Jump to content

Extension.Mismatch


Recommended Posts

Today, as usual, I ran a Quick Scan after updating MBAM to version 4253. To my surprise, I didn't get the usual clean bill of health. Instead, MBAM reported one problem: Extension.Mismatch. The category was File and the Item was C:\WINDOWS\system32\File.txt. No action was taken, and I don't know whether to tell MBAM to Remove or Ignore this. I tried searching the forum for more information and also googling, but I came up empty on the forum search, and Google wouldn't differentiate between Extension.Mismatch and Extension Mismatch, so I got tons of irrelevant answers and even the one mention of Extension.Mismatch wasn't useful.

I took a look at the C:\WINDOWS\system32 directory, and the file in question is listed as a 36 KB Text file with a modified date of 10/9/1998 5:01PM. I checked to see whether there were other files from the same date in this directory, and I found one: bdeadmin.cpl, a 179KB Control Panel extension with the same date and time.

I'm not sure whether I should tell MBAM to remove File.txt. It was the only problem the Quick Scan turned up. I run scans every day, and they're almost always clean (and when they're not, the "problem" has usually turned out to be a false positive). I'd welcome some advice about this finding from MBAM.

Thanks in advance.

Link to post
Share on other sites

Thanks very much, Firefox, for your prompt and helpful response. I did as you suggested. VirusTotal at first reported that the file had been scanned earlier--in 2009--and 0/41 found a problem. I nonetheless told it to rescan now. Again, 0 out of 41 reported a problem, so I guess the file is not infected. So what should I do now? I still have MBAM waiting for me to tell it what to do. Should I re-run the scan in order to generate a developer's log, and then post this in the False Positives section? Just tell MBAM to ignore it and get on with my life? ;) Remove it?

Thanks again, and in advance.

Link to post
Share on other sites

Thanks, Firefox. I don't really want to keep MBAM waiting for me to tell it what to do, so I think I'll tell it to Ignore the file and then I'll run the scan again to yield a developer's log. I'll then post in the False Positives section. Though if it's a FP, I'm surprised no one else has reported it this morning.

Thanks again.

Link to post
Share on other sites

Not sure if I should be posting in this thread or not but I as well got a Extension.Mismatch error today during my daily scan. Just looking for any info on the subject and if I should be worried or not.

Files Infected:

C:\Windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url (Extension.Mismatch) -> Quarantined and deleted successfully.

As you can see I removed the suspect file so sadly I can't provide anymore info on it. ;)

Link to post
Share on other sites

Hi, Fom. I don't know whether it was a message of yours that I saw when I was searching Google for info about Extension.Mismatch, but someone reported the same problem you've mentioned. However, that person's MBAM report mentioned lots of other problems as well. Since the Extension.Mismatch file in question wasn't the same one as mine nor in the same place, and since that problem was only one of many, I felt it wasn't likely to be a sign of a false positive. I assume you removed all the problems MBAM found and ran another scan, and that that scan came up clean. If not, you should probably seek help from the forum. I don't remember the exact wording of the standard message that explains that malware problems are not worked on in this forum but rather elsewhere, but I'm sure you can find that message easily enough. Just look for a reply to anyone seeking help for an infection.

Good luck!

Link to post
Share on other sites

Hi, Fom. I don't know whether it was a message of yours that I saw when I was searching Google for info about Extension.Mismatch, but someone reported the same problem you've mentioned. However, that person's MBAM report mentioned lots of other problems as well. Since the Extension.Mismatch file in question wasn't the same one as mine nor in the same place, and since that problem was only one of many, I felt it wasn't likely to be a sign of a false positive. I assume you removed all the problems MBAM found and ran another scan, and that that scan came up clean. If not, you should probably seek help from the forum. I don't remember the exact wording of the standard message that explains that malware problems are not worked on in this forum but rather elsewhere, but I'm sure you can find that message easily enough. Just look for a reply to anyone seeking help for an infection.

Good luck!

No that wasn't me, but I also saw the page you're talking about while searching google. ;)

I've had problem free scans for as long as I can remember until today. This was the only problem in my scan results. I haven't changed or downloaded anything on my computer in last 24 hours since my last clean scan so I'm thinking it might of been a false positive but it still have me a bit worried since i'm super paranoid about my computer security. :)

Link to post
Share on other sites

This is supposed to be catching executables hiding inside of non executable extensions. The first one file.txt looks like something user created.

