Kelk 2013

[alghorabaa]

Hi,

I have been using this program (Kelk 2013) for years without problems, their website is:

http://sinasoft.com/kelk.html

But after using Malwarebytes I am unable to use it, I scan it and it showed total 12 detection, please check the attachments

result.txt

[shadowwar]

can you please zip and attach the files detected here?

 

Thanks!

[alghorabaa]

Hi,
I put them all in RAR file, 11 files since one file is located at two folder so there was no need to make two copies of it, I also added two files (Kelk2K.exe, Kelk2KR.exe) since Malwarebytes classified them as (MachineLearning/Anomalous.100%) and as Kelk developers gives a note to exclude these two files from Antivirus scan rules, thanks

files_detected.rar

[shadowwar]

This should be fixed in about 10 mins.

If still detected on your end after ~10 minutes from now. Perform the following steps: 

1. Totally exit/shutdown Malwarebytes.
2. Go to here in explorer: C:\ProgramData\Malwarebytes\MBAMService
3. Delete the following file only: hubblecache
4. Then you can restart MBAM and the cache file will rebuild on the next scan.

 

 

[alghorabaa]

Hi,
I updated Malwarebytes, and restarted my laptop, and even deleted hubblecache following the steps you had given, and restarted again, and opened Kelk 2013, but Malwarebytes blocked it, message in the attachment.
thanks

[alghorabaa]

Hi,

Thanks, I had to delete hubblecache one more time, and restore the file from (quarantined), and it seems to be working normally now.

Many thanks

[alghorabaa]

Hi,

I manually scanned the application folder and got two files infected with (trojan.malpack.themida):

xu/k2kmath.dll

xu8/hshardll.dll

They were among the files I uploaded yesterday

[shadowwar]

hmm they are showing whitelisted on this end. Can you please post the scan log?

 

[alghorabaa]

Hi,
It is very strange, I have two computers, one of them shows 2 infections, and the other one shows 10 infections on manual scan, both of them were updated and file (hubblecache) was deleted many times, and machines were restarted several times, the scan log is attached here.
thanks

result.txt

[shadowwar]

These aren't blocked anyway from communicating with us are they? Hubble gets its information from the cloud about whitelisting the files.

[alghorabaa]

apart from that, (Kelk 2013) works without problems, check attachments please.

[shadowwar]

The best i can say is to add them to your ignore list. Something is blocking your communication to our hubble cloud. We have seen this in the past with modified copies of the hosts file. Either Malware can modify the hosts file or Pirated copies of MBAM sometimes add entries to the hosts file to block license checks.

[alghorabaa]

Apart from that, (Kelk 2013) works without problems, check attachments please.

[alghorabaa]

No I don't use pirated copy, and my host file is ok, nothing blocks the communication but internet is very slow, please check the attachments.

[alghorabaa]

No I don't use pirated copy, and my host file is ok, nothing blocks the communication but internet is very slow, please check the attachments.

[shadowwar]

The best i can say then is to add to the ignore list. From the files you sent originally i verified they are all currently whitelisted in the cloud.

[shadowwar]

You can also pm me the mbamservice.log located in C:\ProgramData\Malwarebytes\MBAMService\logs and i can see what is happening with the detections.

[alghorabaa]

I guess it is all because of internet, it is not stable at all due to the cut of the internet undersea cable, the whole country suffers from slow internet, check this link:

https://www.wired.com/story/yemen-internet-blackout-undersea-cable/

[shadowwar]

That could be very well it. The mbamservice.log will show if hubble calls timed out.

 

[alghorabaa]

I am trying to upload the whole log folder to you through PM, rar file is 3.7 mb which is to big to be uploaded due to slow internet

[shadowwar]

Well if you want search for one of the file names detected in the mbamservice.log. Give me the 5 lines before and after the filename and post it here.

[alghorabaa]

File sent to your pm