Jump to content

Archived

This topic is now archived and is closed to further replies.

RandomName96

Is it normal

Recommended Posts

Hello all , this is my first thread. So far the community looks nice and promissing.

 

Anyway , so let's start at our problem. I just noticed at the HIPS logs , there were unusual things such as blocking access to registry by a windows program.  I found it very suspicious cause I'm a security enthusiast. Even csrss.exe tried to modify ESET...I think I'm infected. Here's the whole log (attached)

 

 

Log.txt

Share this post


Link to post
Share on other sites

C:\Program Files\Malwarebytes Anti-Exploit\mbae-loader.exe

needs to be added to exclusions

 

C:\Users\Linux\Desktop\Prototype\prototypef.exe

needs to be added to exclusions or deleted, depending on threat level. Scan it at virustotal, and right click send to ESET for analysis

 

C:\Program Files\Wise\Wise Game Booster\WiseGameBooster.exe

Enable detection of PUPS and PUAS in ESET. I would remove and/or delete this Wisegamebooster

 

C:\Users\Linux\Desktop\GTA IV\Grand Theft Auto IV\GTAIV.exe

Add to exclusions if the game is not hooked by malware or pirated copy

 

C:\Windows\System32\rundll32.exe

Scan at Virustotal and or decypher the hash and make sure this rundll is legitimate and not a trojan.

 

C:\Users\Linux\AppData\Local\Temp\~nsu.tmp\Au_.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\NoExplorer    allowed    Learning mode

This is suspicious, clean your temp folders by deletion.

 

C:\Users\Linux\AppData\Roaming\uTorrent\uTorrent.exe    Modify startup settings    HKEY_USERS\S-1-5-21-3012067017-2217459130-425731381-1000\Software\Microsoft\Windows\CurrentVersion\Run\uTorrent    allowed    Learning mode  

uTorrent is not a very good application to have installed on the system. This is only my opinion though, take it with a grain of salt.

 

C:\Windows\System32\taskhost.exe    Modify startup settings    HKEY_USERS\S-1-5-21-3012067017-2217459130-425731381-1000\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe    allowed    Learning mode

Suspicious, what is internat.exe ?

 

 

All the rest appears normal.

 

I suggest a full scan with ESET if you have not done so.

:)

Share this post


Link to post
Share on other sites

I wouldn't recommend leaving logging of all operations blocked by HIPS enabled; it serves for troubleshooting purposes when HIPS causes an issue with certain software.

Share this post


Link to post
Share on other sites

Prototype and LaunchGTAIV are pirated (However , that does not mean I will never by those games ), and WiseGameBooster is a legitimate program. However thanks for suggesting about rundll.exe. I thought ESET might allow anti-exploit so I didn't make a rule manually , anyway. Sorry for the amount of piracy , but I'm not in finacial state , even my own forum's software is MyBB and not something like XenForo or IPB.
 
Anyway , the results of rundll32.exe were clean I'm not aware of internat.exe , ESET's full scan is also clean.

 

C:\Program Files\Malwarebytes Anti-Exploit\mbae-loader.exe

needs to be added to exclusions

 

C:\Users\Linux\Desktop\Prototype\prototypef.exe

needs to be added to exclusions or deleted, depending on threat level. Scan it at virustotal, and right click send to ESET for analysis

 

C:\Program Files\Wise\Wise Game Booster\WiseGameBooster.exe

Enable detection of PUPS and PUAS in ESET. I would remove and/or delete this Wisegamebooster

 

C:\Users\Linux\Desktop\GTA IV\Grand Theft Auto IV\GTAIV.exe

Add to exclusions if the game is not hooked by malware or pirated copy

 

C:\Windows\System32\rundll32.exe

Scan at Virustotal and or decypher the hash and make sure this rundll is legitimate and not a trojan.

 

C:\Users\Linux\AppData\Local\Temp\~nsu.tmp\Au_.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\NoExplorer    allowed    Learning mode

This is suspicious, clean your temp folders by deletion.

 

C:\Users\Linux\AppData\Roaming\uTorrent\uTorrent.exe    Modify startup settings    HKEY_USERS\S-1-5-21-3012067017-2217459130-425731381-1000\Software\Microsoft\Windows\CurrentVersion\Run\uTorrent    allowed    Learning mode  

uTorrent is not a very good application to have installed on the system. This is only my opinion though, take it with a grain of salt.

 

C:\Windows\System32\taskhost.exe    Modify startup settings    HKEY_USERS\S-1-5-21-3012067017-2217459130-425731381-1000\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe    allowed    Learning mode

Suspicious, what is internat.exe ?

 

 

All the rest appears normal.

 

I suggest a full scan with ESET if you have not done so.

:)

Share this post


Link to post
Share on other sites

I wouldn't recommend leaving logging of all operations blocked by HIPS enabled; it serves for troubleshooting purposes when HIPS causes an issue with certain software.

Well , I only change core settings (rules , scanner settings ,  ThreatSense's Core settings etc.) , anyway , so should I set it to warnings , crtical or errors?

Share this post


Link to post
Share on other sites

In the advanced setup, navigate to Computer -> HIPS -> Advanced setup and make sure that the "Log all blocked operations" box is unticked.

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...