[BrandiCopas]

Sorry, again, I thought of another important fact, it seems to be infecting all my network pc's. Making the round's if you will. (  Thank you again for your help, time, and knowledge!!! I really appreciate it. 

Edited by BrandiCopas, 02 August 2017 - 08:26 PM.

[Advertisements]

See if you can get Windows Defender Offline to work:

 

https://support.micr...p-protect-my-pc

[RKinner]

See if you can get Windows Defender Offline to work:

 

https://support.micr...p-protect-my-pc

[BrandiCopas]

I ran it offline this am, no findings. I even dl'ed the program from laptop, onto disc, but I'm not sure about laptop either, to be honest. 

 

This is what made me think I have the nemocud infection. This was from 7/19/17. 

 

I removed some of the approved firewall rules, thinking that with full communication, this thing is growing, anyway, this is now one of the many warnings eset is providing. 

 

 Some of the rules I was unable to edit, once I selected edit, in attempt to remove, nor could I remove it. 

 

Any thoughts? 

 

this file couldn't be fixed before. 

 

The saved credentials I removed last night, are back today

 

this I just noticed, oddly, that program I cannot remove, is also network location.

[RKinner]

In the first picture, ESET scan what is the full path for the Objects?  Looks like it is probably C:\Windows\Temp

 

On the Kaspersky scan pic what is the full path for the file that it cannot remove?

 

On the last picture which PC is Explorer running on?

 

What happens when you try to uninstall DrFoneforAndroid?

[BrandiCopas]

I exported the eset logs

 

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here

6/27/2017 11:22:00 AM;Real-time file system protection;file;C:\Users\AIRWORX 2\AppData\Roaming\Belkasoft\Evidence Center\New case (2017.06.27 08_31_06)\New case (2017.06.27 08 31 06)\65\embeddedfile\4\1367.pdf;PDF/Phishing.Agent.ABA trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a file modified by the application: C:\Program Files (x86)\Belkasoft Evidence Center Ultimate\stub\ApplicationClient.exe (70B099C81CE54045D4283DA61A363AFB0FF7DAAD).;14B53EF55E205B16335A3FBF6F821329092FEF33;6/27/2017 11:19:21 AM

6/27/2017 11:35:06 AM;Real-time file system protection;file;C:\Users\AIRWORX 2\AppData\Roaming\Belkasoft\Evidence Center\New case (2017.06.27 08_31_06)\New case (2017.06.27 08 31 06)\65\embeddedfile\4\1754.doc;VBA/TrojanDropper.Agent.FT trojan;cleaned;AIRWORX2-PC\AIRWORX 2;Event occurred on a file modified by the application: C:\Program Files (x86)\Belkasoft Evidence Center Ultimate\stub\ApplicationClient.exe (70B099C81CE54045D4283DA61A363AFB0FF7DAAD).;45E856B5D954D0F52ABB6964738353767BC08EB3;6/27/2017 11:35:05 AM

6/29/2017 10:16:27 AM;Real-time file system protection;file;C:\CCSupport\Tools\ESETFunctionalityTester\Temp\eicar.txt;Eicar test file;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred on a new file created by the application: C:\Windows\System32\mshta.exe (1C893D6150E0A8C0E16AE16DB8988387C1BEB871).;3395856CE81F2B7382DEE72602F798B642F14140;6/29/2017 10:16:27 AM

6/29/2017 10:16:31 AM;HTTP filter;file;http://amtso.securit...Win32/PUAtest.Bpotentially unwanted application;connection terminated;NT AUTHORITY\SYSTEM;Threat was detected upon access to web by the application: C:\Windows\System32\mshta.exe (1C893D6150E0A8C0E16AE16DB8988387C1BEB871).;00117F70C86ADB0F979021391A8AEAA497C2C8DF;6/29/2017 10:16:31 AM

6/29/2017 10:16:34 AM;HTTP filter;file;http://amtso.securit....exe;SuspiciousObject;connection terminated;NT AUTHORITY\SYSTEM;Threat was detected upon access to web by the application: C:\Windows\System32\mshta.exe (1C893D6150E0A8C0E16AE16DB8988387C1BEB871).;F4053231135502B4E8EA2B4D2E32ABEFE3A08765;6/29/2017 10:16:34 AM

7/12/2017 2:17:07 AM;Email filter - Outlook;email message;from: [email protected] to: [email protected] with subject Status of your UPS delivery ID:08653334 ;a variant of JS/Danger.ScriptAttachment trojan;contained infected files;AIRWORX2-PC\AIRWORX 2;;;

