Haydn54 Posted March 5, 2016 ID:1023343 Share Posted March 5, 2016 Hi seeing Malwarebytes pop ups blocking this nothing in the logs, suspect a false positive but cant be sureany info gratefully received Link to post Share on other sites More sharing options...
Staff shadowwar Posted March 5, 2016 Staff ID:1023365 Share Posted March 5, 2016 Need more info. Hard to determine without file or logs. Thanks. Link to post Share on other sites More sharing options...
pluto71 Posted November 21, 2016 ID:1073787 Share Posted November 21, 2016 Here's excerpts from my logs of today & yesterday, have been experiencing frequent pop up notifications about what I think looks very similar. Malwarebytes Anti-Malware www.malwarebytes.org Scan, 21/11/2016 02:40, SYSTEM, ROBERT-PC, Context, Start:21/11/2016 02:35, Duration:4 min 47 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections, Detection, 21/11/2016 04:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 6048, Outbound, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Detection, 21/11/2016 04:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 6048, Outbound, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Protection, 21/11/2016 20:34, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Started, Detection, 21/11/2016 20:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 7863, Outbound, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Detection, 21/11/2016 20:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 7863, Outbound, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Detection, 21/11/2016 20:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 7866, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Detection, 21/11/2016 20:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 7867, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Detection, 21/11/2016 20:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 7869, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Detection, 21/11/2016 20:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 7870, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Detection, 21/11/2016 20:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 7875, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, (end) Malwarebytes Anti-Malware www.malwarebytes.org Detection, 20/11/2016 20:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 3808, Outbound, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Detection, 20/11/2016 20:46, SYSTEM, ROBERT-PC, Protection, Malicious Website Protection, Domain, 0.0.0.0, tablezip.info, 3808, Outbound, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, (end) Link to post Share on other sites More sharing options...
pluto71 Posted November 21, 2016 ID:1073792 Share Posted November 21, 2016 After some rummaging around on the internet this looks to be adware/malware that uses powershell to execute, which ties up with what my logs show above. https://www.cybereason.com/the-dawn-of-sophisticated-powershell-adware-campaigns/ "One particularly persistent adware attack piqued our interest around March. This attack leverages PowerShell, a Windows scripting language, to execute commands and remain persistent on the host machines. Along with creating hourly scheduled tasks, the adware also has the potential to download additional malicious code and direct the user to compromised websites. The IOCs from our samples include the following hosts and IPs: • Beautyfile[.]info • sunlongo[.]info • finhoome[.]info • contexfix[.]info • customsky[.]net • easypop[.]info • unitdata[.]info • fliparray[.]info • secureb[.]info• tablezip[.]info • forallshop[.]info • macrosoftman[.]info • openyes[.]info • secureb[.]info • forallshop[.]info. • 37.48.119.38 • 50.63.202.63 • 146.112.61.107 • 185.17.184.6 • 185.17.184.10 • 185.17.184.11. Link to post Share on other sites More sharing options...
johnburgess Posted December 15, 2016 ID:1080839 Share Posted December 15, 2016 Following Link to post Share on other sites More sharing options...
MysteryFCM Posted December 16, 2016 ID:1081030 Share Posted December 16, 2016 This is not an F/P (it belongs to DNSUnlocker) Link to post Share on other sites More sharing options...
Recommended Posts