itman

Everything posted by itman

  1. Found and removed the malware manually. It is definitely one insidious bugger to say the least. Believe I have found a new and undetectable ransomware. Appears it is targeted at Win 10 and using Smartscreen's Outlook filter to do its dirty work. Explains why impact of it on my PC was minimal. I have MS Office installed but I don't use Outlook for my e-mail client. It must perform some fingerprinting on users w/MS Office installed. On to the gory details. I am attaching the reg. key where the malware was found. Note that same malware was found in all 3 instances of this key, 3B6C15BE-F9FD-7E15-F865-ABA8E2A09915, in the registry. In any case, Emsisoft needs to beef up its self-protection. I still don't know how this sucker was able to modify EAM and EAM not detect it was tampered with. All statuses for EAM indicated all was normal with the software. Also I noticed that epp.sys is not in C:\Windows\System32\Drivers directory and is being loaded instead into the kernel global root table i.e. \??\C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys as a file system driver. Since this is EAM's protection platform driver, I question why this driver is not being loaded as a kernel driver. regkey 1.zip
  2. Task Scheduler totally busted. Won't even start up. Can't type into "Search Windows" toolbar box anymore. God knows what else is borked. I am doing a system restore and will never run Farbar crap again.
  3. I ran FRST64 w/admin privileges and got a bit farther this time before it crapped out. Here's the log. Fixlog.txt
  4. Also now have a ton of the following errors in my event log:
     Log Name: Application
     Source: Microsoft-Windows-Security-SPP
     Date: 11/1/2016 5:12:15 PM
     Event ID: 16385
     Task Category: None
     Level: Error
     Keywords: Classic
     User: N/A
     Computer: Don-PC
     Description: Failed to schedule Software Protection service for re-start at 2116-10-08T21:12:15Z. Error Code: 0x80070005.
     Event Xml:
     <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
         <EventID Qualifiers="49152">16385</EventID>
         <Version>0</Version>
         <Level>2</Level>
         <Task>0</Task>
         <Opcode>0</Opcode>
         <Keywords>0x80000000000000</Keywords>
         <TimeCreated SystemTime="2016-11-01T21:12:15.667299100Z" />
         <EventRecordID>17945</EventRecordID>
         <Correlation />
         <Execution ProcessID="0" ThreadID="0" />
         <Channel>Application</Channel>
         <Computer>Don-PC</Computer>
         <Security />
       </System>
       <EventData>
         <Data>0x80070005</Data>
         <Data>2116-10-08T21:12:15Z</Data>
       </EventData>
     </Event>
  5. FRST64 keeps aborting in the middle of the fix scan. Shut down EMET, disabled all of ESET except the firewall, and disabled all of EAM whose behavior blocker was going nuts. I am now pee-ood since Win 10 set IE11 search provider to Bing due to "corruption" and I can't reset to Google via "Manage Add-Ons." -EDIT- Was able to add Google search add-on from IE site. After I start up IE 11 again, it tells me it's corrupted and do I want to use Bing instead. Is this bogus MS crap? Also noticed this:
     Task: {2131F82C-E0F0-4197-8BC1-C4D4E7D87DF4} - System32\Tasks\Delete URL Temp Files => C:\Don's Scripts\DelURLtm.bat [2016-10-23] () <==== ATTENTION
     I created that script and scheduled task, so that has to go. Attaching FRST log that was created.
     Source Farbar Recovery Scan Tool
     Summary Stopped working
     Date 11/1/2016 5:13 PM
     Status Report sent
     Description
     Faulting Application Path: C:\Users\Don\Desktop\FRST64.exe
     Problem signature
     Problem Event Name: APPCRASH
     Application Name: FRST64.exe
     Application Version: 30.10.2016.0
     Application Timestamp: 5816796d
     Fault Module Name: FRST64.exe
     Fault Module Version: 30.10.2016.0
     Fault Module Timestamp: 5816796d
     Exception Code: c0000005
     Exception Offset: 0000000000026750
     OS Version: 10.0.14393.2.0.0.768.101
     Locale ID: 1033
     Additional Information 1: 583f
     Additional Information 2: 583f9137d21dbec0cc050a1251a854c0
     Additional Information 3: f51b
     Additional Information 4: f51b9752c0ea9b7d47b4c7685a851fe0
     Extra information about the problem
     Bucket ID: 49bfca93be65de04f257b1f6bb657008 (120609072980)
     Fixlog.txt
  6. Here's the Farbar reports. FRST.txt Addition.txt
  7. Thanks. Found it and set to no re-scan. Will report back on if this fixed the problem.
  8. Quarantine folder is empty. I believe the issue is a temp folder is being created every time I boot regardless of whether an actual sig. update occurred. It appears it is these folders that are not being auto deleted by EAM. Also might be a bug in the Quarantine scanning where it creates the folder regardless of whether there are any existing items. I will attempt to set re-scan to manual as you suggest. -EDIT- No option to set re-scan to manual. Might only be present if quarantine items exist?
