riskware-extensionmismatch with photos taken with Pixel 2

[amccombs]

photos taken with Google Pixel 2, is there a program that will fix the extensions so that there isn't a mismatch?

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/16/21
Scan Time: 2:43 AM
Log File: ecad7204-46b0-11ec-97ad-48022a39491f.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.47245
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 519883
Threats Detected: 12
Threats Quarantined: 0
Time Elapsed: 1 hr, 18 min, 5 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 12
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\20181201_132549.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , EB9758F30DB51C2F246E83ADC290D5E6, C0EACFFD7B53D8CCDEDE570DFE8EB64D28E7C9336283FBEC05CF760078F33A30
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\IMG_0035.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , 47DAA5FF28E8B7BAB950DE4831119C67, 748CDAC6EB39AE99AD1668DB27536D24E18DD2AA924B1F45821C897F841F8648
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\IMG_20180510_202718.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , AB42C1D467C0FDF0D2218A7CF2C4F407, 2F3BD90D2B04E784167F24D97411BEE9D01F9DAE2213AE329E7E6B64D833E0C4
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\IMG_20190516_155725.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , 0A9DE739C10EF46D33101CDA12CDC8F4, 19CA2BF9C07CB4198FA70E2639494B7C65CD1EDC326956BE24B55514673E3796
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\JPEG_20_20181101_184528_THUMBNAIL.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , D1DB1EFB69C3B84D0A5302EC3B555916, 108E49621434F674FA70ED0143CD94EA060185BDA5A7563E72C58C368D9A680F
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\JPEG_21_20181002_1838_THUMBNAIL.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , 951EE189D02C536D539111A8EB5CF249, 0C9321A8EF32784C8943F5FAE521EE46C611AFD715B7331A8D7A6D424A57F911
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\JPEG_23_20181008_1925.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , D0BB8852220543A7BF366BC588813F10, 9AED49AB860AA26C6D2F595C4F578FDC4C82855F32CDB7F25645F09C9D5B4767
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\JPEG_23_20181008_1925_THUMBNAIL.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , 2956C1F68B6C75AB128CAECA4BE6712B, 6C4338CD71986E5D95D218EEED800C7FA5D397F1A47514CA3D655C4A56A37541
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\JPEG_25_20181025_204141_THUMBNAIL.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , 05957A02F6C1377F6F4F312EBA06605A, 4F988CC25D40C351A0AE1370F20E2C4A5269CB701F9EF24E4AD9A7153545B79E
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\JPEG_25_20190318_110653_THUMBNAIL (1).JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , 19DA848116EA2BAFD9D04EE5280C0B2C, BF837405A0C00457BB15ED354E8F107BBB783079FC25F38A1C078A0ACA57D3AD
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\JPEG_25_20190502_200921_THUMBNAIL.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , E9C7521CB548C6B266ACAE0744529488, 3BDCF735CDD62B88825B3FD826CB6C90B9A8D52F7181F38C0318C3AAC52BC270
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\JPEG_29_20190418_134031.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , 1B4350E0CDF0D308531038DE2666E1EA, 19771666CF44144AB3B3BDCD81825E7959CB3346D4F1B51EBD9E474ECB7DADCD

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

[shadowwar]

These are not actual photos. There are legit executables that somehow got renamed to .jpg extension. 

[amccombs]

Looks like a photo to me.

RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\20181201_132549.JPG, No Action By User, 11509, 79314, 1.0.47245, , ame, , EB9758F30DB51C2F246E83ADC290D5E6,

[shadowwar]

This is strange because the file you checked above in the malware log points to this md5 at virustotal

https://www.virustotal.com/gui/file/c0eacffd7b53d8ccdede570dfe8eb64d28e7c9336283fbec05cf760078f33a30

Which is an executable. 

Something is going on with this machine or our install. You may have to contact support. 

 

[shadowwar]

Can you try something for me?

Can you move some of the files hit to a spot that isnt on google drive and rescan those files?

Wonder if its google drive somehow interfering. 

