ColdlyIndifferent
Everything posted by ColdlyIndifferent

  1. Well, at least two people here, and I thought I'd explained why fairly clearly. Remember we are just talking about the definitions update, not the actual program. Indeed I am in one case using Win XP on a VM and that means a maximum of reserved memory for the OS of 1GB. It takes very little to slow it down and, as also explained, I tried v2.0 on both that and an earlier XP laptop that only had 500MB of RAM, and the slowdown of Malwarebytes scans made it practically useless. So I kept using v1.75, which was updating the definitions until 13.03.24 and working fine for my purposes. If that version of MWB has been 'let go' from the definition updates for some reason then it is damned odd timing. Windows 11 was released 3 years ago in the UK, yet the MWB definitions have still been compatible with all MWB versions from v1.75 onwards until under two weeks ago. What changed that week to require the definitions to be incompatible with v1.75 or any other older version of MWB that might also be affected? We need some clarity from an official MWB spokesperson as to what is going on. As I suggested earlier, it could just be that there has been some technical problem with the definitions update and there was no deliberate intention to stop them working on older versions of MWB at all. Here's hoping it is that.
  2. So why make it incompatible with older versions, if that is what they've done, with no warning and at a weird time too: mid-week in March? I'm not 100% convinced this is not a mistake, perhaps something the bods at MWB are unaware of, or something else is to blame. Last time I had the same thing happen it was because my ISP's preferred DNS server was apparently blocking the definitions update. I posted a thread here about it at the time. But repeating what I did then to resolve the problem, swapping the DNS server, has not worked on either PC. BTW, months later I swapped back to check and found the MWB definitions were not being blocked any more, but I did not trust them not to do it again so returned to the alternative server. This current problem can't be my anti-virus software (actually my first suspicion back then), as the two machines concerned are using different ones. In fact the VM uses another too. That's what made me think of what else it could be and led to the DNS server change solution I discovered. But in this case all I know is that the refusal to update the Malwarebytes definitions, reporting them as up to date, must be due to some external cause. When I came here, this thread, detailing what seems to be the same problem with the same version, seemed too much of a coincidence.
  3. OK, but the fact is that before the malware definitions version update available on 13.03.24 the definitions updates had been working on any older version. I've used Malwarebytes on three different PCs since 2010 and on two VMs since 2016. My reason for still using an older version of Malwarebytes is that on those VMs in particular, when using later versions (e.g. v2.0 onward), it slowed scans down so much it was intolerable. With that older version, the same as the OP, I could do a quick scan of a download that would take less than 10 seconds. With v2.0 I'd be waiting for 2 minutes or more. I also did not like the GUI. The fact is, as said, the definition updates have been working fine up until 13.03.24. But now, if I've understood the official responses in this thread, apparently somebody has decided to make the definition updates incompatible with older versions or, more likely, just arbitrarily stopped them being updated if you're using an older version of Malwarebytes. Why? What does it matter if you're using an older version because you prefer its smaller footprint or for whatever reason? I suspect there are many users of older versions out there, so I'd ask, nicely, if this is some arbitrary decision rather than a purely technical one of 'sudden' incompatibility, that it is reversed ASAP.
  4. I've already posted about this matter on the ISP's forum - their preferred way of initial contact and, as I've found out, the quickest way of getting a response. Not heard back from them yet and probably will not for several days. My suspicion is your third suggestion - it would be 'in character' for my ISP. I really doubt a system issue at my end, given that it has affected two PCs which, whilst they share the same router, are not networked and have never even been on at the same time, specifically to reduce the likelihood of cross contamination. I've done full system AV, Rootkit, MW, ADW scans on both with nothing untoward being reported. The definitions are up to date now and, as said, Malwarebytes is not my primary security program; it's really only used as an extra safety net, for which it is ideal. What I didn't mention is the fact my DNS settings were on automatic (always have been until now) and the two primary DNS (CLOUDFLARE.NET, US), presumably my ISP's preferred ones, have some sort of reported problem status when I checked using a DNS viewer/benchmark program: "DNS enquiries are not being consistently answered". They're the only two working ones available with such a status report. Not sure if that is significant or not in regard to this particular matter.
