OliPicard

Everything posted by OliPicard

  1. Confirming that I am also getting this detection. Backdoor.NanoCore, C:\USERS\USER\DOWNLOADS\RAZERSYNAPSEINSTALLER_DT_V1.0.67.89.EXE
  2. Dear Malwarebytes, This extension, c9users.io, hosts a multitude of user code and websites. The company that operates this site is C9.io, recently acquired by Amazon Web Services. Any attempt to visit this site is automatically blocked. I am unsure why this is the case, but it would be great to lift this ban so customers can visit their sites and pages. The IP address is 23.251.133.229. Many thanks
  3. No. gstatic is for static content (pages and scripts deployed by Google's content delivery network). They are not "spying" on us, and it's a perfectly normal URL.
  4. Any ETA on when this update will be pushed out?
  5. Malwarebytes should issue an update later today. Might be in a couple of hours. Until then you can add the site to an exception list to prevent the pop-ups.
  6. I believe Malwarebytes may have accidentally blocked gstatic.com (Google's static CDN for web pages and services); as such you may have difficulty getting access to the site.
  7. Realtime protection is blocking ssl.gstatic.com and www.gstatic.com.
     Logs:
     Domain: ssl.gstatic.com IP: 172.217.18.3 Port: 64161
     Domain: www.gstatic.com IP: 172.217.18.163 Port: 64160
  8. Just to confirm what I've mentioned above, I have just tested Malwarebytes on an automated virtual machine running Windows 10. I can confirm that after getting the install setup running, MBAM setup creates two start-up icons instead of just a single shortcut. Both lead to the same software. This should give you good grounds for recreating the bug in the lab.
  9. I should have mentioned that when you run the Malwarebytes installer, it creates two shortcuts in the Start menu:
     1. Malwarebytes Anti-Malware Notifications
     2. Malwarebytes Anti-Malware
     Both point to the same program, and as such the first shortcut is not needed. In addition, search prioritizes Notifications over Anti-Malware, which then results in the shortcut displaying what could be seen as a different program. Ideally I would advise removing the Notifications shortcut and keeping the old Malwarebytes Anti-Malware shortcut. This is something the end user can do if you don't have MBAM internal protection disabled; if you do, then you will have to disable internal protection before removing the secondary shortcut file. As mentioned before, the shortcut path and destination are the exact same as the normal Anti-Malware shortcut, so deleting the second one won't do any damage to your system.
  10. Dear Malwarebytes, I am running a Windows 10 machine. I have upgraded to Malwarebytes without issues in the past; however, today I have noticed that the shortcut name has changed from Malwarebytes Anti-Malware to Malwarebytes Anti-Malware Notifications. Upon looking at each shortcut I can see the path is the exact same. If I delete the Malwarebytes Anti-Malware Notifications shortcut, the Malwarebytes Anti-Malware shortcut displays correctly. Please note I have done the following:
     1) Run mbam-clean.exe
     2) Ensured that the operating system is reset (which has been done 4 times with the same end result being a bad shortcut.)
     OS type: 64 Bit
     OS Version: Windows 10
     I believe that this new shortcut was created in error by Malwarebytes. Just wanted to provide a quick bug report to hopefully get this fixed in newer versions :-)
  11. I can also confirm this bug is present in the latest build of Malwarebytes. Malwarebytes opens up when the update schedule is triggered on boot. I've noticed other applications also having the same effect (Adobe Creative Cloud). I'm wondering if it's a new API implemented in MBAM and CC, or a Windows update that has broken the task scheduler's old tasks.
  12. Hey pbust, many thanks for clarifying. It seems like GOG is bundling in the PDF reader without user consent, and MAE is detecting the request as an exploit attempt. I have asked, along with a couple of other users, to get them to change the reader to an opt-in mode. For now I'll let MAE continue to block the PDF reader as I have no use for it. Thanks again, Oliver
  13. Hey pbust, sorry about that. I'm attaching the logs now. mbae-config.zip
  14. Hi Malwarebytes, just wanted to give a quick heads up. I'm currently using a client from gog.com. The client bundles in Foxit Reader, and upon installation of the game, the temp file foxitreader.tmp is blocked by MAE. Once a game has been downloaded using the client, the foxitreader.tmp file is executed; however, MAE blocks the file, believing that it's malware.
     {WinDrive}:\Users\{user}\AppData\Local\temp\is-7O2RL.tmp\Foxitreader.tmp
     {WinDrive}:\Users\{user}\AppData\Local\temp\is-BHS5U.tmp\Foxitreader.tmp
     {WinDrive}:\Users\{user}\AppData\Local\temp\is-IRBBV.tmp\Foxitreader.tmp
     "Foxitreader.tmp has been blocked from executing though foxit reader."
     Just to say that this isn't malware; hopefully it can be sorted out in the next update? Thanks, Oliver
  15. Greetings Malwarebytes, I have noticed that the Battlelog Plugin has been flagged as a backdoor by Malwarebytes.
     Location: Backdoor.Bot.ED, Battlelog Web Plugins\helper.exe
     battlelog-web-plugins_2.6.2_157.exe (executable that I downloaded from the Battlefield website.)
     Database Versions:
     Malware Database: v2015.02.19.07
     Rootkit Database: v2015.02.03.01
     battlelog-web-plugins_2.6.2_157.exe has been scanned over at VirusTotal: https://www.virustotal.com/en/file/825d7d5867c21bd23f8df180256ca5e60076c5f5e00c3069f6befff14e79c62d/analysis/1424368822/
     helper.exe has also been scanned over at VirusTotal: https://www.virustotal.com/en/file/8b60506b61d55beaa664c29e914ecf3e5fa4ffef25d211f937f61e4336fbb510/analysis/1424369136/
     Note that these plugins belong to Battlefield's default plugins that allow players to connect to servers from Battlefield 3, 4 and Battlefield Hardline. The original name of the program was ESN Sonar; however, the studio has been acquired by Electronic Arts and is now known as uprise.se
  16. Should mention that this is still being flagged in the following databases:
     Malware Database: v2015.02.19.07
     Rootkit Database: v2015.02.03.01
  17. Greetings Malwarebytes. I'm also seeing a False Positive on two files: battlelog-web-plugins_2.6.2_157.exe (the installer/executable) and Program Files (x86)\Battlelog Web Plugins\helper.exe. Both report Backdoor.Bot.ED.
  18. exe name: SketchUpReader.exe
     Identified as: Backdoor.Bot
     Location: A:\Program Files\Autodesk\3ds Max 2013
     Hashes
     MD5: 0e05099f2f9e6b898db5c8405aa01d14
     SHA1: 980667da76e6cef1e0fce24f95a6e3a893db3f4f
     SHA256: 2bce4c6689910bca5e1c7c7bf44986e7c98ae2b12411879bf5e88cdba911ace7
     Virustotal scan
  19. Hi guys, I recently purchased Typing of the Dead on steampowered.com. I noticed that MBAM has blocked the program involved.
     The EXE: HOTD_NG.exe
     MD5: d1a893bf87fd4cc727dba38fd13207a5
     Result: Spyware.zbot
     VirusTotal Scan
     Your help to get this noticed as an FP would be awesome. Thanks, Oliver
  20. @miekiemoes Thanks for the confirmation. I have also gone ahead and attached another VT scan of D:\Steam\steamapps\common\Tribes\Binaries\Win32\SteamIndentifer.exe, which is above this post.
  21. Just heard on the MBAM FP forum that this is a false positive. (I have also provided additional scan logs from VT to ensure this is dealt with.) Thanks, Oliver
  22. VT scan for SteamIdentifer.exe: https://www.virustotal.com/en/file/a5b8f829e23c9305147de8515c0fbb4bcc65bb5557b538fb9c7118585f5a3ac3/analysis/1366736015/
  23. Sorry for the repost, by the way; just wanting to see if anyone else can confirm or not whether this could be an FP. I have rescanned D:\Steam\steamapps\common\Planetside 2\awesomium_process.exe and MBAM hasn't detected it as Trojen.Agent.ED.
  24. Hi MBAM, wanted to quickly see if anyone else is getting the same problems as me.
     Location:
     D:\Steam\steamapps\common\Tribes\Binaries\Win32\SteamIndentifer.exe
     D:\Steam\steamapps\common\Planetside 2\awesomium_process.exe
     Threat Type: Trojen.Agent.ED
     VirusTotal Scan: https://www.virustotal.com/en/file/55ba2672384d4426c77f7b8e4eb8113c64403284bd5756e5b3c9d5c273b8e8e4/analysis/1366733266/
     Your help in removing/figuring out if this is an FP would be awesome!
  25. Hi MBAM, I have found another FP.
     Location:
     D:\Steam\steamapps\common\Tribes\Binaries\Win32\SteamIndentifer.exe
     D:\Steam\steamapps\common\Planetside 2\awesomium_process.exe
     Threat Type: Trojen.Agent.ED
     VirusTotal Scan: https://www.virustotal.com/en/file/55ba2672384d4426c77f7b8e4eb8113c64403284bd5756e5b3c9d5c273b8e8e4/analysis/1366733266/
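The false-positive reports above pair a file path and detection name with hashes (post 18 lists MD5, SHA-1 and SHA-256) and a VirusTotal analysis link whose URL carries the file's SHA-256 (posts 15, 22 and 24). The script below is an added example, not code from these posts or from Malwarebytes: it computes all three digests in one pass over the file, pulls the SHA-256 out of a VirusTotal URL, and checks that the link actually refers to the file being reported, so a report never links a scan of a different build. The sample bytes are constructed, the detection name in the demo is hypothetical, and the `/gui/file/` URL shape is an assumption alongside the `/en/file/.../analysis/` links quoted in the posts.

```python
"""Cross-check a suspected false positive before reporting it.

Added example, not code from the forum posts or from Malwarebytes. The sample
file written in the demo is constructed; the binaries from the posts are not
available here.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed URL shapes: the ".../en/file/<sha256>/analysis/<ts>/" links quoted in
# the posts and the ".../gui/file/<sha256>" form; both carry the SHA-256 after "file/".
VT_URL_RE = re.compile(r"virustotal\.com/(?:[a-z]{2}/|gui/)?file/([0-9a-fA-F]{64})")

DIGEST_NAMES = ("md5", "sha1", "sha256")


def _digest_chunks(chunks):
    """Feed every chunk to all three hash objects: one read of the data, three digests."""
    hashes = {name: hashlib.new(name) for name in DIGEST_NAMES}
    for chunk in chunks:
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digests_of_bytes(data):
    """MD5/SHA-1/SHA-256 hex digests of an in-memory byte string."""
    return _digest_chunks([data])


def digests_of_file(path, chunk_size=1 << 20):
    """Same digests for a file on disk, read in 1 MiB chunks so large installers fit in memory."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def sha256_from_vt_url(url):
    """Extract the lower-case SHA-256 a VirusTotal file-analysis URL refers to."""
    m = VT_URL_RE.search(url)
    if not m:
        raise ValueError("no SHA-256 found in VirusTotal URL: %r" % url)
    return m.group(1).lower()


def vt_url_matches_bytes(url, data):
    """True if the VirusTotal link is for exactly these bytes."""
    return sha256_from_vt_url(url) == digests_of_bytes(data)["sha256"]


def vt_url_matches_file(url, path):
    """True if the VirusTotal link is for exactly the file on disk."""
    return sha256_from_vt_url(url) == digests_of_file(path)["sha256"]


def fp_report_lines(location, detection, digests, vt_url=None):
    """Report lines in the layout the posts use (path, detection, hashes, VT link),
    with the link flagged when its SHA-256 does not match the file's."""
    lines = [
        "Location: %s" % location,
        "Identified as: %s" % detection,
        "MD5: %s" % digests["md5"],
        "SHA1: %s" % digests["sha1"],
        "SHA256: %s" % digests["sha256"],
    ]
    if vt_url is not None:
        ok = sha256_from_vt_url(vt_url) == digests["sha256"]
        lines.append("VirusTotal: %s (%s)" % (vt_url, "matches file" if ok else "DOES NOT MATCH FILE"))
    return lines


if __name__ == "__main__":
    # Constructed sample standing in for the flagged binary; not a real file from the posts.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.exe"
        sample.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real PE")
        d = digests_of_file(sample)
        # Link copied from post 22; it is for a different file, so the check must flag it.
        vt = ("https://www.virustotal.com/en/file/"
              "a5b8f829e23c9305147de8515c0fbb4bcc65bb5557b538fb9c7118585f5a3ac3/analysis/1366736015/")
        print("\n".join(fp_report_lines(str(sample), "Example.Detection (hypothetical)", d, vt)))
```

The one-pass hashing matters for multi-gigabyte game installers like the ones reported here; the URL check catches the common mistake of pasting a VirusTotal link for an older or differently packaged build of the same executable.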