"Suspicious Warning Message from MSE"

Environment: XP MCE version 2002 SP3 - "fully updated at the time of discontinued support"

Problem: Recently, I've been intermittently receiving this warning:

https://www.amazon.com/clouddrive/sh...hare_link_copy



Obviously, the warning is purporting a source of MSE, and requesting I allow transmit of mHotkey.exe to MS for review.


1. My MSE is always dormant. It's only used for system scanning, at will. Never real time as a monitor.
2. Is MSE even viable for any use on this XP system?
3. Is the source of this warning even from MSE? IOW, is this presented from some unauthorized source/malware?


My response at this point was just to terminate the window because I was focused on other stuff, and didn't want to dedicate
the time for research. But, I now want to ask for aid to determine what is at play here. I've read about mHotkey.exe
at various sites/NG's, and have a very basic idea of its purpose, based on the limited description. But I can find no-
thing similar to this description. I chose this group for the perceived loyalty to the XP discontinuance, rather than
the MSE group. But, I can move there if needed. I do not plan for a perpetual XP use, I've just had more important
issues.

Also, this was written .txt, without spell check. Please excuse any error(s).



Thank you !

"anonymous" wrote in message
...


Environment: XP MCE version 2002 SP3 - "fully updated at the time of
discontinued support"

Problem: Recently, I've been intermittently receiving this warning:

https://www.amazon.com/clouddrive/sh...hare_link_copy



Obviously, the warning is purporting a source of MSE, and requesting I
allow transmit of mHotkey.exe to MS for review.


1. My MSE is always dormant. It's only used for system scanning, at will.
Never real time as a monitor.
2. Is MSE even viable for any use on this XP system?
3. Is the source of this warning even from MSE? IOW, is this presented
from some unauthorized source/malware?


My response at this point was just to terminate the window because I was
focused on other stuff, and didn't want to dedicate
the time for research. But, I now want to ask for aid to determine what is
at play here. I've read about mHotkey.exe
at various sites/NG's, and have a very basic idea of its purpose, based on
the limited description. But I can find no-
thing similar to this description. I chose this group for the perceived
loyalty to the XP discontinuance, rather than
the MSE group. But, I can move there if needed. I do not plan for a
perpetual XP use, I've just had more important
issues.

Also, this was written .txt, without spell check. Please excuse any
error(s).





http://www.file.net/process/mhotkey.exe.html

What are you using for real-time protection? MSE isn't protecting your
machine.

anonymous wrote:

Environment: XP MCE version 2002 SP3 - "fully updated at the time of discontinued support"

Problem: Recently, I've been intermittently receiving this warning:

https://www.amazon.com/clouddrive/sh...hare_link_copy



Obviously, the warning is purporting a source of MSE, and requesting I allow transmit of mHotkey.exe to MS for review.


1. My MSE is always dormant. It's only used for system scanning, at will. Never real time as a monitor.
2. Is MSE even viable for any use on this XP system?
3. Is the source of this warning even from MSE? IOW, is this presented from some unauthorized source/malware?


My response at this point was just to terminate the window because I was focused on other stuff, and didn't want to dedicate
the time for research. But, I now want to ask for aid to determine what is at play here. I've read about mHotkey.exe
at various sites/NG's, and have a very basic idea of its purpose, based on the limited description. But I can find no-
thing similar to this description. I chose this group for the perceived loyalty to the XP discontinuance, rather than
the MSE group. But, I can move there if needed. I do not plan for a perpetual XP use, I've just had more important
issues.

Also, this was written .txt, without spell check. Please excuse any error(s).



Thank you !

There is a subtle difference between

1) Checking the DLLs in System32
2) Checking your "Expense_Report.doc" before opening it in MS Word.

Disabling real-time scanning, disables (2).
The item in step (1) is necessary, for any prospective AV
tool to assure itself the OS is not compromised. Only if
the AV is sure the OS is safe, should the AV present a
screen offering its services.

