FLau
Everything posted by FLau
-
Hi! Here is the fixlog. The mentioned entries are gone after a re-scan. I assume that fixes my problem. The only entry that remains and might be related is:

Task: {8B430336-0EB3-416C-99BD-FF2263676703} - System32\Tasks\Windows Remote Disc => H:\Node\\node.exe [54800536 2020-04-29] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{EE3E61FE-9C8D-4547-93F4-E6196313161D}\{80BDB538-79F6-4E58-88DE-53175C4C23B6}"

But Farbar doesn't seem to identify it as a threat. Thank you for your help!

Sincerely
Flau

Fixlog.txt
-
Hi! The following entries are questionable (FRST):

Task: {73D75DFB-83C6-4372-8FA4-556CB6311BE8} - System32\Tasks\Intel(R)ContentKryptografiedienste => C:\Program Files (x86)\nodejs\node.exe -> C:\Windows\Installer\{8FF87EC6-8533-43AC-B0E9-0D4FCA0F3221}\{720A740F-4050-4BFD-B1D2-C325A30C496E} <==== ATTENTION
Task: {AEDE2296-48D8-4036-A05F-1B035F691FD2} - System32\Tasks\Windows-AudioProtokollOfflinedateien => C:\Program Files\nodejs\node.exe -> C:\Windows\Installer\{95B63FA7-ED33-4E29-A708-0EF5B0306002}\{7AFB5CBB-AD8E-4A99-AC34-13CB5B160D9E} <==== ATTENTION

Additions:

FirewallRules: [TCP Query User{5C412A38-68F2-4431-A2C1-6AEC397336FD}C:\program files\lghub\lghub_agent.exe] => (Allow) C:\program files\lghub\lghub_agent.exe => No File
FirewallRules: [UDP Query User{DAB571FF-E702-4961-BDB4-B2B8AD980C26}C:\program files\lghub\lghub_agent.exe] => (Allow) C:\program files\lghub\lghub_agent.exe => No File
FirewallRules: [TCP Query User{AA36D589-2BEB-4EE1-9148-2AC374355ABC}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File
FirewallRules: [UDP Query User{010D1AAA-A778-4CFF-8D76-3DA3B9BB9178}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File

Sincerely,
Flau

Addition.txt
FRST.txt
-
Hi! Yesterday evening I did another scan with the Farbar tool and looked at the FRST a bit longer and identified a few entries that I removed manually:

Task: {8B430336-0EB3-416C-99BD-FF2263676703} - System32\Tasks\Windows Remote Disc => H:\Node\\node.exe [54800536 2020-04-29] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{EE3E61FE-9C8D-4547-93F4-E6196313161D}\{80BDB538-79F6-4E58-88DE-53175C4C23B6}"
Task: {AEDE2296-48D8-4036-A05F-1B035F691FD2} - System32\Tasks\Windows-AudioProtokollOfflinedateien => C:\Program Files\nodejs\node.exe -> C:\Windows\Installer\{95B63FA7-ED33-4E29-A708-0EF5B0306002}\{7AFB5CBB-AD8E-4A99-AC34-13CB5B160D9E} <==== ATTENTION
Task: {73D75DFB-83C6-4372-8FA4-556CB6311BE8} - System32\Tasks\Intel(R)ContentKryptografiedienste => C:\Program Files (x86)\nodejs\node.exe -> C:\Windows\Installer\{8FF87EC6-8533-43AC-B0E9-0D4FCA0F3221}\{720A740F-4050-4BFD-B1D2-C325A30C496E} <==== ATTENTION

I also removed the AndyImagesInstall and AndyPreInstall manually from the Windows Installer folder. The files are gone now but those entries remain. I also uninstalled node.js and reinstalled it at a different location (I need it for work). Since then, I had no more warnings from Malwarebytes. I assume the only reason I don't get new warnings is the fact that I installed node on my H-partition.

Those 2 are still a bit strange to me (additions.txt):

FirewallRules: [TCP Query User{AA36D589-2BEB-4EE1-9148-2AC374355ABC}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File
FirewallRules: [UDP Query User{010D1AAA-A778-4CFF-8D76-3DA3B9BB9178}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File

Nonetheless, I still attached the files!

Sincerely
Flau

SearchReg.txt
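As an added example (my own code, not part of FLau's posts and not something FRST or Malwarebytes ship), here is a small Python script that parses FRST-style Task and FirewallRules lines like the ones quoted above and flags the pattern they show: a scheduled task that runs node.exe with an extensionless GUID-named file under Windows\Installer or ProgramData\Package Cache as its script, plus Allow firewall rules whose target file is gone. The two benign filler lines in the sample and the flagging heuristics are my assumptions.

```python
import re

# Constructed sample in FRST's log style: the first two Task lines and the first
# FirewallRules line are the ones posted above, the other two are benign filler.
SAMPLE_FRST = r"""
Task: {73D75DFB-83C6-4372-8FA4-556CB6311BE8} - System32\Tasks\Intel(R)ContentKryptografiedienste => C:\Program Files (x86)\nodejs\node.exe -> C:\Windows\Installer\{8FF87EC6-8533-43AC-B0E9-0D4FCA0F3221}\{720A740F-4050-4BFD-B1D2-C325A30C496E} <==== ATTENTION
Task: {8B430336-0EB3-416C-99BD-FF2263676703} - System32\Tasks\Windows Remote Disc => H:\Node\\node.exe [54800536 2020-04-29] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{EE3E61FE-9C8D-4547-93F4-E6196313161D}\{80BDB538-79F6-4E58-88DE-53175C4C23B6}"
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\NightlyBackup => C:\Tools\backup.exe
FirewallRules: [TCP Query User{AA36D589-2BEB-4EE1-9148-2AC374355ABC}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File
FirewallRules: [TCP Query User{00000000-0000-0000-0000-000000000002}C:\Program Files\Mozilla Firefox\firefox.exe] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# An extensionless GUID-named file under Windows\Installer or Package Cache: MSI payloads
# live there, but nothing legitimate points a scheduled node.exe at one as its script.
STAGED_PAYLOAD = re.compile(r"\\(?:Windows\\Installer|ProgramData\\Package Cache)\\" + GUID + r"\\" + GUID + "$", re.I)
SCRIPT_HOSTS = {"node.exe"}  # the argument, not the signed host binary, decides what runs

def parse_task(line):
    """Split an FRST 'Task:' line into (name, exe, argument, attention). Heuristic: exe is the
    first .exe path; the argument follows the LAST ' -> ' because the signer field holds one too."""
    head, _, rest = line[len("Task: "):].partition(" => ")
    name = head.split(" - ", 1)[1]
    attention = rest.endswith("<==== ATTENTION")
    rest = rest.removesuffix(" <==== ATTENTION")
    m = re.match(r"(.*?\.exe)", rest, re.I)
    exe = m.group(1) if m else rest
    arg = rest.rsplit(" -> ", 1)[1].strip('"') if " -> " in rest else None
    return name, exe, arg, attention

def analyze(frst_text):
    """Return (kind, subject, reasons) for every suspicious Task or FirewallRules line."""
    findings = []
    for line in frst_text.strip().splitlines():
        if line.startswith("Task: "):
            name, exe, arg, attention = parse_task(line)
            reasons = []
            if arg and exe.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
                reasons.append(f"script host {exe} executes {arg}")
            if arg and STAGED_PAYLOAD.search(arg):
                reasons.append("script is an extensionless GUID file in an installer cache")
            if attention:
                reasons.append("FRST itself marked the line ATTENTION")
            if reasons:
                findings.append(("task", name, reasons))
        elif line.startswith("FirewallRules: ") and line.endswith("=> No File"):
            rule = line.split("[", 1)[1].split("]", 1)[0]
            findings.append(("firewall", rule, ["allow rule for a file that no longer exists"]))
    return findings
```

Run `analyze(SAMPLE_FRST)` to get three findings: both node.exe tasks (the second one even though FRST did not mark it ATTENTION) and the orphaned node.exe firewall rule, while the backup task and the Firefox rule pass.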
-
Hi! Unfortunately, the quarantine folder is empty, therefore I cannot restore any file and the problem remains. I skimmed through the additions.txt and found two entries of the software that originally caused the problem:

AndyImagesInstall (HKLM\...\{3EBE5CF7-02CA-4187-83A2-FCA61F8863EB}) (Version: 47.0.260 - Andy OS Inc.) Hidden
AndyPreInstall (HKLM\...\{C89FF20F-BE49-461E-83EC-E9AC933C0C1F}) (Version: 47.0.260 - Andy OS Inc.) Hidden

Might it be a good idea to remove those too?

Greetings
Flau
-
Hello! Thanks for your assistance. Unfortunately, the situation hasn't changed and Malwarebytes still detected and blocked the same two applications as before. After that I also signed out of my Firefox and restarted my computer again. Unfortunately, the problem remains and the two applications showed up again.

Sincerely
Flau

Fixlog.txt
-
Hi, I recently downloaded and installed some Android emulator named "Andy" or a German version of "Audacity". Unfortunately, the .exe also installed all kinds of other software on my Windows 7 system. I removed most of the unwanted software but one problem remained: a search result hijacker for every browser was part of the package. It replaces the top 4 results with some cryptic redirect links that are luckily displayed in a different font, otherwise I wouldn't have noticed at all. I tracked the issue down to an add-on in Firefox/Chrome that I cannot remove. Malwarebytes can, but the add-on always reinstalls itself after a PC restart. The malware infects my Node.js installation and tries to download and reinstall all the components Malwarebytes removes. Here is the detail of the trojan:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 04/12/2020
Protection Event Time: 08:30
Log File: a40458c0-3602-11eb-aea1-00ff69844060.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.33848
Licence: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\nodejs\node.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: de.mynodejs.net
IP Address: 172.67.202.103
Port: 80
Type: Outbound
File: C:\Program Files\nodejs\node.exe

(end)

However, there is another component. Like clockwork there appears an .exe file in my Windows\Temp folder that executes itself and tries a similar thing as the infected Node.js. Here is the corresponding log entry:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 04/12/2020
Protection Event Time: 08:23
Log File: ab94aee2-3601-11eb-b9df-00ff69844060.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.33828
Licence: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
Malware.AI.1792791521, C:\Windows\Temp\8a24130b-0e49-bdb4-1910-164f3aaf6cb8\7e34ad56-75bd-a3b8-8e9d-685c2aae25c7.exe, Quarantined, 1000000, 0, 1.0.33828, 5968C09775D709B36ADBD3E1, dds, 01012108, F1B044E9C52A9E2F60051D39000CC046, B140231893C88C5D7F9697E5451AE17D69A94688D8FDF1CBE00C9D4794F34D17

(end)

The hashes/name are always a bit different. I have no idea what else that adware infected, but it seems to be so deeply ingrained into my system that I cannot get rid of it. I tried basically all anti-malware tools (MSERT.exe, tdsskiller, adwCleaner, SuperAntiSpywarePro, Avira, Malwarebytes, Spybot...). By now I am out of ideas. Any suggestion is very much appreciated!

Edit: I also attached the logs from the Farbar Recovery Scan. I have regularly deleted the temp files before though. The Malwarebytes scan doesn't yield anything but the 2 quarantined elements I posted above.

Sincerely
Flau

Addition.txt
FRST.txt