New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    From what he said that is exactly what is happening.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    Yes they're constantly shifting, randomly.
    Going to do the wildcard thing, well I was thinking of wildcards before I post but wanted to be sure, mostly the format. Please tell me if this is correct, got some doubts about spaces and backslashes (if they are even used), etc:

    "C:\Program Files (x86)\Minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe" -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump -Xmx1G -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:-UseAdaptiveSizePolicy -Xmn128M -Djava.library.path=C:\Users\MrX\AppData\Roaming\.minecraft\versions\1.8\1.8-natives-* -cp C:\Users\MrX\AppData\Roaming\.minecraft\libraries\java3d\vecmath\1.5.2\vecmath-1.5.2.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\net\sf\trove4j\trove4j\3.0.3\trove4j-3.0.3.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\ibm\icu\icu4j-core-mojang\51.2\icu4j-core-mojang-51.2.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\net\sf\jopt-simple\jopt-simple\4.6\jopt-simple-4.6.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\paulscode\codecjorbis\20101023\codecjorbis-20101023.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\paulscode\codecwav\20101023\codecwav-20101023.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\paulscode\libraryjavasound\20101123\libraryjavasound-20101123.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\paulscode\librarylwjglopenal\20100824\librarylwjglopenal-20100824.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\paulscode\soundsystem\20120107\soundsystem-20120107.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\io\netty\netty-all\4.0.15.Final\netty-all-4.0.15.Final.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\google\guava\guava\17.0\guava-17.0.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\commons\commons-lang3\3.3.2\commons-lang3-3.3.2.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\commons-io\commons-io\2.4\commons-io-2.4.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\commons-codec\commons-codec\1.9\commons-codec-1.9.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\net\java\jinput\jinput\2.0.5\jinput-2.0.5.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\net\java\jutils\jutils\1.0.0\jutils-1.0.0.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\google\code\gson\gson\2.2.4\gson-2.2.4.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\mojang\authlib\1.5.21\authlib-1.5.21.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\mojang\realms\1.6.1\realms-1.6.1.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\commons\commons-compress\1.8.1\commons-compress-1.8.1.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\httpcomponents\httpclient\4.3.3\httpclient-4.3.3.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\commons-logging\commons-logging\1.1.3\commons-logging-1.1.3.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\httpcomponents\httpcore\4.3.2\httpcore-4.3.2.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-api\2.0-beta9\log4j-api-2.0-beta9.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-core\2.0-beta9\log4j-core-2.0-beta9.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\lwjgl\2.9.1\lwjgl-2.9.1.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\lwjgl_util\2.9.1\lwjgl_util-2.9.1.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\tv\twitch\twitch\6.5\twitch-6.5.jar;C:\Users\MrX\AppData\Roaming\.minecraft\versions\1.8\1.8.jar net.minecraft.client.main.Main --username hername --version 1.8 --gameDir C:\Users\MrX\AppData\Roaming\.minecraft --assetsDir C:\Users\MrX\AppData\Roaming\.minecraft\assets --assetIndex 1.8 --uuid 0666134acd92430692cfc0b673e2b1a5 --accessToken * --userProperties {} --userType mojang --nativeLauncherVersion 286
     
  3. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    The wildcard thing rules... just be wary sometimes wildcards don't work, so you have to use ? and a specific amount of them (eg: 123-345-7890123-456, replacing that with *-*-*-* in "some" cases might not work, so you will need ? ? ? - ? ? ? - ? ? ? ? ? ? ? - ? ? ?)... but for the most part, you can get away with removing duplicate command lines via *. Another word if possible, you may see executables be listed in "" and not, also executable paths duplicated. The "" vs no "" is application dependent, whether parent or child/sub-child calls it. The double entries are not double entries; most of the time there is a space bar keystroke at the end. Removing one or the other will result in a prompt for an unknown command line when it gets executed...

    I just had a look at your amended spoiler; all looks well in regards to what you replaced.

    It's awesome setting ERP to Lockdown and plugging/unplugging external hard drives. You get to commit all command lines and then reduce duplicates via * and ?. But just like Peter said, if you feel like special characters are not your thing for that program, then maybe that program should be uninstalled.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    Thanks for your awesome info. Yes, as you well said a space bar keystroke is there at the end, so now I know why it was failing. Whitelisting commandline strings with a * wildcard worked for me. Now working all good. :thumb:
     
    Last edited: Dec 24, 2015
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Why not just replace the 123-345-7890123-456 with a single *? That's what I've done and it works.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    Oh I forgot to mention I did use a single * to whitelist them. :)
     
  7. guest

    guest Guest

    the easiest way :thumb:
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    There's an issue which seems to be related to length. Take a look:
    If I whitelist this command-line:
    "C:\Program Files (x86)\Minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe" -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump -Xmx1G -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:-UseAdaptiveSizePolicy -Xmn128M -Djava.library.path=C:\Users\MrX\AppData\Roaming\.minecraft\versions\1.8\1.8-natives-* -cp C:\Users\MrX\AppData\Roaming\.minecraft\libraries\java3d\vecmath\1.5.2\vecmath-1.5.2.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\net\sf\trove4j\trove4j\3.0.3\trove4j-3.0.3.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\ibm\icu\icu4j-core-mojang\51.2\icu4j-core-mojang-51.2.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\net\sf\jopt-simple\jopt-simple\4.6\jopt-simple-4.6.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\paulscode\codecjorbis\20101023\codecjorbis-20101023.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\paulscode\codecwav\20101023\codecwav-20101023.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\paulscode\libraryjavasound\20101123\libraryjavasound-20101123.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\paulscode\librarylwjglopenal\20100824\librarylwjglopenal-20100824.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\paulscode\soundsystem\20120107\soundsystem-20120107.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\io\netty\netty-all\4.0.15.Final\netty-all-4.0.15.Final.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\google\guava\guava\17.0\guava-17.0.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\commons\commons-lang3\3.3.2\commons-lang3-3.3.2.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\commons-io\commons-io\2.4\commons-io-2.4.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\commons-codec\commons-codec\1.9\commons-codec-1.9.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\net\java\jinput\jinput\2.0.5\jinput-2.0.5.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\net\java\jutils\jutils\1.0.0\jutils-1.0.0.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\google\code\gson\gson\2.2.4\gson-2.2.4.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\mojang\authlib\1.5.21\authlib-1.5.21.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\com\mojang\realms\1.6.1\realms-1.6.1.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\commons\commons-compress\1.8.1\commons-compress-1.8.1.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\httpcomponents\httpclient\4.3.3\httpclient-4.3.3.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\commons-logging\commons-logging\1.1.3\commons-logging-1.1.3.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\httpcomponents\httpcore\4.3.2\httpcore-4.3.2.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-api\2.0-beta9\log4j-api-2.0-beta9.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-core\2.0-beta9\log4j-core-2.0-beta9.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\lwjgl\2.9.1\lwjgl-2.9.1.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\org\lwjgl\lwjgl\lwjgl_util\2.9.1\lwjgl_util-2.9.1.jar;C:\Users\MrX\AppData\Roaming\.minecraft\libraries\tv\twitch\twitch\6.5\twitch-6.5.jar;C:\Users\MrX\AppData\Roaming\.minecraft\versions\1.8\1.8.jar net.minecraft.client.main.Main --username hername --version 1.8 --gameDir C:\Users\MrX\AppData\Roaming\.minecraft --assetsDir C:\Users\MrX\AppData\Roaming\.minecraft\assets --assetIndex 1.8 --uuid 0666134acd92430692cfc0b673e2b1a5 --accessToken * --userProperties {} --userType mojang --nativeLauncherVersion 286

    It simply doesn't survive a machine restart or power on leaving the line shortened just like this:
    "C:\Program Files (x86)\Minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe" -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump -Xmx1G -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:-UseAdaptiveSizePolicy -Xmn128M -

    The rest is lost.

    Is this a bug?
     
  9. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I've had the length shortened sometimes, mainly when Flash and Firefox were referenced. Now that I don't use Flash anymore, problem gone. It isn't a bug in the traditional sense; it is just a number assigned to the length of that field. I guess the developer didn't anticipate a command line that went for, hmmm... 30 odd lines to be encountered. It's a simple fix, just gotta boost the length. You might want to put this forward as a fix request.

    As a test, try and put * at the end of the shortened version; maybe that will be enough to let it through without popping up with a prompt. Just make sure that the * is the last character in that command line, with a space between it and the previous character... eg: -Xmn128M * as opposed to -Xmn128M -*
    OR
    to keep things neat-looking, make this the command line; if it will work... "C:\Program Files (x86)\Minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe" -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump * <--- might be pushing my luck here...
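
    The matching behaviour discussed in the posts above, as an added sketch that is not part of the thread and is not ERP's code. It assumes plain whole-string matching where `*` is any run of characters and `?` exactly one, and a hypothetical 100-character rule field (`FIELD_LEN`); the sample command lines are constructed.

```python
import re

def rule_to_regex(rule):
    """'*' matches any run of characters, '?' exactly one; all else is literal."""
    out = []
    for ch in rule:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out))

def allowed(rule, cmdline):
    """Whole-string comparison, so a trailing space or a cut-off rule is a miss."""
    return rule_to_regex(rule).fullmatch(cmdline) is not None

def trim_and_star(stored):
    """Cut a truncated rule back to its last complete argument and append ' *'."""
    return stored.rsplit(" ", 1)[0] + " *"

FIELD_LEN = 100  # hypothetical storage limit, picked only for this demo

# Constructed sample lines, shortened from the launcher line quoted in the thread.
EXE = r'"C:\Program Files (x86)\Minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe"'
CMD = EXE + (r" -Xmx1G -Xmn128M -cp C:\Users\MrX\AppData\Roaming\.minecraft"
             r"\versions\1.8\1.8.jar net.minecraft.client.main.Main --version 1.8")
OTHER = EXE + r" -cp C:\Users\MrX\Downloads\other.jar Main"  # different jar

def demo():
    stored = CMD[:FIELD_LEN]          # rule as it would look after being cut
    narrow = trim_and_star(stored)    # ends in "... -cp *"
    broad = EXE + " *"                # exe plus anything
    ids = "app.exe --id "             # constructed, uses the ID from the thread
    return {
        "exact": allowed(CMD, CMD),
        "trailing_space": allowed(CMD, CMD + " "),
        "truncated": allowed(stored, CMD),
        "narrow_ok": allowed(narrow, CMD),
        "narrow_other": allowed(narrow, OTHER),
        "broad_other": allowed(broad, OTHER),
        "q_same_len": allowed(ids + "???-???-???????-???", ids + "123-345-7890123-456"),
        "q_other_len": allowed(ids + "???-???-???????-???", ids + "12-345-7890123-456"),
        "star_other_len": allowed(ids + "*", ids + "12-345-7890123-456"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

    The `narrow_other` and `broad_other` results differ: the shorter the literal prefix left in front of `*`, the more command lines for the same executable the rule lets through.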
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That command line is insane. Seems the developer forgot keeping the battle ground to the game and off the computer. Phew.
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    Thank you, a lot. It worked as expected...
     
  12. hjlbx

    hjlbx Guest

  13. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Does anyone know what this commandline means?
    ERP gave me 2 alerts and after I whitelisted the commandlines my machine was unusable until after I rebooted.
     
  14. hjlbx

    hjlbx Guest

    That is .NET Runtime Optimization service.

    It is probably attempting to compile NET assemblies.

    It is a legitimate process.

    Sometimes when ERP blocks an object - even after white-listing the blocked object, the system will mis-behave\malfunction until after a reboot.

    If you continue to have issues, you might have to use wild-card (* or ?) in the command line.
     
  15. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Where would I place the wildcard?
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
    Actually, csc.exe is .Net's command line compiler. Mscorsvw.exe or C# APIs run the compiled output. Outright blocking of mscorsvw.exe can render your PC unusable as noted above.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
    Read this: http://www.rohitab.com/discuss/topi...ching-a-particular-process-with-command-line/ . Mscorsvw.exe is running a previously created ngen process from .Net's cache area. Ngen creates and stores processes in .Net's cache versus csc.exe which creates .dlls and the like and stores them to disk; usually the temp directories.

    The tool he is referring to costs $80: http://www.apimonitor.com/

    A free like version is here: http://jacquelin.potier.free.fr/winapioverride32/ . Can't vouch for it; never used it.
     
    Last edited: Jan 14, 2016
  18. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Is there any way to wildcard the commandlines so I don't get any more alerts? Thanks
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    Try this:
    Code:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent * -InterruptEvent 16c -NGENProcess 174 -Pipe 180 -Comment "NGen Worker Process"
     
  20. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    117
    WhiteList -> CommandLine (Wildcard)
     
  21. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks, will try it
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,104
    Location:
    .
    Net\Framework is system protected....
    You may allow system protected.....
     
  23. guest

    guest Guest

    will be a while since ERP is not updated, feel like an abandonware...
     
  24. hjlbx

    hjlbx Guest

    Same here...
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,654
    Location:
    USA
    I doubt it will be an abandonware. The last beta works fine on the 2 Windows 7X64 machines I have tried it on.
     