cybot

Honorary Members
  • Posts: 247
  • Joined
  • Last visited

Reputation: 0 Neutral

Recent Profile Visitors: 1,928 profile views
  1. Here are the logs. It isn't all the entries from this issue, but there doesn't seem to be any way to export all the entries at once. blocked website.txt
  2. Yes. When I enter the IP addresses into my browser (Windows Sandbox), google.com is what comes up, not that desonovel site. I am currently running yet another deep scan, but when that finishes, I will post the logs of the website blocking.
  3. Every time I start Edge, I get a message that two IP addresses are being blocked; there is one IPv4 address and one IPv6 address. According to MBAM, the addresses belong to desnovel.blogspot.com, but in fact the IP addresses are for google.com. The IPv4 addresses will vary slightly each time, but ALL of them track back to google.com. Now, I don't know why Edge wants to establish an outbound connection to Google, but it could either be the fact that Edge is based off of Chromium, or because of my search settings in the browser. Either way, it's not really important since the addresses are benign. The event logs in MBAM say it is an RTP event with the cause as trojan, and there is one malware event attributed to this issue. I have run multiple scans on my system and nothing was found, even after a deep scan where everything on the drive was looked at. So an infection of some sort is not the issue.
  4. Well... Following my post, the forum went up and down for about 30 minutes or so. Going to assume it was related to someone trying to fix the issue. I am able to press the verify button now, but none of the verification codes I am being sent are working. I keep getting "verification code is incorrect" messages.
  5. I needed to get my license key earlier today because for some reason Malwarebytes had become deactivated on my phone. I went into the my.Malwarebytes.com site and entered my credentials, but the site won't let me in. I am getting the email messages with the verification code, but the verify button is remaining greyed out even after entering the code. How do I access my keys and so on if I can't get past the verification page? I tried four or five times to log in, and each time it would not let me use the verify button.
  6. OK, that seems to have fixed it. From further testing, it seems that the option to block penetration tests is what is triggering the false detection. Not sure why this is so.
  7. Oddly enough, opening devmgmt.msc or Device Manager with the Start search box does not trigger the erroneous block; only selecting Device Manager from the Win+X menu will trigger the block.
  8. Malwarebytes just started blocking me from bringing up the Device Manager from the Start menu (Win+X). Not sure why it suddenly started doing that. Really dumb move! It doesn't seem to block the other MMC-based options (Disk Management, Event Viewer, Computer Management); it only seems to have an issue with the Device Manager option.

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 4/5/22
     Protection Event Time: 2:12 PM
     Log File: 081c1c74-b525-11ec-8f52-48a4726f9563.json

     -Software Information-
     Version: 4.5.7.186
     Components Version: 1.0.1645
     Update Package Version: 1.0.53297
     License: Premium

     -System Information-
     OS: Windows 11 (Build 22000.593)
     CPU: x64
     File System: NTFS
     User: System

     -Exploit Details-
     File: 0
     (No malicious items detected)

     Exploit: 1
     Malware.Exploit.Agent - Exploit payload process blocked, C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\devmgmt.msc, Blocked, 0, 392684, 0.0.0, ,

     -Exploit Data-
     Affected Application: Windows Control Panel
     Protection Layer: Application Behavior Protection
     Protection Technique: Exploit payload process blocked
     File Name: C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\devmgmt.msc
     URL:

     (end)

     PLEASE FIX ASAP!!!
  9. Alright, it's late right now, but tomorrow morning I will do the reinstall followed by another log grab.
  10. This issue has only occurred once. I would not even be reporting it except for the scary-looking error message. Is doing a clean reinstall really necessary?
  11. Sorry, was doing that when you responded... added the log file to my original post. Took a look at the FRST logs myself, and nothing really stood out. There was one thing that caught my attention though: there was an <Attention!> marked for anything that was related to Group Policy, perhaps erroneously. Group Policy is completely disabled on my machine. (See screenshot.)
  12. Windows 11 Pro. I have been sick the last few weeks so the incident is a little old, so please bear with me. The incident occurred on 2/4/22. I was playing Ubisoft's "The Crew 2" when I was rudely interrupted by a very scary-looking stop screen that said kernel security check failure. I waited for Windows to make a dump and then allowed the system to restart. I examined both memory.dmp as well as the full memory dump made using WinDbg (Preview), and it said a buffer overrun occurred in the game and that MWAC.sys caused the stop screen. I have been in contact with the dev team for Crew 2 on Discord, and they assured me that the cause was not the game, nor was it another player in the game attempting to hack me. Which leaves me the reference in the dump to mwac.sys. What I need to know is: do I have a security issue, or can I safely ignore what happened?

     *******************************************************************************
     *                                                                             *
     *                        Bugcheck Analysis                                    *
     *                                                                             *
     *******************************************************************************

     KERNEL_SECURITY_CHECK_FAILURE (139)
     A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine.
     Arguments:
     Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
     Arg2: ffff800868e651c0, Address of the trap frame for the exception that caused the BugCheck
     Arg3: ffff800868e65118, Address of the exception record for the exception that caused the BugCheck
     Arg4: 0000000000000000, Reserved

     Debugging Details:
     ------------------

     Unable to load image \SystemRoot\system32\DRIVERS\mwac.sys, Win32 error 0n2

     KEY_VALUES_STRING: 1

         Key  : Analysis.CPU.mSec
         Value: 2124

         Key  : Analysis.DebugAnalysisManager
         Value: Create

         Key  : Analysis.Elapsed.mSec
         Value: 6499

         Key  : Analysis.Init.CPU.mSec
         Value: 1343

         Key  : Analysis.Init.Elapsed.mSec
         Value: 5453

         Key  : Analysis.Memory.CommitPeak.Mb
         Value: 194

         Key  : FailFast.Name
         Value: CORRUPT_LIST_ENTRY

         Key  : FailFast.Type
         Value: 3

         Key  : WER.OS.Branch
         Value: co_release

         Key  : WER.OS.Timestamp
         Value: 2021-06-04T16:28:00Z

         Key  : WER.OS.Version
         Value: 10.0.22000.1

     FILE_IN_CAB:  MEMORY.DMP

     TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b

     DUMP_FILE_ATTRIBUTES: 0x1800

     BUGCHECK_CODE:  139
     BUGCHECK_P1: 3
     BUGCHECK_P2: ffff800868e651c0
     BUGCHECK_P3: ffff800868e65118
     BUGCHECK_P4: 0

     TRAP_FRAME:  ffff800868e651c0 -- (.trap 0xffff800868e651c0)
     NOTE: The trap frame does not contain all registers.
     Some register values may be zeroed or incorrect.
     rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000003
     rdx=0000000000000a19 rsi=0000000000000000 rdi=0000000000000000
     rip=fffff801d2aaafb7 rsp=ffff800868e65350 rbp=ffff800868e65471
      r8=ffff9a8f25f8e0d0  r9=000000000000979d r10=ffff9a8f1afd4000
     r11=000000000000979d r12=0000000000000000 r13=0000000000000000
     r14=0000000000000000 r15=0000000000000000
     iopl=0         nv up ei pl nz na po nc
     mwac+0x1afb7:
     fffff801`d2aaafb7 cd29            int     29h
     Resetting default scope

     EXCEPTION_RECORD:  ffff800868e65118 -- (.exr 0xffff800868e65118)
     ExceptionAddress: fffff801d2aaafb7 (mwac+0x000000000001afb7)
        ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
       ExceptionFlags: 00000001
     NumberParameters: 1
        Parameter[0]: 0000000000000003
     Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

     BLACKBOXBSD: 1 (!blackboxbsd)
     BLACKBOXNTFS: 1 (!blackboxntfs)
     BLACKBOXPNP: 1 (!blackboxpnp)
     BLACKBOXWINLOGON: 1

     PROCESS_NAME:  TheCrew2.exe

     ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

     EXCEPTION_CODE_STR:  c0000409
     EXCEPTION_PARAMETER1:  0000000000000003
     EXCEPTION_STR:  0xc0000409

     STACK_TEXT:
     ffff8008`68e64e98 fffff801`6a828da9 : 00000000`00000139 00000000`00000003 ffff8008`68e651c0 ffff8008`68e65118 : nt!KeBugCheckEx
     ffff8008`68e64ea0 fffff801`6a8291f2 : 00000000`00000042 ffff9a80`759facb0 00000000`00000003 00000000`00061e7f : nt!KiBugCheckDispatch+0x69
     ffff8008`68e64fe0 fffff801`6a8274d2 : fffff801`d2aad540 ffff8008`68e651d0 41443d72`6579614c 445f4d41`52474154 : nt!KiFastFailDispatch+0xb2
     ffff8008`68e651c0 fffff801`d2aaafb7 : ffff9a80`6457c6a0 ffff8008`68e65471 fffff801`d2aae418 ffff8008`68e653d0 : nt!KiRaiseSecurityCheckFailure+0x312
     ffff8008`68e65350 fffff801`d2a92179 : 00000000`00000000 ffff8008`68e65471 00000000`00000000 ffff9a80`6457c6a0 : mwac+0x1afb7
     ffff8008`68e653f0 fffff801`704d8e8b : ffff9a8f`10fb68a0 ffff9a80`75a11d70 ffff9a80`75a11d70 ffff9a8f`23ea14e0 : mwac+0x2179
     ffff8008`68e654c0 fffff801`704d8169 : ffff9a80`22c40018 ffff8008`68e65b70 ffff8008`68e65b90 ffff9a80`759e9c50 : NETIO!ProcessCallout+0x8eb
     ffff8008`68e65640 fffff801`704d6e9c : ed82e955`72f121ab 00000000`00000008 ffff9a8f`13147cc0 fffff801`6a84b4c0 : NETIO!ArbitrateAndEnforce+0x599
     ffff8008`68e65770 fffff801`70a8bdc9 : ffff8008`68e65c04 ffff9a80`487cb700 00000000`00000001 ffff8008`68e65c20 : NETIO!KfdClassify+0x34c
     ffff8008`68e65b20 fffff801`70a33c79 : 00000000`00000000 00000000`00000000 ffff9a80`75a11ed8 00000000`00000005 : tcpip!WFPDatagramDataShimV4+0x47d
     ffff8008`68e65f60 fffff801`7098b39c : ffff9a8f`181bb180 ffff9a80`7488f820 00000000`00000000 00000000`00000001 : tcpip!ProcessALEForTransportPacket+0xac159
     ffff8008`68e66130 fffff801`709626ef : ffff9a80`0b1c0010 ffff9a8f`2ad232a0 ffff9a8f`2ad232a0 ffff9a8f`1a4758e8 : tcpip!WfpProcessOutTransportStackIndication+0x420
     ffff8008`68e66430 fffff801`709614cb : ffff8008`68e66a50 00000000`00000000 ffff8008`68e66a50 fffff801`70975e4d : tcpip!IppInspectLocalDatagramsOut+0x93f
     ffff8008`68e66730 fffff801`709755fa : 00000000`0000b900 00000000`00000006 fffff801`70b4ba10 ffff9a80`64919b30 : tcpip!IppSendDatagramsCommon+0x40b
     ffff8008`68e668d0 fffff801`709749a2 : 00000000`00000000 00000000`00000000 00000000`00000000 ffff9a80`75ad7b01 : tcpip!UdpSendMessagesOnPath+0x75a
     ffff8008`68e66d00 fffff801`709746a5 : ffff8008`68e671c0 ffff9a8f`131af910 ffff8008`68e671c0 ffff8008`68e67330 : tcpip!UdpSendMessages+0x2e2
     ffff8008`68e670b0 fffff801`6a75fc08 : 00000000`00000000 ffff9a80`75ad78e0 ffff9a80`00000000 ffff9a8f`31727690 : tcpip!UdpTlProviderSendMessagesCalloutRoutine+0x15
     ffff8008`68e670e0 fffff801`6a75fb7d : fffff801`70974690 ffff8008`68e671c0 00000000`00000000 00000000`000002ec : nt!KeExpandKernelStackAndCalloutInternal+0x78
     ffff8008`68e67150 fffff801`70945454 : 00000000`000002ec fffff801`715e4ba2 00000000`00000000 ffff9a80`00000080 : nt!KeExpandKernelStackAndCalloutEx+0x1d
     ffff8008`68e67190 fffff801`715db73b : 00000000`00000000 ffff8008`68e67a60 ffff9a80`2e099270 ffff8008`68e67a60 : tcpip!UdpTlProviderSendMessages+0x84
     ffff8008`68e67210 fffff801`715dafb4 : 0000657f`9b4a3fd8 00000000`00000000 00000000`00000000 00000000`00000000 : afd!AfdFastDatagramSend+0x71b
     ffff8008`68e67440 fffff801`6ab6b474 : 00000000`00000000 00000000`00000000 ffff9a8f`31727570 ffff9a8f`31727570 : afd!AfdFastIoDeviceControl+0x17e4
     ffff8008`68e677d0 fffff801`6ab6ad36 : 00000000`00000001 00000000`00000604 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x724
     ffff8008`68e67900 fffff801`6a828775 : 00000000`00000000 00000000`00000000 00000000`00000000 ffff9a8f`2ac9cde0 : nt!NtDeviceIoControlFile+0x56
     ffff8008`68e67970 00007ffd`be943834 : 00007ffd`bb364b64 00000000`00000000 000000e5`9e5ed9e0 000001fd`2ccb7800 : nt!KiSystemServiceCopyEnd+0x25
     000000e5`9e5ed738 00007ffd`bb364b64 : 00000000`00000000 000000e5`9e5ed9e0 000001fd`2ccb7800 00007ff7`3e71a07d : ntdll!NtDeviceIoControlFile+0x14
     000000e5`9e5ed740 00007ffd`bc752744 : 00000000`3cf3765d 00000000`00000000 00000000`00000000 00000000`fffffffb : MSWSOCK!WSPSendTo+0x2c4
     000000e5`9e5ed900 00007ff7`3c676bbd : 00000000`3cf3765d 000001fd`6382d9af 000001fd`2c97eff0 00000000`00001000 : WS2_32!sendto+0xf4
     000000e5`9e5ed9b0 00007ff7`3c676cc7 : 000001fd`2c97ee20 000001fd`2c97eff0 00000000`00000005 000000e5`9e5edef0 : TheCrew2!AK::WriteBytesMem::Clear+0x59d
     000000e5`9e5eda00 00007ff7`3c67384b : 00000000`00000000 000000e5`9e5edc40 00000000`00000000 000000e5`9e5edbb9 : TheCrew2!AK::WriteBytesMem::Clear+0x6a7
     000000e5`9e5edad0 00007ff7`3c6779c5 : ffffffff`ffffffff bf2413eb`42e27292 00000000`3f800000 00000000`00000000 : TheCrew2!+0xc384b
     000000e5`9e5edb00 00007ff7`3c677f85 : 000001fd`6382d3d0 000000e5`9e5edf40 000000e5`9e5ee000 3f800000`00000000 : TheCrew2!AK::WriteBytesMem::Clear+0x13a5
     000000e5`9e5edc20 00007ff7`3ce2587b : 00000000`00000bb9 000001fd`961798b0 000000e5`9e5ee240 00007ff7`3df9e535 : TheCrew2!AK::WriteBytesMem::Clear+0x1965
     000000e5`9e5ede10 00007ff7`3e2ec083 : 000001fd`961798b0 000001fd`3ff295f0 00000000`00000018 00000000`00000003 : TheCrew2!AK::MemoryMgr::SetMonitoring+0x864cb
     000000e5`9e5ee5f0 00007ff7`3e2de6fd : 000001fd`3ff295f0 000000e5`9e5ee770 000001fd`27ac3060 00000000`00000000 : TheCrew2!AK::MusicEngine::Term+0xdbd33
     000000e5`9e5ee640 00007ff7`3e2eb50d : 00007ff7`3f854830 00000000`00000000 00007ff7`3f854830 00007ff7`3f8704b8 : TheCrew2!AK::MusicEngine::Term+0xce3ad
     000000e5`9e5ee670 00007ff7`3c80184e : 000001fd`3ff295f0 00000000`00000000 00000000`00000000 00000000`00000000 : TheCrew2!AK::MusicEngine::Term+0xdb1bd
     000000e5`9e5eefd0 00007ff7`3d16ce26 : 00000000`00000000 000001fd`27ac3060 000001fd`010d7d90 00000000`00000000 : TheCrew2!AK::WriteBytesCount::Reserve+0x9943e
     000000e5`9e5ef000 00007ff7`3cbb0b76 : 000001fd`3ffbd000 000001fd`2c97e360 000001fd`2c980fd8 00000000`ffffffff : TheCrew2!AK::MemoryMgr::SetMonitoring+0x3cda76
     000000e5`9e5ef030 00007ff7`3c660eea : 000001fd`009a6e00 00007ff7`3e29451d 000001fd`009a6e18 00007ff7`3eb43cb9 : TheCrew2!AK::WriteBytesCount::Reserve+0x448766
     000000e5`9e5ef060 00007ff7`3c660eea : 00000000`00000000 000001fd`0118d958 000001fd`27abf838 00007ff7`3e2945bd : TheCrew2!+0xb0eea
     000000e5`9e5ef090 00007ff7`3d0533fd : 00000000`00000000 000001fd`00c947e8 4690ac00`47a6f300 00000000`42e20000 : TheCrew2!+0xb0eea
     000000e5`9e5ef0c0 00007ff7`3c660eea : 000001fd`76d3ef00 00000000`00000000 000001fd`3f7fd416 000001fd`3d15eb30 : TheCrew2!AK::MemoryMgr::SetMonitoring+0x2b404d
     000000e5`9e5ef0f0 00007ff7`3e247a6d : 000001fd`27ac2d20 000001fd`27ac2d98 000001fd`76d3eb40 000001fd`00094950 : TheCrew2!+0xb0eea
     000000e5`9e5ef120 00007ff7`3c660eea : 000001fd`00000438 80000000`00000780 00000000`00000000 00000000`00000000 : TheCrew2!AK::MusicEngine::Term+0x3771d
     000000e5`9e5ef200 00007ff7`3c660eea : 00000000`00000000 000001fd`40c10870 000000e5`9e5ee1d0 000001fd`76d3eb80 : TheCrew2!+0xb0eea
     000000e5`9e5ef230 00007ff7`3c660eea : 00000000`00000000 000001fd`00c918a8 000001fd`00c918a8 00000000`00000000 : TheCrew2!+0xb0eea
     000000e5`9e5ef260 00007ff7`3c660eea : 00000000`00000000 000001fd`40c10840 00000000`00000000 00000000`00000000 : TheCrew2!+0xb0eea
     000000e5`9e5ef290 00007ff7`3c660eea : 00000000`00000000 000001fd`00392b30 000000e5`9e5ef450 000001fd`76d3e5f0 : TheCrew2!+0xb0eea
     000000e5`9e5ef2c0 00007ff7`3c65f2f2 : 00000000`00000000 000001fd`76d3ef80 00000000`00000000 00000000`00000003 : TheCrew2!+0xb0eea
     000000e5`9e5ef2f0 00007ff7`3c660eea : 000001fd`6dac0000 00007ffd`be8c8c6a 000001fd`6dbc0000 00007ff7`00000000 : TheCrew2!+0xaf2f2
     000000e5`9e5ef320 00007ff7`3c660a55 : 000001fd`00030740 000001fe`127e33a0 000001fd`00000002 00007ff7`3c660a55 : TheCrew2!+0xb0eea
     000000e5`9e5ef350 00007ff7`3c65e865 : 000001fd`76d3ef80 00000000`00000000 00007ff7`3c660a40 000001fe`127df010 : TheCrew2!+0xb0a55
     000000e5`9e5ef380 00007ff7`3c661316 : 00000002`00000005 000001fd`00000000 00000000`00000000 00007ff7`3c65bb6b : TheCrew2!+0xae865
     000000e5`9e5ef460 00007ff7`3c659cc1 : 00007ffd`05a6f66d 00000000`00000000 00000000`05a6f66d 00000000`ffffffff : TheCrew2!+0xb1316
     000000e5`9e5ef500 00007ff7`3dcb7c53 : 00000000`0000000a 00007ff7`3dcb7cb1 00000000`00000000 00000000`00000000 : TheCrew2!+0xa9cc1
     000000e5`9e5efd30 00007ffd`bda454e0 : 00000000`00000000 00000000`00000000 00000000`00000000 00007ffd`6d420000 : TheCrew2!AK::WriteBytesMem::SetCount+0x5e603
     000000e5`9e5efd70 00007ffd`be8a485b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x10
     000000e5`9e5efda0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2b

     SYMBOL_NAME:  mwac+1afb7
     MODULE_NAME: mwac
     IMAGE_NAME:  mwac.sys
     STACK_COMMAND:  .cxr; .ecxr ; kb
     BUCKET_ID_FUNC_OFFSET:  1afb7
     FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_mwac!unknown_function
     OS_VERSION:  10.0.22000.1
     BUILDLAB_STR:  co_release
     OSPLATFORM_TYPE:  x64
     OSNAME:  Windows 10
     FAILURE_ID_HASH:  {b7ff9ef7-2db3-57c8-afc6-0256eccfd112}
     Followup:     MachineOwner
     ---------

     Attachments: 020422-18046-01.dmp, mbst-grab-results.zip
  13. Today's scan revealed that the file IEexec.exe and the registry value associated with it are supposedly malware.

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 4/10/21
     Scan Time: 12:59 PM
     Log File: 3451d0cc-9a37-11eb-b453-00d86104a727.json

     -Software Information-
     Version: 4.3.0.98
     Components Version: 1.0.1173
     Update Package Version: 1.0.38019
     License: Premium

     -System Information-
     OS: Windows 10 (Build 19042.867)
     CPU: x64
     File System: NTFS
     User: System

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Scheduler
     Result: Completed
     Objects Scanned: 454812
     Threats Detected: 2
     Threats Quarantined: 0
     Time Elapsed: 44 min, 16 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 0
     (No malicious items detected)

     Registry Value: 1
     Malware.AI.1525378349, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\IEEXEC.EXE, No Action By User, 1000000, 0, , , , , ,

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 0
     (No malicious items detected)

     File: 1
     Malware.AI.1525378349, C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\IEEXEC.EXE, No Action By User, 1000000, 0, 1.0.38019, B3A6A93134F58BCB5AEB6D2D, dds, 01194508, 2A6EFFF1EFE42D279D74851EDDE33872, 30635C8AD04D3ADE4AF47B54E761C81CEE59CA0022E9462F5C1FA0D87D48D10D

     Physical Sector: 0
     (No malicious items detected)

     WMI: 0
     (No malicious items detected)

     (end)

     I have already checked my system, and the files are properly signed and are official Microsoft files belonging to Microsoft .NET. This appears to be yet another false detection by the Malwarebytes detection AI.
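The check the poster describes in the last post (confirming that a flagged file is a genuinely Microsoft-signed binary before calling the detection a false positive), written out as an added PowerShell example. This is not the poster's code and not a Malwarebytes tool; the file path and the SHA256 value are taken from the scan log quoted above, and the function name Test-FlaggedFile is an assumption of this example. It uses only built-in cmdlets (Get-FileHash, Get-AuthenticodeSignature, Get-Item).

```powershell
# Added example, not from the forum post: verify a file an AV scan flagged.
# Two independent signals are compared:
#   1. the SHA256 on disk equals the hash the scanner reported (same file was examined)
#   2. the Authenticode signature is valid and the signer subject is Microsoft
# Only when both hold is "signed Microsoft file, likely false positive" a sound conclusion.
function Test-FlaggedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ReportedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Signal 1: does the on-disk hash match what the scanner logged?
    $actualHash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashMatches = $actualHash -ieq $ReportedSha256

    # Signal 2: signature status. On current Windows builds this cmdlet also
    # consults the signing catalogs, so catalog-signed OS files report 'Valid'.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($null -ne $signer) -and
                         ($signer.Subject -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        File              = $Path
        ReportedSha256    = $ReportedSha256
        ActualSha256      = $actualHash
        HashMatchesReport = $hashMatches
        SignatureStatus   = $sig.Status
        Signer            = if ($signer) { $signer.Subject } else { $null }
        SignedByMicrosoft = $signedByMicrosoft
        FileVersion       = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        LikelyFalsePositive = $hashMatches -and $signedByMicrosoft
    }
}

# Values copied from the scan log in the post above (path and SHA256 of the flagged file).
Test-FlaggedFile `
    -Path 'C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExec.exe' `
    -ReportedSha256 '30635C8AD04D3ADE4AF47B54E761C81CEE59CA0022E9462F5C1FA0D87D48D10D' |
    Format-List
```

Read the output as follows: HashMatchesReport false means the scanner examined a different file than the one now on disk (the file changed after the scan), so the signature result says nothing about what was flagged; SignatureStatus other than Valid (for example NotSigned or HashMismatch) means the file should not be dismissed as a false positive regardless of its name or location. When both checks pass, the sensible next step is the one the thread takes: report the detection to the vendor as a false positive rather than deleting the file.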