Cassiopessa

[ttanin]

Malware bytes finds this after each reboot and it keeps coming back.

 

Addition.txt

FRST.txt

[TwinHeadedEagle]

Hello,

You asked for help 3 times so far and in all of them there was a different PC. Are these all your machines or you're fixing it for someone? Do you have MalwareBytes subscription?

[ttanin]

I have malware bytes subsription for all the 3 PC. The first one was for my wife, the last 2 are mine. I use 2 laptops, one in my office and travelling, the other one sits at home.

[TwinHeadedEagle]

Okay, that's fine.

Please re-run Malwarebytes' Anti-Malware.

• Click the History tab.
• Click Application Logs and click on the newest Scan Log.
• At the bottom click Export and choose Text file.

Save the file to your desktop and attach it in your next reply.

[ttanin]

Here it is.

malware.txt

[TwinHeadedEagle]

I don't see malware you mentioned in this log?

[ttanin]

here is the one for today. It does not come back after each reboot but iI know it is hidden somewhere. Sometimes malware bytes finds 4, today it found only one

malware.txt

[TwinHeadedEagle]

This log is still empty. Can you just make a picture of MalwareBytes findings?

[ttanin]

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/1/2015
Scan Time: 8:29 AM
Logfile: malware.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.09.30.09
Rootkit Database: v2015.09.22.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: HP

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 407565
Time Elapsed: 25 min, 38 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.Cassiopessa, HKLM\SOFTWARE\CLASSES\APPID\{ef494946-9425-4a5c-b373-74ccd38e8c48}, Quarantined, [bd5438fe5635d75ff402b6407f835ea2],
PUP.Optional.Cassiopessa, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{EF494946-9425-4A5C-B373-74CCD38E8C48}, Quarantined, [bd5438fe5635d75ff402b6407f835ea2],
PUP.Optional.Cassiopessa, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{EF494946-9425-4A5C-B373-74CCD38E8C48}, Quarantined, [bd5438fe5635d75ff402b6407f835ea2],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.Cassiopessa, C:\Program Files (x86)\Mozilla Firefox\browser\components\lmn.js, Quarantined, [5db450e6e4a77bbb703722bc34d032ce],

Physical Sectors: 0
(No malicious items detected)


(end)

malware.txt

[TwinHeadedEagle]

Thanks.

Scan with Farbar Recovery Scan Tool

 

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on icon and select Run as Administrator to start the tool.

  (XP users click run after receipt of Windows Security Warning - Open File).

• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

[ttanin]

This morning when I started Malwarebytes anti exploit gave me a message saying that malware bytes was not turned on, so I did a scan and found one more. I removed that and then Followed your instructions.

FRST.txt

Addition.txt

malwarebytesdiscovery1052015.txt

[TwinHeadedEagle]

Fix with Farbar Recovery Scan Tool
 

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please upload it to your reply.

fixlist.txt

[ttanin]

Here it is

Fixlog.txt

[TwinHeadedEagle]

Very good. How is the situation now?

[ttanin]

So far so good. I rebooted few times and it has not re-appeared yet.

[ttanin]

It was fine for 6 hours then my browser crashed, when I rebooted my firefox had a russian webpage as homepage. So something is still there. I ran the same files again.

FRST.txt

[TwinHeadedEagle]

Can you reinstall Firefox?

- Uninstall Firefox (Programs and Features)

Then

Click Start, copy in search %appdata%\ Then delete folder Mozilla

Click Start, copy in search %LOCALAPPDATA%\ delete folder Mozilla

Then delete following folders:

C:\Program Files (x86)\mozilla firefox

C:\Program Files (x86)\Mozilla Maintenance Service

Restart your PC.

Then install Firefox again.

https://www.mozilla.org/en-US/firefox/new/

[ttanin]

DOne. Much better now. My laptop had stated blinking occassionally  last week so I thought I needed a new battery. Now the blinking is completely gone.

[ttanin]

I found this on my bookmarks on microsoft edge I dont use this browser so I left it there. Obviously related to malware

 

https://mail.yandex.ru/?win=197&clid=2100778-002

[TwinHeadedEagle]

Did you remove this?

[ttanin]

Yes, I removed it by right clicking the mouse over top of it, but I am not sure that will make it permanently go away

[TwinHeadedEagle]

Okay.

How is your PC behaving now?

[ttanin]

No issues

[TwinHeadedEagle]

Can we then consider this as solved?

[ttanin]

yes, one question. The malware bytes scanning history log has self protection as disabled in the report. Also whatever happened I dont have the anti exploit youhad recommended earlier. I may have mistakenly uninstalled it when I found out I have malware