Yaiven

Members · Posts: 16 · Reputation: 0 Neutral
  1. This is my first time reporting one of these, so I apologize in advance if I'm missing something. I'm pretty certain this was a false positive, because a malware removal expert on this site recently helped me clean the computer thoroughly and this program has been there for quite some time. Mnemosyne.exe is a flashcard program from here: http://mnemosyne-proj.org/ It was detected as Worm.Agent by Malwarebytes this afternoon, so it must have been the latest update (the program has been there for a while). As another user checked, here is the report from virustotal:

     SHA256: ac5ade53760cc66e7b3880a82a267b82236acc8586d93c3f91eda0e3ae2ddafa
     File name: mnemosyne.exe
     Detection ratio: 1 / 45
     Analysis date: 2013-03-20 23:29:05 UTC ( 0 minutes ago )

     I've attached the file in question in a .rar archive. The result of the MBAM log in /developer mode is below. Originally it detected it on its own (not during a manual scan) and quarantined it. To replicate it in developer mode, I made a copy on E:\ and scanned that with the full scan. Quick scan did not register anything.

     --> Is there a way to scan a single file with /developer, either as a command line option or using the context menu scan?

     Malwarebytes Anti-Malware (PRO) 1.70.0.1100
     www.malwarebytes.org

     Database version: v2013.03.20.02

     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Yaiven :: HAKKAN [administrator]

     Protection: Enabled

     3/20/2013 7:25:29 PM
     MBAM-log-2013-03-20 (19-25-54).txt

     Scan type: Full scan (E:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 247415
     Time elapsed: 17 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 1
     E:\mnemosyne.exe (Worm.Agent) -> No action taken. [043eb2117eed41f524be4df0a8596b95]

     (end)

     mnemosyne.rar
  2. Thanks for all your help, Gringo, and for the links and information. The computer seems to be working fine. I sent a small donation for your trouble. I just had one more question: You mention that if I use MSE, I should uninstall my present antivirus. Does that include Malwarebytes' Anti-Malware (free or paid versions)? Or can the two work together?
  3. Alright, here are the scan results:

     Scanning Report
     Thursday, February 21, 2013 17:36:57 - 18:07:05
     Computer name: HAKKAN
     Scanning type: Scan system for malware, spyware and rootkits
     Target: C:\

     No malware found

     Statistics
     Scanned: Files: 70466 System: 6066 Not scanned: 29
     Actions: Disinfected: 0 Renamed: 0 Deleted: 0 Not cleaned: 0 Submitted: 0

     Files not scanned:
     C:\HIBERFIL.SYS
     C:\PAGEFILE.SYS
     C:\WINDOWS\SYSTEM32\CONFIG\SAM
     C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
     C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
     C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
     C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
     C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
     C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
     C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
     C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
     C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
     C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
     C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
     C:\SYSTEM VOLUME INFORMATION\{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{F346384A-7BE6-11E2-A8B5-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{4B29813F-7C71-11E2-A629-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{F346384E-7BE6-11E2-A8B5-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{F3463852-7BE6-11E2-A8B5-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{F3463856-7BE6-11E2-A8B5-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{F346385A-7BE6-11E2-A8B5-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{F346385E-7BE6-11E2-A8B5-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{F3463862-7BE6-11E2-A8B5-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{F3463866-7BE6-11E2-A8B5-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{F346383A-7BE6-11E2-A8B5-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{E015F2AA-7AFF-11E2-92EE-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{F346383E-7BE6-11E2-A8B5-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\SYSTEM VOLUME INFORMATION\{298242C6-7BD1-11E2-91EF-001FD0A183DA}{3808876B-C176-4E48-B7AE-04046E6CC752}
     C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\SCANS\HISTORY\CACHEMANAGER\MPSFC.BIN

     Options
     Scanning engines:
     Scanning options:
     Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR TMP
     Use advanced heuristics

