Jump to content


  • Content Count

  • Joined

  • Last visited

Community Reputation

0 Neutral

About GammaRayBurst

  • Rank
    New Member

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Thank you for the good answers. I guess it's always a choice between ease of use versus absolute security. We live in a different time now. One thing I had done fairly recently that was different was that I had used the free wifi at our local public library, about 6:30pm on a Saturday. That may have opened me up to something. A couple more questions: What user information is malvertising like that able to grab from the browser and/or my system on my phone? I worried that my gmail passwords could have been compromised, because my phone automatically reconnects to my two dif
  2. Hi Nathan. I didn't want to do that "responding to my own post" thing before I got a reply, as I know that's sort of frowned upon. Yes, I was certain that it was Chrome browser related after reading on an androidcental forum that I should boot into safe mode, delete the Chrome updates, then reinstall, which I did. (Does doing that delete the former browser cache?) I figured out the installation issue. Ever since I added a 32GB SD card to the device, it has been installing all apps to the SD card, not sure why. While looking at my apps list in Safe Mode, I took note of which
  3. Hello, Late yesterday afternoon I got what I'm sure is a virus on my phone (possibly as a result of using the free wifi at my local library). It was an alarm "event" that was going off, saying "You have won an iPhone..." with options for dismiss or snooze. I knew that you never want to click on something like that, so I didn't want to use the buttons to dismiss it. I clicked the home button, but it didn't work. So I powered off the phone and restarted. The alarm event was gone, but then I started seeing notifications saying the same. They had an odd icon to the left of them, nothing I wan
  4. By the way, my computer was taking five minutes to shut down. Whatever your fixes did, it's now pretty fast again! Possibly it had to do with those McAfee problems. Great job.
  5. Hi again Ron, I completed the second fix (log attached), ran Farbar again (two logs attached), then called up MSCONFIG, changed to normal start (it was set to Selective Start), rebooted just fine, then look to see that it was still set to normal (yes). I made some comments for you in the bottom of the fixlog, that all of the registry keys that were marked "Access denied," and which couldn't be deleted even on reboot, no longer exist. (I went in and looked for them.) As I mentioned earlier, I thoroughly researched all of the software in the hidden installs. The only ones that mak
  6. Hi Ron, I ran the very first fixlist from #12, in order to remove the WMI ActiveScriptEventConsumer embedded script, and a few other odds and ends (Chrome cleaned out, etc.). It ran fine, and I confirmed with the Sysinternals Autoruns that the installed script is indeed gone <<BLAMMO!>>. Thank you Malwarebytes for stopping this thing from contacting the mothership in Russia---otherwise I would never have known it was there. (I'm attaching the log from the fix for the removal of this vicious script.) I then ran the Farbar Recovery Scan Tool again. (Logs attached.) My
  7. Hi Ron, I've been trying to wrestle computer away from spouse, who's using for business (grrr). It's tough when you share a computer. Sorry about that. Hope to get caught up tonight and this weekend. I've been looking at both fixlists, and not sure what, if anything, is being deleted (besides the WMI script). Just wanted to check about any deletes. There's stuff on there I think that I haven't used in a while, but not sure I'd want to delete, unless you're thinking it might be used for entry? You said most of the fixlist was just un-hiding programs so that they'll appear in the Unins
  8. Hi Ron, I finished doing the three uninstalls that you listed. 1. McAfee LiveSafe 2. McAfee Virtual Technician (took 3 seconds, whew) 3. Adobe Flash Player 19 ActiveX Now getting ready to run the FRST64.exe with the fixlist.txt from #12. Was looking over a tutorial I found on geekstogo, which mentioned that you'd need to 1. Launch as administrator. 2. Does it make a difference for the fix where I launch the program from? Desktop? vs. External drive? I've been running it from H:\Cindy's Data\Installation Downloads\Farbar on my portable drive.
  9. Hi again Ron, I decided to run the removal tool that you gave the link for, MCPR.exe. The tool gave regular reports about what it was removing, but at the end said that it was not able to remove all of the components, and to see the log file. (I'm attaching the screen print, and the log file.) The log file is simply huge. Lots of the registry keys, folders and files say "does not exist." I suppose it's possible that because I ran the uninstall program, some or many of the components had already been removed. Update: I ran autoruns to see what was still there, did a search, and found
  10. Hi Ron, I tried to uninstall McAfee LiveSafe. It got about half way, and appeared to just hang for a really looooooong time. In my experience with uninstalls, they don't usually hang like that. Something was wrong, so I called up the task manager. It was running McAfee Security Center. I tried to kill it, and it, and it said the program wasn't responding, so I forced it to close. Something is still running in background though, as when I minimize Chrome and File Explorer, I still have a spinning blue wheel. I can't figure out if some process is still running. I opened task manag
  11. Hi Ron, REMOTE SUPPORT SERVICES I believe that my computer only has one remote support tool that I would use, and it's called HP Support Assistant. I saw it listed in the FRST.txt file in the Hewlett-Packard directory under Program Files (x86). I looked for the two remote support programs you have listed in the fixlist.txt file, and did find the directory with Tific Client. The Tific directory under C:\Users\[Me]\AppData\Roaming was modified on March 18, 2018. That is the date that the script last ran, but not the time of day that it last ran. The last time the malicious script
  12. Hi Ron, As of right now, the malicious script, since I unchecked its box on the autorun, has not made a single peep. The Malwarebytes Anti-Malware Premium version (and by the way, I had already bought this product) comes up clean. I downloaded the latest version of Adwcleaner and ran it, and it found a couple little PUP-related things, cleaned and rebooted. The interesting thing is that it is showing nothing malicious in WMI, and that is where the malicious script is sitting. I don't know whether, because it is disabled from running, it is being ignored?? I'll bet tha
  13. It's now 3:11 pm my time, and the outbound communication, which had been going off regularly every three hours at five minutes past the hour, did not happen!! The question is whether leaving the script entry unchecked in autoruns will affect the WMI database itself...such as at restart ... ??
  14. I did just what it said on the entry line for that (un-timestamped) autorun task for that "script in the WMI database": "Double click to open copy." This is our culprit I'm sure, as it references the website address that's being blocked. Not sure what it's designed to do, but it looks really malicious. As I said earlier, I unchecked the checkbox at the head of the entry for the script. The WMI database is apparently something very important to Windows, so disabling the database (monitors system health, etc.) would be a bad thing. Hopefully, unchecking the checkbox disables only the s
  15. Hi Ron, I wanted to make you aware of what I just found. Malwarebytes Anti-Malware Premium's real-time blocking has been regularly blocking outbound communication to the Russian website, as you know. I have now noticed that it is re-queueing itself to run exactly every three hours (12:05 am, 3:05 am; 6:05 am, 12:05 pm was the latest). I checked the Task Scheduler, but didn't see anything, and in fact had read that tasks can be scheduled to be hidden. While looking up something online about viruses scheduling hidden tasks, I found a program from Microsoft called autoruns - sysinternals des
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.