 

[amccombs]

I didn't have a malwarebytes menu item, so I had to scan the whole computer. So of course it's going to pick different files. Maybe it's Google Drive, as I  copied the file to c:\temp\malwarebytes folder but it did not find it. Google Drive is not running in Task Manager.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/17/21
Scan Time: 5:32 PM
Log File: 3b2e3b5c-47f6-11ec-8976-48022a39491f.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.47301
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: AllanMcCombs-PC\Allan McCombs

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 520290
Threats Detected: 5
Threats Quarantined: 0
Time Elapsed: 32 min, 47 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 5
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\JPEG_20_20181101_184528.JPG, No Action By User, 11513, 79314, 1.0.47301, , ame, , 535E3DB536054CF567FB57C113A4FFA2, 41324AC4C430A93C8914C18A7A0CC2EEC9649DF6D91BD0113DA5F31908D486D2
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\0915172358.JPG, No Action By User, 11513, 79314, 1.0.47301, , ame, , 2533D03AA0BF6328599D42115E464157, ED5431CFA781ACB0DC3FB89DAAD71EFBDC740E4D9B715AF8B5D0B4CDB06C6DB2
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\JPEG_22_20181101_184503.JPG, No Action By User, 11513, 79314, 1.0.47301, , ame, , 0464CAE04B6E643127286926DC1724E2, BA3829A1041A445255BD5572E230C7882E3483750BEDD8ECF4AA41B9A8D863FD
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\IMG_20170804_232502.JPG, No Action By User, 11513, 79314, 1.0.47301, , ame, , DBDA60D92E774B4ACB3B1CD71F909426, 56A59DAE638D9BB45CE729A5D6FDFB0ECBE88B37047E4D6D20DBDEF1FC90BD72
RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\IMG_20190210_202721.JPG, No Action By User, 11513, 79314, 1.0.47301, , ame, , 0B8D740C2178315BCB1B71F47041B75A, F29203E47A0574EF4C009EC777DCF861053EF5CAADB4FA968BC9E25D98B36CE3

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

 

RiskWare.ExtensionMismatch, C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\0915172358.JPG, No Action By User, 11513, 79314, 1.0.47301, , ame, , 2533D03AA0BF6328599D42115E464157, ED5431CFA781ACB0DC3FB89DAAD71EFBDC740E4D9B715AF8B5D0B4CDB06C6DB2
(end)

[shadowwar]

Thanks for the information. Strange that we are pulling an erroneous md5. this is the first time i have run into this so i am pulling dev in to look at this post. 

Thanks for the very thorough information. 

 

We might need mbamservice logs in debug mode with a scan. 

under general settings. event log data

Turn on Collect enhanced event log data 

Run a scan and then zip and gather the logs from here:

C:\ProgramData\Malwarebytes\MBAMService\logs

 

If you want to turn on the menu option its also under general for windows explorer options. If its already on then shut it off wait 10 seconds and turn it back on to see if it restores to the right click menu. 

 

 

[shadowwar]

Also c:temp\malwarebytes wouldnt be a normal spot for a threat scan to look in unless there was linking to it. 

Can you try to move it to 

C:\WINDOWS\TEMP

[amccombs]

Copied to C:\Windows\Temp. Enabled event logging, then the system scan did not find any issues with the .jpg files. Then disabled event logging, ran again, but it couldn't reproduce the previous results.

I see that it's skipping the files now.

11/19/21    " 11:56:05.297"    800831336    32ac    236c    DEBUG    ScanControllerImpl    mb::scancontrollerimpl::Scanner::ScanFileImpl    "scanner.cpp"    3468    "Failed to read file. skipping it. FilePath = C:\USERS\ALLAN MCCOMBS\GOOGLE DRIVE\GOOGLE PHOTOS\IMGP2062.JPG."

logs.7z

[shadowwar]

Yeah its failing to read it cause it sees it as jpg now. Not sure what is going on yet but will pass info on to devs. Has to be something with google drive. If you want to try exit the google drive program and rescan the directory where the files were originally and see if you get any detections. 

 

[amccombs]

The Google Drive program was not running in previous results; I stopped using it when google drive and google photo's split.