Everything posted by ColdlyIndifferent

  1. I know it is an old version but for my purposes on an XP virtual machine and a Win7 system with limited speed/memory Malwarebytes v1.75.0.1300 is ideal. The definitions have updated without issue until now. As a result of a mistake I had to use System Restore yesterday. As is normal, when done everything works OK but the Malwarebytes definitions database always reports it is either missing or corrupt so I click to download and install the latest version. That normally goes without a hitch but this time it seemed to hang momentarily, not connecting to the server and not downloading anything, and I then get the message that I have the most recent version. I check and the Update page shows there are no definitions installed. Retrying just brings the same result. Checking in ProgramData > Malwarebytes > Malwarebytes AntiMalware there is no "rules.ref" file at all. Using System Restore again to go to another earlier point produced the same problem, as did a thorough uninstall (Revo) of Malwarebytes v1.75.0.1300 and reinstall. I found an old manual definitions archived update .exe from 2014 and tried that and no problems - it installed, created a rules.ref file and worked fine apart from the fact every time I launched Malwarebytes it warned me the definitions database was outdated by over 2000 days. This was the then current (7th August 2020) definitions update on another Win7 PC and would have been the one that was deleted during the System Restore process from the other machine. Whatever the case the definitions updated, as normal, perfectly on that date and the next day when I updated the XP VM. I suppose it could still be the Malwarebytes installation on the other machine but I've checked and unusually if I try to update the definitions on this PC I'm being given the same message that I have the latest version. The XP VM one too. That's very unusual as there is usually at least one new version update a day and it's been six days since the last one.
An explanation/help appreciated.
  2. No new news to report except that Microsoft are refusing to budge on their sudden decision to treat PH2 as high threat malware. This link to a Process Hacker forum admin post links to relevant threads which may help others coming here in regard to this matter:- https://wj32.org/processhacker/forums/viewtopic.php?f=1&p=11304#p11304 and the other thread there:- https://wj32.org/processhacker/forums/viewtopic.php?f=40&t=3729&p=11282#p11282 In short MS, and only MS, now regard PH2 as a malware tool and their anti-virus/anti-malware programs will, depending on your settings, either quarantine or remove the main ProcessHacker.exe along with some other associated files. Neither Malwarebytes nor any other security software, as of this date, is jumping on the MS bandwagon. Probably a good idea to close this thread now. If there are any other developments, particularly if relevant to Malwarebytes, a new thread can always be started.
  3. Found this telling PC blog post. PH2 has been tested and absolved but MS hate it anyway seems to be the real story.
  4. As a follow up I've posted about this in the appropriate MS Community forum and Process Hacker 2's forum. In the latter this MSE/Defender definitions issue (as that is what it appears to be) is also being reported. Although it is not really a Malwarebytes matter, as it, like all other security tools, reports there being no problem, it would be helpful if this thread is kept open so if there is some resolution/explanation from MS about this it can be posted. Other users coming here may find it useful information and not have to bother Malwarebytes any further with it.
  5. The uninstall you did probably left stuff behind, and did you check Defender's Quarantine folder, because it might still contain those quarantined items? It will delete them after a certain period of time, 30 days I think, but if you've decided to get rid of PH2 then it would be a good idea to use the Remove option if anything PH2 related is there. I do not know whether Defender is the same but MSE makes adding exclusions, once detected, as difficult as possible. Once there they also seem to persist in Quarantine even if you use the Allow option. The Allow option is only available under the All Detected items list and apparently has not removed one of the PH2 instances, the second scan I did, from Quarantine. Pretty sure I'm going to have to restore the PH2 files and uninstall the program, remove anything left in Quarantine, re-install then add the PH2 folder to MSE's exclusions list. If I don't it may well disable PH2 again at the end of the quarantine period. PH2 is often recommended and has a built in option to be used as a MS Task Manager replacement. I dread to think what problems might have been caused if that has been the case for anyone else using Defender or MSE. It is probably a very small subset and one I'm glad I'm not in. What I'm going to try to do now is get some sense and explanation out of MS on this. I'm signed up to their forums although, unlike here, it is a lottery if you get an actual response from a genuine MS representative who knows what they're talking about, let alone one able to do something about it.
  6. Yes I am saying that the reason we've both had this on two different MS security platforms is that definitions have probably both been updated because somebody, somewhere has either made a mistake, added it after someone reported it as a problem without checking, or some process PH2 uses has been wrongly detected as a "threat". There is a warning with the PH2 installer that one of the options is not recommended and it has been known that it can be used as a potential conduit for malware. Whether it has or not, that would be enough for it to be designated as a threat. This is a quote from an article dated 2017:- "The crooks download and install low-level system tweaking software, such as the popular Process Hacker tool. Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery, especially if they use kernel drivers to let you to pull off modifications that the operating system usually prevents. This includes: killing off processes that usually disallow shutdown, deleting locked files, and changing configuration settings that are usually locked down." https://nakedsecurity.sophos.com/2017/11/15/ransomware-spreading-hackers-sneak-in-through-rdp/ However this blog from 2018 was posted by, wait for it... MalwarebytesLAB a year ago promoting the very same tool:- https://blog.malwarebytes.com/101/how-tos/2018/11/advanced-tools-process-hacker/ So there is a bit of a problem here - the potential threat PH2 may present has been known about for years but MS have been happily not seeing it as a threat until this weekend's Defender and MSE updates. Malwarebytes doesn't see it as a problem, AVAST does not see it as a problem and Spybot doesn't see it as a problem. That does mean that on your or my PC it has not been used to install malware, just that it is highly unlikely and the 'new threat' is actually an old threat now redefined as a problem by the MS definitions update and nowhere else.
However whilst the problem is most likely the MS definitions update (it's too much of a coincidence for that not to be the most likely explanation) you should do what nasdaq previously asked and submit the FarBar logs for review. If anything is found amiss then I'll follow. BTW, check Defender's quarantined items and I suspect you'll find it there as HackTool:Win64ProcHack and the files detected beneath. Also check C:\Programs for the Process Hacker 2 folder. That screenshot in the earlier post indicates that only very specific PH2 files are being seen as a threat by Defender. My MSE log reports exactly the same files too, including the program's own uninstaller. I'd bet that most of PH2's folder content is still there including the x86 folder containing the 32bit .exe which MSE has no problems with. There are probably leftovers in ProgramData and your User AppData too, folders Windows hides by default. If it truly wanted to get rid of PH2, MSE, and I'd suspect Defender too, has done a lousy job. Should you want to get rid of PH2 completely at any point do not use the Remove option. I suggest instead restoring the quarantine items and then using Revo Uninstaller or BCUninstaller. Either will do a far better and more thorough job than just running the uninstaller. If you delete the main .exe and the uninstaller as MSE seems to want to do you'll have a much harder task finding and removing all PH2 files, particularly the registry keys.
  7. I think we might well have another false positive issue here. I have Microsoft Security Essentials (MSE) as a temporary AV on another PC and that too suddenly started reporting (the same weekend) that the Process Hacker 2 .exe was a "high" threat after its most recent definitions update. Unfortunately for me I'd not changed MSE's default settings and in the case of a "high" threat it deals with what it sees as the offending file automatically. I expect that is what has happened here for the OP with Defender, which is probably using the same MS definitions. I only realised it had been removed when I tried to launch Process Hacker 2 a few days later from my desktop shortcut and it reported the path as invalid. I went to the Process Hacker 2 folder and found its .exe was gone. I then realised what had happened. Laughably Process Hacker 2 contains both a 64bit .exe and a 32bit .exe and the latter was still there, usable, and in the short time when I was using it MSE took not the slightest notice. Obviously I scanned the Process Hacker 2 folder with MB and other security software and nothing was reported. But I still deleted the installation and reinstalled it from a fresh download (MD5/SHA1 checked); all working OK but MSE was still reporting its primary .exe as a problem after a scan. On another PC which has had Process Hacker 2 for years neither the main PC's AV, MB or anti-spyware tools have ever reported any problem and that holds true. So I then uninstalled it again on the other PC and using exactly the same installer from my archived collection installed from that. MSE still reports it as a "high" threat too afterwards but still let me install it. MB reports no problem in all cases on both PCs. navigations' 'problem' was 'resolved' only because Defender quarantined the file automatically. It is probably still there in the quarantined folder and I bet the rest of the Process Hacker 2 folder is still there too, complete with 32bit .exe.
If his 'problem' was/is not a false positive I'd be very surprised. But it is not really much to do with Malwarebytes; it is MS's AV definitions that are likely the problem. However I suppose MB can usefully confirm that the Process Hacker 2 64bit .exe is no threat.
  8. Test scanned the file on another PC this morning with the same older MB version installed and the same 30th November definitions too. Threat detected. Just installed this afternoon the latest v4 version of Malwarebytes free on my primary system and used that to check the file copy I'd extracted. No threat detected. Launched the XP VM and updated the (older) MB to latest 2nd December definitions and scanned the Outlook Express folder. No threat detected. Hmmm, did somebody add the Outlook Express msimn.exe to the white-list earlier today?
  9. Thanks for the very quick replies. I am using an older version of MB, v1.75.0.1300, on the Windows XPMode OS VM. Running MB 2.0 or higher on that, at least as I want to use it, I found very early on when trialing v2.0 that it would take up to 2 minutes to do an on-demand scan against often less than 15 secs using that earlier version. It would probably be different if it was auto-running all the time but with only 1GB of dedicated RAM on the VM I do not want anything else slowing it down. I was forced to change the anti-virus I was using on that particular OS earlier this year and the slow down impact, particularly when launching or shutting down the VM, is significant. It pretty much doubled the time and often won't allow you to launch any system tool until it has updated its definitions. A real pain; I can't have MB adding to that as well. But it seems as if you're both saying it is a false positive which has already been white-listed in later MB versions' definitions. As I expected then, but it does prompt some questions:- Why is that not part of the MB general definition updates package? To have been specifically white-listed in v3.0 and v4.0 MB versions suggests it has been reported before as a false positive. Why has my version of MB suddenly started reporting it as a problem, ie. something must have been changed in or by the latest definitions update? As explained I've never used Outlook Express, I've never even launched it on any machine I've ever had and the only time I go online with the XP VM is to update my security software and that includes MB. As described none of the other security tools I use from inside or outside the VM are reporting a problem with that msimn.exe file.
  10. As requested by nasdaq I'm starting a new topic here about this. Refer to the original thread for more information but essentially: a MB scan after the most recent definitions update on a Windows XP virtual machine is reporting MS Outlook Express email client's main .EXE as a "Trojan Agent.Patched". Here is a copy of the (zipped) msimn.exe file:- msimn.zip Look forward to knowing the result.
  11. It sounds as if all that has happened is that the OP's default browser has been changed to Edge. https://www.computerworld.com/article/3229068/how-to-replace-edge-as-the-default-browser-in-windows-10-and-why-you-should.html
  12. I have Windows XP on a VM and do weekly scans on it with Malwarebytes, AdwCleaner, a dedicated AV and an anti-spyware tool. Apart from weekly updating XP compatible software and Malwarebytes, the AV's and anti-spyware definitions it has not been used for anything else for months. Malwarebytes' previous week's scan reported nothing. Now after the latest definition updates Malwarebytes is reporting Outlook Express's main .EXE, msimn.exe, as a "Trojan. Patched". I have never used Outlook Express, bundled with XP, ever on any PC let alone this one. As it is unused and redundant I had a mind to uninstall Outlook Express but after reading up on that, as it is not a simple process, I decided against it. I've scanned the whole Outlook Express folder with everything else I have on the VM and the VM itself, including the whole XPMode folder where it resides, from outside by the parent OS tools, including Malwarebytes, and nothing except Malwarebytes on the XP VM is reporting it as a problem. This is clearly something new due to the updated definitions. I can find no information that Outlook Express is considered a general problem by any other security software so what is this all about?
  13. I discovered what the 'problem' was - not the UAC settings. If you do an AdwCleaner scan then immediately go to Settings > Exclusions to add the exclusions before doing anything else, ie. Skip or Clean, the buttons are disabled. I made the assumption this was because I was not being allowed to add the exclusions as I did not have the correct permissions. Changing the compatibility setting to run as admin seemed to confirm that. But what I was actually doing was just relaunching AdwCleaner and that was all that is necessary to get the Exclusions buttons to function. AdwCleaner simply disables those Exclusions options after a scan, presumably for security reasons so no settings changes can be made before the notified threat from a scan has been addressed one way or the other. Anyway that is sorted now and the advice to add the exclusions directly via the right mouse click context menu, which I had not thought to try, does work and scans now report 'No Problems'. I guess you were correct about it being a value data issue not the key itself. Good call. But is it not a bit strange that you can add exclusions via the context menu immediately after a scan but not do the same via the Settings > Exclusions screen?
  14. As a follow up to this, although unnecessary as those AdwCleaner designated "threats" reappear every time Spybot definitions are updated, I decided to add them to the exclusions list. The problem I'm having now is that despite the paths being (laboriously) individually copied direct from the AdwCleaner scan log and added to the Exclusions list those exclusions are being ignored and with each new scan they are being reported again. I've checked and the exclusions are all there and exactly the same paths so why are those locations still being reported? Annoyingly I discovered you can't just add them in the default mode either; you have to launch AdwCleaner in admin mode (right click > Properties > Compatibility > and tick: always run as administrator) for the Add Exclusions button and other options to become available. Also I'm not sure what, for the particular files listed in my original post, I should be using as the Exclusion Type. 'Family' being set as default I don't understand - I just wanted those very particular paths excluded but whatever I use it seems it is being ignored. I'm probably writing them in the wrong way or something like that so if someone can explain it would be appreciated.
  15. Thanks for the reply/information. I guessed the registry key value 4 meant the domain was one of those on the restricted list, useful to have that confirmed.
  16. I've used an old version of Spybot for years as a low level additional protection as it has a very small profile/low resource use and doesn't interfere with anything very much. I've run scans with AdwCleaner in the past and it has never had a problem but at some point, I think fairly recently, it has been reporting the following on my PC:-
PUP.Optional.Legacy HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
First time it happened, like a good boy, I allowed AdwCleaner to clean and restart. All gone, all good... but a couple of weeks later I ran the scan again and they're all back. This kept on happening and then I eventually noticed something - every time after I'd used AdwCleaner and then later updated Spybot definitions and applied what it calls browser immunisation it showed 6 items as unprotected. It took some time to click even then but when it did and I did a bit of research I found "Zonemap" is used by browsers, IE in particular, as the designated registry location for restricted and trusted web sites. Spybot adds its own definitions to this list and those six items AdwCleaner is deleting as PUPs are apparently from Zonemap's list of restricted domains. Identifying what is trusted and what is restricted from the Zonemap lists is not clear (anyone here know?)
but the registry entries for the IE trusted sites are slightly different from the bulk of the others I've looked at. I am pretty sure those six are restricted domains. It would appear AdwCleaner is actually removing protection from my system by deleting these entries. Obviously I can add them to an exclusion list from now on but I thought it worth mentioning this matter here now I've discovered what they are and why they keep reappearing. The restricted domains shown in Zonemap are very numerous, there are hundreds of them covering everything dodgy from gambling web sites to HC porn so the question that also has to be asked is why are only those six considered PUPs?
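The post above asks how to tell trusted from restricted entries in the ZoneMap list; the reply that follows confirms that a value of 4 means Restricted sites. The script below is an added example, not part of the thread or of AdwCleaner or Spybot, that enumerates the ZoneMap domain keys for the current user and labels each entry with its zone so the list can be audited before deciding what to exclude. It relies only on the documented ZoneMap layout (one key per domain, subdomains as subkeys, one DWORD per scheme holding the zone number) and on the zone numbering used by Internet Explorer.

```powershell
# Added example (not from the forum post): audit IE/Windows ZoneMap entries.
# Zone numbers as used by Internet Explorer:
#   0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    param(
        # Per-user list; for HKU\.DEFAULT or a SID hive pass the matching
        # 'Registry::HKEY_USERS\...\ZoneMap\Domains' path instead.
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    if (-not (Test-Path -Path $Root)) { return @() }

    # Each domain is a key (dospop.com); each subdomain is a subkey (dospop.com\www);
    # each value is named after a scheme ('http', 'https' or '*') and holds the zone number.
    Get-ChildItem -Path $Root -Recurse | ForEach-Object {
        $key = $_
        $relative = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
        # Rebuild the host name: 'dospop.com\www' -> 'www.dospop.com'
        $parts = $relative -split '\\'
        [array]::Reverse($parts)
        $hostName = $parts -join '.'

        foreach ($valueName in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($valueName)
            $zoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" }
            [pscustomobject]@{
                Host     = $hostName
                Scheme   = $(if ($valueName -eq '') { '(default)' } else { $valueName })
                Zone     = $zone
                ZoneName = $zoneName
                Key      = $key.Name
            }
        }
    }
}

$entries = Get-ZoneMapEntries

# Summary: how many entries sit in each zone (a large Restricted count is what
# Spybot's browser immunisation produces; Trusted entries deserve a closer look).
$entries | Group-Object -Property ZoneName | Select-Object Name, Count | Format-Table -AutoSize

# Trusted-zone entries get a weaker security configuration, so list them explicitly.
$entries | Where-Object { $_.Zone -eq 2 } | Sort-Object Host | Format-Table Host, Scheme, Key -AutoSize

# Check the specific hosts the post mentions and show which zone they are in.
$entries | Where-Object { $_.Host -match 'dospop\.com$|incredibar\.com$' } |
    Format-Table Host, Scheme, ZoneName -AutoSize
```

Run it in an elevated PowerShell session to read the HKU\S-1-5-18 and HKU\.DEFAULT hives listed in the post; entries that show as Restricted sites (zone 4) are blocks rather than allowances, which is the point the post is making about what AdwCleaner removed.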
  17. I was getting this with WinXP running on a VM, both timedate.cpl and an associated cache.dll, causing me to do a full system scan as the supposed trojan sounded extra nasty. So time wasted worrying and doing that not appreciated. However I can also confirm the later update in the day: v2019.05.25.06 appears to have fixed the problem. Thanks for that. Was this a WinXP 32bit only thing? I ask because I updated my host 64bit OS's Malwarebytes definitions at the same time and did my at least weekly quick scan at the same time and it did not flag up the same file(s) either from outside scanning the VM XP installation or indeed its own timedate.cpl files, present in both the System32 and SysWOW64 folders. The file concerned appears to be the OS clock so how on earth did that rather important system file end up getting identified as a trojan anyway?
  18. I've just updated to v7.2.2 and suddenly from a system free of threats had a nasty 'surprise' and found it reporting almost 200 very similar entries (all just as others have described) have now been flagged as PUPs etc. I went back and tried v7.2.0 and that reports my system is free of threats. Clearly some issue with the new version but what? So I come here and find it is a problem between the new AdwCleaner version and Spybot, which I have used for years quietly in the background without problems. Mind put at rest for the time being. IMHO it is pretty pointless adding these to AdwCleaner exclusions unless you desperately want to use the new version for some reason. It has a fault, it shouldn't be doing this, previous versions certainly didn't and TBH I'm not really concerned about why, just that it is fixed as soon as conveniently possible, please. That other (helpful) thread is from a month ago so this conflict has been known for some time. Until then going back to the previous version must be the more sensible reaction.