RandomName96 0 Posted November 8, 2013 (edited) Hello all, this is my first thread. So far the community looks nice and promising. Anyway, let's start with our problem. I just noticed in the HIPS logs that there were unusual things, such as a Windows program being blocked from accessing the registry. I found it very suspicious because I'm a security enthusiast. Even csrss.exe tried to modify ESET... I think I'm infected. Here's the whole log (attached): Log.txt Edited November 8, 2013 by RandomName96
Arakasi 549 Posted November 8, 2013
C:\Program Files\Malwarebytes Anti-Exploit\mbae-loader.exe needs to be added to exclusions.
C:\Users\Linux\Desktop\Prototype\prototypef.exe needs to be added to exclusions or deleted, depending on threat level. Scan it at VirusTotal, and right-click to send to ESET for analysis.
C:\Program Files\Wise\Wise Game Booster\WiseGameBooster.exe Enable detection of PUPs and PUAs in ESET. I would remove and/or delete this Wise Game Booster.
C:\Users\Linux\Desktop\GTA IV\Grand Theft Auto IV\GTAIV.exe Add to exclusions if the game is not hooked by malware or a pirated copy.
C:\Windows\System32\rundll32.exe Scan at VirusTotal and/or decipher the hash and make sure this rundll is legitimate and not a trojan.
C:\Users\Linux\AppData\Local\Temp\~nsu.tmp\Au_.exe Modify startup settings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\NoExplorer allowed Learning mode This is suspicious; clean your temp folders by deletion.
C:\Users\Linux\AppData\Roaming\uTorrent\uTorrent.exe Modify startup settings HKEY_USERS\S-1-5-21-3012067017-2217459130-425731381-1000\Software\Microsoft\Windows\CurrentVersion\Run\uTorrent allowed Learning mode uTorrent is not a very good application to have installed on the system. This is only my opinion though; take it with a grain of salt.
C:\Windows\System32\taskhost.exe Modify startup settings HKEY_USERS\S-1-5-21-3012067017-2217459130-425731381-1000\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe allowed Learning mode Suspicious, what is internat.exe?
All the rest appears normal. I suggest a full scan with ESET if you have not done so.
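The triage Arakasi describes above (hash and verify the listed binaries, find out what the Run and Browser Helper Object entries actually launch) can be scripted. The following is an added example, not code from the thread or from ESET; it assumes PowerShell 4.0 or later (for Get-FileHash), an elevated prompt so HKLM is readable, and it reuses the path list from the post, so most of those files will be reported as missing on any other machine. HKEY_USERS\S-1-5-21-... in the log is the logged-on user's hive, which the script reads as HKCU:.

```powershell
# Added example, not code from the thread. Triage for the HIPS log entries above:
# check each binary's Authenticode signature and SHA-256, then list the Run and
# Browser Helper Object autostart locations the log mentions and resolve what they
# point at. Assumptions: PowerShell 4.0+ (Get-FileHash), run elevated, and the
# path list below is copied from the post (files absent here are reported as such).

$Paths = @(
    'C:\Program Files\Malwarebytes Anti-Exploit\mbae-loader.exe',
    'C:\Users\Linux\Desktop\Prototype\prototypef.exe',
    'C:\Program Files\Wise\Wise Game Booster\WiseGameBooster.exe',
    'C:\Users\Linux\Desktop\GTA IV\Grand Theft Auto IV\GTAIV.exe',
    'C:\Windows\System32\rundll32.exe',
    'C:\Users\Linux\AppData\Local\Temp\~nsu.tmp\Au_.exe',
    'C:\Users\Linux\AppData\Roaming\uTorrent\uTorrent.exe',
    'C:\Windows\System32\taskhost.exe'
)

function Get-BinaryTriage {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null; SHA256 = $null; Flag = 'file not present' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $hash   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        $flag = 'ok'
        if ($p -like "$env:SystemRoot\System32\*") {
            # Caveat: on Windows 7 most System32 binaries are catalog-signed rather than
            # embedded-signed, and Get-AuthenticodeSignature there reports NotSigned.
            # Confirm with 'sfc /verifyfile=<path>' before treating that as a trojan.
            if ($sig.Status -eq 'NotSigned') {
                $flag = 'no embedded signature; verify with sfc /verifyfile'
            } elseif ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                $flag = 'system file not validly Microsoft-signed'
            }
        } elseif ($p -like '*\AppData\Local\Temp\*') {
            # An executable in %TEMP% is installer residue or a dropper; look the
            # SHA-256 up on VirusTotal before deleting it.
            $flag = 'executable in Temp'
        } elseif ($sig.Status -ne 'Valid') {
            $flag = 'unsigned or invalid signature'
        }
        [pscustomobject]@{ Path = $p; Status = $sig.Status; Signer = $signer; SHA256 = $hash; Flag = $flag }
    }
}

function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # = HKEY_USERS\<SID> in the log
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            # Pull the executable out of the command line: optional quotes, then the first *.exe token
            $exe = if ("$($prop.Value)" -match '^\s*"?([^"]+?\.exe)') {
                [Environment]::ExpandEnvironmentVariables($Matches[1])
            } else { "$($prop.Value)" }
            # A bare name like 'internat.exe' is resolved through the PATH search, the same
            # way the loader would find it; that is what tells you which file really runs.
            if ($exe -notmatch '[\\/]') {
                $cmd = Get-Command $exe -ErrorAction SilentlyContinue
                if ($cmd) { $exe = $cmd.Path }
            }
            [pscustomobject]@{ Location = $k; Name = $prop.Name; Target = $exe }
        }
    }
    # Each BHO is a CLSID subkey; the DLL it loads into Explorer/IE is the default
    # value of HKCR\CLSID\{guid}\InprocServer32.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($sub in Get-ChildItem -Path $bhoKey) {
            $clsid = $sub.PSChildName
            $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll = if ($srv) { [Environment]::ExpandEnvironmentVariables("$($srv.'(default)')") } else { $null }
            [pscustomobject]@{ Location = $bhoKey; Name = $clsid; Target = $dll }
        }
    }
}

Get-BinaryTriage -Path $Paths | Format-Table -AutoSize

# Run every autostart target through the same signature/hash check, so an unknown
# Run value shows up with its real path, signer and SHA-256 next to it.
Get-AutostartEntries | ForEach-Object {
    $entry  = $_
    $triage = if ($entry.Target) { Get-BinaryTriage -Path $entry.Target } else { $null }
    [pscustomobject]@{
        Location = $entry.Location; Name = $entry.Name; Target = $entry.Target
        Status   = $triage.Status;  Flag = $triage.Flag; SHA256 = $triage.SHA256
    }
} | Format-Table -AutoSize
```

Two things the output does not settle on its own: a System32 file reported as NotSigned on Windows 7 is usually catalog-signed and needs sfc /verifyfile (or a catalog-aware tool) before it is called a trojan, and a valid signature on a game executable says nothing about whether it has been patched or wrapped, which is why Arakasi's advice to check the hash on VirusTotal still applies.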
Administrators Marcos 5,457 Posted November 8, 2013 I wouldn't recommend leaving logging of all operations blocked by HIPS enabled; it serves for troubleshooting purposes when HIPS causes an issue with certain software.
RandomName96 0 Posted November 8, 2013 (Author) Prototype and LaunchGTAIV are pirated (however, that does not mean I will never buy those games), and WiseGameBooster is a legitimate program. However, thanks for the suggestion about rundll32.exe. I thought ESET might allow the anti-exploit, so I didn't make a rule manually, anyway. Sorry for the amount of piracy, but I'm not in a financial state for it; even my own forum's software is MyBB and not something like XenForo or IPB. Anyway, the results for rundll32.exe were clean. I'm not aware of internat.exe. ESET's full scan is also clean.
RandomName96 0 Posted November 8, 2013 (Author) "I wouldn't recommend leaving logging of all operations blocked by HIPS enabled; it serves for troubleshooting purposes when HIPS causes an issue with certain software." Well, I only change core settings (rules, scanner settings, ThreatSense's core settings, etc.), anyway. So should I set it to warnings, critical or errors?
RandomName96 0 Posted November 8, 2013 (Author, edited) I do not know anything about the "additional information" page. Edited November 9, 2013 by RandomName96
Administrators Marcos 5,457 Posted November 11, 2013 In the advanced setup, navigate to Computer -> HIPS -> Advanced setup and make sure that the "Log all blocked operations" box is unticked.