So disabling real-time scanning, does not prevent a boot-time
check from occurring for (1). And the boot time check might
include checking services or startup items.

*******

From a heuristic (behavioral) point of view, mHotkey.exe shares
characteristics with a keylogger. In that, it runs privileged,
and it "sniffs" the keyboard stream. And if mHotkey.exe was
replaced with a keylogger, the report could be "for real".

At a time like this, I might download Malwarebytes MBAM free
on-demand scanner, and have it scan the system. If you have
trouble getting MBAM to download, or trouble getting MBAM to
start, that's generally a sign your system is compromised.

https://en.wikipedia.org/wiki/Malwarebytes_Anti-Malware

http://www.malwarebytes.org

https://www.malwarebytes.org/downloads/

MBAM has three versions:

1) Paid version with real time protection.
2) Offers a 30 day trial of (1)
3) Completely free on-demand scanner that does not
offer real time protection. You want the "free"
version for your check right now. Not necessarily
the trial version.

MBAM runs in a currently-running copy of Windows, for
the express purpose of doing heuristic (behavioral) checking.
So if it sees mHotkey.exe sniffing the keyboard, and
writing what was sniffed into a file (keylogging), then
it can blow the whistle.

Paul

On Tuesday, October 6, 2015 at 2:19:41 PM UTC-5, Bruce Hagen wrote:
"anonymous" wrote in message
...


Environment: XP MCE version 2002 SP3 - "fully updated at the time of
discontinued support"

Problem: Recently, I've been intermittently receiving this warning:

https://www.amazon.com/clouddrive/sh...hare_link_copy



Obviously, the warning is purporting a source of MSE, and requesting I
allow transmit of mHotkey.exe to MS for review.


1. My MSE is always dormant. It's only used for system scanning, at will.
Never real time as a monitor.
2. Is MSE even viable for any use on this XP system?
3. Is the source of this warning even from MSE? IOW, is this presented
from some unauthorized source/malware?


My response at this point was just to terminate the window because I was
focused on other stuff, and didn't want to dedicate
the time for research. But, I now want to ask for aid to determine what is
at play here. I've read about mHotkey.exe
at various sites/NG's, and have a very basic idea of its purpose, based on
the limited description. But I can find no-
thing similar to this description. I chose this group for the perceived
loyalty to the XP discontinuance, rather than
the MSE group. But, I can move there if needed. I do not plan for a
perpetual XP use, I've just had more important
issues.

Also, this was written .txt, without spell check. Please excuse any
error(s).





http://www.file.net/process/mhotkey.exe.html

What are you using for real-time protection? MSE isn't protecting your
machine.

Nothing! I'm the only very careful user(no kids, and a spouse that has been extensively warned to just signal any irregularities to me, never do what you are instructed by some unknown popup, and simply walk away).
In 8 years, this system has never run with any real time monitoring. I do run malicious, safety scanner, and MSE quick scan on a pretty regular basis.

Gary

On Tuesday, October 6, 2015 at 3:53:01 PM UTC-5, Paul wrote:
anonymous wrote:

Environment: XP MCE version 2002 SP3 - "fully updated at the time of discontinued support"

Problem: Recently, I've been intermittently receiving this warning:

https://www.amazon.com/clouddrive/sh...hare_link_copy



Obviously, the warning is purporting a source of MSE, and requesting I allow transmit of mHotkey.exe to MS for review.


1. My MSE is always dormant. It's only used for system scanning, at will. Never real time as a monitor.
2. Is MSE even viable for any use on this XP system?
3. Is the source of this warning even from MSE? IOW, is this presented from some unauthorized source/malware?


My response at this point was just to terminate the window because I was focused on other stuff, and didn't want to dedicate
the time for research. But, I now want to ask for aid to determine what is at play here. I've read about mHotkey.exe
at various sites/NG's, and have a very basic idea of its purpose, based on the limited description. But I can find no-
thing similar to this description. I chose this group for the perceived loyalty to the XP discontinuance, rather than
the MSE group. But, I can move there if needed. I do not plan for a perpetual XP use, I've just had more important
issues.

