Posts posted by Scubnubby

  1. A few days ago my Malwarebytes wouldn't open anymore. It still seemed to work in the background, I just couldn't open it up.
    I thought I read something about other people also having the problem. So I downloaded the support tool, and did a clean reinstall, after which it worked fine again.

    A few days later, during a Norton Power Eraser scan (which is very aggressive and often has false positives, and I probably had no reason to run it), it found FRSTenglish.exe (in the downloads folder) and said it was potentially dangerous and suggested removing it.

    After removing it, and after rebooting, this time HitmanPro found FRSTenglish.exe again (this time in ...AppData\Local\Temp\mwb8F24.tmp\FRSTEnglish.exe) and marked it potentially suspicious.
    After I quarantined it in HitmanPro, none of my scans are finding anything anymore so far.

    So, my question is: is it possible that the support tool downloaded FRSTEnglish.exe in the background? Or maybe AdwCleaner or MBAR did?
    And are these maybe false positives on HitmanPro and the Power Eraser? Power Eraser has a reputation for false flags.
    More worried about HitmanPro finding it afterwards. I think I ran a HitmanPro scan sometime before I removed it with Power Eraser, and it came up clean back then, I'm sure.
    As far as I know I downloaded nothing suspicious or visited any shady sites or did anything out of the ordinary.

    I'll attach what the log of HitmanPro has to say about the file. Not sure if it's needed but might as well add it.



    Suspicious files ____________________________________________________________

       C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\FRSTEnglish.exe -> Quarantined
          Size . . . . . . . : 2.295.808 bytes
          Age  . . . . . . . : 2.3 days (2020-08-04 13:56:16)
          Entropy  . . . . . : 7.6
          SHA-256  . . . . . : 7E07ADF92F2C1BAC8123413DBDA66BB0EF10A3BBB350A270B07E26934760CA17
          Needs elevation  . : Yes
          Fuzzy  . . . . . . : 24.0
             Program has no publisher information but prompts the user for permission elevation.
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Time indicates that the file appeared recently on this computer.
          Forensic Cluster
             -8.0s C:\Users\Desktop\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2020-08-04.1156.7232.1.odl
             -7.3s C:\Users\Desktop\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9
             -7.3s C:\Users\Desktop\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9
             -7.2s C:\Users\Desktop\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_C1F23DB934C17F934968EA6EC37DAC18
             -7.2s C:\Users\Desktop\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_C1F23DB934C17F934968EA6EC37DAC18
             -3.7s C:\Users\Desktop\AppData\Local\Temp\7zS7DEE.tmp\
             -3.7s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\Malwarebytes EULA.rtf
             -3.7s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\mb-support.exe.Config
             -3.7s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\ERDNT.E_E
             -3.7s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\clean.json
             -3.7s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\ERDNTDOS.LOC
             -3.7s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\ERDNTWIN.LOC
             -3.7s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\ERUNT.LOC
             -3.7s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\ERUNT.EXE
             -3.7s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\mb-support.exe
             -3.6s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\7z.dll
             -3.6s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\CommonServiceLocator.dll
             -3.6s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\GalaSoft.MvvmLight.dll
             -3.6s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\GalaSoft.MvvmLight.Extras.dll
             -3.6s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\mbcheck.dll
             -3.5s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\mbchkrpt.dll
             -3.5s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\mbclean.dll
             -3.5s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\mbcut.dll
             -3.5s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\mbfix_clr.dll
             -3.0s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\mbgrab.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\mbrpt.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\Microsoft.Expression.Interactions.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\Microsoft.Threading.Tasks.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\Microsoft.Threading.Tasks.Extensions.Desktop.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\Microsoft.Threading.Tasks.Extensions.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\msvcp120.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\msvcr120.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\MWB.DefaultStyle.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\Newtonsoft.Json.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\System.IO.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\System.Runtime.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\System.Threading.Tasks.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\System.Windows.Interactivity.dll
             -2.9s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\Xceed.Wpf.Toolkit.dll
             -2.8s C:\Windows\Prefetch\MB-SUPPORT-
             -2.7s C:\Users\Desktop\AppData\Local\Temp\mbst-stub-results.txt
              0.0s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\FRSTEnglish.exe
              0.7s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\
              0.8s C:\Windows\Prefetch\MBSTUB.EXE-64EB7D80.pf
              1.4s C:\Users\Desktop\AppData\Local\Temp\mwb8F24.tmp\mb-support-log.txt
              1.4s C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\System.Threading.Tasks, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
              1.4s C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\System.Threading.Tasks, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
              1.4s C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\Microsoft.Threading.Tasks, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
              1.4s C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\Microsoft.Threading.Tasks, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a



