thisisu

Staff
About thisisu

  • Rank
    Research Engineer

  1. Hi KBJenkins, Can you try shutting down Kaspersky before attempting to run JRT in normal mode?
  2. I'm sorry for the inconvenience. I whitelisted the file that was quarantined according to the log. I'm not sure why it's continuing to detect as ransomware. If you want, you can try adding a file exclusion as well. The steps for adding an exclusion in Malwarebytes are: Settings ==> Exclusions ==> Add Exclusion ==> Exclude a File or Folder ==> Select Files... ==> Navigate to D:\Program Files (x86)\NODouble.exe ==> Select it and press OK. Again, sorry for your troubles. Best regards
  3. Hi Abilou, It might be fastest to reinstall the program as I can only go by what the log tells us, which is that the file was quarantined.

    8/06/17 " 03:55:44.584" 56484717 0718 0f18 INFO CleanControllerImpl DOREngine::PreCleanIsRebootRequired "DOREngine.cpp" 118 "Must reboot, special file D:\Program Files (x86)\NODouble.exe"
    08/06/17 " 03:55:44.584" 56484717 0718 0f18 INFO CleanControllerImpl QuarantineEngine::QuarantineFile "QuarantineEngine.cpp" 373 "Quarantining D:\Program Files (x86)\NODouble.exe"
    08/06/17 " 03:55:44.589" 56484717 0718 0f18 INFO CleanControllerImpl Cleaner::RemediateAndWriteMetadata "Cleaner.cpp" 307 "Starting cleaning of File D:\Program Files (x86)\NODouble.exe"
    08/06/17 " 03:55:44.590" 56484717 0718 0f18 INFO CleanControllerImpl RemovalEngine::RemoveFile "RemovalEngine.cpp" 1148 "Cleaning file D:\Program Files (x86)\NODouble.exe, anti-rootkit = false"
    08/06/17 " 03:55:44.681" 56484810 0718 0f18 INFO CleanControllerImpl RemovalEngine::DeleteFileAPI "RemovalEngine.cpp" 1311 "Deleting file 'D:\Program Files (x86)\NODouble.exe', resolved path = 'D:\Program Files (x86)\NODouble.exe'"
    08/06/17 " 03:55:50.175" 56490302 0718 0f18 ERROR CleanControllerImpl RemovalEngine::DeleteFileAPI "RemovalEngine.cpp" 1397 "Verification of deleting file D:\Program Files (x86)\NODouble.exe failed!"
    08/06/17 " 03:55:50.175" 56490302 0718 0f18 INFO CleanControllerImpl RemovalEngine::LogCleanResult "RemovalEngine.cpp" 1499 "Scheduling DOR cleaning for file D:\Program Files (x86)\NODouble.exe"
    08/06/17 " 03:55:50.176" 56490302 0718 0f18 INFO CleanControllerImpl QuarantineEngine::CopyMetadataToQuarantine "QuarantineEngine.cpp" 134 "Copying quarantine metadata for D:\Program Files (x86)\NODouble.exe"
    08/06/17 " 03:55:50.177" 56490302 0718 0f18 INFO CleanControllerImpl QuarantineEngine::LogQuarantineResult "QuarantineEngine.cpp" 637 "Completed quarantining and DOR queueing File 'D:\Program Files (x86)\NODouble.exe'"
    08/06/17 " 03:55:50.177" 56490302 0718 0f18 INFO CleanControllerImpl Cleaner::RemediateAndWriteMetadata "Cleaner.cpp" 307 "Starting cleaning of RegValue HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
    08/06/17 " 03:55:50.177" 56490302 0718 0f18 INFO CleanControllerImpl RemovalEngine::RemoveRegValue "RemovalEngine.cpp" 136 "Cleaning reg value HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
    08/06/17 " 03:55:50.178" 56490317 0718 0f18 INFO CleanControllerImpl RemovalEngine::LogCleanResult "RemovalEngine.cpp" 1484 "Succeeded cleaning reg value HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
    08/06/17 " 03:55:50.178" 56490317 0718 0f18 INFO CleanControllerImpl QuarantineEngine::CopyMetadataToQuarantine "QuarantineEngine.cpp" 134 "Copying quarantine metadata for HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
    08/06/17 " 03:55:50.179" 56490317 0718 0f18 INFO CleanControllerImpl QuarantineEngine::LogQuarantineResult "QuarantineEngine.cpp" 617 "Succeeded quarantining RegValue 'HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE'"

    Feel free to try the following search as well:

    Download and run SystemLook. In the white box / text-field, type in the following two lines:

    :filefind
    NoDouble.exe

    Then press the "Look" button at the bottom. Wait while it searches your system. Attach or paste the contents of SystemLook.txt when finished.
  4. Hi, No worries. It was a false positive. I've whitelisted the file so it shouldn't be detected anymore. The file appears to be in quarantine. To restore it, open Malwarebytes, go to "Quarantine", and find the entry with Location: D:\Program Files (x86)\NODouble.exe. Place a check mark in that entry by left mouse clicking in the empty box, and press "Restore". The file should be restored to its original location. 78FC8B1F988DB71C107221F021E19897
  5. Weather Display quarantined

    I think you'd have to restore it from quarantine first, as the files in quarantine aren't usable anymore. You can do that by going into the Quarantine tab, placing a checkmark next to the C:\wdisplay\WeatherDisplay.exe detection, and pressing the Restore button at the bottom right corner. If it's easier, attach the C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG first, then we can see if we still need the C:\wdisplay\WeatherDisplay.exe from your system.
  6. Hi Abilou, Please zip and attach D:\Program Files (x86)\NoDouble.exe to your next post. It will also help to include C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG too. Thank you
  7. Weather Display quarantined

    Hi mrigeo, Please zip and attach C:\wdisplay\WeatherDisplay.exe to your next post. It will also help if you attach C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG too. Thanks
  8. Hi Krayer, Let's gather a couple of diagnostic logs to get a bit more information about your system.

    Please download the Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.
    Double-click to run it. When the tool opens, click Yes to the disclaimer.
    Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not, and you may need to select it manually.
    Please attach both logs to your reply if possible. Otherwise, you may copy/paste the logs directly if you have to, but an attachment is better. To save attachments please click the link as shown below. Then browse to where your file is located, select it, and click the Open button.
  9. Hi Krayer, If you aren't able to open JRT in safe or normal mode, you'll want to ensure that your system isn't infected with something more serious than adware. I'd recommend downloading and scanning with Malwarebytes (MBAM) first. Afterwards, let MBAM reboot the system if it found any threats and retry JRT. Let me know if you need additional help. Regards
  10. False Detection

    Thank you. It should be fixed now. Sorry for the inconvenience.
  11. False Detection

    Hello mmmmmm, Can you please follow the directions here? We're currently not detecting this file. Thanks
  12. Hi Kevin, It looks like you're on the right track already. Can you retry the directions here? A malware removal expert should be with you shortly. I'm going to move your topic to the appropriate sub-forum for you to get assistance with your computer. The topic you posted in is only for submitting new malware samples. Thank you for your patience.
  13. No problem. Yes that's what I would recommend.
  14. Hi Hijin25, The newer version of JRT should be on your desktop in a folder called "JRT_NewerVersion". The original version does not get replaced. If you have trouble finding this folder, it may be due to a non-English operating system. Regards
  15. Is this a False Positive?

    Thank you. This was indeed a false positive and was fixed a few minutes ago. (8DF1B1C4108112298749511B09702CE5) I would recommend using the 'Restore' button. Let us know if there are any outstanding issues.
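As an added example (not thisisu's code and not a Malwarebytes tool), here is a small Python parser for the MBAMSERVICE.LOG line layout quoted in post 3. It follows the clean/quarantine events for one file path and reports whether the delete was verified or a delete-on-reboot (DOR) entry was queued instead, which is the situation that excerpt shows. The field names are my own labels for the columns, and the sample lines are constructed from the excerpt.

```python
import re

# Column layout as quoted in post 3: date "time" tick pid tid LEVEL component
# Class::Method "source.cpp" line "message"  (field names are my own labels)
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{2}/\d{2}) " ?(?P<time>[\d:.]+)" (?P<tick>\d+) '
    r'(?P<pid>[0-9a-fA-F]{4}) (?P<tid>[0-9a-fA-F]{4}) (?P<level>[A-Z]+) '
    r'(?P<component>\S+) (?P<func>\S+) "(?P<src>[^"]+)" (?P<srcline>\d+) '
    r'"(?P<msg>.*)"$')

def parse_line(line):
    """Split one MBAMSERVICE.LOG line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def file_remediation_status(lines, path):
    """Follow the clean/quarantine events for `path` and report the end state."""
    needle = path.lower()
    st = {"quarantined": False, "delete_verified": True,
          "dor_scheduled": False, "reboot_required": False, "errors": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None or needle not in rec["msg"].lower():
            continue
        func, msg = rec["func"], rec["msg"]
        if "reg value" in msg.lower():
            continue  # registry entries that embed the path are a separate object
        if func.endswith("::QuarantineFile"):
            st["quarantined"] = True
        elif func.endswith("::PreCleanIsRebootRequired") and msg.startswith("Must reboot"):
            st["reboot_required"] = True
        elif func.endswith("::DeleteFileAPI") and rec["level"] == "ERROR":
            st["delete_verified"] = False  # file is still on disk after the delete call
        elif func.endswith("::LogCleanResult") and msg.startswith("Scheduling DOR"):
            st["dor_scheduled"] = True  # delete-on-reboot has been queued
        if rec["level"] == "ERROR":
            st["errors"] += 1
    return st

# Constructed sample: six of the lines quoted in post 3, one entry per line.
SAMPLE = r'''
08/06/17 " 03:55:44.584" 56484717 0718 0f18 INFO CleanControllerImpl DOREngine::PreCleanIsRebootRequired "DOREngine.cpp" 118 "Must reboot, special file D:\Program Files (x86)\NODouble.exe"
08/06/17 " 03:55:44.584" 56484717 0718 0f18 INFO CleanControllerImpl QuarantineEngine::QuarantineFile "QuarantineEngine.cpp" 373 "Quarantining D:\Program Files (x86)\NODouble.exe"
08/06/17 " 03:55:44.681" 56484810 0718 0f18 INFO CleanControllerImpl RemovalEngine::DeleteFileAPI "RemovalEngine.cpp" 1311 "Deleting file 'D:\Program Files (x86)\NODouble.exe', resolved path = 'D:\Program Files (x86)\NODouble.exe'"
08/06/17 " 03:55:50.175" 56490302 0718 0f18 ERROR CleanControllerImpl RemovalEngine::DeleteFileAPI "RemovalEngine.cpp" 1397 "Verification of deleting file D:\Program Files (x86)\NODouble.exe failed!"
08/06/17 " 03:55:50.175" 56490302 0718 0f18 INFO CleanControllerImpl RemovalEngine::LogCleanResult "RemovalEngine.cpp" 1499 "Scheduling DOR cleaning for file D:\Program Files (x86)\NODouble.exe"
08/06/17 " 03:55:50.178" 56490317 0718 0f18 INFO CleanControllerImpl RemovalEngine::LogCleanResult "RemovalEngine.cpp" 1484 "Succeeded cleaning reg value HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|D:\PROGRAM FILES (X86)\NODOUBLE.EXE"
'''.strip().splitlines()
```

For the sample the result is quarantined, delete not verified, DOR queued: the original file stays on disk until the reboot the tool asked for, which is why restoring from Quarantine is the right move when the detection turns out to be a false positive.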