HH89

Members · 31 posts
Everything posted by HH89

  1. Pokertracker is a legit program used by many online poker players for statistical analysis. Recently MBAM has started flagging one of the program's update files as being malicious. My Avast isn't picking anything up. I am almost 100% sure this is a false positive. I have been using Pokertracker for over 6 years and never had any trouble with it, nor has MBAM flagged any files pertaining to this program until recently. Below is the developer log showing the detection (I have also attached the file in question along with this post):

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org
     Database version: v2013.04.27.03
     Windows Vista Service Pack 1 x64 NTFS
     Internet Explorer 7.0.6001.18000
     HH89 :: HH89-PC [administrator]
     4/27/2013 4:05:55 PM
     DLOG2_MBAM-log-2013-04-28 (02-52-38).txt
     Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 591584
     Time elapsed: 2 hour(s), 13 minute(s), 38 second(s)
     Memory Processes Detected: 0 (No malicious items detected)
     Memory Modules Detected: 0 (No malicious items detected)
     Registry Keys Detected: 0 (No malicious items detected)
     Registry Values Detected: 0 (No malicious items detected)
     Registry Data Items Detected: 0 (No malicious items detected)
     Folders Detected: 0 (No malicious items detected)
     Files Detected: 1
     C:\Users\HH89\Desktop\Updates for PT\PT-Install-v3.00.b29.1.exe (Trojan.Agent) -> No action taken. [60af1fced596eb4b0847d69538c9ee12]
     (end)

     Kind regards,
     - HH89

     Attachment: PT-Install-v3.00.b29.1.rar
  2. Update: I just updated MBAM again today and scanned again (with Database version: v2012.02.03.11) and MBAM is no longer detecting those 3 things as being malicious anymore (I didn't quarantine or delete them the last time I scanned). Do you still need me to send the files? FWIW, I am using the same version of Absolute Poker (the latest version). Log below:

     Malwarebytes Anti-Malware 1.60.1.1000
     www.malwarebytes.org
     Database version: v2012.02.03.11
     Windows Vista Service Pack 1 x64 NTFS
     Internet Explorer 7.0.6001.18000
     User :: USER-PC [administrator]
     2/3/2012 8:50:57 PM
     mbam-log-2012-02-03 (20-50-57).txt
     Scan type: Full scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 515502
     Time elapsed: 1 hour(s), 3 minute(s), 27 second(s)
     Memory Processes Detected: 0 (No malicious items detected)
     Memory Modules Detected: 0 (No malicious items detected)
     Registry Keys Detected: 0 (No malicious items detected)
     Registry Values Detected: 0 (No malicious items detected)
     Registry Data Items Detected: 0 (No malicious items detected)
     Folders Detected: 0 (No malicious items detected)
     Files Detected: 0 (No malicious items detected)
     (end)

     Kind regards,
     - HH89
  3. I scan my computer with MBAM every 3 days. Today it started picking up "Trojan.Agent" in a couple files and a registry key related to Absolute Poker. Absolute Poker is an online poker site that I play at and hence have their software installed on my computer. Since today's MBAM update, it's been detecting Trojan.Agent in the uninstall files for the Absolute Poker software. Prior to this happening, the last time I ran a full scan was on Jan 30, 2012, in which everything came up clean. I've had the Absolute Poker software installed on my computer for the past 2 years. MBAM has never detected anything malicious from that until today. My Avast and Spybot S&D are not picking anything up. I also uploaded both the "CasinoUninstall.exe" files to VirusTotal and JottiScan and both are coming up clean. Are these false positives? Developer log below:

     Malwarebytes Anti-Malware 1.60.1.1000
     www.malwarebytes.org
     Database version: v2012.02.03.03
     Windows Vista Service Pack 1 x64 NTFS
     Internet Explorer 7.0.6001.18000
     User :: USER-PC [administrator]
     2/3/2012 4:42:18 AM
     dev-log_mbam-log-2012-02-03 (05-49-23).txt
     Scan type: Full scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 515261
     Time elapsed: 1 hour(s), 3 minute(s), 16 second(s)
     Memory Processes Detected: 0 (No malicious items detected)
     Memory Modules Detected: 0 (No malicious items detected)
     Registry Keys Detected: 1
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Absolute Poker (Trojan.Agent) -> No action taken. [84cbc78cee6e43f34f7c573068988878]
     Registry Values Detected: 0 (No malicious items detected)
     Registry Data Items Detected: 0 (No malicious items detected)
     Folders Detected: 0 (No malicious items detected)
     Files Detected: 2
     C:\Poker Application\Absolute Poker\CasinoUninstall.exe (Trojan.Agent) -> No action taken. [1f30cc8771eb75c12e9d0a7d817f23dd]
     C:\Poker Application\_uninstallation_info\Absolute Poker\CasinoUninstall.exe (Trojan.Agent) -> No action taken. [84cbc78cee6e43f34f7c573068988878]
     (end)

     Thanks for the help.

     Kind regards,
     - HH89
  4. np, Kay. I'm just glad to have gotten this issue sorted out now; I was starting to get worried that my computer might have been compromised. I also do online banking and work from home on a daily basis, so I chose not to use my computer for that in the past half a week. Phew, what a relief! Now I can get back to work. Good luck with the remainder of your problem, Kay! And thanks for updating this thread for me, Tashi. Best of luck, and have a great New Year, guys!

     Kind regards,
     - HH89
  5. Hey Kay, my Spybot has started picking up the same detection, and I think there's a good chance it may be some bug or F/P with Spybot. I've posted about it here http://forums.spybot.info/showthread.php?t=61005 and am just waiting on someone from the Spybot team to reply. I've also posted it here on the MBAM forums (see my first post in this thread for links). The reason why I think this is a FP is because I have been able to recreate this same detection on another computer. Basically, once you use MBAM's function to quarantine a file, Spybot will start detecting "Win32.AutoRun.tmp". I tried this on a clean computer with a file that MBAM detects as a PUP (potentially unwanted program). The moment I use MBAM's function to quarantine/delete a file is when Spybot starts picking up the "Win32.AutoRun.tmp". So with my limited knowledge, I'm guessing it's either because:

     1. MBAM creates a "taskman" registry value in Winlogon whenever you use its quarantine/delete function. And if Spybot finds any entries associated with taskman in Winlogon, it will auto flag it as a trojan?
     2. The file I tested it on will auto release a trojan to the registry, if it detects that MBAM is trying to quarantine/delete it. (However, I think this is unlikely as Avast and Eset online scanner are both picking up nothing.)
     3. Some other bug with Spybot that happens whenever you use MBAM to quarantine files.

     Kind regards,
     - HH89
  6. Cross posted this over to the Spybot forums (thread shown here: http://forums.spybot.info/showthread.php?t=61005).
  7. Hey guys, I've also started getting this same "Win32.AutoRun.tmp" Trojan detection from Spybot in the same location in the registry. I believe there's a good chance this might be a bug/glitch in Spybot that starts detecting this after you use MBAM to quarantine and delete a file. I've been able to recreate this exact same detection on another computer. I've made a post on it here: http://forums.malwarebytes.org/index.php?showtopic=71138 and have also cross posted it over to the F/P forum, thread shown here: http://forums.malwarebytes.org/index.php?showtopic=71140. I suggest you guys take a look.

     Kind regards,
     - HH89
  8. Hey guys, I think either I have an infection or there is a bug in Spybot S&D which is causing it to show a F/P infection "Win32.AutoRun.tmp" Trojan in your registry whenever a user uses MBAM to quarantine/delete a file. I believe it might be a bug/false positive on Spybot's part as I was able to reproduce the same detection on another computer right after I used MBAM to quarantine/delete a file (a file which MBAM has just classified as a PUP - potentially unwanted program). Let me begin from the start though:

     This is what Spybot S&D started picking up yesterday (Dec 23, 2010):

     Trojan Win32.AutoRun.tmp: [sBI $751B1850] Settings (Registry value)
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

     Picture of the Spybot detection shown here:

     Before that, the last time I scanned using Spybot was on Dec 19, 2010 at 6:20pm, in which the Spybot scan came up clean. I thought this was kind of weird, since the only thing I did in between Dec 19 and Dec 23 was: surf the web, and download two program files for two online poker sites (888poker and William Hill Poker), which I ended up never opening. I play online poker on a daily basis, so that was quite normal for me. I also use Avast anti-virus and Comodo Firewall to keep track of everything that connects to the internet. I practice safe surfing habits, and I have also never gotten any malware problems in the past before and have been using this computer for the last 15 months.

     First, I would like to point out that when I downloaded the two setup files for the two online poker sites mentioned above, the first thing I did was scan them both with MBAM and Avast. MBAM picked up the infection (Application.Casino) for the 888poker installer file and (Adware.Casino) for the William Hill Poker installer file. Avast showed them both as clean. I decided not to open them anyway, and so just deleted them from my computer manually via sending them to the recycle bin and clearing the bin. Later on that day (Dec 19, 2010 at 6:20pm) I scanned my comp with Spybot and everything came up clean. Since both those setup files are from legit companies, I figured those two infections that MBAM showed were probably F/Ps and so I decided to post about them on the MBAM F/P forums (thread shown here http://forums.malwarebytes.org/index.php?showtopic=70753). I downloaded the two setup files again, and ran MBAM in developer mode to get the log. After I got the developer log and made my post in the MBAM forums, I decided to delete the files again. This time I used MBAM to remove them using Quarantine and Delete - this was also the first time I ever used MBAM to quarantine and delete something on this computer. Later on, someone from the MBAM team called "Shadowwar" replied to me in that thread saying that those programs weren't actually malicious; they were not trojans, just potentially unwanted programs (PUP) and that they could be safely added to my ignore list. Following that, the MBAM team changed the detection on those two files to show a PUP prefix instead. In the end, I decided I didn't have enough time to set up a new poker account at those two sites anyway, and so never downloaded the files again.

     Fast forward to yesterday (Dec 23, 2010). I scan using Spybot S&D (the last time I updated Spybot was when I scanned on Dec 19, 2010, in which the Spybot scan came up clean). This time Spybot S&D picks up the trojan "Win32.AutoRun.tmp" in my registry (pic of the detection shown above). At this point I figured I probably picked up an infection from surfing the web. However, the websites I visited in the last week are the exact same websites I've been visiting in the past 15 months since I bought this computer (mostly facebook, youtube, gmail). And I have never had a malware problem in the past (I've only had MBAM detect a couple F/Ps and the incident with the two online poker setup files which MBAM now detects as PUPs - also explained in the above paragraph). So I figured there was a chance also that it could be a F/P in Spybot; however, since I had not updated the definitions for Spybot S&D since my last clean scan, I was a little confused. Following this, I decided to scan using MBAM, Avast and Eset online scanner. All came up clean. It is only Spybot that is picking up this detection. I also googled and read a ton of threads regarding people picking up "Win32.AutoRun.tmp" in Spybot in the same registry location as me. In a couple threads, it seemed as if this detection popped up after they used MBAM's function to quarantine and delete a file. And the only thing I've done since my last clean scan in Spybot is use MBAM to quarantine and delete files + surf the web. So I figured there might be a possibility of some bug/glitch in Spybot that is causing it to detect a FP Trojan named "Win32.AutoRun.tmp" in your registry, whenever you use MBAM to quarantine and delete a file.

     I decided to do an experiment and try this out on a second computer to see if I could reproduce the detection in Spybot if I used MBAM to quarantine/delete a file. It worked. Here's exactly what I did on my second computer in the following order:

     1. First I updated Spybot and MBAM.
     2. Scanned with both Spybot and then MBAM. Both results come up clean.
     3. Restart my computer.
     4. Scanned again using Spybot to double check. Results came up clean.
     5. Download the 888poker software installation file (from http://www.888poker.com). MBAM will detect this file as (PUP.Casino), so I decided to just use this file to test things out.
     6. Do a full system scan using MBAM. It will pick up the detection noted above on the 888poker.exe installer file. It will also pick up the same detection on one of the cache files in Mozilla (which I think is probably the cache file for the download of the 888poker.exe installer file?)
     7. Exited MBAM without doing anything to the above files.
     8. Did another scan using Spybot. Results came up clean.
     9. Manually delete 888poker.exe via sending it to the recycle bin, and clear Mozilla's cache files.
     10. Scanned again using MBAM to check if it detects anything. Everything comes up clean.
     11. Scanned again using Spybot to test if deleting the file manually will cause any detection. Everything comes up clean.
     12. Restarted my computer.
     13. Scanned using Spybot again to double check. Everything still comes up clean.
     14. Downloaded the 888poker.exe software again.
     15. Scanned both the 888poker.exe file and the Mozilla cache files with MBAM once more to verify the detections are there. Both detections of PUP.Casino verified in both files like it should be.
     16. Restarted my computer.
     17. Scanned again using Spybot. Results come up clean.
     18. Did a full scan using Avast. Everything comes up clean.
     19. Restarted my computer.
     20. Scanned again using Spybot to double check. Everything still comes up clean.
     21. Scan the 888poker.exe installer file using MBAM. Then use MBAM to quarantine and delete it. MBAM will prompt you to restart your computer to finish the quarantine/delete process, in which I clicked yes.
     22. Right after my computer started up, I scanned using Spybot once more. Spybot now shows the "Win32.AutoRun.tmp" Trojan detection in the Registry (pic shown above).

     So as you can see, the moment I used MBAM to quarantine and delete a file, any subsequent Spybot scans will start picking up the "Win32.AutoRun.tmp" detection. So far I've tried restoring the file from the MBAM quarantine, and scanning with Spybot again. But Spybot will still show the same detection. I've also tried uninstalling and re-installing Spybot (using Revo Uninstaller to do a full uninstall and restarting my computer before installing it again); it will still show the same detection. I am going to try uninstalling and reinstalling MBAM the same way and see if that helps.

     I have not yet tried to use Spybot to "fix" this detection as I am not sure if it might do any harm to my computer if I delete this registry value, as I've read a thread over on the Spybot forums where someone did just that, and it ended up screwing up his computer (see thread here http://forums.spybot.info/showthread.php?t=60684). Anyways, is there someone from the MBAM team that could try this out on a third computer to confirm, and post the results here? And see if the same detection pops up in Spybot? I am also going to cross post this over to the Spybot forums and see what they say. Will post the link here to that thread when done. I will await your reply. I appreciate any help, and Happy Holidays. And sorry for the long post, I just wanted to be as thorough as possible.

     Note: I also cross posted this over to the Malware Removal forum, just in case this detection did come up because I have a trojan. But as of right now, I believe it's most likely a F/P on Spybot's part.

     Kind regards,
     - HH89
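The post above stops short of deleting the flagged Winlogon\Taskman value because its effect is unknown. Before any scanner is allowed to "fix" a value like this, a defender wants to see what it actually contains, whether the program it points to exists and who signed it, and to keep a backup of the key so the change can be reversed. The following script does that; it is an added example, not code from the thread, from Spybot or from Malwarebytes. It assumes an elevated PowerShell 3.0 or later prompt on the affected machine, and the function and backup file names are my own.

```powershell
# Added example (not from the thread, Spybot or Malwarebytes): inspect and back up the
# Winlogon "Taskman" value before deciding whether a scanner's "fix" is appropriate.
# Assumes an elevated PowerShell 3.0+ session; function and file names are my own.

function Get-WinlogonTaskman {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    if ($null -eq $props.Taskman) {
        # A default Windows install does not carry this value, so there is nothing to examine.
        return [pscustomobject]@{
            Present = $false; Data = $null; Target = $null
            FileExists = $false; Signature = $null; Signer = $null
        }
    }

    $data = [string]$props.Taskman
    # The value data is a command line; take the executable path (quoted, or the first token).
    if ($data -match '^"([^"]+)"') { $target = $Matches[1] } else { $target = ($data -split '\s+')[0] }
    $target = [Environment]::ExpandEnvironmentVariables($target)

    $exists = Test-Path -LiteralPath $target -PathType Leaf
    $status = $null; $signer = $null
    if ($exists) {
        # Signer identity is what lets you tie the entry to a known product rather than guess.
        $sig = Get-AuthenticodeSignature -FilePath $target
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Present = $true; Data = $data; Target = $target
        FileExists = $exists; Signature = $status; Signer = $signer
    }
}

function Backup-WinlogonKey {
    # Export the whole Winlogon key so the value can be restored if removing it breaks logon.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $path = Join-Path $env:USERPROFILE "Desktop\winlogon-backup-$stamp.reg"
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' $path | Out-Null
    return $path
}

$finding = Get-WinlogonTaskman
$finding | Format-List
if ($finding.Present) {
    $backup = Backup-WinlogonKey
    Write-Host "Taskman value present; key exported to $backup. Compare Data and Signer with what your quarantine tool reports before removing anything."
}
```

The useful output is the Data, Target and Signer fields: a value whose target is a signed, present binary belonging to a security product you installed is a very different finding from one pointing at an unsigned file in a temp directory. If the value is later removed (by Spybot or by hand), the exported .reg file restores it with a double-click.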
  9. Hey guys, I think either I have an infection or there is a bug in Spybot S&D which is causing it to show a F/P infection "Win32.AutoRun.tmp" Trojan in your registry whenever a user uses MBAM to quarantine/delete a file. I believe it might be a bug/false positive on Spybot's part as I was able to reproduce the same detection on another computer right after I used MBAM to quarantine/delete a file (a file which MBAM has just classified as a PUP - potentially unwanted program). Let me begin from the start though:

     This is what Spybot S&D started picking up yesterday (Dec 23, 2010):

     Trojan Win32.AutoRun.tmp: [sBI $751B1850] Settings (Registry value)
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

     Picture of the Spybot detection shown here:

     Before that, the last time I scanned using Spybot was on Dec 19, 2010 at 6:20pm, in which the Spybot scan came up clean. I thought this was kind of weird, since the only thing I did in between Dec 19 and Dec 23 was: surf the web, and download two program files for two online poker sites (888poker and William Hill Poker), which I ended up never opening. I play online poker on a daily basis, so that was quite normal for me. I also use Avast anti-virus and Comodo Firewall to keep track of everything that connects to the internet. I practice safe surfing habits, and I have also never gotten any malware problems in the past before and have been using this computer for the last 15 months.

     First, I would like to point out that when I downloaded the two setup files for the two online poker sites mentioned above, the first thing I did was scan them both with MBAM and Avast. MBAM picked up the infection (Application.Casino) for the 888poker installer file and (Adware.Casino) for the William Hill Poker installer file. Avast showed them both as clean. I decided not to open them anyway, and so just deleted them from my computer manually via sending them to the recycle bin and clearing the bin. Later on that day (Dec 19, 2010 at 6:20pm) I scanned my comp with Spybot and everything came up clean. Since both those setup files are from legit companies, I figured those two infections that MBAM showed were probably F/Ps and so I decided to post about them on the MBAM F/P forums (thread shown here http://forums.malwarebytes.org/index.php?showtopic=70753). I downloaded the two setup files again, and ran MBAM in developer mode to get the log. After I got the developer log and made my post in the MBAM forums, I decided to delete the files again. This time I used MBAM to remove them using Quarantine and Delete - this was also the first time I ever used MBAM to quarantine and delete something on this computer. Later on, someone from the MBAM team called "Shadowwar" replied to me in that thread saying that those programs weren't actually malicious; they were not trojans, just potentially unwanted programs (PUP) and that they could be safely added to my ignore list. Following that, the MBAM team changed the detection on those two files to show a PUP prefix instead. In the end, I decided I didn't have enough time to set up a new poker account at those two sites anyway, and so never downloaded the files again.

     Fast forward to yesterday (Dec 23, 2010). I scan using Spybot S&D (the last time I updated Spybot was when I scanned on Dec 19, 2010, in which the Spybot scan came up clean). This time Spybot S&D picks up the trojan "Win32.AutoRun.tmp" in my registry (pic of the detection shown above). At this point I figured I probably picked up an infection from surfing the web. However, the websites I visited in the last week are the exact same websites I've been visiting in the past 15 months since I bought this computer (mostly facebook, youtube, gmail). And I have never had a malware problem in the past (I've only had MBAM detect a couple F/Ps and the incident with the two online poker setup files which MBAM now detects as PUPs - also explained in the above paragraph). So I figured there was a chance also that it could be a F/P in Spybot; however, since I had not updated the definitions for Spybot S&D since my last clean scan, I was a little confused. Following this, I decided to scan using MBAM, Avast and Eset online scanner. All came up clean. It is only Spybot that is picking up this detection. I also googled and read a ton of threads regarding people picking up "Win32.AutoRun.tmp" in Spybot in the same registry location as me. In a couple threads, it seemed as if this detection popped up after they used MBAM's function to quarantine and delete a file. And the only thing I've done since my last clean scan in Spybot is use MBAM to quarantine and delete files + surf the web. So I figured there might be a possibility of some bug/glitch in Spybot that is causing it to detect a FP Trojan named "Win32.AutoRun.tmp" in your registry, whenever you use MBAM to quarantine and delete a file.

     I decided to do an experiment and try this out on a second computer to see if I could reproduce the detection in Spybot if I used MBAM to quarantine/delete a file. It worked. Here's exactly what I did on my second computer in the following order:

     1. First I updated Spybot and MBAM.
     2. Scanned with both Spybot and then MBAM. Both results come up clean.
     3. Restart my computer.
     4. Scanned again using Spybot to double check. Results came up clean.
     5. Download the 888poker software installation file (from http://www.888poker.com). MBAM will detect this file as (PUP.Casino), so I decided to just use this file to test things out.
     6. Do a full system scan using MBAM. It will pick up the detection noted above on the 888poker.exe installer file. It will also pick up the same detection on one of the cache files in Mozilla (which I think is probably the cache file for the download of the 888poker.exe installer file?)
     7. Exited MBAM without doing anything to the above files.
     8. Did another scan using Spybot. Results came up clean.
     9. Manually delete 888poker.exe via sending it to the recycle bin, and clear Mozilla's cache files.
     10. Scanned again using MBAM to check if it detects anything. Everything comes up clean.
     11. Scanned again using Spybot to test if deleting the file manually will cause any detection. Everything comes up clean.
     12. Restarted my computer.
     13. Scanned using Spybot again to double check. Everything still comes up clean.
     14. Downloaded the 888poker.exe software again.
     15. Scanned both the 888poker.exe file and the Mozilla cache files with MBAM once more to verify the detections are there. Both detections of PUP.Casino verified in both files like it should be.
     16. Restarted my computer.
     17. Scanned again using Spybot. Results come up clean.
     18. Did a full scan using Avast. Everything comes up clean.
     19. Restarted my computer.
     20. Scanned again using Spybot to double check. Everything still comes up clean.
     21. Scan the 888poker.exe installer file using MBAM. Then use MBAM to quarantine and delete it. MBAM will prompt you to restart your computer to finish the quarantine/delete process, in which I clicked yes.
     22. Right after my computer started up, I scanned using Spybot once more. Spybot now shows the "Win32.AutoRun.tmp" Trojan detection in the Registry (pic shown above).

     So as you can see, the moment I used MBAM to quarantine and delete a file, any subsequent Spybot scans will start picking up the "Win32.AutoRun.tmp" detection. So far I've tried restoring the file from the MBAM quarantine, and scanning with Spybot again. But Spybot will still show the same detection. I've also tried uninstalling and re-installing Spybot (using Revo Uninstaller to do a full uninstall and restarting my computer before installing it again); it will still show the same detection. I am going to try uninstalling and reinstalling MBAM the same way and see if that helps.

     I have not yet tried to use Spybot to "fix" this detection as I am not sure if it might do any harm to my computer if I delete this registry value, as I've read a thread over on the Spybot forums where someone did just that, and it ended up screwing up his computer (see thread here http://forums.spybot.info/showthread.php?t=60684). Anyways, is there someone from the MBAM team that could try this out on a third computer to confirm, and post the results here? And see if the same detection pops up in Spybot? I am also going to cross post this over to the Spybot forums and see what they say. Will post the link here to that thread when done. I will await your reply. I appreciate any help, and Happy Holidays. And sorry for the long post, I just wanted to be as thorough as possible.

     Kind regards,
     - HH89

     Cross posted this over to the Spybot forums (thread shown here: http://forums.spybot.info/showthread.php?t=61005).
  10. Hey Shadow, so these two programs are safe then? I won't have to worry about any Registry/Memory getting infected if I install these applications? And does Adware mean it just gives popups while the poker software application is open? Or random popups if I just have my internet browser open, with the poker software closed? Thanks for the help and Happy Holidays!

     Kind regards,
     - Carl
  11. I play online poker quite frequently as a hobby. There were two sites that I was going to sign up to play at, but MBAM is flagging their software as being malware. One site is 888poker, the other is William Hill Poker. Both are legit poker sites that have been in the industry for years. The parent company of William Hill Poker is "William Hill", which is also one of the UK's largest bookmakers and is listed on the London Stock Exchange (more information here http://en.wikipedia.org/wiki/William_Hill_(bookmaker)). 888poker is owned by "888 Holdings PLC", which also owns and operates one of the biggest online casinos as well as several other gambling websites and is also traded on the London Stock Exchange (more information here http://en.wikipedia.org/wiki/888_Holdings). So I believe they are most likely F/Ps, but wanted to verify with you guys. MBAM seems to be flagging their software as Application.Casino and Adware.Casino as shown below in the log:

     Malwarebytes' Anti-Malware 1.50
     www.malwarebytes.org
     Database version: 5358
     Windows 6.0.6001 Service Pack 1
     Internet Explorer 7.0.6001.18000
     12/19/2010 8:56:32 PM
     dlog_fullscan_Dec19_mbam-log-2010-12-19 (20-56-11).txt
     Scan type: Full scan (C:\|D:\|E:\|F:\|)
     Objects scanned: 439586
     Time elapsed: 47 minute(s), 39 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 5
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected:
     c:\Users\Carl\AppData\Local\Mozilla\Firefox\Profiles\2t7fsgke.default\Cache\3d60f963d01 (Adware.Casino) -> No action taken. [05e9c64e03fd1ae6a06b32f81fe607f9]
     c:\Users\Carl\AppData\Local\Mozilla\Firefox\Profiles\2t7fsgke.default\Cache\4645d17bd01 (Application.Casino) -> No action taken. [be301afae818ac54bc4ebee4a163da26]
     c:\Users\Carl\AppData\Local\Temp\ep4+fvk1.exe.part (Application.Casino) -> No action taken. [16d8130146ba9b65ea201a88867eac54]
     c:\Users\Carl\Desktop\new poker sites\888poker.exe (Application.Casino) -> No action taken. [25c943d1d32d926e50ba59499f650af6]
     c:\Users\Carl\Desktop\new poker sites\setuppoker_51a6b9_en.exe (Adware.Casino) -> No action taken. [c9251400d12ffc04a16a200afd080af6]

     "888poker.exe" is the install file for 888poker.com's online poker client software. "Setuppoker_51a6b9_en.exe" is the install file for William Hill's online poker client software. FWIW, the name of the install file for William Hill Poker changes every time you reload their website. The two files in question can be downloaded from the following websites: www.888poker.com and poker.williamhill.com

     The two infected files located in the Mozilla Firefox cache are what I believe to be the cached versions of those two install files (that got saved in the Mozilla Firefox cache when I downloaded them), as when I clear Firefox's browsing history and cache, MBAM no longer picks up anything malicious in the Firefox cache folder. The other file located in my Temp folder called "ep4+fvk1.exe.part" that shows the infection (Application.Casino) is a file that gets generated and placed into my Temp folder every time I initiate the download of the 888poker.exe software from the 888poker site, but then cancel it. What I mean by that is if I click the download link for the 888poker software, then click "save file", and then when Mozilla Firefox asks me where I want to save the file I click "cancel" instead of save. If I do that, then a ".exe.part" file with a random name will get generated in my Temp folder; which in this case was called "ep4+fvk1.exe.part". A new file with a different name will appear each time I do that (initiate the download, then click cancel when Firefox asks me where to save the file). And MBAM also flags each one of those files as being malicious with the same infection as "888poker.exe" (Application.Casino). Those temp files are also digitally signed by "888 Holdings PLC". Also, if I just download the install file (and not cancel it when Firefox asks me where I want to save it) then those files won't get generated in the Temp folder.

     Anyways, I just had two questions:

     1. Are these two infections F/Ps?
     2. If they aren't F/Ps, what exactly is "Application.Casino" and "Adware.Casino" and what do they do?

     For what it's worth, I have like 12 different poker sites installed on this computer and MBAM never finds anything malicious with them or their installation files. 3 of those even run on the same network as William Hill Poker (which is the iPoker network) and use the same software platform. I was really looking forward to playing poker on those two sites but would rather not if their install files are infected with malware that could harm me or my computer in any way. Avast Anti-virus doesn't seem to pick up anything wrong with these install files, but upon uploading them to VirusTotal, there are several different other programs that do. But since they are from legitimate companies, I'm not really sure what to think. I will await your reply.

     Kind regards,
     - Carl
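Posts 1, 3 and 11 all follow the same triage pattern for a suspected false positive: take the flagged path and MD5 from the MBAM log, check whether the file is digitally signed by the vendor it claims to come from, and look the hash up on a multi-engine service. The script below automates that loop; it is an added example, not code from the thread or from Malwarebytes. It parses the log's "path (Detection) -> action. [md5]" lines, re-hashes each file that still exists (so you can tell whether the file changed since the scan) and reads its Authenticode signer. The log lines embedded in it are constructed samples with placeholder hashes, the function names are my own, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example (not from the thread or Malwarebytes): parse MBAM file-detection lines,
# re-hash the files and read their Authenticode signer so a suspected false positive can
# be checked against the vendor's certificate and looked up by hash rather than uploaded.
# The sample log below is constructed; function names are my own; needs PowerShell 4.0+.

$sampleLog = @'
Files Detected: 2
C:\Users\HH89\Desktop\sample\installer.exe (Trojan.Agent) -> No action taken. [00000000000000000000000000000000]
C:\Users\HH89\Desktop\sample\other.exe (PUP.Casino) -> No action taken. [ffffffffffffffffffffffffffffffff]
(end)
'@

function ConvertFrom-MbamDetection {
    # Turn each "path (Detection) -> action. [md5]" line into an object; other lines are skipped.
    param([string[]]$Lines)
    $pattern = '^(?<Path>[A-Za-z]:\\.+?) \((?<Name>[^)]+)\) -> (?<Action>[^.]+)\. \[(?<Md5>[0-9a-fA-F]{32})\]$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Path = $Matches.Path; Detection = $Matches.Name
                Action = $Matches.Action; LoggedMd5 = $Matches.Md5.ToLower()
            }
        }
    }
}

function Test-FlaggedFile {
    # For each detection: does the file still exist, does its MD5 still match the log,
    # what is its SHA-256 (the hash to search on), and who signed it?
    param([Parameter(Mandatory, ValueFromPipeline)]$Detection)
    process {
        $exists = Test-Path -LiteralPath $Detection.Path -PathType Leaf
        $md5 = $null; $sha256 = $null; $status = 'file missing'; $signer = $null
        if ($exists) {
            $md5    = (Get-FileHash -LiteralPath $Detection.Path -Algorithm MD5).Hash.ToLower()
            $sha256 = (Get-FileHash -LiteralPath $Detection.Path -Algorithm SHA256).Hash.ToLower()
            $sig = Get-AuthenticodeSignature -FilePath $Detection.Path
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Path = $Detection.Path; Detection = $Detection.Detection; FileExists = $exists
            # False here means the file on disk is not the one the scanner hashed.
            HashMatchesLog = ($exists -and ($md5 -eq $Detection.LoggedMd5))
            Sha256 = $sha256; Signature = $status; Signer = $signer
        }
    }
}

# Replace $sampleLog with (Get-Content -Raw .\mbam-log.txt) to run this over a real log.
ConvertFrom-MbamDetection -Lines ($sampleLog -split "`r?`n") | Test-FlaggedFile | Format-List
```

A "Valid" signature whose Signer names the vendor the file claims to come from (post 11 mentions "888 Holdings PLC") supports the false-positive theory; an "NotSigned" or "HashMismatch" status on a vendor installer does not, and is the point at which the file should be reported rather than whitelisted. Registry-key detections such as the HKCU\...\Uninstall key in post 3 are deliberately not matched by the pattern, since a registry path has no file to hash or signature to read.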
  12. Hey guys, was this detection just fixed in today's update? Because I just updated to the latest database (database version: 3466) and did a scan, and everything came up clean this time. Log file here:

     Malwarebytes' Anti-Malware 1.43
     Database version: 3466
     Windows 6.0.6001 Service Pack 1
     Internet Explorer 7.0.6001.18000
     12/31/2009 11:33:21 PM
     mbam-log-2009-12-31 (23-33-21).txt
     Scan type: Full Scan (C:\|D:\|E:\|F:\|)
     Objects scanned: 322362
     Time elapsed: 31 minute(s), 58 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)

     I did not delete or quarantine the infected registry key from before prior to this. Any confirmation from the MBAM team would be awesome. Anyways, Happy New Year, guys!

     Kind regards,
     - HH89
  13. Whoops, I totally forgot to post the developer mode log in the OP. Here's the new log:

Malwarebytes' Anti-Malware 1.43
Database version: 3462
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

12/31/2009 7:51:04 AM
devlog_dec31st_mbam-log-2009-12-31 (07-50-38).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 321985
Time elapsed: 33 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\PTECH (Adware.21Nova) -> No action taken. [43E5B9A79BC8C95307BD517BAC8620F0]

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  14. Hey guys, the latest MBAM update has started detecting this on my computer:

Malwarebytes' Anti-Malware 1.43
Database version: 3462
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

12/31/2009 4:14:46 AM
adware_dec31st_mbam-log-2009-12-31 (04-14-28).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 321697
Time elapsed: 32 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\PTECH (Adware.21Nova) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_______________________________________________________________________________

Apparently "HKEY_LOCAL_MACHINE\Software\PTECH" is a generic PlayTech registry key, which will exist if you install any PlayTech casino. There are a bunch of online poker sites that use the Playtech software engine, which makes up the online poker network called "iPoker". More info here: http://en.wikipedia.org/wiki/Playtech. Anyway, I do play some online poker and have two of these sites installed (Poker Plex and NoblePoker), both of which use the Playtech casino/gaming software. My question is, is there a chance that this detection could be a F/P? FWIW, the last scan I did was on Dec 29th, and everything came up clean then. If this is not a F/P, is this something I need to be really worried about? Will it pose a serious threat to me or my computer? And lastly, will quarantining and deleting this registry key cause any problems with running the online poker software? Thanks for the help!
  15. Ohh alright, in that case I'll just go ahead and set MBAM to ignore it. Thanks once again, Exile!
  16. Oh alright, thanks for the reply, Exile. Would it be harmful if I just quarantined and then deleted it (what exactly would happen if I did delete it)? Or is setting MBAM to ignore the detection the best thing to do?
  17. Hey guys, I recently purchased this computer, and I just reformatted with OS Windows Vista Premium 64bit. After installing my drivers and running Windows updates, then installing Avast Anti Virus and Comodo Firewall, I installed and scanned with MBAM and the following came up. Here's the developer's log:

Malwarebytes' Anti-Malware 1.41
Database version: 2853
Windows 6.0.6001 Service Pack 1

9/23/2009 8:22:46 PM
hijack.displayproperties.mbam-log-2009-09-23 (20-22-28)

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 172847
Time elapsed: 9 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830417475666876153774848177669049838081708385747084130141443858644548363445644634364142473861524839535634513861467468838084807185615674796980888461368683837079855570838474807961498077746874708461388981778083708393478034688574877037708476858081367366797270843018130117]

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Is this something I should be worried about?
  18. Developer Log here:

Malwarebytes' Anti-Malware 1.40
Database version: 2630
Windows 6.0.6001 Service Pack 1

8/15/2009 6:15:06 PM
56TrojansHEM_D-Log_mbam-log-2009-08-15 (18-14-52).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 373311
Time elapsed: 1 hour(s), 0 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 56

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v006DBC2F\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v006DBC2F\Native\STUBEXE\@SYSTEM@\conime.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v006DBC2F\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v006DBC2F\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v006DBC2F\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v09930AC1\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v09930AC1\Native\STUBEXE\@SYSTEM@\conime.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v09930AC1\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v09930AC1\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v09930AC1\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v12EFC15E\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v12EFC15E\Native\STUBEXE\@SYSTEM@\conime.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v12EFC15E\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v12EFC15E\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v12EFC15E\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v1C84EDBD\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v1C84EDBD\Native\STUBEXE\@SYSTEM@\conime.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v1C84EDBD\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v1C84EDBD\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v1C84EDBD\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\Native\STUBEXE\@PROGRAMFILES@\Microsoft Office\OFFICE11\WINWORD.EXE (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\Native\STUBEXE\@PROGRAMFILES@\Mozilla Firefox\firefox.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\DBControlPanel.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\Native\STUBEXE\@SYSTEM@\conime.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\Native\STUBEXE\@WINDIR@\splwow64.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\dw20.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v2B34C5A3\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HoldemManager.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v3001F9EE\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v3001F9EE\Native\STUBEXE\@SYSTEM@\conime.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v3001F9EE\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v3001F9EE\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v3001F9EE\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v5B04D48C\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMArticles.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v5B04D48C\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v5B04D48C\Native\STUBEXE\@SYSTEM@\conime.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v5B04D48C\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v5B04D48C\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v5B04D48C\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\dw20.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v5B04D48C\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v6B68FA03\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v6B68FA03\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v72674296\Native\STUBEXE\@PROGRAMFILES@\Mozilla Firefox\firefox.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v72674296\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v72674296\Native\STUBEXE\@SYSTEM@\conime.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v72674296\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v72674296\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v72674296\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v77810409\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMArticles.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v77810409\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v77810409\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v77810409\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v77810409\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe (Trojan.Crypt) -> No action taken. [52535142474052302218181913012320203422362225221923392339242122392119242223262336232122362225202219382019223622232337223624192322233623222318242023222236222024211242223192122242523221938241723212319]
  19. Scanning with developer mode now, will post results once finished.

Kind regards,
- HH89/Eclipse86 (on 2+2)
  20. After today's MBAM update, scans started picking up this file as being infected:

Malwarebytes' Anti-Malware 1.39
Database version: 2502
Windows 6.0.6001 Service Pack 1

7/26/2009 12:24:55 AM
displaymanager.dll_developerlog_mbam-log-2009-07-26 (00-24-33).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 378973
Time elapsed: 58 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files (x86)\pacific hand grabber\DisplayManager.dll (Malware.Packer.T) -> No action taken. [52535142474052302318191301211717171717361722212325232223372326232123181917]

Is this a false positive? Also, can someone let me know what "Malware.Packer.T" is, and how harmful it is?
  21. Everything is now corrected with the latest updates, thanks!
  22. Just glad we could help =). And, thank you for being so attentive. It is much appreciated. Kind regards, - HH89
  23. Here is an updated Developer's Log for Database version: 2458, just in case you guys might need to take a look at it.

Malwarebytes' Anti-Malware 1.39
Database version: 2458
Windows 5.1.2600 Service Pack 2

7/18/2009 10:18:20 AM
DeveloperLog_DB2458_2009-07-18 (10-17-52).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 107731
Time elapsed: 12 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\WinRAR\Default.SFX (Spyware.Banker) -> No action taken. [525351424740523025182317171301212222172136211821202122212321262136212221212136212417172219212221382118213721222121213621241717192224201917192224201917192224201717212421222221221721182220222022242139221921212018171721182220]
  24. This could very well be why Exile didn't pick up anything malicious on his scan; perhaps he's using the newest build of WinRAR? FWIW, I did some googling and found that Spyware.Banker is actually a trojan which monitors what you're doing and tries to steal account information and passwords, especially those pertaining to online banking. With that being said, before this file can actually be confirmed as 100% safe, I urge everyone to take extra precautions and not log into any personal accounts that hold anything valuable. You can never be too safe these days =(.
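The logs quoted in these posts all share one layout, and the 56-entry HoldemManager log in particular is easier to reason about once its entries are parsed and grouped. The Python below is an added example written for this page; it is not Malwarebytes code and not anything the posters ran. It parses a saved MBAM 1.x log (the line-oriented file, not the flattened forum paste), counts detections per threat name, groups entries by the bracketed developer-mode tag, and attaches a short triage note for the object types that appear in this thread (an Explorer policy value, Xenocode virtualisation stubs, a WinRAR SFX module). SAMPLE_LOG is a constructed excerpt assembled from entries quoted above with the tags shortened; the triage notes are the example's own heuristics, not Malwarebytes' verdicts, and the unclassified case only says what to check next.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and triage the detections.

Added example for this thread (not Malwarebytes code, not anything the posters
ran). Layout as seen in the logs above: "<Kind> Infected: <n>" summary lines,
then one listing per kind whose entries look like
"<item> (<Threat.Name>) -> <action>. [<developer-mode tag>]".
SAMPLE_LOG is a constructed excerpt built from entries quoted on this page.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Headers read "... Infected:" in MBAM 1.3x/1.4x and "... Detected:" in 1.6x/1.7x;
# either may carry a count (summary block) or open a listing.
SECTION = re.compile(
    r"^(?P<kind>Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) (?:Infected|Detected):\s*(?P<count>\d+)?$"
)
# Paths may contain parentheses ("program files (x86)"): the threat is the token in "(...) -> ".
ENTRY = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()\s]+)\) -> (?P<action>.+?)\."
    r"(?: \[(?P<tag>[0-9A-Fa-f]+)\])?$"
)

@dataclass(frozen=True)
class Detection:
    kind: str           # "Files", "Registry Keys", "Registry Data Items", ...
    item: str           # path, key or value as logged
    threat: str         # e.g. "Trojan.Crypt"
    action: str         # e.g. "No action taken" or "Bad: (1) Good: (0) -> No action taken"
    tag: Optional[str]  # bracketed field, present only in developer-mode logs

def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection entry in the log, in order of appearance."""
    found: List[Detection] = []
    kind: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        header = SECTION.match(line)
        if header:
            kind = header["kind"]   # a summary header just opens an empty section
            continue
        if kind is None or line == "(No malicious items detected)":
            continue                # preamble (version, scan type, ...) or empty listing
        entry = ENTRY.match(line)
        if entry is None:
            raise ValueError(f"unrecognised line under {kind!r}: {line}")
        found.append(Detection(kind, entry["item"], entry["threat"],
                               entry["action"], entry["tag"]))
    return found

def count_by_threat(dets: List[Detection]) -> Dict[str, int]:
    return dict(Counter(d.threat for d in dets))

def group_by_tag(dets: List[Detection]) -> Dict[str, List[Detection]]:
    """Group by developer-mode tag: in the 56-file Xenocode log above every entry
    carries the same tag, so the whole log reduces to one item to report."""
    groups: Dict[str, List[Detection]] = defaultdict(list)
    for d in dets:
        groups[d.tag or "<no tag>"].append(d)
    return dict(groups)

def what_is_it(d: Detection) -> str:
    """Heuristic note on the flagged object, from its kind and path alone."""
    low = d.item.lower()
    if d.kind == "Registry Data Items" and "\\policies\\" in low:
        return ("policy value: 'Bad: (n) Good: (m)' is the current data and what MBAM "
                "would restore; check whether an admin or GPO set it deliberately")
    if "\\xenocode\\appliancecaches\\" in low and "\\stubexe\\" in low:
        return ("Xenocode virtualisation stub: a generated launcher cached per run, not the "
                "installed program; packer heuristics often fire on these, so compare with "
                "the real binary under Program Files")
    if low.endswith(".sfx"):
        return ("self-extractor module (archives are appended to this stub); compare its "
                "hash with the same module in the vendor's current release")
    return "unclassified: hash the object and check vendor release/VirusTotal before acting"

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Scan type: Full Scan (C:\|D:\|)

Registry Keys Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\PTECH (Adware.21Nova) -> No action taken. [43E5B9A79BC8C953]

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830]

Files Infected:
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v006DBC2F\Native\STUBEXE\@SYSTEM@\conime.exe (Trojan.Crypt) -> No action taken. [5253514247405230]
C:\Users\Carlton\AppData\Local\Xenocode\ApplianceCaches\HoldemManager.exe_v09930AC1\Native\STUBEXE\@SYSTEM@\conime.exe (Trojan.Crypt) -> No action taken. [5253514247405230]
c:\program files (x86)\pacific hand grabber\DisplayManager.dll (Malware.Packer.T) -> No action taken. [52535142474052302318]
"""

if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(count_by_threat(dets))
    for tag, group in group_by_tag(dets).items():
        print(f"[{tag}] x{len(group)}: {group[0].item}\n    -> {what_is_it(group[0])}")
```

Run it as a script for the grouped summary, or import parse_mbam_log and feed it the contents of a real mbam-log-*.txt. Grouping by tag is what turns "56 trojans" into "one Trojan.Crypt rule hitting every Xenocode stub in the cache", which is the question to put to the researchers, with one of the stub files attached.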