Log Analyze Request

16 minutes ago, andremelo90 said:

Also, this is the symptom: MB starts, and won't stop, popping up this notification as soon as I start a tunnel program called noping.exe. It's for lowering online game latency.


Hello andremelo90 and :welcome:


I'm Android8888 and I'll be helping you with your malware issues. Please ask questions if anything is unclear.

Your system is infected with a rootkit, which is a stubborn and nasty infection.

Please DO NOT RUN ANY additional scans or anti-malware tools on your own while you are being assisted in this topic; otherwise it can make things worse.

It's getting late, so I'll be back with a fix tomorrow.

Thank you for your understanding.

Android8888


Hi, @andremelo90

Thank you for your patience. I have analyzed your logs carefully and I would need to see a new set of logs from FRST to ensure that the suspected infection is not a false positive.

Please run a new scan with FRST and attach the fresh logs (FRST.txt and Addition.txt) for my review.

Then wait for further instructions.


There is something to mention: the first time I ran FRST, my PC was running a game called Tibia, and its anticheat engine is called BattlEye. I say this because as soon as you replied yesterday, I searched the log for "rootkit" and found a BattlEye-related file called BEDaisy.sys.


Your logs are clean.

Concerning the popups you are experiencing from Malwarebytes Premium version, the program offers 4 layers of active protection:
Web Protection
Malware Protection
Ransomware Protection
Exploit Protection

In this case Malwarebytes Web Protection is blocking the application NoPing.exe from connecting to the IP address 203.23.128.148, which is located in Hong Kong and does not have a good reputation with several antivirus scanner engines.
Take a look at this report:
https://www.virustotal.com/gui/ip-address/203.23.128.148/detection

However, if you think this may be a false positive, I suggest you create a new topic here for the Research team to review and whitelist the site if it proves to be an FP.

Are there any issues or concerns with the machine?


9 minutes ago, Android8888 said:

and does not have a good reputation with several antivirus scanner engines.

Exactly. I did some research and this IP is mentioned as one of the C&C servers of the renowned TrickBot.

12 minutes ago, Android8888 said:

However, if you think this may be a false positive, I suggest you create a new topic here for the Research team to review and whitelist the site if it proves to be an FP.

The software noping.exe is well known, at least here in Brazil, for being one of the best programs for decreasing latency in online games, so I have more reason to believe that other software might be using the features of noping.exe to try to access the site/IP in question.

Well, since the possibilities have been exhausted, I feel that I must mention that I use two automation programs, which the supplier told me to add as exclusions in both my antivirus, Kaspersky, and Malwarebytes.

I really believe that I have suffered fraud through this supplier, as nothing else can explain such strange and suspicious behavior.
Anyway, what I have left would be to send such files so that you can check their behavior, but as we are talking about software and its logins and passwords, I am afraid that we need a private channel to exchange them.


Well, I tried contacting the noping.exe support team, and they informed me that they now own this IP, 203.23.128.148, and the bad reputation is probably due to its past owners. Still, I've requested an IP analysis by creating a topic in the section Malwarebytes for Home Support > False Positives > Website Blocking. So, let's wait for their feedback. And a huge thanks to you @Android8888 and the whole Malwarebytes support team, you guys are saviors!!!

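The two posts above describe the situation a defender sees from the outside: a Web Protection notification repeating every time a process (noping.exe) reaches a flagged address, plus the later twist that the address had changed hands and was carrying its previous owner's reputation. The following is an added example, not code from Malwarebytes or from anyone in this thread, of how an analyst might collapse a burst of such notifications into one row per process/destination and attach a reputation note for review. The event line format, the timestamps and the reputation table are constructed for this example; the only value taken from the thread is the IP 203.23.128.148.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "website blocked" notifications, loosely modeled on
# what the thread describes. This is NOT real Malwarebytes log output.
SAMPLE_EVENTS = [
    "2020-05-10 21:03:11 | Website blocked | process=noping.exe | ip=203.23.128.148 | port=443",
    "2020-05-10 21:03:14 | Website blocked | process=noping.exe | ip=203.23.128.148 | port=443",
    "2020-05-10 21:05:02 | Website blocked | process=noping.exe | ip=203.23.128.148 | port=443",
    "2020-05-10 21:06:40 | Website blocked | process=chrome.exe | ip=198.51.100.7 | port=80",
    "2020-05-10 21:07:00 | Website allowed | process=chrome.exe | ip=198.51.100.9 | port=443",
]

# Constructed reputation table (IP -> reason). A real deployment would read
# this from a threat-intel feed; these entries are assumptions for the demo.
REPUTATION = {
    "203.23.128.148": "flagged by several AV engines; ownership reported changed",
    "198.51.100.7": "constructed test entry (documentation range)",
}


@dataclass
class Summary:
    process: str
    ip: str
    count: int
    first_seen: str
    last_seen: str
    reputation: Optional[str]


def parse_event(line):
    """Parse one constructed event line into a dict, or None if it is not a block."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 5 or parts[1] != "Website blocked":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    try:
        ipaddress.ip_address(fields["ip"])  # reject malformed addresses early
    except (KeyError, ValueError):
        return None
    return {"ts": parts[0], "process": fields.get("process", "?"), "ip": fields["ip"]}


def summarize_blocks(lines, reputation=REPUTATION):
    """Collapse repeated block notifications into one row per (process, ip)."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            groups[(ev["process"], ev["ip"])].append(ev["ts"])
    rows = []
    for (proc, ip), stamps in sorted(groups.items()):
        rows.append(Summary(proc, ip, len(stamps), min(stamps), max(stamps), reputation.get(ip)))
    return rows


def triage(summary):
    """Return a short recommendation for one summary row.

    A reputation hit is a signal, not a verdict: as the thread shows, an IP can
    change hands and inherit its previous owner's reputation. The output
    therefore always points at a human review step instead of deciding alone.
    """
    if summary.reputation is None:
        return "no reputation data; confirm the process is expected to talk to this host"
    return f"reputation hit ({summary.reputation}); verify current owner before excluding"


if __name__ == "__main__":
    for row in summarize_blocks(SAMPLE_EVENTS):
        print(f"{row.process} -> {row.ip}: {row.count} blocks "
              f"({row.first_seen} .. {row.last_seen}); {triage(row)}")
```

The point of grouping is that three hundred identical popups are one fact (one process, one destination, one time window), and the point of the triage text is that the reputation lookup is deliberately advisory: the thread's own outcome, where the vendor had the IP re-assigned and the notifications stopped, is exactly the case a fully automatic verdict would get wrong.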

Hi @andremelo90

I saw your new topic at Malwarebytes for Home Support > False Positives > Website Blocking.

It appears your issue is resolved, isn't it?

If so, please let me know so we can close this topic as well.


1 minute ago, Android8888 said:

Hi @andremelo90

I saw your new topic at Malwarebytes for Home Support > False Positives > Website Blocking.

It appears your issue is resolved, isn't it?

If so, please let me know so we can close this topic as well.

Yes!! Sorry for forgetting about it, but yes, it has been resolved; they did change the IP, so no more trojan notification 24h/day 😝
Again, I am extremely grateful for all your and @Zynthesist's efforts in helping with this. Thank you guys, you're awesome!!


Okay, any time you need help don't hesitate and feel free to ask here. We at Malwarebytes will certainly do what we can to help.

Best regards and stay safe.

Android8888

Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

This topic is now closed to further replies.