Malwarebytes added a Security package in Registry. Normal?



Hi, I use MBAM with ESET. Today after a scan, MBAM added a security package and another thing to the Windows HKLM registry. ESET's HIPS warned me about it, but I allowed the action because it was MBAM. Is it a normal thing for MBAM to do, or is it compromised somehow and a malware trying to add it?


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    • Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

Thanks in advance for your patience.

-The Malwarebytes Forum Team


To begin, please do the following so that we may take a closer look at your installation for troubleshooting:
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply
Thank you

1 hour ago, mayan said:

I have attached the file.

I doubt your Malwarebytes install is infected and you should allow activities from Malwarebytes if prompted by other security software.

HIPS is over-sensitive by nature as well. I would make a few suggestions though.

I suggest turning off fast startup in Windows. Then restart.

https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html

I would also recommend creating exclusions between Malwarebytes and your AV to help prevent any possible conflicts or performance issues. Please add the items listed in this support article to your AV's allow list(s)/trust list(s)/exclusion list(s), particularly for any of its real-time protection components, and likewise add your AV's program folder(s) (likely located under C:\Program Files and/or C:\Program Files (x86)) to Malwarebytes' Allow List using the method described under the Allow a file or folder section of this support article, and do the same for its primary data folder, which is likely located under C:\ProgramData (you may need to show hidden files and folders to see it).

You also have issues with your Killer Network adapter and software. You might wish to do something about fixing it.

You also have a ton of web blocking going on. I assume it is your torrent program causing it.

As for why Malwarebytes blocked qbtorrent, this is because qbtorrent, and all Bittorrent software, are what are known as Peer-to-Peer (P2P) applications meaning it connects to many different servers/IP addresses (this is how files are downloaded through qbtorrent) and because of this, sometimes qbtorrent will connect to a server that is also known for hosting malicious content.  This is because servers/IP addresses are often shared by multiple sites, so while what you are downloading through qbtorrent may be perfectly safe, some of the sites hosted on some of the IP addresses that qbtorrent connects to may be malicious.  Such connections are not a threat however, and you may exclude qbtorrent from the Web Protection component in Malwarebytes to stop the blocks from happening without compromising your protection (your web browser and other critical web facing programs will still be fully protected from malicious websites and other malicious content).  To do so, add qbtorrent.exe to your exclusions using the method described under the Exclude an Application that Connects to the Internet section of this support article.

 


Thank you. I will be doing what you said :) Also, I have disabled the Killer network app and just use the Killer network adapter. I haven't noticed any issue so far regarding internet speeds, but while using a VPN the connection would drop suddenly and reconnect (this has happened only a handful of times so far in the past year). So, I thought it would be an issue with the VPN connection. What kind of issues does the log show actually? Would a reinstall of the Killer network driver maybe fix the issue?


  • Root Admin

Did you do a SCAN with Malwarebytes? We may have modified it based on a scan, but I don't think we touch that key during installation.

Can you post back recent Protection Logs and Scan Logs from that day?

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

If you click on the View option you should get something similar to the following with other options available.

Yes, I did a scan with the "Use expert systems algorithms to identify malicious files" option enabled. And ESET's HIPS warning about MBAM accessing that location happened as soon as MBAM quarantined 2 files called "3d_sad_shared2.dll" (from C:\Windows\SysWOW64) and its related .lnk file (from C:\Users\Uzer\AppData\Roaming\Microsoft\Windows\Recent). I scanned the DLL in VirusTotal and it came back clean, and without it my audio software called "Spatial Sound Card Pro" wouldn't work. So I restored only the DLL from the quarantine and added it to exclusions.

I have attached the related log file.

3D_SAD_SHARED2.dll log.txt


5 minutes ago, mayan said:

Yes, I did a scan with "Use expert systems algorithms to identify malicious files" option enabled

That setting is off by default for a reason. It can lead to false positives. It is best to leave all defaults as they are unless instructed by Malwarebytes support.

  • Root Admin

Agreed.

During remediation of us removing the file we probably modified the LSA area of the Registry.

You should be able to temporarily disable ESET real-time protection. Then restore the file from Quarantine inside Malwarebytes.

Then in Settings, put everything back to Default

Thanks
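The two posts above leave the question at "we probably modified the LSA area of the Registry". A practitioner who gets an alert like the one ESET raised usually wants to see exactly what changed there rather than guess. The following PowerShell script is an added example for this thread; it is not code from Malwarebytes, ESET or any poster. It snapshots the LSA package lists (the "Security Packages" and "Authentication Packages" values under the standard LSA key, which this example assumes is the location the alert refers to) into a baseline file on the first run, and on later runs reports any entry that was added or removed, together with where the matching DLL lives and whether it carries a valid Authenticode signature. The baseline file location and the "package name + .dll under System32" rule for locating the file are this script's own assumptions.

```powershell
# Added example (not from the thread, Malwarebytes or ESET): baseline and diff
# the LSA package lists that a "security package added to the Registry" alert
# refers to, so the alert can be checked against a known-good state.
# Assumptions: $LsaKey is the standard LSA key; the baseline path and the
# "System32\<name>.dll" rule used to locate each package are this script's own.

[CmdletBinding()]
param(
    [string]$BaselinePath = (Join-Path $env:ProgramData 'lsa-packages-baseline.json')
)

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueNames = @('Security Packages', 'Authentication Packages')

function Get-LsaPackages {
    # Returns a hashtable: value name -> sorted, de-duplicated list of non-empty
    # REG_MULTI_SZ entries (an empty list when the value is absent or blank).
    $result = @{}
    foreach ($name in $ValueNames) {
        $item    = Get-ItemProperty -Path $LsaKey -Name $name -ErrorAction SilentlyContinue
        $entries = @()
        if ($null -ne $item) {
            $entries = @(@($item.$name) |
                Where-Object { -not [string]::IsNullOrEmpty($_) } |
                Sort-Object -Unique)
        }
        $result[$name] = $entries
    }
    return $result
}

function Get-PackageFileInfo {
    param([string]$PackageName)
    # Package entries are bare DLL names loaded by lsass.exe; assumption: they
    # resolve to %SystemRoot%\System32\<name>.dll.
    $path = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $PackageName)
    if (-not (Test-Path -Path $path)) {
        return ("{0}: no file at {1}" -f $PackageName, $path)
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    return ("{0}: {1} [signature: {2}; signer: {3}]" -f $PackageName, $path, $sig.Status, $signer)
}

$current = Get-LsaPackages

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record the current lists as the baseline and show them.
    ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    foreach ($name in $ValueNames) {
        Write-Output ("{0}: {1}" -f $name, ($current[$name] -join ', '))
    }
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$changes  = 0

foreach ($name in $ValueNames) {
    # Normalise the JSON side the same way as the live side.
    $before  = @(@($baseline.$name) | Where-Object { -not [string]::IsNullOrEmpty($_) })
    $after   = $current[$name]
    $added   = @($after  | Where-Object { $_ -notin $before })
    $removed = @($before | Where-Object { $_ -notin $after })

    foreach ($pkg in $added) {
        $changes++
        Write-Output ("ADDED   to '{0}': {1}" -f $name, (Get-PackageFileInfo -PackageName $pkg))
    }
    foreach ($pkg in $removed) {
        $changes++
        Write-Output ("REMOVED from '{0}': {1}" -f $name, $pkg)
    }
}

if ($changes -eq 0) { Write-Output "No change to LSA package lists since baseline." }
```

Run it once before a scan to write the baseline, then again after the scan (or after any HIPS prompt about that key). An entry reported as ADDED whose DLL is present and Microsoft-signed is the ordinary case; an entry with no file on disk, or a file that is unsigned or fails signature validation, is the one worth taking to the vendor's support or a forum thread with logs attached.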

I was able to restore the file from quarantine without disabling ESET :) @Porthos Do you recommend any extra exploit protection option to be ticked for PDF readers? (I download a lot of free books and PDFs.) Also, is it good to add "7zip" software to the exploit protection list? I sometimes download zip/rar files which don't show their contents until I extract them using a password. What should I be doing to prevent some malicious script or exploit from executing while unzipping those kinds of archives?


8 minutes ago, mayan said:

What should I be doing to prevent some malicious script or exploit from executing while unzipping those kinds of archives?

Do not open archives especially from email unless you are 1000% sure of the sender and contents.

10 minutes ago, mayan said:

Do you recommend any extra exploit protection option to be ticked

I would not change any of the default settings period.


13 minutes ago, mayan said:

(I download a lot of free books and PDFs.) Also, is it good to add "7zip" software to the exploit protection list? I sometimes download zip/rar files

One should proceed with extreme caution when downloading files from the internet, especially if you are downloading these book/zip files using any torrent software.


Thank you. One final doubt. I have already added MBAM's folders and files you have mentioned to ESET's exclusions list in its "Detection engine's exclusions" list. But ESET also has an exclusions option for "process" separately under its Real-Time file protection system. I am not able to add any of these folders or files to this list since it accepts only .exe files. So, should I add all the exes in the location "C:\Program Files\Malwarebytes\Anti-Malware" to this exclusions list?

Check out the pic of what ESET's process exclusions will do, please.


  • Root Admin

Recommendations to help improve your computer privacy and security

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

16 minutes ago, Porthos said:

If you are having issues please post/start your own topic. Do not "Me too" Other peoples topics.

No problems with Malwarebytes at all, in fact it's been running great, except for problems updating the definitions, check your internet connection

I do not have any problems with my internet connection on other websites

I saw this post, checked my Registry and saw I also have that entry

So, I just wanted to add my information (logs) to help with the diagnostic, since it hasn't been answered why it's there


3 minutes ago, MSimm1 said:

since it hasn't been answered why it's there

There is no issue except the over reaction of the HIPS function of ESET.

3 hours ago, Porthos said:

I doubt your Malwarebytes install is infected and you should allow activities from Malwarebytes if prompted by other security software.

HIPS is over sensitive by nature as well.
