Everything posted by guruuno

  1. Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 9/26/23
     Protection Event Time: 2:31 PM
     Log File: ee98596a-5c9a-11ee-8a7f-b083fe889a7e.json

     -Software Information-
     Version: 4.6.3.282
     Components Version: 1.0.2151
     Update Package Version: 1.0.75695
     License: Premium

     -System Information-
     OS: Windows 10 (Build 19045.3448)
     CPU: x64
     File System: NTFS
     User: System

     -Exploit Details-
     File: 0
     (No malicious items detected)

     Exploit: 1
     Exploit.PayloadProcessBlock, C:\WINDOWS\system32\cscript.exe cscript prnmngr.vbs -a -p Splashtop PDF Remote Printer -m Microsoft Print to PDF -r FILE:, Blocked, 701, 392684, 0.0.0, ,

     -Exploit Data-
     Affected Application: cmd
     Protection Layer: Application Behavior Protection
     Protection Technique: Exploit payload process blocked
     File Name: C:\WINDOWS\system32\cscript.exe cscript prnmngr.vbs -a -p Splashtop PDF Remote Printer -m Microsoft Print to PDF -r FILE:
     URL:

     (end)
  2. I also have log/notification. This is from last week or so but identical info. I added/allowed Splashtop in Malwarebytes but it still occurs. Will provide more info as I gather it.
  3. September 13th this was informed of issues (I cannot reply or reopen, hence new here topic); Splashtop remote printing being blocked, again please advise as to a resolution their reply was For the fixed ip solution, follow the steps below to configure: 1. Please update and whitelist the following ip addresses 2. Once the ip addresses are whitelisted, please respond and inform us that this has been done 3. When we are notified, we can tag your account to properly route on our backend Please find the list of current fixed ip addresses. Thank you, -Splashtop Team Regards, Splashtop Business Support Team
  4. Validated with Splashtop, this needs to be addressed with a false positive fix or however it is resolved. Thank you.

     Please whitelist connection to *.relay.splashtop.com. This is for Splashtop remote connection
     (02:23:26 PM) ME: So, to be clear, the IP is valid/Splashtop and not a compromise?
     (02:24:47 PM) Steffi - Splashtop : Yes, this is our IP. We use dynamic ip so the digits will change from time to time but the domain remain the same

     However, *.relay.splashtop cannot be manually added into anything, only individual IP addresses. Splashtop support says they will send me an IP list, but is it not easier for Malwarebytes to do it on your end (white-list it)?
  5. OK, Sophos log file is attached: SophosScanAndClean_20221208_0951.log
  6. Running 'fixlist.txt' now, will provide file(s) upon completion as requested, sorry for the delay (holiday). Question(s)? You state: "CCleaner (computer experts no longer recommend this program)"...can you advise as to why? Can you suggest alternative tool? Yes, the new PC was upgraded with a Macrium image from a previous machine. Does the 'fixlist.txt' address the files/items that you reference or do I manually do the removal? Thanks
  7. So, ThisisU stated, " I am removing both of those IP blocks just FYI. Threats are 404 (below results haven't been updated). Low abuse rating". Does that mean that they were false?
  8. Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 11/23/22
     Protection Event Time: 5:41 AM
     Log File: 72abc9c0-6b1b-11ed-bfba-a4bb6dd8b56b.json

     -Software Information-
     Version: 4.5.17.221
     Components Version: 1.0.1806
     Update Package Version: 1.0.62669
     License: Premium

     -System Information-
     OS: Windows 11 (Build 22000.1281)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: Compromised
     Domain:
     IP Address: 159.203.73.163
     Port: 443
     Type: Outbound
     File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

     -----------

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 11/23/22
     Protection Event Time: 5:05 AM
     Log File: 5fe6314a-6b16-11ed-9a2a-a4bb6dd8b56b.json

     -Software Information-
     Version: 4.5.17.221
     Components Version: 1.0.1806
     Update Package Version: 1.0.62669
     License: Premium

     -System Information-
     OS: Windows 11 (Build 22000.1281)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: Malware
     Domain:
     IP Address: 159.203.73.163
     Port: 443
     Type: Outbound
     File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

     (end)

     -------------

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 11/23/22
     Protection Event Time: 5:04 AM
     Log File: 3d03f252-6b16-11ed-ba1d-a4bb6dd8b56b.json

     -Software Information-
     Version: 4.5.17.221
     Components Version: 1.0.1806
     Update Package Version: 1.0.62669
     License: Premium