  5. Just changed the DNS (to Google) and... it worked. But what does this mean? I'm using my ISP's default DNS and have been for a decade without any problems until now. Why would it be blocking one particular thing, and Malwarebytes definition updates in particular? I've done a whole load of updating, as I do at the end of every week, without a similar problem for any of them. Anyway, big thanks to those here for their help and exile360 in particular. I would never have thought to check if this was a DNS issue myself.
  6. No, no VPN or Proxy. I've not tried changing the DNS yet, but what I have managed to do is copy in the last definitions update from the other PC so at least I have a working MB installation. When I tried just copying over the rules.ref file it didn't work, I had the missing/corruption message, but I thought I'd try simply replacing all of MB's folder content, i.e. Program Files (x86), Program Data and User AppData. Everything but the Windows Explorer DLL (in use) copied fine. I thought that was unlikely to be a problem and it wasn't. On reboot MB was showing the replacement definitions update and, most importantly, it works fine. In fact I've done a full scan just to be certain that this problem is as a result of some malware interfering with the update. It would appear everything in that respect is OK, but it is still reporting that I have the latest definitions when I try to use the manual update.
  7. I tried the full Windows 7 resetting the DNS cache thing:- Windows 7: Click Start > All Programs > Accessories. Right-click Command Prompt and choose Run as administrator. When asked whether to allow Command Prompt to make changes to your computer, select Yes. Note: If you are asked for an administrative login, you will need to contact your system administrator. Type "ipconfig /flushdns" and press Enter. Type "ipconfig /registerdns" and press Enter. Type "ipconfig /release" and press Enter. Type "ipconfig /renew" and press Enter. Type "netsh winsock reset" and press Enter. Restart the computer. Did all that and... same problem. 🙁 I'll try an alternative DNS later. I'm not with Xfinity or Comcast.
  8. I do not rely on Malwarebytes and treat it like an adjunct to my security software, scanning downloads and doing weekly scans just to check that nothing untoward has sneaked onto my system. When I tried updating to a more recent version on the PCs in question I found that manually scanning an individual download took three times as long, rendering it pretty much redundant for quick check purposes. I think I posted here about that at the time. The fact is I've had no trouble downloading the definitions updates until this week, I'm guessing 9th August or around that date. Whatever the problem, it appears to be across both of the two Win 7 (64bit) PCs concerned and the XP (32bit) VM running on one of them. They're all reporting that I have the latest definitions despite the fact one is showing it was updated on 07.08.20, the other two 08.08.20, and I have not been able to update them manually since. Two PCs plus a VM not able to download/install up to date definitions - that's too much of a coincidence. Consequently I have one PC with no Malwarebytes definitions at all, rendering it useless, and the other two with almost week-old definitions. That can't be right and my concern is that Malwarebytes has done something without warning to make the definition updates incompatible with the older version I'm using. I'm hoping it is not that but it would really help to know. Instead I'm possibly wasting my time looking for other causes and/or a fix when there is none.
  9. I know it is an old version, but for my purposes on an XP virtual machine and a Win7 system with limited speed/memory Malwarebytes v1.75.0.1300 is ideal. The definitions have updated without issue until now. As a result of a mistake I had to use System Restore yesterday. As is normal when done, everything works OK but the Malwarebytes definitions database always reports it is either missing or corrupt, so I click to download and install the latest version. That normally goes without a hitch, but this time it seemed to hang momentarily, not connecting to the server and not downloading anything, and I then get the message that I have the most recent version. I check and the Update page shows there are no definitions installed. Retrying just brings the same result. Checking in ProgramData > Malwarebytes > Malwarebytes AntiMalware there is no "rules.ref" file at all. Using System Restore again to go to another earlier point produced the same problem, as did a thorough uninstall (Revo) of Malwarebytes v1.75.0.1300 and reinstall. I found an old manual definitions archived update .exe from 2014 and tried that and no problems - it installed, created a rules.ref file and worked fine, apart from the fact every time I launched Malwarebytes it warned me the definitions database was outdated by over 2000 days. This was the then current (7th August 2020) definitions update on another Win7 PC and would have been the one that was deleted during the System Restore process from the other machine. Whatever the case, the definitions updated, as normal, perfectly on that date and the next day when I updated the XP VM. I suppose it could still be the Malwarebytes installation on the other machine, but I've checked and, unusually, if I try to update the definitions on this PC I'm being given the same message that I have the latest version. The XP VM one too. That's very unusual as there is usually at least one new version update a day and it's been six days since the last one.
