
Hi!  I have an urgent problem!  Emsisoft does not detect the Trojan below.  However, Kaspersky does detect it, but cannot remove it:

Detected:  MEM:Trojan.Script.AngryPower.gen

Location:  System memory.

Any suggestions please?


SECOND POST [Scans attached]:


Addition.txt

Scan_170627-132852.txt

FRST_27-06-2017 13.42.06.txt

Addition_27-06-2017 13.42.06.txt


Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-2036737855-1592510443-1916522820-1001\...\MountPoints2: {b1957a76-8fa1-11e2-9a65-806e6f6e6963} - E:\autorun.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\lnj2x8cg.default -> Ask.com
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\lnj2x8cg.default -> Ask.com
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
2015-09-07 15:54 - 2015-09-07 15:54 - 48519888 _____ (Microsoft Corporation) C:\Users\Owner\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe
2012-10-02 13:15 - 2012-10-02 13:15 - 0612712 _____ (NVIDIA Corporation) C:\Users\Owner\AppData\Local\Temp\nvStInst.exe
2013-12-14 12:36 - 2013-12-14 12:36 - 44809728 _____ (Logitech, Inc.) C:\Users\Owner\AppData\Local\Temp\qc_a402013b_7656_4f6f_b57f_5a8ef69f5fc4_32.exe
2014-05-12 08:27 - 2009-01-22 15:10 - 0244224 _____ (Thomson Reuters) C:\Users\Owner\AppData\Local\Temp\Risweb32.exe
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> "C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.79\delegate_execute.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.111\psuser.dll => No File
Task: {338B53FC-D00F-4C1C-996E-6E8C37CA3255} - \WPD\SqmUpload_S-1-5-21-2036737855-1592510443-1916522820-1000 -> No File <==== ATTENTION
Task: {68A26E26-3DC5-4C4D-89BF-F8D94A5B12BB} - \GoogleUpdateTaskUserS-1-5-21-2036737855-1592510443-1916522820-1000UA -> No File <==== ATTENTION
Task: {7715A9B4-D067-4697-A88D-E0760619FAAA} - \GoogleUpdateTaskUserS-1-5-21-2036737855-1592510443-1916522820-1000Core -> No File <==== ATTENTION
Task: {EFD6ACC5-7D01-4774-A0FC-C9A108894A00} - System32\Tasks\{76F3F346-6DBB-4C4C-93DF-82CE57F216C3} => pcalua.exe -a C:\Users\Owner\Downloads\lide20lide30n670un676un1240uvst7031a_xpen\SetupSG.exe -d C:\Users\Owner\Downloads\lide20lide30n670un676un1240uvst7031a_xpen
Shortcut: C:\Users\Owner\Documents\Scanlan\PhD\LeximancerProjects\Leximancer 3 Config.lnk -> C:\Documents and Settings\s310646\Leximancer-Desktop\Leximancer3Config.bat (No File)
Shortcut: C:\Users\Owner\Documents\Scanlan\PhD\LeximancerProjects\Leximancer 3.lnk -> C:\Documents and Settings\s310646\Leximancer-Desktop\Leximancer3.bat (No File)

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
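Before running a fixlist like the one above, it helps to know which entries merely point at files that are already gone (FRST marks them "No File") and which would delete something real. The parser below is an added example, not code from this thread or from FRST itself; it reads entries in the fixlist format shown above and separates dangling references from live targets, on a constructed sample with shortened paths.

```python
import re
from collections import namedtuple

# One parsed fixlist line: its kind (registry, firefox, file, clsid, task, shortcut, other),
# the path/command/value it points at, and whether FRST already marked that target "No File".
Entry = namedtuple("Entry", "kind target orphan")

# FRST file entry: "<created> - <modified> - <size> <attrs> (<company>) <path>"
DATE_FILE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ \S+ \((.*?)\) (.+)$")

def parse_entry(line: str) -> Entry:
    """Classify one fixlist line and pull out what it references."""
    line = line.strip()
    orphan = "No File" in line
    m = DATE_FILE.match(line)
    if m:
        return Entry("file", m.group(2), orphan)
    if line.startswith("CustomCLSID:"):
        return Entry("clsid", line.split(" -> ", 1)[1].split(" => ", 1)[0].strip('"'), orphan)
    if line.startswith("Task:"):
        return Entry("task", line.split(" - ", 1)[1].split(" -> No File", 1)[0], orphan)
    if line.startswith("Shortcut:"):
        return Entry("shortcut", line.split(" -> ", 1)[1].replace(" (No File)", ""), orphan)
    if line.startswith("FF "):
        return Entry("firefox", line.split(" -> ", 1)[-1], orphan)
    if line.startswith(("HKU\\", "HKLM\\", "SearchScopes:")):
        return Entry("registry", line.split(" - ", 1)[-1], orphan)
    return Entry("other", line, orphan)

def parse_fixlist(text: str) -> list:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

def summarize(entries) -> dict:
    """Per-kind counts plus the number of dangling references. Orphans are
    leftovers of uninstalled software and removing them touches only the
    registry or task store; non-orphans delete something real on disk."""
    out = {"total": len(entries), "orphans": 0, "by_kind": {}}
    for e in entries:
        out["by_kind"][e.kind] = out["by_kind"].get(e.kind, 0) + 1
        out["orphans"] += int(e.orphan)
    return out

# Constructed sample in the fixlist format used in this thread (SIDs and paths shortened).
SAMPLE = r"""
HKU\S-1-5-21-1001\...\MountPoints2: {b1957a76-8fa1-11e2-9a65-806e6f6e6963} - E:\autorun.exe
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
2012-10-02 13:15 - 2012-10-02 13:15 - 0612712 _____ (NVIDIA Corporation) C:\Users\Owner\AppData\Local\Temp\nvStInst.exe
CustomCLSID: HKU\S-1-5-21-1001_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\psuser.dll => No File
Task: {68A26E26-3DC5-4C4D-89BF-F8D94A5B12BB} - \GoogleUpdateTaskUserS-1-5-21-1000UA -> No File <==== ATTENTION
Task: {EFD6ACC5-7D01-4774-A0FC-C9A108894A00} - System32\Tasks\{76F3F346-6DBB-4C4C-93DF-82CE57F216C3} => pcalua.exe -a C:\Users\Owner\Downloads\SetupSG.exe
"""
```

On the sample, `summarize(parse_fixlist(SAMPLE))` reports three dangling entries (the Firefox plugin, the CLSID and the GoogleUpdate task) and three live ones, which are the lines worth reviewing before pressing Fix.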


Kaspersky is most likely intercepting the Trojan first and deleting it from memory before Emsisoft has a chance to detect it.  When one detects something and takes action, the other security software will not, because there is nothing left to detect. Another scenario is that KIS and EAM are in conflict.

Reboot the system to Safe Mode and uninstall EAM.


OK. I have all of the bits together in one folder. Am now running Emsisoft Emergency Kit scan on desktop computer in safe mode. Is that it? I haven't found anything that says "fix" yet? I am afraid to turn the computer off.


FRST.txt

scan_170628-125413.txt

Thanks for your help so far. I would like to/must start again please Kevin.

At this point, after running FRST.exe and on getting to the end clicking on "fix" only elucidates a reply that everything should be in the same place; there is no "fix" so to speak. So it seems I need to return to the beginning. 

I am operating in safe mode on the crashed desktop computer. My messages to you come from my laptop. I am running a USB from the laptop to the desktop computer to transfer information etc. I have done the tasks again [in safe mode] on the desktop computer and ask that you create another fixlist.txt file for me please; and tell me exactly how and where [i.e. so that all the files, including fixlist.txt, are together somewhere; and where that should be] to save it on the crashed desktop computer via USB.

I have not uninstalled EAM on the desktop computer yet as I do not understand how then I am going to run Emsisoft again after that, or do I somehow install another one on the desktop computer later; bearing in mind that I cannot access the internet on the desktop computer because of the Trojan? When do I uninstall EAM; before or after I paste in the new fixlist.txt file you send me? I do need an answer to these questions.

I have saved all/each of the relevant files you need again together [as attached] to identical folders on "C" Drive and on the "desktop" of the desktop computer. The folders are:  "FRST", "EEK", and "Downloads". Is this appropriate?

I have been running Emsisoft and Kaspersky side-by-side on the desktop computer for many years without a problem; so I wonder that this has caused the infection now.

I am avoiding having the desktop computer turn off at this stage as I suspect it may never start again.

I look forward to your reply and answers to my questions,

Cheers,

R.J. Scanlan

Addition.txt


Kaspersky Internet Security and Emsisoft Anti-Malware are not compatible.  Uninstall Kaspersky Internet Security or Emsisoft Anti-Malware.  You can only have one of those installed, otherwise you will have problems.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-2036737855-1592510443-1916522820-1001\...\MountPoints2: {b1957a76-8fa1-11e2-9a65-806e6f6e6963} - E:\autorun.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\lnj2x8cg.default -> Ask.com
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\lnj2x8cg.default -> Ask.com
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
2015-09-07 15:54 - 2015-09-07 15:54 - 48519888 _____ (Microsoft Corporation) C:\Users\Owner\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe
2012-10-02 13:15 - 2012-10-02 13:15 - 0612712 _____ (NVIDIA Corporation) C:\Users\Owner\AppData\Local\Temp\nvStInst.exe
2013-12-14 12:36 - 2013-12-14 12:36 - 44809728 _____ (Logitech, Inc.) C:\Users\Owner\AppData\Local\Temp\qc_a402013b_7656_4f6f_b57f_5a8ef69f5fc4_32.exe
2014-05-12 08:27 - 2009-01-22 15:10 - 0244224 _____ (Thomson Reuters) C:\Users\Owner\AppData\Local\Temp\Risweb32.exe
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> "C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.79\delegate_execute.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> "C:\Users\User\AppData\Local\Google\Update\1.3.21.115\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.115\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-2036737855-1592510443-1916522820-1001_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.21.111\psuser.dll => No File
Task: {338B53FC-D00F-4C1C-996E-6E8C37CA3255} - \WPD\SqmUpload_S-1-5-21-2036737855-1592510443-1916522820-1000 -> No File <==== ATTENTION
Task: {68A26E26-3DC5-4C4D-89BF-F8D94A5B12BB} - \GoogleUpdateTaskUserS-1-5-21-2036737855-1592510443-1916522820-1000UA -> No File <==== ATTENTION
Task: {7715A9B4-D067-4697-A88D-E0760619FAAA} - \GoogleUpdateTaskUserS-1-5-21-2036737855-1592510443-1916522820-1000Core -> No File <==== ATTENTION
Task: {EFD6ACC5-7D01-4774-A0FC-C9A108894A00} - System32\Tasks\{76F3F346-6DBB-4C4C-93DF-82CE57F216C3} => pcalua.exe -a C:\Users\Owner\Downloads\lide20lide30n670un676un1240uvst7031a_xpen\SetupSG.exe -d C:\Users\Owner\Downloads\lide20lide30n670un676un1240uvst7031a_xpen
Shortcut: C:\Users\Owner\Documents\Scanlan\PhD\LeximancerProjects\Leximancer 3 Config.lnk -> C:\Documents and Settings\s310646\Leximancer-Desktop\Leximancer3Config.bat (No File)
Shortcut: C:\Users\Owner\Documents\Scanlan\PhD\LeximancerProjects\Leximancer 3.lnk -> C:\Documents and Settings\s310646\Leximancer-Desktop\Leximancer3.bat (No File)

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


I have a similar "detection" if I run Kaspersky Virus Removal Tool (on-demand scanner) while Emsisoft Anti-Malware is installed. I also got this detection when no real-time AV was installed but EEK and KVRT were run at the same time.

It seems that this might be an FP from Kaspersky when scanning memory.


Kaspersky and Emsisoft are not compatible and both companies recommend only using one or the other, not both.