  2. Order of events:

    - Ran a full system scan with Malwarebytes yesterday on laptop.

    - Did a Windows update yesterday on both desktop and laptop.

    - Decided to do a full system scan on laptop today, after which it found 2 notepad.exe files as malware in C:\WINDOWS.OLD
    Malware.Generic.4236541952, C:\WINDOWS.OLD\WINDOWS\SYSWOW64\NOTEPAD.EXE, Geen actie door gebruiker, 1000000, 0, 1.0.24656, 716BA54E48A9D426FC848000, dds, 00740846
    Malware.Generic.4236541952, C:\WINDOWS.OLD\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-NOTEPAD_31BF3856AD364E35_10.0.18362.693_NONE_CF0F2E5D362498EF\NOTEPAD.EXE

    - Ran a Malwarebytes scan on the same Windows.old folder on my desktop to check and it seems to detect the exact same files.


    Not sure if it's a false positive but its sudden appearance on both computers out of nowhere seems a bit suspect.
    Made a copy of the files it found and put it in a zip added here.

    Scan Export.txt Mbytes Possible False Positive Notepad Files.zip

  3. My bad, I was trying to follow instructions for the wrong MBAM version before. No wonder it didn't work.

    In reports there is the protection event that says 'Ransomware blocked'. I am guessing you need the log for that one, since all my scans were normal.

    Since the files were quarantined, I guess I have to restore them. Isn't that risky though? What if it's not a false positive?
    The file you want is "C:\Program Files\Norton Security\Engine\\NortonSecurity.exe" I am guessing?

    Should I just restore it and see if I can add the file? How serious of a risk do you think this might be?
    I'll add the log in here for now.


  4. Norton Security was detected as Ransomware right after a Live update patch.

    I have been running Malwarebytes Premium and Norton Security side by side without problems for a while. However, something suddenly went wrong just now.

    Here's the order of events.
    - My computer had just rebooted since it had just had a crash.
    - Right after it booted again I went through my routine of updating the virus definitions of Malwarebytes and running Norton live update.
    - Malwarebytes update finishes first as usual. Norton says it has a new patch, as it sometimes does. I install it.
    - Immediately after the patch has finished, I run live update again since often it seems to have some definition updates for the new patch.
    - And here is when it went wrong: during the live update, Norton says it failed. About 0.5 - 1 sec after, Malwarebytes has a pop-up that says it blocked ransomware.
    - Everything that was quarantined as ransomware seems to be Norton Antivirus files. (Norton doesn't work anymore since it's quarantined.)

    Not sure what to make of it, I didn't do anything out of the ordinary here.
    Also, on the Malwarebytes dashboard it still says 0 Real-Time Protection detections for some reason. It's probably not important, I just thought it blocking ransomware would count as Real-Time Protection.

    I tried doing the log thing with running mbam.exe /developer. But since that doesn't seem to work for some reason, I'll just post some screenshots for now so you can at least see what was detected.




  5. Good news, clean install worked.
    I wasn't asked to reboot though, immediately after cleanup it just asked to install the latest version of Malwarebytes.

