Jump to content

Malwarebytes just can’t let go, drops dubious EXEs all over my machine


Recommended Posts

After I announced my divorce from Malwarebytes, Malwarebytes made the divorce official by offering, and promptly submitting refunds for my two Malwarebytes licenses. To finish-up on my side, I used the downloadable support tool that alleges to remove all traces.

Even after uninstalling Malwarebytes, and after using the support tool, there still were many Malwarebytes entries in my registry.

 What’s worse, the tool automatically, and without asking, downloaded FRSTEnglish.exe  and left it in more than 20 locations of my computer, even after Malwarebytes was removed, and after the support tool was closed. 

 

 frst.png.715d80b4165128436255e500f2380f2a.png

 

FRSTenglish.exe has earned a very dubious reputation on the Internet.  JoesSandBox says FRSTEnglish.exe "has functionality to log and monitor keystrokes," and that it can exfiltrate encrypted data via HTTPS. A reputable developer of security solutions should stay away from such dubious apps, and definitely should not leave them all over a customer’s computer after the app has been uninstalled.

Or was it that even after the divorce, Malwarebytes just can’t let go?

 

Link to post
Share on other sites

In addition to the above, the helpful  uninstaller  left bunches of mwb3b3a.tmp directories on my machine, each containing

Malwarebytes EULA.rtf
mbcheck.dll
mbchkrpt.dll
mbclean.dll
mbcut.dll
mbfix_clr.dll
mbgrab.dll
mbrpt.dll
mbst-fix-results.txt
mb-support.exe
mb-support.exe.Config
mb-support-log.txt
MWB.DefaultStyle.dll

.... and more

 

 

Link to post
Share on other sites

It would be nice if you actually KNEW how to interpret the results set forth in front of you.  It is a shame that you can't but subsequently provide information in a fashion to support some form of vengeful agenda without fully understanding the information that you have provided.  You act just like a Tech Support scammer that uses Social Engineering to con some victim into thinking there is something wrong with their PC and gets them to allow the Tech Support scammer to remote-in the victim's PC.  Once there they perform a series of actions that are used to persuade the victim that they are infected or that their computer is fouled up and requires the victim to pay for some service and for a service contract.  The victim is presented information that they can't interpret but the narrative is used to lend credulity to the victim of the Tech Support scammer's fraud narrative.

It would be like saying Nir Sofer is a malicious actor because some of the tools he authors get detected by various anti malware solutions.  That would be a false narrative because he authors tools that perform a set of functionalities that can ( and have been ) used in a malicious fashion.  Thus many of the tools offered for use at NirSoft are flagged as HackTools or as other detection names not be because the tools are themselves malicious but because they can gather and provide information that can be used in a malicious fashion such as grabbing license keys or WiFi Passwords.  One may provide these tools to some automated analysis system and may get suspicious or malicious declarations because of the activity these tools perform.   However one must look at the tools activity in an overarching fashion.  For example if ( and only IF ) NirSoft's WirelessKeyView could show WiFi Passwords and exfiltrate said data and dump the harvested information to some web site.  But that's not the case.  WirelessKeyView only accesses that information and provides it to the person who executes the utility.

Farber's utility, hosted on BleepingComputer, is similarly classed but it doesn't even grab that level of information that NirSoft's utilities gather.  It does gather information about a platform in such a fashion as to allow a trained Forum Helper to "remotely" assist a Windows Computer user in analyzing that platform for abnormal, adverse and/or consequential information.  It is used countless times on numerous Forums and sites where anti malware assistance is provided and is a White Hat utility.

 

Edited by David H. Lipman
Edited for content, clarity, spelling and grammar
Link to post
Share on other sites

13 minutes ago, David H. Lipman said:

You act just like a Tech Support scammer that uses Social Engineering to con some victim into thinking there is something wrong with their PC and gets them to allow the Tech Support scammer to remote-in the victim's PC.  Once there they perform a series of actions that are used to persuade the victim that they are infected or that their computer is fouled up and requires the victim to pay for some service and for a service contract.  The victim is presented information that they can't interpret but the narrative is used to lend credulity to victim of the Tech Support scammer's fraud narrative.

Sure, why don't you make it complete and claim that I have a heavy Indian accent, and an office in Bengaluru?  Why don't you use the "support tool" yourself, do a complete and thorough uninstall, search your machine for FRST* and MBW*, and then come back to me?

Link to post
Share on other sites

@David H. Lipman, when you are done spewing invective and making accusations of criminal activity, why don’t you start thinking. Don’t you think that it is pretty strange that a developer of security software needs a 3rd party tool to clean up an their install, especially a 3rd party tool of ill repute, one that can monitor and emulate my keystrokes and exfil any data it feels like?   

Sure, FRST requires UAC, but permission is given to uninstall the damned app, not to act as a keylogger, and not to send home whatever data it wants.

I don’t mind a  strong whitehat tool, but I want to be the one to put it on my computer, and I want to be the one to execute it. I am taking a very dim view when someone else does it without asking for my permission. I am taking an exceptionally dim view when keys are logged and data are phoned home while an app claims it’s cleaning my computer. 

Link to post
Share on other sites

David got to you ? He is correct, you don't know anything about computers or how to fix them.

Nothing in FRST does what you show and it has been used for years.

GIVE UP AND GET LOST. If you think you are hidden on the internet, you are VERY wrong. EVERYONE CAN BE FOUND.

Don't go away mad, JUST GO AWAY

Link to post
Share on other sites

All I can tell you is that the support tool downloads frst64.exe onto my computer without asking, and stores it as FRSTEnglish.exe in my Downloads folder, again without asking.  FRSTEnglish.exe supposedly requires user Access Control, but I never was asked to give UAC consent to FRSTEnglish.exe. Apparently, FRSTEnglish inherits consent from the support tool, which of course will receive consent from the user.

During execution, there are at least two open, and encrypted connections with AWS nodes. No permission is expressly asked, or given, to exchange data with an anonymous entity. No permission is given to log my keystrokes.

When everything is done, copies of FRSTEnglish.exe are left in various corners of my computer.

I don’t care whether FRST should be considered a White Hat or a Black Hat tool.  I did not give permission for it to be put on and left on my machine.

Link to post
Share on other sites

 

7 minutes ago, KenW said:

 

GIVE UP AND GET LOST. If you think you are hidden on the internet, you are VERY wrong. EVERYONE CAN BE FOUND.

O.K., so now I am told that they know where I live? What a charming community.

Many here, especially KenW, hide behind a handle.  I post under my full name, and I indeed can easily be found. Come and get me. Or are you making these threats only to give the admin reason to close the thread and make it go away? 

Link to post
Share on other sites

8 minutes ago, TempLost said:

And I thought one of the benefits of a divorce was to put all the bitterness behind you so you could get on with your life? Evidently not..........

Exactly what I thought. Until I found out that the divorce was not as final as I was made to believe, and that there were monitoring tools left all over the house..

Link to post
Share on other sites

  • Root Admin

Everyone please take a step back and relax. There is no need to name call or accuse anyone of anything. I understand some members can be passionate about certain things but let's not get carried away and ignore good civil discussion.

The FRST program is an essential tool used by most Experts today to help log what is running on a system so that choices can also be made by writing a script if needed to remove unwanted items. We have worked with the author of the FRST program to obtain approval grabbing their tool and renaming it for use with our own tool. There is nothing nefarious going on with either tool. As with most tools and software available for the PC removals often leave behind traces. Thank you for your feedback and input @Bertel and I will submit to our Support Team to review the tools for possible better clean up on removal.

Thank you

 

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.