ky331

Honorary Members
  • Posts

    202
Everything posted by ky331

  1. stang, the liutilities article is more than "confusing" --- it's in fact clearly self-contradictory, as i've noted in my post timed 7:51
  2. miekiemoes, I likewise thank you for your prompt response here. Observation: I believe the liutilities page you linked to has part of its explanation backwards: their directions, under Description, assert: "Now, right-click and modify string value checkexesignatures, in the right panel, to yes which can disable signature verification". in fact, lower down, under Registry Entries, it (correctly) states: Enabled Value: Yes Disabled Value: No
  3. same here. not saying that MBAM is "wrong", just wondering what these entries are "suddenly" testing for?
  4. I just recently questioned the RE-inclusion of this (after it was removed months ago) here: http://www.malwarebytes.org/forums/index.php?showtopic=13986
  5. The file in question, to the best of my knowledge, is part of the DELL Support program --- see Buitoni's response at the bottom of this thread: http://www.malwarebytes.org/forums/index.p...art=#entry53644
     Let me stress that what I'm trying to question is that this file/detection was considered back in December '08, removed from MBAM's database at that point, but apparently reinstated "now" --- has something "changed" in the interim? If the verdict is that this is malware, I will accept it. Just that such a finding might impact any DELL users that have the support program installed.
     ---------------------------
     at Jotti, 6 (out of 20) scanners objected to this file:
     A-squared Found Riskware.AdWare.Win32.Gdown!IK
     antivir Found ADSPY/Gdown
     Dr. Web Found Adware.Gdown
     Ikarus Found not-a-virus:AdWare.Win32.Gdown
     QuickHeal Found Trojan.Agent.IRC
     VBA32 Found Adware.Gdown
     -----------------------
     at VirusTotal, 13 (out of 38) scanners objected to this file:
     A-square: Riskware.AdWare.Win32.Gdown!IK
     AntiVir: ADSPY/Gdown
     CAT-QuickHeal: Trojan.Agent.IRC
     Comodo: Unclassified Malware
     Dr. Web: Adware.Gdown
     Fortinet: Adware_GTDown
     Ikarus: not-a-virus:AdWare.Win32.Gdown
     K7AntiVirus: Trojan.Win32.Malware.1
     McAfee: potentially unwanted program Generic PUP
     McAfee+Artimus: potentially unwanted program Generic PUP
     McAfee-GW-Edition: Ad-Spyware.Gdown
     NOD32: probably a variant of Win32/Adware.Agent
     VBA32: Adware.Gdown
  6. file hopefully zipped and attached... GTDownDE_87.zip
  7. as requested:
     Malwarebytes' Anti-Malware 1.36
     Database version: 1966
     Windows 5.1.2600 Service Pack 3
     4/11/2009 10:47:43 AM
     Scan type: Quick Scan
     Objects scanned: 81054
     Time elapsed: 5 minute(s), 32 second(s)
     Registry Keys Infected: 4
     Files Infected: 1
     Registry Keys Infected:
     HKEY_CLASSES_ROOT\TypeLib\{df058c45-cd18-453e-8745-5a77f60722ab} (Adware.Gdown) -> No action taken. [7070222519692669702622661824711867232024682317702567252169182424]
     HKEY_CLASSES_ROOT\Interface\{b5a33c35-7298-4d15-8753-a2e851e2eab3} (Adware.Gdown) -> No action taken. [7070222519692669702622661824711867232024682317702567252169182424]
     HKEY_CLASSES_ROOT\Interface\{f0d2b812-752d-4af1-a2fb-968c4d8446db} (Adware.Gdown) -> No action taken. [7070222519692669702622661824711867232024682317702567252169182424]
     HKEY_CLASSES_ROOT\CLSID\{e856b973-45fd-4559-8f82-eab539144667} (Adware.Gdown) -> No action taken. [7070222519692669702622661824711867232024682317702567252169182424]
     Files Infected:
     C:\WINDOWS\system32\GTDownDE_87.ocx (Adware.Gdown) -> No action taken. [7070222519692669702622661824711867232024682317702567252169182424]
  8. This file, and 4 related registry keys, had been considered in Dec. '08 (then in database 1497), here: http://www.malwarebytes.org/forums/index.p...art=#entry39944 and determined by Nosirrah to be safe/nonmalicious. Yet it's now being detected again in your recent databases (e.g., 1966)... has it been reinstated for good reason now, or is it a (repeat of an old) false positive?