C:\Windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url <- I am looking into this one, we may need to fine tune this some more.

Link to post
Share on other sites

No that wasn't me, but I also saw the page you're talking about while searching google. ;)

I've had problem free scans for as long as I can remember until today. This was the only problem in my scan results. I haven't changed or downloaded anything on my computer in last 24 hours since my last clean scan so I'm thinking it might of been a false positive but it still have me a bit worried since i'm super paranoid about my computer security. :)

Hi Fom!

Just throwing my two cents in here. This morning I got the same Extension.Mismatch warning on the exact same file. C:\Windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url

This was on top of a suspicious reading from MBAM regarding vcredist type executables from Steam, so I'm thinking there's a chance for a false positive here.

So, at the very least, you're not alone!

Also, I have samples of this file, if they are desired. Thanks to everyone (particularly nosirrah!) for the input here.

Link to post
Share on other sites

Not sure if I should be posting in this thread or not but I as well got a Extension.Mismatch error today during my daily scan. Just looking for any info on the subject and if I should be worried or not.

Files Infected:

C:\Windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url (Extension.Mismatch) -> Quarantined and deleted successfully.

As you can see I removed the suspect file so sadly I can't provide anymore info on it. ;)

well i just got done running a full system scan and got the same EXACT file "infected" and i didn't do anything yet...it is still here on my pc....i would say false positive if i ever seen one cuz i've come up clean for like 6 months with full scans from norton, malwarebytes, and also used to use asquared free till recently.

:)

Link to post
Share on other sites

This is supposed to be catching executables hiding inside of non executable extensions. The first one file.txt looks like something user created.

C:\Windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url <- I am looking into this one, we may need to fine tune this some more.

Even though I removed Icon048298C92.url there is still Icon048298C91.exe in the same directory I can provide information on if needed.

Link to post
Share on other sites

Update and try again guys, I think I have this fixed.

I just updated and ran a scan of my Malware-bytes and I got the same c:\windows\installer... extension.mismatch and the guys above me.

I quarantined and deleted it though.. I'm running another scan now.

Should I be worried? maybe format, or is it a false-positive?

I own Steam as well by the way.

Link to post
Share on other sites

Make sure you have update 4256. If you do and you still get this detection please post a scan log.

Is there something to do if I quarantined and deleted it?

I went into the quarantine section and I clicked Restore, am I being left in the dark for deleting it?

Link to post
Share on other sites

Is there something to do if I quarantined and deleted it?

I went into the quarantine section and I clicked Restore, am I being left in the dark for deleting it?

There's no edit button so I'm forced to reply to myself.

After I restored it from quarantine it found the file again even though it said it quarantined and deleted it at first. I'll upload it to that site now.

Link to post
Share on other sites

After I restored it from quarantine it found the file again even though it said it quarantined and deleted it at first. I'll upload it to that site now.

quarantine = makes a backup

delete = delete from original location

Things functioned exactly as designed.

Link to post
Share on other sites

Zip and upload a copy of the file.

I know what is supposed to be happening here and need to double check.

For some reason, I didn't see your first post or Firefox's response before I posted message #7 in this thread. I went ahead and tried to get a developer's log, following the instructions I've found elsewhere in the forum. It would seem as if I do have a developer's log, since the MBAM interface is now headed 9475796, but when I ran the second quick scan, it came up clean, in spite of my having told MBAM to ignore the problematic File.txt. The log file looks just like all the other log files I get when there is no malware detected. Is there someplace I should look for a separate developer's log? I couldn't find one.

Do you still want to see the File.txt file, or is the fact that my second scan was clean the result of your having fixed whatever was causing MBAM to report Extension.Mismatch?

Link to post
Share on other sites

quarantine = makes a backup

delete = delete from original location

Things functioned exactly as designed.

I uploaded the file to: http://www.virustotal.com/

This is what it came out with:

MD5: e146785b70788e3ae7b0918b6232a59e

First received: 2009.05.22 19:12:07 UTC

Date: 2010.02.08 05:02:50 UTC [>141D]

Results: 0/40

Does it mean it's a false-positive?

It's an internet file, by the way.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.