News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests

Main Menu

Did anybody stumbled upon Win BEX exception?

Started by frktons, December 27, 2012, 09:53:49 AM

Previous topic - Next topic

frktons

Quote from: qWord on December 27, 2012, 05:39:57 PM
can you delete the EXE immediately after building or executing?

As far as I know, yes. Sometime I recompile a program soon
after I've added one line or changed something, that I remember
after a little time that I compiled and executed the prog.

Quote from: sinsi on December 27, 2012, 04:43:49 PM
No problem in win7 either.

DEP and/or buffer underrun exploits are quite often a symptom of a malware infection.
Download malwarebytes

Having gone so far, I'll follow your advice and let you know.
There are only two days a year when you can't do anything: one is called yesterday, the other is called tomorrow, so today is the right day to love, believe, do and, above all, live.

Dalai Lama

frktons

A scan with malwarebytes has found this:
Quote
File rilevati: 6
C:\masm32\topgun.exe (Trojan.Dropper.PGen) -> Spostato in quarantena ed eliminato con successo.
C:\masm32\examples\exampl03\lcd\lcd.exe (Trojan.Downloader) -> Spostato in quarantena ed eliminato con successo.
C:\masm32\Masm32_examples\exampl05\enumkeys\enum.exe (Trojan.Downloader) -> Spostato in quarantena ed eliminato con successo.
C:\masm32\Masm32_examples\exampl05\lcd\lcd.exe (Trojan.Downloader) -> Spostato in quarantena ed eliminato con successo.
C:\masm32\Masm32_examples\exampl06\treedemo\treedemo.exe (Trojan.Downloader) -> Spostato in quarantena ed eliminato con successo.
C:\Windows\Setup\scripts\faXcooL.exe (HackTool.Wpakill) -> Spostato in quarantena ed eliminato con successo.
I've quarantined the files for the time being, but it is strange
most of the infected files on Masm32 examples.
I'll check other disks as well and see what I find.

Frank
There are only two days a year when you can't do anything: one is called yesterday, the other is called tomorrow, so today is the right day to love, believe, do and, above all, live.

Dalai Lama

dedndave

the masm32 files - you can ignore (malwarebytes has that option)

the last one seems to be a WPA work-around
not sure you want to delete that, either - lol

frktons

Same thing on disk F:
Quote
File rilevati: 5
F:\masm32\topgun.exe (Trojan.Dropper.PGen) -> Spostato in quarantena ed eliminato con successo.
F:\masm32\examples\exampl03\lcd\lcd.exe (Trojan.Downloader) -> Spostato in quarantena ed eliminato con successo.
F:\masm32\Masm32_examples\exampl05\enumkeys\enum.exe (Trojan.Downloader) -> Spostato in quarantena ed eliminato con successo.
F:\masm32\Masm32_examples\exampl05\lcd\lcd.exe (Trojan.Downloader) -> Spostato in quarantena ed eliminato con successo.
F:\masm32\Masm32_examples\exampl06\treedemo\treedemo.exe (Trojan.Downloader) -> Spostato in quarantena ed eliminato con successo.

I wonder if these are false positive, or they are really infected.
But where is the source of infection, if it is a real infection?
There are only two days a year when you can't do anything: one is called yesterday, the other is called tomorrow, so today is the right day to love, believe, do and, above all, live.

Dalai Lama

dedndave

they are likely false positives
you can look in the AV sub-forum and find them listed several times

frktons

Well Dave, that's the IT world today:
-------------------------------------------------------------
- Windows has some nice bugs
- The Internet is stuffed with malwares
- The AV programs have their limits
- The whole is quite complex for anyone to manage

So far I've found thousands of documented cases of people
having the same problem as I do.
Many partial solutions applied to solve single cases are not
suitable for my PC configuration.
Malwarebytes that I installed today has found some false positive
but their elimination didn't solve anything.
If I use it to prevent web sites potentially dangerous, I can't use
the internet connection altogether.
A messy stuff indeed.  :lol:
There are only two days a year when you can't do anything: one is called yesterday, the other is called tomorrow, so today is the right day to love, believe, do and, above all, live.

Dalai Lama

frktons

When Malwarebytes is "on" to check potentially dangerous web sites
it continually says: Blocked access to the IP 176.31.229.25/24 avp/svchost
port:xxxxx in output, and the port changes continuosly. At the same time the
internet connection becomes anavailable and to write this post I have to
turn off this feature of the anti-malware prog. Not a great prog after all.

I got the masm32 progs back to their place from the quarantine area.
Now I'm thinking about this IP: 176.31.229.24/25 I'm curious to see if I
find something.
There are only two days a year when you can't do anything: one is called yesterday, the other is called tomorrow, so today is the right day to love, believe, do and, above all, live.

Dalai Lama

frktons

What I found is that a nice web site should have changed
my DNS IPs from OpenDNS's ones [208.67.222.222/208.67.220.220]
to these [176.31.229.24/ 176.31.229.25].
Now I wrote back the old ones, and MalwareBytes doesn't complain anymore.
Ater all it was useful to point my attention to the underlying problem.
This solution is NOT going to solve the BEX problem, I'm afraid, but it
was a problem to be solved anyway.

:biggrin:
There are only two days a year when you can't do anything: one is called yesterday, the other is called tomorrow, so today is the right day to love, believe, do and, above all, live.

Dalai Lama