
exile360

Experts
  • Content Count: 22,630

Posts posted by exile360


  1. Yes, I'm sure you did.  It is because just as with the file listed on that VirusTotal page, your file is a 0 byte file meaning it is completely empty/no content, and any file that is 0 bytes/has no contents (regardless of what it might be named) will have the same hash/checksum, so the results will be the same.  The file name and path/location is what you need to use to research it if you wish to find out what it is and where it came from which is why I speculated that it appeared to be a trace left over from a Conduit PUP/infection because Conduit would create a file by that name in that location according to the information I found (and I suspect that's the purpose of this signature in ADWCleaner that is detecting the file as well, though I do not know for certain as only Research would have access to that information).


  2. Greetings,

    The information in the following links should help to clarify much of this with regards to what Malwarebytes detects as PUP and why:

    https://www.malwarebytes.com/pup/
    https://blog.malwarebytes.com/malwarebytes-news/2016/10/malwarebytes-gets-tougher-on-pups/
    https://blog.malwarebytes.com/cybercrime/2015/06/digital-snake-oil/
    https://blog.malwarebytes.com/cybercrime/2015/06/driver-updaters-digital-snake-oil-part-2/
    https://blog.malwarebytes.com/cybercrime/2015/07/pup-makers-digital-snake-oil-part-3/
    https://blog.malwarebytes.com/threats/registry-cleaner/
    https://blog.malwarebytes.com/puppum/2016/12/why-malwarebytes-detects-pc-pitstop-as-potentially-unwanted/
    https://blog.malwarebytes.com/malwarebytes-news/2017/11/winning-the-battle-against-pups-on-your-computer-and-in-u-s-district-court/
    https://blog.malwarebytes.com/puppum/2016/07/pup-friday-cleaning-up-with-5-star-awards/
    https://blog.malwarebytes.com/puppum/2016/08/systweak-redux-our-response/


    Regarding legal precedent, please refer to the following articles which cite two cases involving Malwarebytes and vendors blocked as PUP:

    https://blog.ericgoldman.org/archives/2017/11/section-230c2-protects-anti-malware-vendor-enigma-v-malwarebytes.htm
    https://blog.ericgoldman.org/archives/2018/09/section-230-helps-malware-vendor-avoid-liability-for-blocking-decision-pc-drivers-v-malwarebytes.htm

    The following links should also prove informative as to why many items are classified as PUP by Malwarebytes:

    https://decentsecurity.com/#/registry-cleaners/
    https://support.microsoft.com/en-us/help/2563254/microsoft-support-policy-for-the-use-of-registry-cleaning-utilities
    https://www.howtogeek.com/171633/why-using-a-registry-cleaner-wont-speed-up-your-pc-or-fix-crashes/
    https://www.howtogeek.com/162683/pc-cleaning-apps-are-a-scam-heres-why-and-how-to-speed-up-your-pc/
    https://lifehacker.com/5482701/whats-the-registry-should-i-clean-it-and-whats-the-point
    https://lifehacker.com/5033518/debunking-common-windows-performance-tweaking-myths
    https://www.howtogeek.com/198758/never-download-a-driver-updating-utility-theyre-worse-than-useless/
    https://www.howtogeek.com/233115/the-only-way-to-safely-update-your-hardware-drivers-on-windows/
    http://www.tomshardware.com/answers/id-1857635/good-free-automatic-driver-updater.html
    http://www.tomshardware.com/answers/id-1974868/trusted-driver-updater.html
    https://www.howtogeek.com/172839/10-types-of-system-tools-and-optimization-programs-you-dont-need-on-windows/
    https://computer.howstuffworks.com/question1751.htm
    https://lifehacker.com/5415355/do-you-really-need-more-than-4gb-of-ram
    https://www.tomshardware.com/reviews/memory-module-upgrade,2264.html
    https://www.howtogeek.com/128130/htg-explains-why-its-good-that-your-computers-ram-is-full/
    https://techlogon.com/2011/03/28/will-more-ram-memory-make-my-computer-faster/

    Obviously you're free to change how PUPs are handled and this is in fact the very reason those options are provided.  Additionally, if you only wish to exclude a specific PUP rather than all PUPs you may instead perform a Threat scan with Malwarebytes by opening Malwarebytes and clicking the Scan Now button on the Dashboard, then once the scan completes, verify that all of the detected items belong to the program that you wish to exclude then click the empty checkbox at the top of the list in the column header to clear all of the checkboxes next to all of the detections then click Next and when prompted on what to do with the remaining detections select the option to always ignore and they will all be added to your Exclusions in Malwarebytes so that those items will no longer be detected by future scans or the Malware Protection component.

    I hope that helps to clarify things and if there is anything else we might assist you with please don't hesitate to let us know.

    Thanks


  3. LOL, that second image looks like a mannequin :P 

    Anyway, here's another track:


    That song always reminds me of the movie Mannequin since Kim Cattrall played an Egyptian princess in that film which also featured Andrew McCarthy, and of course I can't think of the Bangles without thinking of my favorite tune of theirs which actually was on the soundtrack of another film that featured Andrew McCarthy (as well as an amazing performance by Robert Downey Jr), Less Than Zero:

    Man those girls could ROCK.  They were so metal back when metal wasn't even that metal :P .  Must be one of the best covers ever.


  4. Just to add to what Firefox mentioned above, you might find the information in this support article to be helpful and you'll find additional details on signing up at My.Malwarebytes.com in this support article.

    If you are still unable to retrieve your license key then please contact Malwarebytes Support directly via the form on the bottom of this page and they should be able to assist you in tracking down your license information.

    I hope this helps and if there is anything else we might assist you with please don't hesitate to let us know.

    Thanks


  5. That file doesn't even have the same name as the file from your system; they are only the same in that they are empty 0 byte files and therefore have the same hash just as mentioned in this comment from VT:

    Reading the comments here makes me want to cry, people arguing what the file is and is it safe or not without realising they've submitted an empty file, thus has the SAME FILE HASH as everyone else's empty file.
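Posts 1 and 5 above rest on the same point: a zero-byte file hashes to the same digest whatever it is called, so a hash lookup on such a file only tells you "empty" and the name and directory are the evidence worth researching. The following Python script is an added example, not code from the poster or from Malwarebytes; it creates a few constructed sample files (two empty ones with unrelated names, one with content) in a temporary directory, hashes them, and marks the files whose digest is uninformative. The well-known empty-input MD5 and SHA-256 constants are real values; the file names and the `triage` function are this example's own.

```python
import hashlib
import os
import tempfile

# Well-known digests of zero-byte input. Every empty file, whatever its
# name or path, hashes to exactly these values.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def file_digests(path):
    """Return (size, md5, sha256) of a file, hashing it in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def triage(path):
    """Decide whether a hash lookup (VirusTotal or similar) can say anything
    useful about this file. For a 0-byte file it cannot: the digest is shared
    by every empty file, so the name and location are the only evidence."""
    size, md5, sha256 = file_digests(path)
    record = {
        "path": path,
        "name": os.path.basename(path),
        "size": size,
        "md5": md5,
        "sha256": sha256,
    }
    if size == 0:
        record["hash_informative"] = False
        record["note"] = ("0-byte file: digest identifies nothing but 'empty'; "
                          "research the file name and directory instead")
    else:
        record["hash_informative"] = True
    return record


def demo():
    """Constructed sample: two empty files with unrelated names plus one
    non-empty file, created in a fresh temporary directory."""
    workdir = tempfile.mkdtemp()
    empty_a = os.path.join(workdir, "END")            # name taken from the thread
    empty_b = os.path.join(workdir, "unrelated.tmp")  # any other empty file
    nonempty = os.path.join(workdir, "notes.txt")
    open(empty_a, "wb").close()
    open(empty_b, "wb").close()
    with open(nonempty, "wb") as fh:
        fh.write(b"hello\n")
    return [triage(p) for p in (empty_a, empty_b, nonempty)]


if __name__ == "__main__":
    for rec in demo():
        flag = "" if rec["hash_informative"] else "  <- " + rec["note"]
        print(f"{rec['name']:<14} {rec['size']:>6} B  sha256={rec['sha256'][:16]}...{flag}")
```

Running it shows `END` and `unrelated.tmp` sharing the SHA-256 `e3b0c442...` while `notes.txt` gets its own digest; a triage script that checks the size before submitting a hash avoids exactly the confusion in the quoted VirusTotal comment.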


  6. Greetings,

    I don't know about how it works for Macs, but I do know that on Windows it is a very bad idea to try to remove malware from backup images or system restore points as it will corrupt them rendering them useless and an infected backup is better than none should a system failure occur as you can always restore the system/image then scan it afterwards to remove any threats that might be present once the restore operation is completed.


  7. You should be able to retrieve it by creating an account at My.Malwarebytes.com using the same email address you used when you originally purchased your license, otherwise if that's not possible you may contact Malwarebytes Support directly via the form on the bottom of this page and they should be able to retrieve it for you.


  8. Once the trial expires it will revert to the free version.  The features of the free version are manual scans, including context menu scans when you right-click on any file or folder or drive as well as the standard Threat scans and Custom scans as well as unlimited threat detections and removals.  What you lose are all of the real-time protection components as well as scheduled updates and scans, however you may continue to use it as a scan/remediation tool for as long as you'd like.  I do not know if they will allow you to use your license on both drives or not so I can't speak to that, however someone from Support can answer that I'm sure.


  9. Sounds like a malicious Chrome extension.  Those have been getting pretty nasty these days.  Some of them, like SmartService/Yelloader are even accompanied by rootkits.  Extreme measures for a PUP/adware infection, but with a pay-per-click/pay-per-install affiliate model it's no wonder that the bad guys are leveraging such tactics to get these PUPs installed and keep them there.  I've even seen one that used an actual worm to spread throughout any network connected to an infected device just to install the PUP on every system it could infect.  Really nasty stuff.  Chrome's become a popular target because it's used by so many these days (even more frequently targeted than IE ever since Google overtook MS in browser market share).


  10. This being a brand new system raises my suspicions.  I wouldn't be surprised at all if something like this happens to them again as it may well be due to some underlying hardware fault from the manufacturer.  I hope I'm wrong, but just in case I would strongly recommend they keep regular backups of anything important that is stored on that device on some kind of external media or in the cloud online or both.


  11. Greetings,

    After reviewing your logs I suspect that it may be the VPN(s) and/or proxies that are installed preventing Malwarebytes from connecting to the licensing servers to activate.  The latest version of Malwarebytes is very sensitive to third party VPNs, proxies and similar tools that alter internet connectivity using the deprecated Winsock LSP protocol rather than the current Windows Filtering Platform protocol.  If possible, please try removing these VPNs/proxies to see if you are able to activate Malwarebytes, then see if there are newer versions or alternatives if you still need to use those applications that use WFP instead of Winsock:

    Winsock: Catalog5 01 C:\Windows\SysWOW64\PrxerNsp.dll [87024 2018-08-15] ()
    Winsock: Catalog9 01 C:\Windows\SysWOW64\networkdlllsp.dll [448296 2016-05-21] (Network Tunnel Lab)
    Winsock: Catalog9 02 C:\Windows\SysWOW64\networkdlllsp.dll [448296 2016-05-21] (Network Tunnel Lab)
    Winsock: Catalog9 03 C:\Windows\SysWOW64\networkdlllsp.dll [448296 2016-05-21] (Network Tunnel Lab)
    Winsock: Catalog9 04 C:\Windows\SysWOW64\networkdlllsp.dll [448296 2016-05-21] (Network Tunnel Lab)
    Winsock: Catalog9 05 C:\Windows\SysWOW64\networkdlllsp.dll [448296 2016-05-21] (Network Tunnel Lab)
    Winsock: Catalog9 06 C:\Windows\SysWOW64\networkdlllsp.dll [448296 2016-05-21] (Network Tunnel Lab)
    Winsock: Catalog9 07 C:\Windows\SysWOW64\networkdlllsp.dll [448296 2016-05-21] (Network Tunnel Lab)
    Winsock: Catalog9 08 C:\Windows\SysWOW64\PrxerDrv.dll [98800 2018-08-15] (Initex)
    Winsock: Catalog9 09 C:\Windows\SysWOW64\PrxerDrv.dll [98800 2018-08-15] (Initex)
    Winsock: Catalog9 10 C:\Windows\SysWOW64\PrxerDrv.dll [98800 2018-08-15] (Initex)
    Winsock: Catalog9 11 C:\Windows\SysWOW64\PrxerDrv.dll [98800 2018-08-15] (Initex)
    Winsock: Catalog9 26 C:\Windows\SysWOW64\ierd_tgp_lsp.dll [723104 2019-01-09] (Tencent)
    Winsock: Catalog9 27 C:\Windows\SysWOW64\ierd_tgp_lsp.dll [723104 2019-01-09] (Tencent)
    Winsock: Catalog9 28 C:\Windows\SysWOW64\ierd_tgp_lsp.dll [723104 2019-01-09] (Tencent)
    Winsock: Catalog9 29 C:\Windows\SysWOW64\ierd_tgp_lsp.dll [723104 2019-01-09] (Tencent)
    Winsock: Catalog9 30 C:\Windows\SysWOW64\PrxerDrv.dll [98800 2018-08-15] (Initex)
    Winsock: Catalog5-x64 01 C:\Windows\system32\PrxerNsp.dll [101872 2018-08-15] ()
    Winsock: Catalog9-x64 02 C:\Windows\system32\PrxerDrv.dll [119792 2018-08-15] (Initex)
    Winsock: Catalog9-x64 03 C:\Windows\system32\PrxerDrv.dll [119792 2018-08-15] (Initex)
    Winsock: Catalog9-x64 04 C:\Windows\system32\PrxerDrv.dll [119792 2018-08-15] (Initex)
    Winsock: Catalog9-x64 05 C:\Windows\system32\PrxerDrv.dll [119792 2018-08-15] (Initex)
    Winsock: Catalog9-x64 19 C:\Windows\SysWOW64\ierd_tgp_lsp64.dll [1010848 2019-01-09] (Tencent)
    Winsock: Catalog9-x64 20 C:\Windows\SysWOW64\ierd_tgp_lsp64.dll [1010848 2019-01-09] (Tencent)
    Winsock: Catalog9-x64 21 C:\Windows\SysWOW64\ierd_tgp_lsp64.dll [1010848 2019-01-09] (Tencent)
    Winsock: Catalog9-x64 22 C:\Windows\SysWOW64\ierd_tgp_lsp64.dll [1010848 2019-01-09] (Tencent)
    Winsock: Catalog9-x64 23 C:\Windows\system32\PrxerDrv.dll [119792 2018-08-15] (Initex)
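The `Winsock:` lines above are FRST's dump of the Winsock catalogs: `Catalog5` entries are namespace providers and `Catalog9` entries form the protocol chain in which layered service providers sit, with `-x64` marking the 64-bit catalogs. As an added example (not the poster's or FRST's code), here is a small Python parser that reads lines in that format, groups the entries by DLL, and flags every provider whose publisher is not on a trusted list. The trusted-publisher list and the layer labels are this example's assumptions, and the sample input is a constructed subset of the lines quoted above.

```python
import re

# Constructed sample in the FRST "Winsock:" format shown in the log above
# (a subset of the quoted lines, used as offline test input).
SAMPLE_LOG = r"""
Winsock: Catalog5 01 C:\Windows\SysWOW64\PrxerNsp.dll [87024 2018-08-15] ()
Winsock: Catalog9 01 C:\Windows\SysWOW64\networkdlllsp.dll [448296 2016-05-21] (Network Tunnel Lab)
Winsock: Catalog9 02 C:\Windows\SysWOW64\networkdlllsp.dll [448296 2016-05-21] (Network Tunnel Lab)
Winsock: Catalog9 08 C:\Windows\SysWOW64\PrxerDrv.dll [98800 2018-08-15] (Initex)
Winsock: Catalog9-x64 02 C:\Windows\system32\PrxerDrv.dll [119792 2018-08-15] (Initex)
Winsock: Catalog9-x64 19 C:\Windows\SysWOW64\ierd_tgp_lsp64.dll [1010848 2019-01-09] (Tencent)
"""

# One FRST Winsock line: catalog, index, DLL path, [size date], (publisher).
LINE_RE = re.compile(
    r"^Winsock:\s+(?P<catalog>Catalog\d+(?:-x64)?)\s+(?P<index>\d+)\s+"
    r"(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+"
    r"\((?P<publisher>[^)]*)\)\s*$"
)

# Catalog5 holds namespace providers (name resolution); Catalog9 holds the
# protocol chain where layered service providers intercept socket traffic.
LAYERS = {"Catalog5": "namespace provider", "Catalog9": "protocol/LSP chain"}


def parse_winsock_lines(text):
    """Parse every well-formed 'Winsock:' line; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["index"] = int(e["index"])
        e["size"] = int(e["size"])
        e["x64"] = e["catalog"].endswith("-x64")
        e["layer"] = LAYERS.get(e["catalog"].split("-")[0], "unknown")
        entries.append(e)
    return entries


def lsp_report(text, trusted_publishers=("Microsoft Corporation",)):
    """Group catalog entries by DLL and flag publishers outside the trusted
    list (an assumption for this example). FRST normally omits Microsoft's
    own providers, so in practice every line it prints is a third-party
    provider worth checking against the installed VPN/proxy software."""
    by_dll = {}
    for e in parse_winsock_lines(text):
        key = e["path"].lower()
        s = by_dll.setdefault(key, {
            "path": e["path"],
            "entries": 0,
            "catalogs": set(),
            "layers": set(),
            "publisher": e["publisher"] or "(no publisher)",
            "size": e["size"],
            "date": e["date"],
        })
        s["entries"] += 1
        s["catalogs"].add(e["catalog"])
        s["layers"].add(e["layer"])
    for s in by_dll.values():
        s["catalogs"] = sorted(s["catalogs"])
        s["layers"] = sorted(s["layers"])
        s["third_party"] = s["publisher"] not in trusted_publishers
    return by_dll


if __name__ == "__main__":
    for s in lsp_report(SAMPLE_LOG).values():
        mark = "THIRD-PARTY" if s["third_party"] else "trusted"
        print(f"{mark:<12} {s['entries']:>2} entries  {', '.join(s['layers']):<22} "
              f"{s['publisher']:<24} {s['path']}")
```

Grouping by DLL turns the thirty-odd lines in the log into a handful of providers, each tied to a publisher, which is the list to compare against the VPN and proxy products installed before deciding what to remove or update.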


  12. Yes, unfortunately without more details there really isn't much to go on, but my suspicion is that either it is as I suggested that the threat had done some damage at some point, or possibly it could have even been an underlying issue with the system that was already present but only manifested once put through the process of scanning/removing the threats with ADWCleaner (for instance some kind of problem with corrupt disk sectors or something similar, though again, this too is merely speculation).

    Yes, FileHippo is a legit site.  I refer users to it often whenever one seeks an older build of Malwarebytes as they keep a long running archive of past software versions for the programs they host.

    If you are able to get into contact with your friend it might shed light on the situation if he were to run the following tool and submit the resulting ZIP file containing logs that it gathers to Support for analysis; though honestly after the OS has been reinstalled there is not likely to be any evidence of whatever caused the issue anyway so it might not be worth it, but in case your friend is interested in doing so here are the instructions:

    1. Download and run the Malwarebytes Support Tool
    2. Accept the EULA and click Advanced tab on the left (not Start Repair)
    3. Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply


  13. I did a quick search and I came across this topic on Tom's where they were saying that a file called C:\END belongs to Conduit which is a well known PUP (Conduit Toolbar, a search hijacker essentially) and I suspect that's why this is being detected, most likely via a heuristics signature designed to target that threat.  Only Research would know for sure though.
