chrisTM, posted October 25, 2009

Hey guys,

I haven't been on in a while because the box, mara- fix has been working so well. I, too, have the no new update problem. I'm sure it will take care of itself in time, as it always has. In the meantime, I tried disabling/enabling the fix as this has worked for me in the past. This time, however, upon disabling the fix, I received an assumed false positive notice, which is attached. I ran CCleaner much later in the day and received the same notice. I have not received this particular notice in the past. Is it possible that this is causing some sort of problem with the updates? All scans are otherwise clean.

Currently running 4.0.467.0 AV, most recent box, mara-, Windows Defender, Spyware Doctor on demand on most recent Vista.

Keep up the good work.

chrisTM out.

DKT27 (Administrator), posted October 25, 2009

Well, if this has happened during enabling/disabling box, mara-fix, don't worry. Mara has named a file in box, mara-fix as svchost. As people don't terminate that file thinkin it's some different file, it's named svchost. That file is nothin but to shutdown the PC instantly after fixin it (to enable self-defense).

BTW I think it's better to disable ESET during fixin as it detects the fix as a trojan even when it's not in use.

RadioActive, posted October 26, 2009

The name of the "threat" is pretty self-explanatory ;)

implague, posted December 13, 2009

> Hey guys,
>
> I haven't been on in a while because the box, mara- fix has been working so well. I, too, have the no new update problem. I'm sure it will take care of itself in time, as it always has. In the meantime, I tried disabling/enabling the fix as this has worked for me in the past. This time, however, upon disabling the fix, I received an assumed false positive notice, which is attached. I ran CCleaner much later in the day and received the same notice. I have not received this particular notice in the past. Is it possible that this is causing some sort of problem with the updates? All scans are otherwise clean.
>
> Currently running 4.0.467.0 AV, most recent box, mara-, Windows Defender, Spyware Doctor on demand on most recent Vista.
>
> Keep up the good work.
>
> chrisTM out.

Yeah, same happened with me last week, only in Windows 7, pretty deeper in AppData.

Night Owl, posted December 13, 2009

@implague: Actually, I had the same problem too last Sunday on a brand new install of Windows 7 x64 in the %TEMP% directory (C:\Users\User_ID\AppData\Local\Temp). That's probably what you saw too.

@DKT27: Thank you very much for your explanation. I totally forgot about that until I read it just a few minutes ago. I was a bit puzzled until now as to why I saw that on a fresh install of Windows 7. I should have remembered.

DKT27 (Administrator), posted December 13, 2009

Hehe. You all are gettin problems of not updatin and I'm havin problems of it gettin auto updated every hour yesterday. :P

I don't wanna disable the auto update or increase the time though.

Night Owl, posted December 13, 2009

@DKT27: I don't understand. We all just had a tiny problem with the patch. I didn't even notice there was any issue at all until a few days later after applying the "box, mara-" fix when I checked the quarantine and I saw the svchost.exe file listed there.

I don't have any problems with updating. ESET NOD32 says 'Your product was activated ...'

DKT27 (Administrator), posted December 13, 2009

As I mentioned before. Now it, svchost file named by mara-, behaves like a shutdowner program that is there for shuttin down the PC. Now there are also real trojans that can shutdown your PC. I feel that the signature of the real shutdowner trojans and the svchost made by mara- would be similar as they work similarly. So ESET misunderstands the good motive, probably purposely, and catches it as a trojan.

mara-, posted December 13, 2009

Well, everything that DKT27 said is correct. I just made a mistake naming it like that, because I forgot that many viruses use that name to hide themselves. I also wanted to hide this to prevent people from messing with the fix process, but once again, this is 100% not any kind of malware.

Cheers ;)

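Added example (not part of the thread, and not code from mara- or ESET): the naming habit mara- mentions, a program called svchost.exe sitting somewhere other than the Windows system folders, is something a defender can check for directly. The function name, the table of expected folders and the sample paths below are assumptions constructed for illustration.

```python
import ntpath

# Expected folders (relative to the Windows directory) for a few core
# binaries whose names are commonly borrowed. Assumed list; extend as needed.
EXPECTED_DIRS = {
    "svchost.exe": {"system32", "syswow64"},
    "lsass.exe": {"system32"},
    "services.exe": {"system32"},
    "csrss.exe": {"system32"},
    "winlogon.exe": {"system32"},
}


def _norm(path):
    """Normalise separators, '..' segments and case for comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def find_masquerading(image_paths, windows_dir=r"C:\Windows"):
    """Return (path, reason) for system-named binaries in unexpected folders."""
    root = _norm(windows_dir)
    findings = []
    for original in image_paths:
        path = _norm(original)
        name = ntpath.basename(path)
        if name not in EXPECTED_DIRS:
            continue  # not a name we track
        allowed = {ntpath.join(root, d) for d in EXPECTED_DIRS[name]}
        if ntpath.dirname(path) not in allowed:
            findings.append((original, f"{name} outside {sorted(allowed)}"))
    return findings


# Constructed sample input, e.g. image paths taken from a process listing.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Users\User_ID\AppData\Local\Temp\svchost.exe",
    r"c:/windows/system32/../Temp/SVCHOST.EXE",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Program Files\Example\tool.exe",
]

if __name__ == "__main__":
    for path, reason in find_masquerading(SAMPLE_PATHS):
        print(f"SUSPICIOUS  {path}  ({reason})")
```

A hit from a name-and-path check like this is a reason to look closer, not a verdict on what the file does.
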
Night Owl, posted December 23, 2009

> BTW I think it's better to disable ESET during fixin as it detects the fix as a trojan even when it's not in use.

I clean installed Windows 7 Ultimate 64-bit yesterday and I tried disabling ESET this time (just over two weeks ago I clean installed Windows 7 Home Premium 64-bit, but I left ESET on). Disabling ESET didn't make any difference. My %TEMP% folder still had the svchost.exe file. The "problem" is that the "box, mara-fix v1.3" doesn't clean up the svchost.exe file that's left there. I say "problem" because I'm definitely not complaining and I am very grateful for this fix. Thank you! :dance2:

DKT27 (Administrator), posted December 23, 2009

Sure? It always left my TEMP folder before I can even know. :blink:

Night Owl, posted December 23, 2009

I am 100% sure. I was very careful to disable ESET before applying the fix on Monday. So I wasn't expecting to see svchost.exe in my %TEMP% folder, but the next day when I ran a full scan, ESET complained about it. I had already done a drive image of my fresh Windows 7 install with ESET, so I deleted the svchost.exe, deleted my drive image, and did another drive image so I will always have a "clean" fresh Windows 7 drive image.

Are you saying that the svchost.exe file isn't in your TEMP folder after the fix forces a reboot? Hmmm, if so, perhaps there is a difference between how the fix works on XP 32-bit versus Windows 7? I have had the same problem on Windows 7 Home Premium 64-bit and Windows 7 Ultimate 64-bit. I can't remember right now what happened on Vista Home Premium 64-bit. If it's not an XP versus Windows 7 issue, maybe it's a 32-bit versus 64-bit issue?

mara-, posted December 23, 2009

Fix is made in that way to delete svchost.exe when you exit Fix. But if you checked option "Enable Self-Defense after using fix" then svchost.exe is not deleted from temp folder.

Cheers ;)

DKT27 (Administrator), posted December 23, 2009

Oh I see. Well I always select "Enable Self-Defense after using fix" but I haven't got any notification of a trojan after computer restart. :think:

Night Owl, posted December 23, 2009

@mara-: Ah, thanks for the explanation. Yes, I always check "Enable Self-Defense after using fix". So everything is working as designed.

@DKT27: I don't get a notification after the computer restarts. If I do a full system scan, ESET complains. Also, if I use Windows Explorer to go into my %TEMP% folder, ESET will complain. And ESET also quietly quarantined svchost.exe two weeks ago on my older Windows 7 install when it did one of its background scans. ESET didn't tell me anything. I only noticed the svchost.exe file when I looked in the quarantine out of curiosity and I was surprised to see svchost.exe there.

DKT27 (Administrator), posted December 23, 2009

I hope mara- fixes these problems when he makes another box, mara- fix. :lol:

Night Owl, posted December 23, 2009

Yes, it would be nice to resolve the svchost.exe issue for the next fix. :lol: If I remember correctly, the issue is the name, svchost.exe, which some viruses use to look like they're part of the operating system. Will just a simple rename of the shutdown file resolve this?

mara-, posted December 23, 2009

Well, I'm not sure now. I'll test and I'll inform you.

Cheers ;)

DKT27 (Administrator), posted December 23, 2009

Take your time mara-. But I'm sure that if you can do it, it will revolutionize the ESET fixes world. :)

BTW mara- can you give me that svchost file only? I wanna see what I can do. 7zip cannot open box- mara fix.

mara-, posted December 23, 2009

Well, 7-zip can not open svchost.exe too. I created this file by myself, in AutoIt. Are you familiar with AutoIt? This is very short code. If you want the code for this, I'll send it to you.

Cheers ;)

DKT27 (Administrator), posted December 23, 2009

I don't know anythin about AutoIt. All I want is the svchost file in .exe extension. Is it possible?

mara-, posted December 23, 2009

Sure, no problem. I'll send it to you via PM.

Cheers ;)