Malwarebytes

False positive winlogon.exe


20 replies to this topic

#1
gen-hackman

    New Member

  • Members
  • 22 posts
  • Gender: Male
  • Location: Marseille, France
hello

I found a funny thing about Malwarebytes.

Take the installer of any program (for example the VLC installer), copy it to your desktop, and rename it winlogon.exe.

Run a scan with Malwarebytes and it finds that it's a Reserved.word.exploit ^^

Isn't it funny?

I see that every day with my tool Pre_Scan, renamed winlogon to kill the rogues, when I use MBAM at the end of the disinfection :)

http://forums-fec.be...an/Pre_Scan.exe

Regards

#2
shadowwar

    Forum Deity

  • Moderators
  • 2,690 posts
That is detected like it should be. Reserved word exploit means that nothing should be named winlogon.exe outside of the system directory. If you are doing this to get it to run, it can be added to the Malwarebytes ignore list.
Malware does this a lot, but power users can also do this sometimes to get tools to run outside a malware blacklist. We have no way of knowing if this is malware or on purpose; that is why it's detected like this.

How often is your file updated? It may be possible to whitelist it.
Rich Matteo
Research Engineer

Follow us: Twitter, Become a fan: Facebook

#3
gen-hackman
How often is your file updated?

It depends... I update my tool often .... 6 times a day (seeing that, you can't use the MD5 to whitelist it).

If it can be of use to you:

Version = 2.6.1.9 (changes very often , 6 = month , 19 = day)
LegalCopyright = g3n-h@ckm@n
FileDescription = g3n-h@ckm@n
DefaultLangCodepage = 040C04B0

I don't know which fix you can make ....

It's generally in the Downloads folder or on the Desktop at the beginning, and afterwards it's on the Desktop, because the program makes a copy of itself there at the end of the scan/kill so it can be run again at the next launch without having to search for it... try it and you'll see.

In fact it has 3 names:

Pre_Scan.exe
Winlogon.exe (you understand why ^^)
Pre_Scan.pif (I think you understand why too :D)

regards
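The moderator's explanation in #2 (a reserved system process name is only legitimate inside the system directory) and the poster's point in #3 (the MD5 changes on every rebuild, so a whitelist would have to key on something else, such as the version-info fields) can be shown as a small defender-side check. This is an added example, not code from the thread or from Malwarebytes; the reserved-name list, the system directories and the whitelist entry are constructed assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Constructed list of process names Windows only runs from its own system
# directories; illustrative, not Malwarebytes' actual reserved-word list.
RESERVED_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}

# Locations where a reserved name is legitimate. PureWindowsPath compares and
# hashes case-insensitively, so r"c:\windows\system32" matches as well.
SYSTEM_DIRS = {PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64")}

@dataclass(frozen=True)
class VersionInfo:
    """Two fields from a PE version resource, as quoted in the thread."""
    legal_copyright: str
    file_description: str

# Hypothetical whitelist keyed on version-info fields instead of a hash, so it
# survives rebuilds; the entry mirrors the values the poster gave.
WHITELIST = {VersionInfo("g3n-h@ckm@n", "g3n-h@ckm@n")}

def classify(path: str, info: Optional[VersionInfo] = None) -> str:
    """Return 'clean', 'whitelisted' or 'reserved_name_outside_system_dir'."""
    p = PureWindowsPath(path)
    if p.name.lower() not in RESERVED_NAMES:
        return "clean"                      # ordinary file name, nothing to check
    if p.parent in SYSTEM_DIRS:
        return "clean"                      # the real system binary lives here
    if info is not None and info in WHITELIST:
        return "whitelisted"                # known tool renamed on purpose
    return "reserved_name_outside_system_dir"

def scan(entries):
    """entries: iterable of (path, VersionInfo or None); returns only the hits."""
    return {path: verdict for path, info in entries
            if (verdict := classify(path, info)) != "clean"}

if __name__ == "__main__":
    # Constructed sample listing: a renamed installer, the real binary, the tool.
    sample = [
        (r"C:\Users\me\Desktop\winlogon.exe", None),
        (r"C:\Windows\System32\winlogon.exe", None),
        (r"C:\Users\me\Desktop\Winlogon.exe", VersionInfo("g3n-h@ckm@n", "g3n-h@ckm@n")),
        (r"C:\Users\me\Downloads\Pre_Scan.exe", None),
    ]
    for path, verdict in scan(sample).items():
        print(f"{verdict}: {path}")
```

Keying a whitelist on version strings is weak on its own, since anyone can set those fields; in practice it would be paired with a signature or a hash of the stable parts of the binary.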

#4
shadowwar
Do you have a few previous versions you can attach here maybe?
Thanks.
Rich Matteo
Research Engineer

#5
gen-hackman
Can we attach 6/7 MB here?

#6
shadowwar
Yes, or PM me a link or the files. Thanks
Rich Matteo
Research Engineer

#7
gen-hackman
OK, I've another idea.

Here is a zip containing 3 samples of the last versions.

regards

#8
gen-hackman
oops....

#9
shadowwar
Got them and deleted the links.
Will look at this by tomorrow.
Rich Matteo
Research Engineer

#10
shadowwar
All these are the same MD5.
Rich Matteo
Research Engineer

#11
gen-hackman
OK, there's still one link in my 1st post (not important for me if it stays).

Read you later, thx

#12
gen-hackman
Yes, but when I update, the MD5 necessarily changes.

#13
gen-hackman
I've just updated it, an hour ago.

Here's the analysis from VirusTotal:

https://www.virustot...sis/1340150491/

Permanent links to download:

http://gen-hackman.f...-speech-pre_san

I know the MD5 is the same for the three of them; only the name changes.

#14
shadowwar
OK, can whitelist this for now. Was trying to see past versions so I can make a stronger whitelist for them.
Rich Matteo
Research Engineer

#15
gen-hackman
OK, thank you very much :D

Regards

PS: in fact it's not so important, but if I need to use it again after the Malwarebytes scan and deletion, the user will have to download it again, and that means manipulations for nothing :)
Scripting my tool, there are a lot of possible switches (a little bit like ComboFix) and you can do whatever you want on the PC.

thx again

#16
shadowwar
This should be fixed in next database update.
Rich Matteo
Research Engineer

#17
gen-hackman
Thank you very much!

Like we say in French: "Au plaisir"

The expression means: a pleasure to see you again in the near future :)

bye

#18
gen-hackman
Hello, just to say it's still detected like before :)

Regards

#19
shadowwar
I just checked here and on the desktop it's not detected?
Rich Matteo
Research Engineer

#20
gen-hackman
OK, sorry, MBAM was not updated.

thanks