ColdlyIndifferent

Members
  • Content Count: 25
  • Rank: New Member

  1. No new news to report except that Microsoft are refusing to budge on their sudden decision to treat PH2 as high-threat malware. This link to a Process Hacker forum admin post links to relevant threads which may help others coming here in regard to this matter: https://wj32.org/processhacker/forums/viewtopic.php?f=1&p=11304#p11304 and the other thread there: https://wj32.org/processhacker/forums/viewtopic.php?f=40&t=3729&p=11282#p11282 In short, MS, and only MS, now regard PH2 as a malware tool, and their anti-virus/anti-malware programs will, depending on your settings, either quarantine or remove the main ProcessHacker.exe along with some other associated files. Neither Malwarebytes nor any other security software, as of this date, is jumping on the MS bandwagon. Probably a good idea to close this thread now. If there are any other developments, particularly if relevant to Malwarebytes, a new thread can always be started.
  2. Found this telling PC blog post. PH2 has been tested and absolved, but MS hate it anyway, seems to be the real story.
  3. As a follow-up, I've posted about this in the appropriate MS Community forum and Process Hacker 2's forum. In the latter this MSE/Defender definitions issue (as that is what it appears to be) is also being reported. Although it is not really a Malwarebytes matter, as it, like all other security tools, reports there being no problem, it would be helpful if this thread is kept open so that, if there is some resolution/explanation from MS about this, it can be posted. Other users coming here may find it useful information and not have to bother Malwarebytes any further with it.
  4. The uninstall you did probably left stuff behind, and did you check Defender's Quarantine folder? It might still contain those quarantined items. It will delete them after a certain period of time, 30 days I think, but if you've decided to get rid of PH2 then it would be a good idea to use the Remove option if anything PH2-related is there. I do not know whether Defender is the same, but MSE makes adding exclusions, once detected, as difficult as possible. Once there they also seem to persist in Quarantine even if you use the Allow option. The Allow option is only available under the All Detected Items list and apparently has not removed one of the PH2 instances, from the second scan I did, from Quarantine. Pretty sure I'm going to have to restore the PH2 files and uninstall the program, remove anything left in Quarantine, re-install, then add the PH2 folder to MSE's exclusions list. If I don't, it may well disable PH2 again at the end of the quarantine period. PH2 is often recommended and has a built-in option to be used as an MS Task Manager replacement. I dread to think what problems might have been caused if that has been the case for anyone else using Defender or MSE. It is probably a very small subset and one I'm glad I'm not in. What I'm going to try to do now is get some sense and explanation out of MS on this. I'm signed up to their forums although, unlike here, it is a lottery whether you get an actual response from a genuine MS representative who knows what they're talking about, let alone is able to do something about it.
  5. Yes, I am saying that the reason we've both had this on two different MS security platforms is that the definitions have probably both been updated because somebody, somewhere has either made a mistake, added it after someone reported it as a problem without checking, or some process PH2 uses has been wrongly detected as a "threat". There is a warning with the PH2 installer that one of the options is not recommended, and it has been known that it can be used as a potential conduit for malware. Whether it has or not, that would be enough for it to be designated as a threat. This is a quote from an article dated 2017: "The crooks download and install low-level system tweaking software, such as the popular Process Hacker tool. Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery, especially if they use kernel drivers to let you to pull off modifications that the operating system usually prevents. This includes: killing off processes that usually disallow shutdown, deleting locked files, and changing configuration settings that are usually locked down." https://nakedsecurity.sophos.com/2017/11/15/ransomware-spreading-hackers-sneak-in-through-rdp/ However, this blog from 2018 was posted by, wait for it... MalwarebytesLAB a year ago, promoting the very same tool: https://blog.malwarebytes.com/101/how-tos/2018/11/advanced-tools-process-hacker/ So there is a bit of a problem here: the potential threat PH2 may present has been known about for years, but MS have been happily not seeing it as a threat until this weekend's Defender and MSE updates. Malwarebytes doesn't see it as a problem, AVAST does not see it as a problem and Spybot doesn't see it as a problem. That does not mean that on your or my PC it has not been used to install malware, just that it is highly unlikely, and the 'new' threat is actually an old threat now redefined as a problem by the MS definitions update and nowhere else.
