CaptainHindsight

Honorary Members, 55 posts

Everything posted by CaptainHindsight

  1. I have Malwarebytes Premium set up to do a complete scan every day at 05:00. Today, for the first time, it flagged a file named MKVEXTRACTGUI-2.3.0.0.ZIP as malware. It is an installer for MKVEXTRACTGUI. I have had that file on my computer (in 3 different locations) for several years now, unmodified I think, and it has never been flagged before. I attached both my MBAM scan logs as a file, as well as the file MKVEXTRACTGUI-2.3.0.0.ZIP, to this post. I also uploaded MKVEXTRACTGUI-2.3.0.0.ZIP to virustotal just now, and nothing detected it as malware. My guess is that MBAM's AI just got fooled.

     Details from virustotal:

     Basic Properties
       MD5: d6b7162b2126e8dbb5513f88da3e6c69
       SHA-1: 1e71344d155aedf54b4976069d5d346f720192bd
       SHA-256: 2bc204c396d3beab3ef8c9614bd0156c85fd6044959813a47384918df16db137
       Vhash: 48e8a3083d316cebefd41dd46b8ce81c
       SSDEEP: 24576:cX7TQN7xdNoDhn86TcmSmKbV4u05YNw/XQLUpIvE:u7Tedi98KtOAQz+IvE
       File type: ZIP
       Magic: Zip archive data, at least v2.0 to extract
       File size: 1.05 MB (1099918 bytes)

     History
       First Submission: 2016-04-07 08:50:28
       Last Submission: 2019-10-30 16:52:33
       Last Analysis: 2020-01-13 09:13:11
       Earliest Contents Modification: 2016-04-07 16:07:16
       Latest Contents Modification: 2016-04-07 16:09:02

     Names
       MKVExtractGUI-2.3.0.0.zip
       MKVExtractGUI-2.3.0.0(2016.10.22).zip
       MKVExtractGUI 2 v2.3.0.0.zip
       MKVExtractGUI-2.3.0.0 -PORTABLE.zip
       MKVExtractGUI-2.3.0.0 (1).zip
       Prog2 - MKVExtractGUI-2.3.0.0.zip
       MKVExtractGUI-2.3.0.0提取 MKV 字幕、音軌工具.zip

     Bundle Info
       Warnings: Contains one or more Windows executables.
       Contained Files: 2
       Uncompressed Size: 2.62 MB
       Earliest Content Modification: 2016-04-07 16:07:16
       Latest Content Modification: 2016-04-07 16:09:02
       Contained Files By Type: PORTABLE EXECUTABLE 1, UNKNOWN 1
       Contained Files By Extension: EXE 1, TXT 1

     Attachments: mbam.txt, MKVExtractGUI-2.3.0.0.zip
  2. I think that one of my relatives was tricked into letting someone take remote control of his computer a few weeks ago. Full details are below. My ultimate question: if he actually let someone take remote control of his computer, could they have infected it so deeply that it is hopeless to try and clean it?

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Full details: Wednesday evening (2 days ago) I emailed a 90-year-old relative-in-law that I wanted him to run a Malwarebytes scan before I come to visit him this weekend. (I had been planning to do several computer chores for him, such as swap his hard disk with an SSD. I wanted a Malwarebytes scan done before I show up just to ensure that his computer has no malware before I possibly clone his hard disk.) He emailed me this back yesterday:

     Oh no. Sounds like a classic scam. A brief web search found similar accounts: https://www.bleepingcomputer.com/news/security/mcafee-tech-support-scam-harvesting-credit-card-information/ https://community.mcafee.com/t5/Consumer-General-Discussions/Elaborate-Scam/td-p/589738 My relative forwarded me some emails sent to him by that company. They call themselves "AS Clout" but also seem to identify with asknet. They give this as their contact info: A web search for that US phone number 415-449-5700 found this page https://www.bbb.org/us/ca/san-francisco/profile/ecommerce/asknet-inc-1116-193791/complaints and the 03/18/2019 complaint sounds exactly like my relative's case. We called up his credit card company in a conference call and disputed the charge for 399.99, cancelled his existing credit card, and asked for a new one. The lady at the credit card company said that there were no unusual charges on his card, just ones he has made in the past. If I understood her correctly, that lady also claimed that the firm that billed the 399.99 is known to them and is not a hacker. Maybe not, but at a minimum they are scum who prey on vulnerable people like my relative.

