BobSoul

Honorary Members
  • Posts

    145
Posts posted by BobSoul

  1. Hello -

     

    I am guessing the following is a false detection

     

    Malware.AI.36671320 Module Malware Quarantined C:\XAMPP\PHP\LIBPQ.DLL

    Malware.AI.36671320 Module Malware Quarantined C:\XAMPP\PHP\LIBPQ.DLL

    Malware.AI.36671320 File Malware Quarantined C:\XAMPP\PHP\LIBPQ.DLL

     

    This version of XAMPP has been installed for a year or more; just the last scan flagged it, previous nights didn't.

     

     

    Malwarebytes Diagnostics.zip

  2. Thank you - and the inconvenience was no big deal - I just don't want to see others that don't understand how this works etc to have to worry -- I use Malwarebytes exclusively at home and at all my locations at work. You guys are great :)

     

  3. I just wanted to add a few more pieces of info that may be helpful to the research team. If you go to discover.com (works fine, no block), then choose home loans - home equity (takes you here) https://www.discover.com/home-equity-loans/?sc=HC515&ICMPGN=PUB_HNAV_LOANS_DHL then select login at the top and choose my loan has been funded (it takes you to the blocked portion of Discover). If you choose my application is in process, it takes you here https://homeloans.discover.com/accountcenter/ no block. The next link for the application process is https://dmimtg.com/UserLogin.aspx?Conn=T85{37843404-4237-4EC7-8451-0C682794D6D4} which doesn't get blocked. It's only the link for logging in to my loan is funded, which takes you to https://discoverhomeloans.mtgsvc.com/Account/UserLogin?conn=085{0a6e118f-71b2-4e0f-80d6-dc28680a6e60} so from what I have gathered it's got to be something with their redirects and which systems they are directing you to, maybe site certs or something ... I just wanted to give a detailed view of the site and how it's a legit site (discover.com and their various services). If you go to the main page at discover.com, select login, log in, choose home loan, it takes you to this https://discoverhomeloans.mtgsvc.com/Account/UserLogin?conn=085{0a6e118f-71b2-4e0f-80d6-dc28680a6e60} and it doesn't get blocked -- so the redirects or direct linking gets blocked.

  4. Just noticed something that may be helpful -- it seems to be specific to Chrome -- Edge doesn't block it, only the Chrome Browser Guard does -- (I did clean out cache etc. and did scans etc. to make sure Chrome was clean)

     

  5. Thanks - the something fishy may be on their end. Like I said, I use this every month and logging in everything is up to snuff etc. as far as the account. I did call Discover and they have said they are looking into why this is being detected, since the address etc. is the same one for years and same bookmark as before etc.

     

  6. That's what I did for now -- just a bit annoying, and I do know it's a valid company, Discover, and that the loan does get paid etc. from this site; it may be something in their setup. I have Emsisoft as well on another PC and it doesn't block this site. Nor does their browser guard.

  7. The website is Discover Home Loans; this is the company phone: 1-855-295-2193

    Once I click go to it, Browser Guard says it's fine after. Unless it's something with their site certificate and redirect - from www.discover.com/helogin; in my original I accidentally had HE capitalized. It is not down for me when I access it.

     

     

  8. I can access it and it works fine if I allow in exceptions and click go to anyways ... I have used this mortgage company ( Discover card ) for years and this is recently happening. This would be the full url once the page loads

     

    https://discoverhomeloans.mtgsvc.com/Account/UserLogin?conn=085{0a6e118f-71b2-4e0f-80d6-dc28680a6e60}

    Once again, it's Discover Card's home equity loans website. Unsure why you cannot access it unless it's region specific.

     

     

  9. Not sure if I post here or in False Positives, because both the Browser Guard plug-in and Malwarebytes Web Protection as of just today think the website is a phishing site or a malware site. It is neither, since it's Discover's home mortgage site for paying your mortgage from Discover.

    discoverhomeloans.mtgsvc.com

     

    The other way to get to the site is which directs you to the above site. I had to turn off the protection and such just to make my monthly payment, and it is the same site etc. I go to each month. Called Discover and they are aware this is happening.

     

    www.discover.com/HElogin

     

  10. One machine last night came up with this positive detection. The IETABHELPER is an old Chrome add-on. The first one not sure about, but assume it's part of the same package. I haven't restored the c:\windows\installer file as of yet, just in case, since this machine basically only does network copies of files and nothing else.

     

     

    Malware.AI.3495686957 File Malware Quarantined C:\WINDOWS\INSTALLER\4D9A029D.MSI
    Malware.AI.3495686957 File Malware Quarantined C:\USERS\ADMIN\DOWNLOADS\IETABHELPER.MSI
    Malware.AI.3495686957 File Malware Quarantined C:\USERS\ADMIN\DOWNLOADS\IETABHELPER (1).MSI