AT2014

Thanks for the info, Kevin. I read some of that earlier and I noticed something called hips? I used to use a firewall, I think it was called Comodo that offered something called hips protection. Would that be good with my mwb premium and avast free? thansk

he asked me to post this.

No, the notifications area. Windows 7, but I ended up rebuilding the cache through Prompt as per a Microsoft answer, restarted and voila. Now, I do have a question for you. In order to prevent this again in the future which is both a waste of time for me and you, would it be wise for me to be a good brother and purchase a anti exploit license or rather purchase a combo license right now for him to prevent these drive by attacks in future? Though I'm confused. Anti-ransomeware is currently in beta 8 per forum records. Is one or the other in addition to a quality AV and MalwareBytes Anti-Malware Premium with Anti-Exploit a better route? To me they seem to be the same thing unless I'm missing something crucial here. I do wish MB would combine these programs together in one package but it makes more sense to split them apart to slow down an attack's ability to prevent or shut down service. Then again, there's Chameleon. Have a good weekend and early happy holidays.

As far as vector of infection goes, I'd imagine it was a fly by ad that escaped adblock or one of those precarious adult sites *roll eyes*.

Actually, 1 question before I leave for work, his Windows doesn't seem to show the icon in the task bar but the software is running when you look for it in taskman~.exe. Was or is there an option to show the emblem down there or is something corrupt and I should reinstall the software?

Good morning, Kevin. Unfortunately, or rather fortunately, I think this thread should be closed. I am the OP's brother. I came over early this morning to take a look. As he did, I, too, ran various scans and even used the same software that you guys recommend. Incidentally, it's something I use myself at work (S.SE) and couldn't find anything. I went ahead and looked at various parts of the system and couldn't figure out why RegSvcs.exe was behaving in this manner. I myself have used MalwareBytes since you guys were around in the very old days. Quality stuff here. Anyway, I ran various tools again, even going and looking through the registry until I decided to unhide files and went digging. I found a file in a alphanumeric folder under %appdata%. The file within contained some three or four files. Do excuse me, I only got 4 hours of sleep last night before waking up to do this before work. Anyway, I noticed the extensions of the files were .lock which I'd only seen in test bed computers where they were exposed to ransomeware. I could not delete the file through explorer, but did install unlocker and looked at what file it was relating to. It pointed directly at the file in the OP's problem under the .Net Framework slash 4.0 319 whatsit. I booted into safe mode, ran RKill and some other scans, yet again, then was able to delete the files and then some suspicious ones. For some, I did have to use unlocker. I dumped the %temp% folder as well, just in case, and then rebooted out of safe mode thru msconfig. I've been sitting at said computer for roughly 20 minutes it seems and reopening the log files occasionally. All I see is the unit starting and stating it is running. So far so good. Going by the FRST files, I see nothing out of the ordinary. Which is nigh confusing seeing as it should show up unless he came across some nifty ransomware. Thankfully, MalwareBytes Pro stopped it from downloading and encrypting any files. I went ahead and opened a few hundred files here and there and nothing seems amiss. I'm still confused why it wasn't picking up in earlier scans. My skillset doesn't extend much into pen-testing so you guys will have to fill me in here. Though from the logs I did google the dynamic dns address it was attempting to connect to. I googled that and found it had been brought up in research databases long ago. What I got from that was that it was connected to something called nanocore RAT, which I'd read about a couple of years ago. This was a fresh Xeon build so I was very confused at how this could happen until I realized on the prior build I'd set up some Group Software Policies and cordoned off the majority of the C drive from typical ransomewares. It all started with the Cryptolocker debacle in late 2014 or was it earlier than that? Anyway, I'll be leaving his computer on for the day and come back after work to check on the logs. I've sent the FRST logs to my work email to print them out in large text there and go over them. If still puzzled, I'll PM you if possible. In closing, MalwareBytes rocks. Give a big hug to Marcin for me.

I've spent hours trying to figure out what's going on. MWB keeps blocking access from a .net framework file called RegSvcs to a domain online. Every 2 seconds. I renamed the file and then it tried to do so from another version of .net install of the same file. I've ran rkill, MW bytes, adwkill and a bunch of other programs and still haven't figured it out. I ran the ,net removal tool and reinstalled .net through windows upgrade and it's still showing up. It wasn't yesterday. All I get from googleing is that it's a NANO Admin or w/e that means.

As with MalwareBytes Anti-Malware 1, are we required to set up exceptions for our Anti-virus apps and vice-vers ato prevent performance issues from arising?

No problem. Aneres, just add the EXE file to your file exclusions list. Thanks again, Mieke. Say hi to the cookie monster for me.

Cheers! I've gone ahead and manually placed it on MBAM's ignore list. I'm guessing broad definition? Also any idea when the next update will be? By the way, as a software engineer I can certainly understand that not everything turns out to be perfect, and I really do appreciate the very fast help! This is why I always install MBAM and recommend people buy the paid version.

Also I did uninstall Dragon in the end, cleaned all the folders out, ran CC cleaner, ran MBAM scan in that drive, checked AV, etc. Installed it from their webserver, and still got the issue. Installed it on other computers I have with MBAM on it and they also quarantined it. I've been using Comodo's software for nearly 10 years now. This is the first time I've ever experienced a F/P with their stuff.

Sure! dragon.rar

Forgot to attach txt file in ZIP/RAR> mbam comodo.rar

Just 20 minutes ago MBAM Pro gave me an error stating that Comodo Dragon is a trojan.kryptik. To my knowledge it is not, I have flash and NoScript for Dragon installed. I also prevent autoinstallers by way of the group policy editor in Windows. Nothing is capable of installing itself anywhere on the computer. I now cannot access Dragon, even with MBAM disabled. I cannot uninstall it, I cannot update it and cannot do anything because MBAM decided to restrict it by way of NSIS errors.