     -System Information-
     OS: Windows 11 (Build 22000.1281)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: Compromised
     Domain:
     IP Address: 159.203.73.163
     Port: 443
     Type: Outbound
     File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

     (end)

     --------------

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 11/22/22
     Protection Event Time: 5:49 PM
     Log File: fd94e18e-6ab7-11ed-a665-a4bb6dd8b56b.json

     -Software Information-
     Version: 4.5.17.221
     Components Version: 1.0.1806
     Update Package Version: 1.0.62649
     License: Premium

     -System Information-
     OS: Windows 11 (Build 22000.1281)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: Trojan
     Domain:
     IP Address: 159.89.239.212
     Port: 443
     Type: Outbound
     File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

     (end)
  9. End user goes to https://www.yahoo.com, he gets notifications (as per screenshot)....why, what, how?
  10. This message is showing on Windows 11. Is there something that needs to be done to make Malwarebytes and Windows defender play nice together?
  11. So. What’s the end result? This has been ongoing and unresolved.
  12. Agreed. I've been noticing that there are some events in Event Viewer indicating Malwarebytes snafus. As much as I'd like to say that this program offers so many good things, it's like it's always being fixed, problematic. Going from a free program to a paid application one might think it would be tweaked more efficiently. Remember the early days of AntiVirus manufacturers, McAfee this, Norton that, Avast here, Eset this, and most famously Sunbelt whoa now Vipre yea. Well when Sunbelt was at the top of their game, they mysteriously dropped out of sight, and all those who paid, used, believed, etc., were abandoned. Then poof...they're back as another company years later. Milk the cows oh dear Malwarebytes. Milk the cows. Ever try calling support? It's a joke.
  13. So let me be clear, we should disable protection and expose to risk?
  14. So let me comprehend. Paid subscriptions have no fix, free 'anti-exploit' have a first run? Do we get compensation for beta testing?
  15. The entire point of a 'community' or forum is to share suggestions, discuss problems and issues as well as having an inside track to communicate at whatever level with the "mother ship" (as in Malwarebytes). Heeeeellllllllllooooooooo, who is asleep at the wheel? Heeeellllllllooooooo, who is in charge? Hellllllloooooooo how many times will end users need to open tickets, send logs, jump through hoops to get acknowledgement and resolve? Possibly the next round of conversations regarding these types of problems should be directed to Social Media, Facebook, Twitter, YouTube, and then maybe action will occur.
  16. Well, here we go again, and again, and again. This thread, started way back when with it being re-awoken recently with the "fix" has now reverted back. So, sure, run the tools, submit, or in the meantime de-activate the Word checkbox, all over again? Come on Malwarebytes are you kidding? Microsoft pushed out .NET and other "updates" last evening, who is in charge at Malwarebytes or do you just wait for the complaints to act on compatibility?
  17. Well, for over 1 month, I've had end users in a pickle. Malwarebytes, Windows 10, Office 365, and a vertical application called "Amicus Law" which provides an add-in for Word. When the add-in is enabled, Word has multiple instances remaining upon each opening of the program. 2,3,4,8,9 or more, open and close, another "instance" of Word in memory, all having to be killed in Task Manager to regain control of the application as it becomes frozen and no longer responds to any intended action. If I disable the specific add-in for Amicus, bingo, it all worked. 20+ hours of support with both Microsoft and Amicus developers, engineers, technical support staff and so forth, no conclusions other than each pointing fingers as to whose problem they told each other it's not theirs. Well then I stumbled across this posting after Googling the term "WINWORD.EXE remains running when Word is closed" as well as "winword.exe is waiting to finish network i/o". Also, analyzing wait chain in process manager helped understand what was going on. Bottom line, I disable Winword.exe in protected applications and there were no longer any issues whatsoever! I then thought to force a manual update of Malwarebytes. BINGO! It can now be turned back on and everything works. No more multiple instances of Word regardless of add-in toolbars. One might think that the Malwarebytes people would push those necessary updates more frequently and advise in some fashion the fixes that were part of its patching. Hallelujah!
  18. So, I just got done updating about 100 Windows computers. Out of the 100, 12 had Malwarebytes disappear after the 1809 Windows update. And the answer is just, oh well, download it and reinstall it? This looks serious enough to become a future class action lawsuit if it progressively gets worse. Sell the product, tell the customer to reinstall it, and who is to blame, Microsoft, Malwarebytes? Something is very, very fishy.