     Malwarebytes' Anti-Malware 1.36
     Database version: 1966
     Windows 5.1.2600 Service Pack 3
     4/11/2009 10:31:50 AM
     Scan type: Quick Scan
     Objects scanned: 81009
     Time elapsed: 11 minute(s), 30 second(s)
     Registry Keys Infected: 4
     Files Infected: 1
     Registry Keys Infected:
     HKEY_CLASSES_ROOT\TypeLib\{df058c45-cd18-453e-8745-5a77f60722ab} (Adware.Gdown) -> No action taken.
     HKEY_CLASSES_ROOT\Interface\{b5a33c35-7298-4d15-8753-a2e851e2eab3} (Adware.Gdown) -> No action taken.
     HKEY_CLASSES_ROOT\Interface\{f0d2b812-752d-4af1-a2fb-968c4d8446db} (Adware.Gdown) -> No action taken.
     HKEY_CLASSES_ROOT\CLSID\{e856b973-45fd-4559-8f82-eab539144667} (Adware.Gdown) -> No action taken.
     Files Infected:
     C:\WINDOWS\system32\GTDownDE_87.ocx (Adware.Gdown) -> No action taken.
  9. "mbamgui.exe /install /silent" will only RUN ONCE (when you install a new/updated version of MBAM); after that, subsequent startups will show "mbamgui.exe /starttray", which results in an MBAM icon appearing in your system tray, and an MBAM service running in the background. these can be disabled by issuing the following command from a DOS/command prompt:
     "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /uninstall
     after which, you can continue to run MBAM as an on-demand scanner.
     you can also stop SAS from auto-loading at startup: double-click on the sas/bug icon in your system tray, select PREFERENCES, be sure it opens to the GENERAL AND STARTUP tab, and under START-UP OPTIONS, UNcheck the box marked START SUPERAntiSpyware WHEN WINDOWS STARTS, and then close the window.
     ----
     I am not familiar with NoScript.
     SpywareBlaster sets "kill-bits" that stop known bad ActiveX controls from loading in internet explorer. it places known bad URLs into IE's "restricted zone", which limits what can be done by these sites. it blocks known bad cookies from being accepted by IE, and by Firefox. In short: download the program, install it. check for updates, and enable all protection. note: spywareblaster (free version) does not automatically check for updates... you should do so manually, every two or three weeks. when a new update is obtained, enable any new protection. spywareblaster has other features, but i can't get into all of them here. for further information, see the following tutorial: http://www.bleepingcomputer.com/tutorials/tutorial49.html
  10. to clarify a bit further: the free versions of mbam/sas, being "only" on-demand scanners... do NOT offer up-front "protection"... malware CAN get through. rather, these on-demand scanners can CLEAN UP the problem, after-the-fact. it is the resident programs that offer PREVENTION/PROTECTION, not allowing bad stuff to get through in the first place. there is also another class of "protection" programs, such as SpywareBlaster, that offer "protection by immunization"... and have the advantage of not using up any significant system resources. SpywareBlaster can be used in conjunction with all the aforementioned programs.
  11. Yes, I have installed, and use all three without any conflicts/problems: 1) avast! antivirus [free version] offers resident (continually-running in real-time) anti-virus protection, and some degree of resident anti-spyware protection. 2) in contrast, malwarebytes anti-malware and superAntiSpyware [free versions] do not offer resident protection, so there is no basis for a conflict here: rather, each is simply an on-demand scanner/remover. each scan may be run with avast resident. [note that the PAID versions of MBAM and SAS *do* offer resident protection, so using these could indeed result in conflicts] as for the "need", most people advocate using at least two on-demand anti-malware scanners. while there is no absolute ranking here, based on my own personal experience, and what i have read from trusted sources, i would say that MBAM, SAS, and A-squared (not necessarily in any particular order) are the top candidates [among free programs], and clearly outshine the "competition". among free anti-virus programs, avira's antivir is also a great choice (alternative to avast)... but only ONE resident anti-virus program should be used.
