OutcastCyborg

Members
  • Posts: 13
  • Joined
  • Last visited

Reputation: 0 Neutral

Profile Information
  • Interests: Computer Science, Cybersecurity, Gaming, Hardware Engineering, and Software Engineering.

Recent Profile Visitors: 1,190 profile views
  1. Salutations, I recently discovered an attempted intrusion by a variant of the Kovter Trojan. You can find all of the relevant details here (this includes logs from MBAM, HitmanPRO, FSS, FRST, and Kovter itself). According to the technician assisting me, he believes it originated from an exploit ad on a web page or something similar.[1] This reinforces my initial suspicions that WinRAR is the culprit. For some time now, the application has been generating advertisements to convince you to buy a license for their product once the evaluation period has ended (AKA nagware). Malwarebytes has warned me of this in the past, but the utility of the application outweighed the risks of this so-far benign problem. What further steps should be taken to ensure that there are no remnants or accomplices remaining? Current security arsenal: I operate strictly on a whitelist-as-needed basis at both the system and browser level. All files expressly downloaded by me are subject to testing in a secure virtual machine prior to execution in a production environment. Apologies for the long rambling, but I want to be as thorough as possible. Any suggestions to further enhance security in a Windows environment would be greatly appreciated.
  2. Hello, Apologies if this is the incorrect place to post this, but it is more of a hypothetical question regarding MBAE's abilities rather than a support inquiry. I recently discovered an intrusion attempt by a Kovter-variant trojan. I believe I have tracked down the source, but I intend to do a follow-up on the Removal forums. Can the free version of MBAE theoretically stop an exploit from a web page generated by an application, or would that require Premium?
  3. Funny you mention that; I've been using MBAE for some time now with all shields on by default. In fact, it's running right now. Does MBAE treat web pages generated by applications as a browser, or would that require Premium?
  4. Appreciate it! Any further recommendations to make sure this is gone for good and there are no remaining remnants?
  5. Hello, I wasn't exactly sure where it was appropriate to post this, but I believe I have stumbled upon a false positive. Upon booting my PC, MBAM's daily scan informed me of a Trojan.Kovter in AppData\Local\Temp. In response to this, I ran a deeply thorough scan using MBAM, HitmanPRO, FRST, and FSS with no detections. I also went back and verified the processes running in Process Explorer, since I regularly check what's running on my machine anyway. Nothing about my computer use has been out of the ordinary for this to occur, so I have hypothesized two possible scenarios: A) a false positive; B) WinRAR's license advertisements have delivered a successful payload. Scenario B sounds highly unlikely since this has been an ongoing thing for some time and I have yet to notice anything outside the ordinary.

The following is enclosed with this post:
     • HitmanPRO: Default Scan log; free one-time scan.
     • FRST: FRST.txt and Addition.txt. The following parameters have generated this log: Whitelist: Drivers, Internet, Processes, Registry, Services; Optional Scan: Addition.txt, List BCD, 90 Days Files.
     • FSS: FSS.txt. The following parameters have generated this log: RpcSs and PlugPlay, Internet Services, Security Center/Action Center, System Restore, Windows Defender, Other Services.
     • MBAM: The initial log which triggered the alert, the thorough scan conducted thereafter, and the latest real-time protection logs against the IPs displaying the advertisements (I have others from previous instances of when I used WinRAR, but as I mentioned, up until now it has been benign). For all of the above MBAM logs, I have included both the text and XML formats of said logs.

I was going to also upload the file in question to VirusTotal as an additional verification, but I decided against it due to the ambiguity of its threat status. Logs.7z
  6. After following the clean removal process, everything so far appears to be up and running; maybe it was just a quirk with my setup. Thanks again for your assistance, OutcastCyborg
  7. Hello all, Not entirely sure what's been going on with my Malwarebytes setup lately. I recently re-enabled MBAE to test performance with a VM I use, to see if recent updates improved performance, and it seems a bit better, but since I have done so, for some reason MBAM is no longer functioning. I have attached screenshots which show the report from Windows Event Viewer; not entirely sure what any of the exception codes or faults mean, though. If the issue is not correctable, I will just reinstall, but I am curious about the cause of said issue. The following is a list of programs I use for security purposes: avast! Premier, Malwarebytes Anti-Exploit, Malwarebytes Anti-Malware. Thanks in advance, OutcastCyborg
  8. After doing a little bit more digging, it appears that there could be a myriad of reasons why PIA's Ruby runtime environment is flagged by MBAM's real-time protection module. According to this (https://www.privateinternetaccess.com/forum/index.php?p=/discussion/790/questions-regarding-the-backround-network-scans-of-rubyw-exe/p1) article, an alleged IT security consultant found several unusual requests to a variety of domains, which occurred when not connected to the VPN. When PIA was questioned about this by the same individual, he asked the following: In response to this, a Tier II Technical Support PIA Inc. technician known only as "alex b" replied to each of his questions with the following:

