Aura Posted July 8, 2017 ID:1141389
The ones you posted in your previous post. These were block notifications from Malwarebytes (it blocked a connection from being established). Do you still get them? Also, has the pop-up come back yet or not?

scythemouse Posted July 9, 2017 Author ID:1141493
No. But again, that means nothing. It shows up when it wants.

Aura Posted July 11, 2017 ID:1141877
Unfortunately there's nothing I can do right now since your logs do not show any signs of that infection. What I'm really curious about though is how the pop-up was removed the second time, since neither you nor I touched it.

scythemouse Posted July 11, 2017 Author ID:1141939
Since when? I closed the window and nothing more. I can do that at least.

Aura Posted July 12, 2017 ID:1142155
It is possible that this pop-up is generated by a webpage, and closing it will just remove it. You only receive it while browsing the web, and not when you boot your computer, right? That would be my guess.

scythemouse Posted July 13, 2017 Author ID:1142316
We're getting off track. We were talking about THIS THING, which is NOT generated by a webpage. https://gyazo.com/405c90553d2ec5150766e6c589175d90

Aura Posted July 13, 2017 ID:1142356
I know we are, but sadly, there are no traces of that infection in your logs at all. I'll ask my colleagues if they have any idea.

scythemouse Posted July 26, 2017 Author ID:1146390
Still here. https://gyazo.com/1657d4d663cf4b798fa5dcdf83bf302d

Aura Posted July 26, 2017 ID:1146427
Do you have the process and file location like the 2 others? What were you doing when the pop-up appeared?

scythemouse Posted July 27, 2017 Author ID:1146506 (edited)
I'm guessing you can't see the extra information when I link to these. https://gyazo.com/7ad7c29ddbcc593b2368750efd0edfdd The process was centred on mshta.exe, or something claiming to be it. I'd had to do a restart shortly before this to fix some unrelated issues with Origin.
Edited July 27, 2017 by scythemouse

Aura Posted July 27, 2017 ID:1146633
Well, I saw the pop-up screenshot, but I didn't see the filename and path in the first link. Run the following fix. Also, I have an idea of what we could do to see what process creates/drops that file on your system, but it's quite a longshot for now.
fixlist.txt

scythemouse Posted July 28, 2017 Author ID:1147196
Fixlog.txt

Aura Posted July 28, 2017 ID:1147198
Nothing, as always... Let's see the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
- Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
- Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry, which should take a few seconds;
- In the Search text area, copy and paste the following: 48F37EAF-6C5B-1217-01C3-37FF25ABCB67
- Once done, click on the Search Registry button and wait for FRST to finish the search;
- On completion, a log will open in Notepad. Copy and paste its content in your next reply;

Looks like we might have to go with the longshot solution after this.

scythemouse Posted July 29, 2017 Author ID:1147514
Quote:
Farbar Recovery Scan Tool (x64) Version: 29-07-2017
Ran by Nick (29-07-2017 16:33:18)
Running from C:\Users\Nick\Downloads
Boot Mode: Normal
================== Search Registry: "48F37EAF-6C5B-1217-01C3-37FF25ABCB67" ===========
====== End of Search ======

Aura Posted August 1, 2017 ID:1148260 (edited)
Just a heads up to tell you that I haven't forgotten about you. Currently exploring a solution to find what drops the file (setup.log) and creates the folder on your system. We might use Moo0 File Monitor. http://www.moo0.com/?top=http://www.moo0.com/software/FileMonitor/ Even ProcMon would work, but the log could be really huge.
Edited August 1, 2017 by Aura
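The "who drops setup.log" question above is usually answered by exporting the file-monitor log and filtering it rather than reading it by hand. The script below is an added example for this thread, not code from the forum, from FRST, Malwarebytes or ProcMon: it takes a Process Monitor CSV export (File > Save... > CSV), reports every process that actually created something under the watched folder (an "OpenResult: Created" CreateFile, as opposed to a program merely opening the file later), and then looks up the "Process Create" event that launched that writer so the parent is visible too. The sample log lines are constructed: the paths mirror the thread's setup.log and the Totolesec folder and the writer is mshta.exe as the thread reports, but the PIDs, times, command line and the shortened Detail strings are made up.

```python
"""Attribute a dropped file to the process that wrote it, using a
Process Monitor CSV export. Added example; assumes ProcMon's default
export columns: Time of Day, Process Name, PID, Operation, Path,
Result, Detail."""
import csv
import io

# Constructed sample export (not a real capture). Paths follow the
# thread; PIDs, times, command line and Detail text are invented and
# abbreviated relative to ProcMon's real Detail strings.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","svchost.exe","812","Process Create","C:\Windows\System32\mshta.exe","SUCCESS","PID: 4412, Command line: mshta.exe C:\ProgramData\example.hta"
"10:01:02.300","mshta.exe","4412","CreateFile","C:\Program Files (x86)\Common Files\Totolesec","SUCCESS","Desired Access: Write Data/Add File, Disposition: Create, OpenResult: Created"
"10:01:02.350","mshta.exe","4412","CreateFile","C:\Program Files (x86)\Common Files\Totolesec\setup.log","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.400","mshta.exe","4412","WriteFile","C:\Program Files (x86)\Common Files\Totolesec\setup.log","SUCCESS","Offset: 0, Length: 512"
"10:01:03.000","explorer.exe","1200","CreateFile","C:\Program Files (x86)\Common Files\Totolesec\setup.log","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"10:01:03.100","notepad.exe","5000","CreateFile","C:\Users\user\Desktop\notes.txt","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
'''

# Folder from the thread that we want to attribute.
TARGET_FOLDER = r"C:\Program Files (x86)\Common Files\Totolesec"


def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by ProcMon's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def find_creators(events, target_prefix):
    """(process name, pid, path) for every successful CreateFile that
    actually created the folder or a file under it. Matching is
    case-insensitive because NTFS paths are; opens of an existing file
    ("OpenResult: Opened") are ignored, since they are not the dropper."""
    prefix = target_prefix.lower().rstrip("\\")
    hits = []
    for e in events:
        path = e["Path"].lower()
        under_target = path == prefix or path.startswith(prefix + "\\")
        if (e["Operation"] == "CreateFile" and e["Result"] == "SUCCESS"
                and under_target and "OpenResult: Created" in e["Detail"]):
            hits.append((e["Process Name"], e["PID"], e["Path"]))
    return hits


def find_parent(events, pid):
    """(parent process, parent pid, command line) from the Process Create
    event whose Detail names this pid, or None if the capture started
    after the writer was already running."""
    marker = f"PID: {pid},"
    for e in events:
        if e["Operation"] == "Process Create" and e["Detail"].startswith(marker):
            cmdline = e["Detail"].split("Command line:", 1)[1].strip()
            return (e["Process Name"], e["PID"], cmdline)
    return None


def attribute_drop(text, target_prefix):
    """One report entry per created path: who wrote it and who started the writer."""
    events = parse_procmon_csv(text)
    report = []
    for proc, pid, path in find_creators(events, target_prefix):
        report.append({"path": path, "writer": proc, "pid": pid,
                       "parent": find_parent(events, pid)})
    return report


def main():
    for entry in attribute_drop(SAMPLE_CSV, TARGET_FOLDER):
        parent = entry["parent"]
        launched_by = (f"launched by {parent[0]} (PID {parent[1]}) with: {parent[2]}"
                       if parent else "parent not in capture")
        print(f"{entry['path']}\n  created by {entry['writer']} (PID {entry['pid']}), {launched_by}")


if __name__ == "__main__":
    main()
```

On a real export the Detail column is longer than in the sample, but the "OpenResult: Created" marker used here is what distinguishes the dropper from later readers of the file, and the "Process Create" lookup is what turns "mshta.exe wrote it" into the more useful "which scheduled task or service launched mshta.exe".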
Aura Posted August 1, 2017 ID:1148276
Alright, there's a breakthrough. Run the following fix. Attach the fixlog.txt after. Also, a file called "DATE-TIME.zip" will be on your desktop after running the fix. Upload it to the link below. https://www.bleepingcomputer.com/submit-malware.php?channel=194
fixlist.txt

scythemouse Posted August 1, 2017 Author ID:1148332
Sent.
Fixlog.txt

Aura Posted August 1, 2017 ID:1148334
You can delete this folder manually: C:\Program Files (x86)\Common Files\Totolesec
Also, can you .zip the C:\FRST\Quarantine folder and upload it to the same link I provided? The task we deleted should be there, so I can take a look at it.

scythemouse Posted August 2, 2017 Author ID:1148897
Done.

Aura Posted August 4, 2017 ID:1149478
Let's see if the pop-up comes back now.

scythemouse Posted August 4, 2017 Author ID:1149634
After two restarts, seemingly not.

Aura Posted August 4, 2017 ID:1149650
Alright. We'll still leave it in monitoring for a few days, just in case.

Aura Posted August 7, 2017 ID:1150575
Did it come back yet, or not?

scythemouse Posted August 7, 2017 Author ID:1150672
Doesn't look like it.

Aura Posted August 7, 2017 ID:1150688
Alright. Usually, did it come back systematically after every reboot, or could it lie low for a few days before coming back?