help with malware detected


Recommended Posts

Hi,

I have recently upgraded from the free version to the retail version of Malwarebytes. The real time protection has intercepted and blocked a program. A copy of the log and my comments about the log follow (Note -- names have been edited in the log):

05:18:30 MYNAME MESSAGE Protection started successfully
05:18:44 MYNAME MESSAGE IP Protection started successfully
11:47:34 USERNAME IP-BLOCK 66.235.126.51
11:47:37 USERNAME IP-BLOCK 66.235.126.51
11:47:43 USERNAME IP-BLOCK 66.235.126.51
11:47:55 USERNAME IP-BLOCK 66.235.126.51
11:47:58 USERNAME IP-BLOCK 66.235.126.51
11:48:04 USERNAME IP-BLOCK 66.235.126.51
16:19:28 MYNAME DETECTION C:\Documents and Settings\MYNAME\My Documents\Downloads\produkey\ProduKey.exe Tool.KeyViewer QUARANTINE

I have quarantined it, pending answers/guidance I may receive in this forum.

The portion highlighted in yellow is a legitimate program saved in an unconventional path. It is from Nirsoft. The program itself does scan as clean.

For personal organization preferences I have this (and similar programs) saved in the path shown above. I do understand that the conventional saved location would be in Program Files. I suspect that this is the cause of the alert I received. I don't believe this is a true false positive, in the sense that I understand false positives.

Is my reasoning on this correct? If so, I plan to move the entry from quarantine to ignore. Is this a reasonable tactic to retain use of the program and prevent further alerts?

Thanks for your guidance.


66.235.126.51 ------ 2010-05-25 ---- 2010-05-27
COM dp.smileycentral.com 66.235.126.51 2010-06-02 2010-06-02
COM edits.mywebsearch.com 66.235.126.51 2010-06-02 2010-06-02
COM www153.mywebsearch.com 66.235.126.51 2010-06-02 2010-08-08
COM helpint.mywebsearch.com 66.235.126.51 2010-06-02 2010-06-02
COM smiley.smileycentral.com 66.235.126.51 2010-06-02 2010-06-02
COM www153.smileycentral.com 66.235.126.51 2010-06-02 2010-08-08
COM mywebface.mywebsearch.com 66.235.126.51 2010-06-02 2010-06-02
COM cursormania.smileycentral.com 66.235.126.51 2010-06-02 2010-06-02
COM popularscreensavers.smileycentral.com 66.235.126.51 2010-06-02 2010-06-02
COM webfetti.smileycentral.com 66.235.126.51 2010-06-02 2010-06-02
COM buddies.smileycentral.com 66.235.126.51 2010-07-08 2010-07-08
COM funbuddyicons.smileycentral.com 66.235.126.51 2010-07-08 2010-07-08
COM historyswatter.smileycentral.com 66.235.126.51 2010-07-08 2010-07-08
COM mymailsignature.smileycentral.com 66.235.126.51 2010-07-08 2010-07-08
COM mymailstationery.smileycentral.com 66.235.126.51 2010-07-08 2010-07-08
COM popswatter.smileycentral.com 66.235.126.51 2010-07-09 2010-07-09
COM smileyhelpint.smileycentral.com 66.235.126.51 2010-07-09 2010-07-09

Actually my WOT blocks and flags these sites on that IP - Is there any chance you have used one of these programs -

You can follow the directions listed ->HERE if you think it is a False Positive -

Thank You -

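The two posts above together show the triage a defender does by hand: read the protection log, count how often a given user's session was blocked from an IP, note what was detected and where, and then look up which hostnames have resolved to the blocked IP. The script below is an added example (not the poster's, not Malwarebytes' and not NirSoft's code) that does that triage over the log lines posted in this thread. It assumes the one-line log format visible above (time, account, event kind, details); the passive-DNS records are constructed from the reply above and in practice would come from a DNS history service.

```python
import re

# Constructed sample: the protection-log lines from the first post, with the
# same placeholder account names the poster used. Log format is assumed from
# those lines: "HH:MM:SS ACCOUNT KIND details".
SAMPLE_LOG = """\
05:18:30 MYNAME MESSAGE Protection started successfully
05:18:44 MYNAME MESSAGE IP Protection started successfully
11:47:34 USERNAME IP-BLOCK 66.235.126.51
11:47:37 USERNAME IP-BLOCK 66.235.126.51
11:47:43 USERNAME IP-BLOCK 66.235.126.51
11:47:55 USERNAME IP-BLOCK 66.235.126.51
11:47:58 USERNAME IP-BLOCK 66.235.126.51
11:48:04 USERNAME IP-BLOCK 66.235.126.51
16:19:28 MYNAME DETECTION C:\\Documents and Settings\\MYNAME\\My Documents\\Downloads\\produkey\\ProduKey.exe Tool.KeyViewer QUARANTINE
"""

# Constructed passive-DNS style records (hostname, ip, first seen, last seen),
# a subset of the table in the reply above. A real lookup would query a DNS
# history service instead of a hard-coded list.
PASSIVE_DNS = [
    ("dp.smileycentral.com", "66.235.126.51", "2010-06-02", "2010-06-02"),
    ("edits.mywebsearch.com", "66.235.126.51", "2010-06-02", "2010-06-02"),
    ("www153.mywebsearch.com", "66.235.126.51", "2010-06-02", "2010-08-08"),
    ("www153.smileycentral.com", "66.235.126.51", "2010-06-02", "2010-08-08"),
]

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<kind>[A-Z-]+) (?P<rest>.*)$")


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["kind"] == "DETECTION":
            # The path may contain spaces, so split the threat name and the
            # action off from the right instead of splitting on every space.
            parts = ev["rest"].rsplit(None, 2)
            if len(parts) == 3:
                ev["path"], ev["name"], ev["action"] = parts
        elif ev["kind"] == "IP-BLOCK":
            ev["ip"] = ev["rest"].strip()
        events.append(ev)
    return events


def summarize_ip_blocks(events):
    """Group IP-BLOCK events by (account, ip) with a count and first/last time."""
    summary = {}
    for ev in events:
        if ev["kind"] != "IP-BLOCK":
            continue
        key = (ev["user"], ev["ip"])
        entry = summary.setdefault(key, {"count": 0, "first": ev["time"], "last": ev["time"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ev["time"])
        entry["last"] = max(entry["last"], ev["time"])
    return summary


def detections(events):
    """DETECTION events whose details parsed into path, threat name and action."""
    return [ev for ev in events if ev["kind"] == "DETECTION" and "name" in ev]


def domains_for_ip(ip, records):
    """Hostnames observed resolving to ip, sorted, with first/last seen dates."""
    return sorted((host, first, last) for host, rip, first, last in records if rip == ip)


def report(text, records):
    """Combine the per-IP block summary, its DNS history and the detections."""
    events = parse_log(text)
    out = {"blocked_ips": {}, "detections": []}
    for (user, ip), entry in summarize_ip_blocks(events).items():
        ip_entry = out["blocked_ips"].setdefault(
            ip, {"users": {}, "domains": [h for h, _, _ in domains_for_ip(ip, records)]})
        ip_entry["users"][user] = entry
    for ev in detections(events):
        out["detections"].append(
            {"user": ev["user"], "path": ev["path"], "name": ev["name"], "action": ev["action"]})
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_LOG, PASSIVE_DNS), indent=2))
```

Run on the sample it reports six blocks for the USERNAME account against 66.235.126.51 within thirty seconds, the four hostnames that resolved there, and one quarantined detection under the MYNAME account, which is the same picture the thread arrives at by reading the log and the DNS table by eye.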

NirSoft is a safe company. For some reason many vendors consider their products hacking tools and detect them.

Mail PassView - Recover the passwords of popular email clients: Outlook Express, MS Outlook, Eudora, Mozilla Thunderbird, and more...

MessenPass - Recover the passwords of instant messenger programs: Yahoo Messenger, MSN Messenger, Trillian, and more...

Dialupass: Dialup Password Recovery - Recovers the passwords of dialup entries (VPN and Internet connections). Works also under Windows 2000/XP.

Network Password Recovery - Freeware utility that recovers the network passwords stored by Windows XP (Credentials file).

Asterisk Logger - Reveal the passwords hidden behind asterisk ('****') characters in standard password text-boxes.

SniffPass - Password Sniffer - Listen to your network, and capture POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication) passwords

PstPassword - Recover the password of Outlook PST file.

Protected Storage PassView - Displays all passwords and AutoComplete strings stored in your Protected Storage.

For a few of these reasons above the use of this program is not sanctioned by Security Forums -

These are the hacking type tools mentioned in the post above -

If you are not sure about your passwords, please keep them somewhere safe (mine are updated monthly and paper laminated to prevent loss) -


Thanks all,

The program in question is one I installed to find a product key for the purpose of registering a program. There are five user accounts and six users on this machine. I have taken ownership of maintenance, security, and assisting the other users on this machine. --- quite a chore at times ---

I will leave produkey in quarantine. I really don't need it along with the other 160+ programs installed here.

Regarding the blocked IP address:

I merely posted the entire log because I have found it to be common for people providing guidance to ask for logs in their entirety. I was quite pleased that Malwarebytes blocked the IPs. I am pretty sure I know the source of the IP address. If it is related to the lists provided above, I believe it to be a tag along (MALWARE?) installation for some other program. I have specifically warned all users of this machine about the ills of mywebsearch and smileycentral.

Judging from a Google search of the IP address and the user account which initiated the blocked communications, I believe I have found the source. The Lady of the House is a big fan of tool bars. Ask tool bar appears to be one of the ones tied to that IP address. Unfortunately Ask is one of her favorite tool bars, despite my continued warnings to find another one to satisfy her wishes.

For this cause, I have this machine (over)loaded with security programs. The other users tend to ignore some warnings if they really want to visit or install questionable sites or programs.

Thanks again for your insight.

learning


Hi noknojon,

Thanks for the input. I appreciate the pointer to extra information.

For the present I plan to leave the IP blocked. Although Ask is a good research source, I have heard too much bad hype about the potential security issues with the Ask tool bar. Additionally I really don't think half a dozen tool bars are necessary on a single user account. Maybe the blocking feature of Malwarebytes will contribute to some streamlining of that user account.

learning