An explanation/help appreciated.
  10. No new news to report except that Microsoft are refusing to budge on their sudden decision to treat PH2 as high threat malware. This link to a Process Hacker forum admin post links to relevant threads which may help others coming here in regard to this matter:- https://wj32.org/processhacker/forums/viewtopic.php?f=1&p=11304#p11304 and the other thread there:- https://wj32.org/processhacker/forums/viewtopic.php?f=40&t=3729&p=11282#p11282 In short, MS, and only MS, now regard PH2 as a malware tool and their anti-virus/anti-malware programs will, depending on your settings, either quarantine or remove the main ProcessHacker.exe along with some other associated files. Neither Malwarebytes nor any other security software as of this date is jumping on the MS bandwagon. Probably a good idea to close this thread now. If there are any other developments, particularly if relevant to Malwarebytes, a new thread can always be started.
  11. Found this telling PC blog post. PH2 has been tested and absolved, but MS hate it anyway seems to be the real story.
  12. As a follow up, I've posted about this in the appropriate MS Community forum and Process Hacker 2's forum. In the latter this MSE/Defender definitions issue (as that is what it appears to be) is also being reported. Although it is not really a Malwarebytes matter, as it, like all other security tools, reports there being no problem, it would be helpful if this thread is kept open so that if there is some resolution/explanation from MS about this it can be posted. Other users coming here may find it useful information and not have to bother Malwarebytes any further with it.
  13. The uninstall you did probably left stuff behind, and did you check Defender's Quarantine folder, because it might still contain those quarantined items? It will delete them after a certain period of time, 30 days I think, but if you've decided to get rid of PH2 then it would be a good idea to use the Remove option if anything PH2 related is there. I do not know whether Defender is the same, but MSE makes adding exclusions, once detected, as difficult as possible. Once there they also seem to persist in Quarantine even if you use the Allow option. The Allow option is only available under the All Detected items list and apparently has not removed one of the PH2 instances, the second scan I did, from Quarantine. Pretty sure I'm going to have to restore the PH2 files and uninstall the program, remove anything left in Quarantine, re-install, then add the PH2 folder to MSE's exclusions list. If I don't it may well disable PH2 again at the end of the quarantine period. PH2 is often recommended and has a built in option to be used as a MS Task Manager replacement. I dread to think what problems might have been caused if that has been the case for anyone else using Defender or MSE. It is probably a very small subset and one I'm glad I'm not in. What I'm going to try to do now is get some sense and explanation out of MS on this. I'm signed up to their forums although, unlike here, it is a lottery whether you get an actual response from a genuine MS representative who knows what they're talking about, let alone is able to do something about it.
  14. Yes, I am saying that the reason we've both had this on two different MS security platforms is that definitions have probably both been updated because somebody, somewhere has either made a mistake, added it after someone reported it as a problem without checking, or some process PH2 uses has been wrongly detected as a "threat". There is a warning with the PH2 installer that one of the options is not recommended and it has been known that it can be used as a potential conduit for malware. Whether it has or not, that would be enough for it to be designated as a threat. This is a quote from an article dated 2017:- "The crooks download and install low-level system tweaking software, such as the popular Process Hacker tool. Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery, especially if they use kernel drivers to let you to pull off modifications that the operating system usually prevents. This includes: killing off processes that usually disallow shutdown, deleting locked files, and changing configuration settings that are usually locked down." https://nakedsecurity.sophos.com/2017/11/15/ransomware-spreading-hackers-sneak-in-through-rdp/ However this blog from 2018 was posted by, wait for it... MalwarebytesLAB a year ago, promoting the very same tool:- https://blog.malwarebytes.com/101/how-tos/2018/11/advanced-tools-process-hacker/ So there is a bit of a problem here - the potential threat PH2 may present has been known about for years, but MS have been happily not seeing it as a threat until this weekend's Defender and MSE updates. Malwarebytes doesn't see it as a problem, AVAST does not see it as a problem and Spybot doesn't see it as a problem. That does mean that on your or my PC it has not been used to install malware, just that it is highly unlikely and the 'new threat' is actually an old threat now redefined as a problem by the MS definitions update and nowhere else.