     I then had my relative uninstall everything McAfee related from his computer. I think that he said that there were 5 McAfee programs. When that was done, I had him download and install Malwarebytes and start a full threat scan on his entire computer. It started last night and is still running now, maybe 9.5 hours later... (My relative has long complained that his computer, a cheap Dell all in one, is agonizingly slow. This is why I originally wanted to replace his hard drive with an SSD.) What I want to know is if my relative's computer is hopelessly infected at this point. If he truly let someone take remote control of his computer, could they have installed malware so deeply that nothing can restore it? Say, with malware embedded in his firmware or something? I tried to probe my relative exactly on what happened. His memory is fuzzy. He cannot recall for sure if he downloaded a program that let the other person take over his computer. He also said that even when the person claimed to be working on his computer, he saw almost no activity (e.g. his mouse rarely or never moved?). It is not obvious to me if his computer actually was taken over. If I replace his existing hard drive with the new SSD that I bought him this weekend, I am likely going to use Dell's operating system recovery approach to cleanly install Windows 10 on the SSD. https://www.dell.com/support/article/us/en/04/sln299044/how-to-download-and-use-the-dell-os-recovery-image-in-microsoft-windows?lang=en
  3. Thanks for your reply and for confirming my understanding. Old style mechanical hard drives have been pretty durable for years (a few decades?) now. The sole concern that I am aware of is with SSDs. It is true that SSDs do have write limitations. Key specs to look out for are "Drive Writes Per Day" (DWPD) and "Terabytes Written" (TBW). For example, my latest laptop is a Dell 7530 Precision Mobile Workstation with a Samsung 970 EVO 2 TB SSD. Its product page gives a "Terabytes Written" spec of "1,200 TBW with a 5-year limited warranty, achieving 50 percent higher than the previous generation". That's 600 full drive writes. However, since when has reading an SSD been an issue? To my knowledge, massive disk reading is almost all that a full disk malware scan should be doing, but almost no writing. So I see zero issue with doing full disk scans and SSD degradation. I have been doing full disk scans for ~5 years on my old desktop's SSD, a Samsung 840 EVO 500 GB, and I have seen zero issues with it so far. Samsung Magician reports the drive's status as Good. Thanks a million! There have to be many others like me who want this. I have zero problem if you limit this feature to your Premium product. One feature needed in the CLI: I should be able, in the GUI, to save a named custom scan configuration, and then refer to that custom scan as a command line argument. Much better than supplying a dozen command line arguments.
  4. MBAM: I really hope that you are looking at this thread. I am a Premium user and I have a huge need for command line support. I want to run a full MBAM scan every day as part of a suite of nightly processes. The only way to properly do this is to have a command line script that says "do process 1" and then when that is over "do process 2" etc. But because MBAM lacks command line support, I have to resort to scheduling scans. But that is a deeply inadequate substitute, because all the processes in the suite have variable execution times. So, with scheduling, I am forced to make very conservative assumptions about execution times, and this causes the entire suite to take 3X longer to completely finish than it ought to.
  5. Reading the wiki link on reCAPTCHA more, is MBAM using the NoCAPTCHA version? The wiki link says: "Because NoCAPTCHA relies on the use of Google cookies that are at least a few weeks old, reCAPTCHA has become nearly impossible to complete for people who frequently clear their cookies." I clear my entire browser cookies every time that I shut it down, which is more than once a week. Furthermore:
  6. I just logged into my MBAM account at https://my.malwarebytes.com/en/login# That login was agonizing because this MBAM website uses the horrid reCAPTCHA as an extra layer of alleged protection. I hate reCAPTCHA with an unmitigated passion. It took me many screens to pass that ******* test. Once logged in, I tried to file a support ticket. Once again, the website made me do a reCAPTCHA test before I could click on the Submit Ticket button. Why? I had already done that upon login?! I tried several times to pass this reCAPTCHA, but eventually had to give up. Death to reCAPTCHA. MBAM, if you have any thoughts for your users, please eliminate reCAPTCHA. I think that you need no CAPTCHA at all, but if you insist, gimme something like an arithmetic problem.
  7. Also: could a Russian IP address have an innocuous explanation, such as, since I was sharing a file, maybe there was another ordinary person in Russia who simply wanted to download it as well? Also, strictly speaking, 46.172.212.116 is a Ukrainian not Russian IP address that points to the domain name pool.sevtele.com (if ipinfo.info is to be believed, not that that is any more reassuring...).
  8. My colleagues at the DNC tell me that that is just fine. Kidding! Thanks for adding that info.
  9. Thanks for your response. I just sent you a private message with the subject "requested files" that has the requested files. I looked at this a little deeper (the log files), and I think that my initial guess that Vuze was trying to download an auto updater was wrong. My version of Vuze is the latest, there is no update. Instead, I think that Vuze was trying to open a connection to IP address 46.172.212.116, and that particular IP address was blocked. My guess is that that IP is one that is known to you to have downloaded malware in the past to other people?
  10. While running Vuze today, I noticed that Malwarebytes Premium version 3.4.5 flagged Azureus.exe as malware. My guess is that Vuze wanted to download an updater to itself (i.e. Azureus.exe), but MBAM caught that, and decided to block it. Looking at Reports --> View Reports, I see that MBAM's Category for Azureus.exe is "RiskWare". My questions: What exactly is "RiskWare"? I have only used MBAM free in the past, never Premium (am currently on a free trial), and MBAM never identified Azureus.exe before as malware (when I manually scanned my system), so did anything change with either MBAM or Azureus.exe that might have caused this? Ultimately, I want to know if I can safely ignore this warning (i.e. create an exception, and download Azureus.exe anyways).
  11. Aura: thanks for your response. I did download this installer from the official 7-Zip website. I too now conclude that AVG must have reported a false positive this morning. Reason: after it auto updated its database later today, I right clicked on the installer and did a dedicated scan of it with AVG and now AVG thinks that it is fine.
  12. I use AVG paid for and MBAM free. All programs are the latest versions, and both have the latest databases. This morning when I logged onto my computer, to my horror, I found that AVG had popped up a dialog saying that the installer program for 7zip, 7z1604-x64.exe, harbors the Trojan horse Atros5.AYO. Check out the attached screen shot. So, I opened MBAM, updated its database, and then scanned my entire directory where I store all installer files. MBAM found no issues whatsoever. See attached screen shot. I then went to https://www.virustotal.com and uploaded 7z1604-x64.exe and forced it to re-analyse it. Virustotal likewise found nothing, including, bizarrely, its version of AVG! See attached screen shot. What are your recommendations on how I should handle this? Is AVG known for false alarms, or are they among the first to identify new threats? I note a related but distinct inquiry on this forum about 3.5 years ago:
  13. I am concerned about multimedia files that I download having malware inside them. In the first answer in this forum post, David H. Lipman soon states But then he goes on to note Assuming that the above info is still current, I have a couple questions. First, why does MBAM skip scanning of non-executable files? Yes, executables are the most significant danger. But interpreted file types can still have malware. Like MBAM eventually added support for scanning within archive files, will they eventually add support for scanning all file types? Second, I note that I also use the paid for version of AVG, and when I scanned ~40 GB of media files just now, AVG took only a few seconds. That was about as long as MBAM's scan of those same files. This makes me think that AVG, which is supposed to be a traditional anti virus application, is also not really scanning these files. Should I be concerned?
  14. David: my original post on 2014-12-23 observed this bug in MBAM version 2.0.4.1028, and that is the version that is still presented for download on the official link as of this instant. Or, did you simply mean that the MBAM developers internally finished work on the next update, which has yet to be released to the public?
  15. Subject says it all. My original post, with all of my original details, is here. It was pointed out to me by one of my responders to read your false positive reporting guidelines. Normally, I would generate the requested log file. However, my original scan took 2.5 hours, and my wife is going to kill me if I spend any more time on the computer right now, as we have to pack for a trip tomorrow. So, as a quick substitute, I am simply attaching the AzureusTor.exe.bak file to this post so that the MBAM developers can have a full go at it. I trust that that will work. Scratch the sentence above: upload failed with this error message: "You aren't permitted to upload this kind of file". I guess this will have to wait until I get back from my travels.
  16. Pondus: many thanks for the suggestion. I unquarantined it, and made virustotal rescan it. Here are its results. Exactly 2 out of the 56 malware programs it used claimed that it was malware: MBAM and ByteHero. False alarm by MBAM, or evidence of brilliant detection that all others are blind to?
  17. When I last tried using MBAM back in August, I was hit by a bad bug in MBAM if it tried to scan a TrueCrypt volume. My travails are documented in this post. So, I was keen to see if the latest version fixes that bug. I downloaded and installed the latest MBAM (version 2.0.4.1028) this morning. Before leaving for work, I selected a custom scan, and selected all my drives (including 2 TrueCrypt volumes), and selected all scan options, including for rootkits. When I got back home, I found to my pleasure that my machine had not crashed, and that MBAM was presenting me with scan results: the scan lasted for about 2.5 hours, and found 2 issues, of which just one was maybe serious (see this post for details). What has me concerned is if MBAM actually scanned my 2 TrueCrypt volumes, as opposed to, say, skipping them if it identifies them as TrueCrypt volumes. I can see from the MBAM GUI how to get the scan log. I am attaching the text file export of that to this post. My problem is that the scan log seems to be really inadequate. In particular, I do not see any list in there of all the volumes that were actually scanned. Is this a defect in MBAM, or have I overlooked some way to find that information?

