iondjp

Member
  • Content Count

    40
  • Joined

  • Last visited

Everything posted by iondjp

  1. I received a obviously suspicious email this morning. One of my email addresses was used for both the sender and recipient. The subject line was just my name, all in lower case. It had a jpeg attachment with a size about 192K. This obviously appears to be a ransomeware attempt, but I'd like t0 understand a few things because I get asked this by friends and clients all the time: Is there a way that the JPG can be looked at without doing harm? How does a JPG infect my machine?
  2. Sorry for leaving this hanging. I have given up on this and decided that it is a windows update issue. I have read a number of articles about issues with recent Windows releases. Most notably, https://www.computerworld.com/article/3216425/microsoft-windows/microsoft-patch-alert-octobers-been-a-nightmare.html. Earlier this summer, I also went through several weeks of back and forth recovery to eliminate Blue Screen boot errors. I was pissed and I don't want to find myself back down that rabbit hole. Thank god for reliable backups. Here's a tip of the hat to 'EaseUS To-0Do Backup'. So, for now I have prevented Windows from doing Auto Updates by setting my network adapter setting to 'Metered Connection'. Most frustrating about this is the paragraph (below) from the article about the insane game of roulette that Microsoft is unapologetic about. "Hard to believe that Windows 10 version rollouts could get any worse, but this month hit the bottom of a nearly bottomless barrel. Some folks who clicked “Check for updates” wound up with a brand spanking new copy of Win10 version 1809 — and all of the files in their \Documents, \Pictures, \Music, \Videos and other folders disappeared." This is reminds me of the B.S. that Microsoft made us suffer through back in the 1990s. ARRRGHHH!!! Thanks all.
  3. Thank You GT500 for all your help. I give up. I have tired your suggestion of using ShutUp10 and, well, I don't see what it accomplished. I have disabled the malware protection and let the thing boot without intervention, but I still get frequent update failure notifications daily. Strange things that are above my pay grade and beyond my understanding. I am reluctantly acceptting that this is just microsoft using the trial and error method again to release updates. It is not all updates that fail. In fact I don't understand a number of things I see. For example; why would I see 2018-09 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4457128) Successfully installed on ‎2018-‎09-‎11 and then further up the history I see; 2018-09 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4457128) (4) Last failed attempt on ‎2018-‎09-‎17 - 0x80070157 I thought it was already installed successfully?!?!?! Then I don't see it again higher up on the list with a new date. Has Windows decided to give up trying to install it, or has windows come to realize "oops" we already installed this one. Silly windows. I also notice even the Windows Defender Antivirus Definitions are failing sometimes. Definition Update for Windows Defender Antivirus - K2267602 (Definition 1.277.294.0) Failed to install on ‎2018-‎09-‎29 - 0x8024000b
  4. I want to thank you for your efforts, but I install Process Hacker and I just don't know where to start and it leaves me just as (more) confused. How do I know which process is launching the installer. By the time I get Process Hacker started to sort and attempt to see what process is guilty, the installer shuts down and evaporates. Is there nothing in the Event Manager that would reveal anything? I am close to just doing a full backup and then letting installer do it's thing and see what happens. Am I crazy to do so?
  5. Ran the various troubleshooters for Windows Update. How can I determine what is launching the installer? In other words, is there a way for me to determine if it is part of the Windows Update process? Is it normal for Windows Update to run installer upon reboot after an update install? What would happen if I click "Wait, I think this is safe?". Am I going to end up with a world of misery?
  6. FRST ran without a problem. Here's the two files. Addition.txt FRST.txt
  7. I don't mind if you forward it to support forum. I would just like to know what is going on and that Windows 10 is up to date. As far as the Windows Update being blocked....what should I look for? I see again today that there was a number of items in Emsisoft log showing Component=Scheduler & Action=Update "Downloaded and Installed". The system notified me of a required restart which I allowed to happen. Upon login to my user account, I saw Emsisoft alert me "Suspicious Behaviour "HiddenInstallation" of "MSIC461.tmp". If I was to click "Wait, I think this is safe" what would happen?
  8. This continues to happen whenever I restart windows. I am still seeing Windows complaining that it could not finish installing update. So,what recourse do I have? I do not have the experience to narrow my troubleshooting down. Is there something I could search for in the Event Viewer? Is there a trick in MSConfig to limit startup options to narrow down the culprit. I did look in the Task Manager startup options, but nothing jumps out at me.
