
anniyan


Everything posted by anniyan

  1. I upgraded my OS to Windows 10 Home x64 v.1909 recently, and today tried AdwCleaner 8.0.2. It runs fine without problems. :)
  2. I sincerely hope that I was of the required help to Malwarebytes to fix this bug in AdwCleaner 8.0.1. It was a pleasure.
  3. OK sir, but I am not much of a geek, so let me clarify this. I should execute this code as a .bat file and post back the error code it returns, right? As for the help about the dumps, thanks a lot.
  4. I found that there are no crash dumps created by AdwCleaner in that location, only those by nahimicsvc32.exe. Can you tell me what they mean? I have PMed GoatCheez the link to the file by WeTransfer.
  5. Sorry about the late reply, I was quite held up. Yes, I would do the crash dumps thing and report back soon. Thanks for your patience.
  6. AdwCleaner 8.0.1 will not run in Safe Mode with Networking. Here is the Get-HotFix output:

     Source  Description      HotFixID   InstalledBy          InstalledOn
     ------  -----------      --------   -----------          -----------
     DELL    Update           KB4533002  NT AUTHORITY\SYSTEM  14-12-19 12:00:00 AM
     DELL    Security Update  KB4497727                       1-4-19 12:00:00 AM
     DELL    Security Update  KB4498523  NT AUTHORITY\SYSTEM  4-9-19 12:00:00 AM
     DELL    Security Update  KB4516115  NT AUTHORITY\SYSTEM  7-11-19 12:00:00 AM
     DELL    Security Update  KB4521863  NT AUTHORITY\SYSTEM  7-11-19 12:00:00 AM
     DELL    Security Update  KB4524569  NT AUTHORITY\SYSTEM  18-11-19 12:00:00 AM
     DELL    Security Update  KB4525419  NT AUTHORITY\SYSTEM  7-11-19 12:00:00 AM
     DELL    Update           KB4530684  NT AUTHORITY\SYSTEM  14-12-19 12:00:00 AM
  7. I have been redirected here from https://www.bleepingcomputer.com/forums/t/709723/new-laptop-infected-mouse-pointer-alternates-betn-normal-and-working/page-3#entry4930134. My original symptom regarding the mouse pointer is no more, but AdwCleaner 8.0.1 will not run. When I double-click on it from my standard account as well as my administrator account, the UAC dialog box opens up, and then after I enter the administrative password and click on YES, nothing happens. I found a similar thread here, but did not want to post this there coz it may mean hijacking that thread.
  8. The main reason I use 360-AV is that it has 5 engines including Bitdefender and Avira, unlike other AV products. Anyway, this is not the right place for me to talk about it. I have been using 360-AV and LastPass for ages but have never had this issue. But I am really thankful to you for everything. The next option I have is to re-install Windows and see if the symptom persists. Any suggestion is most welcome.
  9. UPDATE: the cmd process occurs for LASTPASS too when its NATIVE MESSAGING feature in the binary component of LASTPASS is activated. I emailed LASTPASS.COM support about this as follows:

     SUBJECT: cmd.exe runs with lastpass for chrome

     Hi, I am using Windows 7 Home Premium 64-bit edition. I have installed LastPass in my Windows for managing passwords in all my browsers. But every time I run my Chrome 64-bit browser, a cmd.exe process runs. It does not run if the LastPass Chrome extension is disabled. Is this normal, i.e., does the LastPass extension for Chrome use a cmd process to run every time? If it is abnormal I should consult a malware removal expert. Thanks in advance.

     And here is what they replied:

     Hello, Thank you for reaching LastPass Support! We are happy to assist you! Please remove or uninstall your LastPass extension completely on your device (https://helpdesk.lastpass.com/uninstalling-deleting-lastpass/) and reinstall it again using our universal installer here https://lastpass.com/dl Please test the issue again. Thank you. Regards.
  10. Hi sir, bad news: I installed Chrome. Then I installed the 360-AV's browser extension. Immediately a cmd process started in the Task Manager and there was a popup from my AV asking whether to allow it. I did nothing, so it got blocked by default. I closed Chrome. Next time I started Chrome, the same thing happened. To check whether the same behavior happens, I installed Vivaldi, another browser based on Chromium, and then installed my AV's browser extension. The same thing happened here too. So the inference is that it affects all Chromium-based browsers. Then when I disable the extension in Chrome, the cmd process terminates. The funny thing is that when I re-enable the extension in CHROME, the cmd process again starts and tries to affect the 360-AV extension in VIVALDI too, even when VIVALDI is not running. I.e., every time I enable the extension in CHROME (NOT VIVALDI), I get this warning that the cmd process is trying to infect VIVALDI: if the cmd process is blocked by my AV, the cmd process terminates in the Task Manager. {Sorry about the many screenshots (just coz a picture can speak much more than a thousand words).} This was how things were too, the last time when I re-installed Chrome. First this behavior was exhibited only with the 360-AV's extension. Then after some days another cmd process that started running with LastPass's extension for Chrome started appearing. That was when I sought help here. If the only option left is repaving my Windows installation, I am ready to do that too, PROVIDED the infection won't return. Waiting for your guidance, thank you.
  11. I can know that only after I re-install Chrome. Other than that I can't identify any symptoms of malware as of now.
  12. 2. IMMUNET frequently shows notifications like this: it allows almost all of them, but quarantines a few of them. I don't know what these files are. Do these belong to Qihoo 360 Total Security?
  13. The full system scan is over. It found some PUPs and removed them. But there are some problems still: 1. I can't remove the USB drives using the safely remove method coz Windows shows that the disk is in use, even though they are not. So I have to shut down the PC every time before unplugging them. So I tried the software from http://safelyremove.com/ but even that can't stop whatever process is running and shows the following screen:
  14. Since I am including my external HDDs in my full system scan, it takes a long time. And I am quite held up out of station. Thank you for the patience.
  15. I ran the scan without booting into Safe Mode. I hope it is OK? Please find attached the log. mbam-scan.txt
  16. I did as per your instructions. Upon restart, IDM popped up a message box saying that one of its files has been deleted and IDM needs to be installed again. I ignored the message and closed the box. Fixlog.txt
  17. I did as per your instructions. TFC did not ask for a reboot, but I rebooted to be on the safer side. I have not re-installed Chrome. I have attached the logs of TFC and FRST. After uninstalling Chrome, IE opened automatically asking for Google's feedback. At that time IE displayed a message: I clicked on "fix settings for me" but I did not respond. I then closed IE. Now I am posting here using Cyberfox. tfc.txt Addition.txt FRST.txt
  18. Hi, my laptop has been infected through Skype. I sought help at BLEEPINGCOMPUTER.COM and I was helped, yet he could not solve the issue fully. For a detailed overview of what my issue is and what had happened after that, please take a look at (many thanks for your patience):

     http://www.bleepingcomputer.com/forums/t/630794/got-infected-through-skype/
     http://www.bleepingcomputer.com/forums/t/631260/logs-got-infected-through-skype/

     Since the topics had been locked, and the person who was helping me was out of options (which he conveyed directly), I tried to investigate further as to what type of infection it could be. I installed System Explorer from systemexplorer.net. From that, I found out that whenever Google Chrome starts, 2 cmd.exe processes load into memory: one piggybacked onto my AV's browser extension for Chrome "360 Internet Protection" and the other cmd loads through "LastPass for Chrome". If I disable these 2 extensions, the cmd processes stop running, and if I enable these 2 extensions, the 2 cmd processes start running. One of them has the following parameter:

     C:\Windows\system32\DllHost.exe /Processid:{53362C64-A296-4F2D-A2F8-FD984D08340B}

     The other has this parameter:

     C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\LastPass\nplastpass.exe" --parent-window=0 chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/ < \\.\pipe\chrome.nativeMessaging.in.c399b4121a0bed8f > \\.\pipe\chrome.nativeMessaging.out.c399b4121a0bed8f

     where the random string of characters varies from one browsing session to another. So my hunch is that the hacker is trying to record my online activity using the trusted file cmd.exe. The module details of the 2nd cmd process are attached as a screenshot. I tried to clean the infection by installing Immunet 5, but it did not detect it either. I ran SFC to know if the infection has corrupted any system files. It returned that some files had been corrupted but were successfully repaired.
     I am even ready to re-install Windows, PROVIDED the malware WON'T re-infect the new Windows installation. What should I do now? Or should I try to scan my laptop using any AV's recovery disc USB? Or use ComboFix under guidance? Somebody please help me. :'( Please find attached the FRST.TXT and ADDITION.TXT Addition.txt FRST.txt
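The command line quoted in post 18 is the shape Chromium uses to start a native-messaging host: cmd.exe /c runs the host executable with the calling extension's id and redirects its stdin/stdout to a pair of named pipes. The following triage helper is an added example, not code from the thread, LastPass or Malwarebytes: it recognises that launch shape and flags launches that deviate from it. The allowlist entry is taken from the post's own command line; the browser list and the Program Files check are assumptions.

```python
import re

# Shape of a Chromium native-messaging host launch as quoted in the post:
#   cmd.exe /c "<host>" <args> chrome-extension://<id>/ < \\.\pipe\chrome.nativeMessaging.in.<hex> > ...out.<hex>
NATIVE_MSG_RE = re.compile(
    r'^"?[a-z]:\\windows\\system32\\cmd\.exe"?\s+/c\s+"(?P<host>[^"]+)"'
    r'(?P<args>(?:\s+\S+)*?)\s+chrome-extension://(?P<ext>[a-p]{32})/\s+'
    r'<\s*\\\\\.\\pipe\\chrome\.nativemessaging\.in\.(?P<inpipe>[0-9a-f]+)\s+'
    r'>\s*\\\\\.\\pipe\\chrome\.nativemessaging\.out\.(?P<outpipe>[0-9a-f]+)\s*$',
    re.IGNORECASE,
)
# Browsers named in the thread; extend for the Chromium builds in your fleet (assumption).
CHROMIUM_BROWSERS = {"chrome.exe", "vivaldi.exe"}

def classify_cmd(cmdline, parent_image, allowlist):
    """Return (kind, findings). kind is 'native_messaging' when the line has the
    Chromium launch shape, else 'other'; findings lists why a matching line still
    needs a look. allowlist maps extension id -> expected host executable path."""
    m = NATIVE_MSG_RE.match(cmdline)
    if not m:
        return "other", []
    host, ext = m.group("host"), m.group("ext").lower()
    findings = []
    if parent_image.lower() not in CHROMIUM_BROWSERS:
        findings.append("parent is not a Chromium browser")
    if m.group("inpipe").lower() != m.group("outpipe").lower():
        findings.append("in/out pipe ids differ")
    expected = allowlist.get(ext)
    if expected is None:
        findings.append("extension id not in allowlist")
    elif expected.lower() != host.lower():
        findings.append("host path differs from allowlist")
    if not host.lower().startswith("c:\\program files"):
        findings.append("host outside Program Files")
    return "native_messaging", findings

# The two command lines quoted in the post, plus one constructed variant.
LASTPASS_LINE = (r'C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\LastPass\nplastpass.exe"'
                 r' --parent-window=0 chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/'
                 r' < \\.\pipe\chrome.nativeMessaging.in.c399b4121a0bed8f'
                 r' > \\.\pipe\chrome.nativeMessaging.out.c399b4121a0bed8f')
DLLHOST_LINE = r'C:\Windows\system32\DllHost.exe /Processid:{53362C64-A296-4F2D-A2F8-FD984D08340B}'
ODD_LINE = LASTPASS_LINE.replace(r'C:\Program Files (x86)\LastPass\nplastpass.exe',
                                 r'C:\Users\Public\lphelper.exe')  # constructed: host in a user-writable folder
# Extension id -> host path, taken from the post's own command line.
ALLOWLIST = {"hdokiejnpimakedhajhdlcegeplioahd": r"C:\Program Files (x86)\LastPass\nplastpass.exe"}

if __name__ == "__main__":
    for line in (LASTPASS_LINE, DLLHOST_LINE, ODD_LINE):
        print(classify_cmd(line, "chrome.exe", ALLOWLIST))
```

Run against Sysmon or EDR process-creation events, an empty findings list for a matching launch is the expected LastPass behaviour the support reply describes; anything else is worth a look.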