However, whilst the problem is most likely the MS definitions update (it's too much of a coincidence for that not to be the most likely explanation), you should do what nasdaq previously asked and submit the FarBar logs for review. If anything is found amiss then I'll follow. BTW, check Defender's quarantined items and I suspect you'll find it there as HackTool:Win64ProcHack with the files detected beneath. Also check C:\Programs for the Process Hacker 2 folder. That screenshot in the earlier post indicates that only very specific PH2 files are being seen as a threat by Defender. My MSE log reports exactly the same files too, including the program's own uninstaller. I'd bet that most of PH2's folder content is still there, including the x86 folder containing the 32-bit .exe which MSE has no problems with. There are probably leftovers in ProgramData and your user AppData too, folders Windows hides by default. If it truly wanted to get rid of PH2, MSE, and I'd suspect Defender too, has done a lousy job. Should you want to get rid of PH2 completely at any point, do not use the Remove option. I suggest instead restoring the quarantined items and then using Revo Uninstaller or BCUninstaller. Either will do a far better and more thorough job than just running the uninstaller. If you delete the main .exe and the uninstaller, as MSE seems to want to do, you'll have a much harder task finding and removing all PH2 files, particularly the registry keys.
  6. I think we might well have another false positive issue here. I have Microsoft Security Essentials (MSE) as a temporary AV on another PC, and that too suddenly started reporting (the same weekend) that the Process Hacker 2 .exe was a "high" threat after its most recent definitions update. Unfortunately for me, I'd not changed MSE's default settings, and in the case of a "high" threat it deals with what it sees as the offending file automatically. I expect that is what has happened here for the OP with Defender, which is probably using the same MS definitions. I only realised it had been removed when I tried to launch Process Hacker 2 a few days later from my desktop shortcut and it reported the path as invalid. I went to the Process Hacker 2 folder and found its .exe was gone. I then realised what had happened. Laughably, Process Hacker 2 contains both a 64-bit .exe and a 32-bit .exe, and the latter was still there, usable, and in the short time when I was using it MSE took not the slightest notice. Obviously I scanned the Process Hacker 2 folder with MB and other security software and nothing was reported. But I still deleted the installation and reinstalled it from a fresh download (MD5/SHA1 checked); all working OK, but MSE was still reporting its primary .exe as a problem after a scan. On another PC which has had Process Hacker 2 for years, neither the main PC's AV, MB nor anti-spyware tools have ever reported any problem, and that holds true. So I then uninstalled it again on the other PC and, using exactly the same installer from my archived collection, installed from that. MSE still reports it as a "high" threat afterwards too, but still let me install it. MB reports no problem in all cases on both PCs. navigations' 'problem' was 'resolved' only because Defender quarantined the file automatically. It is probably still there in the quarantine folder, and I bet the rest of the Process Hacker 2 folder is still there too, complete with the 32-bit .exe.
If his 'problem' was/is not a false positive I'd be very surprised. But it is not really much to do with Malwarebytes; it is MS's AV definitions that are likely the problem. However, I suppose MB can usefully confirm that the Process Hacker 2 64-bit .exe is no threat.
  7. Test-scanned the file on another PC this morning with the same older MB version installed and the same 30th November definitions too. Threat detected. Just installed this afternoon the latest v4 version of Malwarebytes Free on my primary system and used that to check the file copy I'd extracted. No threat detected. Launched the XP VM and updated the (older) MB to the latest 2nd December definitions and scanned the Outlook Express folder. No threat detected. Hmmm, did somebody add the Outlook Express msimn.exe to the white-list earlier today?
  8. Thanks for the very quick replies. I am using an older version of MB, v1.75.0.1300, on the Windows XP Mode OS VM. Running MB 2.0 or higher on that, at least as I want to use it, I found very early on when trialling v2.0 that it would take up to 2 minutes to do an on-demand scan against often less than 15 secs using that earlier version. It would probably be different if it was auto-running all the time, but with only 1GB of dedicated RAM on the VM I do not want anything else slowing it down. I was forced to change the anti-virus I was using on that particular OS earlier this year, and the slowdown impact, particularly when launching or shutting down the VM, is significant. It pretty much doubled the time and often won't allow you to launch any system tool until it has updated its definitions. A real pain; I can't have MB adding to that as well. But it seems as if you're both saying it is a false positive which has already been white-listed in later MB versions' definitions. As I expected then, but it does prompt some questions: Why is that not part of the MB general definition updates package? To have been specifically white-listed in v3.0 and v4.0 MB versions suggests it has been reported before as a false positive. Why has my version of MB suddenly started reporting it as a problem, i.e. something must have been changed in or by the latest definitions update? As explained, I've never used Outlook Express, I've never even launched it on any machine I've ever had, and the only time I go online with the XP VM is to update my security software, and that includes MB. As described, none of the other security tools I use from inside or outside the VM are reporting a problem with that msimn.exe file.
