
NoDouble a ransomware ? True or False Positive ?


Abilou


Hello everyone, :)

Yesterday, I launched my NoDouble software to find doubles in my PC. After the scan, Malwarebytes has detected it as a ransomware and put it in quarantine. :blink:

I actually have to say that that edition of NoDouble is a Premium one (I've paid for it, I've got the licence), same thing for Malwarebytes. :wub:

I am a bit worried. Is it true NoDouble is a ransomware or is it a False Positive ? :blink::wacko:

I have looked for answers on the web, but nobody ever talked about NoDouble as a ransomware. :blush:

Have you experienced the same problem as I ? Do you know if NoDouble is really what Malwarebytes tells it is ? :huh:

Thank you for your answers. ;)


Hello thisisu ! :)

 

Ummm I am sorry but I am not sure I understand what you are asking me to do... :blush:

Do you want me to attach my software NoDouble and the file MBAMservices.LOG in my next post ??

:blink::blink::blink::blink:

I've got a big problem... I looked for it everywhere in my PC a few minutes ago, I am completely unable to find nodouble.exe ! I don't know where it is ! It scares me a little.

:wacko::wacko::wacko::wacko:

In D:\ Program Files (x86), I cannot find the file NoDouble.exe at all ! I find the file NODouble Aide.chm, NoDouble Help.chm, NoDouble.ENG but no trace of the NoDouble.exe

Here is the other file you've asked me to attach ; MBAMservices.LOG

 

MBAMSERVICE.LOG


Hi,

No worries. It was a false positive. I've whitelisted the file so it shouldn't be detected anymore. The file appears to be in quarantine. To restore it, open Malwarebytes, go to "Quarantine", and find the entry with Location: D:\Program Files (x86)\NODouble.exe. Place a check mark in that entry by left mouse clicking in the empty box, and press "Restore". The file should be restored to its original location.

78FC8B1F988DB71C107221F021E19897


Hello thisisu ;)

Actually I do not find the file even in Malwarebytes quarantine.

 

The last event there is from June 7th, 2017. Malwarebytes detected NoDouble as a ransomware a few days ago, on August 6th, 2017.

Malwarebytes mentions that the file has been blocked and quarantined in Reports, but I never could find that mention in Quarantine.

:(:(:(:(

 


Hi Abilou,

It might be fastest to reinstall the program as I can only go by what the log tells us, which is that the file was quarantined.

8/06/17    " 03:55:44.584"    56484717    0718    0f18    INFO    CleanControllerImpl    DOREngine::PreCleanIsRebootRequired    "DOREngine.cpp"    118    "Must reboot, special file D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:44.584"    56484717    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::QuarantineFile    "QuarantineEngine.cpp"    373    "Quarantining D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:44.589"    56484717    0718    0f18    INFO    CleanControllerImpl    Cleaner::RemediateAndWriteMetadata    "Cleaner.cpp"    307    "Starting cleaning of File D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:44.590"    56484717    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::RemoveFile    "RemovalEngine.cpp"    1148    "Cleaning file D:\Program Files (x86)\NODouble.exe, anti-rootkit = false"
08/06/17    " 03:55:44.681"    56484810    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::DeleteFileAPI    "RemovalEngine.cpp"    1311    "Deleting file 'D:\Program Files (x86)\NODouble.exe', resolved path = 'D:\Program Files (x86)\NODouble.exe'"
08/06/17    " 03:55:50.175"    56490302    0718    0f18    ERROR    CleanControllerImpl    RemovalEngine::DeleteFileAPI    "RemovalEngine.cpp"    1397    "Verification of deleting file D:\Program Files (x86)\NODouble.exe failed!"
08/06/17    " 03:55:50.175"    56490302    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::LogCleanResult    "RemovalEngine.cpp"    1499    "Scheduling DOR cleaning for file D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:50.176"    56490302    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::CopyMetadataToQuarantine    "QuarantineEngine.cpp"    134    "Copying quarantine metadata for D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:50.177"    56490302    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::LogQuarantineResult    "QuarantineEngine.cpp"    637    "Completed quarantining and DOR queueing File 'D:\Program Files (x86)\NODouble.exe'"
08/06/17    " 03:55:50.177"    56490302    0718    0f18    INFO    CleanControllerImpl    Cleaner::RemediateAndWriteMetadata    "Cleaner.cpp"    307    "Starting cleaning of RegValue HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
08/06/17    " 03:55:50.177"    56490302    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::RemoveRegValue    "RemovalEngine.cpp"    136    "Cleaning reg value HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
08/06/17    " 03:55:50.178"    56490317    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::LogCleanResult    "RemovalEngine.cpp"    1484    "Succeeded cleaning reg value HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
08/06/17    " 03:55:50.178"    56490317    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::CopyMetadataToQuarantine    "QuarantineEngine.cpp"    134    "Copying quarantine metadata for HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
08/06/17    " 03:55:50.179"    56490317    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::LogQuarantineResult    "QuarantineEngine.cpp"    617    "Succeeded quarantining RegValue 'HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE'"

Feel free to try the following search as well:

Download and run SystemLook

In the white box / text-field, type in the following two lines:

:filefind
NoDouble.exe

Then press the "Look" button at the bottom. Wait while it searches your system. Attach or paste the contents of  SystemLook.txt when finished.
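
Added example, not part of the original posts and not Malwarebytes code: a small Python triage script that reads log lines in the format quoted above and summarises, per object, what the log records (quarantine requested, delete not verified, cleanup queued for reboot, registry value cleaned). The flag names and the reading of DOR as delete-on-reboot are assumptions; the sample lines are copied from the excerpt above.

```python
import re

# Constructed sample: five lines copied from the log excerpt quoted in the thread.
SAMPLE = r'''
08/06/17    " 03:55:44.584"    56484717    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::QuarantineFile    "QuarantineEngine.cpp"    373    "Quarantining D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:44.681"    56484810    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::DeleteFileAPI    "RemovalEngine.cpp"    1311    "Deleting file 'D:\Program Files (x86)\NODouble.exe', resolved path = 'D:\Program Files (x86)\NODouble.exe'"
08/06/17    " 03:55:50.175"    56490302    0718    0f18    ERROR    CleanControllerImpl    RemovalEngine::DeleteFileAPI    "RemovalEngine.cpp"    1397    "Verification of deleting file D:\Program Files (x86)\NODouble.exe failed!"
08/06/17    " 03:55:50.175"    56490302    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::LogCleanResult    "RemovalEngine.cpp"    1499    "Scheduling DOR cleaning for file D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:50.178"    56490317    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::LogCleanResult    "RemovalEngine.cpp"    1484    "Succeeded cleaning reg value HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
'''

# Only date, time, level, function and message are interpreted; the meaning of
# the other columns is not stated on the page, so they are skipped.
LINE = re.compile(
    r'^(?P<date>\S+)\s+"\s*(?P<time>[\d:.]+)"\s+\S+\s+\S+\s+\S+\s+'
    r'(?P<level>[A-Z]+)\s+\S+\s+(?P<func>\S+)\s+"[^"]*"\s+\d+\s+"(?P<msg>.*)"\s*$')

def parse(log_text):
    """Yield (timestamp, level, function, message) for each well-formed line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield f"{m['date']} {m['time']}", m['level'], m['func'], m['msg']

def remediation_state(log_text, target):
    """Summarise what the log says happened to `target` (case-insensitive)."""
    flags = {"file": set(), "registry": set()}
    for _, level, func, msg in parse(log_text):
        if target.lower() not in msg.lower():
            continue
        # Registry objects are logged with a hive prefix such as HKLM
        kind = "registry" if re.search(r'\bHK[A-Z_]+\\', msg) else "file"
        if func.endswith("::QuarantineFile"):
            flags[kind].add("quarantine_requested")
        if level == "ERROR" and "Verification of deleting" in msg:
            flags[kind].add("delete_unverified")
        # Assumption: DOR is read as delete-on-reboot
        if "Scheduling DOR" in msg or "Must reboot" in msg:
            flags[kind].add("pending_reboot")
        if msg.startswith("Succeeded cleaning"):
            flags[kind].add("cleaned")
    return {kind: sorted(v) for kind, v in flags.items()}

if __name__ == "__main__":
    for kind, events in remediation_state(SAMPLE, "NoDouble.exe").items():
        print(kind, events)
```

A `delete_unverified` flag together with `pending_reboot` means the log alone cannot confirm where the file ended up until the machine has restarted.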


Thank you very much, thisisu ;)

I've decided to re-download NoDouble.

I am launching a new NoDouble scan right now, but I've unchecked "Automatically quarantine detected items" before doing it. I hope it will work that way.
I'll check that parameter again after having deleted the doubles.

Thank you again, thisisu, for your help :)


It did NOT work !

Malwarebytes absolutely DOES NOT WANT to stop blocking my NoDouble software while I am trying to delete the doubles on my PC !

That begins to make me really angry ! I've got many many doubles ! It takes a long time to do that scan to look for the doubles on my PC !

The thing I will do now, once and for all, is to DELETE Malwarebytes, to run my NoDouble software, to delete the doubles and then, ONLY AFTER, to (maybe) reinstall Malwarebytes !

So thanks to Malwarebytes for all those complications !

Malwarebytes is supposed to act against malware, not to act like malware.

:angry::angry::angry::angry::angry::angry::angry::angry::angry::angry::angry::angry::angry:


I'm sorry for the inconvenience. I whitelisted the file that was quarantined according to the log. I'm not sure why it's continuing to detect as ransomware. If you want, you can try adding a file exclusion as well.

The steps for adding an exclusion in Malwarebytes are:

Settings ==> Exclusions ==> Add Exclusion ==> Exclude a File or Folder ==> Select Files... ==> Navigate to D:\Program Files (x86)\NODouble.exe ==> Select it and press OK.

Again, sorry for your troubles. 

Best regards

