Double
Honorary Members
Posts: 47

Posts posted by Double

  1. Hi, I've been visiting this site for years, and woke up today to find it blocked. It had to have happened Feb 7. Could someone please look into this? hxxp://www.gamebanana.com/

  2. Hi, I've recently installed 3.0.5 and have been having troubles with my system. Many of my 'startup' applications no longer run after a reboot (e.g. and are missing from the toolbar). A couple of these programs refuse to stay running, shortly after opening them. The anti-exploit module is broken, and the MBAM system tray icon is missing.

    I've uninstalled MBAM, and while many of the startup applications are opening normally again, a couple of them have not, which suggests that 3.0.5 did something that I have no way of knowing how to fix. I did perform 'sfc scannow' and it turned up normal, so maybe there is some hope in fixing this?

    In the meantime, is there a trusted source where I can download a previous version of Malwarebytes? Is there an archive somewhere? I'll take anything that's recent from 2.0 if possible.

  3. I'm on 3.0 and tried to manually update to the latest version, but I got the error message in the first screenshot while trying to install it. I then uninstalled Malwarebytes, and got the same message while trying to install it again.

    I read somewhere that I should delete the mbae64.sys file in C:\Windows\System32\drivers, then to try installing it again, but I can't (see 2nd screenshot). Apparently the file is being used by something, but I can't identify it in the Task Manager. I'm running as administrator and even restarted. Nothing helps.

    I looked inside the Program Files\Malwarebytes\Anti-Malware folder and there is this mbae.dll file inside (3rd screenshot). I had Anti-Exploit installed before 3.0, but after 3.0 I don't know why this file still exists. My system has been acting wonky ever since this went down. Some programs will open, but won't stay running.

    Please help.

    Attachments: Capture.PNG, Capture2.PNG, Capture.PNG

  4. Hi, I visit a certain forum occasionally, and usually when I do, I run across a blocked connection to 'yuq.me'. What is it, and is it a false positive?

     

    This (hxxp ://www. theisozone .com/forum/viewtopic.php?f=38&t=30007&p=241106&hilit=download+cloustores#p241106) prompted the website block. It links to a thread at The Iso Zone (www.theisozone.com), a friendly emulator community site/forum. By the way, have an adblocker ready just in case.

  5. Thanks Spud for sharing that link, it was really interesting.

     

    I do have a question though, if you've got a PC with 80,000 images on it, and Malwarebytes said everything was clean, is it considered safe?

     

    I use Visipics to separate duplicates, and of the dupes it occasionally finds, the differences I find in some of these images are only related to bytes (KB/MB), not dimension or filetype. I always keep the images with the larger byte size because I feel like I'm saving the original file, keeping in mind that they might have been saved as PNG and re-converted by some as a JPG.

  6. Is this a false positive? MBAM seems to have blocked this IP multiple times in one visit attempt. Found at http://oncelebrity.com/; it doesn't seem like a bad site.

    Posted log below:

     
    Update, 6/4/2014 12:29:57 AM, SYSTEM, FONTAINE, Manual, Malware Database, 2014.6.4.1, 2014.6.4.2, 
    Protection, 6/4/2014 12:29:59 AM, SYSTEM, FONTAINE, Protection, Refresh, Starting, 
    Protection, 6/4/2014 12:29:59 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, Stopping, 
    Protection, 6/4/2014 12:29:59 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, Stopped, 
    Protection, 6/4/2014 12:30:27 AM, SYSTEM, FONTAINE, Protection, Refresh, Success, 
    Protection, 6/4/2014 12:30:27 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, Starting, 
    Protection, 6/4/2014 12:30:27 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, Started, 
    Detection, 6/4/2014 12:47:56 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57685, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
    Detection, 6/4/2014 12:47:56 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57686, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
    Detection, 6/4/2014 12:47:57 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57685, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
    Detection, 6/4/2014 12:47:57 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57687, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
    Detection, 6/4/2014 12:47:57 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57688, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
    Detection, 6/4/2014 12:47:59 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57689, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
    Detection, 6/4/2014 12:47:59 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57690, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
    Detection, 6/4/2014 12:47:59 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57691, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
     
    (end)
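
    Added example (not from the post or from Malwarebytes): a small Python parser for the comma-separated MBAM 2.x protection-log format quoted above that collapses the repeated Detection lines into one record per destination, so a reader can tell one page visit opening several connections apart from several separate visits. It assumes the port column holds the client-side ephemeral port (as the 57xxx values suggest); the sample lines are re-typed from the log above.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample: a subset of the protection log quoted in the post,
# re-typed here. Same IP/domain as the post; the 57xxx values are taken
# to be the client-side ephemeral ports (assumption).
SAMPLE_LOG = r"""
Update, 6/4/2014 12:29:57 AM, SYSTEM, FONTAINE, Manual, Malware Database, 2014.6.4.1, 2014.6.4.2, 
Protection, 6/4/2014 12:30:27 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, Started, 
Detection, 6/4/2014 12:47:56 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57685, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/4/2014 12:47:56 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57686, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/4/2014 12:47:57 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57685, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/4/2014 12:47:59 AM, SYSTEM, FONTAINE, Protection, Malicious Website Protection, IP, 93.184.69.189, oncelebrity.com, 57691, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
"""
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # timestamp style used by the log


def parse_detections(text):
    """Yield one dict per 'Detection' line of Malicious Website Protection."""
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        row = [f.strip() for f in row]
        # Update/Protection housekeeping lines and blank lines carry no block.
        if not row or row[0] != "Detection" or len(row) < 12 or row[6] != "IP":
            continue
        yield {
            "time": datetime.strptime(row[1], TS_FORMAT),
            "ip": row[7], "domain": row[8], "port": int(row[9]),
            "direction": row[10], "process": row[11],
        }


def summarise_blocks(text):
    """Collapse per-connection block events into one record per destination.
    Events seconds apart that differ only in the client port are one page
    visit opening several TCP connections, not several separate visits."""
    groups = defaultdict(list)
    for d in parse_detections(text):
        groups[(d["ip"], d["domain"], d["process"])].append(d)
    summary = {}
    for (ip, domain, process), events in groups.items():
        times = [e["time"] for e in events]
        summary[(ip, domain)] = {
            "process": process,
            "events": len(events),
            "distinct_ports": len({e["port"] for e in events}),
            "span_seconds": (max(times) - min(times)).total_seconds(),
        }
    return summary
```

    On the sample the four Detection lines reduce to one destination reached over three connections within three seconds from chrome.exe, which is what a single page load looks like in this log.
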
  7. I can also see how malware might want to fool around with it.

     

    Still, couldn't MBAM do a better job of differentiating a change made by the user, and one made by malware? I'm glad that it is at least labeled as a 'PUM', but this only appears on MBAM 2.0, and isn't as helpful to the less savvy.

     

    For the longest time, I had been led to believe that I was infected with a malware that was extremely conniving and hard to kill, 'jumping' from new installation to new installation, when the real cause was actually customizing the interface every time I set up one of these 'new installations'.

     

    If I could have been given that answer a lot sooner, I would not have reinstalled my system as many times as I have.

  8. Being this is an intentional change by you from default Windows that most users would not make, it would be safe to unquarantine the detection and add this to the ignore list.

     

    You're right in that the change you made by installing xplorer2 is what causes the detection. We have no way of telling if it's intentional by you or malware doing it, that is why we detect it as a potentially unwanted modification.

    I am beginning to think the same thing, but how do I know that it's okay to release back into the wild? I've been using the product and it seems to run fine as it is, but I'm wondering if the PUM has since been reapplied. I may do another scan to check.

     

    I attached the MBAM log and a screenshot indicating that the 'Windows Explorer replacement' feature is currently enabled. No idea if this PUM would have appeared if I had not asked it to replace Windows Explorer during the install.

     

    Attachments: pCeTtH8.jpg, log.txt

  9. Hi, I recently reinstalled my system to refresh some things, I do this occasionally. Before I reinstalled I did a scan with MBAM, everything came up clean. After reinstalling all my programs on the new installation, I received a notification from MBAM that it had found 'PUM.Hijack.StartMenu' during a routine scan.

     

    The programs I installed were from their official sites, others using Ninite (https://ninite.com/). I then decided to download a paid app called Xplorer2 (http://www.zabkat.com/) which I have abandoned in the past, because I thought it was the cause for a "Hijack.Drives" I caught long ago. For those unaware, Xplorer2 is basically a Windows Explorer replacement.

     

    I am beginning to think Xplorer2 is the same reason for the 'PUM.Hijack.StartMenu' I just caught. There is a setting inside Xplorer2 which allows you to make Xplorer2 the 'default' explorer, which does have to make necessary changes to the registry in order for the app to trigger in place of Windows Explorer. I'll attach an image of this feature and the MBAM log in the coming hours.

     

    What do you guys think? Is this a legitimate find, or should I un-quarantine it from MBAM if it's needed for Xplorer2? 'Hijack.Drives' is likely similar to 'PUM.Hijack.Startmenu', just sounds slightly different because of the new MBAM 2.0 interface, but I could be wrong.

     

    I found this little bit from Malwaretips.com:

    PUM.Hijack.StartMenu is a specific detection used by Malwarebytes Anti-Malware and other antivirus products to indicate and detect a Potentially Unwanted Modification.

     

    The PUM.Hijack.StartMenu detections are not actually false positives or actual infections but rather settings which may have been changed by various programs.
    A PUM (Potentially Unwanted Modification) is an unwanted change made to your computer’s settings. PUMs can be performed by both legitimate applications and malware, though changes made by malware are more likely to cause serious problems.
    PUMs often modify settings at the system level. On Windows systems, this usually involves modifying the Windows registry.
    PUM.Hijack.StartMenu is a modification in the Windows Registry which will hijack your Windows Start Menu. While there are a few legitimate programs that may trigger this behavior, in most cases this modification is due to a computer infection.

     

  10. Take a look at the source code and then do a search for

    jpg

    And see all the different links that the images are being loaded from in real time.

    Sorry, I think I've misunderstood this part. What are you trying to say here? Source code? How to search with the jpg extension? Real time?

     

    Hi, Double: :)

     

    In addition to what JLG advised, it sounds from what you describe as if MBAM IP-blocking is doing its job.

     

    Thanks,

     

    daledoc1

     

    P.S. You mentioned that you ran MBAM scan in Safe Mode. That's not how it was designed to work. It's best run in normal Windows mode. Safe mode scanning is only for use if it cannot run normally because of severe infection. In that case, there are other tools, such as Chameleon, that can be used to run it. <just sayin'>

    Thanks, I'll keep that advice in mind, but it's hard to believe it was designed to be run that way only.

     

    Ever since I got caught up in the Internet Security 2010 malware years ago, it sort of conditioned me to enter safe mode by default. I laugh at the infection now, but it was scary back then. I should also mention that in the past, I have found additional infections in safe mode that otherwise would not have been found in normal Windows.

  11. The reason it blocks is simple. Google is not hosting those images, it is linking to them - so when you view those images you are, for all intents and purposes, already visiting the site.

     

    Google recently made changes to Gmail, they now host content sent from every email. It's probably impossible for them to host every image on Google Images, considering how expansive the World Wide Web is.

     

    Another thing worth noting, pictures of all kinds can trigger these IP blocks, but you've got to know where to look, and it helps to be specific (e.g. 'Siberian Husky' instead of 'Husky'). Using the site's Reverse Image technique on a local image on your computer can reveal sites that trigger IP blocks too.

  12. I tried what you wanted. Did a search for random stuff, cars, buildings, computers, landscapes, animals. Did a preview on about 30 pics on each of those searches and didn't get any blocks at all.

     

    Searching for adult content related to sexy women or those hard-to-find images, or even high resolution images are the biggest triggers.

     

     

    Hi, Double: :)

     

    Please post a recent protection log (attached to your next reply) showing the blocks.

    Also, please run the tool below and attach both logs, as well.

    The staff will review the logs and advise you further.

     

    FWIW, if you are seeing a lot of these, then it could be a sign of infection.

    You might wish to follow the advice in this pinned topic: Available Assistance for Possibly Infected Computers.

    A malware expert will assist you with looking into the issue.

     

    Thanks,

     

    daledoc1

    ----------------------------

    Please run the FRST tool and send back both logs as attachments to your next reply.

    Download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. The one that runs will be the right version.

    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your next reply.

     

     

    I'm not infected, a full scan in safe mode normally says I'm clean. Aside from a couple random webpages, the IP blocks I receive have only ever happened inside Google Images, I hardly get them anywhere else, and I'm generally a safe surfer, only sticking to sites I know can be trusted using Web Of Trust (WOT). Will post a log, but I'm gonna wait until I come across another IP block, I'm trying to avoid them.

  13. I'm trying to figure out why Malwarebytes blocks so many IPs when browsing through Google Images, it's a hotbed for IP blocks. I understand the pics all lead to different sites, but why does Malwarebytes block an IP address if the website hasn't even been visited yet??? I haven't tried Bing or Yahoo's images search engines, but I'd imagine they act the same.

     

    If you go to http://www.google.com/imghp, search for something and open up a preview on some photo, you've literally got a 25-50% chance of receiving an IP block. It's that ridiculous.
