Stardance

  1. Addendum: Thank you for the explanation, knagaroth (-?- sorry if I misspelled your handle). The MBAM files were in C:\Windows for about six months before VIPRE "hit" is-RK5TT.exe. Regardless, given your explanation, it was a "false positive" and I have reported that to Sunbelt Software.
  2. IMHO, the fact that other software has been known to store files in C:\Windows when they actually do not serve any purpose there does not justify Malwarebytes doing the same thing. (Sandboxie stores its configuration file there, but I haven't bothered to ask "tzuk" whether that is justified just because it "covers" Windows XP.) FWIW, I have not excluded C:\Program Files\Malwarebytes from VIPRE scans, but, so far, it has never found anything in that subdirectory to quarantine. Before I run Malwarebytes' Anti-Malware, I instruct VIPRE to exit. After MBAM finishes and exits, I launch VIPRE from a desktop shortcut. The old principle is to not run an AV program while another developer's AV program is installed, but MBAM has never frozen or disappeared while running on my computer.
  3. Sunbelt Software VIPRE 3.1.2837 discovered is-RK5TT.exe in C:\Windows and decided that it is a "malware dropper" which they identify as Win32.Malware!Drop, so it quarantined the file. When I spoke with Sunbelt Software tech support today, the technician said that he could not find anything with Google (apparently) which would confirm whether the file is a component of the Windows XP operating system. He recommended that I submit it to Virus Total. When I did that, VT responded that the file had already been analyzed, and the list of AV scanners which had hits showed only Sunbelt Software VIPRE had characterized the file as malware.

     In order to upload the file to Virus Total, I had to tell VIPRE to restore the file from quarantine. So, when I finished with VT I displayed C:\Windows in order to find and delete is-RK5TT.exe. However, to my surprise, two other files were with it, each with the same name and a different extension.

     is-RK5TT.lst contains the following lines:

         ; This file was created by the installer for:
         ; Malwarebytes' Anti-Malware
         ; Location: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
         ; List of files to be registered on the next reboot. DO NOT EDIT!
         [sq]C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll
         [sq]C:\Program Files\Malwarebytes' Anti-Malware\vbalsgrid6.ocx

     The file is-RK5TT.msg contains ASCII text strings which appear to be usable as messages to instruct users and report errors during the installation of software.

     A couple of observations:

     (1) Obviously, the Sunbelt Software person(s) who identified the .EXE as a "malware dropper" was correct insofar as it does appear to be a program that installs something (as one can see by reading the Virus Total report). I only scanned it and do not recall seeing any string that contained the name "Malwarebytes" or "Antimalware". If it doesn't, then perhaps it should. It doesn't seem to me that Sunbelt can be blamed for erring on the side of caution.

     (2) If your software and/or the installer for it creates files in C:\Windows, then do not leave them there! As a rule, the only files that belong in C:\Windows are the ones that Microsoft and their software stores there. Unfortunately, that does include Active X controls for Internet Explorer, among other non-Microsoft files, but at least they are used by "the operating system".

     ---
     Stardance
     nil carborundum illegitimi