ParrotSlave

About ParrotSlave

Members
Rank: New Member
Content Count: 25

  1. You can open reg files with Notepad; here's what that one reads:

     Windows Registry Editor Version 5.00

     [HKEY_CURRENT_USER\Software\RENƒAƒvƒŠƒP[ƒVƒ‡ƒ“ ƒEƒBƒU[ƒh‚Ŷ¬‚³‚ꂽƒ[ƒJƒ‹ ƒAƒvƒŠƒP[ƒVƒ‡ƒ“]

     [HKEY_CURRENT_USER\Software\RENƒAƒvƒŠƒP[ƒVƒ‡ƒ“ ƒEƒBƒU[ƒh‚Ŷ¬‚³‚ꂽƒ[ƒJƒ‹ ƒAƒvƒŠƒP[ƒVƒ‡ƒ“\EasyConfig]
     "EasyConfigDlgSize"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,\
       ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,f0,00,00,00,7f,00,00,00,97,06,00,00,0a,04,00,\
       00
     "Col0"=dword:0000002d
     "Col1"=dword:0000005f
     "Col2"=dword:0000005a
     "Col3"=dword:00000046
     "Col4"=dword:00000046
     "Col5"=dword:000000df
     "Col6"=dword:00000046
     "Col7"=dword:00000070
     "Col8"=dword:0000017e
     "Col9"=dword:00000032
     "Col10"=dword:00000032

     I was just wanting an opinion. To stick an actual malicious program into the registry itself, i.e., have the key itself be such a program, I haven't heard of, although I could see that merging (instead of opening) a key could very easily do something nasty. It's just something that has puzzled me for a long time. The only reasonable explanation is that, maybe, it was part of an "activation" for some program or other after the program was installed. One of the problems software makers have is trying to keep people from stealing their software, and, in order to do so, they often require activation. If the activation does something simple, like stick a license key somewhere or other, for instance, somewhere in ProgramData, then it might be easy for someone to activate the program just by duplicating that file and putting it wherever it's supposed to go. There are normally some registry changes, though. By making the name of the registry key unrelated to the program itself, nobody would guess that that particular file goes with a particular program. (https://en.wikipedia.org/wiki/Product_activation) I don't know; I'm not a programmer.

     I learned simple programming when I had my Amiga, thirty-odd years ago, but Windows is a mystery to me (and, apparently, also to the folks at Microsoft. 😉) Maybe it is a remnant of some malware, or maybe it's a remnant of something I uninstalled or never used. Since everything works, it's not a big deal. Instead of being a tricky program application entry, it actually looks more like a reg key that would control the appearance of some GUI or another, since it's giving instructions for 10 different columns. Sorry, I just remembered that I asked about that in this very forum in 2014, and nobody knew. I don't remember sending any message to the moderators. Should I do so now?
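As an added example (my code, not the forum's and not Malwarebytes'), the Python script below does the triage the post is reaching for: it parses the Version 5.00 .reg format shown above (key headers, "name"=value lines, dword: and hex: values, and the trailing-backslash line wrapping regedit uses for long hex blobs), lists what a merge would write, and flags anything that lands in an autorun key or names an executable, which is the check to run before merging a .reg file of unknown origin. Two readings of the data are mine, not the post's: the 44-byte EasyConfigDlgSize blob has the layout of a Win32 WINDOWPLACEMENT structure (its first dword, 0x2c, is that structure's own size), so the script decodes it as saved dialog geometry; and the "ƒA ƒv ƒŠ" pattern in the key name is what Shift_JIS katakana looks like when displayed through Windows code page 1252, so the script re-decodes it, only partially, because the bytes cp1252 leaves undefined were lost when the name was displayed. What survives the decode is Japanese for "local application generated by the application wizard", the default profile key name that MFC's AppWizard emits in Japanese Visual Studio. The Run-key sample and its C:\Users\Public\svc.exe path are constructed for the demonstration.

```python
"""Triage a Windows .reg export before merging it (added example, not code from the
post or from Malwarebytes): parse the Version 5.00 text format, list what a merge would
write, and flag autorun keys and executable-looking strings."""
import re, struct

# The .reg text quoted in the post, laid out as regedit exports it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\RENƒAƒvƒŠƒP[ƒVƒ‡ƒ“ ƒEƒBƒU[ƒh‚Ŷ¬‚³‚ꂽƒ[ƒJƒ‹ ƒAƒvƒŠƒP[ƒVƒ‡ƒ“]

[HKEY_CURRENT_USER\Software\RENƒAƒvƒŠƒP[ƒVƒ‡ƒ“ ƒEƒBƒU[ƒh‚Ŷ¬‚³‚ꂽƒ[ƒJƒ‹ ƒAƒvƒŠƒP[ƒVƒ‡ƒ“\EasyConfig]
"EasyConfigDlgSize"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,f0,00,00,00,7f,00,00,00,97,06,00,00,0a,04,00,\
  00
"Col0"=dword:0000002d
"Col1"=dword:0000005f
"Col2"=dword:0000005a
"Col3"=dword:00000046
"Col4"=dword:00000046
"Col5"=dword:000000df
"Col6"=dword:00000046
"Col7"=dword:00000070
"Col8"=dword:0000017e
"Col9"=dword:00000032
"Col10"=dword:00000032
'''
# Constructed counter-example (hypothetical path): a value under the per-user Run key.
SAMPLE_AUTORUN = ("Windows Registry Editor Version 5.00\n\n"
                  r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]" "\n"
                  r'"Updater"="\"C:\\Users\\Public\\svc.exe\" /q"' "\n")

AUTORUN_KEYS = [re.compile(p, re.I) for p in (
    r"\\CurrentVersion\\Run(Once|OnceEx|Services)?$", r"\\Policies\\Explorer\\Run$",
    r"\\CurrentVersion\\Winlogon$", r"\\CurrentVersion\\Windows$",  # Shell/Userinit, AppInit_DLLs
    r"\\Image File Execution Options\\", r"\\Services\\[^\\]+$", r"\\shell\\open\\command$")]
EXEC_HINT = re.compile(r"\.(exe|dll|cmd|bat|ps1|vbs|js|scr)\b|rundll32|powershell", re.I)
NAME_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=... or @=... (default value)
STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and quote with a backslash

def _logical_lines(text):
    # regedit wraps long hex values with a trailing backslash and indents the continuation
    return re.sub(r"\\\r?\n\s*", "", text.lstrip("\ufeff")).splitlines()

def parse_value(rhs):
    if m := STR_RE.match(rhs):
        return ("REG_SZ", unescape(m.group(1)))
    if rhs.startswith("dword:"):
        return ("REG_DWORD", int(rhs[6:], 16))
    if m := re.match(r"^hex(?:\((\d+)\))?:(.*)$", rhs):
        code = int(m.group(1) or 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if code in (1, 2, 7):  # string types exported as hex(...) are UTF-16LE bytes
            return (f"hex({code})", data.decode("utf-16-le", "replace").rstrip("\0"))
        return ("REG_BINARY" if code == 3 else f"hex({code})", data)
    raise ValueError(f"unrecognised value syntax: {rhs!r}")

def parse_reg(text):
    """Return [(key path, delete flag, {value name: (type, value)}), ...]."""
    lines = _logical_lines(text)
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Version 5.00 .reg file")
    keys = []
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line[0] == "[" and line[-1] == "]":  # key header; [-HKEY...] deletes the key
            keys.append((line[1:-1].lstrip("-"), line[1:2] == "-", {}))
            continue
        m = NAME_RE.match(line)
        if not keys or not m:
            raise ValueError(f"unexpected line: {line!r}")
        keys[-1][2]["@" if m.group(1) is None else unescape(m.group(1))] = parse_value(m.group(2))
    return keys

def decode_windowplacement(blob):
    """Read a 44-byte REG_BINARY as a Win32 WINDOWPLACEMENT; an assumption, checked
    against the first dword, which the API defines as the structure's own size (44)."""
    if len(blob) != 44 or blob[:4] != b"\x2c\x00\x00\x00":
        return None
    f = struct.unpack("<IIIiiiiiiii", blob)  # length, flags, showCmd, ptMin, ptMax, rcNormalPosition
    return {"showCmd": f[2], "ptMin": f[3:5], "ptMax": f[5:7], "rcNormalPosition": f[7:11]}

def undo_cp1252_mojibake(name, codec="shift_jis"):
    """Re-read a name displayed through cp1252 as bytes of another code page; the bytes
    cp1252 leaves undefined (0x81, 0x8D, 0x8F, 0x90, 0x9D) were dropped at display time,
    so the result is a partial hint, not the exact original."""
    return name.encode("cp1252", "ignore").decode(codec, "replace")

def triage(keys):
    """Rows (key, value name, type, value) to review before merging."""
    rows = []
    for path, delete, values in keys:
        hot = delete or any(p.search(path) for p in AUTORUN_KEYS)
        for name, (rtype, val) in values.items():
            if hot or (isinstance(val, str) and EXEC_HINT.search(val)):
                rows.append((path, name, rtype, val))
    return rows
```

To run it on a real export, read the file with open(path, encoding="utf-16") (regedit writes Version 5.00 files as UTF-16LE with a byte-order mark) and pass the text to parse_reg; anything triage returns deserves a look before the merge. For the post's file triage returns nothing, which matches the poster's own reading that the key only stores window placement and column widths.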
  2. Thanks. Out of curiosity--and this is clearly not related to whatever was happening--a number of years ago, I discovered a registry entry in HKCU\Software that puzzled me. This is it:

     HKEY_CURRENT_USER\Software\ƒAƒvƒŠƒP[ƒVƒ‡ƒ“ ƒEƒBƒU[ƒh‚Ŷ¬‚³‚ꂽƒ[ƒJƒ‹ ƒAƒvƒŠƒP[ƒVƒ‡ƒ“

     I did not trust it, since I had no idea what it was, so I renamed it by adding REN to it, which would make whatever was using the path not function:

     HKEY_CURRENT_USER\Software\RENƒAƒvƒŠƒP[ƒVƒ‡ƒ“ ƒEƒBƒU[ƒh‚Ŷ¬‚³‚ꂽƒ[ƒJƒ‹ ƒAƒvƒŠƒP[ƒVƒ‡ƒ“

     Nothing that I know of stopped working when I renamed it, so I still, after at least six years or so, have no clue as to what it goes with. Have you ever seen that key before?

     Oddball key in HKCU.zip
  3. I mentioned that the problem had disappeared this morning, before I wrote my post. I was wondering whether there was a false positive problem with MBAM that had been corrected with today's update, or if there really was a problem on my system. I did run the fix anyway, though. I had already investigated whether it was the individual Excel files that were the problem or whether it was Excel itself (or something affecting Excel.) My first thought was also, hey, maybe it was just that one file, since that one was in my Dropbox, which I regard as a potential security risk. I did check other worksheets, and MBAM did the same thing to each, in the same amount of time. It closed Excel even if I just opened up the program instead of opening up an old spreadsheet. I don't know if you noticed this, but in those FRST lists, there were references to some QuickTime plugins. Apple stopped patching the program in 2016, and we're all supposed to have removed it from our systems. But, because I need it every now and then, instead of uninstalling it, what I did was to remove the QuickTime program folder (in Program Files (x86)), and put the folder on a removable drive. My old SoundForge Pro needs the QuickTime dlls to process mp4s, and I also use QuickTime to do non-destructive editing of mov and mp4 files. Very few programs will allow you to edit such files without re-encoding them when they're finished, which lowers the quality. So, whenever I want to use the program, which might be once a month, I disconnect from the internet, then move that folder back into Program Files (x86), do what I need to do, then get rid of the folder again. In other words, it's not there to compromise my system, but there are references to it in the registry. Most technical support people would freak out at the thought that the program might be active.

     Fixlog.txt
  4. I had just restored my system to an April Macrium image, and updated everything, when MBAM started blocking Excel. (It did not block Word.) It wasn't the individual file it was blocking: opening Excel itself would last about 15 seconds or so before MBAM would block it. This is on a Win8.1 64-bit system that has, as resident, MBAM, Norton Internet Security, SuperAntiSpyware Pro, and Zemana Anti-Logger. When the message came up a couple of times, I ran the Sophos Virus Removal Tool, and it found nothing. I also ran AdwCleaner and FRST, as suggested in-- The reason I had just restored my system to that April image is that I'm somewhat paranoid about my system--even though I don't go anywhere I shouldn't go on the internet, for real. Even if I wanted to, I wouldn't go to a porn site, since that's where you get viruses. However, whenever "weird" things happen--which might be due to Windows itself, or to malware, or both--I just revert my system, then update everything. In this case, my mouse had been acting "funny"--it had started lagging, not just in one browser, but in them all, and in other programs, which makes me worried about keyloggers--despite my security precautions. It wasn't just the battery in the mouse: I tried several different ones I have on hand. When I restore my system, I work offline, and update whatever needs it (browsers, Adobe AIR, even offline antimalware definitions) before connecting to the internet, then letting Windows Update do its thing. I didn't realize that, this time, the very first visit there, it hadn't installed anything. I remember a necessary reboot screen, and I'd left the computer for hours, all by its lonesome, so I'd assumed that everything was normal, when WU showed no available updates. The next day, though, I was puzzled when it told me that there were more updates available, and, without checking the installation history, I went ahead and let it do its thing again.

     One of the recent updates was supposed to protect against a heap memory exploit. When I kept getting MBAM blocking Excel, I finally decided to re-revert my system, and decided to manually download all the Windows updates this time, to do that offline as well, which was when I discovered that I'd been going a day without those updates. When I did that, I also ran the Windows Malicious Software tool by itself, and it found nothing. But my preliminary hypothesis then became that, somehow, I'd had some kind of real heap memory exploit. As I was getting ready to choose which system image to revert to, I opened up an Excel file of my image list, since I have them on several different removable drives--I'm a belt and suspenders guy--and, voila, Excel stayed open. So, now I'm wondering if this was an MBAM glitch that has been fixed in an update of the last day, or if something was really there. If something was really there, even if it seems to be gone, I need to do a re-restoration, just to be safe. I'm attaching FRST.txt and Addition.txt, my second run of FRST. When I ran it the first time, I discovered more than half a dozen different VLC player dlls with different versions, so I uninstalled it and reinstalled it: I'm going to have to start doing things the old-fashioned way again, i.e., not trusting programs to update themselves, except those ones where it's a hassle to reinstall due to activation issues. I do have a couple of programs that offered PUPs, but I've used them for years.

     FRST.txt Addition.txt AdwCleaner[S00].txt AdwCleaner_Debug.log
  5. It seemed to have been fixed, but it has, apparently, been "unfixed." Several weeks ago, I had to manually exclude the file from MBAM's detection engine. MBAM had not detected CareUEyes 1.20, but after the program updated itself to v1.21, MBAM ate the 1.21 exe. Since I had had no problem with v1.20, I uninstalled v1.21, then installed 1.20 again, then unchecked the "check for updates automatically" in the CareUEyes gui. Somehow, CareUEyes updated itself anyway, which made me assume that, when MBAM ate it again, MBAM didn't like the presumably newer version of careueyes.exe. I had no problems with it after that until today, when MBAM did the same thing, which, annoyingly, requires a reboot when it happens: MBAM has to completely digest it before it can be restored. My friend Norton reminded me that the digital signature on careueyes.exe is invalid, but that's not the problem. Only one out of 66 engines at VirusTotal flags the file. The careueyes.exe that's in AppData\Roaming\CareUEyes says product version 1.1.0.6 and product version 2017.7.28.1. The spooky thing is that, a few days ago, I'd restored my system to a Macrium image I made after I'd first installed CareUEyes but before I'd manually excluded it from MBAM, and MBAM was happy with it for several days before deciding that it was evil.