JeremyNicoll

GT500 > Is your computer logged out when the scan starts? Ritzter007's reply: "No..." means "Not logged out" but then saying "When I logon" means the opposite. Did you really mean: "No, locked" followed by "When I unlock..." ?.

You said: Version of the script that do not hang the antivirus: Set UAC = CreateObject("Shell.Application") UAC.ShellExecute "C:\Program Files\VPNArea Chameleon\bin\vpnmanager.exe", "", "", "runas", 1 Maybe when the BB looks at the elevation request it also checks (in this case) the target ...vpmanager.exe ... and perhaps it knows that that is a legitimate program. Could it be possible that the BB when it looks at a shortcut DOESN'T look at the target of the shortcut? After all if that shortcut of yours pointed at vpnmanager.exe, it should (according to your experiment) been ok. But if the BB actually tests path "C:\Users\darkl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNArea Chameleon.lnk" without recognising that it's a shortcut and looking at the target, then that might explain why it then tries to use the AMN to verify the reputation /of the shortcut file/. That would somewhat resemble the AMN hang issue I reported, where AMN appeared to be trying to verify the reputation of a script of mine (ie something that couldn't have a predefined reputation in the AM network).

The path pointing to th elink isn't the issue, it's the attempt to elevate that's the problem. However it IS interesting that you mention the AMN popup and no response when you click on that. I reported that to Emsisoft a while ago, and sent them full memory dumps (as in on-purpose BSOD dumps of the system) to help them fix it. You might want to read: https://support.emsisoft.com/topic/27330-system-hang-after-suspicious-activity-box-could-not-be-dismissed/

It might be useful to upload the files concerned to VirusTotal, to see if lots of anti-virus/anti-malware apps think they are dangerous, of if it's just a False Positive. If the files are actually safe then there's no need to quarantine them, just wait for the scanner's rules to be changed to say they're safe. On the other hand if they are indeed dangerous the advice stapp gave you is definitely what you want to do next. Also, did you yourself install something called 'best buy pc'? Do you know what it is, and do you trust it?

The problem is that the program isn't running as an administrator, so it uses the code you showed to restart itself with admin authority. But the Behaviour Blocker correctly intercepts that - you really wouldn't want any old program that wasn't running as admin to be able to elevate itself without being intercepted as that would be a huge security hole. Presumably, because all this happens at startup, before any user is logged on, there is no person able to see the BB alert (if indeed there actually is an alert when there's no user logged on), hence the hang. Maybe Emsisoft should change that behaviour so that rather than an alert the program is immediately terminated? You might be able to get around this by placing the VPNArea Chameleon's binaries folder (or maybe just its main .exe) in the exceptions table - at Settings - Exclusions - Exclude from monitoring. Does this not also happen if you try to start the program yourself, not at startup?

See: and:

See:

As soon as I unpacked the zip, I too found that everything in it got quarantined. The files are of course harmless provided you don't run them. I was very careful...

Aha! Thanks.

That 7z file needs a password.

On the system where it's not shown there will be a little black cross down there somewhere. If you click that, that copy of EIS will change permanently to displaying the version number.

see: https://support.emsisoft.com/topic/27479-emsisoft-anti-malware-and-anti-malware-server-are-the-same-software/

I'm not sure how EIS would tell the difference between an 'obfuscated' script and a 'minified' one. Scripts downloaded for use on webpages are very often minified. They are fetched faster than larger scripts, and once on your machine will be executed very slightly faster. Minification certainly obscures what a script does, but does so for good reasons.

Assuming you didn't delete the infected file, can you upload it to VirusTotal to find out if lots of a/v software thinks it's infected? Maybe it's not, it could just be a False Positive.

Every a/virus or /malware program reports false positives. A/v or a/m programs don't contain long lists of known-to-be-bad programs, but instead lists of characteristics that seem to be shared by sets of similar malware. Sometimes a set of characteristics also matches the inner workings of a program that's ok - which is a false positive. You'll notice that one part of this forum: https://support.emsisoft.com/forum/58-false-positives/ is entirely dedicated to people's reports to Emsisoft of programs that they believe are ok but get detected by one of the Emsisoft products. You can report programs that you think are ok, there. I expect that Emsisoft collect information from other places too.