Also, this was written .txt, without spell check. Please excuse any error(s).



Thank you !

There is a subtle difference between

1) Checking the DLLs in System32
2) Checking your "Expense_Report.doc" before opening it in MS Word.

Disabling real-time scanning, disables (2).
The item in step (1) is necessary, for any prospective AV
tool to assure itself the OS is not compromised. Only if
the AV is sure the OS is safe, should the AV present a
screen offering its services.

So disabling real-time scanning, does not prevent a boot-time
check from occurring for (1). And the boot time check might
include checking services or startup items.

*******

From a heuristic (behavioral) point of view, mHotkey.exe shares
characteristics with a keylogger. In that, it runs privileged,
and it "sniffs" the keyboard stream. And if mHotkey.exe was
replaced with a keylogger, the report could be "for real".

At a time like this, I might download Malwarebytes MBAM free
on-demand scanner, and have it scan the system. If you have
trouble getting MBAM to download, or trouble getting MBAM to
start, that's generally a sign your system is compromised.

https://en.wikipedia.org/wiki/Malwarebytes_Anti-Malware

http://www.malwarebytes.org

https://www.malwarebytes.org/downloads/

MBAM has three versions:

1) Paid version with real time protection.
2) Offers a 30 day trial of (1)
3) Completely free on-demand scanner that does not
offer real time protection. You want the "free"
version for your check right now. Not necessarily
the trial version.

MBAM runs in a currently-running copy of Windows, for
the express purpose of doing heuristic (behavioral) checking.
So if it sees mHotkey.exe sniffing the keyboard, and
writing what was sniffed into a file (keylogging), then
it can blow the whistle.

Paul

I have used MB in the past. Probably about ~1 year ago. It's here dormant on the system, and I get an email from MB every so often. Presumably, wondering
if/when I'll be buying. I only ran it 2-3 times. No problems found. I'll have
to spend a little time digesting the rest of your reply. I'm considerably less
fluent here than ya'll. I'll return within 48 hours with my expanded understanding, and/or additional information. Including MB result(s).

Gary

On Tuesday, October 6, 2015 at 2:06:13 PM UTC-5, anonymous wrote:
Environment: XP MCE version 2002 SP3 - "fully updated at the time of discontinued support"

Problem: Recently, I've been intermittently receiving this warning:

https://www.amazon.com/clouddrive/sh...hare_link_copy



Obviously, the warning is purporting a source of MSE, and requesting I allow transmit of mHotkey.exe to MS for review.


1. My MSE is always dormant. It's only used for system scanning, at will. Never real time as a monitor.
2. Is MSE even viable for any use on this XP system?
3. Is the source of this warning even from MSE? IOW, is this presented from some unauthorized source/malware?


My response at this point was just to terminate the window because I was focused on other stuff, and didn't want to dedicate
the time for research. But, I now want to ask for aid to determine what is at play here. I've read about mHotkey.exe
at various sites/NG's, and have a very basic idea of its purpose, based on the limited description. But I can find no-
thing similar to this description. I chose this group for the perceived loyalty to the XP discontinuance, rather than
the MSE group. But, I can move there if needed. I do not plan for a perpetual XP use, I've just had more important
issues.

Also, this was written .txt, without spell check. Please excuse any error(s).



Thank you !



This is my 10/07 MBam scan report:
https://www.amazon.com/clouddrive/sh...hare_link_copy

I guess I kinda' lost focus earlier. I was really just trying to verify if the MSE popup message/request was actually MSE. I don't have any problem with transmitting the requested file to MSE. I just don't want to transmit it somewhere incorrect because I'm being fooled. Can I email contact MSE to receive confirmation that this instruction is authentic?

