MB 4.2 finds Spyware.RedLineStealer in ADGUARDSVC.EXE?


Hello,

Today the Malwarebytes scan found Spyware.RedLineStealer malware 6 times in several Adguard components.

I don't believe that Adguard is malware.

I have attached adguardsvc.exe, which is one of the items reported as malware. Can you please check and verify whether this really is malware or a false positive?

MB_report_adguard.png

AdguardSvc.zip

  • Staff

Hi @Chinaski1

This false positive was fixed last Friday. You can ask the customers to make sure they have the latest Malwarebytes database installed by simply right-clicking the Malwarebytes tray icon and then choosing Check for Updates.

Anyone who had Adguardsvc.exe quarantined should restore it from quarantine and do another Malwarebytes scan to make sure it is not detected anymore, which should be the case.

Apologies for the inconvenience caused.

  • 1 month later...

Malwarebytes Premium 2.2.0.1024 just flagged Quicken Home & Business for me.

Threat:

Spyware.RedLineStealer

Category:

Malware

Type:

File

Location:

C:\Program Files (x86)\Quicken\qw.exe

&

Threat:

Spyware.RedLineStealer

Category:

Malware

Type:

Registry Value

Location:

HKLM\SOFTWARE\WOW6432NODE\MIC...:\PROGRAM FILES (x86)QUICKEN


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/2/2020
Scan Time: 10:08 AM
Logfile: MalwareBytes_RemoveSelected_11_02_2020.txt
Administrator: No

Version: 0.0.0.0000
Malware Database: v2020.11.02.06
Rootkit Database: v2020.11.02.06
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Steve

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 191527
Time Elapsed: 9 min, 50 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Capture11_02_2020_MalwareBytes.PNG


I appreciate MWB's quick response to this issue.

However,

I have been working with Quicken tech support and checking 3rd party forums for a solution for the last 3 hours, faced with the idea that I couldn't use Quicken, which is extremely important to me.

I am extremely frustrated to have had to go through all of the steps to troubleshoot the issue on two computers, only to finally figure out that the problem lies with MWB.

Why does this kind of issue occur?

27 minutes ago, josephlevin said:

I appreciate MWB's quick response to this issue.

However,

I have been working with Quicken tech support and checking 3rd party forums for a solution for the last 3 hours, faced with the idea that I couldn't use Quicken, which is extremely important to me.

I am extremely frustrated to have had to go through all of the steps to troubleshoot the issue on two computers, only to finally figure out that the problem lies with MWB.

Why does this kind of issue occur?

Joseph,

I've been using Malwarebytes for over 10 years. The good news is that I can't recall ever having an issue like this pop up.  MWB has saved me a couple times when other programs have failed, and that has saved me a lot of headache.

  • Staff

This was an over-aggressive definition. A malware sample we found was imitating qw.exe, but the definition we added caught both the legit file and the malware file. This is fixed now, though.


I've been using MWB for about the same amount of time.

Unfortunately, the only MWB version I could get to work consistently was 2.2.x. With any newer version than that, the real-time protection would automagically just stop working, no matter the PC or OS (Win7 versus Win10). I've tried newer versions of MWB almost every time there is a major update available, only to have to downgrade to 2.2.x due to this problem.

Never has there been a solution that worked beyond performing a complete downgrade.

In the process of working with Quicken tech support, I upgraded to the latest version of MWB I have available to me without paying a fee, and the real time protection seems, for the moment, to be working. I'm crossing my fingers, but doubtful it will last, since it never has done so before. This has been a real frustration point for me over the years. Then when faced with the possibility of losing the ability to safely work with a VITAL piece of financial software, I was even more frustrated, hence my tone. 

The worst was, in order for me to use Quicken, despite finding out from this forum that the issue was a false positive, the only way I could do so was to stop using MWB, which would have opened up my PC to potential problems. This is the part I take exception to. 

Yes, MWB has blocked things such as malicious websites doing or attempting nastiness in the past, but a piece of software is only as good as its last critical problem, in my opinion.

On a minor note, another thing which is annoying to me, is that I asked a question, and the staff member ignored it only to essentially reiterate "it's fixed".

I would genuinely like to know why MWB has this issue, and whether or not there is a way I can learn how to tell if the issue is a false positive on my own, rather than depend on online forums, which usually do not have the time-to-fix of this issue today.

  • Staff

@josephlevin I explained above why this was detected. As far as telling if it's a FP on your own: if the detection is in a legitimate directory of a program you normally use, like the one above in \program files\quicken\, then it's most likely a FP. If you are not sure, you can upload the detected file to an online scanner like virustotal.com for an industry-wide opinion on the file.

We have beefed up the FP prevention for Quicken-related files. It seems they used a certificate to sign their files that we weren't aware of, and we have since added this newly found certificate to prevent FPs on Quicken-related files in the future.

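One way to run the checks the staff reply describes (is the file in the program's own install directory, is it signed by the vendor, and what is its hash for a VirusTotal lookup) from a PowerShell prompt. This is an added example, not code from the thread or from Malwarebytes; the trusted-thumbprint list is a placeholder you fill in with publisher thumbprints you have verified yourself, and the Quicken path is the one reported above.

```powershell
function Test-FlaggedFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Hypothetical allowlist: thumbprints of publisher certificates you have already verified.
    $trustedThumbprints = @('PLACEHOLDER_THUMBPRINT_OF_A_VERIFIED_PUBLISHER')

    $result = [ordered]@{ Path = $Path }

    # 1. Location: a hit inside the installed program's own folder (e.g. \Program Files\Quicken\)
    #    is the first hint of a false positive mentioned in the staff reply.
    $programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $result.InProgramFiles = [bool]($programDirs | Where-Object { $Path -like "$_\*" })

    # 2. Signature: a valid Authenticode signature from the vendor is the same evidence the
    #    staff used when they allowlisted Quicken's signing certificate.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureStatus  = $sig.Status.ToString()
    $result.Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $result.SignerThumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $result.SignerTrusted    = ($sig.Status -eq 'Valid') -and
                               ($trustedThumbprints -contains $result.SignerThumbprint)

    # 3. Hash: look the file up on VirusTotal by SHA256 instead of uploading it, so a file
    #    from financial software never has to leave the machine.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.SHA256        = $hash
    $result.VirusTotalUrl = "https://www.virustotal.com/gui/file/$($hash.ToLower())"

    # The verdict is only a hint: a validly signed file in Program Files is probably a FP,
    # but confirm with the multi-engine result before restoring anything from quarantine.
    $result.LikelyFalsePositive = $result.InProgramFiles -and ($sig.Status -eq 'Valid')

    [pscustomobject]$result
}

# Usage: the path the second poster reported as flagged.
Test-FlaggedFile -Path 'C:\Program Files (x86)\Quicken\qw.exe' | Format-List
```

If the signature status is anything other than Valid (for example NotSigned or HashMismatch), treat the location check as weak evidence and rely on the VirusTotal result.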
13 minutes ago, josephlevin said:

Unfortunately, the only MWB version I could get to work consistently was 2.2.x. Using any newer version than that the real time protection would automagically just stop working, no matter the PC or OS (Win7 versus Win10). I've tried newer versions of MWB almost every time there is a major update available, only to have to downgrade to 2.2.x due to this problem.

Never has there been a solution that worked beyond performing a complete downgrade.

We would love to work with you on the above issue. Could you please start a topic HERE so we can find out what the issue is in your case.

3 minutes ago, josephlevin said:

Should my version of MWB start to lose real time protection I shall be sure to open a forum post about it.

Your version is missing a lot of the realtime protection that is available in the current version.


I'm currently using MWB v3.6.1. Should the real time protection remain stable, I shall consider getting the latest version.

Will my perpetual license, initially 2.2.x, carry over to the latest version?

  • Staff

Yes, it will. Worst case, it may need to be converted by support, but if it is working fine for you with 3.6.1 then it should work fine with 4.x. Just uninstall 3.6.1 first so you don't run out of seats.
