navigations

Weird Virus message in Windows Defender


I was out doing some errands and when I got back I had some new PC notifications. While looking through, I saw this weird virus message, and when I went to look it came up with this. https://gyazo.com/3099d5d838b8a485b84a7300fbf675c4     Is this trying to say that Process Hacker 2 is a virus, or is it some other external program?


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

We need more information.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32- or 64-bit version for your system and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section at the bottom of the topic, click Choose a File.
Navigate to the location of the file.
Click the file. It will appear in the section.
Click the Save button.

Please post the logs for my review.

Wait for further instructions
====


Whoops, I'm very sorry, I meant to close this, I believe. Windows Defender removed it almost immediately after I posted this, and after rescanning with Malwarebytes my PC seemed to be fine. Sorry for the inconvenience, nasdaq.


Hi,

If you like, post the logs from running the Farbar program.

I will review them and advise if anything is suspicious.


I think we might well have another false positive issue here. I have Microsoft Security Essentials (MSE) as a temporary AV on another PC and that too suddenly started reporting (the same weekend) that the Process Hacker 2 .exe was a "high" threat after its most recent definitions update.

Unfortunately for me I'd not changed MSE's default settings, and in the case of a "high" threat it deals with what it sees as the offending file automatically. I expect that is what has happened here for the OP with Defender, which is probably using the same MS definitions.

I only realised it had been removed when I tried to launch Process Hacker 2 a few days later from my desktop shortcut and it reported the path as invalid. I went to the Process Hacker 2 folder and found its .exe was gone. I then realised what had happened.

Laughably, Process Hacker 2 contains both a 64-bit .exe and a 32-bit .exe, and the latter was still there and usable, and in the short time I was using it MSE took not the slightest notice.

Obviously I scanned the Process Hacker 2 folder with MB and other security software and nothing was reported. But I still deleted the installation and reinstalled it from a fresh download (MD5/SHA1 checked); all working OK, but MSE was still reporting its primary .exe as a problem after a scan.

On another PC which has had Process Hacker 2 for years, neither the main PC's AV, MB nor anti-spyware tools have ever reported any problem, and that holds true. So I then uninstalled it again on the other PC and, using exactly the same installer from my archived collection, installed from that. MSE still reports it as a "high" threat afterwards too, but still let me install it. MB reports no problem in all cases on both PCs.

navigations' 'problem' was 'resolved' only because Defender quarantined the file automatically. It is probably still there in the quarantine folder, and I bet the rest of the Process Hacker 2 folder is still there too, complete with the 32-bit .exe.

If his 'problem' was/is not a false positive I'd be very surprised. But it is not really much to do with Malwarebytes; it is MS's AV definitions that are likely the problem. However, I suppose MB can usefully confirm that the Process Hacker 2 64-bit .exe is no threat.

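Added example, not part of any post in this thread and not the Process Hacker project's code: the re-download check the post above describes (hash the fresh installer and compare it with the published value), done in PowerShell. The installer path and the expected hash below are placeholder assumptions; take the real value from the publisher's download page. It uses SHA-256 rather than the MD5/SHA-1 used above, and adds an Authenticode signature check, because a hash copied from the same web page as the download only proves the transfer was not corrupted, not who produced the file.

```powershell
# Added example (not from the thread, not from the Process Hacker project).
# Assumptions: the installer path and expected SHA-256 are placeholders.
$Installer    = 'C:\Users\me\Downloads\processhacker-setup.exe'   # assumed path
$ExpectedHash = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder: copy from the publisher

function Test-Download {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. Integrity: does the file on disk match the hash the publisher lists?
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $actual -ieq $ExpectedSha256

    # 2. Authenticity: is the binary Authenticode-signed and does the chain validate?
    #    Status is Valid, NotSigned, HashMismatch, UnknownError, ...; NotSigned is not
    #    proof of tampering, it just means this check tells you nothing.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Trusted         = $hashOk -and ($sig.Status -eq 'Valid')
    }
}

$result = Test-Download -Path $Installer -ExpectedSha256 $ExpectedHash
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning 'Do not run this installer until the hash and the signature both check out.'
}
```

Get-FileHash also takes -Algorithm MD5 or SHA1 if the publisher lists only those; a match on them still tells you the download arrived intact, but MD5 and SHA-1 are collision-prone, so prefer SHA-256 where it is offered.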

Hi,

I need you to run the Farbar program and post the FRST.txt and the Addition.txt logs for my review.

We will do this for the first computer. If you still have a problem with the second computer you must start a new topic, as we do not give advice on two computers in the same topic.


So Coldly, from what I'm understanding from what you're saying, Windows Defender was just making a silly mistake and there should be no worries about it?

As to nasdaq, I tried installing FarBar, and I got the classic "Don't run unless you trust this" screen. Is there any website that FarBar has that I could get a direct download from?


Yes, I am saying that the reason we've both had this on two different MS security platforms is that definitions have probably both been updated because somebody, somewhere has either made a mistake, added it after someone reported it as a problem without checking, or some process PH2 uses has been wrongly detected as a "threat".

There is a warning with the PH2 installer that one of the options is not recommended, and it has been known that it can be used as a potential conduit for malware. Whether it has or not, that would be enough for it to be designated as a threat. This is a quote from an article dated 2017:-

"The crooks download and install low-level system tweaking software, such as the popular Process Hacker tool.

Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery, especially if they use kernel drivers to let you to pull off modifications that the operating system usually prevents. This includes: killing off processes that usually disallow shutdown, deleting locked files, and changing configuration settings that are usually locked down."

https://nakedsecurity.sophos.com/2017/11/15/ransomware-spreading-hackers-sneak-in-through-rdp/

However this blog from 2018 was posted by, wait for it, ......................................MalwarebytesLAB a year ago promoting the very same tool:-

https://blog.malwarebytes.com/101/how-tos/2018/11/advanced-tools-process-hacker/

So there is a bit of a problem here: the potential threat PH2 may present has been known about for years, but MS have been happily not seeing it as a threat until this weekend's Defender and MSE updates. Malwarebytes doesn't see it as a problem, AVAST does not see it as a problem and Spybot doesn't see it as a problem. That does not mean that on your or my PC it has not been used to install malware, just that it is highly unlikely, and the 'new' threat is actually an old threat now redefined as a problem by the MS definitions update and nowhere else.

However, whilst the problem is most likely the MS definitions update (it's too much of a coincidence for that not to be the most likely explanation), you should do what nasdaq previously asked and submit the FarBar logs for review. If anything is found amiss then I'll follow.

BTW Check Defender's quarantined items and I suspect you'll find it there as HackTool:Win64ProcHack and the files detected beneath.

Also check C:\Programs for the Process Hacker 2 folder. That screenshot in the earlier post indicates that only very specific PH2 files are being seen as a threat by Defender. My MSE log reports exactly the same files too including the program's own uninstaller.

I'd bet that most of PH2's folder content is still there including the x86 folder containing the 32bit .exe which MSE has no problems with. There are probably left overs in ProgramData and your User AppData too, folders Windows hides by default.

If it truly wanted to get rid of PH2, MSE, and I'd suspect Defender too, has done a lousy job.

Should you want to get rid of PH2 completely at any point do not use the Remove option. I suggest instead restoring the quarantine items and then using Revo Uninstaller or BCUninstaller. Either will do a far better and thorough job than just running the uninstaller. If you delete the main .exe and the uninstaller as MSE seems to want to do you'll have a much harder task finding and removing all PH2 files, particularly the registry keys.   

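Added example, not from any post in this thread: a PowerShell audit of the checks the post above lists (Defender's detection history and quarantine, what is left of the Process Hacker 2 folders, and the registry). It assumes a default install under Program Files and per-user settings under the user's AppData; those folder names and the uninstall-key lookup are assumptions, not values from the thread. Run it from an elevated prompt; it changes nothing. The last step is there because Process Hacker's "replace Task Manager" option works through an Image File Execution Options Debugger value on taskmgr.exe, and that value keeps pointing at ProcessHacker.exe after Defender has removed the file.

```powershell
# Added example (not from the thread). Audit what Defender did to Process Hacker 2 and
# what is left behind. Elevated PowerShell on Windows 10/11 with Defender; read-only.
# Assumptions: default install folder, per-user settings under %APPDATA%.
$ProductName = 'Process Hacker'
$InstallDir  = Join-Path $env:ProgramFiles 'Process Hacker 2'

# 1. Detection history. Get-MpThreat carries the name and severity, Get-MpThreatDetection
#    the files and whether the action (quarantine/remove) succeeded; join them on ThreatID.
$threatsById = @{}
Get-MpThreat | ForEach-Object { $threatsById[$_.ThreatID] = $_ }
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ';') -like "*$ProductName*" } |
    ForEach-Object {
        $t = $threatsById[$_.ThreatID]
        [pscustomobject]@{
            ThreatName = $t.ThreatName
            Severity   = $t.SeverityID        # 5 = severe, 4 = high, 2 = moderate, 1 = low
            Detected   = $_.InitialDetectionTime
            Succeeded  = $_.ActionSuccess
            Files      = ($_.Resources -join "`n")
        }
    } | Format-List

# 2. Quarantine contents. -ListAll only lists; it restores nothing.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Restore -ListAll

# 3. Files still on disk. A detection naming only the 64-bit exe leaves the x86 build,
#    the driver and the settings behind.
$leftovers = @(
    $InstallDir,
    (Join-Path $InstallDir 'x86'),
    (Join-Path $env:ProgramData 'Process Hacker 2'),   # assumed location
    (Join-Path $env:APPDATA 'Process Hacker 2')        # assumed location
)
foreach ($dir in $leftovers) {
    if (Test-Path -LiteralPath $dir) {
        "Still present: $dir"
        Get-ChildItem -LiteralPath $dir -Force -File | Select-Object Name, Length, LastWriteTime
    }
}

# 4. Registry: the uninstall entry, and the Task Manager hook. "Replace Task Manager" is an
#    Image File Execution Options Debugger value on taskmgr.exe; if Defender removed
#    ProcessHacker.exe, Ctrl+Shift+Esc now launches nothing until that value is cleared.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem -Path $uninstall -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -like "$ProductName*" } |
    Select-Object DisplayName, InstallLocation, UninstallString

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'
$debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($debugger) {
    $exe = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split ' ')[0] }
    "Task Manager is redirected to: $debugger"
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning 'That file is gone; Task Manager will not open until the Debugger value is removed.'
    }
}
```

The Defender cmdlets (Get-MpThreat, Get-MpThreatDetection) do not exist on Microsoft Security Essentials; on an MSE machine only the MpCmdRun.exe and file-system parts of this apply.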
Welp, thanks for the help Coldly, I'm sure it was just a mistake. As I stated earlier about FarBar though, it's blocked by the blue screen warning, and to be honest I would rather just find their website and get it directly from there, if possible. As to the uninstall thing, I just went into Apps and Features (built directly into Windows) to uninstall it; I did that a few hours ago.


The uninstall you did probably left stuff behind and did you check Defender's Quarantine folder because it might still contain those quarantined items? It will delete them after a certain period of time, 30 days I think, but if you've decided to get rid of PH2 then it would be a good idea to use the Remove option if anything PH2 related is there.

I do not know whether Defender is the same but MSE makes adding exclusions, once detected, as difficult as possible. Once there they also seem to persist in Quarantine even if you use the Allow option. The Allow option is only available under the All Detected items list and apparently has not removed one of the PH2 instances, the second scan I did, from Quarantine.

Pretty sure I'm going to have to restore the PH2 files and uninstall the program, remove anything left in Quarantine, re-install then add the PH2 folder to MSE's exclusions list. If I don't it may well disable PH2 again at the end of the quarantine period.

PH2 is often recommended and has a built-in option to be used as a MS Task Manager replacement. I dread to think what problems might have been caused if that has been the case for anyone else using Defender or MSE. It is probably a very small subset and one I'm glad I'm not in.

What I'm going to try to do now is get some sense and explanation out of MS on this. I'm signed up to their forums although, unlike here, it is a lottery if you get an actual response from a genuine MS representative who knows what they're talking about let alone able to do something about it.   

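Added example, not from any post in this thread: the sequence the post above describes (restore the quarantined files, then exclude them so the next definitions update does not remove them again), done for Windows Defender in an elevated PowerShell. MSE has no PowerShell module, so only the MpCmdRun.exe steps carry over to it. The install folder and file names are assumptions about a default install, not values from the thread. It excludes the specific binaries rather than the whole folder, because a folder exclusion means anything later dropped into that folder is never scanned.

```powershell
# Added example (not from the thread). Restore Process Hacker 2 from Defender's quarantine
# and stop Defender removing it again. Elevated PowerShell on Windows 10/11 with Defender.
# Assumptions: default install folder and file names below.
$InstallDir = Join-Path $env:ProgramFiles 'Process Hacker 2'
$mpcmd      = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# 1. List quarantine, then restore items by the path they were taken from.
#    Never use "-Restore -All": it puts back everything in quarantine, real malware included.
& $mpcmd -Restore -ListAll
$restore = @(
    (Join-Path $InstallDir 'ProcessHacker.exe')
    # add any other paths that -ListAll shows under this folder
)
foreach ($f in $restore) {
    & $mpcmd -Restore -FilePath $f
    if (-not (Test-Path -LiteralPath $f)) { Write-Warning "Not restored: $f" }
}

# 2. Exclude the binaries themselves (narrow) rather than the whole folder (broad).
$binaries = @(
    (Join-Path $InstallDir 'ProcessHacker.exe'),
    (Join-Path $InstallDir 'x86\ProcessHacker.exe'),   # the 32-bit build the thread mentions
    (Join-Path $InstallDir 'kprocesshacker.sys')       # PH2's kernel driver
) | Where-Object { Test-Path -LiteralPath $_ }
Add-MpPreference -ExclusionPath $binaries
# Broader alternative, with the caveat above: Add-MpPreference -ExclusionPath $InstallDir

# 3. Verify the exclusion list, rescan the folder, and check that nothing new was detected
#    (older history entries remain listed, so filter on the detection time).
(Get-MpPreference).ExclusionPath
$before = Get-Date
Start-MpScan -ScanType CustomScan -ScanPath $InstallDir
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt $before -and (($_.Resources -join ';') -like "*$InstallDir*") } |
    Select-Object InitialDetectionTime, ActionSuccess, Resources

# Undo later with: Remove-MpPreference -ExclusionPath $binaries
```

An exclusion is a standing decision that Defender will not look at those files again, including after a future update of the program replaces them, so keep the list short and revisit it when PH2 is upgraded or removed.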

As a follow up I've posted about this in the appropriate MS Community forum and Process Hacker 2's forum. In the latter this MSE/Defender definitions issue (as that is what it appears to be) is also being reported.

Although it is not really a Malwarebytes matter, as it, like all other security tools, reports there being no problem, it would be helpful if this thread is kept open so that if there is some resolution/explanation from MS about this it can be posted. Other users coming here may find it useful information and not have to bother Malwarebytes any further with it.


Hi,

Thank you for the information.

The Moderator will possibly close the topic in a week.

The topic will not be removed.


No new news to report except that Microsoft are refusing to budge on their sudden decision to treat PH2 as high threat malware.

This link to a Process Hacker forum admin post links to relevant threads which may help others coming here in regard to this matter:-

https://wj32.org/processhacker/forums/viewtopic.php?f=1&p=11304#p11304

and the other thread there:-

https://wj32.org/processhacker/forums/viewtopic.php?f=40&t=3729&p=11282#p11282

In short MS, and only MS, now regard PH2 as a malware tool and their anti-virus/anti-malware programs will, depending on your settings, either quarantine or remove the main ProcessHacker.exe along with some other associated files.

Malwarebytes and no other security software as of this date are jumping on the MS bandwagon.

Probably a good idea to close this thread now. If there are any other developments, particularly if relevant to Malwarebytes, a new thread can always be started.