  9. I tried both. Neither would run on my Win 10 x64 1607 build. Believe the issue is Smartscreen. I checked my reliability history and Smartscreen appears to have crashed every time I run Farbar. It did complain about both vers. when I tried to download them.
  10. FRST64.exe appears not to work for Win 10. Won't start up. I tried Win 8 compatibility mode and still a no-go.
  11. A bit more information on this incident. Appears this infected.txt file dates back to the last time I manually installed EAM which was on 8/26. Best theory I have is it arrived in the EAM installer. Don't know how that is possible since I always download EAM from the Emsisoft web site. At least that gets EAM's self-protection off the hook. Downright scary. In any case, EAM is reinstalled and no "infected.txt" is present in the EAM program directory.
  12. They are created when a virus sig. update occurs. However, today only one was created after the PC's initial boot.
  13. Thanks, that is what I needed to know. The question is how did it get around EAM's self-protection? To play it safe, I am going to uninstall EAM using Revo Uninstaller Pro and re-install.
  14. Stapp, I just want to know if that file is used by EAM. Really can't see how it is. My PC is clean.
  15. Found a file named infected.txt in my Emsisoft Antimalware program folder. It scanned clean at VirusTotal. Was created on 8/26 and updated this afternoon. If this is not a valid EAM file, I want to get rid of it. infected.zip
  16. No. See the files I circled in the below screen shot.
  17. As the title notes, ver. 12 is not deleting its temp folders in the %LocalAppData%\Temp directory. This appears to happen with every new release.
  18. Using your suggestion, I created an alert rule in Surf Protection for the above mentioned web site. Unfortunately, no alert when accessing the web site, which confirms my suspicion that Surf Protection is not functional in an AppContainer instance of IE11. I will also conclude that neither is the behavior blocker functional. This is not a big deal for me since I also use Eset which does work in an AppContainer instance of IE11. I additionally use EMET which does inject its hook into an AppContainer instance of IE11. Hopefully, Emsisoft will fix this in the near future.
  19. I recently upgraded to Win 10. One of the first things I did afterwards was to enable advanced EPM protection in IE11 x64 to take advantage of the AppContainer protection. Using Process Explorer, I noticed that EAM's behavior blocker hook is not injected into the AppContainer instance of IE11. Thinking this might be an AppContainer permissions issue similar to what I encounter with Eset, which I also use, I uninstalled EAM and reinstalled. Still no hook injection into the AppContainer instance of IE11. Due to the lack of EAM's hook, I am concluding that the behavior blocker is non-functional in the AppContainer instance of IE11. As such, I have no behavior blocker protection. Is this a correct assumption? Also why is the hook not being injected? Also another related question. Since upgrading to Win 10, I am getting virtually no alerts from EAM's Surf Protection. I went to a site I use, www.jrcigars.com, for which I used to receive numerous privacy alerts in Win 7 and now receive nothing. I can't believe that Win 10's Smart Screen filter has improved that much. Or more likely, Surf Protection also does not function within an AppContainer instance of IE11.
  20. It is a "mixed bag." Some see the injection on clean installs, some don't. Ditto for later ver. clean installs and updates from. BTW - the .clb file is injected into EAM's service and GUI. Ditto for Eset ones. Interestingly, it is not injected into EMET's service or GUI.
  21. Been discussing this over at wilderssecurity.com and it appears it is Win 10 build related. I upgraded to Win 10 from Win 7 using an initial release build 10240 ISO. People on later Win 10 builds are not seeing the same injection occurring. BTW - string display from Process Explorer indicates it's COM+ utilities. Might be being used by RuntimeBroker.exe?
  22. I just upgraded to Win 10 from Win 7. I am puzzled by the file shown in the below screen shot, R00000000000d.clb, that is being injected into every running process. Only info I can glean from the web is it's a necessary file. It certainly didn't exist in Win 7. Appears that when a process starts up in Win 10, svchost.exe is doing the injection but I can't determine what service is being used. Is this something to do with Win 10 telemetry?
  23. My past experience w/whitelisting via the AV option is that it is buggy. Make sure a rule is set up in the behavior blocker for hwinfo64.exe and "all allowed" is selected for monitoring activity. That should do the trick.
  24. I am attaching the dump files from the reliability monitor analysis, minus the full dump file since it is too large. There is also something very odd. Yesterday when I examined .dll usage by a2service.exe, I noticed an unsigned OpenSSL .dll loaded. Below is extracted from one of the reliability monitor dump files. Today, I do not see that .dll loaded by a2service.exe. Why is an OpenSSL file that appears to date to 2005 and is unsigned being loaded into a2service.exe?