This would explain why there are randomized folders and processes each time PIA is executed. This makes some degree of sense, but at the same time, why is this happening so frequently, when honestly you'll probably only shave a few ms here and there? I'm not sure I buy his argument here; while I get that this can be used to conceal some connections, when you connect to PIA's servers the IP addresses assigned are already shared amongst the servers, which means all you could obtain from a reverse DNS lookup is the DNS of PIA's servers. Until more information about such matters is revealed (which probably never will be, for the sake of "security"), I'm not buying it. Mind you, this article was posted about a year ago; still waiting for an answer as to why they haven't provided a solution to this.

This is probably the most compelling answer out of the entire response, which to me is a near-complete paradox to the technician's denial of suspicious connections that may or may not be malicious. If they are in fact routing clients only to servers they own, then why are the IP addresses coming back as potentially malicious, especially when you consider his statement about rDNS? All of a sudden you have malicious domains occupying DNS you once used?

I'm no network expert, but that to me sounds like a borderline admission - if not an indication that they are constantly under attack - of suspicious routing. At this point, I cannot formally declare that they are definitely suspicious, but I also cannot say they are not either. *sigh* the price we pay for not knowing things - literally.
  9. Thanks for the informative and to-the-point reply. I have no doubt that the shared IP address across multiple domains is probably what's causing the issue. I downloaded the MBAM 2.0 RC and, while there is no method (though I haven't delved too deep into the new interface), there was a trend that I noticed among the tooltip bubbles. Although the IP addresses and port numbers are dynamic, the tooltip bubble in the new interface consistently refers to a folder in "C:\Users\Chad\AppData\Local\Temp\ocr9B0.tmp\bin\rubyw.exe". Originally, when I first started using PIA, that temp folder always changed; however, in the last couple of days, I tweaked the settings to always connect to the same server located closest to me for performance reasons (specifically US - Texas). Prior to that I allowed PIA to select which server I connect to (not good for performance or security, I realize), which leads me to believe that PIA creates a directory based on which server you connect to. Now, whether that changes whenever I shut down my PC, I am uncertain. To compound the mystery, as I type this I am currently not connected to any of PIA's servers, which has me curious as to why there are outgoing requests to these domains, possibly for caching purposes, but nonetheless unusual. If I were to connect, it might be possible that the folder will once again change and, honestly, I don't see myself creating an exception for every instance a new folder is created, for obvious security reasons. Based on this information, would you suggest requesting a refund, uninstalling Private Internet Access, and finding another solution? I doubt any malicious activity is occurring, but as a security-conscious individual I am moderately suspicious of all this, and that's nothing new, as I often don't even trust links anymore unless I am in a sandboxed browser environment.
  10. Here is the protection log for today; for whatever reason the log would not upload as a file:
  11. Greetings everyone, First off, let me say I am proud to be a long-term user of MBAM Pro and I highly endorse, to all my colleagues, the fantastic product that the team at Malwarebytes offers to protect my PC. Secondly, apologies if this is not the correct place to post this, as this is the first time I have had to post an issue. With that out of the way, time to get down to the issue at hand: I recently purchased an annual license for Private Internet Access (PIA), a VPN service, to resolve my ISP's monkey business with YouTube, Twitch, and the internet in general. So far everything is fine and I have noticed a MASSIVE boost in network consistency and bandwidth with a minor sacrifice in ping times. However, I also noticed MBAM Pro consistently attempts to IP-block "Rubyw.exe", which is the runtime environment PIA uses for connectivity and management purposes. While it hasn't hindered VPN performance as far as I know (and it tends to happen whenever I turn it off), it is quite annoying. Whitelisting the process does not resolve the issue either, since they are all randomized and dynamically connect to random ports. My overall question: is there a solution to this, or am I stuck with the excessive IP-blocks? Below I have enclosed my log, though it continually updates over time.