itman

Member
  • Content Count: 130
  • Joined
  • Last visited
  • Days Won: 1

itman last won the day on April 14 2014

itman had the most liked content!

Community Reputation: 2 Neutral

About itman
  • Rank: Forum Regular

Profile Information
  • Gender: Not Telling

Recent Profile Visitors: 4489 profile views

  1. Found and removed the malware manually. It is definitely one insidious bugger to say the least. Believe I have found a new and undetectable ransomware. Appears it is targeted at Win 10 and using Smartscreen's Outlook filter to do its dirty work. Explains why impact of it on my PC was minimal. I have MS Office installed but I don't use Outlook for my e-mail client. It must perform some fingerprinting on users w/MS Office installed. On to the gory details. I am attaching the reg. key where the malware was found. Note that the same malware was found in all 3 instances of this key, 3B6C15BE-F9FD-7E15-F865-ABA8E2A09915, in the registry. In any case, Emsisoft needs to beef up its self-protection. I still don't know how this sucker was able to modify EAM and EAM not detect it was tampered with. All statuses for EAM indicated all was normal with the software. Also I noticed that epp.sys is not in the C:\Windows\System32\Drivers directory and is being loaded instead into the kernel global root table i.e. \??\C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys as a file system driver. Since this is EAM's protection platform driver, I question why this driver is not being loaded as a kernel driver. regkey 1.zip
  2. Task Scheduler totally busted. Won't even start up. Can't type into "Search Windows" toolbar box anymore. God knows what else is borked. I am doing a system restore and will never run Farbar crap again.
  3. I ran FRST64 w/admin privileges and got a bit farther this time before it crapped out. Here's the log. Fixlog.txt
  4. Also now have a ton of the following errors in my event log:

     Log Name: Application
     Source: Microsoft-Windows-Security-SPP
     Date: 11/1/2016 5:12:15 PM
     Event ID: 16385
     Task Category: None
     Level: Error
     Keywords: Classic
     User: N/A
     Computer: Don-PC
     Description: Failed to schedule Software Protection service for re-start at 2116-10-08T21:12:15Z. Error Code: 0x80070005.
     Event Xml:
     <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
         <EventID Qualifiers="49152">16385</EventID>
         <Version>0</Version>
         <Level>2</Level>
         <Task>0</Task>
         <Opcode>0</Opcode>
         <Keywords>0x80000000000000</Keywords>
         <TimeCreated SystemTime="2016-11-01T21:12:15.667299100Z" />
         <EventRecordID>17945</EventRecordID>
         <Correlation />
         <Execution ProcessID="0" ThreadID="0" />
         <Channel>Application</Channel>
         <Computer>Don-PC</Computer>
         <Security />
       </System>
       <EventData>
         <Data>0x80070005</Data>
         <Data>2116-10-08T21:12:15Z</Data>
       </EventData>
     </Event>
  5. FRST64 keeps aborting in the middle of the fix scan. Shut down EMET, disabled all of ESET except the firewall, and disabled all of EAM whose behavior blocker was going nuts. I am now pee-ood since Win 10 set IE11 search provider to Bing due to "corruption" and I can't reset to Google via "Manage Add-Ons." -EDIT- Was able to add Google search add-on from IE site. After I start up IE 11 again, it tells me it's corrupted and do I want to use Bing instead. Is this bogus MS crap? Also noticed this:

     Task: {2131F82C-E0F0-4197-8BC1-C4D4E7D87DF4} - System32\Tasks\Delete URL Temp Files => C:\Don's Scripts\DelURLtm.bat [2016-10-23] () <==== ATTENTION

     I created that script and scheduled task, so that has to go. Attaching FRST log that was created.

     Source: Farbar Recovery Scan Tool
     Summary: Stopped working
     Date: 11/1/2016 5:13 PM
     Status: Report sent
     Description
     Faulting Application Path: C:\Users\Don\Desktop\FRST64.exe
     Problem signature
     Problem Event Name: APPCRASH
     Application Name: FRST64.exe
     Application Version: 30.10.2016.0
     Application Timestamp: 5816796d
     Fault Module Name: FRST64.exe
     Fault Module Version: 30.10.2016.0
     Fault Module Timestamp: 5816796d
     Exception Code: c0000005
     Exception Offset: 0000000000026750
     OS Version: 10.0.14393.2.0.0.768.101
     Locale ID: 1033
     Additional Information 1: 583f
     Additional Information 2: 583f9137d21dbec0cc050a1251a854c0
     Additional Information 3: f51b
     Additional Information 4: f51b9752c0ea9b7d47b4c7685a851fe0
     Extra information about the problem
     Bucket ID: 49bfca93be65de04f257b1f6bb657008 (120609072980)

     Fixlog.txt
  6. Here's the Farbar reports. FRST.txt Addition.txt
  7. Thanks. Found it and set to no re-scan. Will report back on if this fixed the problem.
  8. Quarantine folder is empty. I believe the issue is a temp folder is being created every time I boot regardless of whether an actual sig. update occurred. It appears it is these folders that are not being auto deleted by EAM. Also might be a bug in the Quarantine scanning where it creates the folder regardless of whether there are any existing items. I will attempt to set re-scan to manual as you suggest. -EDIT- No option to set re-scan to manual. Might only be present if quarantine items exist?
  9. I tried both. Neither would run on my Win 10 x64 1607 build. Believe the issue is Smartscreen. I checked my reliability history and Smartscreen appears to have crashed every time I run Farbar. It did complain about both vers. when I tried to download them.
  10. FRST64.exe appears not to work for Win 10. Won't start up. I tried Win 8 compatibility mode and still a no-go.
  11. A bit more information on this incident. Appears this infected.txt file dates back to the last time I manually installed EAM which was on 8/26. Best theory I have is it arrived in the EAM installer. Don't know how that is possible since I always download EAM from the Emsisoft web site. At least that gets EAM's self-protection off the hook. Downright scary. In any case, EAM is reinstalled and no "infected.txt" is present in the EAM program directory.
  12. They are created when a virus sig. update occurs. However, today only one was created after the PC's initial boot.
  13. Thanks, that is what I needed to know. The question is how did it get around EAM's self-protection? To play it safe, I am going to uninstall EAM using Revo Uninstaller Pro and re-install.
  14. Stapp, I just want to know if that file is used by EAM. Really can't see how it is. My PC is clean.
  15. Found a file named infected.txt in my Emsisoft Anti-Malware program folder. It scanned clean at VirusTotal. Was created on 8/26 and updated this afternoon. If this is not a valid EAM file, I want to get rid of it. infected.zip