Spyware.Pony


sflater

Pretty confident this is a false positive, but want to confirm with MB. Thank you.

Malwarebytes Management Server Notification

--------------------------------------------

 

Alert Time: 10/25/2017 6:53:03 PM

Server Hostname: MBAMSERVER

Server Domain/Workgroup: bk.com

Server IP: 10.230.3.116

Notification Catalog: Client

Description:

Malware threat detected, see details below:

 

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{F7E1C96B-781E-11D2-AAB7-00C04FAE2D4C}

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\CLASSES\INetRepl.ReplInet.1

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\CLASSES\INetRepl.ReplInet

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\WOW6432NODE\CLASSES\INetRepl.ReplInet

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\CLASSES\WOW6432NODE\INetRepl.ReplInet

10/25/2017 6:51:09 PM DESK128               10.230.3.128        Spyware.Pony   Quarantined                HKLM\SOFTWARE\WOW6432NODE\CLASSES\INetRepl.ReplInet.1

10/25/2017 6:51:09 PM DESK128               10.230.3.128        Spyware.Pony   Quarantined                HKLM\SOFTWARE\CLASSES\WOW6432NODE\INetRepl.ReplInet.1

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F7E1C96B-781E-11D2-AAB7-00C04FAE2D4C}

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                C:\Windows\Installer\2d8b1c.msi

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                C:\Windows\System32\DriverStore\FileRepository\wcerndis.inf_amd64_7f46c8a40bd97188\wmupdate.msi

10/25/2017 6:51:09 PM DESK128               10.230.3.128        Spyware.Pony   Quarantined                C:\Windows\System32\DriverStore\FileRepository\wceusbsh.inf_amd64_ed7e79d05f4c4512\wmupdate.msi

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                C:\Windows\WindowsMobile\INetRepl.dll

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                C:\Windows\WindowsMobile\wmupdate.msi

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                C:\Windows\WindowsMobile\Drivers\Bluetooth\wmupdate.msi

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                C:\Windows\WindowsMobile\Drivers\RNDIS\wmupdate.msi

10/25/2017 6:51:09 PM DESK128               10.230.3.128        Spyware.Pony   Quarantined                C:\Windows\WindowsMobile\Drivers\Serial\wmupdate.msi

 

Total count: 18.

 

--------------------------------------------

Comment: This email was generated by Malwarebytes Management Server. Please do not reply to this message.

 

  • Staff

Hi,

This would require changing the permissions of the DriverStore\FileRepository folder. But it's OK if these files are deleted, as they are just a copy of earlier installs.

Here's some info about that folder, including (further down) how to change the permissions on it: https://www.techcrises.com/windows-10/clean-filerepository-folder-in-driverstore/

Once permissions are changed, you should be able to unquarantine the above as well, but honestly, for the above 3, it's not really worth tampering with permissions.
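When a Management Server notification like the one above arrives, the first triage question is what kind of artifacts were hit (registry class registrations vs. files), whether the same file name recurs across many locations, and which quarantined files live under DriverStore\FileRepository, where restoring them means changing folder permissions as the staff reply describes. The parser below is an added example, not code from this thread or from Malwarebytes; it assumes the whitespace-separated column layout shown in the notification (timestamp, host, IPv4, threat, action, artifact) and runs over a constructed excerpt of the thread's own detection lines with a matching constructed total.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One detection line of the notification, as laid out in the thread:
# <date time AM/PM> <host> <ipv4> <threat> <action> <registry key or file path>
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<host>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<threat>\S+)\s+(?P<action>\S+)\s+(?P<artifact>\S.*?)\s*$"
)

REGISTRY_HIVES = {"HKLM", "HKCU", "HKCR", "HKU"}


@dataclass(frozen=True)
class Detection:
    time: str
    host: str
    ip: str
    threat: str
    action: str
    artifact: str

    @property
    def kind(self) -> str:
        """'registry' when the artifact starts with a hive name, else 'file'."""
        head = self.artifact.split("\\", 1)[0].upper()
        return "registry" if head in REGISTRY_HIVES else "file"

    @property
    def in_driverstore(self) -> bool:
        """True for copies held under DriverStore/FileRepository (ACL-protected)."""
        return "\\DRIVERSTORE\\FILEREPOSITORY\\" in self.artifact.upper()


def parse_notification(text: str) -> list[Detection]:
    """Return every line that matches the detection layout; header lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(**m.groupdict()))
    return found


def total_matches(text: str) -> bool:
    """Cross-check the 'Total count: N.' trailer against the lines actually parsed."""
    m = re.search(r"Total count:\s*(\d+)", text)
    return m is not None and int(m.group(1)) == len(parse_notification(text))


def triage(dets: list[Detection]) -> dict:
    """Summarise artifact kinds, DriverStore copies and file names seen in several places."""
    kinds = Counter(d.kind for d in dets)
    basenames = Counter(
        d.artifact.rsplit("\\", 1)[-1].lower() for d in dets if d.kind == "file"
    )
    return {
        "hosts": sorted({d.host for d in dets}),
        "threats": sorted({d.threat for d in dets}),
        "kinds": dict(kinds),
        "driverstore": [d.artifact for d in dets if d.in_driverstore],
        "repeated_files": {name: n for name, n in basenames.items() if n > 1},
    }


# Constructed excerpt: eight of the thread's detection lines plus a total that matches them.
SAMPLE = r"""
Malware threat detected, see details below:

10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}
10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\CLASSES\INetRepl.ReplInet.1
10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\CLASSES\INetRepl.ReplInet
10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F7E1C96B-781E-11D2-AAB7-00C04FAE2D4C}
10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                C:\Windows\System32\DriverStore\FileRepository\wcerndis.inf_amd64_7f46c8a40bd97188\wmupdate.msi
10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                C:\Windows\System32\DriverStore\FileRepository\wceusbsh.inf_amd64_ed7e79d05f4c4512\wmupdate.msi
10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                C:\Windows\WindowsMobile\INetRepl.dll
10/25/2017 6:51:09 PM DESK128               10.230.3.128         Spyware.Pony   Quarantined                C:\Windows\WindowsMobile\wmupdate.msi

Total count: 8.
"""

if __name__ == "__main__":
    detections = parse_notification(SAMPLE)
    print("total trailer consistent:", total_matches(SAMPLE))
    for key, value in triage(detections).items():
        print(f"{key}: {value}")
```

The summary makes the shape of the event visible at a glance: a single host, a single threat name, a split between class/CLSID registrations and files, one file name repeated across several install locations, and exactly which of the quarantined files sit in the ACL-protected driver store. That is the information needed before deciding whether to restore anything or simply leave the quarantine in place, as the staff reply recommends.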

 