      Attachment: mbamLog.txt
  18. I just downloaded the latest MBAM (version 2.0.4.1028) and scanned my entire computer this morning. The only serious issue that it found was that it identified C:\Users\sam\AppData\Roaming\Azureus\plugins\aznettor\AzureusTor.exe.bak as a "trojan exploit". This sounds awful! I did a Google web search on the keywords "AzureusTor.exe.bak" malware and there are only 2 pages of hits. Perhaps the best link is the first hit. That web page seems to be the result of some automated analysis. If you look at its Signature section, the claimed malicious actions are exactly what I think a Tor plugin for Azureus should, in fact, do. (I do want Azureus on my system, by the way, for file sharing.) Furthermore, I rescanned just that file with my (paid for) version of AVG, and it claimed that it was harmless. So, does anyone know more about whether or not AzureusTor.exe.bak is a genuine piece of malware, or did I just quarantine legit software? And if it is bad, how much harm was done to my system? Let me know if you want me to upload my copy of AzureusTor.exe.bak.
  19. Although I disable autoupdates, I do have autonotifies on, as I want to require manual approval of all software updates (e.g. from Windows, Firefox, Java, etc). That said, I almost always accept all updates as soon as I am notified of them. I think that my system is totally up to date. Speaking of antivirus, I got the paid for version of AVG years ago, before ever hearing of MBAM, and have been using it ever since. AVG is about the only program that does autoupdate, so it is totally current. To my knowledge, I have never been the victim of any malware. But recently I had some paranoid reasons to believe that some malware may have slipped through my defences. I did some research, and found that MBAM is highly regarded. Hence, I downloaded the free version and attempted a complete scan with it. Now AVG is set to auto renew (charge my credit card) in a couple of days. If MBAM did not crash upon trying to scan my TrueCrypt partitions, I might consider switching to MBAM paid version. But if an MBAM release that works for me is months away, that will not do. Given all that, what is your objective opinion of AVG paid version? Do you respect its malware detection abilities? Or is there another product (free or paid--I care more about quality than price) that you recommend which can scan TrueCrypt partitions? I so wish that it was coming out in a week or so!
  20. AdvancedSetup: to be explicit: I did not create any of those alternate data streams for the file C:\Windows\SysWOW64\MSIHANDLE. In fact, I did not know that Windows (NTFS) even supported alternate data streams until I researched it just now. My C:\Windows\SysWOW64\MSIHANDLE file now shows up as having 0 KB size in Windows Explorer. Should I assume that my last MBAM scan wiped it clean, including all of the alternate data streams? By the way, from my logs, do you happen to know what malware may have been lurking in those alternate data streams?
  21. AdvancedSetup: I made sure that scan for rootkits was unchecked before my run this morning. When I got home from work, once more my box had blue screened and restarted. Very annoying.... Attached are the latest diagnostic files. When is the next version of MBAM coming out? I can't wait.

