Search the Community

I have two DLL's that keep showing up as Malware.AI.1042087896. They appear to be for color scanner software. PIXN1320.zip PIXN1120.zip

Hey, attached is an exported detection by MalwareBytes of the ncrypt.exe, an executable from Norton. Is this a false positive? Thanks PossibleFalsePositive.txt

Two Putty nuget packages from Chocolatey that have been on the device for a long time started to be flagged by the AI as malware. Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/2/21 Scan Time: 2:53 AM Log File: 842afa8e-0bba-11ec-a2be-985fd3db6065.json -Software Information- Version: 4.4.4.126 Components Version: 1.0.1413 Update Package Version: 1.0.44517 License: Premium -System Information- OS: Windows 10 (Build 19043.1165) CPU: x64 File System: NTFS User: System -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Scheduler Result: Completed Objects Scanned: 346259 Threats Detected: 2 Threats Quarantined: 0 Time Elapsed: 7 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 2 Malware.AI.4275619838, C:\PROGRAMDATA\CHOCOLATEY\LIB\PUTTY.PORTABLE\PUTTY.PORTABLE.NUPKG, No Action By User, 1000000, 0, 1.0.44517, FA94F80E1F946A69FED8C7FE, dds, 01404234, E98A3C5DB1612AD75C4545A1EA5F44C4, 1BCC35D19DF5000E0258B790964990D43024E379A165ED7EF79B0204FCB637C7 Malware.AI.4275619838, C:\USERS\[USER DIRECTORY]\APPDATA\LOCAL\NUGET\CACHE\PUTTY.PORTABLE.0.72.NUPKG, No Action By User, 1000000, 0, 1.0.44517, FA94F80E1F946A69FED8C7FE, dds, 01404234, E98A3C5DB1612AD75C4545A1EA5F44C4, 1BCC35D19DF5000E0258B790964990D43024E379A165ED7EF79B0204FCB637C7 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) FalsePositive.zip

Hello Malwarebytes Support, This is Kent from Laipic, an user-oriented designer and manufacturer of online video presentation software Soom. Now we’ve been dedicated in offering the world’s most engaging and vivid online video presentation for webinar, online courses and telecommuting etc with sound daily feedback from global clients. Here is our official website for your kind reference: https://soom.us/ However, reports of company data surveillance & analysis recently indicate anti-virus software from a small amount of certain brands unfortunately classifies us risky level with harsh warning subsequently issued to our oversea users every time when people are ready to download and install Soom. This is honestly very disappointing and indeed caused bad impact to both our reputation and sales in a pretty negative way and with no doubt relevant influence will last for quite a long term in the coming days. We’d strongly believe Malwarebytes as such a giant in anti-virus industry must’ve been aiming to a brighter and more secure cyber environment creation for all world’s inhabitants which frankly is more than just noble and we highly appreciate all your marvelous attitude and passion in the field. Now it’s a tragic as we all see that COVID-19 tortures the world all around and that’s the exact reason why Soom’s been also working so hard to help those in need via offering the most revolutionary and convenient online video presentation for telecommuting, webinar and online courses etc and people now make a living without risking their lives to step out because social responsibility is what Malwarebytes and Soom both bear and share during this hard time, is what floats in our blood. With all privilege and honor, we respectfully acquire whitelist access under Malwarebytes brand anti-virus software for our common concept and purpose, that is establishment of more harmonious and joyful life and living atmosphere of tomorrow. Seriously crime and such other illegal conducts are what Soom never touched before and will definitely never touch in the future due to a simple reality that Soom sticks to human future improvement so we only behave right and legal with meanwhile great reputation to defend that our software is 100% secure to our daily work and life. Many thanks for your time and kind understanding to all above. If any further basic info needed for the whitelist access authorization please don’t hesitate to let us know. Hope to hear from you soon. Regards Kent

Hi there, Our game files are warned by your antivirus as malware. Please check the attachment for fix it. Thank you. detection history.txt launcher.rar

