Temporary install files created with InstallMate installer

[jkaleta]

InstallMate is a program for building software installers. I believe it must have been used by someone to build a malware program, and therefore temporary installation files created by InstallMate have been since marked as malware for no good reason. I believe this is a false positive, and - for what it's worth - the maker of InstallMate also thinks so. They say they've been trying to contact Malware Bytes for weeks, but no response or action on your part has been taken.

Please advise if this is a false positive.

MBAM-log-2013-03-18 (12-20-02).txt

[miekiemoes]

Hi,

Please also zip and attach the file being detected to your next post.

Thanks!

[jkaleta]

Attached compressed file...

MBAM-log-2013-03-18 (12-20-02).zip

[jkaleta]

Ooops... wrong file. Let me try again.

_Setup.zip

[miekiemoes]

Hi,

This is the log you attached again. Can you zip and attach the detected file?

_Setup.dll

Looks like you figured it out already

[miekiemoes]

This is a False Positive indeed and will be fixed in next database update. Thanks for reporting!

[aclarity]

Just had Malwarebytes bring up a series of InstallMate files.  Is it possible that these are benign install/uninstall files?  I havn't installed anything recently, intentionally.  I wonder if this is the previous false positive recurring...

 

A. Carwile

 

MBAM-log-2013-08-14 (16-52-07).txt

[sunriseal]

This is a False Positive indeed and will be fixed in next database update. Thanks for reporting!

 

Just started reporting a bunch of InstallMate files... I am sure there has been a database update since this was reported....

 Where do we go from here?

[ky331]

A. Carwile:

 

Your installmate files come from WinPatrol.   I just received a similar detection, with MBAM database 2013.08.14.08.

 

 

4BB7A109-FDB5-45E3-9DB9-ECB2EA7B80EE refers to WinPatrol 28.0.2013.0 (or at least, some current 28.x version)

A62F9CD0-B2E0-4F2A-88F2-79254A3C8539 refers to WinPatrol 26.1.2013.0 (or at least, some other prior version).

 

"The files in this folder are required for a clean update or removal of the above product. Please do not delete them".

[sunriseal]

A. Carwile:

 

Your installmate files come from WinPatrol.   I just received a similar detection, with MBAM database 2013.08.14.08.

 

 

4BB7A109-FDB5-45E3-9DB9-ECB2EA7B80EE refers to WinPatrol 28.0.2013.0

A62F9CD0-B2E0-4F2A-88F2-79254A3C8539 refers to WinPatrol 26.1.2013.0

 

 

"The files in this folder are required for a clean update or removal of the above product. Please do not delete them".

OK... so what do I do with that info.... ?

[ky331]

I suggest we wait for an official response from someone on the MalwareBytes team, now that this issue has been brought to their attention.

 

Given the response on 18 March (above) that it was indeed an F/P then, I would expect the same result now.

 

A PUP is a Potentially Unwanted Program, so there is room for debate there (in general).   But I would suspect that no one would consider WinPatrol's UNinstaller to be a PUP.   I am taking for granted that MBAM can determine which program (e.g., WinPatrol) is being uninstalled in these cases.

 

If you delete the WinPatrol-related files, you'll "break" WinPatrol's ability to uninstall itself.   [This isn't as critical as it sounds... because if you re-install WinPatrol over itself, it will re-create these files, allowing you to then properly uninstall it.]

 

In the event that MBAM decides to stick with this classification, keep in mind that a PUP is ultimately a user-choice:  what one person deems "unwanted", another person might consider useful.   Knowing that my "PUPs" came from WinPatrol, I intend to keep them regardless.

[shadowwar]

Can someone please attach some of these files in zip format?

 

Thanks.

[shadowwar]

NVM fixed in a few minutes.

[ky331]

Zip files attached

4BB7A109-FDB5-45E3-9DB9-ECB2EA7B80EE.zip

[ky331]

Looks like the issue has been FIXED with the release of database 2013.08.15.1

[sunriseal]

Looks like the issue has been FIXED with the release of database 2013.08.15.1

I just updated the database to 2031.08.15.1 and things are now MUCH WORSE...

 

Now indicates 27 lines

 

Looks differentr than the earlier one.. perhaps not a false positive???

 

Al

MBAM-log-2013-08-14 (22-11-30).txt

[miekiemoes]

sunriseal,

 

Your detections are no False Positives, but PUP detections.

PUP means, Potentially Unwanted Program, so this isn't malware.

Please see here: http://forums.malwarebytes.org/index.php?showtopic=130207

[ky331]

Sunriseal,

 

The problem that A. Carwile and I experienced was for InstallMate -- specifically, the UNinstaller (and related files) used by WinPatrol.   This issue has indeed been addressed/fixed as I noted above.

 

When you mentioned "a bunch of InstallMate files", I assumed (perhaps erroneously) that you were referring to precisely the same issue [and nothing more].    When you subsequently posted your log, it then became clearer that your issue was SweetPacks/SweetIM and Conduit --- you'll note that InstallMate is not mentioned in your log at all.

 

As miekiemoes mentioned, SweetPacks and Conduit are a different matter (than InstallMate/WinPatrol).

[sunriseal]

sunriseal,

 

Your detections are no False Positives, but PUP detections.

PUP means, Potentially Unwanted Program, so this isn't malware.

Please see here: http://forums.malwarebytes.org/index.php?showtopic=130207

You are aboslutely correct. Sorry for the "false alram"...

 

After a decent nite's sleep (needed badly) I ran MB again and removed those PUP detections and all is now good.

 

Those files have been on my system for some time and after last nite's database it suddenly reported them (had not with prior database update afew hours earlier). All that coupled with the false positive an hour or so earlier and lack of sleep contributed to the 'perfect storm'.. <grin

 

Al

[sunriseal]

Sunriseal,

 

The problem that A. Carwile and I experienced was for InstallMate -- specifically, the UNinstaller (and related files) used by WinPatrol.   This issue has indeed been addressed/fixed as I noted above.

 

When you mentioned "a bunch of InstallMate files", I assumed (perhaps erroneously) that you were referring to precisely the same issue [and nothing more].    When you subsequently posted your log, it then became clearer that your issue was SweetPacks/SweetIM and Conduit --- you'll note that InstallMate is not mentioned in your log at all.

 

As miekiemoes mentioned, SweetPacks and Conduit are a different matter (than InstallMate/WinPatrol).

I was reporting the SAME issue as u folks did... the log posted was AFTER I had run the database update15.1 which did fix the InstallMate issue... see my post from a few minutes ago... should explain all..

[DWizard]

Today did a quick scan (10/4/13) and InstallMate files have been detected. 

Why I'm posting. First, even though I own WinPatrol, it's never been installed on this PC yet these files are in the C:\Program Data\InstallMate folder.

 

No pc issue's, no other malware detected, just InstallMate. All PUP detections. All I can say is how sneaky! Apparently these files are just to install their install maker program. 

 

It may be fine software but the way it found itself to my pc is to my way of thinking not ethical, and creepy.

 

Attached is everything including MBAM log file.

InstallMate.zip

MBAM-log-2013-10-04 (14-20-37).txt

[shadowwar]

Ok i am not sure what you are asking or stating here. They are ok to remove.