Greenknight

Honorary Members
Posts: 22
Reputation: 0 Neutral
About Greenknight

  • Birthday 03/20/1956

Profile Information

  • Location
    In the shadow of Mt. St. Helens
  • Interests
    Saving the world
  1. Working fine, no more problems. No unusual resource usage (monitored with Process Explorer). FRST logs attached. FRST.txt Addition.txt
  2. I take it back, there was something new: "D:\Downloads\firefox-patch.js" and "D:\Downloads\firefox-update.js". Fake Firefox updates, as described here - https://support.mozilla.org/en-US/kb/i-found-fake-firefox-update Can't believe I bit on that, but it appeared to be coming through the browser update UI - I'd get a legitimate update prompt, click on it, and a popup appeared as shown in the link. I downloaded from it, and it didn't seem to do anything. The popup closed then, and I could get the real update. This was in Nightly test builds, after the update to v. 57. I thought they might be testing a new update system. I intended to look into it, but I got distracted by real world stuff. I guess the real reason I got that was the new extension system, which disabled NoScript. I was on the Yahoo home page when it happened; there must have been infected ads there. I need to report this to Mozilla; it looks like a new wrinkle in this malware. I wasn't too worried about that stuff, my file system is pretty well locked down - but I hadn't heard about fileless malware. Now I'm spooked.
  3. Started the ESET scanner per instructions and went to bed - I left the external HDD with the backups connected, so it was sure to take a while. When I got up I saw there were detections, but nothing new, nothing active - outdated downloads and backups. Need to do some housecleaning, clearly. Anyway, here's the log:
  4. Thank you for your response (that was fast!). I always back up my data, backups are on an external HD. The system partition is imaged by Macrium Reflect, I can boot into a Win PE and go back up to 6 months. In case that fails, user files are backed up by 2 other programs. Fresh scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/19/17 Scan Time: 11:04 PM Log File: Administrator: Yes -Software Information- Version: 3.1.2.1733 Components Version: 1.0.160 Update Package Version: 1.0.2622 License: Free -System Information- OS: Windows 10 (Build 15063.540) CPU: x64 File System: NTFS User: BLACKY\Spence -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 704266 Threats Detected: 0 (No malicious items detected) Threats Quarantined: 0 (No malicious items detected) Time Elapsed: 9 min, 43 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Disabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) (end)
  5. Malwarebytes Free wouldn't open when I was trying to run routine scans in Win 10 a few days ago, just the tray app would. Came here for help, but download link for FRST crashed any browser I tried. Link from MajorGeeks did the same, attempt to visit BleepingComputer also caused crash. Downloaded FRST with laptop, but it crashed on opening. Convinced there was an infection, tried ESET online scan, found nothing. Booted into safe mode and ran Malwarebytes, found and quarantined fileless malware in the registry (log attached). Everything works now, and I've deleted restore points and recent disk images. I'd like to verify that the system is really clean before I do anything that might expose sensitive information. I got a fresh download of FRST and ran a scan (logs attached), I'd appreciate it if someone could check them over. Any other free tools you could recommend (my financial resources are very limited, on a fixed income) I would also be grateful for. FRST.txt Addition.txt MBAM results.txt
  6. Turned out not to be anything to do with MBAM; it was the Avast problem discussed here: http://forum.avast.c...p?topic=94171.0 It occurred randomly, just coincidence that the first time was after updating MBAM. It kept getting worse/more frequent, and I couldn't figure it out. Got so bad I restored a disk image from months earlier, which fixed it - until I updated Avast. That pinned it down. I've switched to Avira, and everything's fine now.
  7. OK, here they are: OTL.Txt, Extras.Txt. Thanks for the nice welcome, though I joined this forum in '05. Hope you can get to the bottom of this.
  8. I reinstalled MBAM, and it's now ok, but I thought I should report this issue anyway - this was seriously messed up. The update seemed to be going normally until I clicked restart, after the restart nothing but my wallpaper appeared - no icons, taskbar, or start button. Ctrl+Alt+Del brought up the Task Manager, but shutdown didn't work. Nothing worked, had to punch the power button. Restarted, still the same; restarted again and logged in as a different user, no difference. Booted into Safe Mode, everything was normal; rebooted again to normal mode, still broken. Back to Safe Mode, ran System Restore, then everything worked except MBAM - just got a message the database was missing or corrupted, did I want to download it? Elected instead to uninstall and reinstall from a fresh download. Works fine now. Running MBAM Free on Win XP SP3, Windows Firewall. I haven't added any autoruns since MBAM last updated. The Task Manager didn't show any unusual activity; RAM use was low and CPU use 0. Nothing helpful in the Event Viewer, either. I have no clue what brought this on. I'd be happy to provide any other info that might help.
  9. I also thought it was pretty self-evident - except for the 9 at the beginning. Glad to hear that's just a temporary expedient. Looking forward to v. 1.60.
  10. I should have pointed out, you need to restore EAL.EXE from quarantine - I suspect it's needed in order to use your printer.
  11. @nosirrah - Confirm fixed. You're welcome, Bruce; happy to help. @control_tps - The last log you posted showed the file had been quarantined and deleted. Hard to make a zipped copy after it's deleted! Uncheck the file in the results window so you don't accidentally do that. To get a detected file, all I do is right-click on the detected item in the results and select "Go to location" (I think that's the wording). I make a zipped copy with 7-zip (use whatever you've got) and move the .zip file to My Documents, where I can find it quicker. Then I attach it to my post here.
  12. I have the same FP. File attached: EAL.zip
  13. Fast scan detected C:\Windows\WinIo.sys as Rootkit.agent. File properties show no modification since it was created 5 years ago. Submitted to VirusTotal, no detections. Developer mode scan log attached: mbam_log_2009_10_24__02_32_57_.txt