miekiemoes

Staff
  • Posts: 10,868
  • Joined

Reputation

213 Excellent

5 Followers

About miekiemoes

  • Birthday 07/19/1975

Contact Methods

  • MSN
    notimetochat
  • Website URL
    http://miekiemoes.blogspot.com https://www.malwarebytes.com

Profile Information

  • Location
    Belgium

Recent Profile Visitors

61,765 profile views
  1. Combofix uses some commandline tools that are often used by malware as well, hence why this is being flagged as heuristic. Given Combofix is outdated for more than 15 years anyway, it's safe to delete it as I do not recommend running it on any newer OS after Windows 7, since it might break more than fixing things.
  2. No, it's just because, when the file is in use, Malwarebytes might alter the PE header in some cases for a successful removal, so that results in a different sha256, but restores this again if not quarantined or unquarantined. Or it might also be because rootkit scanning sees a slight difference in files when checked at kernel level in comparison with usermode level (forged files), but that often happens when the file is in use as well.
  3. Yes, files are ok. The reason why it started to detect since recently is because I created that generic detection rule recently as well :)
  4. Yes, that's because of the rootkit scanning. But don't worry and don't be nervous. I wrote the actual detection rule and know it might involve a handful of FPs when rootkit scanning is enabled which happened here in your case. :)
  5. That file is clean. This is really because of the rootkit scanning being enabled though. I will adjust the detection rule to make it a little less generic so this won't be triggered anymore when rootkit scanning is enabled.
  6. That's correct, nothing harmful was installed on your pc :)
  7. Thanks! That's a 2GB+ file, so unsure if this is the installer. Did he zip the entire contents of his stick? I'll hide the above post for public, just in case something personal is in this zipped file. Edited to add. This is indeed an installer and looks completely legit/safe.
  8. Hi, This is indeed a false positive by our additional machine learning engine we have implemented. This will get fixed. Thanks for reporting!
  9. Hi, Unfortunately we can't do anything with the above info or verify if it's an FP, since we don't have the file and don't know what it is detected as either. So can you post/attach the file and the detection log please?
  10. Hi, This is indeed a false positive by our additional machine learning engine we have implemented. This will get fixed. Thanks for reporting!
  11. Given you had rootkit scanning enabled, that might be the reason since this reads usermode with kernelmode version and when a file is in use at the time, it might see a difference here. This doesn't mean it's a rootkit though. This might just happen when the file is in use. Sometimes this also gives unpredictable results as that engine works slightly different. This is exactly why rootkit scanning is disabled by default when you install Malwarebytes. Also because our current engines are powerful enough already to deal with rootkits even when rootkit scanning is disabled.
  12. VT only has files if they are uploaded to there. So in your case, the sha256 that was detected (EC25CAA16313E987285266D0F30BABB33712C427F01A6039F31A1D37B95B4B2D) was never seen by VT. That doesn't necessarily mean the file is bad, but it also makes it more suspicious, since, if it would be a file that is quite popular, Virustotal should have seen it at least once.
  13. Hi, Above shouldn't be detected anymore either with my previous fix already. I just verified. While you tested the above/modified your above file, you probably didn't have the latest update of our database yet with the fix :)
  14. I don't think you ever installed that program, as it's just an installer file that was detected. You probably downloaded it once, or it got downloaded with another program where the download/save location was accidentally that MobileSync\Backup location that session. Either way, don't worry about it too much; even if you had installed it, it's harmless :)