DarthVitrial

Pale Moon Web Browser detected as ransomware

Recommended Posts

Hi DarthVitrial,

Can you please zip and attach your copy of: C:\Program Files\Pale Moon\palemoon.exe?

I tried using both the 64-bit and 32-bit installers from the link you provided but was unable to reproduce the detection. You can ignore the below, as it's just for my own reference:

  • 755809cca67a1acf93ac39b657142878 - 64 bit
  • f4be4b4f18cfdcb17081a5c87c72b1a7 - 32 bit

 


I already reinstalled the 64 bit version, sorry. If it happens again I will do so.

(EDIT: see next post. I got the 32 bit downloaded but the 64 bit version is blocked off and I can't edit it or overwrite it or anything)

Edited by DarthVitrial


Scratch that, it's still on my PC, but attempting to zip it gives an Access Denied error. It says I need admin permission to edit it, even though I myself am an admin...

Edited by DarthVitrial


Might have fixed this without your copy of the file. Can you close and restart MBAM and see if the issue is resolved?

If not, try attaching this file: C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG

30 minutes ago, DarthVitrial said:

Hm, seems to be fixed for now? I've attached the log anyway in case it's useful at all.

MBAMSERVICE.LOG

Thanks. We're looking at the same exact file so you should be OK now. :) Have a good weekend

 

07/06/18	" 19:18:09.759"	43966578	0da8	1aac	INFO	AntiRansomwareControllerImpl	mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback	"ArwControllerImplHelper.cpp"	1166	"Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files\Pale Moon\palemoon.exe, Sha256Hash=b9e1a2df50c1dfdaab128993537551a55a01d8c6d5871d6ba597557f982017bb"
07/06/18	" 19:18:09.780"	43966593	0da8	1aac	WARNING	HttpConnection	mb::common::net::HttpConnection::SendRequest	"HttpConnection.cpp"	390	"Network error."
07/06/18	" 19:18:09.780"	43966593	0da8	1aac	WARNING	HttpConnection	mb::common::net::HttpConnection::LogExceptionDetails	"HttpConnection.cpp"	1472	"Exception details: text=No message received"
07/06/18	" 19:18:09.780"	43966593	0da8	1aac	INFO	CleanControllerImpl	mb::cleanctlrimpl::whitelist::HubbleWhiteLister::AreFilesWhiteListed	"HubbleWhiteLister.cpp"	404	"Response body from Hubble request: None"
07/06/18	" 19:18:09.780"	43966593	0da8	1aac	ERROR	CleanControllerImpl	mb::cleanctlrimpl::whitelist::HubbleWhiteLister::AreFilesWhiteListed	"HubbleWhiteLister.cpp"	407	"Error code -9 returned in PUT to Hubble"
07/06/18	" 19:18:09.780"	43966593	0da8	1aac	INFO	CleanControllerImpl	mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus	"WhiteListManager.cpp"	248	"White list status (not cached): File 'C:\Program Files\Pale Moon\palemoon.exe'   => Hubble:Error"
07/06/18	" 19:18:09.781"	43966593	0da8	1aac	INFO	AntiRansomwareControllerImpl	mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback	"ArwControllerImplHelper.cpp"	1191	"The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files\Pale Moon\palemoon.exe, id=0x1"
07/06/18	" 19:18:11.167"	43967984	0da8	19d8	ERROR	ArwSDK	CheckProcessForThread	"active_response.cpp"	259	"tid: 1ab0 - Inconsistent state for TID:8344 => PID:{Kept:11028 <--> OS:948}."

 

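An added example, not from the thread and not Malwarebytes code: a small Python triage script that parses MBAMSERVICE.LOG records in the tab-separated form posted above and flags files whose process was killed while the Hubble whitelist lookup itself failed, which is exactly the sequence the excerpt shows. The sample records are constructed from the excerpt; the field layout (date, time, sequence, pid, tid, level, component, function, file, line, message) is assumed from those lines.

```python
import re
from collections import defaultdict

# Constructed sample: four records in the shape of the MBAMSERVICE.LOG excerpt posted above
# (tab-separated; path and SHA-256 are the ones shown in the thread).
SAMPLE_LOG = [
    '07/06/18\t" 19:18:09.759"\t43966578\t0da8\t1aac\tINFO\tAntiRansomwareControllerImpl\tmb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback\t"ArwControllerImplHelper.cpp"\t1166\t"Received threat detection callback from ARW SDK, ObjectPath=C:\\Program Files\\Pale Moon\\palemoon.exe, Sha256Hash=b9e1a2df50c1dfdaab128993537551a55a01d8c6d5871d6ba597557f982017bb"',
    '07/06/18\t" 19:18:09.780"\t43966593\t0da8\t1aac\tERROR\tCleanControllerImpl\tmb::cleanctlrimpl::whitelist::HubbleWhiteLister::AreFilesWhiteListed\t"HubbleWhiteLister.cpp"\t407\t"Error code -9 returned in PUT to Hubble"',
    '07/06/18\t" 19:18:09.780"\t43966593\t0da8\t1aac\tINFO\tCleanControllerImpl\tmb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus\t"WhiteListManager.cpp"\t248\t"White list status (not cached): File \'C:\\Program Files\\Pale Moon\\palemoon.exe\'   => Hubble:Error"',
    '07/06/18\t" 19:18:09.781"\t43966593\t0da8\t1aac\tINFO\tAntiRansomwareControllerImpl\tmb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback\t"ArwControllerImplHelper.cpp"\t1191\t"The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\\Program Files\\Pale Moon\\palemoon.exe, id=0x1"',
]

# Message patterns taken from the three record types that matter for this triage.
DETECT_RE = re.compile(r"Received threat detection callback.*?ObjectPath=(?P<path>.+?), Sha256Hash=(?P<sha>[0-9a-f]{64})")
STATUS_RE = re.compile(r"White list status.*?File '(?P<path>[^']+)'\s*=>\s*(?P<status>\S+)")
KILL_RE = re.compile(r"kill this process\. ObjectPath=(?P<path>.+?), id=")


def parse_record(line):
    """Split one tab-separated record into (time, level, message); None if malformed."""
    f = line.rstrip("\n").split("\t", 10)
    if len(f) < 11:
        return None
    return f[1].strip('" '), f[5], f[10].strip('"')


def triage(lines):
    """Correlate, per file path, the ARW detection, the whitelist lookup result and any kill action."""
    files = defaultdict(lambda: {"sha256": None, "detected_at": None, "whitelist": None,
                                 "lookup_error": None, "killed": False})
    pending_error = None  # most recent Hubble (reputation service) error, attached to the next status line
    for time, level, msg in filter(None, map(parse_record, lines)):
        if m := DETECT_RE.search(msg):
            files[m["path"]].update(sha256=m["sha"], detected_at=time)
        elif m := STATUS_RE.search(msg):
            files[m["path"]]["whitelist"] = m["status"]
            if m["status"].endswith("Error"):
                files[m["path"]]["lookup_error"] = pending_error
        elif m := KILL_RE.search(msg):
            files[m["path"]]["killed"] = True
        elif level == "ERROR" and "Hubble" in msg:
            pending_error = msg
    return dict(files)


def offline_kill_candidates(lines):
    """Paths killed while the whitelist lookup itself failed: the file was never judged
    by reputation, so these are the first false-positive candidates to review."""
    return sorted(p for p, f in triage(lines).items()
                  if f["killed"] and (f["whitelist"] or "").endswith("Error"))
```

Run it over a real MBAMSERVICE.LOG with `triage(open(path, encoding="utf-8", errors="replace"))` to list every detection alongside whether the verdict came from the reputation service or from the offline error branch.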
