MBAM 1.39 and KIS2010


Hi all

After updating MBAM to 1.39 and rebooting, my KIS 2010 found that a "Run Once Wrapper", which was assigned to the "green/no-problem area", and a file called "IS-KEM2G.EXE", assigned to the low-restriction area, were launched during boot. I tried to find something about this file on Google, but without success.

Is there anyone who can explain what sort of file this is?

Thanks in advance for any suggestion.

Rocky


Thanks for your quick reply

but I can't find that file anymore; it seems that it was a sort of "run once" file after the update. That's why I thought it was something related to the MBAM update to version 1.39.

I checked the applications launched at boot and at first sight there is nothing worrying; one thing is sure: the file doesn't exist anymore.

Thanks again for your support

Rocky


  • Staff
mbamgui /install /silent

Should be the RunOnce entry after installing a new MBAM version. As far as the other file goes, since it was identified as a "wrapper" it's possible that this was just the new version of MBAM's installer executing from a temp location, but I could be wrong.


I've had trouble finding information about these files, but as far as I know, they are used by a certain type of setup program. I've seen them when installing other legitimate programs as well. The file name tends to be is-[random string].exe, which makes it hard to find info about it. It also has an associated .lst file and a .msg file. I uploaded all of these to VirusTotal and got no detections from them. The file is-[random string].exe is added to the system startup programs list, then deleted after it has run once.

The purpose of this file is apparently to register some other files, and these files are specified in the .lst file. According to the .lst file added during setup of the latest version of MBAM, it registers the following files in this case, all in the MBAM program folder:

mbamext.dll

ssubtmr6.dll

vbalsgrid6.ocx

If you want to look it up, a common string associated with these files is InnoRegSetupFile. BleepingComputer thinks they're safe:

http://www.bleepingcomputer.com/startups/i....exe-16618.html

It appears that MBAM has begun to use this type of setup file as of the latest version, 1.39.


  • Staff

@xx521xx: I believe you've hit the nail on the head :( . MBAM's installer does indeed (and always has as far as I know) use an InnoSetup installer package. It's also possible (and again likely) that since a new update for the VB6 runtimes has been released by Microsoft to patch a security vulnerability that the new version of MBAM needs to unregister the old versions and register the new, more secure ones that are bundled with its installer (those are the files you referenced as being registered).

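To check entries like the ones discussed in this thread before they run and disappear, the following PowerShell audit lists every RunOnce value and, for helpers matching the is-[random string].exe pattern, reports the signature status, hash and .lst contents. It is an added example, not part of the original posts or of MBAM; the function name `Get-CommandExecutable` is hypothetical, and it assumes the .lst file sits beside the helper with the same base name.

```powershell
# Added example (not from the thread): audit RunOnce entries for is-<random>.exe helpers.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandExecutable {
    # Extract the program path from a RunOnce command line, quoted or not.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"?([^"]+?\.exe)') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')           { return $Matches[1] }
    return $null
}

$report = foreach ($key in $runOnceKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($valueName)
        $exe     = Get-CommandExecutable $command
        $leaf    = if ($exe) { Split-Path -Leaf $exe } else { '' }
        # File-name pattern described in the thread: is-[random string].exe
        $isHelper = $leaf -match '^is-[A-Za-z0-9]+\.exe$'
        $entry = [ordered]@{
            Key = $key; ValueName = $valueName; Command = $command
            SetupHelper = $isHelper; Signature = $null; SHA256 = $null; ListFile = $null
        }
        if ($isHelper -and (Test-Path -LiteralPath $exe)) {
            # A valid publisher signature and a known hash are stronger evidence than the name.
            $entry.Signature = (Get-AuthenticodeSignature -LiteralPath $exe).Status
            $entry.SHA256    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            # Assumption: the .lst sits beside the helper with the same base name.
            $lst = [IO.Path]::ChangeExtension($exe, '.lst')
            if (Test-Path -LiteralPath $lst) {
                # Shown raw: these are the files the helper will register.
                $entry.ListFile = (Get-Content -LiteralPath $lst) -join '; '
            }
        }
        [pscustomobject]$entry
    }
}
$report | Format-List
```

Run it after the installer finishes and before rebooting, since the entry and the helper are removed once they have run. A file name matching the pattern is not proof of legitimacy on its own; compare the listed files against what the installed product is expected to register.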
