    Antimalware Software

    Lounge
• A Former User

As a note of caution, if there are any quarantined files you want to restore, be sure to do it before your trial version either expires or is uninstalled. It alone holds the keys to restoring its own quarantined files, since not all AVs use the same quarantine format.

Thanks, I'll bear it in mind. 🆙

• blackbird71

        The "$NtUninstall..." file name prefix tells the system that it's a backup folder containing the original files changed by the associated Windows update. There are corresponding links in the registry to direct where each of those files actually came from, so that uninstalling the update puts the original files back in the right places. It's been a while since I've explored this, but the $NtUninstall folders might indeed be hidden folders. I keep all my systems set to always show all the hidden stuff, and I don't recall whether these were in that category.

        The Windows update would have replaced the original win32k.sys file in the Windows system folder with an updated file version, and moved the original win32k file into the $NtUninstall file, plus creating registry links showing what it had done. Apparently your AV found the file there, pulled it out, and quarantined it into its own AV folder, probably because the AV didn't expect to find a win32k.sys file copy outside of the normal system folder. Since the now-quarantined copy was simply the old or earlier version of the win32k.sys file, it would only be of value if you needed to uninstall that particular update which replaced it in the first place. But if you install the just-posted 3057839 update, that update will replace whatever win32k.sys version is currently in the Windows system folder with a still-newer version of win32k.sys. So reverting all the way back to the file copy the AV pulled out of the $NtUninstall folder is unlikely to ever happen, hence it probably doesn't matter whether you un-quarantine it or not.

The details of how you whitelist a file depend on the AV you're using. But I think it's going to be very hard to whitelist for a future file that has yet to be moved by some future Windows update into an as-yet-not-named uninstall folder. There simply are too many important files that can be replaced by updates, and there are an infinite combination of update numbers that might be used to construct the uninstall folder name. Given that WinXP updates are "going away" due to the obsolescence of the OS, probably the entire issue of the AV quarantining Windows update uninstall file elements will also fade away, as long as you're still using XP.

• A Former User

          Apparently your AV found the file there, pulled it out, and quarantined it into its own AV folder, probably because the AV didn't expect to find a win32k.sys file copy outside of the normal system folder.

          Isn't C:\WINDOWS\ a normal system folder?

          But I think it's going to be very hard to whitelist for a future file that has yet to be moved by some future Windows update into an as-yet-not-named uninstall folder. There simply are too many important files that can be replaced by updates, and there are an infinite combination of update numbers that might be used to construct the uninstall folder name.

Perhaps I'll just allow the file this next time, and see what happens :)

Given that WinXP updates are "going away" due to the obsolescence of the OS, probably the entire issue of the AV quarantining Windows update uninstall file elements will also fade away, as long as you're still using XP.

          Right. Plus the potential "obsolescence" of the AV itself...😉
          Besides, I think I might consider moving away when (if?) IT fades away😉 right?😃

• blackbird71

            Yes, but what I was referring to was the \system32 sub-folder underneath the Windows folder. It can be confusing when writing about this stuff because of terminology overlap. That \system32 folder's the place where OS drivers and similar programs normally are found, and as such, that folder is supposed to be better protected against malware writing itself into it. Hence, a system file like win32k.sys found in some other folder may be malware masquerading as a system file, because that other folder was write-accessible to the malware infector file. Though in your situation, a legitimate copy of win32k.sys was legitimately placed in the update uninstall folder elsewhere. So, as usual, the scenario will always be the same, except when it isn't. O.O :rolleyes:

            Actually, I ran a Win98 First Edition (vintage 1998) system online until late 2010, long after it had been declared officially obsolete and was no longer being updated by MS. What ultimately kills the use of an old OS is typically the inability to find any software that's rated for use on the old OS - in my case specifically, antivirus programs. The system still is in use for local computing, in large part because it's still compatible with some antique 16-bit software that I occasionally need to run. But online, it would be a sitting duck for malware, either at dodgy sites or in some drive-by infector in an ad on a legitimate site. Its AV hasn't been able to be updated in 5 years. :rip:

• A Former User

              Its AV hasn't been able to be updated in 5 years.

              Write one.😉


              Definitely it must be Windows' developers' (no names uttered!;)) blurp to allow for such file placing.

• blackbird71

                I have a different approach for that system. It's called "unplugging the Ethernet cable". :whistle:

• A Former User

                  I have a different approach for that system. It's called "unplugging the Ethernet cable".

                  Searched for Ethernet - didn't get your metaphor.

                  en.wikipedia.org/wiki/Metaphor :whistle:

• blackbird71

                    Hmmm. The ethernet definition is out there: https://en.wikipedia.org/wiki/Ethernet

                    It's the cable (CAT-5) connection from the computer to the router/modem. Pull the cable from the computer, and no more Internet (and no more malware from that source).

• A Former User

                      I'm lost.

• blackbird71

                        OK, let's see if we can get you "found". Back to basics: to get online functionality, your computer has to have a wired connection to your ISP via a dial-up phone wire or an ethernet cable to a modem/router connected to a DSL-capable phone line or a cable-company's dedicated line. Otherwise, the computer must use a wireless (radio) connection to a wifi "hotspot" in the vicinity, whether connected to your ISP's modem or provided by a public hotspot within range of your computer.

                        Back in the pre-wifi days when the only option was a wired connection, the easiest way to protect an old system from Internet-based malware was to simply "pull the cable" out of the computer and break the Internet connection. Of course, that meant no online capability, but it did work to avoid Internet-sourced malware. Hence my earlier humorous (?) statement/metaphor about unplugging the Ethernet cable as a means to deal with my inability to find an AV that would work to keep my Win98 system safe.

                        Unfortunately, whatever humor might have been embedded in my cable-pulling statement is now long gone... :faint:

• A Former User

                          :doh:

Well, we're good when we quote stuff. 🆙

• A Former User

UnThreat and Windows' firewall don't get along very well:
                            I change scan settings - the FW goes off, I enable UnThreat's 'active protection' - same picture.
                            What should I do - if any? Let the system's FW get disabled? Or is it rather more important than UnThreat's - whatever it is?

• A Former User

                              Today or something, the AV started to show "Updating for first time" now and again. Just now, trying to simply show the window (was in background), it hung somehow, I system right-clicked to close it.
                              It closed altogether (the tray thing gone, see); no prompts that I wasn't protected though, I got concerned, opened the thing from the desktop icon - and it showed as if it just got installed.
                              Quite funny - I was offered to choose options, etc. Then I got excited if it "forgot" everything - no, it didn't.
                              Quite funny...:left:

• blackbird71

                                I'm not sure why the firewall alerts are happening, unless your AV settings changes try to "phone" home and run into firewall issues when trying to do that. I have found a review at VirusBulletin from 2013 that does describe Unthreat as having stability issues: https://www.virusbtn.com/virusbulletin/archive/2013/04/vb201304-comparative#id5403118

                                Whether your various issues are related to that remains a bit of a guess. One of the possible risks of using a less-popular AV, however, is stumbling into peculiar issues of one kind or another. There may not be enough users and the company may be too small to iron out all the bugs. The more widely used the software, the more exposure it receives to various systems and software suites to help expose (and hopefully develop fixes for) bugs. That's perhaps the main reason a lot of folks recommend something like Avast as a free AV - it's quite widely used.

• A Former User

                                  One of the possible risks of using a less-popular AV, however, is stumbling into peculiar issues of one kind or another. There may not be enough users and the company may be too small to iron out all the bugs. The more widely used the software, the more exposure it receives to various systems and software suites to help expose (and hopefully develop fixes for) bugs.

                                  Good point!
                                  I'll bear that in mind.🆙

                                  By the way, it somehow recuperated about yesterday. Nice for now...

• A Former User

                                    Black, I have still installed that 360.
                                    It is quite a powerful devil; it didn't offer any "advanced" or whatever options during/upon the install, then earnestly suggested some "Full something", I had little choice and commenced...
                                    It doubled my disk space...

Well, it didn't wipe much in my Firefox, but it wiped out a bit of something in Chrome - I lost my tabs and had to restore them manually.
Now with Opera [11] - I guess it didn't even consider it a browser and left it alone ;)

                                    Found some threats, yeah... I'll ask next time. 🙂

• A Former User

                                      @blackbird71.

                                      Here it is: 360scan15.07.07.
                                      I couldn't seem to copy the text from there. And I haven't made any search for that yet... <_<

                                      (I couldn't find any info there what must be the quarantine period.
                                      It's kinda weird they "forgot" to include quite a number of things in the user interface. I sent them feedback...)

• blackbird71

                                        The dbghelp.dll file may legitimately exist in multiple versions and places, since it is a debugging help library. Typically, a basic version is included with all Windows releases, and modified versions are often included with specific applications, tailored to those apps. If you have Open Office installed on your system (I don't), the file may be a legitimate one for that app. You'd have to inquire in the OpenOffice forum to find out for sure. If it is legitimate, the AV entry would be a false alarm, of course.

Likewise, there are legitimate driver.cab files that contain a library of the various drivers for an OS or for a given computer model (e.g., Dell). Again, these files may have been misidentified by the AV as malicious (false alarms), but a lot depends on the legitimate location where (or even if) those files are supposed to appear on your system. Malware often hijacks a legitimate Windows or other software file name, but almost always puts that malicious file in a place it's not supposed to be for the legitimate software. My suspicion (and it's only that, since I'm not familiar with your system) is that all three quarantined files are false alarms, in which case they probably ought to be restored. The two driver.cab files were picked up by heuristic analysis, which can tend toward much higher false alarm rates than signature analysis. It's unclear exactly what the identification method for dbghelp.dll was, but citing behavior as "high risk" also implies heuristics were used there as well.

                                        You'll have to contact the AV company to find out whether there's a time limit on how long quarantined files are kept on the system by their AV. Many well-known AV's keep them there forever, so that a user can restore them later on when he eventually stumbles upon a system hiccup caused by the quarantined (and hence, unavailable) file. But that's not to say 360 does it that way.

                                        Another thing you could do is to restore the 3 files via the AV and upload copies of them to VirusTotal or Jotti to get a consensus opinion from other AV's about whether they're problematic. If they are, then have 360 re-quarantine them via another scan and use the quarantine panel to delete them. If VirusTotal or Jotti says they're OK, leave them restored and (if possible) enter them as exceptions to 360's future scanning.

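As an added example (not code from this thread, from Windows, or from any AV product), the script below applies two points blackbird71 makes in the posts above: a system file name such as win32k.sys is suspicious mainly when the file sits outside the folder it belongs in, with a $NtUninstall… update-backup folder being a legitimate exception that can be matched by a name pattern instead of by the not-yet-known KB number; and a quarantined file can be checked against VirusTotal by its SHA-256 hash rather than by restoring and uploading it. The folder-name pattern ($NtUninstallKB<digits>$ or $NtUninstallQ<digits>$), the table of expected locations, and the VirusTotal lookup URL form are assumptions, and the file tree the demo builds is constructed sample data so it runs offline.

```python
"""Triage AV quarantine hits on copies of Windows system files.

Added example, not code from the forum thread or from any AV product.
Assumptions (not from the thread): update-backup folders are named
$NtUninstallKB<digits>$ (XP) or $NtUninstallQ<digits>$ (older), and a
VirusTotal hash lookup lives at https://www.virustotal.com/gui/file/<sha256>.
"""
import hashlib
import os
import re
import tempfile

# Folder (relative to the Windows root, lower-case) where each file legitimately
# lives.  Only the names the thread mentions are listed; the driver.cab entry is
# an assumption about XP's layout.
EXPECTED_HOME = {
    "win32k.sys": {"system32"},
    "dbghelp.dll": {"system32"},  # applications may also ship their own copy
    "driver.cab": {os.path.join("driver cache", "i386")},
}

# Windows-update backup folders, e.g. C:\WINDOWS\$NtUninstallKB3057839$
# A pattern covers future KB numbers that cannot be whitelisted by name yet.
UNINSTALL_DIR = re.compile(r"\$ntuninstall(kb|q)\d+\$", re.IGNORECASE)


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large .cab files do not sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, windows_root):
    """Return 'expected', 'update-backup' or 'unexpected' for a file's location."""
    rel = os.path.relpath(path, windows_root).lower()
    parent, name = os.path.split(rel)
    if parent in EXPECTED_HOME.get(name, set()):
        return "expected"
    top = parent.split(os.sep)[0] if parent else ""
    if UNINSTALL_DIR.fullmatch(top):
        return "update-backup"
    return "unexpected"


def vt_url(digest):
    """Hash lookup URL (assumed form); no upload of the file is needed."""
    return "https://www.virustotal.com/gui/file/" + digest


def triage(paths, windows_root):
    """Hash each file, classify its location, and compare it with the live copy."""
    results = []
    for p in paths:
        name = os.path.basename(p).lower()
        digest = sha256_of(p)
        matches_live = None  # None when p is itself the live copy or none exists
        for home in EXPECTED_HOME.get(name, ()):
            live = os.path.join(windows_root, home, name)
            if os.path.exists(live) and os.path.normcase(live) != os.path.normcase(p):
                matches_live = sha256_of(live) == digest
        results.append({
            "path": p, "sha256": digest, "location": classify(p, windows_root),
            "matches_live_copy": matches_live, "lookup": vt_url(digest),
        })
    return results


def demo():
    """Build a constructed XP-like tree (sample data) and triage three copies."""
    with tempfile.TemporaryDirectory() as root:
        live = os.path.join(root, "system32", "win32k.sys")
        backup = os.path.join(root, "$NtUninstallKB3057839$", "win32k.sys")
        stray = os.path.join(root, "Temp", "win32k.sys")
        for p, content in ((live, b"new build"), (backup, b"old build"), (stray, b"old build")):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(content)
        return triage([live, backup, stray], root)


if __name__ == "__main__":
    for r in demo():
        print(r["location"], r["matches_live_copy"], r["lookup"], r["path"])
```

The backup copy and the stray copy hash identically here, so a hash lookup answers for both at once; the stray one in a writable Temp folder is the case blackbird71 describes as a possible masquerade, while the one in the update-backup folder is expected to differ from the live file (it is the older build). Where the AV's quarantine panel shows a hash, the lookup can be done without restoring anything; where it does not, restoring through the AV is still the only reliable route, since quarantine formats differ between products.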
• A Former User

                                          Thanks, Black!

• A Former User

                                            Another thing you could do is to restore the 3 files via the AV and upload copies of them to VirusTotal or Jotti to get a consensus opinion from other AV's about whether they're problematic.

                                            Googling, I could see that both are scan services, though the former had a link to some "Community" - while the other didn't.
                                            Do you suggest I resort to the community or your upload means they do "pick-scans" of sorts?

                                            Ah, checked Wikipedia...
                                            :rolleyes:
