AlexLeadingEdge

Everything posted by AlexLeadingEdge

  1. The website is: www.soyang.net (173.255.213.202:80) Interestingly it is blocked on some machines but not on others. Soyang is a supplier for one of our clients. The block page claims the website "may contain a trojan". Can you please confirm this, and if nothing is found, please whitelist.
  2. All the download options say that it is the "lightweight version", but there is no full installer. What if I need the full installer? https://i.postimg.cc/8CVWSRvR/Malwarebytes-Lightweight01.jpg
  3. Just had another hit. Same software, different version, also flagged as a trojan: https://www.virustotal.com/gui/file/dcdbc648dcbf6be3f3328fdc9a899aa77195dd89c7b6a768dc7d9096a53c08ae/detection RPM_DataExtract.zip
  4. Thanks cli. How do you determine if a file is good (or not)?
  5. Hi guys, Just had one of the data extraction elements of RPM quarantined, and the registry key associated with it.
      Malware.AI.1361592252 Reg, Value Malware Quarantined HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|C:\RPM\BIN\RPM_DATAEXTRACT.EXE
      Malware.AI.1361592252 File Malware Quarantined C:\RPM\BIN\RPM_DATAEXTRACT.EXE
      Running it through VirusTotal there are 6 out of 69 vendors that flag it as a trojan, but it has been sitting on this machine for 13 years (2008) so I believe it is most likely a false positive. https://www.virustotal.com/gui/file/7ef5fe6d8555252f6677c420b94da27d566b64f786b773ebcd58e8f3c4f856ab/detection RPM_DataExtract.zip
  6. Ok. I don't know what to say to that. Perhaps someone else reported it over the weekend?
  7. Same problem again today. The bottom one is whitelisted ("Exclusions") and yet it has been quarantined. The other one is RdpGuard, a security program we use to block IPs after several failed RDP attempts.
      Malware.AI.2838036267 Reg, Key Malware Quarantined HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RdpGuard_is1
      Malware.AI.2838036267 File Malware Quarantined C:\PROGRAM FILES (X86)\RDPGUARD\UNINS000.EXE
      Malware.AI.2838036267 Reg, Key Malware Quarantined HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F88FE7C0-2B64-405B-9197-25F8BE135460}_is1
      Malware.AI.2838036267 File Malware Quarantined C:\PROGRAM FILES\ADVANCED MONITORING AGENT NETWORK MANAGEMENT\UNINS000.EXE
      Two are Registry entries, attached are the two uninstallers. unins000_SolarWinds_Advanced_Monitoring_Agent.zip unins000_RdpGuard.zip
  8. Cheers Cli, I have PM'd you the logs. I see the machine is on our repair bench, which probably means Malwarebytes was re-installed sometime in the last four days, but I see no emails notifying me of a new install so I can't be certain.
  9. Hi Cli, This detection has come back, same detection name: Malware.AI.1301800893 We even Whitelisted the whole folder it was in, so I don't know why it could have Quarantined it:
  10. Depends on the size of the business and the management software used. Without central management many computers will update themselves at any given day, which may result in dozens of different versions of the same software across a network. Computers that are offline or not on the network cannot be updated, so they have a different version from the majority. We use SolarWinds RMM to control Windows Updates, and PDQ to try and standardise the versions of programs, but there is only so much that you can do. If you look at the likes of Teamviewer, there are literally hundreds (thousands?) of versions, going from version 1 to version 15, with small build changes in each major version, which means different files, different MD5 hashes.
  11. Interesting, I didn't know that. Unfortunately it still requires releasing potentially infected files back into the wild just to get the MD5.
  12. I find I have to release the file out of quarantine and then upload it to VirusTotal.com, which gives me the MD5 hash, which I then can use in the Exclusions section of Malwarebytes OneView. If it is on a domain I can access the computer over the network without annoying the end users. It is a long-winded approach but seems to work, but as mentioned above, the MD5 hash only works against Exploit Protection, not all the other components. I have pretty much given up on using MD5 hashes as half the time it will still pick up the file, so I open a forum thread here under False Positives and upload the quarantined file.
  13. Cheers. How do you know if it is infected or not?
  14. Software used to monitor the UPS for power failures. VirusTotal flags it twice but I believe it is a false positive. File is attached, password is 'infected'. https://www.virustotal.com/gui/file/6f2f3affa35c13bd3852adf12c2655cf04756f03c97ad0747f92e999a9142576/detection Malware.AI.2068222834 File Malware Quarantined C:\PROGRAM FILES (X86)\UPSMONPRO\SCAPOWERREG.EXE SCAPowerReg.zip
  15. I believe this is a false positive as it is part of our SolarWinds Antivirus package (BitDefender and LanGuard). VirusTotal says there are no hits. File is attached, the password is 'infected'. https://www.virustotal.com/gui/file/69e4de45eb900381c0bb085497393f3b0ea35607f46f77436f17a23ff1b82471/detection Malware.AI.1301800893 Malware File C:\PROGRAM FILES (X86)\ADVANCED MONITORING AGENT\ASSETSCAN.EXE assetscan.zip
  16. Hi guys, We have an accountant who has lost the uninstall file for a program called BankLink. BankLink has recently been bought by MYOB, a large accounting software firm in Australasia. Details as follows... Malware.AI.4214841433 File Malware Quarantined C:\BK5\UNINS000.EXE MD5: 3ebba8c2e66a5cb61d45e2101375dd6f https://www.virustotal.com/gui/file/e88d8112447beb30652d1e6da310dc51113b5cfa1f9248bf7d2c4e00daf7c287/detection File is attached, password is 'infected'. unins000.zip
  17. Password is 'infected'. Soda_PDF_7_Installer.zip
  18. Got this today, can someone please check if this is a false positive? Name Type Category Status Path Malware.AI.3861356229 File Malware Quarantined C:\USERS\ADMIN\DOWNLOADS\SODA_PDF_7_INSTALLER.EXE
  19. I would like to second the request for an "unquarantine and whitelist" option. Trying to find out what the MD5 is (not that MD5 seems to always work) or to create a wildcard file location in the whitelist options is tedious.
  20. I'm not sure what is going on but these files keep coming back each day. I ran ADWCleaner and it found files that Malwarebytes didn't. From the location we initially thought it was due to the client using their personal Gmail account to sync with their work Chrome account, but after removing all the Chrome Extensions and then turning off the sync the issue remains, the same files are picked up and quarantined every day. Interestingly, when running two scans one after the other, the first scan finds the files and quarantines them, and the second scan doesn't find anything. The next day they are back. Any ideas how to kill it off for good? (assuming it isn't a false positive). Note that I have replaced the username of the individual with USERNAME.
      PUP.Optional.SweetPage Folder PUP Quarantined C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB
      PUP.Optional.SweetPage File PUP Quarantined C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data
      PUP.Optional.SweetPage Folder PUP Quarantined C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB
      PUP.Optional.SweetPage File PUP Quarantined C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001
      PUP.Optional.SweetPage File PUP Quarantined C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
      PUP.Optional.SweetPage File PUP Quarantined C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK
      PUP.Optional.SweetPage File PUP Quarantined C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT
      PUP.Optional.SweetPage File PUP Quarantined C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000011.ldb
      PUP.Optional.SweetPage File PUP Quarantined C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000010.log
      PUP.Optional.SweetPage File PUP Quarantined C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.ldb
      PUP.Optional.SweetPage File PUP Quarantined C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.ldb
      PUP.Optional.SweetPage File PUP Quarantined C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb
      PUP.Optional.SweetPage File PUP Quarantined C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data
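A small triage helper for the run-together detection records pasted in posts 5, 7 and 20 above (an added example, not code from the forum or from Malwarebytes): it splits the `Name Type Category Status Path` records apart, separates the key and value of a `Reg, Value` entry on the `|`, and reports which file or folder paths fall outside a given exclusion folder, which is the check behind the "whitelisted and yet quarantined" complaint. The sample records are constructed from the layouts shown in the posts, and `parse_detections`, `group_by_name` and `outside_exclusions` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample in the Name Type Category Status Path layout, run together
# on one line exactly as the records appear when pasted into a post.
SAMPLE = (
    r"Malware.AI.2838036267 Reg, Key Malware Quarantined "
    r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RdpGuard_is1 "
    r"Malware.AI.2838036267 File Malware Quarantined "
    r"C:\PROGRAM FILES (X86)\RDPGUARD\UNINS000.EXE "
    r"Malware.AI.1361592252 Reg, Value Malware Quarantined "
    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|C:\RPM\BIN\RPM_DATAEXTRACT.EXE "
    r"PUP.Optional.SweetPage Folder PUP Quarantined "
    r"C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB"
)

# Detection names seen on this page: Malware.AI.<digits> and PUP.Optional.<word>.
NAME = r"(?:Malware\.AI\.\d+|PUP\.Optional\.[A-Za-z0-9_]+)"
RECORD = re.compile(
    rf"(?P<name>{NAME})\s+"
    r"(?P<type>File|Folder|Reg, Key|Reg, Value)\s+"
    r"(?P<category>Malware|PUP)\s+"
    r"(?P<status>Quarantined)\s+"
    # Paths contain spaces, so the path runs until the next detection name or the end.
    rf"(?P<path>.+?)(?=\s+{NAME}\s|\s*$)"
)

def parse_detections(text):
    """Split pasted detection text into dicts; Reg, Value paths get key/value fields."""
    records = []
    for m in RECORD.finditer(text):
        rec = m.groupdict()
        if rec["type"] == "Reg, Value" and "|" in rec["path"]:
            rec["key"], rec["value"] = rec["path"].split("|", 1)
        records.append(rec)
    return records

def group_by_name(records):
    """Map each detection name to the list of paths it hit (same-name hits share a verdict)."""
    groups = defaultdict(list)
    for r in records:
        groups[r["name"]].append(r["path"])
    return dict(groups)

def outside_exclusions(records, excluded_dirs):
    """File/Folder records not under any excluded directory (Windows paths are case-insensitive)."""
    prefixes = [d.rstrip("\\").upper() for d in excluded_dirs]
    kept = []
    for r in records:
        if r["type"] not in ("File", "Folder"):
            continue  # registry hits are not covered by a folder exclusion
        p = r["path"].upper()
        if not any(p == d or p.startswith(d + "\\") for d in prefixes):
            kept.append(r)
    return kept
```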
  21. I released it, scanned the computer again and the file was picked up again.
  22. Hi guys, Just a quick update, the latest version is 3.5.2 and all their machines are on that version, so it looks like it is a leftover install file of no importance to the client.
  23. Hi guys, We are seeing C:\USERS\REDACTED\APPDATA\LOCAL\DOWNLOADED INSTALLATIONS\{ECF6FE39-A8B0-411B-83AC-75A17875FE6F}\RSERV34.MSI It is a remote access tool that our client uses to access all the point of sale machines. This is a tough one, given it could probably be abused, but so could other remote access tools such as TeamViewer, and TeamViewer isn't detected as malware. Can an admin please let me know who wants to take a look at this and I will upload log files to that person.