Darkdirk

Awesome, thank you @Porthos. You're the best.

I've had multiple users report this one to me tonight: Legit.MisusedLegit.Mshta.Generic, C:\WINDOWS\SYSTEM32\MSHTA.EXE Legit.MisusedLegit.Mshta.Generic, C:\WINDOWS\SYSWOW64\MSHTA.EXE I looked up the MD5 hashes from both files on VirusTotal and they show as being legit Microsoft files.

I'm just wondering if the "Use Expert Algorithms" option should be checked? It sounds like something you'd want to use, but seems like every time I see someone post in the forums about a detection, the advice usually given is to uncheck "Use Expert Algorithms" and rescan. And since it is disabled by default, I was wondering if there is ever any reason to use it in the first place.

OK, good to know, thank you. Can MBAM BrowserGuard be run along side of something like Ublock Origin or Adblock Plus?

If I already have MBAM Premium with Web Protection turned on, does installing the BrowserGuard plugin offer any additional protection that I don't already have?

Thank you for letting us know. This might be a big ask, but can you confirm for me if this is why every one of my MBAMSERVICE.LOG files were all completely filled with mostly: DEBUG TaskScheduler mb::common::misc::ScheduledTask::MyTimerAPCProc "taskscheduler.cpp" DEBUG TaskScheduler mb::common::misc::ScheduledTask::Schedule "taskscheduler.cpp" DEBUG TaskScheduler mb::common::misc::ScheduledTask::MyTimerAPCProc "taskscheduler.cpp" DEBUG TaskScheduler mb::common::misc::ScheduledTask::Schedule "taskscheduler.cpp" DEBUG TaskScheduler mb::common

My issue was almost identical. My Windows Event Log shows the low virtual memory condition starting at 1:12am. Could you do me a favor, MJL? Could you check your logs folder (located at c:\ProgramData\MalwareBytes\MBAMService\logs), and tell me if you have a bunch of MBAMSERVICE.LOG files that we all modified today?

I had the exact same thing happen as well. I've been freaking out for the past two hours thinking it was a malware attack. Now seeing so many others with this same problem, I'm thinking it's probably a bad MBAM update. When I browsed to my MBAMService\logs folder, every single one of my MBAMSERVICE.LOG files (MBAMSERVICE.LOG.bk1, MBAMSERVICE.LOG.bk2, etc...) were completely filled (10MB each) within the past 30 min. Can anyone else browse to their logs and see if they have the same situation?

I've been a Malwarebytes user for many years, and I've never understood why "Scan for rootkits" isn't enabled by default. Are rootkits not a big deal? It seems like for the small amount of time that it adds to the scan, people would want the highest level of protection. I would expect the default setting to offer the most thorough protection, and then users could disable options if they feel like digging into the settings; not the other way around. Am I missing something here?

Is there a way to download an offline installer for MWB for Windows?

Hi Eliuri- I just had one of my clients tell me about a nearly identical detection just last night. A file (also in the "Common Files" folder) and its corresponding registry key (also in "CurrentControlSet/Services"): Malware.Sandbox.13, C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE Malware.Sandbox.13, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MDM This detection came up last night during the scheduled daily scan, and interestingly this computer has been powered on but not actually in use since mid-December. So I am pretty confident tha

Hi Eliuri- I just had one of my clients tell me about a nearly identical detection just last night. A file (also in the "Common Files" folder) and its corresponding registry key (also in "CurrentControlSet/Services"): Malware.Sandbox.13, C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE Malware.Sandbox.13, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MDM This detection came up last night during the scheduled daily scan, and interestingly this computer has been powered on but not actually in use since mid-December. So I am pretty confident tha

Okay great, thanks for the reply. Unfortunately I start getting in my own head wondering things like “gee, of my many many clients that use MBW and MS Office, why has only one had this issue, and why can’t I trigger it again? Is this some sophisticated malware exploiting legit Word or Excel executables to conceal itself? Have I not slept since Monday? What day is it?” So thank you very much for the reassurance.

And just to verify, the fact that searching that MD5 on Virustotal verified that the file in question was the original, legit MS Excel file, is proof positive that the detection was absolutely a FP, right? I just want to make sure I understood that correctly before I hook this thing back up tonight.

Thank you sir for the compliment, and for that additional info. I found the json file and looked up the MD5 on VirusTotal, and as you suspected it was the legitimate excel.exe, not a ransomware. (I was not able to test my 0kB theory as I was unable to trigger a new detection, so I guess that particular mystery will go unsolved) Thanks again for all the help.