Greetings! I am the developer of WFE (Warcraft Feature Extender) and my .exe/.dll sometimes both get detected as MachineLearning/Anomalous.100%, I do not have malicious code, and VirusTotal and other scanners report it to be comepletely fine. Could you please take a look and hopefully remove my software from being detected as virus? Archive with files attached below. Thanks in advance! WFE v2.23.zip

Hello, Malware Bytes Browser Guard is blocking our website https://royalbathrooms.co.uk/ Here is the latest VirusTotal scan showing clean from all the engines https://www.virustotal.com/gui/url/96ade4d1c8d46613c5c47b864bb494b6a9e79eb5c3b29fd60066a610d67eb8c9/detection Please remove the site from your blacklist as soon as possible as it is affecting our business. Kind regards

Hi Malwarebytes support team, We hope you are doing great. Kindly know, we belong to the tech department of Shufti Pro. It came to our attention that Malwarebytes extension for browser (Malwarebytes Browser Guard) and Desktop Antivirus software is marking our Web Application Shufti Pro as: "Website blocked due to trojan". Also, it is showing a danger message for its clients, which is a false positive. Shufti Pro has a dedicated Security Department, and we understand that security is the main priority of every user. Shufti Pro doesn't steal or harm its visitor/client's data in any possible way. Also Shufti Pro does not have any type of virus, malware or trojan in its Web Application or any other service platforms. It is humbly requested that your team remove Shufti Pro's site from Malwarebytes' blacklist so that our clients can have a better and smoother experience. We hope you understand the situation. Feel free to ask any questions that deem necessary, and we'll be glad to help. Awaiting your kind response. Best regards, Tech Department, Shufti Pro Ltd.

Hello. My name is Ane Mari Tache from the Innovative Solutions Grup. We are the developers of the Orange Defender PRO program. It seems that your AV program Malwarebytes is flagging our program as PUP.Optional.OrangeDefender on VirusTotal. As a software developer I can strongly and sincerely vouch that the files bellow don't contain any malware or PUP files. I have worked on these products, and know with 100% certainty that they don't contain malware. Please either whitelist our products or tell us, in detail, why they are considered malware. We would gladly cooperate with you in order to fix this problem which is damaging to us and to our users (and, by extension, to your users, also). Here is the download link: https://www.orange-defender.com/ Kind regards, Ane Mari Tache

Hi, Recently I sent an installer of some software I made to my boss, and he reported seeing a MachineLearning/Anomalous.100% warning upon installation. As far as I know, my software should be safe, as I made it. Could you please flag this as a false positive so it doesn't show up as an anomaly? I attached both executables generated by the Squirrel installer, because I'm not sure which one is triggering the warning. Thanks. DirectPrintExecutables.zip

We often recommend Malwarebytes to our customers and I don't recall there being a false positive with GlassWire/Malwarebytes in the past. Unfortunately now we are receiving complaints about a false positive and we need your assistance please. You can download our installer from here https://www.glasswire.com/download/. The false positive screenshot is attached. Thank you for your assistance. -Log Details- Scan Date: 6/11/20 Scan Time: 8:52 AM Log File: 65a7c437-abe2-11ea-a534-201a06b471c5.json -Software Information- Version: 4.1.0.56 Components Version: 1.0.931 Update Package Version: 1.0.25366 License: Premium -System Information- OS: Windows 10 (Build 18362.900) CPU: x64 File System: NTFS User: System -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Scheduler Result: Completed Objects Scanned: 320950 Threats Detected: 4 Threats Quarantined: 0 Time Elapsed: 22 min, 38 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Warn PUM: Warn -Scan Details- Process: 1 Trojan.MalPack, C:\PROGRAM FILES (X86)\GLASSWIRE\GWCTLSRV.EXE, No Action By User, 555, 830500, , , , Module: 1 Trojan.MalPack, C:\PROGRAM FILES (X86)\GLASSWIRE\GWCTLSRV.EXE, No Action By User, 555, 830500, , , , Registry Key: 1 Trojan.MalPack, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\GlassWire, No Action By User, 555, 830500, , , , Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Trojan.MalPack, C:\PROGRAM FILES (X86)\GLASSWIRE\GWCTLSRV.EXE, No Action By User, 555, 830500, 1.0.25366, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected)

