HardDriveWhiner

Members
Content Count: 9
Rank: New Member

Posts by HardDriveWhiner, most recent first:

  1. I can't attach the .dll so I'm changing it to a .doc extension. Please change it back if you need to do so. How were you able to verify it as a false positive? Was Emotet not in existence in 1998? Please let me know that this is definitely not a virus, because reading about Emotet is fairly scary. THANKS.

     Attachments: ds32.doc, ds32a.doc
  2. Recent signature files identified 2 files on my computer as EMOTET. These files were in a dormant C:\ drive directory and were installed from a Sybex book's CD called Mastering Database Programming in VB6. This directory hasn't been visited for years and just travels as a directory from one computer to another. The directory contains files that are dated from 1998. I know that the files have not been altered because I dug out the old CD and scanned it. The same two files are identified as Trojan.EMOTET. The C:\ directory has never come up with any flags for as long as I have been scanning with antivirus, probably greater than 10 years. I can't actually see the file size because they are in quarantine. However, a set of these two files located on another logical HD shows that the file size and dates from that location are the same as the ones on the CD. Before I restore them, can you please confirm that they are false positives? I can submit the actual files if you need them.

     Here's the log file from the C:\ drive scan:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 12/21/18
     Scan Time: 5:38 PM
     Log File: 24c542c2-0571-11e9-b9cf-0026b900b27c.json

     -Software Information-
     Version: 3.6.1.2711
     Components Version: 1.0.482
     Update Package Version: 1.0.8431
     License: Free

     -System Information-
     OS: Windows 10 (Build 17134.407)
     CPU: x64
     File System: NTFS
     User: XPS1640\Robert

     -Scan Summary-
     Scan Type: Custom Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 499417
     Threats Detected: 2
     Threats Quarantined: 2
     Time Elapsed: 2 hr, 6 min, 38 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0 (No malicious items detected)
     Module: 0 (No malicious items detected)
     Registry Key: 0 (No malicious items detected)
     Registry Value: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)
     Data Stream: 0 (No malicious items detected)
     Folder: 0 (No malicious items detected)
     File: 2
     Trojan.Emotet, C:\VB 6 MASTERING AND DATABASE PROGRAMMING\MASTDPVB (G)\ALPHA\SETUP\DS32A.DLL, Quarantined, [5854], [614685],1.0.8431
     Trojan.Emotet, C:\VB 6 MASTERING AND DATABASE PROGRAMMING\MASTDPVB (G)\X86\SETUP\DS32.DLL, Quarantined, [5854], [614685],1.0.8431
     Physical Sector: 0 (No malicious items detected)
     WMI: 0 (No malicious items detected)
     (end)

     Here's the log file from the CD:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 12/21/18
     Scan Time: 8:27 PM
     Log File: c2d58b9a-0588-11e9-ba29-0026b900b27c.json

     -Software Information-
     Version: 3.6.1.2711
     Components Version: 1.0.482
     Update Package Version: 1.0.8435
     License: Free

     -System Information-
     OS: Windows 10 (Build 17134.472)
     CPU: x64
     File System: NTFS
     User: XPS1640\Robert

     -Scan Summary-
     Scan Type: Custom Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 2102
     Threats Detected: 2
     Threats Quarantined: 0
     Time Elapsed: 6 min, 17 sec

     -Scan Options-
     Memory: Disabled
     Startup: Disabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0 (No malicious items detected)
     Module: 0 (No malicious items detected)
     Registry Key: 0 (No malicious items detected)
     Registry Value: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)
     Data Stream: 0 (No malicious items detected)
     Folder: 0 (No malicious items detected)
     File: 2
     Trojan.Emotet, I:\ALPHA\SETUP\DS32A.DLL, No Action By User, [5854], [614685],1.0.8435
     Trojan.Emotet, I:\X86\SETUP\DS32.DLL, No Action By User, [5854], [614685],1.0.8435
     Physical Sector: 0 (No malicious items detected)
     WMI: 0 (No malicious items detected)
     (end)
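A check that goes further than the size-and-date comparison in the post above, as an added example that is not part of the original thread or of any Malwarebytes tooling: hash both copies of each flagged DLL and pull the Authenticode status and version resource in one pass. The paths are assumptions taken from the log (CD mounted as I:, the untouched copy on the other logical drive assumed to be D:). Malwarebytes keeps quarantined files in its own container, so the copy compared here is the one on the other drive, not the quarantined one. A matching SHA-256 proves the two copies are byte-identical; it does not by itself prove the bytes are benign, so the hash is what goes into a false-positive report alongside the file itself.

```powershell
# Added example (not from the original thread). Compares a reference copy of a
# flagged file against a suspect copy by SHA-256 and reports the metadata a
# reviewer asks for. Paths used at the bottom are assumptions, not from the post.

function Compare-SuspectFile {
    param(
        [Parameter(Mandatory)] [string] $ReferencePath,   # copy on the original CD
        [Parameter(Mandatory)] [string] $SuspectPath      # copy on the hard drive
    )

    $report = [ordered]@{}
    foreach ($label in 'Reference', 'Suspect') {
        $path = if ($label -eq 'Reference') { $ReferencePath } else { $SuspectPath }
        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $ver  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)

        $report[$label] = [pscustomobject]@{
            Path          = $path
            Length        = $item.Length
            LastWriteTime = $item.LastWriteTimeUtc
            SHA256        = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Signature     = $sig.Status                    # NotSigned is normal for a 1998 DLL
            Signer        = $sig.SignerCertificate.Subject # $null when unsigned
            Company       = $ver.CompanyName
            Product       = $ver.ProductName
            FileVersion   = $ver.FileVersion
        }
    }

    [pscustomobject]@{
        Identical = ($report.Reference.SHA256 -eq $report.Suspect.SHA256)
        Reference = $report.Reference
        Suspect   = $report.Suspect
    }
}

# Constructed usage. I: is the CD from the log; D:\... is an assumed location of
# the copy on the other logical drive mentioned in the post.
$cmp = Compare-SuspectFile -ReferencePath 'I:\X86\SETUP\DS32.DLL' `
                           -SuspectPath   'D:\MASTDPVB (G)\X86\SETUP\DS32.DLL'

$cmp.Reference, $cmp.Suspect | Format-List

if ($cmp.Identical) {
    "Hashes match: report SHA256 $($cmp.Suspect.SHA256) with the false-positive submission."
} else {
    "Hashes differ: the on-disk copy is not the CD copy; treat it as untrusted."
}
```

Get-AuthenticodeSignature reports NotSigned for most installer DLLs of that era, which is expected and is not evidence either way; the version resource (company and product name) is the more useful context for a reviewer looking at an old SDK file.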
  3. Sorry Kevin, here is the fixlog.txt from the Fix after the first repair.

     Attachment: Fixlog.txt
  4. Here are the two files from the 2nd Farbar Recovery Scan. They are FRST.txt and Addition.txt. I am concerned about two items in the FRST.txt: the whitelisted Internet Edge extensions, which are dated 3/20/18. Edge was the application that prompted the popup, and I would like to eliminate these two whitelisted items because I am concerned that the fileless virus may be inserted into either of these extensions and lie dormant there. I have not run Edge since the intrusions because I am afraid to do so. Could you send me back a fixlist with these two items to remove them from the whitelist? Thanks.

     Attachments: FRST.txt, Addition.txt
  5. Hi Kevin, enclosed are the Malwarebytes scan results after running the Farbar fix. The file is called Scan Results After Fix.txt. AdwCleaner came up clean on the first pass; file enclosed. Sophos Virus Removal: 0 threats. I am also enclosing an FRST.txt which is from a scan after the cleaning. I am concerned about two items: the Edge extensions, which are dated 3/20/18. Edge was the application that prompted the popup, and I would like to eliminate these two whitelisted items because I am concerned that the fileless virus may be inserted into either of these extensions and lie dormant there. I have not run Edge since the intrusions because I am afraid to do so. Could you send me back a fixlist with these two items to remove them from the whitelist? Thanks.

     Attachments: Scan Results After Fix.txt, AdwCleaner[C0].txt, FRST.txt
  6. Hi Kevin again, sorry for the confusion in the sentence above: "I also ran a Malwarebytes and Kaspersky 2018 scan which did not show any malware." It should read: I THEN ran a Malwarebytes and Kaspersky 2018 scan, which did not show any malware.
  7. Hi Kevin, thanks for your help. I downloaded Farbar and ran it with Administrator privileges. Here are the two files. After I posted on Malwarebytes, but before your reply, I system restored to an earlier date (Mar 8). That executed properly. I also ran a Malwarebytes and Kaspersky 2018 scan which did not show any malware. (There were a couple of old programs on another logical drive that had minor vulnerabilities according to Kaspersky, but no malicious entries.) (BTW McAfee never showed any malware after the infection!!) I ran netstat -ano and did not come up with any definite PID concerns. I did have a number of svchost processes running, and a search for svchost.exe turned up:

     1) Windows (C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon), dated 3/10/2016
     2) System32 (C:\Windows\)
     3) SysWOW64 (C:\Windows\)

     I am enclosing the pictures of the netstat result in case it is of use. I don't know if a system restore would solve a potential fileless malware. I guess the registry would be overwritten, but can the fileless malware write to the system restore backup registry or otherwise survive a system restore? If the system restore is sufficient I won't do anything more. I was wondering what you meant by "exploit"? If it is injected into a running process, does it then write a file, script, or executable to some location to be run in the future? Would a system restore be sufficient? I also have a complete backup of the partition and logical hard drive, and I think I would be capable of overwriting the current system installation, but I don't know for sure if it will work and I am reluctant to go down this road. However, it is exceedingly important to me that there not be any vulnerabilities left, so I will do that if you think there is any chance of residual malicious software and you recommend it. In the files below, the executable PCOP.exe is software I wrote, so ignore it if you think it is suspicious.

     Attachments: FRST.txt, Addition.txt
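The post above does the svchost.exe and netstat -ano checks by hand. Here is the same triage in one pass, as an added example that is not part of the original thread or of any Malwarebytes or Farbar tooling: every svchost.exe instance is listed with its path, parent process and Authenticode status, and every established TCP connection is mapped to its owning process. The expected svchost.exe locations are the System32 and SysWOW64 paths from the post; the copy under the Malwarebytes Chameleon folder the poster found would surface as an unexpected path and should be judged by its signature rather than its name. Get-NetTCPConnection assumes Windows 8 or later; run the script from an elevated prompt so that process paths are readable.

```powershell
# Added example (not from the original thread). Triage of svchost.exe instances
# and established TCP connections, replacing the manual netstat -ano review.
# Expected paths are assumed from the poster's own list; everything else is
# read live from the system.

$expectedPaths = @(
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe"
)

function Get-SvchostTriage {
    # Win32_Process exposes ParentProcessId and the full command line, which
    # Get-Process does not.
    $procs = Get-CimInstance Win32_Process -Filter "Name='svchost.exe'"
    foreach ($p in $procs) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        $sigStatus = if ($p.ExecutablePath) {
            (Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath).Status
        } else { 'Unknown' }

        [pscustomobject]@{
            PID          = $p.ProcessId
            Path         = $p.ExecutablePath
            PathExpected = ($expectedPaths -contains $p.ExecutablePath)  # case-insensitive
            ParentName   = $parent.Name        # services.exe for a genuine service host
            Signature    = $sigStatus          # Valid for the Microsoft binary (catalog-signed)
            CommandLine  = $p.CommandLine      # shows the -k service group it hosts
        }
    }
}

function Get-ConnectionOwners {
    # Equivalent of netstat -ano for established connections, joined to the
    # owning process so the PID does not have to be looked up by hand.
    Get-NetTCPConnection -State Established | ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            PID           = $_.OwningProcess
            Process       = $owner.Name
            Path          = $owner.Path
        }
    }
}

# Anything printed here deserves a closer look: wrong location, unsigned binary,
# or a parent other than services.exe.
Get-SvchostTriage |
    Where-Object { -not $_.PathExpected -or $_.Signature -ne 'Valid' -or $_.ParentName -ne 'services.exe' } |
    Format-Table -AutoSize

# Connections owned by processes outside the Windows directory are the ones
# worth explaining; the poster's own PCOP.exe would show up here by design.
Get-ConnectionOwners |
    Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\*" } |
    Format-Table -AutoSize
```

An empty first table means every svchost.exe is the Microsoft binary in its normal location, started by services.exe. It does not rule out code injected into a legitimate svchost.exe, which is the fileless case the thread is about; for that, the second table (who is talking to whom) and the service group on the command line are the leads to follow.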
  8. I unfortunately was fooled by the "Update Adobe Flash" popup and got the following virus: Rootkit.Fileless.MTGen and Trojan.Fileless.MTGen. Initially I was not able to open Malwarebytes, but I used an old version and the Chameleon option, which did allow me to upgrade to the most recent version with the most recent signatures. Next I disconnected from the internet. I then did a default threat scan and had three malicious registry key entries, which I quarantined. A reboot and repeat default scan resulted in one further infected key being identified. I then rebooted and did two subsequent scans with the rootkit option enabled, and no malicious items were detected. I will enclose the logs of the two infected scans and then the clean scan, numbered in sequence.

     1) What I would like to know is whether my system is clean of virus, Trojan, and rootkit risk, and that none of my files are at risk of being stolen from my hard drive, nor is my computer vulnerable to becoming a bot. The reason I ask is because on the Malwarebytes website I read that these fileless viruses are capable of "disappearing" from detection. However, did the injected files open up other ways of gaining access to the computer that are not identifiable? Can this malicious event install some sort of executable file or script which is not detected after the infected items are removed?

     2) Should I delete the 4 quarantined virus keys from the virus vault? I have no use for them unless you may need them in the future for some sort of investigation. Also, I think I have the URL for the bogus web site and can send that to you if you have a need for it.

     Attachments: Malwarebytes Virus Scan 03202018 Scan 1.txt, Malwarebytes Virus Scan 03202018 Scan 2.txt, Malwarebytes Virus Scan 03202018 Scan 3.txt