My university's IT department thinks I have Mariposa

Hi, I received an email from my university’s IT department last night saying that they think I have a Mariposa/Butterfly infection, but I believe that their detection is a false positive. The IP that they think is suspicious is 192.64.171.50, which according to URLQuery is owned by Riot Games (the creators of League of Legends). A virustotal scan of the IP shows 0/61 detections, and that the IP is benign.

While I’m almost positive I’m not infected, I’d like a second opinion. My FRST and aswMBR logs are attached. Malwarebytes reports clean, Avast reports that it couldn’t scan some files, but all of the unscanned files are located in my OneDrive account, and they are definitely clean. Microsoft’s Malicious Software Removal Tool reports clean. Thanks for your help in advance!
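The triage the original poster did by hand (look up who owns the flagged IP, then decide whether the alert is worth pursuing) can be scripted. The following is an added example, not code from the thread or from any of the tools mentioned in it: it parses constructed firewall-style log lines, groups flows by destination, matches each destination against a constructed table of known organisation ranges and reports which destinations still need investigation. The CIDR ranges and the sample log lines are assumptions made up for illustration; only the address 192.64.171.50 (attributed to Riot Games in the thread) comes from the page.

```python
"""
Network-alert triage helper (added example; log lines and ranges are constructed).
Group connection records by destination, look each destination up in an
allowlist of known organisations and label what remains to be checked.
"""
import ipaddress
from collections import defaultdict

# Constructed allowlist. The Riot Games range is a hypothetical range chosen
# to contain the IP reported in the thread; it is not a published allocation.
KNOWN_RANGES = [
    (ipaddress.ip_network("192.64.168.0/21"), "Riot Games (hypothetical range)"),
    (ipaddress.ip_network("13.107.0.0/16"), "Microsoft/OneDrive (hypothetical range)"),
]

# Constructed log lines in a simple "timestamp src dst dport" format.
SAMPLE_LOG = """\
2014-10-02T21:03:11 10.20.30.40 192.64.171.50 5223
2014-10-02T21:03:41 10.20.30.40 192.64.171.50 5223
2014-10-02T21:04:11 10.20.30.40 192.64.171.50 5223
2014-10-02T21:04:13 10.20.30.40 13.107.4.50 443
2014-10-02T21:05:02 10.20.30.40 198.51.100.23 6667
2014-10-02T21:06:02 10.20.30.40 198.51.100.23 6667
"""


def owner_of(ip):
    """Return the organisation label for ip, or None if it is not in the allowlist."""
    addr = ipaddress.ip_address(ip)
    for net, org in KNOWN_RANGES:
        if addr in net:
            return org
    return None


def parse_log(text):
    """Parse 'timestamp src dst dport' lines into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        flows.append((ts, src, dst, int(dport)))
    return flows


def triage(text):
    """Return {dst: {"count", "ports", "owner", "verdict"}} for every destination seen."""
    per_dst = defaultdict(lambda: {"count": 0, "ports": set()})
    for _, _, dst, dport in parse_log(text):
        per_dst[dst]["count"] += 1
        per_dst[dst]["ports"].add(dport)

    report = {}
    for dst, info in per_dst.items():
        owner = owner_of(dst)
        if owner is not None:
            # A known owner does not prove the traffic is clean; it only says
            # the next step is to confirm which local process holds the socket.
            verdict = "likely benign: known organisation, confirm the local process"
        else:
            verdict = "investigate: unknown owner, check process, ports and WHOIS"
        report[dst] = {**info, "owner": owner, "verdict": verdict}
    return report


if __name__ == "__main__":
    for dst, row in triage(SAMPLE_LOG).items():
        print(f"{dst:16} flows={row['count']} ports={sorted(row['ports'])} "
              f"owner={row['owner']} -> {row['verdict']}")
```

Run as a script it prints one triage line per destination; the two flows to 198.51.100.23 (a documentation address used here as a stand-in for an unknown host) are the only ones left marked for investigation.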

"Avast reports that it couldn't scan some files, but all of the unscanned files are located in my OneDrive account, and they are definitely clean."
How do I handle files that avast! can’t scan? https://blog.avast.com/2014/02/28/how-do-i-handle-files-that-avast-cant-scan/

No indication of a botnet there, if you did have one Avast would alert as it tries to call home

Pondus: Thanks for that, it was very informative.

Essexboy: I figured as much, but I wanted to be sure. Better safe than sorry, right? My best guess is that for some reason my university was detecting the League of Legends client as suspicious for some reason, as the IP that they gave was directly related to Riot Games.

Here they persist that it is a false positive detection: http://forums.na.leagueoflegends.com/board/showthread.php?t=39362
We have been there before late August: http://forums.euw.leagueoflegends.com/board/showthread.php?t=1876176
And other opinion: http://www.gamefaqs.com/boards/954437-league-of-legends/65434766
& http://www.somebits.com/weblog/tech/bad/league-of-legends-and-malware.html
& http://www.file.net/process/lolclient.exe.html
& http://www.herdprotect.com/league-of-legends.exe-a9b2d1ecf01ccba34ac9d174c7aedf61840644f8.aspx

I assume the Santa Monica developed game is not infested with Mariposa or a likewise Financial Fraud Botnet.
Mariposa infects machines via email and Web exploits, as well as via instant messaging and USB drives,
which are the most successful modes of infection for Mariposa. Can you assume such an infection route was plausible?
If not, forget about that verdict and rather think of a false positive of the Lol.client executable.

I think essexboy can take your further fears away and set your mind at ease, as he is one of the best qualified removers around. :wink:

polonus

Hi Polonus, I haven’t clicked on any suspicious email links, and I doubt I was hit by a web exploit. I was playing League with some friends whom I was in a skype call with during the time of the alert from the university. Is it possible for malware to be transmitted from just a skype call? I haven’t clicked on suspicious links nor have I received files from anyone that I was talking to.

I really admire the work you, essexboy, and all of the other volunteers do around here. I’ve been lurking around this forum for some time now, and I find what you all do to be quite inspiring. In fact, if I weren’t so busy with my college courses right now, I would love to learn how to remove malware myself.

Skype ads in rotating have been compromised and one should block all outside your known contacts, but I doubt there was an active threat being spread there.
Well, Camo5633, hope that you finish your studies successfully and then decide to come and assist us as a qualified remover.
essexboy here is an instructor/teacher at G2G and trains malware removers there to become qualified. This qualification is recognized all over the interwebs.
Or you could choose to become a volunteer cold reconnaissance third party website analyst and error hunter like !Donovan and little old me.
From your encounters with university IT you know security is not their first priority to say the least. I am an exam surveyor at a Rotterdam Higher Educational Institute for Commercial, Media & IT Studies and when I asked students about how security was treated in their curriculum, they said they had "something on that subject" the other year, but apparently from the wrong textbook. Well now you know why we do this to arouse some general awareness platform. Appreciate your interest and so stay in contact with our support forums,

kind regards,

polonus

Thanks for your insight, polonus. I definitely plan to stay in contact with the forums, and I hope that sometime soon I’ll be able to help others like all of you here do.

As far as Skype ads go, I make a point to never click on them, as I’d heard that they had been compromised before. I also have UPnP turned off in Skype, and have it set to allow direct connections to my contacts only.