Conflicting info via Google as to Good/Bad catches by MBAM newest

#1
ShyWriter

Hello;

Wondering if the following 3 items (shown as 3 worms) are false positives or actual threats. They are currently quarantined per MBAM detection with the database shown. Not picked up by SAS, Emsisoft AM or MBAM previous to the newest version of MBAM. The "pmmig.exe" is supposedly the Pale Moon browser importer. The 2 "registry worms" are 50/50 on various sites as to good or bad.

Steve :: PROTEUS-ONE [administrator]

Protection: Enabled

4/10/2012 13:22:28
mbam-log-2012-04-10 (13-22-28).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 525037
Time elapsed: 2 hour(s), 27 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\Typelib\{8C2B40D2-963F-4307-AD3E-44A17D530D67} (Worm.Agent) -> Quarantined and deleted successfully.
HKCR\Interface\{1551601C-141C-4499-9C05-557CA1440A05} (Worm.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Steve\Downloads\pmmig.exe (Worm.Agent) -> Quarantined and deleted successfully.

(end)

Thanks in advance!
Steve


People sleep easy in their beds at night only because

rough men stand ready to visit violence on those who

would do them harm. ~~ Orson Wells
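For triaging a suspected false positive like the one above, it helps to turn the MBAM scan log into structured records so the hits can be grouped by signature name before submitting them. The parser below is an added example, not part of this thread or of Malwarebytes' own tooling; the sample log is a constructed excerpt of the log posted above, and the `Detected: N` section and `location (Name) -> action` item layout are assumed from that log.

```python
import re
from collections import namedtuple

# Constructed sample, trimmed from the MBAM scan log posted in this thread.
SAMPLE_LOG = r"""Scan type: Full scan
Objects scanned: 525037

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\Typelib\{8C2B40D2-963F-4307-AD3E-44A17D530D67} (Worm.Agent) -> Quarantined and deleted successfully.
HKCR\Interface\{1551601C-141C-4499-9C05-557CA1440A05} (Worm.Agent) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Users\Steve\Downloads\pmmig.exe (Worm.Agent) -> Quarantined and deleted successfully.

(end)
"""

# category: e.g. "Registry Keys"; location: registry or file path; name: signature; action: what MBAM did
Detection = namedtuple("Detection", "category location name action")

SECTION_RE = re.compile(r"^(?P<category>.+?) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (header, detections): header maps the 'Key: value' lines, detections is a list."""
    header, detections, category = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:                       # section header such as "Registry Keys Detected: 2"
            category = m.group("category")
            continue
        m = ITEM_RE.match(line)
        if m and category:          # one detected item inside the current section
            detections.append(Detection(category, m["location"], m["name"], m["action"]))
        elif category is None and ": " in line:
            key, value = line.split(": ", 1)
            header[key] = value
    return header, detections

def by_detection_name(detections):
    """Group hit locations by signature name; unrelated items sharing one name hint at a single FP rule."""
    groups = {}
    for d in detections:
        groups.setdefault(d.name, []).append(d.location)
    return groups
```

In this log all three hits carry the same name, which is the kind of pattern worth pointing out when reporting the detection.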


#2
shadowwar

Can you please post this in the fp forum with the file attached and a dev scan?

Thanks
Rich Matteo
Research Engineer


#3
ShyWriter

Will do; please see PM in a few minutes; I'm still writing it.

Thanks,
Steve



#4
shadowwar

Please restore it from quarantine.

Thanks.
Rich Matteo
Research Engineer


#5
ShyWriter

Rich,

Newer database updates must have fixed whatever was causing PMMIG.EXE to be detected as a worm by MBAMPro...

Sorry for the uncertainties about it.

Also VT gave it a clean sweep as well:

Virus Total

https://www.virustotal.com/file/b0e18cf70a7f22343d4b5998722a8edd8b7899e974e87f1cb09b3d41c4bfb301/analysis/1334112365/

SHA256:b0e18cf70a7f22343d4b5998722a8edd8b7899e974e87f1cb09b3d41c4bfb301
File name: pmmig.exe
Detection ratio: 0 / 42
Analysis date: 2012-04-11 02:46:05 UTC ( 1 minute ago )

You can close and lock this thread; thank you for your patience.

Steve



#6
shadowwar

no problem

thanks for trying!
Rich Matteo
Research Engineer


#7
shadowwar

There was another report. Is it possible to get the pmmig zipped up and attached?

I think this is because of Delphi programs causing an FP.

This should be fixed in the next update regardless.
Rich Matteo
Research Engineer


#8
ShyWriter

Laugh; glad I still had it in the recycle bin. BTW, this file has been reported all over the security community via various vendors since its inception as both safe as well as bad. Since 2010. Go figure.


Attached File: pmmig.zip (631.58K)

Attached File: ScreenHunter_04 Apr. 11 18.13.gif (27.13K)


Thanks for the follow-thru Rich,
Steve



#9
ShyWriter

Ok Rich;

I put the pmmig.exe from the Recycle Bin back in its original location and UN-quarantined the 2 "worm" registry entries and put them back; rebooted, updated and ran a scan.

All is good!

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org


Database version: v2012.04.12.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Steve :: PROTEUS-ONE [administrator]

Protection: Enabled

4/12/2012 01:08:18
mbam-log-2012-04-12 (01-08-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 254189
Time elapsed: 14 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Looks very, VERY good.
Thanks for the quick work on the definition fixes. :)

Steve