  9. I witnessed a pop up notification by Emsisoft. Here is the detail... 2018-08-24 8:47:25 AM Behavior Blocker detected suspicious behavior "HiddenInstallation" of "C:\Windows\Installer\MSI174C.tmp" (SHA1: 67ECD82937ED15C2159EA3892A07BA6ACB74179A) 2018-08-24 8:47:25 AM A notification message "Suspicious behavior has been found in the following program: C:\Windows\Installer\MSI174C.tmp" has been shown Now, coincidentally I have been monitoring windows updates and I see in the Windows Update History... 2018-08 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4343909) (9) Last failed install attempt on 2018-08-23 - 0x80070157 So, is the EIS notification indicating a legitimate behavior block, or is it interfering with Windows Updates? I am confused because the last failed attempt of the Windows Update is 2018-08-23. Incidentally, I have seen both the EIS behavior block and the Windows Update failure a number of times and I see 3 MSIxxxx.tmp files have been marked "Suspicious Behavior Quarantined by User" as well as 9 have been marked "Allowed by Anti-Malware Network, rule created". I was going to attach here the C:\Windows\Installer\MSI174C.tmp file, but the folder C:\Windows\Installer does not even exist. Also strange, the EIS Quarantine tab does not list the MSI174C.tmp file, nor does it list one of the other files the log indicates was quarantined (MSIBE3E.tmp) on 2018-08-13.
  10. I received an email stating that my laptop camera had been hi-jacked. The email had been labelled Junk mail and was disabled. I am almost certain that it is phishing attempt, but more than one person uses this laptop so who knows. In any case, it raises a few general questions about Emsisoft Anti-Malware. Is it possible for a rogue video to actually install something on the machine, or would EAM and Windows Firewall protect from that? If it was possible, would EAM scan be sufficient to find it? Would EAM behaviour blocker protect against it's operation? Is there more I should do at this stage? As usual....thanks in advance.
  11. The auto-diagnose tool did run and it did show that it had "Fixed" the problem, but it did not. Also noticed after posting this that I could no longer sync Outlook with phone using VCOrganizer app so I started to think about what may have changed. I recalled that I had uninstalled a number of programs using Revo Uninstaller. I was perhaps a bit too aggressive. So to resolve the firewall issue, I recovered a restore point to prior to that exercise and the firewall issue and outlook sync issue went away. I then removed the programs again one by one successfully. Thanks for your assistance.
  12. I was met with a notification today that the Windows Firewall is turned off. I launched Windows Defender Security Center and it shows "Windows Firewall service has stopped. Restart it now." Clicking the Restart button launches the UAC warning, but nothing after that. So, I look in Windows Firewall Security Center/Firewall & network protection. there is a red circle with X and "Windows Firewall is using settings that may make your device unsafe." Click Restore settings button, again shows UAC warning, but that disappears once I click to give permission to make changes to my system and nothing else happens. Strangely, on that same screen I see Private (discoverable) network followed by Network is not connected. The same below it..."Public (non-discoverable) network and "network is not connected. Now I am in fact connected through Wifi to WLAN and the internet. I also launched services.msc and I see the Windows Firewall status is Starting for along time. When I try to stop the service, I get "Windows could not stop the Windows Firewall service on Local Computer. The service did not return an error. This could be an internal Windows error or an internal service error...." I normally would not bother Emsisoft with a problem that seems to be related to windows 10, but there are numerous suggestions elsewhere that this may be related to the fact I am running Emsisoft Anti_Malware. Any advise would be appreciated.
  13. Does EIS Scan Browser Certificates or scan Trusted Authorities that appear in my browse certificate manager? In other words, how do I know that the Certificates, the Servers, and the Authorities that appear in the list are legitimate and trustworthy? I ask because I noticed by accident that the list of Authorities in Mozilla exceeds 91. Some of them I recognize, such as Thawte and Verisign, but there are several others and some are in foreign languages. Furthermore, under the Others Tab there are a number of other Certificates under The USERTRUST Network with strange names like Bogus GMail, Bogus Skype, Bogus Google. When I try to remove these, they just reappear. However that maybe because my Windows User Account is set to Standard User.
  14. Thank you for your Elise; Just to confirm, based on your comments I conclude... UNC or Mapped Drive Letters are both vulnerable read only files are not necessarily safe my local network server backup files are not necessarily safe So, I should install security protection on my WHS V1. Do you know if Emsisoft will install and play nice on a WHS V1? It is based on Windows Server 2003 R2.
