Is This A Valid Emsisoft File

[itman]

Found a file named infected.txt in my Emsisoft Antimalware program folder. It scanned cleaned at VirusTotal. Was created on 8/26 and update this afternoon.

 

If this not a valid EAM file, I want to get rid of it.

 

 

 

infected.zip

[stapp]

Please follow the steps here and attach the requested logs so that one of our experts can help you.

 

http://support.emsisoft.com/forum-6/announcement-2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/

[itman]

Stapp,

 

I just want to know it that file is used by EAM. Really can't see how it is.

 

My PC is clean.

[ShadowPuterDude]

That is not one of our files.

[itman]

That is not one of our files.

Thanks, that is want I needed to know.

 

The question is how did it get around EAM's self-protection?

 

To play it safe, I am going to uninstall EAM using Revo UninstallerPro and re-install. 

[itman]

A bit more information on this incident.

Appears this infected.txt file dates back to the last time I manually installed EAM which was on 8/26. Best theory I have is it arrived in the EAM installer. Don't know how that is possible since I always download EAM from the Emsisoft web site. At least that gets EAM's self-protection off the hook.

Downright scary. In any case, EAM is reinstalled and no "infected.txt" is present in the EAM program directory.

[ShadowPuterDude]

Not sure how that got there and where it came from.

We can take a look at the system.

download Farbar Recovery Scan Tool x64 and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to the disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

[itman]

FRST64.exe appears not to work for Win 10. Won't start up. I tried Win 8 compatibility mode and still a no-go.

[ShadowPuterDude]

Try the 32-bit version.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.

[itman]

I tried both. Neither would run on my Win 10 x64 1607 build. Believe the issue is Smartscreen. I checked my reliability history and Smartsceen appears to have crashed everytime I run Farbar. It did complain about both vers. when I tried to download them.

[ShadowPuterDude]

Turn off SmartScreen and download a new copy of FRST64. Then run it.

http://www.groovypost.com/howto/turn-off-smartscreen-filter-windows-10/

[itman]

Here's the Farbar reports.

FRST.txt

Addition.txt

[ShadowPuterDude]

