satrow

Members
  • Posts: 30

Everything posted by satrow

  1. (too late to edit) about:config settings (might be better as it's easier to magnify that page): New String: "general.useragent.override.malwarebytes.org" Value: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.9) Gecko/20100101 Firefox/45.9 (Pale Moon)"
  2. Hiya, John. Try this (it will be the default in the updated version, Pale Moon 27.0.2 slated to be published later today): (Alt >) Tools > Options > Advanced > General tab, set the Compatibility browser UA to 'Firefox compatibility'.
  3. No, malware is more commonly spread via specific exploits, such as those targeting older/vulnerable versions of Flash, Java, pdf readers and other common browser plugins, as well as infected email attachments and links, but if you have users who do download a lot of software to try out, or download content via torrents, etc., then they need educating. People will find a way past most safeguards like Family Safety if it stops them doing things; if you have multiple programs/methods blocking/protecting the computer with a wide range of special features, you can spend less time physically guarding the computer from them.
  4. No, it uses an older detection engine. It's also almost completely non-configurable.
  5. Direct links: https://www.adobe.com/products/flashplayer/distribution3.html Firefox users might need to jump through a hoop or two to enable it.
  6. Follow Patrick's instructions. If you don't find any dumps to upload, continue with mine please.
  7. In the absence of a crash dump, the following might be useful: attach a zipped Autoruns.arn and a zipped MSInfo32.nfo; these will contain part of what would have been collected by the BSOD collection app.

     Download Autoruns: https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
     (This method of setting up/running Autoruns enables a number of checks and lists only the unsigned Windows entries plus all non-Windows entries and allows direct checking of any Virustotal 'positives'.)

     Run Autoruns as Administrator. Once it starts, hit Esc to stop the scanning. From the File > Options menu, select only the following:
       • Hide Empty Locations
       • Hide Windows Entries
     From the File > Options > Scan Options menu:
       • Verify Code Signature
       • Check VirusTotal.com
       • Submit Unknown Images
     Click the Refresh icon or press F5 for the scan to restart and any uploading to VirusTotal to begin. Allow time for any VirusTotal results to be returned; check the VirusTotal column, right side of the main panel, for progress. Each entry should contain a x/xx (eg. 0/57, number of positives/number of scanners used). Once data checks are complete, File > Save As > Autoruns.ARN (the default file type), zip that saved file (Send to > Compressed folder from the mouse right-click menu) and then the Autoruns.zip can be uploaded and attached to a reply for checking.

     For MSInfo32, Start > Run > type in msinfo32 and press Enter/OK. The collection can take some time; you might be able to accelerate the data collection by clicking each section/sub-section and waiting for it to populate. You should be able to tell by the Status Bar, but there are likely to be some sections that don't populate where there isn't any relevant data anyway. The Components and Software environment subsections are the most important.

     Once you have the MSInfo32 fully populated, Save as > MSInfo32.NFO on your Desktop, right-click that and select Send to > Compressed folder - this will add an MSInfo32.zip to your Desktop; please attach that to your reply as well.
  8. It looks to me, from the latest dump (070215-6567-01.dmp), that *something* is interfering with the Intel Wireless driver, Netwsw02.sys. As there are 4 machines involved, I suggest you follow the BSOD collection info here and attach the required files separately from each machine for individual analysis (perhaps the topic could be moved there, if the 3 txt files supplied don't furnish any definitive answer?).

     Mini Kernel Dump File: Only registers and stack trace are available
     DbsSplayTreeRangeMap::Add: ignoring zero-sized range at ?00000000`00000000?
     DbsSplayTreeRangeMap::Add: ignoring zero-sized range at ?00000000`00000000?
     DbsSplayTreeRangeMap::Add: ignoring zero-sized range at ?fffff8a0`023e1c32?
     DbsSplayTreeRangeMap::Add: ignoring zero-sized range at ?fffff8a0`02376902?
     DbsSplayTreeRangeMap::Add: ignoring zero-sized range at ?fffff8a0`11a11c32?
     DbsSplayTreeRangeMap::Add: ignoring zero-sized range at ?fffff800`00b9a3c0?

     ************* Symbol Path validation summary **************
     Response                         Time (ms)     Location
     Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
     Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
     Executable search path is: 
     Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
     Product: WinNt, suite: TerminalServer SingleUserTS
     Built by: 7601.18869.amd64fre.win7sp1_gdr.150525-0603
     Machine Name:
     Kernel base = 0xfffff800`03252000 PsLoadedModuleList = 0xfffff800`03499730
     Debug session time: Thu Jul 2 16:12:17.326 2015 (UTC + 1:00)
     System Uptime: 0 days 3:33:33.262
     Loading Kernel Symbols
     .

     Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
     Run !sym noisy before .reload to track down problems loading symbols.

     .................................................................................................................................................................................
     Loading User Symbols
     Loading unloaded module list
     ......................
     No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
     *******************************************************************************
     *                                                                             *
     *                        Bugcheck Analysis                                    *
     *                                                                             *
     *******************************************************************************

     Use !analyze -v to get detailed debugging information.

     BugCheck 9F, {3, fffffa80069e8060, fffff80000b9a3d8, fffffa801392fc60}

     Probably caused by : pci.sys

     Followup: MachineOwner
     ---------

     0: kd> !analyze -v
     *******************************************************************************
     *                                                                             *
     *                        Bugcheck Analysis                                    *
     *                                                                             *
     *******************************************************************************

     DRIVER_POWER_STATE_FAILURE (9f)
     A driver has failed to complete a power IRP within a specific time.
     Arguments:
     Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
     Arg2: fffffa80069e8060, Physical Device Object of the stack
     Arg3: fffff80000b9a3d8, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
     Arg4: fffffa801392fc60, The blocked IRP

     Debugging Details:
     ------------------

     SYSTEM_SKU:  Latitude E7250
     SYSTEM_VERSION:  01
     BIOS_DATE:  05/13/2015
     BASEBOARD_PRODUCT:  0V8RX3
     BASEBOARD_VERSION:  A00
     BUGCHECK_P1: 3
     BUGCHECK_P2: fffffa80069e8060
     BUGCHECK_P3: fffff80000b9a3d8
     BUGCHECK_P4: fffffa801392fc60
     DRVPOWERSTATE_SUBCODE:  3
     IMAGE_NAME:  pci.sys
     DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7928f
     MODULE_NAME: pci
     FAULTING_MODULE: fffff88000fbf000 pci
     CPU_COUNT: 4
     CPU_MHZ: 8f6
     CPU_VENDOR:  GenuineIntel
     CPU_FAMILY: 6
     CPU_MODEL: 3d
     CPU_STEPPING: 4
     CUSTOMER_CRASH_COUNT:  1
     DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
     BUGCHECK_STR:  0x9F
     PROCESS_NAME:  System
     CURRENT_IRQL:  2
     ANALYSIS_VERSION: 10.0.10075.9 amd64fre
     DPC_STACK_BASE:  FFFFF80000BA0FB0
     STACK_OVERFLOW: Stack Limit: fffff80000b9afb0. Use (kF) and (!stackusage) to investigate stack usage.
     STACK_TEXT:  
     fffff800`00b9a388 fffff800`03335510 : 00000000`0000009f 00000000`00000003 fffffa80`069e8060 fffff800`00b9a3d8 : nt!KeBugCheckEx
     fffff800`00b9a390 fffff800`032d272c : fffff800`00b9a4c0 fffff800`00b9a4c0 00000000`00000000 00000000`00000001 : nt! ?? ::FNODOBFM::`string'+0x324a0
     fffff800`00b9a430 fffff800`032d25c6 : fffffa80`16950a88 fffffa80`16950a88 00000000`00000000 00000000`00000000 : nt!KiProcessTimerDpcTable+0x6c
     fffff800`00b9a4a0 fffff800`032d24ae : 0000001d`d54cc5cb fffff800`00b9ab18 00000000`000c886d fffff800`03449028 : nt!KiProcessExpiredTimerList+0xc6
     fffff800`00b9aaf0 fffff800`032d2297 : 00000006`af66d4c2 00000006`000c886d 00000006`af66d41f 00000000`0000006d : nt!KiTimerExpiration+0x1be
     fffff800`00b9ab90 fffff800`032be5ca : fffff800`03445e80 fffff800`03453cc0 00000000`00000002 fffff880`00000000 : nt!KiRetireDpcList+0x277
     fffff800`00b9ac40 00000000`00000000 : fffff800`00b9b000 fffff800`00b95000 fffff800`00b9ac00 00000000`00000000 : nt!KiIdleLoop+0x5a
     STACK_COMMAND:  kb
     FOLLOWUP_NAME:  MachineOwner
     IMAGE_VERSION:  6.1.7601.17514
     FAILURE_BUCKET_ID:  X64_0x9F_3_POWER_DOWN_Netwsw02_IMAGE_pci.sys
     BUCKET_ID:  X64_0x9F_3_POWER_DOWN_Netwsw02_IMAGE_pci.sys
     PRIMARY_PROBLEM_CLASS:  X64_0x9F_3_POWER_DOWN_Netwsw02_IMAGE_pci.sys
     ANALYSIS_SOURCE:  KM
     FAILURE_ID_HASH_STRING:  km:x64_0x9f_3_power_down_netwsw02_image_pci.sys
     FAILURE_ID_HASH:  {912f5fd7-e5cd-3289-8e10-8dc81efec3f8}
     Followup: MachineOwner
     ---------

     0: kd> !irp fffffa801392fc60
     Irp is active with 5 stacks 3 is current (= 0xfffffa801392fdc0)
      No Mdl: No System Buffer: Thread 00000000:  Irp stack trace.
          cmd  flg cl Device   File     Completion-Context
      [N/A(0), N/A(0)]
                 0  0 00000000 00000000 00000000-00000000
                 Args: 00000000 00000000 00000000 00000000
      [N/A(0), N/A(0)]
                 0  0 00000000 00000000 00000000-00000000
                 Args: 00000000 00000000 00000000 00000000
     >[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)]
                 0  0 fffffa8017b54050 00000000 00000000-00000000
     Unable to load image \SystemRoot\system32\DRIVERS\Netwsw02.sys, Win32 error 0n2
     *** WARNING: Unable to verify timestamp for Netwsw02.sys
     *** ERROR: Module load completed but symbols could not be loaded for Netwsw02.sys
                 \Driver\NETwNs64
                 Args: 00014400 00000000 00000004 00000002
      [IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)]
                 0 e1 fffffa8016dc1cc0 00000000 fffff80003518210-fffffa80175e4da0 Success Error Cancel pending
                 \Driver\vwifibus  nt!PopSystemIrpCompletion
                 Args: 00014400 00000000 00000004 00000002
      [N/A(0), N/A(0)]
                 0  0 00000000 00000000 00000000-fffffa80175e4da0
                 Args: 00000000 00000000 00000000 00000000
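A small triage parser for the "!analyze -v" output quoted in the post above, added here as an example and not part of satrow's post or any Malwarebytes tool: it pulls the bugcheck code, its arguments and the FAILURE_BUCKET_ID out of a dump summary so the dumps from several machines can be compared in one pass, and flags when the bucket blames a different driver (Netwsw02) than the IMAGE_NAME (pci.sys). The bucket-id layout is inferred from this one dump and is an assumption, not a documented format.

```python
import re

# Constructed excerpt of the !analyze -v output quoted above; values copied from the post, noise omitted.
SAMPLE = """\
BugCheck 9F, {3, fffffa80069e8060, fffff80000b9a3d8, fffffa801392fc60}
Probably caused by : pci.sys
DRIVER_POWER_STATE_FAILURE (9f)
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: fffffa80069e8060, Physical Device Object of the stack
Arg3: fffff80000b9a3d8, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: fffffa801392fc60, The blocked IRP
IMAGE_NAME:  pci.sys
FAILURE_BUCKET_ID:  X64_0x9F_3_POWER_DOWN_Netwsw02_IMAGE_pci.sys
"""

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
ARG_RE = re.compile(r"^Arg(\d): ([0-9a-fA-F]+), (.*)$", re.M)
FIELD_RE = re.compile(r"^([A-Z][A-Z_0-9]+):\s+(\S.*?)\s*$", re.M)   # "KEY:  value" lines

def parse_analyze(text):
    """Pull the structured facts out of one !analyze -v dump summary."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no BugCheck line in dump")
    return {
        "code": int(m.group(1), 16),
        "args": {int(n): (int(v, 16), d) for n, v, d in ARG_RE.findall(text)},
        "fields": dict(FIELD_RE.findall(text)),
    }

def split_bucket(bucket):
    """'X64_0x9F_3_POWER_DOWN_Netwsw02_IMAGE_pci.sys' -> ('Netwsw02', 'pci.sys'); layout assumed from the post."""
    head, sep, image = bucket.partition("_IMAGE_")
    if not sep:
        return None, None
    return head.rsplit("_", 1)[-1], image

def triage(text):
    """Summarise a DRIVER_POWER_STATE_FAILURE dump so several machines can be compared."""
    d = parse_analyze(text)
    blamed, image = split_bucket(d["fields"].get("FAILURE_BUCKET_ID", ""))
    arg1, reason = d["args"][1]
    report = {"code": d["code"], "arg1": arg1, "reason": reason,
              "blamed_driver": blamed, "image": image}
    if d["code"] == 0x9F and arg1 == 3:
        # Per the dump text, Arg2 is the PDO and Arg4 the blocked IRP for subcode 3.
        report["pdo"], report["blocked_irp"] = d["args"][2][0], d["args"][4][0]
    # IMAGE_NAME names the bus driver (pci.sys) while the bucket blames a different driver.
    report["mismatch"] = bool(blamed) and blamed.lower() not in (image or "").lower()
    return report
```

Feed each machine's "!analyze -v" text to triage() and compare the blamed_driver and blocked_irp fields across the four dumps.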
  9. Twolane, have you brought up this issue at the Pale Moon forum yet? Some background info regarding EMET, Pale Moon and sandboxing techniques and pitfalls (similar to having multiple AVs running together) that may be useful: http://forum.palemoon.org/viewtopic.php?f=5&t=3637&p=21108&hilit=emet#p21108 http://forum.palemoon.org/viewtopic.php?f=3&t=917
  10. I went through my usual Analyze routine with CCleaner after selecting only the 3 Malwarebytes entries and nothing was selected for deletion, Ritchie; same result after I ran a MBAM scan. Seems like the winapp2's not working as intended, imo, a good thing, I dislike tools that remove logged data that might be useful in later troubleshooting.
  11. Can't Edit: Contents of my current winapp2.ini pertaining to Malwarebytes: Post MBAM Scan: still nothing selected to remove by CCleaner.
  12. Ritchie, Pedro, I just enabled only the Malwarebytes components in CCleaner w/ the latest winapp2.ini installed, after running an analyze from CCleaner, I see nothing at all selected. No clues at all.
  13. That's the impression I always get from you, Steven, whether it be via email or site-based correspondence. More power to your elbow, friend. Keep safe and keep on doing the right thing; we deeply appreciate it. Thanks to everyone on the Malwarebytes team and staff.
  14. Thanks for taking the time to check this out, Steven, much appreciated.
  15. Yes, Andrew, there is. I see it happen from some normally clean and safe pages from a trusted site. I'm already in discussion with the site owner and it has been escalated there; my most recent information is that it's plugin-related (nrelate?) but it should be clean as they could not find anything amiss from their end (site, nrelate and site dev.). This only happened after switching from Pro to the Beta 2.0.
  16. Can I find out when/why this was added, please? Any idea if it's historical or whether there's an ongoing issue with it? Thanks.
  17. Right, that's why it's called "Website Blocking" and subtitled "If you feel a website was blocked by mistake, please report that false positives here.", I'll do that, thanks.
  18. Thanks for the quick reply. I have zero evidence either way, which is why I posed the question.
  19. Can I find out why/when it was added, is this ongoing or historical? Thanks.
  20. Scanning with the latest defs. now comes up clean. I guess the FP is now fixed, thanks all.
  21. Same here, no file just the reg. entries "worm". I posted the regfile here yesterday.
  22. Attached is the regfile section flagged up by MBAM free; there were no files flagged during the full scan. Could you check it please? Thanks. [Attachment: Password Stealer SSID.rar]