nobus
asked on
virus or malware or what ?
my pc was behaving weird, so i installed and scanned with MBAM
this found 1 item FRAUD usd.teutorigos-phi.com
but it does not seem to remove it
do you have any suggestions - except a fresh install? (i know that, and will do it)
but i want to know more about this thing
Does it show where it is located? Hosts file or just history of browser?
Can you send a screenshot of the MBAM report?
Sounds like it’s just blocked the URL rather than anything actually running on your PC
The site itself doesn’t seem to be a particular risk.
https://www.hybrid-analysis.com/sample/948da24fd536df0f44787429bbb6912aac3d0554b19d5d6273d97dd856548902/5b77e1e37ca3e117a41a8827
Restart your PC in Safe Mode and scan again with Malwarebytes. It should then be able to remove it.
MBAM is just informing you that that website is blocked
i.e.
Malwarebytes
www.malwarebytes.com
-Log Details-
Protection Event Date: 8/18/18
Protection Event Time: 7:34 AM
Log File: 9a681e04-a2da-11e8-a938-02155ddecda5.json
Administrator: Yes
-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.391
Update Package Version: 1.0.6397
License: Premium
-System Information-
OS: Windows 10 (Build 17735.1000)
CPU: x64
File System: NTFS
User: System
-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0
-Website Data-
Category: Fraud
Domain: usd.teutorigos-phi.com
IP Address: 52.7.54.213
Port: [49948]
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(end)
ASKER
here is the mbam report attached.
the weird behaviour is this :
at startup, i see an icon in the task bar (second one)
and some tasks - explorer or edge - do not open to full page
i also found this installed - and it cannot be removed - says the file is not there; see below
also, the mbam warning appears without opening the IE- or Edge
uninstall that particular application
Does look like you've got something running that shouldn't be there :(
Do you use Firefox as your browser (that's the icon that pops up next to your snipping tool)?
Do you have a pop-up blocker installed?
Any recent installations? I think this might have been bundled with something legitimate.
Could you run a scan with FRST and attach the files it produces?
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Check your MBAM and AV quarantine logs for 2.1.2.3, likely to have been disabled as a PUP, and so you can't remove it as it's locked.
Could you run a scan with FRST and attach the files it produces?
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Wish this would work with 64bit installs of Windows
ASKER
i removed the soft with revo
will run frst and report
@Andrew
"Wish this would work with 64bit installs of Windows"
You know there's a separate 64bit version? Download from the same page.
@MASQ
Damn, I clearly didn't look at the page closely enough. Thank you.
ASKER
i don't use Firefox
files are attached
there are 2 candidate software packages for the virus installed : ubcd4win and Fairstairs CD Ripper
FRST.txt
Addition.txt
ASKER CERTIFIED SOLUTION
See if that helps
ASKER
i see a reference to Firefox - that's understandable
how do you come to the rest?
uim_im.sys is a driver for Paragon but it should be signed, you can delete that line if you’re confident you're running Paragon and the file is not infected.
C:\Users\Kipje\AppData\Roaming\teinObj\update.exe
is the executable for the infection
The rest is tidying loose ends
ASKER
Masq, tx for the info; however, how do you know that Roaming\teinObj\update.exe is the infection source?
btw i ran your fix and it seems much better now - i'll test a couple of days to be sure
Hi nobus, sorry hectic day :(
Google "update.exe" for details, there is a legitimate Microsoft file but it would never be in that location.
Although it's described on the Internet as the Update.exe "virus", this isn't the case; it's simply the launcher for your rogue Firefox install, set in the registry to launch at start-up so MBAM and AV software ignore it.
"how do you know that "
Experience ... ? ;)
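As an added defender-side check (not part of the thread or MASQ's fix), the PowerShell below lists the Run/RunOnce autostart entries and flags any whose executable lives under a user-writable profile path or lacks a valid Authenticode signature, which is the pattern MASQ describes for the teinObj\update.exe launcher. The list of "suspicious" roots is an assumption; the registry keys are the standard Windows autostart locations. It only reports and deletes nothing.

```powershell
# Added example: report Run/RunOnce autostart entries whose target sits in a
# user-writable profile directory (AppData\Roaming, AppData\Local, Temp) or is
# unsigned/missing. Read-only; it makes no changes to the registry or files.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Assumed list of roots a legitimate autostart rarely points into.
$suspiciousRoots = '\\AppData\\Roaming\\', '\\AppData\\Local\\', '\\Temp\\'

function Get-TargetPath([string]$command) {
    # Expand %VARS% and strip quotes/arguments:
    #   "C:\x\update.exe" /silent  ->  C:\x\update.exe
    $c = [Environment]::ExpandEnvironmentVariables($command).Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.TrimStart('"')
    }
    return ($c -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item  = Get-ItemProperty -Path $key
    $names = $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
             Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $target    = Get-TargetPath ([string]$item.$name)
        $inUserDir = [bool]($suspiciousRoots | Where-Object { $target -match $_ })
        $exists    = Test-Path -LiteralPath $target
        $signed    = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Target    = $target
            UserDir   = $inUserDir
            Signature = $signed
            Flag      = if ($inUserDir -or "$signed" -ne 'Valid') { 'REVIEW' } else { '' }
        }
    }
}

$results | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Entries marked REVIEW are candidates to check against the FRST output, not proof of infection; a legitimate per-user updater can also live under AppData.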
ASKER
FRST makes me remember the old hijackthis - does it work the same way?
Yes, very similar in parts, although HJT looked mainly at the registry and browser start-up lists. Farbar is more comprehensive but it's also easier to mess up. The core code for HJT is now Open Source.
ASKER
masq - you earned this one
i'll post a new one shortly
"i'll post a new one shortly" - Oh noes!!! :)
** Inserts usual Farbar caveat ** - this solution is time and situation specific to the affected computer described in the thread - fixlist.txt scripts should never be re-used in the hope they will fix a similar problem. **
ASKER
i did not mean about virus - just another Q ( you're in already
Heading off to Italy in a few hours so might not see that one through.
ASKER
enjoy - and admire the bella donna's