
BlackSun

Member
  • Posts

    67
  • Joined

  • Last visited

  • Days Won

    1

BlackSun last won the day on December 27 2014

BlackSun had the most liked content!

Reputation

1 Neutral

About BlackSun

  • Birthday 10/23/1990

Profile Information

  • Gender
    Male
  • Location
    Germany
  • Interests
    Programmer

Recent Profile Visitors

4661 profile views
  1. Sweet, thanks very much! Are you going to add the entire domain of the fake website from my original post to be blocked, too? Doing so would prevent any further variants of the same scheme from ever taking root. It is very clever and insidious, "hijacking" search engine results like that, as anyone not knowing better and just looking for files for whatever the <most recent version> of the game is, is bound to be directed to this fake website instead of the real one. Having that blocked right there would be a big win.
  2. Alright, here we go, fired it up - log's attached. And about those samples, where can I provide those, is it still needed? I just had Emsi flag the samples when I let it scan them. That's a file hash detection, correct? Fixlog.txt
  3. Ah, thanks! My system's got an uptime of 9 days, currently. Did that possibly get added when installing the update to my Java Minecraft install 3 days ago, and would that be removed / cleaned up by doing a reboot on its own, which we may interfere with? If not, I'll just fire this line off if it has no business being there. ... ah hell, I may just do that anyways. =D As for the samples - as my placeholder post above states, I was unable to upload them. How do I do that, for your team to have a crack at it (and possibly add the domain it came from to webguard blacklists)?
  4. Thanks for the reply! Glad to hear that, calms my nerves. Before I continue doing that, some questions: As for the CMD starting on root C:\, that's my doing. I prefer having CMD start at good old fashioned C:\ root when I open it. Does that mean that, if I want to keep it working that way, I can leave the 1st line out? What is the other line? Something Java, I assume - what exactly does that do? Just curious before I execute anything. =D I know that pcalua.exe is the compatibility assistant, and last session, my Minecraft (Java-Edition) crashed for some reason a few minutes in, and had - according to my System event logs - some compatibility settings applied to it. Is that related, possibly?
  5. [Placeholder post] I am trying to upload a ZIP / 7z / RAR of 1) samples of the suspected malware 2) content of my TEMP that I preserved after the possible infection, and 3) Event Viewer log file from the relevant timespan. It's 4MB in size total. Yet it always gives me this error: "Sorry, an unknown server error occurred when uploading this file. (Error code: -200)" How do I upload these to attach them to the topic?
  6. Hello, one thing in advance - I cannot, for the life of me, find anything suspicious on my system outside of (manually guessed) traces. No scanners come up with any detections, so I'm guessing some context may be needed. Here goes...

I've recently fallen for an imposter website when downloading a setup. Decided to return to playing some Minecraft after like 3 years, updated the game, wanted to update a respected mod for it, remembered it had an installer (unusual for Minecraft mods), and looked it up accordingly:

Search term: "Minecraft Forge 1.17.1"
First result - website looked legit, downloaded and ran the installer. Simple as that - mistakes were made.

FAKE website: minecraftforged.com - provides setup "MinecraftForge-1.17_33152.msi"
REAL website: minecraftforge.net - provides FORGE setups in .jar format, not .msi!

Fake vs real website - it fooled me

As it turns out, Forge 1.17 doesn't even exist yet; it always lags behind a bit, so when searching for this version explicitly, the first result was the fake website. I ran the installer because at that time, I didn't suspect anything was wrong. It appeared to crash - midway through the bar somewhere, so I even ran it 4 times in a row, as it turns out. Only when trying to troubleshoot the "MSI" type installer for Forge "crashing on install" did I figure out that, oh wait a minute, there ARE no MSI installers for Forge, and that's when it finally hit me.

No scans picked up on it. My Emsisoft install gave it the green light. VirusTotal had only 1 detection for it:
MinecraftForge-1.17_33152.msi
https://www.virustotal.com/gui/file/54b38316af894a3b21c3eca7285e031b276b31019450c9f18f2fcc056ae2ba15/detection

Nothing alarming usually - then again, the file looks to be very new, and there's a multitude of things tipping me off:
1) The lengths gone to in professionally faking the FORGE download website, with minimal adverts
2) The same installer being known as "Spotify_42042.msi" already, so just a renamed file, and on top of that...
3) The setup, when running, claiming to install "BrightestLightSetup" (neither Forge, nor Spotify anything!)
4) The setup crashing, yet no errors being displayed anywhere, nor anything showing up in installed programs
5) The setup gets randomly generated version numbers at the end with each download, I think?

On further inspection, the file appears to be a dropper, unpacking this 2nd file (its actual payload perhaps?), also greenlit by Emsisoft:
%LOCALAPPDATA%\BrightestLightSetup\BrightestLightSetup.exe
https://www.virustotal.com/gui/file/15add46219ad5d7f32f93c886804cbf7fbb50653671008bb17f62ec1c845cfb7/detection

My first gut reaction was to move the contents of TEMP out of temp to a different location, so as to 1) prevent anything from using it, even if far too late, and 2) preserve it. There are 4 folders matching the timestamps of my 4 attempts at running the installer, each of them sporting the exact same files in them:
_setup64.tmp
https://www.virustotal.com/gui/file/388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95/detection
BrightestLight.dll
https://www.virustotal.com/gui/file/ff2455f13f2a2c0bef90ba45f92d736b3833269d609d88f35d2469b0dd0bb012/detection

This is where I got a second opinion, using the ESET online scanner ( https://www.eset.com/int/home/online-scanner/ ), which also didn't find anything related - so nothing came of it, sadly. 2 highly reputable scanners, not picking up on a highly suspect file that I ran multiple times, on my legacy system. I know the installers had ample time to do whatever, and I suspect it's just undetected as of now.

I also ran it by Hybrid Analysis, an analysis environment, and these are the results of what it did, but I'm not educated enough to make much sense of it myself:
https://www.hybrid-analysis.com/sample/54b38316af894a3b21c3eca7285e031b276b31019450c9f18f2fcc056ae2ba15/60e71308af4dd7311c4fa4e0

I've got installed:
- Emsisoft Anti-Malware
- GlassWire firewall (manages Windows firewall & tracks network usage)
- Sandboxie (didn't use it when trying to install Forge though, because why would I have...)

Any further details should be included in the log files, I think. Couldn't use EEK, as I have Emsisoft already installed; attaching a log of that instead. I didn't restart my machine yet, as I am suspecting Windows files to be replaced on reboot - as long as my machine keeps running they may still be the original, system-locked files and the malware may be unable to finish installing itself? Just a hunch though...

FRST.txt Addition.txt scan_210708-210740.txt
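An added example, not from the post above and not Emsisoft's code: a small Python sweep that hashes every file under a preserved directory (such as the TEMP copy the poster moved aside) and reports any file whose SHA-256 matches one of the hashes the post links on VirusTotal, plus weaker name-only hits for the file names the post mentions. The directory contents in the demo are constructed so it runs offline; the real samples are not included, and one extra hash is computed from constructed bytes purely to show what a hash match looks like.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values taken from the VirusTotal links in the post above, keyed to
# the file name the post gives for each. These are the only non-constructed
# data in this example.
IOC_HASHES = {
    "54b38316af894a3b21c3eca7285e031b276b31019450c9f18f2fcc056ae2ba15": "MinecraftForge-1.17_33152.msi",
    "15add46219ad5d7f32f93c886804cbf7fbb50653671008bb17f62ec1c845cfb7": "BrightestLightSetup.exe",
    "388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95": "_setup64.tmp",
    "ff2455f13f2a2c0bef90ba45f92d736b3833269d609d88f35d2469b0dd0bb012": "BrightestLight.dll",
}

# File names the post reports. A name alone is weak evidence: the post notes
# the same payload also circulated as "Spotify_42042.msi", and a re-packed
# download would carry a different hash under the same name.
IOC_NAMES = {"BrightestLightSetup.exe", "BrightestLight.dll", "_setup64.tmp"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, hashes=IOC_HASHES, names=IOC_NAMES):
    """Walk root and return (path, reason) pairs.

    A hash match is reported as such; a file that only shares an IOC name is
    reported separately so the analyst knows its hash still has to be checked.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                # Locked or unreadable (e.g. still held open by an installer):
                # record it rather than silently skipping it.
                findings.append((str(path), "unreadable: hash manually"))
                continue
            if digest in hashes:
                findings.append((str(path), f"hash match: {hashes[digest]}"))
            elif name in names:
                findings.append((str(path), "name match only: hash not in IOC list"))
    return findings


def build_demo_tree():
    """Constructed stand-in for the preserved TEMP copy; none of this is the real sample."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    setup_dir = root / "is-DEMO1.tmp"
    setup_dir.mkdir()
    # Same name as an IOC but constructed bytes: yields a name-only finding.
    (setup_dir / "BrightestLight.dll").write_bytes(b"constructed placeholder, not the real DLL")
    # Unrelated file: no finding expected.
    (root / "notes.txt").write_bytes(b"nothing suspicious here")
    # Constructed 'sample' whose hash the demo registers as a known-bad IOC.
    sample = root / "payload.bin"
    sample.write_bytes(b"constructed payload bytes for the demo")
    return root, sha256_file(sample)


def demo():
    """Run the sweep over the constructed tree with one extra, constructed IOC hash."""
    root, sample_hash = build_demo_tree()
    hashes = dict(IOC_HASHES)
    hashes[sample_hash] = "constructed demo payload"
    return sorted(sweep(root, hashes, IOC_NAMES))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:45} {path}")
```

Point the sweep at the preserved TEMP copy rather than the live %TEMP%, so nothing is modified while you look. A hash match confirms an exact copy of a sample already on VirusTotal; an empty result is not a clean bill, because the post itself suspects each download carries a different trailing number, and any repacked build will hash differently. Name-only hits are the leads to submit for analysis.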
  7. And this, technically, is wrong. As long as Anti-Malware detects something as being harmful / unwanted and even quarantines it, despite it not containing anything actually harmful... what's that called? Right - a false positive. The point of any Anti-Malware software is to find harmful objects, whatever they are, wherever they are, and prevent them from successfully causing harm to the system and user. Arguing that it "technically isn't a false positive" because the program was deliberately instructed to treat a harmless folder name string as a harmful entity in itself amounts to a false positive caused by a flaw in design.

Harmful software could be anywhere - and anywhere could also contain not-harmful software. Anti-Malware should, regardless of folder name and path, keep all my folders safe. As such, I expect both "C:\Windows\", as well as "C:\Program Files (x86)\Browsers\" and any other folder on my system, to be protected. Period. That's what I pay for. Having to disable said paid-for protection of big folders, because of this serious flaw in design, is not inspiring much confidence in the quality of your product. In fact, behavior like this has SNAKE OIL stamped right on the tin in huge, red letters. And I hope it's not becoming representative of other parts of the package, too.

Finding a "suspicious path" may, maybe, warrant executing a quick scan of the folder, to check for any harmful contents. But ham-fistedly labelling the whole thing as harmful and quarantining it is just alarmingly bad. Especially when restoring from quarantine afterwards fails. Thank god for my backups.

Go ahead, create a "Browsers" folder in Program Files, and copy your Firefox, Chrome, Edge, and whatever other browsers you use, in there. Then, execute a manual scan of the Program Files directory. I want all my folders to be treated with equal protection, regardless of their respective names. Period. And this is a false positive by design? Okay, so, fix the design, then. Thank you.

Kind regards, Paying customer No 543972 (or something like that)
  8. ... and I can't even submit a false positive report, because it then states it can't find the file. Yeah, because there is no file to begin with...! Some people may like to put all their installed browsers into a subfolder "Browser" within Program Files to keep on top of things. If it's literally just detecting the path itself, "C:\Program Files (x86)\Browser\", then yes, I created that to install my browsers into.

Scan start: 3/5/2020 5:19:20 PM
C:\Program Files (x86)\browser detected: Adware.Win32.XBrowse (A) [223312]

... adding that to exclusions will prevent Emsisoft from ever again scanning or reacting to anything happening from within that path, does it not? As such, I'd like to add detection of the path to exclusions, not all content within that path!
  9. Had the same issue just now. I restarted Win7 x64 because the mouse was acting up. Restart fixed that, but renewal box popped up. I closed it, Emsi quit. Started it again, same thing, despite it stating that it had close to 300 days left. Closing the renewal window still made Emsi quit despite showing 290+ days of license left. The process of logging into my Win7 acc took a weirdly long amount of time, too, right before (right as?) Emsi acted up. Restarting once more solved both issues. We also have the cloudflare routing outage going on currently, so I'mma guess it was related to that, somehow. Everything's fine now, including login time.
  10. SLUI 3 is the Windows activation tool; it can be launched directly. SLUI 1 shows whether activation was successful, just to name those two. I haven't run SFC yet, because in the past I once lost a system [a family member's] to it. I know that sounds strange, but the system had been showing slightly unstable behaviour, I ran SFC, repairs were reported, and afterwards the system wouldn't boot at all anymore. A complete reinstall was due; since that case I've also been making backups of private systems. It still left a bit of a mark on me that SFC can apparently also "repair things to death". In any case, an SFC VerifyOnly only gives this information about what needs repair:

C:\Windows\System32"\[l:24{12}]"imageres.dll
[l:24{12}]"SaImgFlt.dll" of wiasa002.inf ref by [l:184{92}]"Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.INF_wiasa002"
C:\Program Files (x86)\Internet Explorer"\[l:34{17}]"ie9props.propdesc"
C:\Program Files (x86)\Common Files\Services"\[l:24{12}]"verisign.bmp"

Imageres? The icons actually work flawlessly. ie9props, that has something to do with the Windows Search function, I think. verisign is just a BMP file, and the "Services" folder it belongs in doesn't even exist, by the looks of it. SaImgFlt, well, I couldn't find anything on that; Driver Package - the other items don't give me pause, but that one could be something. Given these results I'll just let SFC repair after all. But, EAM? You think so? Hm. Well, it can simply be tried as the next step. Might at least solve the thing with the event log messages.

*Attachment: Huh.
Cannot repair member file [l:24{12}]"SaImgFlt.dll" of wiasa002.inf, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, file is missing
I'll reboot and make another log; let's see what's changed.

*Update: "SaImgFlt.dll of wiasa002.inf" is still not repairable, whatever that may be; the rest is fixed - and the problem with the message persists. Despite "renewed", successful activation of the key. So all that's left now is to remove the two updates, or to do a complete system restore from last month's backup. What a circus this is... aren't there logs or something from the validity check somewhere that one could look at? To trace what the actual problem is, instead of poking around blindly in the dark with a stick? Windows usually logs everything somewhere, after all.
  11. Captain's log, addendum: Again. The first time in... 11 days. This time I simply re-entered the key using SLUI 3, but by the time the window appeared the notice had already gone again. Nevertheless, afterwards I got Is that displayed when an already active version tries to activate the same key again? Or would one otherwise be told that the key and / or this Windows installation are already active? If the BS doesn't stop, I'll kick the updates again. Can't really be right somehow...
  12. So far the message hasn't reappeared. As soon as it does, I'll try that. Although I haven't really changed anything significant since the last occurrence. However, I did find a message in the Event Viewer: it started on 24.06.2017 - since then, every day, 2 to 19 repetitions of the same message, up to today. From 06.01. to 09.01.2016 the same message is in there too, only with a2service.exe instead. After that it stopped (update?). It's filed under warnings and happens silently in the background. Is it supposed to be like that?
  13. Just appeared again. I opened System Properties again, and the notice stayed - until I scrolled down in the properties and "Windows is activated" came into view. Only then did the message on the desktop disappear, at exactly the same moment. What on earth is going on there...? My system has definitely never done that until the day before yesterday! I value a clean desktop; something like that doesn't escape me. I'm inclined to remove the two installed updates again... unless the thing could be due to stopped services...?
  14. Hello! I just noticed an extremely strange message on my desktop: This system is now about 8 years old, and a laptop - so no hardware changes [except SSD & RAM 6 years ago]. After this notice I looked straight into my System Properties: Huh? Huh. When I minimized this window again, the message on the desktop had disappeared again as well. If I hadn't taken a screenshot of it, I'd really be doubting myself now. I've never come across anything like this in all my years in IT... The only recent "changes" to my system would be that I (re)activated the services for SMB network shares and installed the two associated security updates against WannaCry and BadTunnel [KB4012212, KB3161949]. As for updates in general, I've become very selective since MS wove the Win10 telemetry into their "updates" for Win7. Services I don't need are mostly disabled / manual, primarily for security reasons. Did I perhaps accidentally disable something that should be running? I've just kicked off a scan with Emsisoft; it's running right now. After that I'll reboot and hope that the message doesn't reappear and my desktop doesn't turn black, as happens with unlicensed versions at startup. Still - how does something like this happen...? Are similar cases known? Which services should I perhaps check?
  15. Thanks for the answer! So, apps are being checked by checksums against an up-to-date cloud-side DB to check for any known bad apples. While surfing, not just domain names but complete URLs are being checked against a cloud-side DB. All of this EMS traffic is utilizing secure HTTPS, and not a bit of data is being logged and collected by you guys. That's what I'm getting from this - is that correct so far? Now, while all the cool features in cars are definitely a nice thing, in some cases they have led to reckless driving and underestimation of dangerous situations. That's, of course, up to each individual driver, but what do companies expect if they advertise the "accident-proof car"? That's why I'd rather have the, or at least some, specifics of how things work, what they can and especially what they cannot do - both with cars and with software. Because what the software cannot do is any real-time monitoring of what an app is doing while it is running. That app won't be able to break free from its sandbox either, though, so that's in Android's hands. From what I've gathered though, it is possible for an app to check on in- and outgoing traffic from other apps (and possibly the system)? So, there are no apps out there that, say, simply don't "support" having their traffic looked into by such "other apps" like EMS, for example? As a customer, I really appreciate companies explaining in detail what their products can do, and why I would want to have that magic working for me. With blanket statements, however, I get really suspicious and sometimes can't resist digging some more. Just a little piece of feedback; maybe I just didn't see the features of EMS advertised clearly enough somewhere.