However, whilst the problem is most likely the MS definitions update (it's too much of a coincidence for that not to be the most likely explanation), you should do what nasdaq previously asked and submit the FarBar logs for review. If anything is found amiss then I'll follow. BTW, check Defender's quarantined items and I suspect you'll find it there as HackTool:Win64ProcHack and the files detected beneath. Also check C:\Programs for the Process Hacker 2 folder. That screenshot in the earlier post indicates that only very specific PH2 files are being seen as a threat by Defender. My MSE log reports exactly the same files too, including the program's own uninstaller. I'd bet that most of PH2's folder content is still there, including the x86 folder containing the 32bit .exe which MSE has no problems with. There are probably leftovers in ProgramData and your User AppData too, folders Windows hides by default. If it truly wanted to get rid of PH2, MSE, and I'd suspect Defender too, has done a lousy job. Should you want to get rid of PH2 completely at any point, do not use the Remove option. I suggest instead restoring the quarantined items and then using Revo Uninstaller or BCUninstaller. Either will do a far better and more thorough job than just running the uninstaller. If you delete the main .exe and the uninstaller as MSE seems to want to do, you'll have a much harder task finding and removing all PH2 files, particularly the registry keys.
  15. I think we might well have another false positive issue here. I have Microsoft Security Essentials (MSE) as a temporary AV on another PC and that too suddenly started reporting (the same weekend) that the Process Hacker 2 .exe was a "high" threat after its most recent definitions update. Unfortunately for me I'd not changed MSE's default settings and in the case of a "high" threat it deals with what it sees as the offending file automatically. I expect that is what has happened here for the OP with Defender, which is probably using the same MS definitions. I only realised it had been removed when I tried to launch Process Hacker 2 a few days later from my desktop shortcut and it reported the path as invalid. I went to the Process Hacker 2 folder and found its .exe was gone. I then realised what had happened. Laughably, Process Hacker 2 contains both a 64bit .exe and a 32bit .exe and the latter was still there, usable, and in the short time when I was using it MSE took not the slightest notice. Obviously I scanned the Process Hacker 2 folder with MB and other security software and nothing was reported. But I still deleted the installation and reinstalled it from a fresh download (MD5/SHA1 checked); all working OK but MSE was still reporting its primary .exe as a problem after a scan. On another PC which has had Process Hacker 2 for years neither the main PC's AV, MB or anti-spyware tools have ever reported any problem and that holds true. So I then uninstalled it again on the other PC and, using exactly the same installer from my archived collection, installed from that. MSE still reports it as a "high" threat too afterwards but still let me install it. MB reports no problem in all cases on both PCs. navigations' 'problem' was 'resolved' only because Defender quarantined the file automatically. It is probably still there in the quarantined folder and I bet the rest of the Process Hacker 2 folder is still there too, complete with 32bit .exe.
If his 'problem' was/is not a false positive I'd be very surprised. But it is not really much to do with Malwarebytes it is MS's AV definitions that are likely the problem. However I suppose MB can usefully confirm that the Process Hacker 2 64bit .exe is no threat.
  16. Test scanned the file on another PC this morning with the same older MB version installed and the same 30th November definitions too. Threat detected. Just installed this afternoon the latest v4 version of Malwarebytes free on my primary system and used that to check the file copy I'd extracted. No threat detected. Launched the XP VM and updated the (older) MB to latest 2nd December definitions and scanned the Outlook Express folder. No threat detected. Hmmm, did somebody add the Outlook Express msimn.exe to the white-list earlier today?