     MATCHING_FILE NAME="ssleay32.dll" SIZE="411648" CHECKSUM="0xFEF6E8D6" BIN_FILE_VERSION="1.0.2.4" BIN_PRODUCT_VERSION="1.0.2.4" PRODUCT_VERSION="1.0.2d" FILE_DESCRIPTION="OpenSSL Shared Library" COMPANY_NAME="The OpenSSL Project, http://www.openssl.org/" PRODUCT_NAME="The OpenSSL Toolkit" FILE_VERSION="1.0.2d" ORIGINAL_FILENAME="ssleay32.dll" INTERNAL_NAME="ssleay32" LEGAL_COPYRIGHT="Copyright © 1998-2005 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved." VERDATEHI="0x0" VERDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x6CD31" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.0.2.4" UPTO_BIN_PRODUCT_VERSION="1.0.2.4" LINK_DATE="07/10/2015 09:07:54" UPTO_LINK_DATE="07/10/2015 09:07:54" EXPORT_NAME="SSLEAY32.dll" VER_LANGUAGE="English (United States) [0x409]" EXE_WRAPPER="0x0"
     WERFCC5.tmp.zip
     -EDIT- Will also add that there is a specific ver. of ssleay32.dll written for the AMD64 processor, which is what I use.
  25. I happened to be reviewing my reliability history in Win 7 and noticed that a2service.exe is not terminating properly at system shutdown time. This started on July 8 and has continued since that time. Also explains the delay I have been noticing at shutdown time. Also appears that this might be affecting other things since I had issues this morning at boot time with some apps working properly; IE11 and Win disk cleanup would not start up. A subsequent reboot corrected those issues. Note that the a2service.exe issue only occurs at system shutdown but not at system restart?
     Source Emsisoft Protection Service
     Summary Stopped working
     Date 7/16/2016 7:32 PM
     Status Report sent
     Description
     Faulting Application Path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
     Problem signature
     Problem Event Name: APPCRASH
     Application Name: a2service.exe
     Application Version: 11.9.0.6513
     Application Timestamp: 5772c632
     Fault Module Name: StackHash_e951
     Fault Module Version: 6.1.7601.23455
     Fault Module Timestamp: 573a54b7
     Exception Code: c0000374
     Exception Offset: 00000000000bf262
     OS Version: 6.1.7601.2.1.0.768.3
     Locale ID: 1033
     Additional Information 1: e951
     Additional Information 2: e951a76a4c11b99caffbb03f3a1e3d40
     Additional Information 3: 158d
     Additional Information 4: 158deb71759178f3e01090a46f6c6b30
     Extra information about the problem
     Bucket ID: 244829027
     -EDIT- Here is some additional info from the event log.
     Also this error appears to occur sometimes but not always at system restart time:
     Log Name: Application
     Source: Application Error
     Date: 7/16/2016 7:32:53 PM
     Event ID: 1000
     Task Category: (100)
     Level: Error
     Keywords: Classic
     User: N/A
     Computer: xxxx
     Description:
     Faulting application name: a2service.exe, version: 11.9.0.6513, time stamp: 0x5772c632
     Faulting module name: ntdll.dll, version: 6.1.7601.23455, time stamp: 0x573a54b7
     Exception code: 0xc0000374
     Fault offset: 0x00000000000bf262
     Faulting process id: 0x4a8
     Faulting application start time: 0x01d1df5e17833f6b
     Faulting application path: C:\Program Files\Emsisoft Anti-Malware\a2service.exe
     Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
     Report Id: 9dc12495-4bad-11e6-976e-1c6f652f1513
     Event Xml:
     <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Application Error" />
         <EventID Qualifiers="0">1000</EventID>
         <Level>2</Level>
         <Task>100</Task>
         <Keywords>0x80000000000000</Keywords>
         <TimeCreated SystemTime="2016-07-16T23:32:53.000000000Z" />
         <EventRecordID>126859</EventRecordID>
         <Channel>Application</Channel>
         <Computer>Don-PC</Computer>
         <Security />
       </System>
       <EventData>
         <Data>a2service.exe</Data>
         <Data>11.9.0.6513</Data>
         <Data>5772c632</Data>
         <Data>ntdll.dll</Data>
         <Data>6.1.7601.23455</Data>
         <Data>573a54b7</Data>
         <Data>c0000374</Data>
         <Data>00000000000bf262</Data>
         <Data>4a8</Data>
         <Data>01d1df5e17833f6b</Data>
         <Data>C:\Program Files\Emsisoft Anti-Malware\a2service.exe</Data>
         <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
         <Data>9dc12495-4bad-11e6-976e-1c6f652f1513</Data>
       </EventData>
     </Event>