Jump to content

NoDouble a ransomware ? True or False Positive ?


Abilou
 Share

Recommended Posts

Hello everyone, :)

Yesterday, I launched my NoDouble software to find doubles in my PC. After the scan, Malwarebytes has detected it as a ransomware and put it in quanrantine.:blink:

I actually have to say that that edition of NoDouble is a Premium one (I've paid for it, I've got the licence), same thing for Malwarebytes. :wub:

I am a bit worry. Is it true NoDouble is a ransomware or is it a False Positive ? :blink::wacko:

I have looked for answers on the web, but nobody ever talked about NoDouble as a ransomware. :blush:

Have you experienced the same problem than I ? Do you know if NoDouble is really what Malwarebytes tells it is ? :huh:

Thank you for your answers. ;)

Link to post
Share on other sites

Hello thisisu ! :)

 

Ummm I am sorry but I am not sure to understand what you ask me to do... :blush:

Do you want me to attach my software NoDouble and the file MBAMservices.LOG in my next post ??

:blink::blink::blink::blink:

I've got a big problem... I looked for it everywhere in my PC a few minutes ago, I am completely unable to find nodouble.exe ! I don't know where it is ! It scares me a little.

:wacko::wacko::wacko::wacko:

In D:\ Program Files (x86), I cannot find the file NoDouble.exe at all ! I find the file NODouble Aide.chm, NoDouble Help.chm, NoDouble.ENG but no trace of the NoDouble.exe

Here is the other file you've asked me to attach ; MBAMservices.LOG

 

MBAMSERVICE.LOG

Edited by Abilou
Link to post
Share on other sites

  • Staff

Hi,

No worries. It was a false positive. I've whitelisted the file so it shouldn't be detected anymore. The file appears to be in quarantine. To restore it, open Malwarebytes, go to "Quarantine", and find the entry with Location: D:\Program Files (x86)\NODouble.exe. Place a check mark in that entry by left mouse clicking in the empty box, and press "Restore". The file should be restored to its original location.

78FC8B1F988DB71C107221F021E19897

Edited by thisisu
Link to post
Share on other sites

Hello thisisu ;)

Actually I do not find the file even in Malwarebytes quarantine.

 

The last event there is from June 7th, 2017. Malwarebytes detected NoDouble as a ransomware a few days ago, on August 6th, 2017.

Malwarebytes mention that file has been blocked and quarantined in Reports, but I never could find that mention in Quarantine.

:(:(:(:(

 

Edited by Abilou
Link to post
Share on other sites

  • Staff

H Abilou,

It might be fastest to reinstall the program as I can only go by what the log tells us, which is that the file was quarantined.

8/06/17    " 03:55:44.584"    56484717    0718    0f18    INFO    CleanControllerImpl    DOREngine::PreCleanIsRebootRequired    "DOREngine.cpp"    118    "Must reboot, special file D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:44.584"    56484717    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::QuarantineFile    "QuarantineEngine.cpp"    373    "Quarantining D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:44.589"    56484717    0718    0f18    INFO    CleanControllerImpl    Cleaner::RemediateAndWriteMetadata    "Cleaner.cpp"    307    "Starting cleaning of File D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:44.590"    56484717    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::RemoveFile    "RemovalEngine.cpp"    1148    "Cleaning file D:\Program Files (x86)\NODouble.exe, anti-rootkit = false"
08/06/17    " 03:55:44.681"    56484810    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::DeleteFileAPI    "RemovalEngine.cpp"    1311    "Deleting file 'D:\Program Files (x86)\NODouble.exe', resolved path = 'D:\Program Files (x86)\NODouble.exe'"
08/06/17    " 03:55:50.175"    56490302    0718    0f18    ERROR    CleanControllerImpl    RemovalEngine::DeleteFileAPI    "RemovalEngine.cpp"    1397    "Verification of deleting file D:\Program Files (x86)\NODouble.exe failed!"
08/06/17    " 03:55:50.175"    56490302    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::LogCleanResult    "RemovalEngine.cpp"    1499    "Scheduling DOR cleaning for file D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:50.176"    56490302    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::CopyMetadataToQuarantine    "QuarantineEngine.cpp"    134    "Copying quarantine metadata for D:\Program Files (x86)\NODouble.exe"
08/06/17    " 03:55:50.177"    56490302    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::LogQuarantineResult    "QuarantineEngine.cpp"    637    "Completed quarantining and DOR queueing File 'D:\Program Files (x86)\NODouble.exe'"
08/06/17    " 03:55:50.177"    56490302    0718    0f18    INFO    CleanControllerImpl    Cleaner::RemediateAndWriteMetadata    "Cleaner.cpp"    307    "Starting cleaning of RegValue HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
08/06/17    " 03:55:50.177"    56490302    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::RemoveRegValue    "RemovalEngine.cpp"    136    "Cleaning reg value HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
08/06/17    " 03:55:50.178"    56490317    0718    0f18    INFO    CleanControllerImpl    RemovalEngine::LogCleanResult    "RemovalEngine.cpp"    1484    "Succeeded cleaning reg value HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
08/06/17    " 03:55:50.178"    56490317    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::CopyMetadataToQuarantine    "QuarantineEngine.cpp"    134    "Copying quarantine metadata for HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
08/06/17    " 03:55:50.179"    56490317    0718    0f18    INFO    CleanControllerImpl    QuarantineEngine::LogQuarantineResult    "QuarantineEngine.cpp"    617    "Succeeded quarantining RegValue 'HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE'"

Feel free to try the following search as well:

Download and run SystemLook

In the white box / text-field, type in the following two lines:

:filefind
NoDouble.exe

Then press the "Look" button at the bottom. Wait while it searches your system. Attach or paste the contents of  SystemLook.txt when finished.

Link to post
Share on other sites

Thank you very much, thisisu ;)

I've decided to re-download NoDouble.

I am lauching a new NoDouble scan right now, but I've unchecked "Automatically quarantine detected items" before doing it. I hope it will works that way. 
I'll check that parameter again after having delete the doubles.

Thank you again, thisisu, for your help :)

Link to post
Share on other sites

It does NOT worked !

Malwarebytes absolutely DOES NOT WANT to stop to block my NoDouble software while I am trying to delete the doubles on my PC !

That begins to make me really angry ! I've got many many doubles ! It takes a long time to do that scan to look for the doubles on my PC !

The thing I will do now, once for all, is to DELETE Malwarebytes, to run my NoDouble software, to delete the doubles and then, ONLY AFTER, to (maybe) reinstall Malwarebytes !

So thank to Malwarebytes to all those complications !

Malwarebytes is supposed to act against malwares, not to act like a malware.

:angry::angry::angry::angry::angry::angry::angry::angry::angry::angry::angry::angry::angry:

Edited by Abilou
Link to post
Share on other sites

  • Staff

I'm sorry for the inconvenience. I whitelisted the file that was quarantined according to the log. I'm not sure why it's continuing to detect as ransomware. If you want, you can try adding a file exclusion as well.

The steps for adding an exclusion in Malwarebytes are:

Settings ==> Exclusions ==> Add Exclusion ==> Exclude a File or Folder ==> Select Files... ==> Navigate to D:\Program Files (x86)\NODouble.exe ==> Select it and press OK.

Again, sorry for your troubles. 

Best regards

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.