
Why is my MBSetup.exe file named ent.exe?



I decided to download Malwarebytes for Windows today, and when it finished downloading the setup file, it was randomly named as "ent.exe". I found that very odd and weird, so I decided to download it again, and finally a normal one was downloaded with the original name "MBSetup.exe."

Can someone tell me what is going on? Is this normal? This looks like it could be a MITM attack? Not sure.


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


16 hours ago, Porthos said:

Looks like you already uploaded it to VT. It is a legit installer. Can't say how it was renamed.

Did it come directly from the Malwarebytes website?


Yes it came directly from the site. Also, I've been dealing with a hacker in the past that got into my system, so this worries me a bit that he or she might still be here to have caused something like this to happen.


@GreyHawks42

Please realize that any file can be renamed to anything.  MBSetup.exe can be named;  dave.txt, myfile.doc or even reallywoerd.dmg

The file extension tells the OS how to associate the file.  However renaming MBSetup.exe to reallywoerd.dmg will not make it a MAC OS installer nor will myfile.doc be able to be opened in MS Word. 

The EXE extension tells the OS that this is a PE file and is an executable under the MS Windows OS.  I could rename MBSetup.exe  to  MBSetup.SCR and it will still install Malwarebytes as the SCR is a type of Windows PE file and is also executable.

I use WGET to download the Malwarebytes' Installer and I name them as;  mbam4-lastest-Offline_Installer.exe  and  mbam5-lastest-Offline_Installer.exe to easily identify the files.

It is an old method to thwart malware by naming an anti-malware installer or utility.  One can install a MS OS Policy to block the execution of MBSetup.exe  so that if you try to run this EXE file, it will not run.  But by renaming the file to ent.exe it will thwart this Policy and will allow it to run on a PC with such a Policy.

So why the file is named as such is really of little matter or consequence.  It will be considered a Windows Executable PE file and the contents have not changed.

Taking my example of;  mbam5-lastest-Offline_Installer.exe  I can Right-Click on the file and choose; Properties and I will see...


And from there if I choose to view "Digital Signatures" I will see...


And I see it is digitally signed by Malwarebytes Incorporated.  The file's contents have not changed, only the file's name.

A so-called "hacker" would not rename the file, but they could and would create such a MS OS Policy to block the default name.  On the other hand someone who wants to clean a PC of malware may rename said file.

 

 

 

 

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
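
Added example, not part of the original post or thread: a PowerShell version of the Properties → Digital Signatures check described above, which also confirms that a renamed download still starts with the PE "MZ" marker and compares its hash with the normally named copy. The function name `Get-InstallerIdentity` and the two Downloads paths are assumptions for illustration.

```powershell
# Added example. The paths at the bottom are assumed locations of the two
# downloads discussed in the thread; adjust them to where the files were saved.
function Get-InstallerIdentity {
    param(
        [Parameter(Mandatory)][string[]]$Path
    )
    foreach ($p in $Path) {
        $file = Get-Item -LiteralPath $p -ErrorAction Stop

        # Every PE file begins with the bytes "MZ", whatever its extension says.
        $stream = [System.IO.File]::OpenRead($file.FullName)
        try {
            $magic = New-Object byte[] 2
            $read  = $stream.Read($magic, 0, 2)
        } finally {
            $stream.Dispose()
        }
        $isPE = ($read -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)

        # Authenticode is evaluated over the file contents, not the file name.
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

        [pscustomobject]@{
            Name             = $file.Name
            StartsWithMZ     = $isPE
            # Name recorded in the file's version resource, if it has one.
            OriginalFilename = $file.VersionInfo.OriginalFilename
            SHA256           = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            SignatureStatus  = $sig.Status
            Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$results = Get-InstallerIdentity -Path "$env:USERPROFILE\Downloads\ent.exe",
                                       "$env:USERPROFILE\Downloads\MBSetup.exe"
$results | Format-List

# Identical bytes under two names produce exactly one distinct hash.
$distinct = @($results | Select-Object -ExpandProperty SHA256 -Unique)
$notValid = @($results | Where-Object { $_.SignatureStatus -ne 'Valid' })
if ($distinct.Count -eq 1 -and $notValid.Count -eq 0) {
    'Same contents, valid signature on both; only the file name differs.'
} else {
    'Hashes differ or a signature did not validate; review the fields above.'
}
```

A `Valid` status only says the signature verifies against a trusted chain; also read the `Signer` field and confirm it names the publisher you expect, as the post does with Malwarebytes.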

6 hours ago, Porthos said:

Would you like us to check your system for malware?

Yes please. Although I've done a lot of cleaning on my own, so it might come up empty, but I'd still like to have it checked. 

In the past, this hacker messed with me by sending me messages related to my activities on my PC, essentially letting me know that they have access and are watching my computer activity, which spooked me out.

Yes I understand, but who renamed it? It wasn't me. The moment I downloaded it, it was already renamed.

Here you can see my download history:


I tried to download it again making sure I didn't make a mistake and of course the name was back to original. Who did this exactly?


@GreyHawks42 To save some time and history, I have moved your topic. Do the following.

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please do all of the requested scans in order and attach all of the results in your next reply. <<<<< Important.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes: Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point  <<<<< Important.
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup   Windows 8 and newer only <<<<< Important.
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a  Scan with AdwCleaner
  2. Click the following link and run a  Scan with Malwarebytes
       RESTART the computer <<<<< Important.
  3. Click the following link and run a  Scan with Farbar Recovery Scan Tool 


Then be patient for the next expert to take your case. <<<<< Important.

 

Thank you

 

Edited by Porthos

Hello, that's good news.

However... Prior to me coming up on this forum, I did run a Bitdefender scan recently, and it found infected files which came from LAMZU company, a computer mouse company. False positive? Because this company is reputable.

 


AdwCleaner[S00].txt AdwCleaner[C00].txt Malwarebytes Scan Report 2024-10-03 003234.txt FRST.txt Addition.txt bitdefender scan.txt


<Item type="0" objectType="0" path="C:\Users\david\Downloads\THORN Tools 2024.01.19\1K Receiver 1.21.exe" threatType="0" threatName="IL:Trojan.MSILMamut.13873" action="3" allActions="3" initialStatus="3" finalStatus="5" quarId="" failReason="0" itemHash="no_hash" chainHash="no_hash" family="" rtvrType="">
<FileInfo itemMd5Hash="no_hash" chainMd5Hash="no_hash" fileSize="12562944" certIssuer="" certSubject="" certSerial="" certTimestamp="0"/>
</Item>
<Item type="0" objectType="0" path="C:\Users\david\Downloads\THORN Tools 2024.01.19\Thorn.exe" threatType="0" threatName="IL:Trojan.MSILMamut.13873" action="3" allActions="3" initialStatus="3" finalStatus="5" quarId="" failReason="0" itemHash="no_hash" chainHash="no_hash" family="" rtvrType="">
<FileInfo itemMd5Hash="no_hash" chainMd5Hash="no_hash" fileSize="12083200" certIssuer="" certSubject="" certSerial="" certTimestamp="0"/>
</Item>
<Item type="0" objectType="0" path="C:\Users\david\Downloads\THORN Tools 2024.01.19\4K Receiver 1.28.exe" threatType="0" threatName="IL:Trojan.MSILMamut.13873" action="3" allActions="3" initialStatus="3" finalStatus="5" quarId="" failReason="0" itemHash="no_hash" chainHash="no_hash" family="" rtvrType="">
<FileInfo itemMd5Hash="no_hash" chainMd5Hash="no_hash" fileSize="12587520" certIssuer="" certSubject="" certSerial="" certTimestamp="0"/>
</Item>
<Item type="0" objectType="0" path="C:\Users\david\Downloads\THORN_Tools_2024.01.19.zip=>THORN Tools 2024.01.19/1K Receiver 1.21.exe" threatType="0" threatName="IL:Trojan.MSILMamut.13873" action="5" allActions="3 5" initialStatus="3" finalStatus="5" quarId="" failReason="0" itemHash="no_hash" chainHash="no_hash" family="" rtvrType="">
<FileInfo itemMd5Hash="no_hash" chainMd5Hash="no_hash" fileSize="12562944" certIssuer="" certSubject="" certSerial="" certTimestamp="0"/>
</Item>
<Item type="0" objectType="0" path="C:\Users\david\Downloads\THORN_Tools_2024.01.19.zip=>THORN Tools 2024.01.19/4K Receiver 1.28.exe" threatType="0" threatName="IL:Trojan.MSILMamut.13873" action="5" allActions="3 5" initialStatus="3" finalStatus="5" quarId="" failReason="0" itemHash="no_hash" chainHash="no_hash" family="" rtvrType="">
<FileInfo itemMd5Hash="no_hash" chainMd5Hash="no_hash" fileSize="12587520" certIssuer="" certSubject="" certSerial="" certTimestamp="0"/>
</Item>
<Item type="0" objectType="0" path="C:\Users\david\Downloads\THORN_Tools_2024.01.19.zip=>THORN Tools 2024.01.19/Thorn V1.24.exe" threatType="0" threatName="IL:Trojan.MSILMamut.13873" action="5" allActions="3 5" initialStatus="3" finalStatus="5" quarId="" failReason="0" itemHash="no_hash" chainHash="no_hash" family="" rtvrType="">
<FileInfo itemMd5Hash="no_hash" chainMd5Hash="no_hash" fileSize="11742720" certIssuer="" certSubject="" certSerial="" certTimestamp="0"/>
</Item>
<Item type="0" objectType="0" path="C:\Users\david\Downloads\THORN_Tools_2024.01.19.zip=>THORN Tools 2024.01.19/Thorn.exe" threatType="0" threatName="IL:Trojan.MSILMamut.13873" action="5" allActions="3 5" initialStatus="3" finalStatus="5" quarId="" failReason="0" itemHash="no_hash" chainHash="no_hash" family="" rtvrType="">
 


  • Root Admin

I have no idea if they are infected, bad, or not. Restore one or download one again and upload it to https://virustotal.com and have them scan it.

However, not being in a startup group and/or otherwise detected, it's just a flat file and not normally a threat, so I would ignore that.

The system does not show any obvious signs of being infected.

 

This topic is now closed to further replies.