guruuno

Honorary Members
Posts: 31
Reputation: 0 Neutral
1,041 profile views
  1. Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 9/26/23
     Protection Event Time: 2:31 PM
     Log File: ee98596a-5c9a-11ee-8a7f-b083fe889a7e.json

     -Software Information-
     Version: 4.6.3.282
     Components Version: 1.0.2151
     Update Package Version: 1.0.75695
     License: Premium

     -System Information-
     OS: Windows 10 (Build 19045.3448)
     CPU: x64
     File System: NTFS
     User: System

     -Exploit Details-
     File: 0
     (No malicious items detected)

     Exploit: 1
     Exploit.PayloadProcessBlock, C:\WINDOWS\system32\cscript.exe cscript prnmngr.vbs -a -p Splashtop PDF Remote Printer -m Microsoft Print to PDF -r FILE:, Blocked, 701, 392684, 0.0.0, ,

     -Exploit Data-
     Affected Application: cmd
     Protection Layer: Application Behavior Protection
     Protection Technique: Exploit payload process blocked
     File Name: C:\WINDOWS\system32\cscript.exe cscript prnmngr.vbs -a -p Splashtop PDF Remote Printer -m Microsoft Print to PDF -r FILE:
     URL:

     (end)
  2. I also have a log/notification. This is from last week or so, but identical info. I added/allowed Splashtop in Malwarebytes but it still occurs. Will provide more info as I gather it.
  3. September 13th this was informed of issues (I cannot reply or reopen, hence new topic here):

     Splashtop remote printing being blocked, again please advise as to a resolution.

     Their reply was:

     For the fixed IP solution, follow the steps below to configure:
     1. Please update and whitelist the following IP addresses.
     2. Once the IP addresses are whitelisted, please respond and inform us that this has been done.
     3. When we are notified, we can tag your account to properly route on our backend.

     Please find the list of current fixed IP addresses:
     150.136.132.17 3.132.193.204 18.191.44.25 35.165.160.97 50.18.229.181 129.159.111.190 129.159.101.179 3.141.58.188 158.101.45.160 158.101.35.45 129.159.110.20 34.235.90.206 129.159.85.200 129.146.211.84 132.226.113.124 35.211.56.94 18.233.112.74 54.173.10.171 129.146.228.243 54.176.215.111 3.141.82.240 129.159.74.46 129.159.114.84 35.212.232.80 35.155.46.184 129.159.99.162 35.211.185.165 35.211.205.237 132.226.24.89 35.208.36.229 193.122.185.220 150.136.0.254 35.211.20.190 54.241.4.254 54.203.233.2 35.211.146.105 34.225.225.238 3.140.205.16 44.230.159.46 44.241.96.242 35.211.145.52 54.163.92.216 129.159.105.223 132.226.30.183 129.146.216.189 193.122.200.117 129.159.106.212 129.159.92.21 132.226.25.67 132.226.121.15 129.159.84.35 193.122.191.67 158.101.39.21 158.101.39.108 129.146.234.94 3.12.183.222 35.172.169.64 184.169.237.2 158.101.38.12 50.18.55.179 3.141.226.31 35.207.37.114 35.80.107.79 158.101.24.240 54.71.160.66 35.153.163.73 129.159.89.174 44.233.167.217 54.203.67.36 35.212.212.174 129.159.86.83 129.159.100.58 158.101.32.219 35.212.248.219 132.226.113.48 54.198.215.106 193.122.172.160 54.176.48.173 54.241.2.8 132.226.124.195 129.159.116.1 193.122.192.28 158.101.45.12 129.146.197.13 132.226.124.196 35.211.247.4 35.211.34.194 35.209.244.86 129.146.150.170 158.101.37.95 129.159.101.198 150.136.0.219 35.215.99.56 129.146.208.44 129.146.229.237 18.224.115.69 193.122.199.224 132.226.124.145 54.176.81.135 52.9.42.215
     3.142.162.106 129.159.108.9 35.215.67.29 132.226.126.196 129.159.82.0/24 129.159.89.16 129.159.108.8 35.208.104.94 132.226.29.110 132.226.144.0/24 35.174.216.37 54.164.19.64 44.238.115.102 132.226.24.212 50.18.0.172 35.211.141.116 150.136.187.68 35.215.81.247 54.151.91.105 132.226.112.220 3.132.98.42 193.122.199.213 35.209.14.26 54.241.14.13

     Thank you,
     -Splashtop Team

     Regards,
     Splashtop Business Support Team
  4. Validated with Splashtop; this needs to be addressed with a false positive fix or however it is resolved. Thank you.

     Please whitelist connection to *.relay.splashtop.com. This is for Splashtop remote connection.
     (02:23:26 PM) ME: So, to be clear, the IP is valid/Splashtop and not a compromise?
     (02:24:47 PM) Steffi - Splashtop: Yes, this is our IP. We use dynamic IP so the digits will change from time to time but the domain remains the same.

     However, *.relay.splashtop cannot be manually added into anything, only individual IP addresses. Splashtop support says they will send me an IP list, but is it not easier for Malwarebytes to do it on your end (whitelist it)?
  5. OK, Sophos log file is attached: SophosScanAndClean_20221208_0951.log
  6. Running 'fixlist.txt' now, will provide file(s) upon completion as requested; sorry for the delay (holiday). Question(s): You state "CCleaner (computer experts no longer recommend this program)"... can you advise as to why? Can you suggest an alternative tool? Yes, the new PC was upgraded with a Macrium image from a previous machine. Does the 'fixlist.txt' address the files/items that you reference, or do I manually do the removal? Thanks
  7. So, ThisisU stated, " I am removing both of those IP blocks just FYI. Threats are 404 (below results haven't been updated). Low abuse rating". Does that mean that they were false?
  8. Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 11/23/22
     Protection Event Time: 5:41 AM
     Log File: 72abc9c0-6b1b-11ed-bfba-a4bb6dd8b56b.json

     -Software Information-
     Version: 4.5.17.221
     Components Version: 1.0.1806
     Update Package Version: 1.0.62669
     License: Premium

     -System Information-
     OS: Windows 11 (Build 22000.1281)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: Compromised
     Domain:
     IP Address: 159.203.73.163
     Port: 443
     Type: Outbound
     File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

     -----------

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 11/23/22
     Protection Event Time: 5:05 AM
     Log File: 5fe6314a-6b16-11ed-9a2a-a4bb6dd8b56b.json

     -Software Information-
     Version: 4.5.17.221
     Components Version: 1.0.1806
     Update Package Version: 1.0.62669
     License: Premium

     -System Information-
     OS: Windows 11 (Build 22000.1281)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: Malware
     Domain:
     IP Address: 159.203.73.163
     Port: 443
     Type: Outbound
     File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

     (end)

     -------------

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 11/23/22
     Protection Event Time: 5:04 AM
     Log File: 3d03f252-6b16-11ed-ba1d-a4bb6dd8b56b.json

     -Software Information-
     Version: 4.5.17.221
     Components Version: 1.0.1806
     Update Package Version: 1.0.62669
     License: Premium

     -System Information-
     OS: Windows 11 (Build 22000.1281)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: Compromised
     Domain:
     IP Address: 159.203.73.163
     Port: 443
     Type: Outbound
     File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

     (end)

     --------------

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 11/22/22
     Protection Event Time: 5:49 PM
     Log File: fd94e18e-6ab7-11ed-a665-a4bb6dd8b56b.json

     -Software Information-
     Version: 4.5.17.221
     Components Version: 1.0.1806
     Update Package Version: 1.0.62649
     License: Premium

     -System Information-
     OS: Windows 11 (Build 22000.1281)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: Trojan
     Domain:
     IP Address: 159.89.239.212
     Port: 443
     Type: Outbound
     File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

     (end)
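The question running through posts 3, 4 and 8 above is whether a blocked outbound IP belongs to the vendor (Splashtop published a fixed-IP list, including two /24 ranges) or is something that needs a closer look. As an added example, not code from the original posts, Malwarebytes or Splashtop, the script below parses a pasted Malwarebytes protection-event export, one field per line as the clipboard export writes it, and checks each blocked IP against that list with CIDR ranges honoured. The sample log text is constructed from the field values shown in posts 1 and 8 (sections the triage does not need are left out), the allowlist is a short excerpt of the list in post 3, and `parse_export`, `triage` and `Finding` are names chosen here.

```python
"""Triage a pasted Malwarebytes protection-event export against a vendor IP list.
Added example, not Malwarebytes or Splashtop code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample using field values from the posts above, one field per
# line as the Malwarebytes clipboard export writes them (two events shown).
SAMPLE_LOG = r"""-Log Details-
Protection Event Date: 11/23/22
Protection Event Time: 5:41 AM
Log File: 72abc9c0-6b1b-11ed-bfba-a4bb6dd8b56b.json

-Website Data-
Category: Compromised
Domain:
IP Address: 159.203.73.163
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

(end)

-Log Details-
Protection Event Date: 9/26/23
Protection Event Time: 2:31 PM
Log File: ee98596a-5c9a-11ee-8a7f-b083fe889a7e.json

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\system32\cscript.exe cscript prnmngr.vbs -a -p Splashtop PDF Remote Printer -m Microsoft Print to PDF -r FILE:

(end)
"""

# Excerpt of the fixed-IP list Splashtop support sent (post 3 above), with its
# two /24 ranges; in practice load the full list from a file.
SPLASHTOP_ALLOWLIST = [
    "150.136.132.17", "3.132.193.204", "129.159.82.0/24", "132.226.144.0/24",
    "18.233.112.74", "54.241.14.13",
]

SECTION_RE = re.compile(r"^-(.+)-$")                    # e.g. "-Website Data-"
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")  # "Key: value"


def parse_export(text):
    """Split an export into records; each maps 'Section/Key' -> value."""
    records = []
    for chunk in text.split("(end)"):
        if "-Log Details-" not in chunk:
            continue  # whitespace after the final record
        rec, section = {}, ""
        for line in chunk.splitlines():
            line = line.strip()
            m = SECTION_RE.match(line)
            if m:
                section = m.group(1)
                continue
            m = KV_RE.match(line)
            if m and section:
                rec[f"{section}/{m.group(1)}"] = m.group(2)
        records.append(rec)
    return records


def build_networks(entries):
    """Accept both single addresses and CIDR ranges from the vendor list."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_in_allowlist(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


@dataclass
class Finding:
    date: str
    kind: str                      # "website" or "exploit"
    detail: str                    # blocked IP, or the blocked command line
    vendor_listed: Optional[bool]  # None when the event carries no IP


def triage(text, allowlist):
    """Tag each website block as on/off the vendor list; pass exploit blocks through."""
    nets = build_networks(allowlist)
    findings = []
    for rec in parse_export(text):
        date = rec.get("Log Details/Protection Event Date", "?")
        if "Website Data/IP Address" in rec:
            ip = rec["Website Data/IP Address"]
            findings.append(Finding(date, "website", ip, ip_in_allowlist(ip, nets)))
        elif "Exploit Data/File Name" in rec:
            findings.append(Finding(date, "exploit", rec["Exploit Data/File Name"], None))
    return findings


if __name__ == "__main__":
    label = {True: "on vendor list", False: "NOT on vendor list", None: "n/a"}
    for f in triage(SAMPLE_LOG, SPLASHTOP_ALLOWLIST):
        print(f"{f.date} {f.kind} [{label[f.vendor_listed]}] {f.detail}")
```

A miss against the vendor list does not by itself mean compromise, and a hit does not make the block a false positive; it only tells you which of the two conversations (with the vendor or with the AV vendor) to have next. Keep the CIDR handling: a list that mixes /32 entries with /24 ranges is easy to misread when checked by eye.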
  9. End user goes to https://www.yahoo.com, he gets notifications (as per screenshot)... why, what, how?
  10. This message is showing on Windows 11. Is there something that needs to be done to make Malwarebytes and Windows defender play nice together?