  15. Good Day; I recently read a very interesting and disconcerting blog on your website about ransomware. I was aware of it, but was unaware that it could ‘crawl’ through my network. I was hoping to get some more clarification on Ransomware and how it can conduct its destruction. I am particularly concerned and interested in the behavior of malware like this and how it behaves on a small home network. I consider myself to be as knowledgeable as most home network administrators, which is to say I can make it work, but I’m not aware of certain consequences. Here’s my case for example, maybe this can serve as a basis of the discussion. I run a Windows Home Server with a number of hard drives. I use it to do backups from laptop machines but I also have a number of network accessible shares that contain music, family photos, home videos. Each of those shared folders is set to ‘read only’ and accessible by two standard user accounts on laptops and Android devices in the house. There is another seldom used Administrator account for writing files to those shared folders via my laptop. I also have another shared folder where I store some business files (call it ‘Personal Business’ shared folder ) because I don’t want those files on my laptop. This shared folder has read/write permissions from my Windows account the moment I login to my laptop. Just to elaborate a little further, I have been using the server such that the user accounts on the server have the same user ID and password as the laptop. This offers the convenience of making the remote shares appear almost as if they were on my laptop without having to login to the server shares. One last detail before I get to my questions. I do not have the hard drive letters mapped. But, I do use UNC addresses to access the server shares. Questions: The article explained clearly that a ransomware program like cryptowall, if it was to infect my laptop, it would be able to spread to any mapped shares. I am not clear whether that means cryptowall would be able to proliferate using the UNC. Does using the UNC provide any additional protection? Are there other malware infections that will behave the same with network shares over a LAN? Since my shared folders are read-only, with the exception of the ‘Personal Business’ shared folder, are they safe if my laptop gets infected? If the ransomware was able to access and encrypt the files in my ‘Personal Business’ shared folder, would it also be able to botch up the backup database files. This would be the scariest scenario. (If you are not familiar with WHS it is based on Server 2003 and the client machine backups are stored in a separate hidden folder on the server machine with Administrator/System/Creator Owner Permissions ranging from ‘Full’ to ‘Read/Execute’) Do you have any suggestions on how I might better protect the ‘Personal Business’ shared folder without giving up all convenience? Thx for any clarification.
  16. Thanks Elise; Sorry I did not notice this came in last week. I will try these and report back when I get some time....maybe, just maybe, when the kids are back to school! (just Kidding, I should find time next week.)
  17. While trying to find a solution to an issue on laptop with Windows 7 Home Premium SP1. Part of the troubleshooting and solution required me to confirm if Windows Modules Installer (WMI) had Startup set to Automatic. I did that, and then thought I should try to start the service but I was met with an unexpected response. Windows could not start the Windows Modules Installer service on Local Computer. Error 225: Operation did not complete successfully because the file contains a virus. (See attached Graphic for exact windows prompt) The properties dialogue for the executable is C:\Windows\servicing\TrustedInstaller.exe So, I ran a Scan Using Emsisoft Internet Security V.10.0.0.5641 and it came back clean. Any assistance would be appreciated. Edit: I later did a scan with MalwareBytes Rootkit Revealer and nothing was revealed.
  18. Sorry I just noticed these replies.... Thanks for this. Gives me some peace of mind.
  19. Forgive me if this is not the correct forum for this. I downloaded Soda PDF 7 software to try. Upon installing it, Emsisoft Internet Security through up an alert that it was trying to install invisibly. I blocked the installer program and decided to post my experience here. This software boasts it is a Microsoft Partner on its web site (http://sodapdf.com). This software is relatively widely known and distributed so how can it be malware. Because I do not understand the details of the alert (i.e.: installing invisibly) so I am forced to trust Emsisoft however, I am disappointing because I need to try this software or something else similar. Feedback and advise will be greatly appreciated.
  20. Hi all. I haven't dropped this. I replied and sent the logs to [email protected] as per the instructions in Christian's response. Any progress with this? Do I need to upload the logs here?
  21. Yes. I am able to reproduce by simply shutdown/restart system. How do I get debug logs? I am able to open the logs tab, but I see no entries in the firewall log. I do notice that there have been update logs today.
  22. The network adapters properties are all set to private network. As I said, I believe everything in the firewall tab is set to the default.
  23. Running Windows 7 64 Bit Emsisoft Internet Security 9.0.0.45?? Previously had installed Emsisoft Anti-Malware with Online Armour Just noticed in the past week that the network access to our Windows Home Server is being blocked. The Sever does not appear in Windows Explorer Entering UNC paths in Explore does not work I can ping IP address of server I cannot ping host name - (results in - "ping request could not find host") If I turn off firewall temporarily, server appears and remains accessible even after firewall is turned on again. All EIS firewall settings are at default
  24. Thanks so much. I am sure that I am not the only one who appreciates the almost always patient, respectful, and informative responses from Emsisoft employees. It really is refreshing. Keep up the good work folks.