Muraly Posted May 31, 2016 ID:1042887 Share Posted May 31, 2016 Hello Guys, I'm receiving pop up message as shown below in my windows server 2012 machine. Logs : Detection, 5/31/2016 8:09 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 208.100.26.234, ns2.honeybot.us, 64571, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 8:10 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 94.242.206.221, 65180, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 8:10 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 94.242.206.221, 63706, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 8:10 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 94.242.206.36, 65180, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 8:10 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 94.242.206.36, 64807, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 8:10 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 94.242.206.36, 63706, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 8:11 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 94.242.206.221, 64807, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:04 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 148.81.111.111, sinkhole.cert.pl, 63902, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:04 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 148.81.111.111, sinkhole.cert.pl, 63902, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:05 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 148.81.111.111, sinkhole.cert.pl, 63306, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:13 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 122.228.198.140, 49287, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:25 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, Domain, 89.145.103.61, ns2.gwesystems.com, 64752, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:25 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, Domain, 89.145.103.61, ns2.gwesystems.com, 64752, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:25 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, Domain, 89.145.103.61, ns2.gwesystems.com, 63713, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:29 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 122.228.198.140, 65177, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:45 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 122.228.198.140, 65089, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:47 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 122.228.198.140, 64221, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 9:47 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 122.228.198.140, 64019, Outbound, C:\Windows\System32\dns.exe, Update, 5/31/2016 9:51 AM, SYSTEM, PKSHQINF01, Scheduler, IP Database, 2016.5.27.3, 2016.5.30.1, Update, 5/31/2016 9:51 AM, SYSTEM, PKSHQINF01, Scheduler, Domain Database, 2016.5.29.1, 2016.5.30.3, Update, 5/31/2016 9:51 AM, SYSTEM, PKSHQINF01, Scheduler, Malware Database, 2016.5.30.4, 2016.5.30.7, Protection, 5/31/2016 9:51 AM, SYSTEM, PKSHQINF01, Protection, Refresh, Starting, Protection, 5/31/2016 9:51 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, Stopping, Protection, 5/31/2016 9:52 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, Stopped, Protection, 5/31/2016 9:52 AM, SYSTEM, PKSHQINF01, Protection, Refresh, Success, Protection, 5/31/2016 9:52 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, Started, Detection, 5/31/2016 9:56 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 80.77.81.89, 64421, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 10:03 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 109.163.226.148, 64209, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 10:04 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 148.81.111.111, sinkhole.cert.pl, 64135, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 10:05 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 148.81.111.111, sinkhole.cert.pl, 63241, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 10:09 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 122.228.198.140, 64386, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 10:09 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 122.228.198.140, 63591, Outbound, C:\Windows\System32\dns.exe, Detection, 5/31/2016 10:11 AM, SYSTEM, PKSHQINF01, Protection, Malicious Website Protection, IP, 122.228.198.140, 63450, Outbound, C:\Windows\System32\dns.exe, How do i solve this issue ? Please assist, Rgds, Muraly 30 May Daily Protection Logs.txt 31 May Daily Protection Logs.txt Link to post Share on other sites More sharing options...
daledoc1 Posted May 31, 2016 ID:1042945 Share Posted May 31, 2016 Hello and welcome: Until a Malwarebytes staff member spots your post.... It looks as if MBAM is doing its job. If you think that the IP blocks may be a False Positive, then I suggest starting with the advice HERE and then reporting the issue in the Website F/P section HERE. The team will evaluate the information and advise you. If you think you might be infected (as seems likely), then I suggest starting with the advice here: Available Assistance for Possibly Infected Computers It explains the options for free, expert help >>AND<< the preliminary steps to expedite the process. A trained helper will guide you through scanning and cleanup. Thanks, P.S. MBAM Consumer is not designed or supported to run under Windows Server. Once you get cleaned up, you might want to contact the Business Help Desk for assistance migrating to MBAM for Business. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 1, 2016 Root Admin ID:1043143 Share Posted June 1, 2016 (edited) I will go ahead and move your topic into the FP section. Thank you Edited June 1, 2016 by AdvancedSetup Link to post Share on other sites More sharing options...
MysteryFCM Posted June 5, 2016 ID:1043871 Share Posted June 5, 2016 Sorry for missing your post. These are not F/P's. The IPs have been blocked due to their use as Locky C&Cs. Link to post Share on other sites More sharing options...
Recommended Posts