Thanks,

Gary

anonymous wrote:
On Tuesday, October 6, 2015 at 3:53:01 PM UTC-5, Paul wrote:
anonymous wrote:
Environment: XP MCE version 2002 SP3 - "fully updated at the time of discontinued support"

Problem: Recently, I've been intermittently receiving this warning:

https://www.amazon.com/clouddrive/sh...hare_link_copy



Obviously, the warning is purporting a source of MSE, and requesting I allow transmit of mHotkey.exe to MS for review.


1. My MSE is always dormant. It's only used for system scanning, at will. Never real time as a monitor.
2. Is MSE even viable for any use on this XP system?
3. Is the source of this warning even from MSE? IOW, is this presented from some unauthorized source/malware?


My response at this point was just to terminate the window because I was focused on other stuff, and didn't want to dedicate
the time for research. But, I now want to ask for aid to determine what is at play here. I've read about mHotkey.exe
at various sites/NG's, and have a very basic idea of its purpose, based on the limited description. But I can find no-
thing similar to this description. I chose this group for the perceived loyalty to the XP discontinuance, rather than
the MSE group. But, I can move there if needed. I do not plan for a perpetual XP use, I've just had more important
issues.

Also, this was written .txt, without spell check. Please excuse any error(s).



Thank you !
There is a subtle difference between

1) Checking the DLLs in System32
2) Checking your "Expense_Report.doc" before opening it in MS Word.

Disabling real-time scanning, disables (2).
The item in step (1) is necessary, for any prospective AV
tool to assure itself the OS is not compromised. Only if
the AV is sure the OS is safe, should the AV present a
screen offering its services.

So disabling real-time scanning, does not prevent a boot-time
check from occurring for (1). And the boot time check might
include checking services or startup items.

*******

From a heuristic (behavioral) point of view, mHotkey.exe shares
characteristics with a keylogger. In that, it runs privileged,
and it "sniffs" the keyboard stream. And if mHotkey.exe was
replaced with a keylogger, the report could be "for real".

At a time like this, I might download Malwarebytes MBAM free
on-demand scanner, and have it scan the system. If you have
trouble getting MBAM to download, or trouble getting MBAM to
start, that's generally a sign your system is compromised.

https://en.wikipedia.org/wiki/Malwarebytes_Anti-Malware

http://www.malwarebytes.org

https://www.malwarebytes.org/downloads/

MBAM has three versions:

1) Paid version with real time protection.
2) Offers a 30 day trial of (1)
3) Completely free on-demand scanner that does not
offer real time protection. You want the "free"
version for your check right now. Not necessarily
the trial version.

MBAM runs in a currently-running copy of Windows, for
the express purpose of doing heuristic (behavioral) checking.
So if it sees mHotkey.exe sniffing the keyboard, and
writing what was sniffed into a file (keylogging), then
it can blow the whistle.

Paul

I have used MB in the past. Probably about ~1 year ago. It's here dormant on the system, and I get an email from MB every so often. Presumably, wondering
if/when I'll be buying. I only ran it 2-3 times. No problems found. I'll have
to spend a little time digesting the rest of your reply. I'm considerably less
fluent here than ya'll. I'll return within 48 hours with my expanded understanding, and/or additional information. Including MB result(s).

Gary


If you think the file is malware, or the detection is a "false positive",
you can report the issue here.

https://www.microsoft.com/security/p...on/submit.aspx

Another site that can help with the process, is virustotal.com.
You can upload a copy of your mHotkey.exe to virustotal.com and
have it scanned. And see if any other tool reports the file as
malware. Since MBAM didn't detect it as malware, my guess
is the file is OK. And virustotal.com can help confirm that.

Once you know the file is safe, then you can go to the Microsoft
link above and submit a sample there and tell them you think
there is a false positive.

