Admin tools all unavailable, seemingly fake dropbox and a few other pr

Malware unknown virus

#46 BrandiCopas (Member, Topic Starter, 36 posts)

That's the weird thing: I uninstalled anything related to Apple, iTunes, or Bonjour a few days ago, and here it is again. I don't use any of them. The same goes for any of the WildTangent games: all gone, but still appearing in scans.

I tried to start my Rock Gym Program last night, which is the POS and digital waiver system my employer uses; anyway, it's a local SQL Server based program. The PC I'm on, AIRWORX 2-PC, is the old server from our location here before she sold the business. Anyway, that cannot start anymore, for some reason.

So, looking through my logs in a desktop folder I created called Cleanup Apps, I found this log. Log name is a2settings.ini:


[General]
Revision=2
Language=en-us
SectionsCount=32

[Position]
Revision=1
Length=44
Flags=0
ShowCmd=1
ptMinX=-1
ptMinY=-1
ptMaxX=-1
ptMaxY=-1
rcNormalLeft=448
rcNormalTop=240
rcNormalRight=1472
rcNormalBottom=800
rcNormalTopLeftX=448
rcNormalTopLeftY=240
rcNormalBottomRightX=1472
rcNormalBottomRightY=800

[Connection]
Revision=2

[Download]
Revision=2

[Folders]
Revision=1

[InfoBox]
Revision=3

[Submit]
Revision=1

[News]
Revision=1
Message=[clr=13010179/b]Spotlight on ransomware: Ransomware encryption methods[/clr]

[News1]
Revision=1
Message=Spotlight on ransomware: Ransomware encryption methods
URL=http://emsi.at/sor3/...gn=ticker170718
Date=1500249600

[News2]
Revision=1
Message=New in 2017.6: Double Pulsar Mitigation and Email Notifications
URL=http://emsi.at/updat...aign=news170703
Date=1499040000

[News3]
Revision=1
Message=Petya ransomware variant attacks computers worldwide
URL=http://emsi.at/petya...gn=ticker170627
Date=1498521600

[News4]
Revision=1
Message=Doxware: Ransomware evolution or media hype?
URL=http://emsi.at/doxwa...gn=ticker170615
Date=1497571200

[News5]
Revision=1
Message=New in 2017.5: Anti-Ransomware
URL=http://emsi.at/updat...aign=news170531
Date=1496188800

[LastScan]
Revision=2
LastDetection=1500362334
Date=1500371406
Detected=1

[LastUpdated]
Revision=1
Date=1500362039
Result=1
LastTryResult=1

[TimeDelta]
Revision=1

[Logging]
Revision=3

[LicenseDetails]
Revision=6
MachineKey=C830EACA0D49E89D9AD331AA214F45946B6DB50D
MachineName=AIRWORX2-PC
ID=14962626
Model=1
Starts=1500304439
Ends=32503680000
Offline=0

[AccountDlg]
Revision=1

[ReScanQuarantine]
Revision=1

[CachedFolders]
Revision=1
AddScanFolder=I:\
SaveScanSettings=C:\Users\AIRWORX 2\Desktop\Cleanup apps\Scansets\

[LicenseType]
Revision=1
Type=8

[Key]
Revision=3
RegistrationKey=UdWdN75mSLmXS2jSPcLa
RegistrationKeys=JtvrTLnxU7rST5zwN7GgNqzWJsTFOc5aNs9bPcLZNrzFUdWdN75mSLmXS2jSPcLaJs1ZQ6LXPM5bJsTFOc5aNs9bPrzVNrzF

[NewsLetter]
Revision=1

[ElevatedRisk]
Revision=1

[MemoryUsage]
Revision=2

[ScanPerformance]
Revision=1
ThreadsToUse=5
ThreadAffinity=15
ThreadPriority=2

[ScannerOptions]
Revision=1
DetectPUP=1
OnScanFinishSettings=|0|1|

[GridsSettings]
Revision=2

[ShutdownScanStatistics]
Revision=1

[SystemConnection]
Revision=1
SectionType=9

;File timestamp: 1500371595

Then I have a few screen clips to upload, so I'll do those next.

#47 RKinner (Malware Expert, MVP, 19,388 posts)
a2settings.ini is supposedly created by Emsisoft when you run their Emsisoft Command Line Scanner. Going to be out most of the day.

#48 BrandiCopas (Member, Topic Starter, 36 posts)

Capture13.JPG: These were a few of the kasp items found.

Kasp findings.JPG

Cannot uninstall.JPG: Thought this "App" looked strange, so I tried to uninstall it, and cannot?

Installation dates are too recent for most of these programs.JPG: The dates are all very recent, despite knowing they weren't recently installed; a bit of investigating

https://blogs.techne...alware-attacks/ I found this, and several weird things related to it, i.e. something has reconfigured pretty much every program in the past few days.

https://portal.msrc....dc-000d3a32fc99

Wow, this discusses or includes many of my problem programs. I forgot to mention, I've not been able to use Edge at all, but I don't typically, so it didn't seem like a big deal.

wondering if numbers after service should be there.JPG: This is in the Services menu; should the numbers be present after the service name? There are several like that.

Attached Thumbnails

  • device managerJPG.JPG
  • virtual device.JPG

#49 BrandiCopas (Member, Topic Starter, 36 posts)

Forgot to post those results:

Emsisoft Emergency Kit - Version 2017.6
Last update: 7/18/2017 7:13:59 AM
User account: AIRWORX2-PC\AIRWORX 2
Computer name: AIRWORX2-PC
OS version: Windows 10x64

Scan settings:

Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\, D:\, I:\

Detect PUPs: On
Scan archives: On
Scan mail archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: On

Scan start: 7/18/2017 7:17:48 AM
C:\Users\AIRWORX 2\AppData\Roaming\Passware\  detected: Application.Win32.PassRecover (A) [222439]

Scanned 740688
Found 1

Scan end: 7/18/2017 9:50:04 AM
Scan time: 2:32:16

C:\Users\AIRWORX 2\AppData\Roaming\Passware\  Application.Win32.PassRecover (A)

Quarantined 1

#50 BrandiCopas (Member, Topic Starter, 36 posts)

This log is from 7/12/17. I've run it 2x since, with no findings?

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.07.12.05
  rootkit: v2017.05.27.01

Windows 10 x64 NTFS
Internet Explorer 11.1480.14393.0
AIRWORX 2 :: AIRWORX2-PC [administrator]

7/12/2017 6:53:44 AM
mbar-log-2017-07-12 (06-53-44).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 468336
Time elapsed: 50 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Temp\services.exe.mui (Trojan.Agent) -> Delete on reboot. [b2b32d3813961a1cdc37706bda287888]

Physical Sectors Detected: 0
(No malicious items detected)

(end)

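As an added example, not code from the thread or from either vendor: a small Python triage script that pulls the three artefacts posted above into one normalized record, the [LastScan] epoch timestamps from the a2settings.ini in post #46, the Emsisoft Emergency Kit detection line from post #49 and the Malwarebytes Anti-Rootkit detection line from post #50, so both findings and the scan times can be compared side by side. The embedded excerpts are constructed from the posted logs, and the two line-format regexes are assumptions derived from those lines rather than a documented log specification.

```python
import configparser
import re
from datetime import datetime, timezone

# Excerpts constructed from the logs posted in this thread, trimmed to the
# lines the parser needs (raw strings keep the Windows backslashes intact).
A2SETTINGS = r"""[LastScan]
Revision=2
LastDetection=1500362334
Date=1500371406
Detected=1
"""
EEK_LOG = r"""C:\Users\AIRWORX 2\AppData\Roaming\Passware\  detected: Application.Win32.PassRecover (A) [222439]
Found 1
"""
MBAR_LOG = r"""Files Detected: 1
C:\Windows\Temp\services.exe.mui (Trojan.Agent) -> Delete on reboot. [b2b32d3813961a1cdc37706bda287888]
"""

# Assumed line formats (the regexes are ours, derived from the two posted lines):
#   EEK:  <path>  detected: <verdict> [<signature id>]
#   MBAR: <path> (<verdict>) -> <action>. [<md5>]
EEK_RE = re.compile(r"^(?P<path>.+?)\s+detected: (?P<verdict>.+?) \[(?P<sig>\d+)\]$")
MBAR_RE = re.compile(r"^(?P<path>.+?) \((?P<verdict>[^)]+)\) -> (?P<action>[^.]+)\. "
                     r"\[(?P<md5>[0-9a-f]{32})\]$")

def epoch_utc(value):
    """a2settings.ini stores scan times as Unix epoch seconds."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)

def last_scan_times(ini_text):
    """Return (LastDetection, Date) of the [LastScan] section as UTC datetimes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    sec = cp["LastScan"]  # option lookup is case-insensitive
    return epoch_utc(sec["LastDetection"]), epoch_utc(sec["Date"])

def parse_detections(text, pattern, scanner):
    """One dict per line of `text` that matches `pattern`; other lines are skipped."""
    return [{"scanner": scanner, **m.groupdict()}
            for m in map(pattern.match, text.splitlines()) if m]

def triage():
    """Normalize both scanners' hits plus the ini timestamps into one record."""
    detected, ended = last_scan_times(A2SETTINGS)
    return {
        "findings": parse_detections(EEK_LOG, EEK_RE, "EEK")
        + parse_detections(MBAR_LOG, MBAR_RE, "MBAR"),
        "last_detection_utc": detected.isoformat(),
        "last_scan_end_utc": ended.isoformat(),
    }
```

The converted Date value lands two seconds after the "Scan end" line in post #49, which is a quick sanity check that the ini and the log describe the same scan.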

#51 RKinner (Malware Expert, MVP, 19,388 posts)
Let Kaspersky delete anything it found.

If you don't want the programs and have already uninstalled them, then delete the folders.

The numbers are normal. Win 10 loves numbers.

To uninstall Messenger, try this command in PowerShell:

Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage

Start PowerShell by following the instructions here: https://www.howtogee...reinstall-them/

Acronis is backup software. Nothing to worry about.


#52 BrandiCopas (Member, Topic Starter, 36 posts)

This was the error message I received from PowerShell:

Remove-AppxPackageGet-AppxPackage : The term 'Remove-AppxPackageGet-AppxPackage' is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At line:1 char:41
+ ... age *Microsoft.Messaging* | Remove-AppxPackageGet-AppxPackage *Micros ...
+                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Remove-AppxPackageGet-AppxPackage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
