Jump to content

Cleaned computers still flagged as malware


Recommended Posts

Hello MWB Specialists, 

I work at a university and we had several machines get infected with malware that broadcast over port 1900. Our main campus IT quarantined and removed the malware and rebuilt the 3 machine infected, but MWB 3.0 is now giving us "Website Blocked" popups whenever these machines transmit over the UPnP port. 

My boss and the senior faculty are all using MWB 3, so they're seeing these popups at a rate of 5 or more an hour. I've confirmed the machines are no longer infected, so is there any way to stop MWB from showing these false positive popups? 

****The forum spam protection will not let me post a line from my logs. If you'd like to see any log files, let me know and I'll attach them.

Thank you in advance.




Link to post
Share on other sites

  • Root Admin

Hello @peb2 and :welcome:

Sorry for the blocking, but due to very high spam content we've had to lock things down a bit to slow it down. I've removed the block for you, so you shouldn't have anymore trouble posting or uploading logs.


Please run the following steps and post back the logs as an attachment when ready.


  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.


Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.


RESTART THE COMPUTER Before running Step 3

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.





Link to post
Share on other sites


Thank you. Attached are the export summary and service log from my machine. 

This is a line from the service log that shows the false positive:

09/20/18    " 14:37:49.471"    80541625    10f4    6c58    INFO    MWACControllerCOM    CMWACController::WebsiteBlockedNotificationCallback    "MWACController.cpp"    1130    "Malicious Website Protection, ipBlockList, <IP REMOVED>, , 1900, Inbound, C:\Windows\System32\svchost.exe"

I'll have to run the Farbar Recovery Scan Tool at COB and upload the results tomorrow.

Thank you,




Link to post
Share on other sites

Export Summary:


-Log Details-
Scan Date: 9/20/18
Scan Time: 2:07 AM
Log File: 6411546c-bc9b-11e8-a533-f832e4728544.json

-Software Information-
Components Version: 1.0.441
Update Package Version: 1.0.6923
License: Premium

-System Information-
OS: Windows 10 (Build 17134.285)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 397047
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 8 min, 52 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


Link to post
Share on other sites

  • Root Admin

I would not call that a FP

It is blocking at least one of your systems due to the Emotet threat.

Blocked for Trojan.Emotet on 2018-09-04 02:39:45

I will discuss with our internal team to have them review the IP again.

If you like I can assist you via Private Messenger as redacting logs makes it difficult to assist you.




Edited by AdvancedSetup
Link to post
Share on other sites


There was a malware outbreak initially, but it was cleaned by our information security office. Here's their response:


We did deal with a malware outbreak on these machines along with a few others belonging to the affected department.  The machines were rebuilt late Tuesday afternoon and returned to service on Wednesday (9/12). We believe the outbreak started on 8/31.

The packets that MalwareBytes is detecting are Universal Plug and Play  (UPnP) multicast to UDP 1900.  However, our logs show that these machines have been sending the multicast packets long before the malware outbreak.  Which leads us to speculate that the UPnP traffic is coincidental and not caused by the malware. The malware was communicating with a specific command and control IP that we used to track the outbreak.

We took XXX.X.XX.XX offline this afternoon after your last email and we're forensically examining it.  So far we haven't been able to locate any of the malware that was present prior to the rebuild and our logs are not showing the command and control communication or any other signs of the malicious behavior that we observed prior to the rebuild.


So I noticed MWB blocking the inital infection, but the problem I'm having is that post-rebuild (after 9/12) these same machines are transmitting standard UPnP traffic (over port 1900) which MWB is now reporting as malicious. 


Link to post
Share on other sites

  • Root Admin

That appears to be an older version. Also, the main program has been updated to 3.61 - Under Settings, Application, if you click on Install Application Updates it should grab the latest installer. The after the install, make sure to check again for the latest rules.



Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.