Paul

On Thursday, October 8, 2015 at 6:34:34 PM UTC-5, Paul wrote:
anonymous wrote:
On Tuesday, October 6, 2015 at 3:53:01 PM UTC-5, Paul wrote:
anonymous wrote:
Environment: XP MCE version 2002 SP3 - "fully updated at the time of discontinued support"

Problem: Recently, I've been intermittently receiving this warning:

https://www.amazon.com/clouddrive/sh...hare_link_copy



Obviously, the warning is purporting a source of MSE, and requesting I allow transmit of mHotkey.exe to MS for review.


1. My MSE is always dormant. It's only used for system scanning, at will. Never real time as a monitor.
2. Is MSE even viable for any use on this XP system?
3. Is the source of this warning even from MSE? IOW, is this presented from some unauthorized source/malware?


My response at this point was just to terminate the window because I was focused on other stuff, and didn't want to dedicate
the time for research. But, I now want to ask for aid to determine what is at play here. I've read about mHotkey.exe
at various sites/NG's, and have a very basic idea of its purpose, based on the limited description. But I can find no-
thing similar to this description. I chose this group for the perceived loyalty to the XP discontinuance, rather than
the MSE group. But, I can move there if needed. I do not plan for a perpetual XP use, I've just had more important
issues.

Also, this was written .txt, without spell check. Please excuse any error(s).



Thank you !
There is a subtle difference between

1) Checking the DLLs in System32
2) Checking your "Expense_Report.doc" before opening it in MS Word.

Disabling real-time scanning, disables (2).
The item in step (1) is necessary, for any prospective AV
tool to assure itself the OS is not compromised. Only if
the AV is sure the OS is safe, should the AV present a
screen offering its services.

So disabling real-time scanning, does not prevent a boot-time
check from occurring for (1). And the boot time check might
include checking services or startup items.

*******

From a heuristic (behavioral) point of view, mHotkey.exe shares
characteristics with a keylogger. In that, it runs privileged,
and it "sniffs" the keyboard stream. And if mHotkey.exe was
replaced with a keylogger, the report could be "for real".

At a time like this, I might download Malwarebytes MBAM free
on-demand scanner, and have it scan the system. If you have
trouble getting MBAM to download, or trouble getting MBAM to
start, that's generally a sign your system is compromised.

https://en.wikipedia.org/wiki/Malwarebytes_Anti-Malware

http://www.malwarebytes.org

https://www.malwarebytes.org/downloads/

MBAM has three versions:

1) Paid version with real time protection.
2) Offers a 30 day trial of (1)
3) Completely free on-demand scanner that does not
offer real time protection. You want the "free"
version for your check right now. Not necessarily
the trial version.

MBAM runs in a currently-running copy of Windows, for
the express purpose of doing heuristic (behavioral) checking.
So if it sees mHotkey.exe sniffing the keyboard, and
writing what was sniffed into a file (keylogging), then
it can blow the whistle.

Paul

I have used MB in the past. Probably about ~1 year ago. It's here dormant on the system, and I get an email from MB every so often. Presumably, wondering
if/when I'll be buying. I only ran it 2-3 times. No problems found. I'll have
to spend a little time digesting the rest of your reply. I'm considerably less
fluent here than ya'll. I'll return within 48 hours with my expanded understanding, and/or additional information. Including MB result(s).

Gary


If you think the file is malware, or the detection is a "false positive",
you can report the issue here.

https://www.microsoft.com/security/p...on/submit.aspx

Another site that can help with the process, is virustotal.com.
You can upload a copy of your mHotkey.exe to virustotal.com and
have it scanned. And see if any other tool reports the file as
malware. Since MBAM didn't detect it as malware, my guess
is the file is OK. And virustotal.com can help confirm that.

Once you know the file is safe, then you can go to the Microsoft
link above and submit a sample there and tell them you think
there is a false positive.

Paul

Thanks Paul, I'll look into that further. I might add that I've not seen the mHotkey warning since re-installing MBam, and running that scan of the posted results. Nothing reported in the MBam history for that tun though. I'm not suggesting the problem is corrected. It just seems dormant currently.

Thank again everyone, for all of your assistance.


Gary