Hello, this is my website where I test various CMS systems. I bought malwarebytes premium and I see varning about my webpage. Is there something wrong on my side I can fix? I didnt install any suspiscious extension or script. Thanks for cooperation. Have a nice day. JurajBe

Hello. We respectfully request the removal of the flag on our software DriverFinder. Flag: PUP.Optional.DriverFinder Kindly note that this is a new version release certified clean and secure by Appesteem: https://customer.appesteem.com/certified?vendor=DESKT Kind regards, Melanie Tan DeskToolsSoft BV DriverFinderInstall.zip

Hello, This is to inform you that I'm in receipt of an FSA abuse report initiated by hphosts against my blog site hosted by WordPress (www.antivirus[.]ink -> https://antivirusink.wordpress[.]com) the hphosts DOES NOT provide the specifics of the abuse except the FSA tag. (pls. see below) Since hphosts claims to use malwarebytes engine to flag hosts for abuse and malicious activity I kindly urge malwarebytes to provide me with the specific details of the abuse as per FSA classification which should fall into one of the following categories: 1. Using misleading means to peddle their products (e.g. claiming the product is free when in actuality, it's just a free scan) 2. Not keeping their affiliates under control (i.e. those affiliates spamming, using BlackHat SEO, or otherwise misleading users) 3. The site is residing on a known malicious IP block Please be reminded that the site does not sell any products (1), does not have and is not signed with any affiliates (2) and is hosted on wordpress.com (3) The site is a security information blog content ONLY and is aimed to raise public's awareness of emerging security threats, phishing attacks and in the wild malware activity. I'm eagerly awaiting your response so I can proceed with the appropriate legal actions further. Kindly, AC

I recently ran Malwarebytes for the first time in a while and the following was detected: Registry Key: 10 RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, No Action By User, [6454], [249843],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, No Action By User, [6454], [249843],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE, No Action By User, [6454], [249279],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE, No Action By User, [6454], [249733],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE, No Action By User, [6454], [249279],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE, No Action By User, [6454], [249733],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE, No Action By User, [6451], [249279],1.0.8057 RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE, No Action By User, [6451], [249279],1.0.8057 RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE|DEBUGGER, No Action By User, [6451], [249279],1.0.8057 RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE|DEBUGGER, No Action By User, [6451], [249279],1.0.8057 Are these detections false positives? I have recently installed AVG Tune Up and suspect that some of them maybe false positives. AVG and Antispyware did not detect anything. Scans.docx

I have developed 1 program. Checked with virustotal no error. Malwarebytes www.malwarebytes.com -Protokolldetails- Datum des Schutzereignisses: 29.08.18 Uhrzeit des Schutzereignisses: 06:21 Protokolldatei: 11d39624-ab43-11e8-9429-000000000000.json -Softwaredaten- Version: 3.5.1.2522 Komponentenversion: 1.0.421 Version des Aktualisierungspakets: 1.0.6545 Lizenz: Premium -Systemdaten- Betriebssystem: Windows 10 (Build 17134.228) CPU: x64 Dateisystem: NTFS Benutzer: System -Einzelheiten zu blockierter Schadsoftware- Datei: 1 MachineLearning/Anomalous.94%, D:\testsb\buildtest14.exe, In Quarantäne, [0], [392687],1.0.6545 (end) BUILDTEST14.zip

Hello, I report a false positive, my website url is blocked by Malwarebytes Anti-Malware URL Blocked : rxcloud.fr.nf Best Regards, RoxasDev

