Jump to content

C:\end "Adware.Trace" F/P?


Koldin

Recommended Posts

Since it is against the rules, to post in other peoples "removal Help Threads", i wanted to make this one.

 

To have an history of what im talking about, pls look here: https://forums.malwarebytes.org/index.php?/topic/174869-cend-file-quarantined-want-to-make-sure-im-safe/#entry1000602

 

 

I deleted my file too fast, so i cant upload something here, but  an other User said, if i creates an empty "end" file, mbam also detects it and gives out an alarm on that one.

 

 

maybe the "empty file" is enogh for you at mbam, to check it for us.

 

 

Thanks!

 

 

 

 

 

 

Link to post
Share on other sites

Hi,

 

It's not a false positive. It's just a very minor trace typically left behind by adware installations. It typically contains either a date, 'true', or 'false'. It doesn't do any harm, which is why it has the .Trace suffix in the detection name. The detection is there to rid your computer of remnants of adware installations.

 

In the link you provided, the END file may have just been a remnant of Iminent, or Spigot installation -- two other known PUPs which we can see a trace of here:

 

CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxps://isearch.avg.com/?cid={AAFAABA0-BD86-42DB-A8D3-0F3CA24A743F}&mid=50a934c49d284458bc29aae36a58e94b-350008f61377841d110a0e21809282e2fe53022c〈=en&ds=hk014&pr=sa&d=2012-10-02 20:51:35&v=12.2.5.34&sap=hp","hxxp://search.yahoo.com?type=994519&fr=spigot-yhp-ch","hxxp://search.iminent.com/?appId=E3AF24A0-8722-4C73-954B-3E1E5D14D51E","hxxp://www.msn.com/?pc=UP93&ocid=UP93DHP&dt=040313","hxxp://search.yahoo.com?fr=spigot-yhp-gcmac&ilc=12&type=435714"

 

Hope that clears things up.

 

Regards

Link to post
Share on other sites

 

Hi,

 

It's not a false positive. It's just a very minor trace typically left behind by adware installations. It typically contains either a date, 'true', or 'false'. It doesn't do any harm, which is why it has the .Trace suffix in the detection name. The detection is there to rid your computer of remnants of adware installations.

 

In the link you provided, the END file may have just been a remnant of Iminent, or Spigot installation -- two other known PUPs which we can see a trace of here:

 

 

Hope that clears things up.

 

Regards

 

I'm the other user that today too has found the end file in his C:\ folder.

As stated before, the file was completely empty, nothing written in it. As you said, usually contains some value like "OK", "true" etc, but that was not the case.

Other weird thing is that this popped up the same day for other users, and for everybody it was MBAM that found it (I'm running Kaspersky Internet Security for live protection).

Since some adwares (like conduit from what I've heard) leave this C:\end file, it's not properly a false positive. But the point is, there is the possibility that the end empty file was generated by some other software/update and that MBAM flags it as possible malware, since the behaviour is the same (it is found during the heuristic analysis).

Am i wrong?

Also there are no traces about some misbehaviour, or some weird browser extensions, no warnings from KIS, nothing wrong, so that leads me to the idea that the file was generated by something else and MBAM flagged it because that's a behaviour some malware has.

Link to post
Share on other sites

Other weird thing is that this popped up the same day for other users, and for everybody it was MBAM that found it (I'm running Kaspersky Internet Security for live protection).

 

 

Most likely because the detection was added yesterday.

 

 

 

 

But the point is, there is the possibility that the end empty file was generated by some other software/update and that MBAM flags it as possible malware, since the behaviour is the same (it is found during the heuristic analysis).

 

We have not observed legitimate software creating this file nor it being completely empty. In any case, you shouldn't worry about this detection if you aren't experiencing any issues with your system.

 

Regards

Link to post
Share on other sites

We have not observed legitimate software creating this file nor it being completely empty. In any case, you shouldn't worry about this detection if you aren't experiencing any issues with your system.

 

There is. Star Wars - The Old Republic produces this file. The File was created the same day I installed the game and since today MBAM never cared about this file.

File is completly empty, 0 bytes.

 

Some users from the SW TOR-Game reported this file in the forums (See here).

File could be related to toolbars when containing lines like "ConduitOK" or other information.

 

If you move the file to another directory (not C:\ directly) even MBAM won't report this file. Maybe MBAM thinks about a harmful file when it's directly placed to "C:\"?

Link to post
Share on other sites

What I wanted to add (can't find a way to edit my post): At my last scan (~2 weeks ago) the file wasn't reported. I guess the update messed this one up, because today it says it's a Adware.Trace. Like I said, file is there for almost half a year and nothing happend yet except for the MBAM-positive.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.