  9. As requested by nasdaq, I'm starting a new topic here about this. Refer to the original thread for more information, but essentially: an MB scan after the most recent definitions update on a Windows XP virtual machine is reporting the MS Outlook Express email client's main .EXE as a "Trojan Agent.Patched". Here is a copy of the (zipped) msimn.exe file: msimn.zip. Look forward to knowing the result.
  10. It sounds as if all that has happened is that the OP's default browser has been changed to Edge. https://www.computerworld.com/article/3229068/how-to-replace-edge-as-the-default-browser-in-windows-10-and-why-you-should.html
  11. I have Windows XP on a VM and do weekly scans on it with Malwarebytes, AdwCleaner, a dedicated AV and an anti-spyware tool. Apart from weekly updating of XP-compatible software and the Malwarebytes, AV and anti-spyware definitions, it has not been used for anything else for months. Malwarebytes' previous week's scan reported nothing. Now, after the latest definition updates, Malwarebytes is reporting Outlook Express's main .EXE, msimn.exe, as a "Trojan. Patched". I have never used Outlook Express, bundled with XP, ever on any PC, let alone this one. As it is unused and redundant I had a mind to uninstall Outlook Express, but after reading up on that, as it is not a simple process, I decided against it. I've scanned the whole Outlook Express folder with everything else I have on the VM, and the VM itself, including the whole XP Mode folder where it resides, from outside by the parent OS tools, including Malwarebytes, and nothing except Malwarebytes on the XP VM is reporting it as a problem. This is clearly something new due to the updated definitions. I can find no information that Outlook Express is considered a general problem by any other security software, so what is this all about?
  12. I discovered what the 'problem' was, and it was not the UAC settings. If you do an AdwCleaner scan and then immediately go to Settings > Exclusions to add the exclusions before doing anything else, i.e. Skip or Clean, the buttons are disabled. I made the assumption this was because I was not being allowed to add the exclusions as I did not have the correct permissions. Changing the compatibility setting to run as admin seemed to confirm that. But what I was actually doing was just relaunching AdwCleaner, and that was all that is necessary to get the Exclusions buttons to function. AdwCleaner simply disables those Exclusions options after a scan, presumably for security reasons, so no settings changes can be made before the notified threat from a scan has been addressed one way or the other. Anyway, that is sorted now, and the advice to add the exclusions directly via the right mouse click context menu, which I had not thought to try, does work, and scans now report 'No Problems'. I guess you were correct about it being a value data issue, not the key itself. Good call. But is it not a bit strange that you can add exclusions via the context menu immediately after a scan but not do the same via the Settings > Exclusions screen?
  13. As a follow-up to this, although unnecessary as those AdwCleaner-designated "threats" reappear every time Spybot definitions are updated, I decided to add them to the exclusions list. The problem I'm having now is that despite the paths being (laboriously) individually copied direct from the AdwCleaner scan log and added to the Exclusions list, those exclusions are being ignored, and with each new scan they are being reported again. I've checked and the exclusions are all there with exactly the same paths, so why are those locations still being reported? Annoyingly, I discovered you can't just add them in the default mode either; you have to launch AdwCleaner in admin mode (right click > Properties > Compatibility > and tick: always run as administrator) for the Add Exclusions button and other options to become available. Also, I'm not sure what, for the particular files listed in my original post, I should be using as the Exclusion Type. 'Family' being set as default I don't understand; I just wanted those very particular paths excluded, but whatever I use it seems it is being ignored. I'm probably writing them in the wrong way or something like that, so if someone can explain it would be appreciated.
  14. Thanks for the reply/information. I guessed the registry key value 4 meant the domain was one of those on the restricted list, useful to have that confirmed.