    Last time I pressed repair and I thought that actually seemed to do a clean install. Guess it did not.
    When I did the repair before it did ask for a reboot tho.

    Still confused about what started this bug, but happy it's working now.
    Thank you for your help.

  6. It's been 3 days now and the problem still persists.

    I've noticed when it crashes the Malwarebytes tray application might be unaffected, and it's just the Malwarebytes window that freezes, but I'm not completely sure.
    I haven't tested every button in Malwarebytes, but so far everything seems to work fine other than the 'bell' icon crash.

    I can still update, and do scans as normal.
    Also would like to know if I have anything to worry about with that blocked site.
    If it got blocked by Malwarebytes and scanning doesn't find anything I probably have nothing to worry about, right? And the problems are probably unrelated?

    I have added a screenshot of what it exactly looks like when I press the icon.


  7. Short version of the problem:
    Whenever I press the little bell icon in the top right corner Malwarebytes just completely crashes.
    Rebooting does not help. I ran repair with the Malwarebytes support tool, but nothing changed and it still crashes as soon as I click the icon.
    I have to forcibly close Malwarebytes and restart it to get it to work again.

    When did it start / order of events (some of it might be unrelated to the problem):

    - I was watching a random YouTube video. A little ad popped up on the video. I wanted to click on the 'x' to close it but misclicked and clicked the banner instead, opening up the site it advertised.

    - Malwarebytes instantly blocks the site due to 'POP' (which I'm guessing is 'PUP', but since my Malwarebytes is in Dutch it says 'POP' instead).

    - Just in case I update my virus definitions and run a Malwarebytes scan, followed by a Norton antivirus scan. Both scans found nothing.

    - While I'm scanning the 'bell icon' still works since I'm using it to check the notification and what site was blocked etc. (the blocked domain was "free.gamingwonderland.com")

    - A very short while after the scans I want to use the bell icon again to click the thing that says I saw the notifications and mark it as read or something.

    - This time as soon as I click it Malwarebytes crashes and freezes up, but I just assume it's a one-time problem and turn off my computer because I have to go do some other stuff.

    - I came back not long after and started up my computer and again want to use the icon in the top right corner. As soon as I click it Malwarebytes crashes and freezes up again.

    - I decide to reboot my computer (during which Windows seems to do a quick short update). After reboot it still crashes.

    - I download the Malwarebytes support tool to repair Malwarebytes, which seems to do a reinstall of Malwarebytes. After which the problem persists, it still crashes when pressing the button.


    I am not super knowledgeable about all this. So, I need some advice.
    How do I fix this, and do I have anything to worry about with the POP thing?
    Could they be related or is this just a coincidence?

    Help is appreciated. :)

  8. I need some advice,
    I run both Malwarebytes and Norton Security to protect my PC (Windows 10).
    I run scans multiple times a day, my routine being: first run updates for both Malwarebytes and Norton, then scan with Malwarebytes, and after that scan with Norton.
    When I did this on the 16th my first scan of the day gave me an all clear on everything, as usual.
    When I ran updates and scanned later that night, however, I found 6 Emotet trojans (1 file, 5 keys), which I assume is the false positive people here are talking about.
    After quarantine I scanned with Norton, which found nothing.

    The part I need advice on is this.
    The day after in the evening I decided to reinstall my windows, picking the option that deletes my files.
    After the reinstall I downloaded Malwarebytes, Norton, Firefox and ran Windows updates. Then immediately started with the same old routine, running updates and scanning.
    This time Norton found C:\Windows\SysWOW64\Pid.dll to be Bloodhound.MalPE.

    I see on some of the links in this thread that some people like kdonovan9 had their pid on VirusTotal give Bloodhound.MalPE on Symantec, while for others it didn't.

    So my question is, is this linked to the false positive? Is it like a false positive from Norton's end?
    I get that the 6 trojans I found with Malwarebytes on the 16th were probably false, but I am quite confused about the Bloodhound.MalPE and would like some advice on how to proceed next.
