Logs, script and strange things.
About the logs: after running the latest FRST fix (the script did its thing flawlessly, thanks again), I was able to download RK and Mbam through your links, run them without any problem and get the logs posted.
As for the "strange things" part of the title... At this point, the best I've been able to get out of the browser is by sticking with the bookmarks and internal links on legit sites, although I'm still a Yahoo cookie magnet. I managed to get the browser to switch to Google search;
this left me with a search bar that gave me the results you will see in the attached screenshots (irrelevant, useless results). Note that in both examples I searched "jexepackers" in one and "jexepacker threat" in the other. This was done from the search bar; then the resulting URL I copy/pasted to the notepads you see. Funny how a browser can misread an entry and then return something like "jetpack", but I guess nobody is perfect, eh? Now, about why I'm searching jexepackers (as well as code.jquery): I see these things in my "shark logs", and this leads to learning what I can about wpad as well as a lot of other security settings and "stuff".
Fix result of Farbar Recovery Scan Tool (x64) Version: 19-05.2019
Ran by oldman (21-05-2019 11:28:26) Run:4
Running from C:\Users\oldman\Desktop
Loaded Profiles: oldman (Available Profiles: oldman)
Boot Mode: Normal
==============================================
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
U4 npcap_wifi; no ImagePath
C:\Users\oldman\x.exe
2019-05-15 22:42 - 2019-05-15 22:42 - 000111688 _____ (Duckware) C:\Users\oldman\x.exe
C:\Windows\Temp\*.*
*****************
Processes closed successfully.
Restore point was successfully created.
HKLM\System\CurrentControlSet\Services\npcap_wifi => removed successfully
npcap_wifi => service removed successfully
C:\Users\oldman\x.exe => moved successfully
"C:\Users\oldman\x.exe" => not found
=========== "C:\Windows\Temp\*.*" ==========
not found
========= End -> "C:\Windows\Temp\*.*" ========
The system needed a reboot.
==== End of Fixlog 11:30:00 ====
RogueKiller Anti-Malware V13.2.0.0 (x64) [May 14 2019] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.17763) 64 bits
Started in : Normal mode
User : oldman [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20190521_110536, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2019/05/21 11:53:08 (Duration : 01:32:26)
¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤
Hosts file is too big
¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 4/1/19
Scan Time: 6:20 PM
Log File: 1de4401f-54dd-11e9-80c0-38eaa7eb314f.json
-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.9962
License: Trial
-System Information-
OS: Windows 10 (Build 17763.379)
CPU: x64
File System: NTFS
User: System
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 347886
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 56 min, 46 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
These will be the full URLs (disabled by the usual space) that I mentioned were displayed by the browser while searching jexepacks:
https://www.google. com/search?client=firefox-b-1-d&q=jexepackers
https://www.google. com/search?client=firefox-b-1-d&q=jexepack+threat
See attached screenshots of the pages that loaded.
I nearly forgot to answer this from a previous post, sorry.
"From what I can find the file (Duckware) C:\Users\oldman\x.exe could possibly be from there."
No, not intentionally but a drive by is always a possibility. I have a few thoughts on this duck "stuff", could be related to "Donald Duck" (More on that in updates).
After yesterday's post, I was clearing super cookies with my STM program. As I scrolled over the process monitor, I came across a FF browser running after I closed the window. This is something I've never seen before, but the most concerning part to me is that in the program description area of the line was text from a post (update) that I had made to you. This has never happened and I have no idea why it displayed that way. I'll keep you updated.
Cheers