other looks like a detection of the file's compression scheme. I just find it hard to believe that SUPER, a fairly well-known program (or so it seems to me), is a trojan but hasn't been assigned a specific detection by any major antivirus vendors...

  12. No sign of the files on my virtual machine after installing the program, then converting a few files and rebooting for good measure. Strange. Maybe they were only added by older versions, and then never removed? I've had older versions on my machine before.

    Do I need to restore the files to submit them? If not, where do I find the quarantined files?

  13. I still have the previous version (2009.build.35), I didn't know there was a new one. I haven't added any additional add-ons for the program. I'm 99% sure I got it from erightsoft.com, but it's been a while. I don't know for sure whether those files are supposed to be part of SUPER or not, that's just what I found elsewhere on the web. But some people with SUPER don't have those files... I still have the same installer I used, so I think I'll install it on a virtual machine and see whether those files show up.

  14. New detections after updating my MBAM database today... a quick Google search suggests these files are added by SUPER, a popular video converter which I have installed. Apparently they have a history of detection by antivirus software, some of which have later removed the detection as false positives. They do get some hits on VirusTotal, though. What do you think?

    The "hijack" entries are unrelated changes that I made myself and haven't set MBAM to ignore.

    Malwarebytes' Anti-Malware 1.37

    Database version: 2259

    6/10/2009 5:13:09 PM

    mbam-log-2009-06-10 (17-13-09).txt

    Scan type: Quick Scan

    Objects scanned: 101545

    Time elapsed: 1 minute(s), 22 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 1

    Registry Data Items Infected: 1

    Folders Infected: 0

    Files Infected: 2

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Not selected for removal. [385753513430414438586436545151384753645452385161524839535634513861467468838084807185615674796980888461368683837079855570838474807961498077746874708461388981778083708393398083687036776684847468368079858380774966797077]

    Registry Data Items Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Not selected for removal. [513849453436383041443858643654515138475364545238516152483953563451386146746883808480718561567479698088846136868383707985557083847480796149807774687470846138898177808370839347805246417077813018130117]

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    c:\WINDOWS\meta4.exe (Trojan.Agent) -> Quarantined and deleted successfully. [41345241302324712218671866251971671818676767266921252371246870211868692022]

    c:\WINDOWS\MOTA113.exe (Trojan.Agent) -> Quarantined and deleted successfully. [41345241307166712623701720671720241922676825182368181869226671171726232518]
