Netmeter Version 3.6 build 437 False Positive?

[kozmick]

Greetings...I just installed Malwarebytes...I've grown very attached to Netmeter v3.6 ...anything to be concerned about here?

Thanks in advance,

mick

protection-log-2011-06-21.txt

08:35:17 Michael MESSAGE Protection started successfully

08:35:21 Michael MESSAGE IP Protection started successfully

08:40:09 Michael IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 49583, Process: svchost.exe)

08:50:50 Michael MESSAGE Protection started successfully

08:50:55 Michael MESSAGE IP Protection started successfully

08:58:09 Michael DETECTION C:\PROGRAM FILES (X86)\NETSPEED\NETMETER\HOONETMETER.EXE Adware.Agent ALLOW

09:02:53 Michael MESSAGE Protection started successfully

09:02:57 Michael MESSAGE IP Protection started successfully

09:04:01 Michael IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 49240, Process: svchost.exe)

mbam-log-2100-06-21(08-48-45).txt

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6910

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19048

6/21/2011 8:48:45 AM

mbam-log-2011-06-21 (08-48-45).txt

Scan type: Quick scan

Objects scanned: 225455

Time elapsed: 10 minute(s), 52 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 14

Memory Processes Infected:

c:\program files (x86)\Netspeed\NetMeter\hoonetmeter.exe (Adware.Agent) -> 4552 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Net Meter (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetMeter (Adware.Agent) -> Value: NetMeter -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\program files (x86)\Netspeed (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:

c:\Users\Michael\local settings\temporary internet files\Content.IE5\D8LHQDZI\pack[1].exe (Rogue.SecurityShield) -> Quarantined and deleted successfully.

c:\Users\Michael\local settings\temporary internet files\Content.IE5\D8LHQDZI\pack[3].exe (Rogue.SecurityShield) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\Alarm.wav (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\Beep.wav (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\Boing.wav (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\hoonetmeter.exe (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\License.txt (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\net meter.url (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\NetMeter.chm (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\netmeterservice.exe (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\Notify.wav (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\ReadMe.txt (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\uninst.exe (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\Warning.wav (Adware.Agent) -> Quarantined and deleted successfully.

==========================================================

Correspondence sent to publisher of Netmeter on 2100-06-21 support@hootech.com:

Registered Licensee:

M***** A K*********

Version 3.6 build 437

I really like this program...I've referred many clients...want to continue to use it and refer others. If I do not hear from you I will be forced to assume that this is not a false positive, remove the program and advise all others to to the same and post accordingly.

This is a warning message from Malwarebytes - please explain what the purpose is of this outbound activity. Is this your IP ? If not whose?

08:35:17 Michael MESSAGE Protection started successfully

08:35:21 Michael MESSAGE IP Protection started successfully

08:40:09 Michael IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 49583, Process: svchost.exe)

08:50:50 Michael MESSAGE Protection started successfully

08:50:55 Michael MESSAGE IP Protection started successfully

08:58:09 Michael DETECTION C:\PROGRAM FILES (X86)\NETSPEED\NETMETER\HOONETMETER.EXE Adware.Agent ALLOW

09:02:53 Michael MESSAGE Protection started successfully

09:02:57 Michael MESSAGE IP Protection started successfully

09:04:01 Michael IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 49240, Process: svchost.exe)

Malware Scan log 06-21-2011 - Please advise:

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Net Meter (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetMeter (Adware.Agent) -> Value: NetMeter -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\program files (x86)\Netspeed (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:

c:\Users\Michael\local settings\temporary internet files\Content.IE5\D8LHQDZI\pack[1].exe (Rogue.SecurityShield) -> Quarantined and deleted successfully.

c:\Users\Michael\local settings\temporary internet files\Content.IE5\D8LHQDZI\pack[3].exe (Rogue.SecurityShield) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\Alarm.wav (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\Beep.wav (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\Boing.wav (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\hoonetmeter.exe (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\License.txt (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\net meter.url (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\NetMeter.chm (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\netmeterservice.exe (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\Notify.wav (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\ReadMe.txt (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\uninst.exe (Adware.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\Netspeed\NetMeter\Warning.wav (Adware.Agent) -> Quarantined and deleted successfully.

[nosirrah]

I want to make sure I am looking at the right thing, please provide a link to their home page.

[kozmick]

Thanks Bruce-

Here's the link:

netmeter

~mak

[nosirrah]

Thanks

Please update and scan again, this should be resolved.

[kozmick]

Bruce-

Updated as requested and did a quick scan which produced the detection before.

Happy to report that Netmeter no longer is detected as malware.

I am however still receiving warnings/blocks of IP related to Netmeter 91.212.226.6

I believe this is a benign IP...your thoughts...if it is in fact non-malicious, is there a way to create an exception or ignore, or optimally, block the IP 91.212.226.6 and mute the warning?

Thanks again for the sudden and impressive service...I will purchase the program.

~mak

[Mystery]

To my knowledge the IP 91.212.226.6 is associated with a shady Russian network that has had many complaints about malicious activity by pc users.

Since your computer has an outgoing request to this IP, I would recommend a further look into this issue. Maybe one of the experts can help you verify if there is anything wrong or not.

[kozmick]

Here's an update for others who may be experiencing similar woes:

After chasing this thing for days/weeks...finally out of desperation, turned to Comcast Online Malware Removal support - not cheap - $130US, but ultimately worth every penny, as I learned the process to be able to do this to my own system:

1. The Tech logged on to my computer remotely

2. Did many tests etc. cleaned up registry, services startup etc.

3. Finally upon running a battery of test software, most of which is available like Malwarebytes(first prog he installed and ran)Process Explorer and Autoruns from sysintervals.com, the Tech installed remotely, TDSS Killer scan by Kaspersky (free tool downloadable) a rootkit malware was found (Rootkit.win32.TDSS.tdl4)

4. TDSS then prompted to cure. Problem resolved....so far...

Netmeter was, BTW, very responsive to my concerns, and was most helpful in negating any possibility that the program Netmeter was causing the problem. I highly recommend the progrram and the support for it.

To the staff at Malwarebytes, thank for all your help.