7/18/2017 1:56:53 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc937F3E0A-B80D-B148-9D57-187643393794.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/18/2017 1:56:42 PM

7/18/2017 1:57:01 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc4B0FC8B8-A8F4-764B-BE1A-30C01C27205B.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/18/2017 1:56:52 PM

7/18/2017 4:05:14 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc9C993D64-BF7B-5F4A-AA6D-7D51C2CCAEDD.js;JS/TrojanDownloader.Nemucod.CUP trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;EB4BE79C7E57C3540A34EB74892E955D1C90CA05;7/18/2017 4:05:00 PM

7/18/2017 8:34:15 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\iocB3A2BAD4-6975-BA45-9451-9A9CC7640F52.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/18/2017 8:34:01 PM

7/18/2017 8:34:18 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc78C7BA79-CF23-FE43-AD88-94D68A7A2200.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/18/2017 8:34:11 PM

7/18/2017 10:37:48 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc1C2A81EF-4D6C-514E-BC04-67EB6DC10E79.js;JS/TrojanDownloader.Nemucod.CUP trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;EB4BE79C7E57C3540A34EB74892E955D1C90CA05;7/18/2017 10:37:36 PM

7/18/2017 11:46:38 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc57BAFF42-B365-9D40-9E28-E873F79A626F.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/18/2017 11:46:26 PM

7/18/2017 11:46:42 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc494B2523-387F-864D-ADCB-F758646E6B23.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/18/2017 11:46:37 PM

7/19/2017 1:20:28 AM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc8C9E1821-7C50-314D-B1ED-078F5FDFA437.js;JS/TrojanDownloader.Nemucod.CUP trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;EB4BE79C7E57C3540A34EB74892E955D1C90CA05;7/19/2017 1:20:13 AM

7/19/2017 2:50:30 AM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc32C04CA4-EF00-E646-91B0-A70E6671D2B0.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/19/2017 2:50:20 AM

7/19/2017 2:50:30 AM;Real-time file system protection;file;C:\WINDOWS\TEMP\iocBF9A5302-E4DF-1043-852C-52D02451400E.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/19/2017 2:50:10 AM

7/19/2017 3:59:35 AM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc8A0CA6E1-8C7A-F14B-9021-9E4ECBFAD9BB.js;JS/TrojanDownloader.Nemucod.CUP trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;EB4BE79C7E57C3540A34EB74892E955D1C90CA05;7/19/2017 3:59:20 AM

7/19/2017 7:21:10 AM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc24BEF7A2-779E-F240-B8A6-8AE30F1105D3.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/19/2017 7:20:50 AM

7/19/2017 7:21:10 AM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc1AEE3120-404F-7A43-944D-5D11F3E9491B.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/19/2017 7:21:00 AM

7/19/2017 8:31:01 AM;Real-time file system protection;file;C:\WINDOWS\TEMP\iocB1D3812B-4C31-0042-980E-92D1BC704475.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/19/2017 8:30:40 AM

7/19/2017 8:31:01 AM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc880FC18D-01A9-AC46-A4C8-BE26B8BAF410.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/19/2017 8:30:50 AM

7/21/2017 12:10:26 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc329B01BE-B480-AA47-B266-EF6416742028.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/21/2017 12:10:04 PM

7/21/2017 12:10:29 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc4CA18A5F-1A8C-BC42-A92A-9E651A083F7A.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/21/2017 12:10:14 PM

7/21/2017 2:34:03 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc48BC09CE-F645-8747-8A47-2B5267E8BA17.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/21/2017 2:33:45 PM

7/21/2017 2:34:05 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\ioc1B5CD64B-6AA1-F049-AA96-7FF13B7EDBF6.js;JS/TrojanDownloader.Nemucod.COL trojan;cleaned by deleting;AIRWORX2-PC\AIRWORX 2;Event occurred on a new file created by the application: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avp.exe (135BEBD69E79622FBADB8859598520312301BE88).;786E6090054F269C28CF1EBDFBBAF8B5C30D845B;7/21/2017 2:33:55 PM

 

 

[BrandiCopas]

In the first picture, ESET scan what is the full path for the Objects?  Looks like it is probably C:\Windows\Temp

 

On the Kaspersky scan pic what is the full path for the file that it cannot remove?

 

On the last picture which PC is Explorer running on?

 

What happens when you try to uninstall DrFoneforAndroid?