The FRST logs show no malware, but do show several issues that should be fixed.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Winlogon: [Userinit]  [X]
HKU\S-1-5-21-688685898-805468341-453270983-1001\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-688685898-805468341-453270983-1001\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
GroupPolicy: Restriction <======= ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
GroupPolicyScripts-x32: Restriction <======= ATTENTION
GroupPolicyScripts-x32\User: Restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-688685898-805468341-453270983-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKU\S-1-5-21-688685898-805468341-453270983-1001 -> No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} -  No File
Toolbar: HKU\S-1-5-21-688685898-805468341-453270983-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Task: {00B4728B-6124-42B7-883A-C7D21AE063CC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {0325B7D7-8B1C-4636-8BFC-4CBA4E051804} - \Microsoft\Windows\Media Center\InstallPlayReady -> No File <==== ATTENTION
Task: {11A74AD8-E541-4D65-882C-0A585F748607} - \Microsoft\Windows\Media Center\UpdateRecordPath -> No File <==== ATTENTION
Task: {1A5A9FB9-E5BE-43EE-8E56-1FCA3597E717} - \Microsoft\Windows\Media Center\OCURActivate -> No File <==== ATTENTION
Task: {1C515CA3-0C6B-436D-A639-5031602620B7} - \Microsoft\Windows\Media Center\MediaCenterRecoveryTask -> No File <==== ATTENTION
Task: {1C91A605-D0F1-475A-8F2E-D3566FD9DAFE} - \Microsoft\Windows\Media Center\RegisterSearch -> No File <==== ATTENTION
Task: {1CD74521-A495-4F57-BB08-811D35F2EE67} - \Microsoft\Windows\Media Center\PBDADiscovery -> No File <==== ATTENTION
Task: {2131F82C-E0F0-4197-8BC1-C4D4E7D87DF4} - System32\Tasks\Delete URL Temp Files => C:\Don's Scripts\DelURLtm.bat [2016-10-23] () <==== ATTENTION
Task: {4050F588-36F1-4A87-B610-D99E37C68BF0} - \Microsoft\Windows\Media Center\DispatchRecoveryTasks -> No File <==== ATTENTION
Task: {46010519-E8CF-4816-A2D4-D7FEF19C3570} - \Microsoft\Windows\Media Center\RecordingRestart -> No File <==== ATTENTION
Task: {4B359C07-DC82-43A9-AE9B-DCD039C8ACE7} - \Microsoft\Windows\Media Center\ActivateWindowsSearch -> No File <==== ATTENTION
Task: {4F845F61-1E97-4844-836C-915B26C201AA} - \Microsoft\Windows\Media Center\PBDADiscoveryW1 -> No File <==== ATTENTION
Task: {5ECB20C7-1662-4D36-9545-FB509DE0748D} - \Microsoft\Windows\Media Center\SqlLiteRecoveryTask -> No File <==== ATTENTION
Task: {5F94ED09-7B00-47C0-B180-0E1C8DDA29E4} - \Microsoft\Windows\Media Center\PvrRecoveryTask -> No File <==== ATTENTION
Task: {6671437D-2AD5-44BD-8FA1-17827135BE10} - \Microsoft\Windows\Media Center\ehDRMInit -> No File <==== ATTENTION
Task: {6A4A7A92-51BA-4DBE-97FD-4D72EF36922D} - \Microsoft\Windows\Media Center\ObjectStoreRecoveryTask -> No File <==== ATTENTION
Task: {72394665-ACFB-48D2-97B7-801B388EA3A6} - \Microsoft\Windows\Media Center\ReindexSearchRoot -> No File <==== ATTENTION
Task: {7E983C54-6A36-4CC6-9F7D-9425368B71EE} - \Microsoft\Windows\Media Center\PeriodicScanRetry -> No File <==== ATTENTION
Task: {8BC4DB8F-FEE2-4F49-8536-3943CE96D134} - \Microsoft\Windows\Media Center\OCURDiscovery -> No File <==== ATTENTION
Task: {A81B5E66-CB07-4D94-AFCD-AC2B53D5FA01} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {AEF57E03-9B49-4D2F-AD42-60ED7B1926E5} - \Microsoft\Windows\Media Center\PvrScheduleTask -> No File <==== ATTENTION
Task: {B903FCA1-9873-4FB5-96F5-08B07CE1DBF5} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {BE447B32-7B61-4602-831B-028FD9DE489E} - \Microsoft\Windows\Media Center\ConfigureInternetTimeService -> No File <==== ATTENTION
Task: {D8569657-6AAB-4543-92C7-3D3D7E2AAA0C} - \Microsoft\Windows\Media Center\mcupdate_scheduled -> No File <==== ATTENTION
Task: {DB138D04-E271-4E15-84AF-6B5C100DBCA4} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {E66B2DCF-F028-4C08-AEA5-C109EB6A7715} - \Microsoft\Windows\Media Center\PBDADiscoveryW2 -> No File <==== ATTENTION
Task: {EB963F50-E819-41D0-AAC5-E95575DEA726} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {ECE9CC3C-1EFC-433B-A706-6962D33B7B72} - \Microsoft\Windows\Media Center\StartRecording -> No File <==== ATTENTION
Task: {F09A8B07-093E-4520-9815-DC06DE83D634} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {F1AEFCC8-4E5C-43B8-929C-FAFC0B0AB763} - \Microsoft\Windows\Media Center\mcupdate -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [119]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[itman]

FRST64 keeps aborting in the middle of the fix scan. Shut down EMET, disabled all of ESET except the firewall, and disabled all of EAM whose behavior blocker was going nuts.

 

I am now pee-ood since Win 10 set IE11 search provider to Bing due to "corruption" and I can't reset to Google via "Manage Add-Ons."

 

-EDIT- Was able to add Google search add-on from IE site. After I start up IE 11 again, it tells me its corrupted and do I want to use Bing instead. Is this bogus MS crap?

 

Also noticed this: Task: {2131F82C-E0F0-4197-8BC1-C4D4E7D87DF4} - System32\Tasks\Delete URL Temp Files => C:\Don's Scripts\DelURLtm.bat [2016-10-23] () <==== ATTENTION

I created that script and scheduled task, so that has to go.

