Is it normal


Hello all, this is my first thread. So far the community looks nice and promising.

 

Anyway, let's start with our problem. I just noticed unusual things in the HIPS logs, such as a Windows program being blocked from accessing the registry. I found it very suspicious because I'm a security enthusiast. Even csrss.exe tried to modify ESET... I think I'm infected. Here's the whole log (attached).

 

 

Log.txt


C:\Program Files\Malwarebytes Anti-Exploit\mbae-loader.exe

needs to be added to exclusions

 

C:\Users\Linux\Desktop\Prototype\prototypef.exe

needs to be added to exclusions or deleted, depending on threat level. Scan it at VirusTotal, and right-click to send it to ESET for analysis.

 

C:\Program Files\Wise\Wise Game Booster\WiseGameBooster.exe

Enable detection of PUPs and PUAs in ESET. I would remove and/or delete this Wise Game Booster.

 

C:\Users\Linux\Desktop\GTA IV\Grand Theft Auto IV\GTAIV.exe

Add to exclusions if the game is not hooked by malware or a pirated copy.

 

C:\Windows\System32\rundll32.exe

Scan at VirusTotal and/or decipher the hash and make sure this rundll32 is legitimate and not a trojan.

 

C:\Users\Linux\AppData\Local\Temp\~nsu.tmp\Au_.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\NoExplorer    allowed    Learning mode

This is suspicious, clean your temp folders by deletion.

 

C:\Users\Linux\AppData\Roaming\uTorrent\uTorrent.exe    Modify startup settings    HKEY_USERS\S-1-5-21-3012067017-2217459130-425731381-1000\Software\Microsoft\Windows\CurrentVersion\Run\uTorrent    allowed    Learning mode  

uTorrent is not a very good application to have installed on the system. This is only my opinion though, take it with a grain of salt.

 

C:\Windows\System32\taskhost.exe    Modify startup settings    HKEY_USERS\S-1-5-21-3012067017-2217459130-425731381-1000\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe    allowed    Learning mode

Suspicious, what is internat.exe ?

 

 

All the rest appears normal.

 

I suggest a full scan with ESET if you have not done so.

:)

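The checks suggested in the reply above (confirm that rundll32.exe is the genuine Microsoft binary, find out what the internat.exe Run value and the BHO CLSID actually point to) can be done from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from ESET; it assumes it runs on the affected machine as the user whose log was posted (the HKEY_USERS\S-1-5-21-...-1000 hive in the log is that user's HKCU), and it uses the paths and the CLSID exactly as they appear in the quoted log lines.

```powershell
# Added example: triage the binaries and autostart entries the HIPS log flagged.
# Assumes an elevated PowerShell on the affected machine; paths and CLSID are the
# ones quoted in the log above, not new findings.

# 1. Signature state and SHA-256 of the flagged executables.
#    Windows system binaries are catalog-signed, so Status should read "Valid";
#    "NotSigned" or "HashMismatch" on a System32 file is what you do NOT want.
#    The SHA-256 can be pasted into VirusTotal's search box without uploading.
$paths = @(
    'C:\Windows\System32\rundll32.exe',
    'C:\Windows\System32\taskhost.exe',
    'C:\Users\Linux\AppData\Local\Temp\~nsu.tmp\Au_.exe'
)
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "$p : not present (a temp-folder file may already be gone)"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $p
    [pscustomobject]@{
        Path   = $p
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    }
}

# 2. Resolve every Run value so "internat.exe" shows the command it launches.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    $key = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        Write-Output ("{0}\{1} = {2}" -f $k, $name, $key.GetValue($name))
    }
}

# 3. Map the BHO CLSID from the log to the DLL it loads before deleting anything.
#    32-bit BHOs on 64-bit Windows register under Wow6432Node.
$clsid = '{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}'
$roots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)
foreach ($root in $roots) {
    $ip = Join-Path -Path $root -ChildPath "$clsid\InprocServer32"
    if (Test-Path -Path $ip) {
        Write-Output ("{0} -> {1}" -f $ip, (Get-ItemProperty -Path $ip).'(default)')
    }
}
```

Run the DLL path printed in step 3 and the command printed for internat.exe through the same Get-AuthenticodeSignature / Get-FileHash check as step 1; a value that points into a user-writable folder such as AppData\Local\Temp deserves more attention than one pointing into System32.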

  • Administrators

I wouldn't recommend leaving logging of all operations blocked by HIPS enabled; it serves for troubleshooting purposes when HIPS causes an issue with certain software.


Prototype and LaunchGTAIV are pirated (however, that does not mean I will never buy those games), and WiseGameBooster is a legitimate program. However, thanks for suggesting about rundll.exe. I thought ESET might allow anti-exploit so I didn't make a rule manually, anyway. Sorry for the amount of piracy, but I'm not in a financial state; even my own forum's software is MyBB and not something like XenForo or IPB.
 
Anyway, the results of rundll32.exe were clean. I'm not aware of internat.exe; ESET's full scan is also clean.


I wouldn't recommend leaving logging of all operations blocked by HIPS enabled; it serves for troubleshooting purposes when HIPS causes an issue with certain software.

Well, I only change core settings (rules, scanner settings, ThreatSense's core settings etc.), anyway, so should I set it to warnings, critical or errors?


  • Administrators

In the advanced setup, navigate to Computer -> HIPS -> Advanced setup and make sure that the "Log all blocked operations" box is unticked.
