Posts posted by GeekFreak

  1. Decrypterfixer, it sounds like a reasonable explanation.

    I wanted to see if these updaters are actually removing themselves after installation, so I spot checked a few other PCs (none running MBARW) and some of them have the files and directories and some don't. But they are different OSs (Win7, 8.1 and 10) with different update schedules, so I can't find any exactly the same. But where the "patchman" folder and the "11" folder and the "lnsscomm.exe" file do exist, the patchman folder is over 150MB and contains over 1000 files and folders.

    But I'm not too concerned because, being updates, if the update applied successfully, then the updater files being deleted is fine. And if the update didn't succeed, it will probably just update the next time around. If you need me to check anything more thoroughly, please let me know.

    Anyway, I'm glad you can add the functionality into MBARW to detect when files delete themselves and still react accordingly. As you said, this will help make MBARW greater. Thanks for your help and good luck in the ongoing fight!

  2. tetonbob, in "Programs and Features" it's listed as "Advanced Monitoring Agent GP" by "Remote Monitoring Services". It's a tool installed and used by our outside monitoring company. It also pushes occasional patches, which I'm guessing was happening when MBAR flagged it.

    Decrypterfixer, yes, thanks. I had disabled Windows 10 "fast startup" under "Control Panel\All Control Panel Items\Power Options\System Settings". The folder has yet to appear after several reboots.

  3. The flagged files and several upstream directories do not exist.

    "C:\Program Files (x86)\Advanced Monitoring Agent" (aka C:\PROGRA~2\ADVANC~1) currently has 80 files and folders, but contains no "patchman" folder nor a folder called "11" nor a file called "lnsscomm.exe"

    The "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates" folder is empty. There is no "16.0.6965.2058" subdirectory nor a "OfficeClickToRun.exe" file.

    So the number of superdirectories removed is not even consistent. In one case, it removed the flagged file and the containing folder. In the other case it removed the flagged file, the containing folder and an additional containing folder!

    Side note:

    I just used Agent Ransack to search my entire drive for "lnsscomm" or "officeclick" and, while lnsscomm is nowhere to be found, there are 2 additional instances of "OfficeClickToRun.exe" on my hard drive that are different sizes from each other and have different modified dates. They are found here:

    C:\Program Files\Common Files\microsoft shared\ClickToRun

    C:\Program Files\Microsoft Office 15\ClientX64

    but I don't think these have much to do with the issue. These are all legit Microsoft Office files. MBAR just flagged one of the three.
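The side note above compares copies of the same executable by size and modified date. The following PowerShell is an added example, not part of the thread or of Malwarebytes' own tooling, that does that comparison more rigorously: it reports size, timestamp, SHA-256 and Authenticode signature status for every copy of the two file names named in the thread, and for each flagged path it walks upward to find the deepest directory that still exists, which shows how many containing folders went missing. The file names come from the thread; the search root, the exact nesting of the flagged paths and the hypothetical function name are assumptions.

```powershell
# Added example (not from the thread). Assumptions: search root is C:\,
# and the flagged paths below are reconstructed from the folder names
# mentioned in the thread, not copied from a detection log.

$names = @('lnsscomm.exe', 'OfficeClickToRun.exe')
$root  = 'C:\'   # assumption: scan the whole system drive

# 1. Locate every copy of each name and record the properties that
#    distinguish a legitimate versioned copy from something suspicious.
$found = foreach ($name in $names) {
    Get-ChildItem -Path $root -Filter $name -File -Recurse -Force -ErrorAction SilentlyContinue
}

$report = foreach ($f in $found) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path          = $f.FullName
        SizeBytes     = $f.Length
        LastWriteTime = $f.LastWriteTime
        Sha256        = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        SigStatus     = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$report | Sort-Object Path | Format-Table -AutoSize

# 2. For a path that was "quarantined", find the deepest ancestor that still
#    exists so the number of removed containing folders is visible.
function Get-DeepestExistingAncestor {
    # Hypothetical helper name (assumption). Returns the longest prefix of
    # $Path that exists on disk, or $null if nothing up to the root exists.
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path
    while ($p -and -not (Test-Path -LiteralPath $p)) {
        $p = Split-Path -Path $p -Parent
    }
    if ($p) { return $p } else { return $null }
}

# Assumed reconstruction of the two flagged paths from the thread's folder names.
$flagged = @(
    'C:\Program Files (x86)\Advanced Monitoring Agent\patchman\11\lnsscomm.exe',
    'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.6965.2058\OfficeClickToRun.exe'
)

foreach ($path in $flagged) {
    $ancestor = Get-DeepestExistingAncestor -Path $path
    $missing  = ($path.Split('\').Count) - ($ancestor.Split('\').Count)
    [pscustomobject]@{
        Flagged          = $path
        DeepestExisting  = $ancestor
        MissingComponents = $missing   # 1 = only the file; 2 = file + folder; ...
    }
}
```

Two copies of an Office binary that differ only by version will have different sizes and hashes but should both report `SigStatus` of `Valid` with a Microsoft signer; a copy that is `NotSigned` or `HashMismatch` deserves a closer look before being written off as a false positive. `MissingComponents` makes the inconsistency the post describes (one case removed the file and one folder, the other the file and two folders) directly countable rather than eyeballed.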


  4. Thanks for replying tetonbob.

    I actually have no Quarantine directory in that location?! Should I create an empty directory? Is that directory created at installation or at the time an infection is discovered.

     Directory of C:\ProgramData\Malwarebytes\MBAMService
    
    05/20/2016  12:13 PM    <DIR>          .
    05/20/2016  12:13 PM    <DIR>          ..
    06/21/2016  08:17 AM    <DIR>          ArwDetections
    06/17/2016  04:58 PM    <DIR>          config
    05/20/2016  12:05 PM    <DIR>          ctlrupdate
    05/20/2016  12:04 PM    <DIR>          db
    05/20/2016  12:05 PM    <DIR>          instlrupdate
    06/21/2016  08:17 AM    <DIR>          logs
    06/21/2016  08:18 AM    <DIR>          tmp
                   0 File(s)              0 bytes
                   9 Dir(s)  394,755,948,544 bytes free

    I've had 2 detection events... one posted here:


    and one posted here:

    There's only a single log file in the directory. It's attached.

    Thanks for taking a look!

    logs.zip

  5. I've had 2 false positives so far and reported both. I'm glad you guys are working on this.

    However, when it says the files are moved to Quarantine, they are actually just being deleted as far as I can tell.

    Nothing is listed in the Quarantine tab at the time of the infection alert, nor after a reboot, nor after turning protection off.

    Are the files gone forever, or is there a way to actually recover them?

    Thanks!
    (I'm running 0.9.16.484 on Windows 10)

  6. Microsoft Office's ClickToRun.exe was flagged sometime around June 21st at 3am

    Again, MBAR says it's quarantined, but it doesn't show up in quarantine and I am unable to restore these legitimate files.

    It's deleted everything from the following directory:

    C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates

    I'm going to stop beta testing. This program is doing more damage than protection. If you can tell me how to restore these files, I might reconsider.

    Thanks and good luck.

    Anti-Ransomware False positive.png

    MBAMSERVICE.zip

    Malwarebytes Anti-Ransomware.zip

    The lnsscomm.exe file was flagged on June 10. I was running 0.9.15.416 (see attached screenshot)

    It was being added as part of Advanced Monitoring Agent patch management.

    I'm assuming it's safe, but I'm not 100% sure.

    It never showed up in Quarantine and I was unable to restore it.

    I've added my log file and Anti-Ransomware directory as requested

    Thanks for doing this!

    -GeekFreak

    ransomware WHAT - Copy.png

    MBAMSERVICE.zip

    Malwarebytes Anti-Ransomware.zip