  12. the other thread was reporting/indicating that the detection of Adobe Reader entries as "adware.cinmus" in database 1351 was a FP (=False Positive)... meaning that it should NOT have been "detected" by MBAM --- such detection was a mistake --- and MBAM has fixed their error with creation of database 1352. if you quarantined these particular entries, they should be restored from quarantine. if you deleted these entries, check to see if adobe reader is functioning properly... and if you have any problems with it, you might need to reinstall reader.
  13. Malwarebytes' Anti-Malware 1.30
      Database version: 1351
      Windows 5.1.2600 Service Pack 3
      11/1/2008 11:31:37 AM
      Scan type: Quick Scan
      Registry Keys Infected: 4
      Registry Keys Infected:
      HKEY_CLASSES_ROOT\acroiehelper.acroiehlprobj (Adware.Cinmus) -> No action taken.
      HKEY_CLASSES_ROOT\acroiehelper.acroiehlprobj.1 (Adware.Cinmus) -> No action taken.
      HKEY_CLASSES_ROOT\CLSID\{06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (Adware.Cinmus) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (Adware.Cinmus) -> No action taken.
      ==================================
      for the CLSID, see http://www.castlecops.com/tk82-AcroIEhelpe...helper_dll.html
  14. Bruce, Thank you for your amazingly prompt response. I truly admire all the work that you, Marcin, and the rest of the team have accomplished here. Best wishes for continued success.
  15. in response to the question of using MBAM resident in combination with Windows Defender, Hardhead replied that there was no conflict, and indeed runs both; and JeanInMontanna seemed to offer no objection either. However, I made the same inquiry several months back, and received a contradictory response from Nosirrah (Bruce) here: http://www.malwarebytes.org/forums/index.p...art=#entry12699 "MBAM is more like Defender and they should not be used together if both are in protection mode . This is just like having two antivirus applications installed at the same time , conflicts can happen." My question: Has something changed? For example, is the new protection module (implemented with version 1.29) now considered "Defender compatible"? Or does Bruce still stand by his view? [which, for the record, I highly respect --- I do not mean for this question to challenge his authority, rather, only to see if perhaps the circumstances have changed over time.]
  16. A perhaps related question: in the PAID version, it seems that the new MBAM service is automatically loaded at startup, regardless of whether protection is enabled or DISabled... is that the way it's supposed to be? -- what purpose does the service perform when protection is DISabled; i.e., if someone is using the PAID version only as an on-demand scanner??
  17. confirming fixed in database 1207 as always, thanks for the amazingly prompt response!
  18. Malwarebytes' Anti-Malware 1.28
      Database version: 1206
      Windows 5.1.2600 Service Pack 3
      9/25/2008 7:25:55 PM
      Scan type: Quick Scan
      Files Infected: 1
      Files Infected:
      C:\WINDOWS\system32\pmspl.dll (Trojan.Agent) -> No action taken.
      ----------------------------
      pmspl.dll = Microsoft LAN Manager 2.1 Network Dynamic Link Library for Microsoft Windows
      File version 2.10.0.1
      ----------------------------
      EDIT: If it helps, the detection was part of the heuristic scanning phase
  19. the folder was created (dated) 1/1/2007, and had not been flagged in prior MBAM scans. I also just encountered the same detection on a second machine [used by another person --- so i think it unlikely that we both "stumbled" upon the same "malware" in the last day or so...]
  20. Malwarebytes' Anti-Malware 1.25
      Database version: 1096
      Windows 5.1.2600 Service Pack 3
      Scan type: Quick Scan
      Objects scanned: 46658
      Time elapsed: 4 minute(s), 4 second(s)
      Folders Infected: 1
      Folders Infected:
      C:\WINDOWS\PIF (Trojan.Agent) -> No action taken.
      -------------------------------------
      as best as i can determine, this is a hidden folder, which is empty
  21. f/p has been fixed, in version 1085. thanks for the amazing response
  22. f/p has been fixed, in version 1085. thanks for the amazing response!
  23. add me to the list as well http://www.malwarebytes.org/forums/index.p...;hl=oembios.dat