
kimiraikkonen

Honorary Members
  • Posts: 73
Everything posted by kimiraikkonen

  1. Never mind, I found this (another legacy link) for the latest XP/Vista version, here: https://downloads.malwarebytes.com/file/mb3_legacy
  2. Hi, but this link still lets us download version 3.8.3.2965, as it is considered legacy: https://downloads.malwarebytes.com/file/mb3-windows-legacy Is that because 3.8.3.2965 is compatible with much older OSes like Windows Vista and Windows XP? However, I read in some post: Malwarebytes has a legacy 3.xx version but it’s the 3.5.1 version that last supported XP & Vista. v3.6.x & higher require Win7 or higher. So the legacy link forces a download of the non-XP/Vista-compatible version, which is 3.8.3.2965 and not 3.5.1? Really confusing.
  3. Hi, and sorry for bumping this old thread. However, I need some help and advice as an old user here. Is version 3.8.3 recommended for Windows 7 systems for free personal use? I like legacy editions and have been using MBAM since the initial version. Do you recommend the latest legacy version (v3.8.3) for older systems like Windows 7 x64, or can Malwarebytes v4 also be installed? Thanks a lot!
  4. I wish I was able to edit my posts, especially because of typos, as a regular member. I have got remarkable benefit from this forum and like it here very much. I believe such an 'edit' option must be provided at least for verified real members, by asking them some questions or verifying them by mail. It would be very useful and fair. Best regards.
  5. I have used mbam-clean with 3.x before and, as far as I remember, it still leaves some registry entries from very early versions of Malwarebytes Anti-Malware 2.x and 1.x when I look them up manually via regedit. I don't know why, but this cleanup tool appears not to be 100% compatible with earlier MBAM versions like 2 or 1, especially the versions from when it was named Malwarebytes Anti-Malware. That is what I observed.
  6. Hi @Porthos, I am wondering about the same thing with Malwarebytes 3.3.1, as the "scan detections" counter is incremented continuously whenever the "same" file is detected as malware or a PUP again and again on each scan, despite it being a false positive. Can't we just modify some kind of registry value or file content to make it show ZERO without the MB Clean tool and an uninstallation? Thanks a lot.
  7. Hi @exile360, You are helpful again here, many thanks. However, based on your initial sentence, I want to point out that the registry scan stage comes well after the memory scan. I only have the rootkit scan enabled, which takes place before the memory scan and always comes back clean, as I double-checked with the Malwarebytes Anti-Rootkit tool. The only thing I suspect is the heuristic scan, which might cache or remember previous scans or logs and somehow "might" gather PUM files at the memory scan stage instead of the file system scan stage. Other than this, I am quite sure no process is loading any malicious code/file into memory related to the corresponding PUM object. I am attaching a picture of the stages of a generic threat scan, in order. Thanks!
  8. Hi there, I'm a fan of Malwarebytes and get nice help here, so I wanted to give it a shot with an issue that is bugging me a bit. I have a program called UnDeleteplus (eSupport.com), which is a file recovery program like Recuva. For some reason, Malwarebytes always flags a bunch of its files and a few registry entries as "PUP.Optional.eSupportUndeletePlus", which is quite a false positive. The thing I couldn't understand is that Malwarebytes detects them at the "Scan Memory" stage, not the File System Scan stage. As they are files in fixed locations (like C:\ProgramData), why and "how" can Malwarebytes find them during the "Scan Memory" stage? I double-checked that none of these files or entries are loaded into memory at startup (either at logon (checked with MsConfig/Autoruns) or as a Windows service) or invoked manually. So I'm a bit lost here. I hope to get a satisfactory reply here. Best regards!
  9. Hi @exile360, Similar to the OP's thread, I wanted to ask about something I would like to know; in fact, I did not like it. I'm using Malwarebytes 3.3.1 (previous version) and I've been using MBAM for a long time, since version 1.x. I noticed that, although the PUP and PUM configuration setting is set to "Warn", Malwarebytes provides an option to Quarantine or Ignore after the scan. When I select "Quarantine", it automatically schedules them to be deleted on the next reboot, asking the user to reboot the PC immediately. Is that expected behaviour? Also, in the Malwarebytes main window, the Application and Protection tabs do NOT provide any option to choose a post-detection action like "Delete". Is that also by design? I mean, Quarantine should not mean directly deleting the object when found, but neutralizing it, which means keeping it sandboxed / renamed in a protected location, but Malwarebytes appears to "delete it on reboot" when you select the Quarantine option at the end of the scan, when the scan report is generated. Was it always running like that? I hope you can explain this, sir. Best regards!
  10. Thanks @gonzo, Yep, I found that this link is the official and latest version mirror for XP/Vista, which appears to be final: https://downloads.malwarebytes.com/file/mb3_legacy Will we be able to get database definition updates with that version on XP in the future?
  11. I wish I was able to edit my submitted posts so that I could correct spelling and grammar errors. Now I feel a bit lost here after making typos when I am prevented from editing them, even immediately.
  12. @exile360 hello, I am the second person asking here for the recommended Malwarebytes version for XP SP3 Professional. I was using 3.3.1.2183 for a while on XP and Vista and it was fine, but I cannot find it officially here now. The link you posted contains Malwarebytes 3.5 with the "legacywos" keyword, and I would like to know if it has a special meaning for a special build or is simply a version name. Currently Malwarebytes offers "mb3-setup-consumer-3.6.1.2711-1.0.519-1.0.8878" as the latest download, and I am not sure which version is the best for legacy systems like XP. I hope you can help. Best regards.
  13. Thanks a lot for your reply @exile360. However, I found out a trick, or a behaviour which must be expected. As Malwarebytes wants the user to select the entire drive even just to scan for rootkits with the Custom Scan option, when you just launch "Threat Scan" (which is actually a partial scan of Malwarebytes's pre-determined locations) we get a rootkit scan performed just before the beginning of the File System Objects scan. So, as there is no quick "rootkit-only scan" option, Threat Scan appears to come to the rescue quickly without initiating a Custom Scan or Full Scan that requires the whole drive to be checked. Is this correct operation and behaviour? Best regards.
  14. Hello @exile360, Sorry for bumping this, but I have the same question. I remember very well that previous versions of Malwarebytes (at that time it was Malwarebytes Anti-Malware) allowed us to also scan for rootkits even while performing a predefined threat scan, hyper scan or custom scan that scans partial locations other than the entire system drive (C:). Wasn't it working that way? Now with 3.x versions, the whole (hundreds of GB) drive has to be selected to perform a rootkit scan, based on the error dialog shown above. There are many other rootkit scanners that do only a rootkit scan within a short time, and that makes Malwarebytes disappointing. Am I not correct? Best regards.
  15. Hello @exile360, Many thanks for your nice and detailed reply. I found the setting you mentioned; now I see. However, when I double-check there, I find that although the first setting (automatically download and install updates) is disabled and the second setting (notify of full version updates) is enabled, I haven't been notified at any time during my usage of 3.3.1 as the free edition (the Premium trial had ended). So, could using Malwarebytes as "free" have prevented me from being notified about the new release? The program simply did not notify me during that period. And I'm still using it as the free edition as of now. I "really" wish to upgrade to the Premium plan, but Malwarebytes does not customize pricing plans based on each country's affordability level, which is sad. Finally, I understand your concern about using an older version, as malware definitions are not the only things that should be updated, but the program core too. Best regards.
  16. Hi folks, I've just faced a situation with the MBAM (Premium Trial) version that I downloaded from the mb3_legacy server. I'm running XP. The problem is that MBAM flagged a file as Trojan.FakeAlert "malware" (the file was originally renamed to tmp2.exe) which is digitally signed with a valid certificate and belongs to a legitimate company, LogMeIn. The component has a JoinMe icon. Then I double-checked the SAME file on Virustotal.com and everything came up clean, including Malwarebytes. So, how can I explain this paradox? Here is the file report: https://www.virustotal.com/#/file/c1dc1f654a9443ec6c6f8ca71da2959dbb447d51e135185643b2fc330be9d367/detection Best regards!
  17. Hi dcollins, You're a life saver. I'm facing the same problem, as 3.6 did NOT work on XP SP3, giving the error "Runtime Error 414:120 - Could not call proc". Which latest XP version do you recommend as of today? Best regards.
  18. Hi folks, I'm currently using Malwarebytes 3.3.1.2183 on my Windows 7, and it was updated to 3.3.1 automatically after downloading regular database updates inside the GUI more than a year ago. Since 3.3.1, thankfully, I am no longer offered and forced to install a newer client version, and I thought MBAM was up to date during that period. Then I learned that Malwarebytes seems to have released versions as high as 3.6. I just wanted to know whether I am free to optionally install the new MBAM (free, maybe paid in future) manually, and whether I will no longer be forced to install the newest release during database updates, unlike in the old days? Thanks a lot! I updated the database / and other stuff a few minutes ago and am attaching the screenshot.
  19. Hi @kevinf80, I do not want to remove ControlSet018, I just want to rename it to 002 as it should be, to maintain the numbering sequence. It holds the configuration data for the "Last Known Good" environment, as can be seen from the screenshot of the "Select" key above. That's why I wanted to know whether FRST can rename it on the fly, just as it succeeded in deleting them. It would be awesome. What I understood is that FRST does a great job, like setting ACLs and permissions temporarily and then deleting the undeletable keys. The manual renaming method is not working because TrustedInstaller is the owner of the subkeys, as I stated above, so I thought FRST could also take care of this issue. No matter; if you can't help any further, I extremely appreciate your help for what you've done so far. At least I have no signs of the Pragma malware at the moment, and I feel very clean thanks to your help. Best regards!
  20. Hi Kevin, @kevinf80 After a few days have passed, I just noticed that the fixlist you posted had a little error, posted in post #17. The fixlist contains the registry path prefix "CurrentControlSet", which seems wrong; it must be "ControlSet". I changed the lines to "ControlSetxxx" and voila! The ControlSet entries containing PRAGMAcxjvwfkfoe have been deleted by FRST! Great job! However, I'm now trying to rename ControlSet018 to ControlSet002 to maintain the numbering order, and I will also change the "Select" key's "LastKnownGood" value from 018 to 002. But the problem is, I cannot even rename ControlSet018 itself to 002 by launching regedit.exe using PsExec with the -s switch (runs under the SYSTEM account). I then realized that it fails because some subkeys under ControlSet018\Services are owned by "TrustedInstaller" instead of the SYSTEM account. Example: RDPCDD is a subkey under "ControlSet018\Services" that contains subkeys owned by TrustedInstaller, which has full control permissions. That's my finding, though. I'm now looking for a solution, with the help of a new FRST fixlist miracle, if you can create one, to see whether it can rename ControlSet018 to 002 without breaking the subkeys' ownerships / permissions. I'm attaching screenshots of the current situation. Best regards!
  21. Hi @kevinf80 again, Sorry for the quite late reply. I did what you instructed, downloaded the Registry Backup Tool, and backed up the registry without any failure. It's OK. Then I ran fixlist.txt under FRST, and I got a "not found" message in the fixlog for the key named PRAGMAcxjvwfkfoe. Huh? I'm attaching the log here. The key appears to be present for the ControlSets between / including 002 to 016 under the "Services" parent key, but I'm unable to delete it, as you see. It had been deleted successfully from CurrentControlSet, ControlSet001 and ControlSet017, as can be seen from my previous post; thanks a lot for that. I don't know how your previous fixlist worked like a miracle for the keys mentioned above, but it fails for the rest of the ControlSets, unfortunately. An interesting observation from me: when I look at the ControlSet keys from 002 to 016, they only contain the "Services" subkey and not the others (Control, Enum, HW Services, unlike 001 and 017), and they contain the PRAGMAcxjvwfkfoe key, unlike 001 and 017. That makes me think that those extra problematic ControlSets (002 to 016) failed to be removed by the operating system because of the presence of the PRAGMAcxjvwfkfoe key, which was probably preventing the removal due to this unknown abnormal lock, probably when the infection happened. I'm attaching some more screenshots, though. By the way, I'm so grateful for your effort and extremely sorry for keeping you busy with this silly problem, which is driving me crazy. Is there anything more that I can do in conjunction with your great help? Best regards! Fixlog.txt
  22. Thanks for your suggestions @kevinf80; however, as far as I have read elsewhere on the internet, those ControlSetXXX groups hold information about services / drivers for the Last Known Good Configuration and the last successful boot configuration. So deleting them may cause problems, especially because their numbering runs in order between 002 and 016; note that 001 and 017 are clean, so deleting them would also break the numbering sequence, which is my concern. Also, note that I cannot delete the PRAGMAcxjvwfkfoe thingy manually, even with Admin rights and even with the SYSTEM account, from these extra ControlSets (002 to 016) due to an error that is shown immediately when I click on that key, which was also the case for the CurrentControlSet key before the last FRST fixlist and your help came into play, as it's clean now. So I'd like to know whether you can create another FRST fixlist that would rip out and clean each PRAGMAcxjvwfkfoe key individually from the ControlSets ranging from 002 to 016 without deleting the entire ControlSetxxx key group? Please let me know, friend. Thanks for your great support so far, though. Best regards.
  23. Hi Kevin, I did run the last fixlist you posted. It took quite long, more than several minutes, to complete, especially for the temporary folders to be flushed, as I realized. I'm attaching the fixlog.txt, but according to the log the PRAGMAcxjvwfkfoe entry still appears to be locked and cannot be removed. But when I look manually with regedit and GMER, BINGO! PRAGMAcxjvwfkfoe is finally gone! But with one notable exception! When I do a full search using regedit for the "PRAGMAcxjvwfkfoe" key, the key appears to reside in the Services subkey of multiple CurrentControlSets ranging from [CurrentControlSet002] to [CurrentControlSet 16]. CurrentControlSet, CurrentControlSet001 and CurrentControlSet017 do NOT have the PRAGMAcxjvwfkfoe key! As far as I know, the other CurrentControlSetxxx groups are mirrors that are symbolically linked to the main CurrentControlSet, which is the key the machine is running on. So I'm still not feeling OK. BTW, FRST is a very interesting and intensive tool that scans through very deep locations that even an advanced power user forgets to look at. What should I do now? Thank you! Fixlog.txt
  24. OK, I'll do it ASAP. One last thing before applying the last FRST fixlist you posted, friend. I see some official Microsoft entries are meant to be removed in this fixlist; I've taken their list from a trusted Microsoft OS reference book, attached here (IP filter driver, tunneling driver, etc.), and TpChoice.sys seems to be related to my laptop's touchpad... I'm a bit nervous now. Does removing those entries via the fixlist cause the networking and touchpad devices to malfunction? Having studied a bit more, I also found out that the entries in the FRST log are located in and taken from the Windows Registry, and are marked by FRST with [X] if they're not actually present on the file system (for example, I checked that TpChoice.sys is not in the "drivers" folder, just like the other sys files marked with [X]), and the others are marked with ATTENTION; those are taken from the LEGACY_xxxxx prefix located under "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Enum\Root" if they're not core Microsoft processes (in the temp folder), when I look up these entries manually. Worse, those leftover entries cannot be removed manually even by an administrator user, who has no "full control" privilege and needs to take ownership, which is by design. Is that right?
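The ControlSet cleanup in posts 19 to 23 above was done by eye, one regedit search at a time. The script below is an added example, not something posted in the thread and not part of FRST or Malwarebytes: it reads HKLM\SYSTEM\Select to report which ControlSetNNN key is Current, Default, LastKnownGood and Failed, then walks every ControlSetNNN key, lists which of the four standard subkeys (Control, Enum, Hardware Profiles, Services) is missing, and reports whether a named service key is present and who owns it. The default service name, PRAGMAcxjvwfkfoe, is the one from the thread; the script is read-only and assumes an elevated PowerShell prompt on Windows.

```powershell
# Added example (not from the forum thread): audit every ControlSetNNN key under
# HKLM\SYSTEM for a named service key, as the FRST cleanup above required.
# Read-only: it never deletes, renames or takes ownership of anything.
param(
    # Service key to look for under each ControlSetNNN\Services (name taken from the thread).
    [string]$ServiceName = 'PRAGMAcxjvwfkfoe'
)

$systemHive = 'HKLM:\SYSTEM'

# 1. The Select key holds DWORDs; a value N means the key ControlSet{N:D3}.
#    CurrentControlSet is only a link to the set that Select\Current names.
$select = Get-ItemProperty -Path "$systemHive\Select"
$roles = @{}
foreach ($name in 'Current', 'Default', 'LastKnownGood', 'Failed') {
    $n = $select.$name
    if ($null -ne $n -and $n -ne 0) {
        $key = 'ControlSet{0:D3}' -f $n
        $roles[$key] = [string]$roles[$key] + "$name "
    }
}
Write-Host ('Select: Current={0} Default={1} LastKnownGood={2} Failed={3}' -f `
    $select.Current, $select.Default, $select.LastKnownGood, $select.Failed)

# 2. A healthy control set has all four subkeys; the thread's stale sets 002-016
#    carried only "Services", which is how they stood out.
$expected = 'Control', 'Enum', 'Hardware Profiles', 'Services'

Get-ChildItem -Path $systemHive |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    Sort-Object PSChildName |
    ForEach-Object {
        $cs      = $_.PSChildName
        $present = $_.GetSubKeyNames()
        $missing = $expected | Where-Object { $present -notcontains $_ }
        $svcPath = "$systemHive\$cs\Services\$ServiceName"

        $row = [ordered]@{
            ControlSet     = $cs
            Role           = ([string]$roles[$cs]).Trim()
            MissingSubkeys = ($missing -join ',')
            ServiceKey     = 'absent'
            Owner          = ''
        }
        if (Test-Path -LiteralPath $svcPath) {
            $row.ServiceKey = 'PRESENT'
            try {
                # Reading the owner needs READ_CONTROL on the key. A key whose DACL
                # was stripped by the infection (the "error shown immediately when I
                # click on that key" above) lands in the catch block instead.
                $row.Owner = (Get-Acl -LiteralPath $svcPath -ErrorAction Stop).Owner
            } catch {
                $row.Owner = 'ACCESS DENIED (' + $_.Exception.GetType().Name + ')'
            }
        }
        [pscustomobject]$row
    } | Format-Table -AutoSize
```

Run it before and after a fixlist so the fixlog's "not found" lines can be checked against what the hive actually contains. The "Role" column is the guard against the renumbering idea discussed above: a set that Select marks as LastKnownGood is not safe to rename unless Select is updated in the same step, and a set that carries no role and lacks Control, Enum and Hardware Profiles is not a usable boot configuration at all.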
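Post 16 above describes the right triage for a suspicious verdict: the file was renamed, so the detection was judged against the file's own evidence (its Authenticode signature and its SHA-256 on VirusTotal) rather than its name. The function below is an added example, not code from the thread, from Malwarebytes or from LogMeIn: it computes the SHA-256 with .NET (so it also works on the PowerShell 2.0 that ships for XP, which has no Get-FileHash), verifies the Authenticode chain, and prints the signer, expiry and timestamp status next to a VirusTotal lookup URL built in the same form as the one in the post. The sample path in the usage call is an assumption.

```powershell
# Added example (not from the forum thread): gather a flagged file's own evidence
# before accepting or rejecting an AV verdict. Read-only.
function Get-DetectionTriage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # SHA-256 via .NET so the function runs on PowerShell 2.0 as well as 5.x.
    $stream = [System.IO.File]::OpenRead($item.FullName)
    try {
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '').ToLower()
    } finally {
        $stream.Close()
    }

    # Get-AuthenticodeSignature verifies the signature AND builds the certificate
    # chain to a trusted root; Status is Valid only when both succeed. NotSigned,
    # HashMismatch (file modified after signing) and UnknownError (untrusted or
    # revoked chain) each call for a different follow-up, so keep the message too.
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName

    $signer = $sig.SignerCertificate
    [pscustomobject]@{
        File             = $item.FullName
        SizeBytes        = $item.Length
        SHA256           = $hash
        SignatureStatus  = $sig.Status
        StatusMessage    = $sig.StatusMessage
        Signer           = if ($signer) { $signer.Subject } else { '' }
        SignerThumbprint = if ($signer) { $signer.Thumbprint } else { '' }
        SignerNotAfter   = if ($signer) { $signer.NotAfter } else { '' }
        # A countersignature timestamp keeps the signature valid after the signing
        # certificate expires; without one, an expired signer means "was valid once".
        Timestamped      = ($null -ne $sig.TimeStamperCertificate)
        # Same URL form as the report linked in the post; assumed still to resolve.
        VirusTotalUrl    = "https://www.virustotal.com/#/file/$hash/detection"
    }
}

# Usage (path is an assumption): compare the printed SHA256 with the one in the
# VirusTotal report, and the Signer with the company the file claims to belong to.
Get-DetectionTriage -Path 'C:\Temp\tmp2.exe' | Format-List
```

A verdict of Valid with a signer you recognise does not by itself prove a false positive, but it moves the question to the right place: a renamed, validly signed component from a known vendor is a candidate for a false-positive report with the hash attached, while HashMismatch or an unexpected signer means the file is not what its icon says it is.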