 

<script src="/cdn-cgi/apps/head/WF48Gl3PKYxHrReiZymeg1SEI3M.js"></script>

Last pic was on my main pc-Airworx 2-PC is the name. 

I cannot find the program to uninstall it, the data files are there, but no actual programs, as far as I can find. 

 

Not sure about the Kaspersky, b/c I had uninstalled it, it's back installed now, but not sure where to find the logs? I think that it's one that eset let Kasp find, and it deleted though. ) 

[BrandiCopas]

Now, I just got this notification. 

[RKinner]

Look at the details for each ESET detection and you will see that it is complaining about files created by Kaspersky and  Belkasoft.  This happens when you have more than one anti-virus.

 

Not sure where the popup warning comes from.  What were you trying to do?

[BrandiCopas]

Yes, it was strange, b/c Kasp found the infections, and eset removed them before Kasp got a chance. At one point, I think I'd mentioned that what ever this is, took control of Eset, like it now has with Defender. 

 

Was trying to search for an excel sheet, for work. Wouldn't let me search in the This PC folder. 

Edited by BrandiCopas, 03 August 2017 - 07:18 PM.

[BrandiCopas]

Granted, several of the infections in the report, were the Kasp ones, but the top portion were just the Eset findings. Forgot that part. Thx

[RKinner]

Don't think there were any infections - just two anti-viruses fighting each other.

 

What do you mean it wouldn't let you search?  What error do you get exactly?

[BrandiCopas]

Its the oicture i posted earlier. I'm posting from phone now, but it was at 12:12 this afternoon.

[RKinner]

Appears this is a common thing with Win 8

 

https://answers.micr...f5-800f1359edf8

 

See if the answer from 

gibboireland replied on  December 15, 2014

helps.

[BrandiCopas]

I'm running windows 10, is that the same? I will check that now, but wanted to let you know, and see if this makes any difference. So, I tried running defender offline in safe mode, it won't allow that program to run AT ALL!!! No mode, no overriding no cmdprompt or run with admin etc.. So, I typically use chrome, but keep ie as default, idk why. Anyway, IE is so slow, that it literally times out trying to reach even just google. 

 

So I was looking in the regedit-er earlier this am, and found a lot of odd looking registry entries. I only look, didn't change anything in there. These are a few that looked strange to me?

 

"C:\Program Files\WindowsApps\Microsoft.WinJS.1.0_1.0.9200.20789_neutral__8wekyb3d8bbwe"

 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{009F3B45-8A6B-4360-B997-B2A009A16402}

 

There were several others, but these looked pretty strange, specifically the XWizards? Well, if you remember correctly, the messaging app I couldn't uninstall has the 8wekyb3dbbwe file name added to it too. 

 

And the file isn't Windows, it's WindowsApps, yet the directory should be Windows\Apps\Microsoft , right? 

 

 

I also have several new folders on desktop, one named Encrypted Documents, inside is only an excel "csv" file, I haven't opened the document. Also, one called Documents_1, one called Videos, one called Pictures each with nothing inside but an excel CSV file. Each created by "System" on July 25th '17

[RKinner]

! tried running defender offline in safe mode, it won't allow that program to run AT ALL!!! No mode, no overriding no cmdprompt or run with admin etc.

 

 

 

Perfectly normal.  It's not a windows files can only run from boot.  By the way.  If you install an anti-virus program the first thing it does is kill off Windows Defender so that there will not be 2 anti-viruses running.

 

 

So I was looking in the regedit-er earlier this am, and found a lot of odd looking registry entries. I only look, didn't change anything in there. These are a few that looked strange to me?

 

"C:\Program Files\WindowsApps\Microsoft.WinJS.1.0_1.0.9200.20789_neutral__8wekyb3d8bbwe"

 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{009F3B45-8A6B-4360-B997-B2A009A16402}

 

There were several others, but these looked pretty strange, specifically the XWizards? Well, if you remember correctly, the messaging app I couldn't uninstall has the 8wekyb3dbbwe file name added to it too. 

 

And the file isn't Windows, it's WindowsApps, yet the directory should be Windows\Apps\Microsoft , right? 

 

 

Also normal/

 

See:

https://www.maketech...der-windows-10/

 

I also have several new folders on desktop, one named Encrypted Documents, inside is only an excel "csv" file, I haven't opened the document. Also, one called Documents_1, one called Videos, one called Pictures each with nothing inside but an excel CSV file. Each created by "System" on July 25th '17

 

 

 

Can you zip up one of the csv files and attach it?