Hi all,
After updating MBAM to 1.39 and rebooting, my KIS 2010 found, launched during boot, a "Run Once Wrapper", which was assigned to the "green/no-problem area", and a file called "IS-KEM2G.EXE", assigned to the low-restriction area. I tried to find something about this file on Google but without success.
Is there anyone who can explain what sort of file this is?
Thanks in advance for any suggestions.
Rocky
#1
Posted 14 July 2009 - 09:22 AM
#2
Posted 14 July 2009 - 09:36 AM
Not sure what it is. Have not heard of it before myself. If you can, try to upload it here and see what they say about it: http://www.virustotal.com
#3
Posted 14 July 2009 - 09:44 AM
Thanks for your quick reply,
but I can't find that file anymore; it seems that it was a sort of "run once" file after the update. That's why I thought it was something related to the MBAM update to version 1.39.
I checked the applications launched at boot and at first sight there is nothing worrying; one thing is sure, the file doesn't exist anymore.
Thanks again for your support
Rocky
#4
Posted 14 July 2009 - 09:49 AM
I tried to boot again just to make sure that everything was ok
and in fact my KIS did not find that file anymore.
Rocky
#6
Posted 14 July 2009 - 10:43 AM
FWIW: when updating to a new version, Scotty (WinPatrol) always alerts that there's a "run once" app from MBAM that wants to run. I'll try to write down what exactly is mentioned with the next update.
Kindly Regards.
Mona.
#7
Posted 14 July 2009 - 11:33 AM
mbamgui /install /silent
Should be the RunOnce entry after installing a new MBAM version. As far as the other file, since it was identified as a "wrapper" it's possible that this was just the new version of MBAM's installer executing from a temp location, but I could be wrong.
#8
Posted 14 July 2009 - 12:04 PM
I've had trouble finding information about these files, but as far as I know, they are used by a certain type of setup program. I've seen them when installing other legitimate programs as well. The file name tends to be is-[random string].exe, which makes it hard to find info about it. It also has an associated .lst file and a .msg file. I uploaded all of these to VirusTotal and got no detections from them. The file is-[random string].exe is added to the system startup programs list, then deleted after it has run once.
The purpose of this file is apparently to register some other files, and these files are specified in the .lst file. According to the .lst file added during setup of the latest version of MBAM, it registers the following files in this case, all in the MBAM program folder:
mbamext.dll
ssubtmr6.dll
vbalsgrid6.ocx
If you want to look it up, a common string associated with these files is InnoRegSetupFile. BleepingComputer thinks they're safe:
http://www.bleepingcomputer.com/startups/i....exe-16618.html
It appears that MBAM has begun to use this type of setup file as of the latest version, 1.39.
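An added example, not code from any poster or from Malwarebytes: a PowerShell listing of pending RunOnce entries that flags the is-[random string].exe helpers described in this thread and collects what is needed to check them (Authenticode status and a SHA-256 for a VirusTotal lookup). The name regex and the assumption that the .lst and .msg companions share the executable's base name are mine, not stated on the page.

```powershell
# Added example: review RunOnce entries before the reboot that consumes them.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePathFromCommand([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"')        { return $Matches[1] }  # quoted path
    if ($c -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }  # unquoted, may contain spaces
    return ($c -split '\s+')[0]                                # bare name such as "mbamgui"
}

$report = foreach ($keyPath in $runOnceKeys) {
    if (-not (Test-Path $keyPath)) { continue }
    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        $exe = Get-ExePathFromCommand $cmd
        if (-not $exe) { continue }                            # empty value, nothing to inspect
        $onDisk = Test-Path -LiteralPath $exe -PathType Leaf
        # Assumption: companions sit next to the helper with the same base name.
        $stem = [IO.Path]::ChangeExtension($exe, $null)
        [pscustomobject]@{
            Key          = $keyPath
            ValueName    = $name
            Command      = $cmd
            Executable   = $exe
            # Assumed pattern for "is-[random string].exe"; -match ignores case,
            # so IS-KEM2G.EXE from the first post matches.
            InnoStyle    = (Split-Path $exe -Leaf) -match '^is-[0-9a-z]+\.exe$'
            OnDisk       = $onDisk
            HasLst       = Test-Path -LiteralPath ($stem + '.lst')
            HasMsg       = Test-Path -LiteralPath ($stem + '.msg')
            Signature    = $(if ($onDisk) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' })
            SHA256       = $(if ($onDisk) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { 'n/a' })
        }
    }
}

$report | Format-List
```

Run it after the installer finishes and before rebooting; once the entry has executed, both the registry value and the helper file are gone, which matches what Rocky observed.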
#9
Posted 14 July 2009 - 12:59 PM
Thank you very much for all your interesting info.
I'm wondering why I haven't been told that by AdvancedSetup: I mean if this is true it is a thing very well known by MBAM setup!
Thanks again for all your support.
Rocky
#10
Posted 14 July 2009 - 05:06 PM
#11
Posted 14 July 2009 - 06:59 PM
@xx521xx: I believe you've hit the nail on the head. MBAM's installer does indeed (and always has as far as I know) use an InnoSetup installer package. It's also possible (and again likely) that since a new update for the VB6 runtimes has been released by Microsoft to patch a security vulnerability that the new version of MBAM needs to unregister the old versions and register the new, more secure ones that are bundled with its installer (those are the files you referenced as being registered).