Cleaned computers still flagged as malware


peb2


Hello MWB Specialists, 

I work at a university and we had several machines get infected with malware that broadcast over port 1900. Our main campus IT quarantined and removed the malware and rebuilt the 3 infected machines, but MWB 3.0 is now giving us "Website Blocked" popups whenever these machines transmit over the UPnP port. 

My boss and the senior faculty are all using MWB 3, so they're seeing these popups at a rate of 5 or more an hour. I've confirmed the machines are no longer infected, so is there any way to stop MWB from showing these false positive popups? 

****The forum spam protection will not let me post a line from my logs. If you'd like to see any log files, let me know and I'll attach them.

Thank you in advance.

 

 

 

  • Root Admin

Hello @peb2 and :welcome:

Sorry for the blocking, but due to very high spam content we've had to lock things down a bit to slow it down. I've removed the block for you, so you shouldn't have any more trouble posting or uploading logs.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


Ron,

Thank you. Attached are the export summary and service log from my machine. 

This is a line from the service log that shows the false positive:

09/20/18    " 14:37:49.471"    80541625    10f4    6c58    INFO    MWACControllerCOM    CMWACController::WebsiteBlockedNotificationCallback    "MWACController.cpp"    1130    "Malicious Website Protection, ipBlockList, <IP REMOVED>, , 1900, Inbound, C:\Windows\System32\svchost.exe"
 

I'll have to run the Farbar Recovery Scan Tool at COB and upload the results tomorrow.

Thank you,

-peb2

 

MBAMSERVICE.LOG


Export Summary:
 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/20/18
Scan Time: 2:07 AM
Log File: 6411546c-bc9b-11e8-a533-f832e4728544.json

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.441
Update Package Version: 1.0.6923
License: Premium

-System Information-
OS: Windows 10 (Build 17134.285)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 397047
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 8 min, 52 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


  • Root Admin

I would not call that an FP.

It is blocking at least one of your systems due to the Emotet threat.

Blocked for Trojan.Emotet on 2018-09-04 02:39:45

I will discuss with our internal team to have them review the IP again.

If you like I can assist you via Private Messenger as redacting logs makes it difficult to assist you.

Thanks

Ron

 

Edited by AdvancedSetup

Ron, 

There was a malware outbreak initially, but it was cleaned by our information security office. Here's their response:

--------------------------

We did deal with a malware outbreak on these machines along with a few others belonging to the affected department.  The machines were rebuilt late Tuesday afternoon and returned to service on Wednesday (9/12). We believe the outbreak started on 8/31.

The packets that MalwareBytes is detecting are Universal Plug and Play  (UPnP) multicast to UDP 1900.  However, our logs show that these machines have been sending the multicast packets long before the malware outbreak.  Which leads us to speculate that the UPnP traffic is coincidental and not caused by the malware. The malware was communicating with a specific command and control IP that we used to track the outbreak.

We took XXX.X.XX.XX offline this afternoon after your last email and we're forensically examining it.  So far we haven't been able to locate any of the malware that was present prior to the rebuild and our logs are not showing the command and control communication or any other signs of the malicious behavior that we observed prior to the rebuild.

--------------------------

So I noticed MWB blocking the initial infection, but the problem I'm having is that post-rebuild (after 9/12) these same machines are transmitting standard UPnP traffic (over port 1900) which MWB is now reporting as malicious. 

 

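The service log line peb2 quoted earlier and the information security office's note that the blocked packets are UPnP/SSDP multicast to UDP 1900 both point at the same triage question: which remote IP, port and local process are behind the repeated "Website Blocked" popups, and how often they fire. The script below is an added example written for this thread, not code from Malwarebytes or from either poster. It assumes the meaning of the comma-separated fields in the block message (feature, matching list, remote IP, domain, port, direction, local process), which is inferred from the single sample line in the thread, and the log lines it parses are constructed using documentation IP ranges rather than real hosts.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Callback name exactly as it appears in the quoted MBAMSERVICE.LOG line.
BLOCK_CALLBACK = "CMWACController::WebsiteBlockedNotificationCallback"
SSDP_PORT = 1900  # UPnP/SSDP discovery port (UDP 1900)

# Constructed sample in the same layout as the quoted line: tab-separated
# columns, last column a quoted comma-separated message. IPs are from
# documentation ranges (203.0.113.0/24, 192.0.2.0/24), not real hosts.
SAMPLE_LOG = "\n".join([
    '09/20/18\t" 14:37:49.471"\t80541625\t10f4\t6c58\tINFO\tMWACControllerCOM\t'
    'CMWACController::WebsiteBlockedNotificationCallback\t"MWACController.cpp"\t1130\t'
    '"Malicious Website Protection, ipBlockList, 203.0.113.7, , 1900, Inbound, C:\\Windows\\System32\\svchost.exe"',
    '09/20/18\t" 14:41:02.010"\t80541626\t10f4\t6c58\tINFO\tMWACControllerCOM\t'
    'CMWACController::WebsiteBlockedNotificationCallback\t"MWACController.cpp"\t1130\t'
    '"Malicious Website Protection, ipBlockList, 203.0.113.7, , 1900, Inbound, C:\\Windows\\System32\\svchost.exe"',
    '09/20/18\t" 14:45:13.300"\t80541627\t10f4\t6c58\tINFO\tMWACControllerCOM\t'
    'CMWACController::WebsiteBlockedNotificationCallback\t"MWACController.cpp"\t1130\t'
    '"Malicious Website Protection, ipBlockList, 192.0.2.44, , 443, Outbound, C:\\Program Files\\Browser\\browser.exe"',
    # Constructed non-block noise line: fewer columns, must be ignored.
    '09/20/18\t" 14:46:00.000"\t80541628\tINFO\tsome other service message',
])


@dataclass(frozen=True)
class WebBlock:
    when: datetime
    feature: str    # e.g. "Malicious Website Protection"
    reason: str     # which list matched, e.g. "ipBlockList" (assumed meaning)
    remote_ip: str
    domain: str     # empty for pure IP blocks
    port: int
    direction: str  # "Inbound" / "Outbound"
    process: str    # local process that owned the connection


def parse_block_line(line: str) -> Optional[WebBlock]:
    """Parse one log line; return None for anything that is not a web-block event."""
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) != 11 or cols[7] != BLOCK_CALLBACK:
        return None
    # Column 1 is the time wrapped in quotes with a leading space: " 14:37:49.471"
    clock = cols[1].strip().strip('"').strip()
    try:
        when = datetime.strptime(cols[0] + " " + clock, "%m/%d/%y %H:%M:%S.%f")
    except ValueError:
        return None
    # Message field layout assumed from the sample line; maxsplit=6 keeps any
    # comma inside the process path intact.
    parts = cols[10].strip().strip('"').split(", ", 6)
    if len(parts) != 7 or not parts[4].isdigit():
        return None
    feature, reason, ip, domain, port, direction, process = parts
    return WebBlock(when, feature, reason, ip, domain, int(port), direction, process)


def parse_log(text: str) -> List[WebBlock]:
    return [b for b in (parse_block_line(ln) for ln in text.splitlines()) if b]


def is_ssdp_candidate(block: WebBlock) -> bool:
    """Port 1900 owned by svchost.exe is the shape of normal Windows SSDP traffic."""
    return block.port == SSDP_PORT and block.process.lower().endswith("\\svchost.exe")


def summarize(blocks: List[WebBlock]) -> Dict[Tuple[str, int, str, str], int]:
    """Count blocks per (remote IP, port, direction, process) so the noisy tuple stands out."""
    return Counter((b.remote_ip, b.port, b.direction, b.process) for b in blocks)


def peak_hourly_rate(blocks: List[WebBlock]) -> int:
    """Highest number of blocks seen for any (remote IP, clock hour) pair."""
    buckets = Counter((b.remote_ip, b.when.strftime("%Y-%m-%d %H")) for b in blocks)
    return max(buckets.values(), default=0)


def triage(block: WebBlock) -> str:
    """Defender-side reading: an ipBlockList hit is keyed on the remote IP's
    reputation, so a benign-looking port alone does not make it a false positive."""
    if block.reason == "ipBlockList" and is_ssdp_candidate(block):
        return ("ssdp-shaped traffic to a listed IP: confirm the host is clean, "
                "then ask the vendor to re-review the IP rather than excluding the port")
    if block.reason == "ipBlockList":
        return "connection to a listed IP: treat as a real hit until the IP is reviewed"
    return "block from list %s: review the listed item" % block.reason


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for key, n in summarize(found).items():
        print(n, key)
    print("peak blocks per hour from one IP:", peak_hourly_rate(found))
    for b in found:
        print(b.when.time(), b.remote_ip, b.port, "->", triage(b))
```

Run it against a real MBAMSERVICE.LOG by replacing SAMPLE_LOG with the file's contents; the per-tuple counts and the hourly peak give the numbers needed when asking the vendor to re-check an IP, and the triage text reflects Ron's point above that the block is on the listed IP, not on port 1900 as such.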

  • Root Admin

That appears to be an older version. Also, the main program has been updated to 3.61 - Under Settings, Application, if you click on Install Application Updates it should grab the latest installer. Then after the install, make sure to check again for the latest rules.

[Image: mbam_current_version_3.6.1.jpg]

 

Edited by AdvancedSetup
Updated information

This topic is now closed to further replies.