      Attachments: FRST.txt, CheckResults.txt
  22. Great, I am looking forward to that release. You have any idea when I should start looking for it to come out? Thanks for the suggestion. I will start a scan before leaving for work today which unchecks rootkit detection. I certainly did not explicitly create those. From what I understand of WoW64, they should have been created automatically by Windows. I do use some 32 bit programs because 64 bit alternatives are still not available. Is there something in those particular files that jumps out at you?
  23. p.s. I note that this time TrueCrypt at least was still able to mount my partitions after today's MBAM crash. I did not need to go through the TrueCrypt uninstall/reinstall procedure described in my 01 September 2014 - 06:19 AM post.
  24. Thanks for your response. I am back now from my travels, so I can once again resume this. Early this morning before work, I went through the clean removal procedure exactly as described, even though I had previously uninstalled MBAM. I then installed the latest version. I then started a complete scan of my entire system before leaving for work. When I got home, I found that my computer had once again rebooted, and when I logged in, I was presented with a Windows dialog box once again saying that my system had recovered from an unexpected shutdown. I assume that it is the same exact error described above (did not bother checking, since I assume that the attached log files will capture the necessary logs). I am attaching all 3 requested log files. I eagerly await your diagnosis for why MBAM croaks when it starts scanning my TrueCrypt volume. (I assume that that is where the latest run crashed. The proof last time was when I did not mount my TrueCrypt volumes, then the scan worked fine on my C: drive alone which is a raw native drive.)

      Attachments: Addition.txt, FRST.txt, CheckResults.txt