Brokerage Update Check software - Rogue.EvidenceEliminator


davidi

The attached log has two items that I would like to understand why they might be flagged as a concern or perhaps they (one or both) are false positives.

I'll post the two items as separate topics although they can both be seen in the attached developer log.

This first one reports a temporary file that is generated upon start up of Windows as (Rogue.EvidenceEliminator).

I have narrowed this down, by turning off/on my various programs that start up when Windows starts up, to some part of the process of my brokerage trading software that offers to check for an updated version of their software when Windows starts up. Specifically it's the Interactive Brokers TWS application and the start up is "C:\Jts\WiseUpdt.exe".

Best I can tell is that when Windows starts up (I have cleared the temp location before the restart) my brokerage software starts its check to offer to check for updates but it doesn't get to displaying any dialog windows to me. What happens is apparently in the process the brokerage's update check software creates and perhaps is running a "temp\GLK2.tmp" file and MBAM catches it and intercepts it and presents me with the Rogue.EvidenceEliminator message.

If I terminate then I will get a small dialog window from the terminated software/process saying "Installation Aborted!", "Internal Error", "OK" and my brokerage update software doesn't follow through its normal process of asking me if I want to check for an update. Also the temporary file (GLK2.tmp in this example) remains in my file system.

Sometimes MBAM will close up (I mean that its presence in the Taskbar as an open window goes away) as expected. Sometimes I remain with a dead/ghost of MBAM in the taskbar. Clicking on it to minimize/restore does nothing and there is no right click "close" on the taskbar item and it doesn't appear as an application in my Task Manager. So I just have this extra space taken up with it appearing that MBAM must have an open window (or minimized) on my desktop but no evidence of such.

I could 'ignore' this but I'm wondering if I should be concerned about this "evidence eliminator" or if it's a false positive. I would appreciate some thoughts on this.

As for the ghost of MBAM remaining in the taskbar - I'm not sure how that happens and if it's related to this or the other issue MBAM found or my system. It seems intermittent. I'm mostly concerned about it because as a computer hardware/software support person with many home based and small business clients I have started to recommend MBAM and purchase of MBAM Pro as part of their protection and I want to avoid questions from users as much as possible about strangeness such as this. I can work with them on what to 'terminate', 'ignore', etc. but to have a leftover bit of the application appearing to hang around on the taskbar (as if it were an open/minimized window) and not have it really act that way or go away is a bit harder for me to casually brush off as 'normal', 'just ignore it' - that won't fly. But I want to be totally clear - I am the only one right now that has seen that behavior in my experience and I don't know that my clients have that experience. And it is intermittent for me.

For now I have disabled the automatic update check by my brokerage software because it's not something I currently need. Although there was a time when it was something that was important for me to have run every day.

Thanks for your thoughts and input on this,

- David I

  • Staff

I have removed both of these in defs 1328.

One was an install component used by both malware and legit software.

The other was just a coincidental hit but because the def was for a long dead infection I just removed it.

As for non-FP related issues, make sure to post your question where people looking for this type of issue will be looking.

http://www.malwarebytes.org/forums/index.php?showforum=41
