I see that Farbar found 10 files. Trusting in your guidance, I believe that I am ready to remove tools and quarantine folders. Is there a risk in doing so?Originally Posted by Juliet
I note that we have seen no sign of the ransom ware. Does this surprise you?
The files we removed with FRST was a tidy up event, they were lose files that added nothing to the machine.
As for having a Ransomeware infection, no signs of it.
And there was no mention of any notes or alerts telling you your computer had been infected and of money to get your files back.
The encrypted files for this specific infection will have the extension '.VXLOCK' appended to the end of the file name and on this machine there were none.
I can't say why, but I think what you saw was a false-positive.
Use this tool to remove quarantined items:
Please download KpRm by Kernel-panik and save to your Desktop.
- Click on KpRm.exe to run the tool.
Vista/Windows 7/8/10 users right-click and select Run As Administrator.- Put a check mark next to these items:
- Delete tools
- Delete now- Click the "Run" button.
- When the tool has finished, it will create and open a log report and delete itself.
Windows Insider MVP Consumer Security 2009 - 2017
Please do not PM me for Malware help, we all benefit from posting on the open board.
Thank you for your further instructions. Your idea that this is a false positive are potentially comforting!
I am wondering a bit about EEK's new user interface. You wrote, in Post 13, that EEK would take some time to run: it ran rapidly.
I also see in #13 that, with the old UI, I would have needed to check Run Directly. In scan...txt, I see Direct Disk Access: Off. Should I have turned it on in Settings?
Another thought: I do not use Outlook. Is the email application I am using protecting my PC?
I say potentially false-positive because I and the tools used to scan for infections were not there.
In the past, online scanners took hours to scan a computer because hard drives can be so full and people save tons of items.
The interface of the scanner had changed recently, they don't contact those who help with malware removal, kinda wish they did so I wouldn't look so stupid.
If you feel we should run other scanners to try and find something we can but since you haven't mentioned anything out of the ordinary happening I just don't think it's necessary.
Email servers
It's the person behind the computer who is your best security tool.
I did a few minutes of research on Pegasus Mail (Of which I have never used, not saying good or bad about this email client I just don't know anything about it myself)
I personally use the email client that came with the ISP provided here, I do not freely give it out.Pegasus Mail
is a donationware, proprietary email client
distribution and development of Pegasus Mail had ceased due to inadequate financial support from the sale of the manuals
I hate, I absolutely hate having to open attachments. I have windows defender scan it before opening and use MalwareBytes to scan.
I get junk mail and out it goes.
Happy Easter.
Windows Insider MVP Consumer Security 2009 - 2017
Please do not PM me for Malware help, we all benefit from posting on the open board.
Happy Easter!
I downloaded and ran (as Administrator) KpRm as you suggested. Here's the log:
# Run at 2022-04-17 16:51:06
# KpRm (Kernel-panik) version 2.9.3
# Website https://kernel-panik.me/tool/kprm/
# Run by Chris from C:\Users\Chris\Desktop
# Computer Name: MOLLY
# OS: Windows 7 X86 (7601) Service Pack 1
# Number of passes: 1
- Checked options -
~ Delete Tools
~ Delete Quarantines
- Delete Tools -
## AdwCleaner
[OK] C:\AdwCleaner deleted
## Emisoft Emergency Kit
[R] C:\Users\Chris\Desktop\EmsisoftEmergencyKit.exe deleted
[R] C:\EEK deleted
## ESET Online Scanner
[OK] C:\Users\Chris\AppData\Local\ESET\ESETOnlineScanner deleted
[OK] HKLM\SOFTWARE\ESET\ESET Online Scanner deleted
## FRST
[OK] C:\Users\Chris\Desktop\Addition.txt deleted
[OK] C:\Users\Chris\Desktop\Fixlog.txt deleted
[OK] C:\Users\Chris\Desktop\FRST-OlderVersion deleted
[OK] C:\Users\Chris\Desktop\FRST.exe deleted
[OK] C:\Users\Chris\Desktop\FRST.txt deleted
[OK] C:\FRST deleted
-- KPRM finished in 92.13s --
- Need to Restart -
I restarted.
- As has been the case earlier, MalwareBytes window showed, inviting me to update.
- I clicked on Install
- It offered Browser Guard
- I declined the offer because I am running AdBlockPlus in Firefox: the two may conflict
- "Installing" showed, then Installation failed. Please restart your system then try running the installer again".
- Early in this thread, I had to work around Win 7 not being fully patched.
- What, if anything, should I do further?
- Should I be running Malwarebytes regularly?
BTW I remember Opening an email in Pegasus back in March. The text was in green, not the normal black. The window blurred for several seconds then the email disappeared from the screen, and was not in any likely Pegasus folder. Perhaps this was Pegasus successfully defeating the ransomware? I think that the rest of the screen stayed in focus.
Here are SS&D's current schedule settings.
Attachment 13304
Attachment 13305
Do these look reasonable? I thought I had set Scan to once a week.
I don't know what is going on with MalwareBytes, trying to download and install over an older version? You may need to completely uninstall then reinstall.
There is a MalwareBytes support forum that can probably give answers as to why it's not updating or installing, you'll need to register and then create a new topic.
https://forums.malwarebytes.com/foru...support-forum/
The email, when it opened, could you read what it said?
Typically with a ransomeware note, it remains on desktop so there is no avoidance that it's hit your machine. And the computer will act very un-normal.
I can't say 100% there is not that sort of infection on here but I can say there is/was no evidence that i found.
I can also say that in todays world there is a lot of criminal/hacking activity happening world wide to the point it's scary.
In case or for safe practices, change all your passwords from a known secure computer.
The attachments you posted would not only me to open. You should scan your computer often and follow safe online practices.
- Answers to common security questions - Best Practices by quietman7, MVP
- How Malware Spreads - How did I get infected? by quietman7, MVP
- Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams, MVP
- How to Prevent Malware by miekiemoes, MVP
- How to backup and restore your data using Cobian Backup by YourHighness
- Slow Computer/browser? It May Not Be Malwareby quietman7, MVP
Windows Insider MVP Consumer Security 2009 - 2017
Please do not PM me for Malware help, we all benefit from posting on the open board.
About the odd email:
- I was not yet fully awake when it arrived in my inbox.
- I can add that it had what looked like a PDF button
- The email had shown in New email. I clicked on it, then on Open (rather than just seeing it in Preview).
- The email disappeared from New email.
There was no ransomware note. I only know about it because a Spybot scan showed it. When I fixed it there, its "cousin" showed in the next scan.
We are very careful about passwords. We never accept offers from Firefox to remember them. We do change them.
Using a small program that I wrote, I back up incrementally at least daily. It:
- looks for the archive bit being set,
- selects files based on rules in a metadata file,
- gives me, at run time, the ability not to back up a file,
- backs up to a USB stick that is otherwise offline.
My wife and I share an email address. On her PC, Pegasus is set to receive emails. Mine is set not to check for incoming emails. When an email arrives for me, she moves it to New email on my PC. (I can also move an email from her PC to mine, in Pegasus Mail.)
I also backup using Acronis True Image weekly.
BTW I note, thanks to your guidance, on my PC, Firefox's favicons file has dropped from 34MB to 4MB. On my wife's PC, which also showed the ransomware in a scan, Firefox crashes several times a day, causing her to open links again. Which tool cleaned up Firefox for me?
Posting Permissions
