PCBungler
Honorary Members
Posts: 24

Everything posted by PCBungler

  1. I posted one set for PC and one for laptop. You gave me the fix commands for the laptop, which is now sorted (see above log) apart from an orphan sys tray icon. It was my bad for posting about two devices at once. I am going to nuke the PC and rebuild it as it is mainly a gaming box. We can close this now. Thanks for your help!
  2. Hi. Other topic done and dusted. I tried the clean option on MBAM support to no avail. I tried the registry hack to reset the sys tray to no avail. Not 100% happy about posting a ton of detailed logs openly on the internet as I have no idea what they contain. I may just nuke the machine and start again.
  3. All done. Log looks ok?
     Fix result of Farbar Recovery Scan Tool (x64) Version: 26-02-2020
     Ran by PCBungler (04-03-2020 14:31:38) Run:1
     Running from C:\Users\PCBungler\Downloads
     Loaded Profiles: PCBungler (Available Profiles: PCBungler)
     Boot Mode: Normal
     ==============================================
     fixlist content:
     *****************
     SystemRestore: On
     CreateRestorePoint:
     CloseProcesses:
     ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
     FirewallRules: [{1C1C7FD2-9CA3-44D3-8280-99C2818F589E}] => (Allow) C:\Users\PCBungler\AppData\Roaming\Zoom\bin\airhost.exe No File
     CMD: netsh int ip reset
     CMD: ipconfig /flushDNS
     EmptyTemp:
     *****************
     SystemRestore: On => completed
     Restore point was successfully created.
     Processes closed successfully.
     HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
     "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1C1C7FD2-9CA3-44D3-8280-99C2818F589E}" => removed successfully
     ========= netsh int ip reset =========
     Resetting Compartment Forwarding, OK!
     Resetting Compartment, OK!
     Resetting Control Protocol, OK!
     Resetting Echo Sequence Request, OK!
     Resetting Global, OK!
     Resetting Interface, OK!
     Resetting Anycast Address, OK!
     Resetting Multicast Address, OK!
     Resetting Unicast Address, OK!
     Resetting Neighbor, OK!
     Resetting Path, OK!
     Resetting Potential, OK!
     Resetting Prefix Policy, OK!
     Resetting Proxy Neighbor, OK!
     Resetting Route, OK!
     Resetting Site Prefix, OK!
     Resetting Subinterface, OK!
     Resetting Wakeup Pattern, OK!
     Resetting Resolve Neighbor, OK!
     Resetting , OK!
     Resetting , OK!
     Resetting , OK!
     Resetting , OK!
     Resetting , failed.
     Access is denied.
     Resetting , OK!
     Resetting , OK!
     Resetting , OK!
     Resetting , OK!
     Resetting , OK!
     Resetting , OK!
     Resetting , OK!
     Restart the computer to complete this action.
     ========= End of CMD: =========
     ========= ipconfig /flushDNS =========
     Windows IP Configuration
     Successfully flushed the DNS Resolver Cache.
     ========= End of CMD: =========
     =========== EmptyTemp: ==========
     BITS transfer queue => 11034624 B
     DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 279228810 B
     Java, Flash, Steam htmlcache => 0 B
     Windows/system/drivers => 99952205 B
     Edge => 2082380 B
     Chrome => 0 B
     Firefox => 822482794 B
     Opera => 0 B
     Temp, IE cache, history, cookies, recent:
     Default => 0 B
     Users => 0 B
     ProgramData => 0 B
     Public => 0 B
     systemprofile => 0 B
     systemprofile32 => 0 B
     LocalService => 11742 B
     NetworkService => 111374 B
     PCBungler => 248166902 B
     RecycleBin => 0 B
     EmptyTemp: => 1.4 GB temporary data Removed.
     ================================
     The system needed a reboot.
     ==== End of Fixlog 14:33:53 ====
  4. Cool. Those are the laptop ones - will get on it!
  5. Thanks. Since I posted logs for my PC and laptop (just to be awkward 😃), can I confirm which log this fix file is from? I think it is the laptop one as that is the only device I installed Zoom web conferencing on? Cheers!
  6. Cheers. Am tight for time right now but will get to it as soon as I can.
  7. Cheers. The ghost icon does not appear in the actual tray but only in the control panel screen to edit which icons to show. A reboot has not yet clobbered it.
  8. Following the latest update when I try and edit which icons to show in the tray, I see two options for MWB. One works as per. The other has an orange triangle with a ! in it and is not visible. Any ideas? PCB
  9. Hi nasdaq, could you explain what the commands in the file do please and why they are there (I think I know the first set :))? Can you confirm whether this was for the PC or laptop FRST versions, as I included both? It is mainly the laptop that I am concerned about as that is my office one and the PC is mainly gaming.
     Start::
     SystemRestore: On
     CreateRestorePoint:
     CloseProcesses:
     ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
     FirewallRules: [{1C1C7FD2-9CA3-44D3-8280-99C2818F589E}] => (Allow) C:\Users\PCBungler\AppData\Roaming\Zoom\bin\airhost.exe No File
     CMD: netsh int ip reset
     CMD: ipconfig /flushDNS
     EmptyTemp:
     End::
     Thanks for clarifying the risk issue. I had a further thought about the blocks. Both the laptop and the PC had the VPN plugin, but it was only the PC that had the JS adware trojan detected by MSS and only the PC that had the popups. I wonder therefore if the blockers were related to that rather than the VPN. Since the plugin did not get picked up as a virus whilst installed, and anything involving a login I did when it was installed would have been over HTTPS or equivalent, I am reasonably sure that even if the VPN was iffy, I should be OK from the perspective of the messages being sniffed en route. Make sense?
  10. Also (sorry to be a pain) I assume that the "nothing suspicious" covers both the PC and laptop logs?
  11. Oh, I could not see a fixlist attachment to download?
  12. Thanks. A relief! I will do so shortly. Regarding the VPN FF plugin, the suspicious website blocks and the fact that they went after I removed the plugin - do you think there is a risk I have had any data compromised whilst the plugin was installed bearing in mind I have Defender, MWB premium and MWB FF Browser plugin running? I really do not want to have to go and reset all the passwords for the sites I have used since I stupidly put in the VPN plugin? Thanks again!
  13. Here are the laptop logs. If you could review these as well I would be grateful. Interestingly, I note that both the PC and laptop have a "No Name" extension. Thanks in advance.
      Attachments: Addition - laptop.txt, FRST - laptop.txt
  14. Edit: Am also curious as to why the Trojan only appeared when I clicked on certain sites? Were these sites that the Trojan used to phone home?
  15. Updated information: I realised I had FF sync across my PC and laptop so checked that out (in the middle of the night as I could not sleep). It had the VPN plugin. Oddly, with that installed but turned off it did not cause the blocked Trojan pop up like it did on the PC. The version on the laptop had the user information filled in on the plugin page, which the PC one did not. When I clicked on the developer link, I got a 404 saying Mozilla had removed it under TOS. Clearly it was dodgy. Being half asleep I deleted it from the laptop, which with the sync means it is no longer on the PC either, so can't run FRST with it on there - am still doing that and will add here anyway (doh!). I ran ADWCleaner overnight (before I deleted it) and that reported clean. Microsoft Safety Scanner (again overnight before I removed the plugin) detected go.microsoft.com/fwlink/?linkid=139454&name=Adware:JS/InjectorAd.A which it removed. I am currently running a deep MWB scan (currently 10 hours). Would still appreciate an assessment of the FRST report so I can do a threat assessment on whether I need to change a bazillion passwords or rebuild my machines. Lesson learned - do not install VPN plugins on Firefox.
  16. Hi, I installed from the FF extensions store - is this an OK source given it warns about it? PCBungler
  17. Hi. So I posted in the Website Blocking section that I kept getting an MWB block on certain websites. See log below. Someone suggested I check FF plugins. It turns out I had a VPN plugin enabled but not active. When I deactivated it, the block stopped. I need to do a threat assessment on the VPN (which I can no longer find on the FF extensions store). Defender and MWB scans show no issue. Attached are the FRST logs. I need to know: Do I need to reset all my passwords? Can this extension peruse stuff outside of the executing FF session? Cheers, PCBungler (appropriate name in the circumstances!)
      Malwarebytes
      www.malwarebytes.com
      -Log Details-
      Protection Event Date: 28/02/2020
      Protection Event Time: 12:29
      Log File: 0230ecc4-5a26-11ea-a44c-1c6f65fc04e6.json
      -Software Information-
      Version: 4.0.4.49
      Components Version: 1.0.823
      Update Package Version: 1.0.19950
      Licence: Premium
      -System Information-
      OS: Windows 10 (Build 18362.657)
      CPU: x64
      File System: NTFS
      User: System
      -Blocked Website Details-
      Malicious Website: 1 , C:\Program Files\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0
      -Website Data-
      Category: Trojan
      Domain: clarklordy.com
      IP Address: 172.64.138.9
      Port: 443
      Type: Outbound
      File: C:\Program Files\Mozilla Firefox\firefox.exe
      (end)
      Attachments: FRST.txt, Addition.txt
  18. I assume that a malicious plugin can only spy on what the browser is doing?
  19. Well that was annoying. I had a Firefox VPN extension (enabled but not active). Turning it off stopped the message. It was odd that only certain sites triggered it whilst it was active but not running VPN. I now can't find it in the list of VPN extensions on FF, so wonder if it has been removed. In hindsight I was an idiot because, reading the other ones, they all say not recommended. That being said, I have MWB browser guard, MWB and Defender all behaving and showing no issues. It was only this week when it decided to play up. I hope having it sitting there enabled but not active has not compromised me. I guess the best thing to do is go through all the bloody accounts I have and change the password. ARGH!
  20. Sorry for spamming - do not know how to edit a post. I inspected the HTML and the only thing that is suspect is some Google ad tracking code.
  21. Thanks. So far no detections on my deep scan. Does this simply mean the browser is being served malicious code from a website that MWB is catching? Why would the site be accessing this site? Cheers
  22. Hi. So recently when browsing, I have been getting the occasional block alert for a site called clarklordy.com. Today I have downloaded a backup copy of a website I am decommissioning and when I tested the local browsing, one page popped up the dreaded warning. Oddly, the same page does not trigger the alert on the live website. The only significant thing about the page in question is that it has an embedded Google calendar. I did a Defender and MWB scan of the downloaded site and both came up clean. Any ideas? Log output below... Cheers!!!!
      Malwarebytes
      www.malwarebytes.com
      -Log Details-
      Protection Event Date: 27/02/2020
      Protection Event Time: 21:16
      Log File: 7ab16d98-59a6-11ea-b495-1c6f65fc04e6.json
      -Software Information-
      Version: 4.0.4.49
      Components Version: 1.0.823
      Update Package Version: 1.0.19938
      Licence: Premium
      -System Information-
      OS: Windows 10 (Build 18362.657)
      CPU: x64
      File System: NTFS
      User: System
      -Blocked Website Details-
      Malicious Website: 1 , C:\Program Files\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0
      -Website Data-
      Category: Trojan
      Domain: clarklordy.com
      IP Address: 104.28.17.15
      Port: 443
      Type: Outbound
      File: C:\Program Files\Mozilla Firefox\firefox.exe
      (end)
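As an added example (not code from the thread or from Malwarebytes), a small Python parser for the protection-event text export quoted in the posts above. It splits the export into its sections, pulls the fields a responder triages first, and flags whether the blocked outbound connection was initiated by the browser process itself, which is what points the investigation at page content and extensions rather than at a separate program on the host. The sample event, its domain and its IP are constructed placeholders.

```python
import ntpath
import re

# Constructed sample in the layout of the Malwarebytes 4.x protection-event text
# export quoted in the posts above; the domain and IP are placeholders, not real.
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com
-Website Data-
Category: Trojan
Domain: blocked.example.invalid
IP Address: 192.0.2.10
Port: 443
Type: Outbound
File: C:\Program Files\Mozilla Firefox\firefox.exe
(end)
"""

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}

def parse_mbam_block_log(text):
    """Split the '-Section-' / 'Key: Value' layout into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"-(.+)-", line)
        if m:                                          # e.g. -Website Data-
            current = m.group(1)
            sections[current] = {}
        elif current is not None and ": " in line:     # banner lines carry no field
            key, value = line.split(": ", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def summarise_block(sections):
    """Pull the fields a responder triages first and classify the event."""
    site = sections.get("Website Data", {})
    process = ntpath.basename(site.get("File", ""))    # Windows path, any host OS
    event = {
        "category": site.get("Category"),
        "domain": site.get("Domain"),
        "ip": site.get("IP Address"),
        "port": int(site["Port"]) if site.get("Port", "").isdigit() else None,
        "direction": site.get("Type"),
        "process": process,
    }
    # An outbound block initiated by the browser binary means the request came from
    # inside the browser session (page script, embedded content or an extension).
    event["browser_outbound"] = event["direction"] == "Outbound" and process.lower() in BROWSERS
    return event
```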