
Why is there no Explanation of the IMF pop-up?


DNA


Hi enoskype

Great!! I am glad YOU had the nerve to check out what credit does

The credit goes to YOU!! :-)

Cheers

solbjerg

 

 

Hi guys,

 

Here is what CREDIT is in the pop-up info window of IMF.

 

The example of the operation of enabling SUPERAntispyware start up with Windows by CCleaner.

 

When you click on CREDIT, IMF gives the credit to the process of CCleaner.exe to allow the registry change for SUPERAntispyware.exe at start up (RUN -Autorun). (auto remember allow included) ( Remember also can be chosen for allowing or blocking the registry as a separate operation. Below the line.)

Not quite a simple logical GUI. 8-)

 

JohnnySokko's image shows the possibility of giving credit to SUPERAntimalware.exe for the change of the registry for start up of itself (SUPERAntispyware.exe).

 

All can be seen

in: remember.ini file

@: C:\Users\UserName\AppData\Roaming\IObit\IObit Malware Fighter

 

I think the images are self explaining.

 

http://forums.iobit.com/attachment.php?attachmentid=9437&d=1328298469 http://forums.iobit.com/attachment.php?attachmentid=9438&d=1328298481

 

NOTE: You can not screenshot the pop-up window after clicking prt sc key if you click CREDIT before pasting the image to MS Paint. Giving 20 seconds for the tips to stay helps.

 

In the mean time, I have discovered that there is a bug when you click on View by Regedit, the Details of the registry key of SUPERAntispyware.

It takes you to registry key (Run) of Sidebar.:roll:

 

Cheers.


Ugh!

 

 

Thanks - now I can see what you are talking about. My guess is that CREDIT pertains to the SUPERAntiSpyware you have just downloaded - and that it will send you to their site to see if you have gotten the file from the right place or some other form of validation - perhaps just to buy their pro version?

 

No, it has nothing to do with SUPERAntiSpyware per se. It wouldn't have mattered what I downloaded. The pop up appears in response to any download, and the CREDIT button is always shown on it — no matter what you've downloaded.

 

 

What services do you have on your network? If you open the Windows Firewall and choose Advanced and choose a connection and click the button Settings, you will see what I am talking about concerning services.

 

Okay, thanks for clarifying. I wasn't sure what you meant at first. I have nothing enabled on those settings. Was there a reason that you asked? I'm not sure where you were going with that question.

 

 

Did you have any trouble with the time it took you to capture your screenshot?

 

LOL — No, not at all. :-)

 

 

Hi, enoskype. I am glad YOU had the nerve to check out what CREDIT does. The credit goes to YOU!!

 

Yes, thank you! :-) Thank you very much for digging into this and for shedding some light on it! It's great that you stepped up and made a real attempt to figure this out. However, in spite of your efforts, I sadly, and regretfully, must admit that I am still very unclear as to exactly what the CREDIT button is supposed to do and how it works. Ugh!!! :-x (Very frustrated. Not at you, though. ;-) Frustrated at the program.)

 

 

Here is what CREDIT is in the pop-up info window of IMF.

 

The example of the operation of enabling SUPERAntiSpyware start up with Windows by CCleaner.

 

When you click on CREDIT, IMF gives the credit to the process of CCleaner.exe to allow the registry change for SUPERAntiSpyware.exe at start up (RUN -Autorun). (auto remember allow included) ( Remember also can be chosen for allowing or blocking the registry as a separate operation. Below the line.) Not quite a simple, logical GUI.

 

JohnnySokko's image shows the possibility of giving credit to SUPERAntimalware.exe [Correction: I think you meant to say SUPERAntiSpyware.exe. I wanted to point that out for clarification and to prevent any confusion] for the change of the registry for start up of itself (SUPERAntiSpyware.exe).

 

Wow, my head is spinning from that — lol. I consider myself to be somewhat intelligent, but I'm feeling pretty dense right now. I don't get any of that. Where's that DNA guy?! (The other poster who wanted to know the same thing about the CREDIT button.) I wonder if he gets it? I won't feel so dense if I'm not the only one not able to understand. :lol:

 

As I try to break down what you said and make some sense of it, let me ask this: Are you only using SUPERAntiSpyware as merely an example; is that correct? (Because as I said above, the pop-up appears in response to all downloads, not just with SUPERAntiSpyware.)

 

And what in the world does CCleaner have to do with any of this? And more importantly, why in the world would IMF be giving credit to the process of CCleaner.exe to allow the registry change for SUPERAntiSpyware.exe at start up? CCleaner has nothing to do with SUPERAntiSpyware and vice versa.

 

I do, as a matter of fact, happen to have CCleaner, and I do have SUPERAntiSpyware as well, but the pop up would still appear in response to all downloads — regardless of whether I had them or not. I don't see what they have to do with this (especially with what CCleaner has to do with it), so I'm missing your point and not following your explanation. Sorry.

 

 

All can be seen in: remember.ini file

@: C:\Users\UserName\AppData\Roaming\IObit\IObit Malware Fighter

 

I am not able to locate that path and no such file (i.e., remember.ini) seems to be in any of the IObit IMF folders that I did find. :-?

 

 

I think the images are self-explaining.

 

You have no idea how much I wish that were true.


Hi JohnnySokko

As I see it the credit/permission/ whatever you want to call it is given to the newly downloaded program to run/startup by the application mentioned in the registry, this is just to see the insertion in the registry - the same thing happens if you click allow and remember and look in registry, I think.

I think you should try clicking the credit button to get a better understanding of what happens - enoskype survived the experience :-)

I don't want to download anything just for checking the function - always supposing that I would get the pop-up :-)

Cheers

solbjerg


Hi Johnny,

 

[Correction: I think you meant to say SUPERAntiSpyware.exe. I wanted to point that out for clarification and to prevent any confusion]
Thank you for the correction, I have edited my original post #24 for that mistake.

Are you only using SUPERAntiSpyware as merely an example; is that correct? (Because as I said above, the pop-up appears in response to all downloads, not just with SUPERAntiSpyware.)

Yes, it is merely an example because you have used it.

I have tried CREDIT and registry change for the two other programs as seen in the remember.ini image to make a variety for the self imposed registry changes though.

I believe, we shouldn't call it downloads but installations, as, personally I do not install all the downloaded setup files.

IMF gives the pop-up info when a program is installed and trying to put a startup entry, URL contact (Probably only PRO version) or so, but NOT when you download a setup of a program.

 

SEE English.lng file for:

[iMF_ThreatForm]

CheckBox_Remember.Caption=Remember

Button_Block.Caption=Block

Button_Allow.Caption=Allow

 

Label_Process_Threat_Caption.Caption=Threat:

Label_Process_File_Caption.Caption=File:

Label_Process_Detail_Caption.Caption=Detail:

Labe_Process_Process_Caption.Caption=Process:

 

Label_URL_Threat_Caption.Caption=Threat:

Label_URL_URL_Caption.Caption=URL:

Label_URL_Detail_Caption.Caption=Detail:

Label_URL_Process_Caption.Caption=Process:

Label_URL_Credit.Caption=CREDIT

 

Label_Registry_Threat_Caption.Caption=Threat:

Label_Registry_Key_Caption.Caption=Key:

Label_Registry_Detail_Caption.Caption=Detail:

Label_Registry_Process_Caption.Caption=Process:

Label_Registry_Credit.Caption=CREDIT

 

Note the missing RED strings I have mentioned in my previous post.

 

It will not be in remember.ini file if CREDIT is not used, ie.,when you only allow or block for the current session. (No remembering.)

And what in the world does CCleaner have to do with any of this? And more importantly, why in the world would IMF be giving credit to the process of CCleaner.exe to allow the registry change for SUPERAntiSpyware.exe at start up? CCleaner has nothing to do with SUPERAntiSpyware and vice versa.

 

I do, as a matter of fact, happen to have CCleaner, and I do have SUPERAntiSpyware as well, but the pop up would still appear in response to all downloads — regardless of whether I had them or not. I don't see what they have to do with this (especially with what CCleaner has to do with it), so I'm missing your point and not following your explanation. Sorry.

Normally, startup registry keys are changed by the very same program installed for their startup item, as in your case SUPERAntispyware by SUPERAntispyware.

 

I wanted to show that the credit can be given to a process which changes the registry key for another program, as this is more likely a malware action.

 

In that respect, I have used Startup (enabling/disabling/deleting) function of CCleaner (CCleaner=>Tools button=>Startup button=>Windows tab=>Enable/Disable/Delete buttons) to change the registry value for startup of SUPERAntispyware.

When you use this function, you can check that the startup with Windows option of SAS changes to ON and OFF in the preferences of SAS.

I am not able to locate that path and no such file (i.e., remember.ini) seems to be in any of the IObit IMF folders that I did find. :-?

My indicated path was for Windows7, since you are using XP according to your profile, it should be @:

C:\Documents and Settings\UserName\Application Data\IObit\IObit Malware Fighter

 

You have to choose the option that your Files/Folders are not hidden in Folder Properties to see the files/folders there.

If you don't have it, I would suggest a Clean Install of IMF or inserting of remember.ini file to that specific location with only

[version]

version=1.1

in it, as I even have it in my Virtual XP.

You have no idea how much I wish that were true.

 

Correct, I have no idea.:lol::lol:

 

 

@ solbjerg, thank you for the credit! :lol:

You can live the experience using CCleaner without installing/downloading anything.

 

Cheers.


Hi enoskype

You deserve any credit you get!!

 

By the way - I think I have figured out why I do not get those pop-ups

I always download new programs or new versions to my folder "Downloads"

then I right click the install program/choose properties and remove the blocking of the program. That way there is nothing for the pop-up to do as the program has already been allowed. (Otherwise - why should I download it) :-)

The added benefit is that I always have the previous install file if something should be wrong with the new version.

Cheers

solbjerg

 

Hi Johnny,

 

Thank you for the correction, I have edited my original post #24 for that mistake.

 

Yes, it is merely an example because you have used it.

I have tried CREDIT and registry change for the two other programs as seen in the remember.ini image to make a variety for the self imposed registry changes though.

I believe, we shouldn't call it downloads but installations, as, personally I do not install all the downloaded setup files.

IMF gives the pop-up info when a program is installed and trying to put a startup entry, URL contact (Probably only PRO version) or so, but NOT when you download a setup of a program.

 

SEE English.lng file for:

[iMF_ThreatForm]

CheckBox_Remember.Caption=Remember

Button_Block.Caption=Block

Button_Allow.Caption=Allow

 

Label_Process_Threat_Caption.Caption=Threat:

Label_Process_File_Caption.Caption=File:

Label_Process_Detail_Caption.Caption=Detail:

Labe_Process_Process_Caption.Caption=Process:

 

Label_URL_Threat_Caption.Caption=Threat:

Label_URL_URL_Caption.Caption=URL:

Label_URL_Detail_Caption.Caption=Detail:

Label_URL_Process_Caption.Caption=Process:

Label_URL_Credit.Caption=CREDIT

 

Label_Registry_Threat_Caption.Caption=Threat:

Label_Registry_Key_Caption.Caption=Key:

Label_Registry_Detail_Caption.Caption=Detail:

Label_Registry_Process_Caption.Caption=Process:

Label_Registry_Credit.Caption=CREDIT

 

Note the missing RED strings I have mentioned in my previous post.

 

It will not be in remember.ini file if CREDIT is not used, ie.,when you only allow or block for the current session. (No remembering.)

 

Normally, startup registry keys are changed by the very same program installed for their startup item, as in your case SuperAntispyware by SUPerAntispyware.

 

I wanted to show that the credit is given to the process which changes the registry key for another program, as this is more likely a malware action.

 

In that respect, I have used Startup (enabling/disabling/deleting) function of CCleaner (CCleaner=>Tools button=>Startup button=>Windows tab=>Enable/Disable/Delete buttons) to change the registry value for startup of SUPERAntispyware.

When you use this function, you can check that the startup with Windows option of SAS changes to ON and OFF in the preferences of SAS.

 

My indicated path was for Windows7, since you are using XP according to your profile, it should be @:

C:\Documents and Settings\UserName\Application Data\IObit\IObit Malware Fighter

 

You have to choose the option that your Files/Folders are not hidden in Folder Properties to see the files/folders there.

If you don't have it, I would suggest a Clean Install of IMF or inserting of remember.ini file to that specific location with only

[version]

version=1.1

in it, as I even have it in my Virtual XP.

 

 

Correct, I have no idea.:lol::lol:

 

 

@ solbjerg, thank you for the credit! :lol:

You can live the experience using CCleaner without installing/downloading anything.

 

Cheers.


The whole reason I started this thread was because I DID CLICK "CREDIT" in response to one of the popups, and I had no idea what clicking CREDIT actually did.

 

I have an ongoing problem on my computer whenever I boot up Win7-64, something tries to change the registry to include a program called conime.exe as a startup program to be run each time Windows starts. I have searched the registry and have found a few references to it but there is NO SUCH PROGRAM called conime.exe anywhere on my computer. After seeing the popup about it a dozen times and clicking BLOCK, I decided to try clicking CREDIT instead. Now, after clicking CREDIT, I no longer see the popup, but whatever is trying to install conime.exe as a startup program is STILL occurring, I just don't see the popup anymore.

 

I just did an "Msconfig" to check the startup programs, and sure enough the conime.exe program has been added to the startup list. It of course won't run, because there is no such program to run. I have searched the web several times about this conime.exe and have found that it could be a virus or it is also part of Win7 itself. It has to do with loading a Chinese character set, which I don't need.

 

I also checked the remember.ini file in \user\appdata\roaming\iobit\iobit malware fighter and there is NO REFERENCE to my clicking CREDIT when the conime.exe file was attempting to change the registry. The only file in the remember.ini file is a reference to a \Kodak\installer\setup.exe file.

 

If you're going to offer a program that has popups with several options, I say it would be a good idea for you to explain the popups in your instruction manuals and what the options actually do. Don't wait for people to complain about it, do it when you offer the program.

Thanks


Hi DNA!

 

Would you like to have your system examined for Malware removal by an experienced and fully trained MalwareFighter to see? If so... please follow the steps here.

 

Please make sure that you post both of the DDS logs as instructed! If you post the logs, your relevant posts (including the logs) will be moved to the Malware removal section and you will have the guidance you need.

 

I have looked at and researched your last post a bit and if I were you I would do it.

 

Sincerely,

-Mel

Live long and prosper!


The whole reason I started this thread was because I DID CLICK "CREDIT" in response to one of the popups, and I had no idea what clicking CREDIT actually did.

 

I also checked the remember.ini file in \user\appdata\roaming\iobit\iobit malware fighter and there is NO REFERENCE to my clicking CREDIT when the conime.exe file was attempting to change the registry. The only file in the remember.ini file is a reference to a \Kodak\installer\setup.exe file.

 

You shouldn't find concerned conime.exe in remember.ini file, as if I understand correctly, the registry changing process is not conime.exe, but a different process. (Please see post #29 in this thread and the following quote.)

I wanted to show that the credit can be given to the process which changes the registry key for another program, as this is more likely a malware action.

In that respect, I have used Startup enabling/disabling/deleting function of CCleaner (CCleaner=>Tools button=>Startup button=>Windows tab=>Enable/Disable/Delete buttons) to change the registry value for startup of SUPERAntispyware.

 

You can delete content of remember.ini file except

[version]

version=1.1

 

and find out what is changing the registry for conime.exe in the next pop-up window of IMF.

 

 

it is also part of Win7 itself. It has to do with loading a Chinese character set, which I don't need.

BTW, you may need those Chinese characters if you use IObit softwares.

 

Cheers.


Hi DNA

conime.exe can be a legitimate Windows file, - it is used if you sometimes use an Asian language on your computer. (connection input method editor) or if you have activated that setting - In which case it should be located in windows/system32 - if you have it in several other places it could easily be a malware that may be used in remote controlling of your computer, I think.

The good antivirus programs and perhaps some of the malware programs ought to find it if it is a rogue/malware, I think.

Cheers

solbjerg

 

 

 


Ok, I was finally able to get a screen capture of the popup involving the

conime.exe program trying to get added to my registry as a startup program.

 

I still don't see which program, Setup.exe, is trying to add the conime.exe

to the startup. Is it a Win7 program???

 

I also mentioned before that there is NO FILE by the name of conime.exe

in my Windows\system32 folder. So here is a clip showing that there is

no file by that name in that folder.

 

What is trying to add it to my startup, when there is NO such program file?

 

If it should happen again, should I click on View by Regedit? (something else to

click in the warning popup that was never explained in the instruction manual)

((oh that's right, enoskype said that "View by Regedit" doesn't work))

Thanks


Hi DNA!

 

Please see post 32 above as well as the subsequent posts by Enoskype and Solbjerg. I strongly urge you to have your system cleaned! Please follow the "Guidelines for requesting malware removal assistance"

 

What is trying to add it to my startup, when there is NO such program file?

If you post the two logs, they will be moved to the Malware removal section and your machine will be cleaned!

 

Sincerely,

-Mel

Live long and prosper!


Hi DNA,

 

I also checked the remember.ini file in \user\appdata\roaming\iobit\iobit malware fighter and there is NO REFERENCE to my clicking CREDIT when the conime.exe file was attempting to change the registry. The only file in the remember.ini file is a reference to a \Kodak\installer\setup.exe file.

I am glad you have found out remember.ini file. A screenshot of the content of remember.ini file may shed a light there about the origin of the setup.exe file.

I still don't see which program, Setup.exe, is trying to add the conime.exe

to the startup. Is it a Win7 program???

 

I also mentioned before that there is NO FILE by the name of conime.exe

in my Windows\system32 folder. So here is a clip showing that there is

no file by that name in that folder.

 

What is trying to add it to my startup, when there is NO such program file?

Thanks

It is clearly seen from your screenshot that Setup.exe (\Kodak\installer\setup.exe as you have given the CREDIT) is trying to add it to your startup. (Probably to be able to use Japanese, Chinese characters as the setup file (Kodak) could be for all international Windows versions, namely XP, Vista and 7.)

 

This is similar to the example I have given in my previous posts. (A process is changing the registry for a different process.)

 

I think you are or were running a Kodak software in your start-up which triggers the registry change of conime.exe.

Is it a Win7 program???

I also mentioned before that there is NO FILE by the name of conime.exe

in my Windows\system32 folder. So here is a clip showing that there is

no file by that name in that folder.

There is no conime.exe in Windows 7, please see parentheses about Windows versions above.

 

Clean the content of remember.ini as I described in my previous post and rename Setup.exe at \Kodak\installer\setup.exe, probably startup of conime.exe will not be invoked anymore. Other option could be to stop the startup of the Kodak software if you have one.

If all those cause a different problem, the best thing to do is clicking CREDIT or Remember and leave it as it is.

Checking for virus as Melvin_Deal suggests, is a good idea too.

 

I hope this is helpful.

 

Cheers.


Looking through my hard drive today, I came across a folder called

Kodak under the folder ProgramData, and under Kodak was a folder

called Installation, and in that folder was a file called Setup.exe.

 

I clicked on Setup.exe and up pops the Iobit MF popup saying it was

trying to modify the registry. So I renamed that Setup.exe file

and hopefully that will put an end to the popups.

 

I still have no idea what was causing the Setup.exe file to run at

random times. There is nothing about Kodak in my startup programs

and there is nothing about Kodak in the Task Scheduler.

 

When I search in the registry for Kodak, I find hundreds of entries,

so there must be something in there that is causing the Setup file

to run.

 

I had problems with Kodak printer software several years ago

when it practically takes over your whole computer. I guess they

are still at it. Lol

 

Thanks for your help enoskype, glad that it's over. :lol:


  • 2 months later...
  • 1 month later...

By the way - I think I have figured out why I do not get those pop-ups

I always download new programs or new versions to my folder "Downloads"

then I right click the install program/choose properties and remove the blocking of the program. That way there is nothing for the pop-up to do as the program has already been allowed. (Otherwise - why should I download it) :-)

solbjerg

 

Hey Solbjerg,

 

Hope things are going well for you.

 

I have looked at several installation files on my computer, which is running XP Pro. In the Properties for these programs (all were *.EXE files that I checked), some of them have that "Unblock" button, and some do not. I'm guessing that any freshly downloaded installation program would most always have that button. I never noticed that Unblock button before, till you mentioned it in this thread and I had to try to figure out what you were talking about. So, if the Unblock button isn't there in a file's Properties on my computer, it isn't because I have previously clicked it and made it go away.

 

What do you think is putting the Unblock button there? Windows O/S? IMF? I'm thinking it's the O/S. Because of that intuition, I doubt that IMF checks for if that file "attribute" is there or not, and, therefore, I also have to doubt if it has anything to do with whether one gets the IMF "Risk Registry Modify" popup or not.

 

I personally think that what is causing the IMF "Risk Registry Modify" popup, i.e. this

 

http://i267.photobucket.com/albums/ii313/Utopia2115/IMFRiskPopup03nVidiaUpdate.jpg

 

is whether an installation is either adding a file to your Windows' Start|Programs|Startup folder, or is modifying or adding something to the

 

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

 

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows registry keys, or maybe even to the

 

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

registry keys. Could be it might popup with an addition to the Scheduled Tasks, too.

 

Any time I have EVER seen the IMF Risk Registry Modify popup, it was when a change was being made to make some file autorun or load at startup.

 

Thx!

 

Tim

 

P.S. HEY! This is weird! WTF is causing that space in the word "Current" in those registry keys I pasted??? The spaces aren't in those lines in my message.

 

The following edit was NOT done by CrazyTim:

 

EDIT: It is the Forum page itself doing that glitch, not permitting continuous characters without a space at certain number of places. I have no idea why it is doing this on which technical basis!
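
An added example, not part of any post in this thread: a small audit of the Run keys listed above that reports the two conditions discussed earlier, an autorun entry whose target file does not exist and a conime.exe that is not under system32. It parses the text printed by `reg query` for a Run or RunOnce key; the sample output, value names and paths are constructed, and the `EXPECTED_DIR` table is an assumption of this example.

```python
import ntpath
import os
import re

# Constructed `reg query` output (illustrative names and paths, not from any post).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SUPERAntiSpyware    REG_SZ    "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    conime    REG_SZ    C:\Windows\system32\conime.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Example Updater    REG_SZ    "C:\Users\Example\AppData\Roaming\upd\conime.exe" /silent
"""

# A value line is: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

# Image names expected in one directory only. The conime.exe / system32 pairing
# is the one given in the thread; extend the table for your own environment.
EXPECTED_DIR = {"conime.exe": "\\system32"}


def parse_run_entries(text):
    """Return (key, value_name, command) for every value in the query output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("data")))
    return entries


def image_path(command):
    """Extract the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", command)
    return m.group(1) if m else (command.split() or [""])[0]


def audit(text, exists=os.path.exists):
    """Flag autorun entries with a missing target or an unexpected location."""
    findings = []
    for _key, name, command in parse_run_entries(text):
        path = image_path(command)
        if not exists(path):
            findings.append((name, "target file missing"))
        expected = EXPECTED_DIR.get(ntpath.basename(path).lower())
        if expected and not ntpath.dirname(path).lower().endswith(expected):
            findings.append((name, "unexpected location"))
    return findings


if __name__ == "__main__":
    # On the affected machine, replace SAMPLE_REG_QUERY with saved `reg query` output.
    for name, reason in audit(SAMPLE_REG_QUERY):
        print(f"{name}: {reason}")
```

The `exists` parameter defaults to a real file check, so the script is meant to run on the machine the query output came from.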


All can be seen

in: remember.ini file

@: C:\Users\UserName\AppData\Roaming\IObit\IObit Malware Fighter

 

Hi enoskype. Been a while. Are you having fun yet? :lol:

 

OK, are you good enough to be able to tell me what the entries in the REMEMBER.INI file mean?

 

Here is my REMEMBER.INI file so we can refer to it:

 

[version]
version=1.1
[data]
1=C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
2=C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE
3=C:\DOCUME~1\TIMNAS~1\LOCALS~1\TEMP\IS-MK3NA.TMP\MBAM-SETUP.TMP
4=C:\DOCUME~1\TIMNAS~1\LOCALS~1\TEMP\IS-JJF5F.TMP\MBAM-SETUP.TMP
5=C:\NVIDIA\DISPLAYDRIVER\280.26\WINXP\ENGLISH\SETUP.EXE
6=C:\PROGRAM FILES\NVIDIA CORPORATION\INSTALLER2\DISPLAY.NVIEW.0\NVIEWSETUP.EXE
7=C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE
8=C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
9=C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\CARBONITE\CARBONITE BACKUP\CARBONITEUPGRADE-V5.EXE
10=C:\__ZIPJUNK\WINPATROL PLUS V24.1.2012.0 [WPSETUP.EXE
11=C:\NVIDIA\DISPLAYDRIVER\285.58\WINXP\ENGLISH\SETUP.EXE
12=C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST5\SETUP\AVAST.SETUP
13=C:\DOCUME~1\TIMNAS~1\LOCALS~1\TEMP\LOGITECH\SETPOINTSI32_1\5-SETPOINT\EVTMGR6\SETUP.EXE
14=C:\DOCUME~1\TIMNAS~1\LOCALS~1\TEMP\NVIDIA\CONTROLPANELINSTALLERTEMP\SETUP.EXE
15=C:\NVIDIA\DISPLAYDRIVER\301.42\WINXP\ENGLISH\SETUP.EXE
16=C:\PROGRAM FILES\CARBONITE\CARBONITE BACKUP\CARBONITESETUP.EXE
17=C:\PROGRAM FILES\EVEMON\EVEMON.EXE
[style]
1=REGISTRY
2=REGISTRY
3=REGISTRY
4=REGISTRY
5=REGISTRY
6=REGISTRY
7=REGISTRY
8=REGISTRY
9=REGISTRY
10=REGISTRY
11=REGISTRY
12=REGISTRY
13=REGISTRY
14=REGISTRY
15=REGISTRY
16=REGISTRY
17=REGISTRY
[block]
1=0
2=0
3=0
4=0
5=0
6=0
7=0
8=1
9=0
10=0
11=0
12=0
13=0
14=0
15=0
16=0
17=0

 

I assume that, if a program is in the list, then the Remember selection box on the IMF Risk Registry Modify popup was checked by the user. Right?

 

I'm also guessing that the "0" and "1" numbers at the bottom are switches, and probably tell IMF about if the corresponding program should be allowed to make a modification to the registry. I'm guessing that a "0" means to Allow the program to make a modification, and a "1" means to Never Allow the program to make a modification. Is that right, too?

 

OK, if you know, please tell me how I can tell if a program was not allowed to make a modification, but the Remember selection box on the IMF Risk Registry Modify popup was NOT checked.

 

Thx!

 

Tim


Hi Tim, nice to see you back! We would like to see you more often. :grin:

We can have more fun altogether.:lol:

 

Your remember.ini list is simple enough, you have given permission (allowed) to all registry changes of all those programs with ticking "Remember" checkbox except # 8 which is dw20.exe (Microsoft Error Reporting) and it seems that you have blocked the registry change it wanted to make and you have also ticked "Remember" checkbox for that item, so IMF will remember to block each time it wants to change that registry entry.

 

Repetition of the same names are indication of the newer versions trying to change the registry entries when setup files are installing the new versions.

 

Exceptions to setup files are Winpatrol.exe (this could also be new installation of winpatrol or it's changing/blocking some other program) and Plugin-container.exe which could have been an installation of add-on to Firefox, and the last one, Evemon.exe is the avant internet browser upgrade for windows internet explorer. We have discussed dw20.exe already.

 

You are right that, if a program is in the list, then the Remember selection box on the IMF Risk Registry Modify popup was checked by the user or CREDIT is clicked, and we can describe "0" [block] as Always Allow and "1" [block] as Never Allow (Always Block).

 

You can only tell if a program was allowed or not allowed (blocked) to make a modification, but the Remember selection box on the IMF Risk Registry Modify popup was NOT checked or CREDIT was NOT ticked, ONLY IF THE SAME PROCESS IS USED AGAIN AND SEEING THE POP_UP WINDOW AGAIN.

 

In short, you can't tell it! :-P :mrgreen:

 

Cheers.


Thx. You pretty much confirmed what I thought, enoskype.

 

Exceptions to setup files are Winpatrol.exe (this could also be new installation of winpatrol or it's changing/blocking some other program) and Plugin-container.exe which could have been an installation of add-on to Firefox, and the last one, Evemon.exe is the avant internet browser upgrade for windows internet explorer. We have discussed dw20.exe already.

 

If you aren't familiar with WinPatrol, it basically does what this IMF "Risk Registry Modify" popup does (i.e. monitors for changes to startup/system), but it does so much more elegantly, and also does a few other things like watch for ActiveX additions, etc. It is a robust program in itself, but is not really a thorough malware fighter like IMF is, and doesn't try to be.

 

I really don't know what Plugin-container.exe is for sure. It exists in my C:\Program Files\Mozilla Firefox\ folder, is signed by Mozilla, and is presently an Active Task in Windows' Task Manager's Processes (obviously I have Firefox open as I type this). From WinPatrol's info I can tell Plugin-container.exe was first detected on my computer on June 24, 2010. The version of it on my computer now was last modified on June 16, 2012, which I think was the day I finally upgraded from Firefox 3.6x-something to Firefox 13.1. I'm thinking it is actually part of Firefox.

 

Hey, enoskype, Googling Plugin-container.exe I just found this:

 

Background: A new Firefox crash prevention feature was introduced in Firefox 3.6.4 to load Adobe Flash (as well as Microsoft Silverlight and Apple QuickTime, on Windows) in a separate process named "plugin-container". When one of these "out-of-process" plugins crashes or stops responding for a specified time period (10 seconds in Firefox 3.6.4 or 45 seconds in Firefox 3.6.6), only the plugin is terminated and you will get a plugin crash notice with the option of sending a crash report to Mozilla. The purpose of this new feature is to prevent the entire Firefox browser from crashing when a plugin hangs or crashes.

 

Read more about Plugin-container.exe, at the Mozilla site, or if you want.

 

Hmmm... That's very interesting to me that the IMF "Risk Registry Modify" popup caught that one. Now I'm wondering if it DOES catch more than just changes to Windows startup. It must! It can't be catching all registry changes, though. Any thoughts on what is truly being caught? Or is there any way we can find out for sure? 100% for sure?

 

You blew it with EVEMon.EXE, dude. LOL. EVEMon is a piece of 3rd party software that monitors my role-playing character in the EVE Online MMOG. (I are a space pilot. :roll: zoom... zoooom......)

 

You can only tell if a program was allowed or not allowed (blocked) to make a modification, but the Remember selection box on the IMF Risk Registry Modify popup was NOT checked or CREDIT was NOT ticked, ONLY IF THE SAME PROCESS IS USED AGAIN AND SEEING THE POP_UP WINDOW AGAIN.

 

In short, you can't tell it! :-P :mrgreen:

 

That sucks.

 

Thx again!

 

Tim


You blew it with EVEMon.EXE, dude. LOL. EVEMon is a piece of 3rd party software that monitors my role-playing character in the EVE Online MMOG. (I are a space pilot. :roll: zoom... zoooom......)

 

Tim, I blew it on behalf of IObit, mate. LOL :-P:-P See the attachment.

I really have not thought of an online game!

 

Yes, I had used WinPatrol a long time ago. A nice, useful software.

 

Although at the moment I have FF14.0b (20120619191901), after IE9 is released, I have a feeling that IE9 is the most secure non-specialized browser, so I rarely use FF. There are compatibility issues. Fx, latest ZA SE engine.

 

BTW, I am not aware of a way to know for 100% sure what is truly being caught by IMF. :roll:

 

Cheers.


LOL, enoskype.

 

Even that http://www.iobit.com/process/e/1/evemon-exe-1397.html web page URL referenced in your attachment says what it is correctly ON THE ACTUAL PAGE. Apparently whoever made that page at IObit screwed up the meta level HTML description for the page and Google is picking it up.

 

Although at the moment I have FF14.0b ...

 

Aren't we precious :lol:

 

As far as using Internet Explorer goes, this is pretty much the way I generally feel about Microsoft software...

 

 

http://i267.photobucket.com/albums/ii313/Utopia2115/th_LettermanGates.jpg

 

 

BTW, I am not aware of a way to know for 100% sure what is truly being caught by IMF.

 

I'm posting a diatribe in a new thread here concerning this popup.

 

di·a·tribe/ˈdīəˌtrīb/

Noun: A forceful and bitter verbal attack against someone or something.

 

:-)

 

Thx!

 

Tim


Plug-In container is not new. Nowhere even close. It has been part of Firefox for several versions at least.

 

Yeah, Budda, but I think I was using the very old FF v3.6.2, or something like that, and Plug-in Container was introduced in v3.6.4. I had a plugin, called TurboPasswords, that didn't work with the next FF version that is/was an encrypted Password Vault that synced with my Palm, Treo 680 PDA/smartphone. I was putting off finding something new. I am now using LastPass to securely store encrypted passwords.

 

Tim


Yeah, Budda, but I think I was using the very old FF v3.6.2, or something like that, and Plug-in Container was introduced in v3.6.4. I had a plugin, called TurboPasswords, that didn't work with the next FF version that is/was an encrypted Password Vault that synced with my Palm, Treo 680 PDA/smartphone. I was putting off finding something new. I am now using LastPass to securely store encrypted passwords.

 

Tim

 

Glad you and so many others like LastPass. I tried it and hated it big time. It really screwed up my logging in to websites. Does it secure passwords more than other options? Got me.

 

Enjoy LastPass, I will pass on LastPass;-)

 

Note: Personally I would never tell anyone what software I use to secure my passwords. Why? Any software in the world can be hacked. If a person knows the software I use to secure my passwords it just makes it easier for them or someone they give the information to to steal my passwords.

 

No, the risk is not great that it will happen, but would you tell someone, especially a stranger, where the safe in your home is even if you thought the safe is break-in proof, which none are? I know I wouldn't. So by the same token I don't think it is smart to tell other people, especially strangers, where I keep my passwords. One less step they need to take to hack my passwords.


Archived

This topic is now archived and is closed to further replies.
