
False Positive in Temp whenever uninstalling programmes


ZePet


I have a slight problem with attaching the desired files to my post, as MBAR reports ransomware when I uninstall programmes, and the file path leads to a temp folder that is gone after rebooting. It seems that whenever I uninstall, a file called Au_.exe is created in C:\Users\username\AppData\Local\Temp\~nsu.tmp\ - and it sets MBAR off without fail. With the first programme I tried to uninstall (a programme used to manage the downloads of children's games from the official site of the learning computer makers, and installed from there), I thought it was a real threat MBAR found. But since the same file name popped up as ransomware in ALL following uninstalls, I am inclined to believe it is not actually Ransomware... The last instance was upon trying to uninstall Teamspeak.

I hope the other zip files can provide some insight at least. Sadly, with the first alarm treated as "remove" by me, I cannot uninstall the Vtech programme anymore, not even with Revo. I manually deleted the files without uninstalling, as the programme is not recognised by either Windows or Revo as still installed, but all files remained behind.

Hope this helps some at least.

logs.zip

Malwarebytes Anti-Ransomware.zip


Hello ZePet and welcome:

"...MBAR[Sic] reports ransomware..."

With only the limited data from your post, MBARW Beta5 appears to have alerted to TeamSpeak 3 Client's uninstaller application whose filename was "Au_.exe". That filename can/could be/could have been added to MBARW GUI Dashboard -> Exclusions with the complete pathname of "C:\Users\Ti'riqa\AppData\Local\Temp\~nsu.tmp\Au_.exe".

If you would like to re-install MBARW Beta5 in the future, this forum would be happy to assist you with the issue you reported and other issues.

Thank you for participating in beta testing MBARW and your valuable feedback.


Oh, I didn't uninstall it, nono.

But as the same file name popped up in EVERY uninstall I did, no matter which programme, I shut down MBAR for uninstalls. And well, that worked. I'm definitely not letting a small bump in the road dissuade me from using the proggie! I'm glad it exists.


@ZePet Wow.  I reported on an installation causing this issue, where the installer was always extracted to a random folder in %TEMP% so that it could not be added effectively to quarantine.  Since you say this occurred with all uninstallation attempts, I wonder if there is more going on here.

As for the program that you were trying to uninstall that was interrupted, in order to remove all the leftover bits (such as registry entries, shared files, programdata, etc.) you could always try to install it again (provided that you can find the setup) and then uninstall it again.  Of course, with your issue of MBARW flagging the uninstaller, it might be best if you performed all of those steps with it temporarily disabled so it would not have any issues either installing or uninstalling.

Good catch on this though.  Now I know I have a lot more testing to perform on my end.

@1PW - could this be related to the same issue I found with the installer?  If so, and if uninstallers do break because of similar behavior as I reported with randomly named container files, and particularly those that are marked as malicious but never actually make it to the quarantine, moving forward, what would be the best scenario in terms of handling possible issues other than simply disabling protection temporarily?

I know the caveat to not use on production machines has already been mentioned, but what else? 


Hello John:

What I state here is non-authoritative, and instead calls for a developer/staffer to weigh in. Yet if a pathname to an MBARW-alerted executable is volatile, it could be a greater challenge for the present user's exclusion list, but probably not insurmountable if lesser known factors were also in play.

Again, this is much better answered by the development team members than a forum helper.