  17. Thanks for the very quick replies. I am using an older version of MB, v1.75.0.1300, on the Windows XPMode OS VM. Running MB 2.0 or higher on that, at least as I want to use it, I found very early on when trialing v2.0 that it would take up to 2 minutes to do an on-demand scan against often less than 15 secs using that earlier version. It would probably be different if it was auto-running all the time, but with only 1GB of dedicated RAM on the VM I do not want anything else slowing it down. I was forced to change the anti-virus I was using on that particular OS earlier this year and the slow down impact, particularly when launching or shutting down the VM, is significant. It pretty much doubled the time and often won't allow you to launch any system tool until it has updated its definitions. A real pain; I can't have MB adding to that as well. But it seems as if you're both saying it is a false positive which has already been white-listed in later MB versions' definitions. As I expected then, but it does prompt some questions:- Why is that not part of the MB general definition updates package? To have been specifically white-listed in v3.0 and v4.0 MB versions suggests it has been reported before as a false positive. Why has my version of MB suddenly started reporting it as a problem, i.e. something must have been changed in or by the latest definitions update? As explained, I've never used Outlook Express, I've never even launched it on any machine I've ever had, and the only time I go online with the XP VM is to update my security software and that includes MB. As described, none of the other security tools I use from inside or outside the VM are reporting a problem with that msimn.exe file.
  18. As requested by nasdaq I'm starting a new topic here about this. Refer to the original thread for more information but essentially: a MB scan after the most recent definitions update on a Windows XP virtual machine is reporting MS Outlook Express email client's main .EXE as a "Trojan Agent.Patched". Here is a copy of the (zipped) msimn.exe file:- msimn.zip Look forward to knowing the result.
  19. It sounds as if all that has happened is that the OP's default browser has been changed to Edge. https://www.computerworld.com/article/3229068/how-to-replace-edge-as-the-default-browser-in-windows-10-and-why-you-should.html
  20. I have Windows XP on a VM and do weekly scans on it with Malwarebytes, AdwCleaner, a dedicated AV and an anti-spyware tool. Apart from weekly updating XP compatible software and the Malwarebytes, AV and anti-spyware definitions, it has not been used for anything else for months. Malwarebytes' previous week's scan reported nothing. Now, after the latest definition updates, Malwarebytes is reporting Outlook Express's main .EXE, msimn.exe, as a "Trojan. Patched". I have never used Outlook Express, bundled with XP, ever on any PC, let alone this one. As it is unused and redundant I had a mind to uninstall Outlook Express but, after reading up on that, as it is not a simple process, I decided against it. I've scanned the whole Outlook Express folder with everything else I have on the VM, and the VM itself, including the whole XPMode folder where it resides, from outside by the parent OS tools, including Malwarebytes, and nothing except Malwarebytes on the XP VM is reporting it as a problem. This is clearly something new due to the updated definitions. I can find no information that Outlook Express is considered a general problem by any other security software, so what is this all about?
  21. I discovered what the 'problem' was - not the UAC settings. If you do an AdwCleaner scan then immediately go to Settings > Exclusions to add the exclusions before doing anything else, i.e. Skip or Clean, the buttons are disabled. I made the assumption this was because I was not being allowed to add the exclusions as I did not have the correct permissions. Changing the compatibility setting to run as admin seemed to confirm that. But what I was actually doing was just relaunching AdwCleaner and that was all that is necessary to get the Exclusions buttons to function. AdwCleaner simply disables those Exclusions options after a scan, presumably for security reasons, so no settings changes can be made before the notified threat from a scan has been addressed one way or the other. Anyway, that is sorted now and the advice to add the exclusions directly via the right mouse click context menu, which I had not thought to try, does work and scans now report 'No Problems'. I guess you were correct about it being a value data issue, not the key itself. Good call. But is it not a bit strange that you can add exclusions via the context menu immediately after a scan but not do the same via the Settings > Exclusions screen?
  22. As a follow up to this, although unnecessary as those AdwCleaner designated "threats" reappear every time Spybot definitions are updated, I decided to add them to the exclusions list. The problem I'm having now is that despite the paths being (laboriously) individually copied direct from the AdwCleaner scan log and added to the Exclusions list, those exclusions are being ignored and with each new scan they are being reported again. I've checked and the exclusions are all there and exactly the same paths, so why are those locations still being reported? Annoyingly, I discovered you can't just add them in the default mode either; you have to launch AdwCleaner in admin mode (right click > Properties > Compatibility > and tick: always run as administrator) for the Add Exclusions button and other options to become available. Also I'm not sure what, for the particular files listed in my original post, I should be using as the Exclusion Type. 'Family' being set as default I don't understand - I just wanted those very particular paths excluded, but whatever I use it seems it is being ignored. I'm probably writing them in the wrong way or something like that, so if someone can explain it would be appreciated.