Extension.Mismatch


39 replies to this topic

#1 whatmeworry?

Posted 29 June 2010 - 08:26 AM

Today, as usual, I ran a Quick Scan after updating MBAM to version 4253. To my surprise, I didn't get the usual clean bill of health. Instead, MBAM reported one problem: Extension.Mismatch. The category was File and the Item was C:\WINDOWS\system32\File.txt. No action was taken, and I don't know whether to tell MBAM to Remove or Ignore this. I tried searching the forum for more information and also googling, but I came up empty on the forum search, and Google wouldn't differentiate between Extension.Mismatch and Extension Mismatch, so I got tons of irrelevant answers and even the one mention of Extension.Mismatch wasn't useful.

I took a look at the C:\WINDOWS\system32 directory, and the file in question is listed as a 36 KB Text file with a modified date of 10/9/1998 5:01PM. I checked to see whether there were other files from the same date in this directory, and I found one: bdeadmin.cpl, a 179KB Control Panel extension with the same date and time.

I'm not sure whether I should tell MBAM to remove File.txt. It was the only problem the Quick Scan turned up. I run scans every day, and they're almost always clean (and when they're not, the "problem" has usually turned out to be a false positive). I'd welcome some advice about this finding from MBAM.

Thanks in advance.

Dell XPS 8300 Win7 Prof. 64-bit desktop (Intel Core i5-2400 processor, 8 GB RAM): MS Security Essentials AV, Windows Firewall, MBAM Pro, WinPatrol PLUS
Dell Latitude E5530 Win7 Prof. 64-bit laptop: (Intel 3rd gen. i5-3230M processor, 4 GB RAM), MS Security Essentials AV, Windows Firewall, MBAM Pro, WinPatrol PLUS


#2 Firefox

Posted 29 June 2010 - 08:54 AM

Hello and ;)

Not sure if it may be a false positive or not.

Try uploading the file to VirusTotal: http://www.virustotal.com/ and see if it comes back infected....


Dell Precision T7500, Win7 Ultimate 64bit fully updated, McAfee Corp Edition v8.8,
Watchguard Firewall, Intel Xeon E5606CPU, Dual Quad Core Processors, 16GB Ram,
E5606 @ 2.13GHz, Nvidia Quadro NVS420, Raid-1 Dual 1TB Sata 10000 rpm Hard Drives
Dual DVD Burners, IE10, Opera, MBAM, MBSB, MBAE


#3 whatmeworry?

Posted 29 June 2010 - 09:06 AM

Thanks very much, Firefox, for your prompt and helpful response. I did as you suggested. VirusTotal at first reported that the file had been scanned earlier--in 2009--and 0/41 found a problem. I nonetheless told it to rescan now. Again, 0 out of 41 reported a problem, so I guess the file is not infected. So what should I do now? I still have MBAM waiting for me to tell it what to do. Should I re-run the scan in order to generate a developer's log, and then post this in the False Positives section? Just tell MBAM to ignore it and get on with my life? ;) Remove it?

Thanks again, and in advance.


#4 Firefox

Posted 29 June 2010 - 09:18 AM

As for removing the file, I am not sure myself as I have not come across this file myself. You could wait to see what one of the experts suggests.


#5 nosirrah

Posted 29 June 2010 - 09:22 AM

Zip and upload a copy of the file.

I know what is supposed to be happening here and need to double check.
Bruce Harrison
Vice President of Research

#6 Firefox

Posted 29 June 2010 - 09:24 AM

Thanks for stepping in, nosirrah. I know what I would do on my computer (but I know how to recover if something goes wrong)....


#7 whatmeworry?

Posted 29 June 2010 - 09:25 AM

Thanks, Firefox. I don't really want to keep MBAM waiting for me to tell it what to do, so I think I'll tell it to Ignore the file and then I'll run the scan again to yield a developer's log. I'll then post in the False Positives section. Though if it's a FP, I'm surprised no one else has reported it this morning.

Thanks again.


#8 Fom

Posted 29 June 2010 - 09:38 AM

Not sure if I should be posting in this thread or not, but I as well got an Extension.Mismatch error today during my daily scan. Just looking for any info on the subject and if I should be worried or not.


Files Infected:
C:\Windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url (Extension.Mismatch) -> Quarantined and deleted successfully.

As you can see I removed the suspect file so sadly I can't provide anymore info on it. ;)

#9 whatmeworry?

Posted 29 June 2010 - 09:53 AM

Hi, Fom. I don't know whether it was a message of yours that I saw when I was searching Google for info about Extension.Mismatch, but someone reported the same problem you've mentioned. However, that person's MBAM report mentioned lots of other problems as well. Since the Extension.Mismatch file in question wasn't the same one as mine nor in the same place, and since that problem was only one of many, I felt it wasn't likely to be a sign of a false positive. I assume you removed all the problems MBAM found and ran another scan, and that that scan came up clean. If not, you should probably seek help from the forum. I don't remember the exact wording of the standard message that explains that malware problems are not worked on in this forum but rather elsewhere, but I'm sure you can find that message easily enough. Just look for a reply to anyone seeking help for an infection.

Good luck!


#10 Fom

Posted 29 June 2010 - 10:05 AM

Hi, Fom. I don't know whether it was a message of yours that I saw when I was searching Google for info about Extension.Mismatch, but someone reported the same problem you've mentioned. However, that person's MBAM report mentioned lots of other problems as well. Since the Extension.Mismatch file in question wasn't the same one as mine nor in the same place, and since that problem was only one of many, I felt it wasn't likely to be a sign of a false positive. I assume you removed all the problems MBAM found and ran another scan, and that that scan came up clean. If not, you should probably seek help from the forum. I don't remember the exact wording of the standard message that explains that malware problems are not worked on in this forum but rather elsewhere, but I'm sure you can find that message easily enough. Just look for a reply to anyone seeking help for an infection.

Good luck!

No that wasn't me, but I also saw the page you're talking about while searching google. ;)

I've had problem-free scans for as long as I can remember until today. This was the only problem in my scan results. I haven't changed or downloaded anything on my computer in the last 24 hours since my last clean scan, so I'm thinking it might have been a false positive, but it still has me a bit worried since I'm super paranoid about my computer security. :)

#11 nosirrah

Posted 29 June 2010 - 10:09 AM

This is supposed to be catching executables hiding inside of non-executable extensions. The first one, file.txt, looks like something user created.

C:\Windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url <- I am looking into this one, we may need to fine tune this some more.
Bruce Harrison
Vice President of Research
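
Added example, not part of the original post and not Malwarebytes' code: a Python version of the kind of check described above, flagging files whose content is a Windows PE executable while the extension is not an executable one. The extension list, the function names and the sample files are assumptions constructed for illustration; the text file that merely starts with "MZ" shows why testing only the first two bytes would over-report.

```python
import struct
from pathlib import PureWindowsPath

# Extensions under which PE content is expected (assumed list for this example).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}

def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extension_mismatch(path: str, data: bytes) -> bool:
    """Flag PE content stored under a name that does not look executable."""
    ext = PureWindowsPath(path).suffix.lower()
    return is_pe(data) and ext not in PE_EXTENSIONS

def make_pe_stub() -> bytes:
    """Constructed sample: a 64-byte DOS header followed by a PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20

# Constructed file names and contents, not taken from the thread.
SAMPLES = {
    r"C:\Temp\notes.txt": b"MZ is also how this plain text note starts." + b" " * 40,
    r"C:\Temp\report.txt": make_pe_stub(),
    r"C:\Temp\tool.exe": make_pe_stub(),
    r"C:\Temp\link.url": b"[InternetShortcut]\r\nURL=https://example.com/\r\n",
}

def scan(samples: dict) -> list:
    """Return the sorted paths whose content and extension disagree."""
    return sorted(p for p, d in samples.items() if extension_mismatch(p, d))

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(f"Extension.Mismatch candidate: {hit}")
```

As the reports in this thread show, a rule like this needs tuning against false positives before its hits are acted on automatically.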


#12 Carbonyl

Posted 29 June 2010 - 10:11 AM

No that wasn't me, but I also saw the page you're talking about while searching google. ;)

I've had problem-free scans for as long as I can remember until today. This was the only problem in my scan results. I haven't changed or downloaded anything on my computer in the last 24 hours since my last clean scan, so I'm thinking it might have been a false positive, but it still has me a bit worried since I'm super paranoid about my computer security. :)


Hi Fom!

Just throwing my two cents in here. This morning I got the same Extension.Mismatch warning on the exact same file. C:\Windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url

This was on top of a suspicious reading from MBAM regarding vcredist type executables from Steam, so I'm thinking there's a chance for a false positive here.

So, at the very least, you're not alone!

Also, I have samples of this file, if they are desired. Thanks to everyone (particularly nosirrah!) for the input here.

#13 sharptooth53

Posted 29 June 2010 - 10:12 AM

Not sure if I should be posting in this thread or not, but I as well got an Extension.Mismatch error today during my daily scan. Just looking for any info on the subject and if I should be worried or not.


Files Infected:
C:\Windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url (Extension.Mismatch) -> Quarantined and deleted successfully.

As you can see I removed the suspect file so sadly I can't provide anymore info on it. ;)



Well, I just got done running a full system scan and got the same EXACT file "infected" and I didn't do anything yet... it is still here on my PC.... I would say false positive if I've ever seen one, cuz I've come up clean for like 6 months with full scans from Norton, Malwarebytes, and also used to use a-squared Free till recently.


:)

#14 Fom

Posted 29 June 2010 - 10:18 AM

This is supposed to be catching executables hiding inside of non-executable extensions. The first one, file.txt, looks like something user created.

C:\Windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C92.url <- I am looking into this one, we may need to fine tune this some more.

Even though I removed Icon048298C92.url there is still Icon048298C91.exe in the same directory I can provide information on if needed.

#15 nosirrah

Posted 29 June 2010 - 10:18 AM

Update and try again guys, I think I have this fixed.
Bruce Harrison
Vice President of Research


#16 Firefox

Posted 29 June 2010 - 10:20 AM

PS: Please use the "ADDREPLY" button instead of other ones when you start replying. ;)


#17 shaiz

Posted 29 June 2010 - 10:21 AM

Update and try again guys, I think I have this fixed.

I just updated and ran a scan of my Malwarebytes and I got the same c:\windows\installer... extension.mismatch as the guys above me.

I quarantined and deleted it though.. I'm running another scan now.

Should I be worried? maybe format, or is it a false-positive?

I own Steam as well by the way.

#18 Fom

Posted 29 June 2010 - 10:23 AM

I have Steam installed as well if it matters.

#19 nosirrah

Posted 29 June 2010 - 10:26 AM

Make sure you have update 4256. If you do and you still get this detection please post a scan log.
Bruce Harrison
Vice President of Research


#20 shaiz

Posted 29 June 2010 - 10:27 AM

Make sure you have update 4256. If you do and you still get this detection please post a scan log.

Is there something to do if I quarantined and deleted it?

I went into the quarantine section and I clicked Restore, am I being left in the dark for deleting it?