     Copyright © 1998-2009 Product support | Send virus sample to F-Secure
     F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name. This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.
  4. I'm going to get some sleep for now and try again tomorrow. Have a good night!
  5. Hi Gringo, I'm afraid it still wouldn't work. I tried both IE9 (64-bit) and IE9 (32-bit), both as Administrator (right-click), and I tried resetting the settings with that Fix-It tool, but each time it gets stuck at 4% and says "Can not get update. Is proxy configured?" This is with all my security software off. The only thing I can think is that maybe it has something to do with the router? In any case, I could try the F-secure scan. The link is out-of-date, but I can find their online scan again by following two links. It says it requires Java Runtime Environment to be downloaded and installed first before installing the add-on. Should I do that?
  6. Alright, I removed those three startup items (they seem to be for Adobe and the HP Printer, and I don't use either often enough to warrant having them running constantly). I had a problem with the scan, though - I disabled Windows Defender, Windows Firewall, MBAM Website Blocking and MBAM Filesystem Protection first. Then I right-clicked Windows Explorer 9 (64-bit) and ran it as admin. I then came directly to this thread (typed it in), clicked the ESET link, and activated the Online Scanner. Six boxes were there; I unticked Remove Found Threats and ticked the other two advanced boxes like you said. There was one final box for Use Custom Proxy which was unticked so I left it unticked. I allowed it to install the add-on, and then it began to download definitions, but it got to 4% and stopped with an error message saying it was unable to locate file, check proxy. I'm not sure why that was - should I have ticked "Use Custom Proxy"? If so, what custom proxy info should I use?
  7. Hi Gringo, I've finished going through your instructions. Revo Uninstaller was very helpful - I uninstalled the three programs you indicated, and I also uninstalled a few others that I didn't want to have anymore. I was careful to only select the bolded registry items. After that, I updated Adobe Reader from the link you provided, I ran CCleaner as you instructed, and I did the scans with MBAM and HijackThis. The logs are pasted below. -- End of file - 6952 bytes The computer is running normally. Please let me know if there is anything else you would like me to do or check. (Thanks for all your help so far too!!)
  8. Thank you for the reply! I will follow these instructions when I get home this evening. I was thinking of buying Malwarebytes Pro after this is all finished (it's on a 15-day trial right now) just to be safe. One question: Can I uninstall other software I don't want or need using that Revo Uninstaller program? Or should I just uninstall the three programs you said and wait until later to remove other software?
  9. I'm afraid I have to get some sleep before work tomorrow, but if you have any instructions to leave for me, I'll follow them once I get home tomorrow evening. I will turn my computer off for now. Thank you so much for your ongoing help and patience.
  10. Okay, I ran ComboFix again as you directed (disabled the protection software again, dragged the script file into ComboFix). It did not need to restart this time either, so the last time the computer restarted was back with AdwCleaner. Questions: 1) Should I restart the machine anyway before doing anything else? 2) Can I remove this weird pmb.exe file (that was triggering Malwarebytes' IP block, which I pasted above)? I don't know what it is; I think it was part of an old game download but it seems strange and I would rather not have it.
  11. And I just noticed that the start menu appears slightly different now (makes sense, with the name of the virus in this post title, I guess). It's marginally taller, a little less wide, and seems to have more options on the right-hand side. I suppose I hadn't noticed anything unusual, as I'm relatively new to Windows 7.
  12. Oh, also, Malwarebytes' Anti-Malware is reporting some kind of access attempt: Also, there is now a folder called Yaiven on the Desktop that wasn't there before. It appears to open C:\Users\Yaiven. I don't think I created it or clicked on anything by accident. Just to be safe I'm going to unplug my computer from the internet again and watch for any replies from you using my cell phone.
  13. Alright. I disabled Windows Defender real-time protection, Windows Firewall, Malwarebytes' Anti-Malware filesystem protection and website blocking, then unplugged the network cable from my computer for good measure. Combofix took about 15 minutes or so to run. It did not restart the computer at all, it simply went through its 50 stages and then produced a log, which I've pasted below: The computer still seems to be running normally. I've re-enabled the security software mentioned above now that ComboFix is finished.
  14. Alright, I disabled Malwarebytes' real-time protection. There was a small difference in this latest version; the instructions said to uncheck "Enable Protection" and "Start with Windows," but my version does not have "Enable Protection." It has "Website Blocking" and "Filesystem Protection" instead, so I disabled those. (Is that enough?) Also, do I need to disable Windows Firewall as well?
  15. Thank you, Gringo! I really appreciate you taking a look at my problem. I'll try my best to follow the instructions precisely, and I'll make sure to post the logs in plain text below. The computer seems to be running normally. Here are the log files you asked for: Also, I have two questions: 1) There are two user accounts on this computer. Is it necessary to repeat any of this from the other account? (My account has administrator privileges) 2) This computer is also on a small home network. Is there anything I can do to help protect it from other devices using the network (e.g. visitors, etc.)?