myrti

Experts
  • Posts

    103
  1. Hi Bob, can you please run a scan with Malwarebytes as described here and post the logs for the developers to look at. regards myrti
  2. Hi, that would be great. Knowing why they are blacklisted may give us some indication as to what we are facing. regards myrti
  3. Hi, this was actually a discussion that went on on our IRC channel, not a thread per se. I can send you the logs, but they will be rather long. Let me know if that's what you want. regards myrti
  4. Posted a new topic here: http://forums.malwarebytes.org/index.php?showtopic=112818
  5. Hi, I have a user that has posted here: http://forums.malwarebytes.org/index.php?showtopic=112814 I've checked the logs and they appear clean, however MBAM is blocking outgoing connections from svchost to China once or twice a day, which makes us think that there may still be something in the bushes. I haven't been able to track down why MBAM is blocking said IPs and would be grateful if you could give us some further information. These are the blocked connections:

     On the 17th.
     2012/07/17 06:39:04 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)
     2012/07/17 06:39:12 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)
     2012/07/17 06:39:20 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)
     2012/07/17 11:18:39 +0800 CHRIS-PC Chris IP-BLOCK 58.240.186.242 (Type: outgoing, Port: 61746, Process: svchost.exe)
     2012/07/17 16:45:43 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)
     2012/07/17 16:45:43 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)
     2012/07/17 16:45:51 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)
     2012/07/17 16:45:51 +0800 CHRIS-PC Chris IP-BLOCK 222.71.191.21 (Type: outgoing, Port: 61746, Process: svchost.exe)

     On the 18th
     2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)
     2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)
     2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)
     2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)
     2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)
     2012/07/18 13:13:31 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)
     2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)
     2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)
     2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)
     2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)
     2012/07/18 15:50:04 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)

     On the 19th
     2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)
     2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)
     2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)
     2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)
     2012/07/19 15:00:08 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)

     I'd be grateful if you could give us an indication as to why the IPs are being blocked and if they're directly connected to malicious activity. thanks & regards myrti
  6. Hi, Yes, we did look at the IPs. However they do not show up as obviously malicious on google, the ones I've checked are not listed as malicious on hosts-file.net either. This is why I referred cstva here to ask about the IPs. From the logs I can't see why they are being blocked and I have to assume it has to do with the ISP or something else, but it would help to know for sure if the IP itself is malicious or the ISP is or some other reason entirely. Thanks & regards myrti
  7. Sorted here as well. Thanks!
  8. Hi, I have a log with the same results or almost, as it is a 64-bit OS:
  9. Hi, sorry for the lack of feedback. My user's hard disk died just at the wrong moment. So I can't get you the files. Happy to see that you have been able to fix this anyways!
  10. Hi, I have a topic where the game Crusader Kings by Paradox Interactive is being detected as Rogue.Crusader. I couldn't find anything indicating that the game wasn't legit. Let me know if you need the files.

      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4875
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      10/19/2010 6:48:23 AM
      mbam-log-2010-10-19 (06-48-23).txt

      Scan type: Full scan (C:\|F:\|)
      Objects scanned: 645880
      Time elapsed: 5 hour(s), 25 minute(s), 23 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 2
      Folders Infected: 0
      Files Infected: 5

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer.Gen) -> Data: f:\windows\system32\userinit.exe -> Quarantined and deleted successfully. [031153F3AC28B6B4EB1499C492E8619B]
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer.Gen) -> Data: system32\userinit.exe -> Quarantined and deleted successfully. [031153F3AC28B6B4EB1499C492E8619B]

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\Program Files\Paradox Entertainment\Crusader Kings\Crusaders.exe (Rogue.Crusader) -> Quarantined and deleted successfully. [FE254D30F0C6B8F9D3A041DAB3464600]
      C:\Documents and Settings\Owner\Desktop\Games\Thumb Drive\Crusaders_1.05.exe (Rogue.Crusader) -> Quarantined and deleted successfully. [FE254D30F0C6B8F9D3A041DAB3464600]
      C:\Documents and Settings\Owner\Desktop\Games\Thumb Drive\Crusaders_104a_eng.exe (Rogue.Crusader) -> Quarantined and deleted successfully. [FE254D30F0C6B8F9D3A041DAB3464600]
      F:\Documents and Settings\Jim\Local Settings\Temp\ie1B.tmp (Malware.Trace) -> Quarantined and deleted successfully. [C870F4A49897395E2FC092CA4F85E549]
      F:\Documents and Settings\Jim\Local Settings\Temp\in1A.tmp (Malware.Trace) -> Quarantined and deleted successfully. [BEFBF0D8EE4A30DEF1A4598754734042]

      regards myrti
  11. Hi, No I haven't changed anything on my VM, but I am still running IE6 on it. I originally got alerted to this because of this thread at BC where the file was deleted: http://www.bleepingcomputer.com/forums/topic317515.html While looking for a possible matching file, I found HP PhotoSmart and tried to download it, which left me with the detection I posted. This being said, deleting a file from a temp folder is not a big issue and I doubt many people will actually be bothered by it, besides the occasional helper that needs to identify the file. I consider this an FP and that's why I posted it here. Whether you want to share this point of view is your choice. I can totally understand when you decide not to follow up on this since the presence of the file will have no further impact on the PC after it has (or not) been run through IE. regards myrti
  12. Hi, this is on my VM. I had seen it in a log and was wondering if I could reproduce it. Just downloaded it again, when I click Run instead of Save, the file gets dropped in Temporary Internet Files. regards myrti
  13. Hi, possible/probable false positive on the HP PhotoSmart Essential. The file is downloadable here: ftp.hp.com/pub/united-states/pse/pse_350_enu.exe When the file is located in Temporary Internet Files, it gets detected as Trojan.Agent. No detection when it resides in another location (e.g. T:\). The log:

      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4117
      Windows 5.1.2600 Service Pack 2
      Internet Explorer 6.0.2900.2180

      5/19/2010 2:01:12 PM
      mbam-log-2010-05-19 (14-01-12).txt

      Scan type: Quick scan
      Objects scanned: 109361
      Time elapsed: 1 minute(s), 32 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\Documents and Settings\myrti\Local Settings\Temporary Internet Files\pse_350_enu.exe (Trojan.Agent) -> No action taken. [C53626311C55A2193448C2597797B227]

      regards myrti
  14. Hello and welcome to Malwarebytes,

      Please try running RKill and if that succeeds please try downloading and installing Malwarebytes again after that:

      Download and Run RKill
      Please download RKill by Grinler from one of the 4 links below and save it to your desktop.
      Link 1 Link 2 Link 3 Link 4
      Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
      Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
      A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
      If nothing happens or if the tool does not run, please let me know in your next reply.

      Malwarebytes is most effective in normal mode and hence it is not ideal to run it from a live CD.

      regards myrti
  15. Hello and welcome to Malwarebytes, do you still need help? The | is a separator for partitions scanned. The C:\ is the drive scanned. regards myrti
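A way to triage a batch of MBAM IP-BLOCK lines like the ones quoted in post 5, added here as an example; it is not code from the original thread or from Malwarebytes. It parses the protection-log line layout shown in that post and groups the outgoing blocks by destination address, so a helper can see at a glance whether the blocks recur across days, which process they come from, and which logged ports were involved. The sample lines are a subset copied from post 5 plus one deliberately malformed line; the regular expression assumes the exact field order shown there.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of a Malwarebytes 1.x protection-log IP-BLOCK line as quoted in post 5
# (assumption: date, time, UTC offset, host, user, IP-BLOCK, IP, then the parenthesised fields).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<dir>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

# Sample input: lines copied from post 5, plus one line that is not an IP-BLOCK entry.
SAMPLE_LINES = """\
2012/07/17 06:39:04 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 61746, Process: svchost.exe)
2012/07/17 11:18:39 +0800 CHRIS-PC Chris IP-BLOCK 58.240.186.242 (Type: outgoing, Port: 61746, Process: svchost.exe)
2012/07/18 13:13:23 +0800 CHRIS-PC Chris IP-BLOCK 222.64.248.174 (Type: outgoing, Port: 63387, Process: svchost.exe)
2012/07/18 15:49:56 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 63387, Process: svchost.exe)
2012/07/19 15:00:00 +0800 CHRIS-PC Chris IP-BLOCK 222.69.93.132 (Type: outgoing, Port: 49697, Process: svchost.exe)
not an IP-BLOCK line at all
""".splitlines()


def parse_ip_block(line):
    """Return the fields of one IP-BLOCK line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines):
    """Group outgoing blocks by destination IP: block count, days seen, ports and processes."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_ip_block(line)
        if rec and rec["dir"] == "outgoing":
            groups[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in groups.items():
        summary[ip] = {
            "blocks": len(recs),
            "days": sorted({r["ts"].date().isoformat() for r in recs}),
            "ports": sorted({r["port"] for r in recs}),
            "processes": sorted({r["proc"] for r in recs}),
        }
    return summary


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LINES).items():
        print(ip, info)
```

A destination that shows up on several days from the same system process, as the grouped output makes visible, is the pattern the post is asking about; the summary does not by itself say whether the address is malicious, which is the question the post hands to the Malwarebytes staff.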