 

Attaching FRST log that was created.

 

Source
Farbar Recovery Scan Tool

Summary
Stopped working

Date
‎11/‎1/‎2016 5:13 PM

Status
Report sent

Description
Faulting Application Path: C:\Users\Don\Desktop\FRST64.exe

Problem signature
Problem Event Name: APPCRASH
Application Name: FRST64.exe
Application Version: 30.10.2016.0
Application Timestamp: 5816796d
Fault Module Name: FRST64.exe
Fault Module Version: 30.10.2016.0
Fault Module Timestamp: 5816796d
Exception Code: c0000005
Exception Offset: 0000000000026750
OS Version: 10.0.14393.2.0.0.768.101
Locale ID: 1033
Additional Information 1: 583f
Additional Information 2: 583f9137d21dbec0cc050a1251a854c0
Additional Information 3: f51b
Additional Information 4: f51b9752c0ea9b7d47b4c7685a851fe0

Extra information about the problem
Bucket ID: 49bfca93be65de04f257b1f6bb657008 (120609072980)

Fixlog.txt

[itman]

Also now have a ton of the following errors in my event log:

 

Log Name:      Application
Source:        Microsoft-Windows-Security-SPP
Date:          11/1/2016 5:12:15 PM
Event ID:      16385
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Don-PC
Description:
Failed to schedule Software Protection service for re-start at 2116-10-08T21:12:15Z. Error Code: 0x80070005.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
    <EventID Qualifiers="49152">16385</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-11-01T21:12:15.667299100Z" />
    <EventRecordID>17945</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Don-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0x80070005</Data>
    <Data>2116-10-08T21:12:15Z</Data>
  </EventData>
</Event>

[itman]

I ran FRST64 w/admin privileges and got a bit farther this time before it crapped out. Here's the log. 

Fixlog.txt

[itman]

Task Scheduler totally totally busted. Won't even start up. Can't type into "Search Windows" toolbar box anymore. God knows what else is borked.

 

I am doing a system restore and will never run Farbar crap again.

[ShadowPuterDude]

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

[itman]

Found and remove the malware manually. It is definitely one insidious bugger to say the least.

 

Believe I have found a new and undetectable ransomware. Appears it is targeted at Win 10 and using Smartscreen's Outlook filter to do its dirty work. Explains why impact of it on my PC was minimal. I have MS Office installed but I don't use Outlook for my e-mail client. It must perform some fingerprinting on users w/MS Office installed. On to the gory details.

 

I am attaching the reg. key where the malware was found. Note that same malware was found in all 3 instances of  this key, 3B6C15BE-F9FD-7E15-F865-ABA8E2A09915, in the registry.

 

In an case, Emsisoft needs to beef it it's self-protection. I still don't know how this sucker was able to modify EAM and EAM not detect it was tampered with. All statuses for EAM indicated all was normal with the software.

 

Also I noticed that epp.sys is not in C:\Windows\System32\Drivers directory and is being loaded instead into the kernel global root table i.e. \??\C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys as a file system driver. Since this is EAM's protection platform driver, I question why this this driver is not being loaded as a kernel driver.

regkey 1.zip

[ShadowPuterDude]

Farbar is not responsible for breaking your task scheduler. Things can and do get broken during malware removal. Most of the stuff that gets broken can be fixed without resorting to a restore.

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

• Ensure Remove disinfection tools is checked.
• Also place a checkmark next to:
  • Create registry backup
  • Purge system restore
• Click the Run button.

When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

Download to your Desktop:

- CCleaner Portable

• UnZip CCleaner Portable to a folder on your Desktop named CCleaner

Run CCleaner

• Open the CCleaner Folder on your Desktop and double-click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
• Click "Options" and choose "Advanced"
• Uncheck "Only delete files in Windows Temp folders older than 24 hours"
• Then go back to "Cleaner" and click the "RunCleaner" button.
• Exit CCleaner.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Articles to Read:

How to Protect Your Computer From Malware

How to keep you and your Windows PC happy

Web, email, chat, password and kids safety

10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

[ShadowPuterDude]

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.