
fileless.mtgen



My PC was acting strange, like something was running and slowing down typing. Asked a friend and found these files he didn't know about?

---------------

C:\Users\Patti\AppData\Local\ca0f3>dir
 Volume in drive C is OS
 Volume Serial Number is F641-BD4C

 Directory of C:\Users\Patti\AppData\Local\ca0f3

08/07/2016  12:58 PM    <DIR>          .
08/07/2016  12:58 PM    <DIR>          ..
08/07/2016  12:58 PM            27,576 a4bb8.73fb72
08/07/2016  12:58 PM                58 a52cc.bat
08/07/2016  12:58 PM             1,013 ba3db.lnk
               3 File(s)         28,647 bytes

-----------------

If you delete them, they reappear almost immediately...

Ran FRST, logs attached.

I did call McAfee (I've got McAfee Live Safe with a valid license) and they got on my PC, did a lot of things but said I was OK and found nothing.

Do I have a problem?

Thanks for your help.

 

Addition_07-08-2016_13-04-39.txt

FRST_07-08-2016_13-04-39.txt

Edited by Maurice Naggar

Hi. Welcome.

I will be guiding you as we go forward.  I do need to see other diagnostic information from this system, so that I can see about pinning down the source of this issue.
I would like to ask that you always attach any report or file I ask for, from time to time.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed, please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just always attach files / reports.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable, it is unlikely, but things can go wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen / flash drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous; please be patient. Often we are also in a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • As we go along, from time to time, Windows User Account Control (UAC) will prompt whether to allow a tool or procedure to proceed forward. Approve the Windows UAC prompt by clicking on Continue or Yes.



When we are done, I'll give you instructions on how to clean up all the tools and logs
Please stick with me until I give you the "all clear" and please don't waste my time by leaving before that.
Your topic will be closed if you haven't replied within 3 days.
 


This is the first thing to do.
Please do a Threat & Rootkit Scan:
Start the Anti-Malware program.
Please look at the Dashboard screen. Would you please press the blue line marked Update and let it update itself.

Click the Settings icon ( on the top bar) > then click Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
Click on the Scan icon ( up on the top row ), then click on Start Scan button >> .

A Threat Scan will begin.


With _some infections_, you may see this message box.
'Could not load DDA driver'
Click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart (as needed).


Continue with the rest of these instructions.


When the scan is complete, be sure to press Review results and look at all of the listed items (if any).
If there are found items, be sure to have each line item check-box marked with a check-mark in order to remove them.
Click the REMOVE Selected button.


Wait for the prompt to restart the computer to appear (if any), then click on Yes.
After the scan has completed, click on the History tab > Application Logs.
Double click on the scan log which shows the date and time of the scan just performed.
Click the EXPORT button at the bottom left.
Click TEXT file.
Be very aware as to what folder and what NAME you give this report. You have to make a note so you can send it.

Then attach that file with your next reply.
 


After you have finished the Scan from the last message, then do what follows.  Just please be sure you have completed the last procedure first.

 

These steps are for  member PATDOO only. If you are a casual viewer, do NOT try this on your system!
If you are not  PATDOO and have a similar problem, do NOT post here;  start your own topic

Please close all open work documents ( if any ) and save your work.  Exit all other programs of yours that have open windows. This next procedure will involve a reboot at the end.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the FIXLIST.zip and select SAVE AS and save it directly (as is) to your system. Next: extract the content to the folder named New folder that is on the DESKTOP.
That is very important.

If you are unsure how to extract the contents of the .zip folder, please see this tutorial from Microsoft:
http://windows.microsoft.com/en-us/windows/compress-uncompress-files-zip-files

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.


If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt ) in the same location from where it was run. Please attach the Fixlog.txt in your reply.

Also, let me know if you have any questions or need further assistance.

Fixlist.zip


That is very good news. Let's do a new scan run. It should only take a few minutes.
 
Please do a Threat & Rootkit Scan:
Start the Anti-Malware program.
Please look at the Dashboard screen. Would you please press the blue line marked Update and let it update itself.

Click the Settings icon ( on the top bar) > then click Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
Click on the Scan icon ( up on the top row ), then click on Start Scan button >> .

A Threat Scan will begin.


With _some infections_, you may see this message box.
'Could not load DDA driver'
Click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart (as needed).


Continue with the rest of these instructions.


When the scan is complete, be sure to press Review results and look at all of the listed items (if any).
If there are found items, be sure to have each line item check-box marked with a check-mark in order to remove them.
Click the REMOVE Selected button.


Wait for the prompt to restart the computer to appear (if any), then click on Yes.
After the scan has completed, click on the History tab > Application Logs.
Double click on the scan log which shows the date and time of the scan just performed.
Click the EXPORT button at the bottom left.
Click TEXT file.
Be very aware as to what folder and what NAME you give this report. You have to make a note so you can send it.

Then attach that file with your next reply.


Thanks for sending the zip file.  Appreciate that. After re-review and study, it turns out that 2 innocent exe files were removed.  Now, we need to restore the two back.

These are Windows files and had no part of the pest that had been around.  To begin the restoration, I need for you to locate the prior file FIXLIST.txt and delete it.

Also delete the old FIXLIST.zip off your system (the older file I had sent before).

Now, on to do the restoration. I am attaching a new ZIP file.   

Please RIGHT-click the FIXLIST.zip and select SAVE AS and save it directly (as is) to your system. Next: extract the content to the folder named New folder that is on the DESKTOP.
That is very important.


NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.


If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt ) in the same location from where it was run. Please attach the Fixlog.txt in your reply.

Also, let me know if you have any questions or need further assistance.

Fixlist.zip


OK. Allow me to suggest one last scan and let's see what is reported.

Please do a Threat & Rootkit Scan:
Start the Anti-Malware program.
Please look at the Dashboard screen. Would you please press the blue line marked Update and let it update itself.

Click the Settings icon ( on the top bar) > then click Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
Click on the Scan icon ( up on the top row ), then click on Start Scan button >> .

A Threat Scan will begin.


With _some infections_, you may see this message box.
'Could not load DDA driver'
Click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart (as needed).


Continue with the rest of these instructions.


When the scan is complete, be sure to press Review results and look at all of the listed items (if any).
If there are found items, be sure to have each line item check-box marked with a check-mark in order to remove them.
Click the REMOVE Selected button.


Wait for the prompt to restart the computer to appear (if any), then click on Yes.
After the scan has completed, click on the History tab > Application Logs.
Double click on the scan log which shows the date and time of the scan just performed.
Click the EXPORT button at the bottom left.
Click TEXT file.
Be very aware as to what folder and what NAME you give this report. You have to make a note so you can send it.

Then attach that file with your next reply.


I'm still getting either pop-ups or programs opening on boot minimized to the taskbar.

Pop-up I got (first one added)

On boot I noticed something on the taskbar and opened it (it closed shortly after by itself) which is the second capture.

I did look in the REGISTRY using REGEDIT and it is NOT there?

 

Snip It.JPG

Snip It #2 Java.JPG


Identify, if you can, just where that startup link is, and do not use it. You mentioned it is on the taskbar. Please do not mess with it.

 

I am suggesting the use of a tool named ZOEK to get details from this machine.
I am sending a file that is a custom script.  It will go with ZOEK.
Please download ZOEK and save it to your desktop (preferred version is the *.exe one) from this link
http://download.bleepingcomputer.com/smeenk/zoek.exe

Save (from this email)  the attached text file: zoekscript.txt to your desktop.

Disable your antivirus, so it doesn't interfere with the running of zoek.exe. You can find instructions on how to disable your security applications here:
http://www.bleepingcomputer.com/forums/topic114351.html
or
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html

Please do a run with zoek.exe with the attached customized script as follows: This involves a DRAG and drop on the DESKTOP.

So you need to have a clear view to the DESKTOP area.


Now drag zoekscript.txt onto Zoek.exe on your desktop.


Please approve any UAC prompt to allow this action to proceed.

Please answer "Yes" to the following prompt to allow the zoek script to run.



This will cause Zoek.exe to start automatically.  Please be patient while zoek is scanning.

When zoek is finished running, a log will open (if a reboot is required it will open afterward).
Please let me know how it went. And kindly attach the new log zoek-results.log


When all done, please be sure to turn back ON the antivirus program.

 

 

zoekscript.txt


OK, did it and I have a friend who is familiar with Windows. He found some stuff and thinks he has the 'answer'.

First the log you want...

He found these lines in it...

==========

O4 - Startup: 6c53b.lnk = C:\Windows\System32\cmd.exe
O4 - Startup: d0eee.lnk = ?

===========

Confirms what he saw...

The windows appeared on re-boot and he used PROCESS MONITOR to identify the task putting them up.

First the LINK error.... Task PID 6416, points back to CMD.EXE...

Next the JAVA SCRIPT ERROR, that also shows CMD with 3 other processes and PID's, but they appear to not be there, probably closed as the data couldn't be found.

Of course, he did find them in STARTUP and I think all he needs to do is DELETE the two entries in STARTUP

=================

C:\Users\Patti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>dir
 Volume in drive C is OS
 Volume Serial Number is F641-BD4C

 Directory of C:\Users\Patti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

08/09/2016  11:05 PM    <DIR>          .
08/09/2016  11:05 PM    <DIR>          ..
08/10/2016  05:06 PM             1,049 6c53b.lnk
08/10/2016  05:09 PM             1,058 d0eee.lnk
               2 File(s)          2,107 bytes
               2 Dir(s)  945,473,359,872 bytes free

=======================

Comments?

 

zoek-results.txt

error1.JPG

error2.JPG

error3.JPG

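As an added, defender-side example (not code from this thread, nor from FRST, zoek or Malwarebytes): a PowerShell script that lists every .lnk in the current-user and all-users Startup folders, resolves each shortcut's target and arguments through the WScript.Shell COM object, and flags the pattern shown in the listing above (a short random hex name, a target of cmd.exe, an unresolvable target like the `d0eee.lnk = ?` line, or a reference to a hex-named folder under AppData\Local such as ca0f3). The list of suspect host interpreters and the name patterns are my assumptions, not something the thread states.

```powershell
# Added example: review Startup-folder shortcuts the way the user's friend did by hand.
# Assumption: the name/host heuristics below are illustrative, not from the thread.
$shell = New-Object -ComObject WScript.Shell

# Per-user Startup (...\Start Menu\Programs\Startup) and the all-users equivalent.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Script hosts that a legitimate application shortcut rarely launches directly.
$suspectHosts = @('cmd.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe', 'mshta.exe', 'rundll32.exe')
# A folder of 4-8 hex characters directly under AppData\Local (like "ca0f3" above).
$hexDirPattern = '\\AppData\\Local\\[0-9a-f]{4,8}\\'

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -Force) {
        $sc        = $shell.CreateShortcut($lnk.FullName)   # resolves the .lnk contents
        $target    = $sc.TargetPath
        $arguments = $sc.Arguments
        $reasons   = @()

        if ([string]::IsNullOrWhiteSpace($target)) {
            $reasons += 'target could not be resolved (shows as "= ?" in scanner logs)'
        } elseif ($suspectHosts -contains ([IO.Path]::GetFileName($target).ToLower())) {
            $reasons += "launches $([IO.Path]::GetFileName($target)) directly"
        } elseif (-not (Test-Path -LiteralPath $target)) {
            $reasons += 'target file no longer exists'
        }
        if ("$target $arguments" -match $hexDirPattern) { $reasons += 'references a hex-named AppData\Local folder' }
        if ($lnk.BaseName -match '^[0-9a-f]{5}$')        { $reasons += 'five-character hex shortcut name' }

        [pscustomobject]@{
            Shortcut   = $lnk.FullName
            Created    = $lnk.CreationTime      # compare with when the symptoms began
            Target     = $target
            Arguments  = $arguments
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Show everything, then save only the flagged entries as a report that can be attached to a thread.
$findings | Format-Table -AutoSize
$findings | Where-Object Suspicious |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'Desktop\startup-lnk-review.csv')
```

Nothing is deleted by this script; it only reports, so the helper can decide what a removal script should touch.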

Not 100 percent sure? Odd things are happening.

First of all, yesterday I might have made a mistake according to my friend. On FireFox I got an 'urgent' tab opening up saying a Java update was needed. I ran it; the file was FIREFOX-PATCH.JS. Called my friend and he got on my PC and couldn't locate anything from it or the file.

Today I ran MalwareBytes and the scan said I was AGAIN infected. I selected FIX... ran scan again after a re-boot, system clean. Did a SHUTDOWN and boot, again clean.

However some stuff HAS returned in the ca0f3 folder?

===========================

C:\Users\Patti\AppData\Local\ca0f3>dir
 Volume in drive C is OS
 Volume Serial Number is F641-BD4C

 Directory of C:\Users\Patti\AppData\Local\ca0f3

08/13/2016  09:25 AM    <DIR>          .
08/13/2016  09:25 AM    <DIR>          ..
08/13/2016  09:24 AM            42,064 a4bb8.73fb72
08/13/2016  11:00 AM             1,347 ba3db.lnk
               2 File(s)         43,411 bytes
               2 Dir(s)  943,920,775,168 bytes free

====================

The lnk file points to C:\Users\Patti\AppData\Local\ca0f3\a52cc.bat which doesn't exist (although it is in my Quarantine folder)?

Operation-wise I don't see any degradation nor signs of any malware running. Hijack Hunter didn't seem to see anything either? See log attached.

What do you think?

Tried some other utilities, rootkit scanners, nothing. Hitman Pro found some stuff, but not the infection.

Scan of August 13.JPG

logs_8-13-2016_11_00_46_AM.log


Run a brand new Malwarebytes scan (as below). But please do not fall for any fake "update Firefox" message, especially those with JS (JavaScript). You can always do a manual update check within Firefox itself. Start FF. Click Help > About Firefox > Check for Update.

It is a shame that the fileless issue is still around.  It should have been squashed long ago.

 

Please do a Threat & Rootkit Scan:
Start the Anti-Malware program.
Please look at the Dashboard screen. Would you please press the blue line marked Update and let it update itself.

Click the Settings icon ( on the top bar) > then click Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
Click on the Scan icon ( up on the top row ), then click on Start Scan button >> .

A Threat Scan will begin.


With _some infections_, you may see this message box.
'Could not load DDA driver'
Click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart (as needed).


Continue with the rest of these instructions.


When the scan is complete, be sure to press Review results and look at all of the listed items (if any).
If there are found items, be sure to have each line item check-box marked with a check-mark in order to remove them.
Click the REMOVE Selected button.


Wait for the prompt to restart the computer to appear (if any), then click on Yes.
After the scan has completed, click on the History tab > Application Logs.
Double click on the scan log which shows the date and time of the scan just performed.
Click the EXPORT button at the bottom left.
Click TEXT file.
Be very aware as to what folder and what NAME you give this report. You have to make a note so you can send it.

Then attach that file with your next reply.

p.s. Please no more screen shots of the MBAM result screen. An actual AS-IS copy of the TEXT report itself is much, much more detailed and useful.

 

Edited by Maurice Naggar

Very good. We can wrap up this case.

The following procedures will implement some cleanup procedures to remove the tools I had you use.

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot



Any other programs or logs that are still remaining, you can manually delete.

I am glad to see this resolved and to have helped you.  Thanks for choosing Malwarebytes.


This topic is now closed to further replies.