Hi, I've been using MalwareBytes Free on my computer for a number of years, never had a problem and only use it for the bare basics - only 'safe' websites (Wikipedia, Facebook) and don't use it a great deal anyway. Did a scan this morning and it detected "MachineLearning/100%anomalous detection" - interestingly I had run a scan earlier without the internet connected, but after I connected the internet and ran the scan again it found it. I've since quarantined and deleted the file, ran another scan and all seems well - I'd just like to know what it was and whether it was a real problem or a false positive. I did a large Windows update (1803) last night and wonder if that's related? I have looked over this forum and seen that this detection has come up a number of times for people developing their own software, however I am not a software developer and had nothing on my computer that an average user wouldn't have. I understand that MalwareBytes is using new detection systems to stop malware, and so hopefully this is a teething problem rather than a real concern. I'm pretty savvy about computer safety, but still I'd rather be certain that everything is OK. I'm attaching the exported report here. There are no other visible signs of infection (slowing down, redirects etc). Thank you! MB Report.txt

Hello, We have fully cleaned and replaced the hacked version of this site Ccfriendsofwildlife.org. During this process we fully cleaned any hacked files on the system included the site's themes and plugins. We have also ensured the database is clean and removed all the injected content from the servers and checked and removed any malicious processes. We have checked the site using the "site: google search" and bad links we have also used fetch and render in google to ensure there is no bad content. All suspect javascript loaded and it's content has also been inspected. We have also performed a "curl" against the front page with a google bot user and again there is no spammy content returned or injected content. On top of this and most importantly we have placed the website behind an enterprise grade web application firewall to ensure this site has a high level of protection against any future attacks. Could you please ASAP remove any hack label and security warnings for this site.

Hi, a program that has been on our server for years came back as Spyware.Lokibot. It has never scanned as Spyware before, so I am curious as to why it would suddenly start scanning as such. On the hourly scan, it came back two hours in a row, then didn't appear anymore. It is these two files Name Type Category Status Path Spyware.LokiBot File Malware Quarantined C:\PROGRAM FILES (X86)\SPICEWORKS\NMAP-5.61-SPICEWORKS-SETUP.EXE Spyware.LokiBot File Malware Quarantined C:\PROGRAM FILES\WINPCAP\RPCAPD.EXE and the programs installed are Nmap 5.61-Spiceworks 05/19/2016 Spiceworks Desktop 7.5.00087 05/19/2016 Spiceworks, Inc. WinPcap 4.1.2-Spiceworks 4.1.0.2001 05/19/2016 CACE Technologies Please let me know if this was a false positive, or possibly caused by an update to Spiceworks (not sure if it updated automatically or anything).

Please remove my website www.acasadibarbara.it, we had a problem in February but now is clean Thanks DAVID

I have the same file information however I am using the cloud point software. I added snips from the scan that was completed.

Hi, i have a problem with my application and Malware Bytes 3.4 I've developed an application and its exe file is detected as MachineLearning/Anomalous.94% (obviusly it's not a malware ) Is there a way to avoid this detection? Thanks

Tried to look this up, but couldn't really find anything. I am not really experienced in this stuff. Sorry if this is a stupid question. I have MBAM 3 and after scanning my C drive with rootkit option on, it detected 2 threats, called Unknown.Rootkit.Driver and the location is C:\\Windows\System32\drivers\vwifibus.sys and vwififtl.sys. So these are apparently drivers, and I don't know how they affect my computer. I just quarantined the 2 in the meantime before I figured out anything. I want to note that vwifibus.sys came up a second time in a new scan just now. Quarantined it again. I just want to know if these are just false positives and if I should restore them, or do something else. Not sure if this is related at all to my recent problems of slow and inconsistent internet connections. Thanks for any info

Hi, you are blocking this CloudFlare IP that has two of my sites, as well as oodles of sites of other people. You ought to contact CloudFlare and work it out. For the time being I'm telling my visitors who you are blocking to STOP using your product. There is absolutely nothing dangerous about my site (hochmanconsultants.com). If you disagree, please post a code snip to prove me wrong.