
Moved topic from Windows forum, problems......


7 replies to this topic

#1 plat1098

plat1098

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:42 PM

Posted 15 December 2015 - 02:46 PM

Hello, the Windows forum topic concerned my needing to get rid of a piece of non-security software in its entirety.  After using the proprietary tool and manually deleting all I could find, I thought that was the end of it.  Recently, I discovered a piece of this software was still there, in a hidden folder, and I couldn't unhide or access it.  The advice from the other topic was very well-meaning, but knowing my situation best, I opted for a system refresh.

 

Following the refresh, there were some weird and funny issues, namely black screen with the name of my online shield across the top when restarting, off-center graphics, and other anomalies.  After enabling my online shield and Windows Defender, went online intending only to quickly grab my firewall key.  Within literally 2 seconds of opening Internet Explorer to the default homepage (I hadn't changed this yet), an exploit was blocked and the issue recorded in Event Viewer.   Closed browser at once and ran ESET, and while this was running, it occurred to me I'd neglected to install some 190 Windows updates (for the love of MIKE) before going online. After an eternity of Windows updates and scans, I am asking for review of the reports-- naturally, I'm concerned about the above issues and whether something is lurking around that hasn't been detected yet.  By the way, the hidden file was eliminated. Thank you!

 

Attached Files:
  FRST_14-12-2015_17-09-09.txt   494.95KB   6 downloads
  Addition_14-12-2015_17-09-09.txt   25.27KB   7 downloads
  MBscan.txt   1.03KB   6 downloads
  Capture77.PNG   88.1KB   0 downloads





#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:42 PM

Posted 16 December 2015 - 02:02 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

No virus or malware was found on your logs.
This is just a cleanup of empty items.


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -  No File
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
AlternateDataStreams: C:\ProgramData\Temp:19F8EB29
AlternateDataStreams: C:\ProgramData\Temp:2187A2BB
AlternateDataStreams: C:\ProgramData\Temp:2CB9631F
AlternateDataStreams: C:\ProgramData\Temp:413177C4
AlternateDataStreams: C:\ProgramData\Temp:43D2A298
AlternateDataStreams: C:\ProgramData\Temp:4FE3FB06
AlternateDataStreams: C:\ProgramData\Temp:660BDAE1
AlternateDataStreams: C:\ProgramData\Temp:77E239B1
AlternateDataStreams: C:\ProgramData\Temp:8967C154
AlternateDataStreams: C:\ProgramData\Temp:8AED9359
AlternateDataStreams: C:\ProgramData\Temp:8C12CFCD
AlternateDataStreams: C:\ProgramData\Temp:9B721CFF
AlternateDataStreams: C:\ProgramData\Temp:A9ABA3FF
AlternateDataStreams: C:\ProgramData\Temp:C5D38708
AlternateDataStreams: C:\ProgramData\Temp:C6D0ABC3
AlternateDataStreams: C:\ProgramData\Temp:C6EB7815
AlternateDataStreams: C:\ProgramData\Temp:C9B27A06
AlternateDataStreams: C:\ProgramData\Temp:D442BE9A
AlternateDataStreams: C:\ProgramData\Temp:D8936165
AlternateDataStreams: C:\ProgramData\Temp:FE61B3F6

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===


If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===
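An added example, not part of nasdaq's instructions and not FRST's own code: the fixlist above deletes twenty alternate data streams (ADS) attached to the C:\ProgramData\Temp folder itself. Before (or instead of) running a fix you can list those streams from an elevated PowerShell prompt, see how large each one is, and remove them only when you ask for it. The folder path, the list of stream names treated as normal, and the -Remove switch are this example's own choices, not anything FRST or the thread specifies.

```powershell
# Added example (not from the thread): enumerate, and optionally delete, the
# alternate data streams on a folder, printing them in the same form the
# FRST log uses so they can be compared line by line with the fixlist.
# Assumptions: PowerShell 3.0 or later, NTFS volume, elevated prompt.

param(
    [string]$Path = 'C:\ProgramData\Temp',   # folder named in the fixlist
    [switch]$Remove                          # only delete when explicitly asked
)

# Every NTFS file has the unnamed ':$DATA' stream (its normal content);
# Zone.Identifier is the one legitimate named stream you routinely see on
# downloaded files. Anything else on a Temp folder is a leftover.
$known = @(':$DATA', 'Zone.Identifier')

$streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
    Where-Object { $known -notcontains $_.Stream }

if (-not $streams) {
    Write-Output "No alternate data streams on $Path"
    return
}

foreach ($s in $streams) {
    # $s.Stream is the stream name (e.g. 19F8EB29), $s.Length its size in bytes.
    $entry = 'AlternateDataStreams: {0}:{1}' -f $Path, $s.Stream
    Write-Output ('{0}  ({1} bytes)' -f $entry, $s.Length)

    if ($Remove) {
        # Same effect as the matching 'AlternateDataStreams:' line in an FRST fixlist.
        Remove-Item -LiteralPath $Path -Stream $s.Stream -ErrorAction Stop
        Write-Output "  removed $($s.Stream)"
    }
}
```

Save it as a .ps1 and run it once without arguments to see the list; add -Remove to delete. Zero-byte streams with random hex names on this folder are the "empty items" nasdaq refers to; if a stream reports a real size, copy its content out first (Get-Content -LiteralPath $Path -Stream <name>) so there is something to look at if it turns out to matter.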

#3 plat1098 (Topic Starter)

Posted 16 December 2015 - 04:27 PM

Hello, nasdaq, I am glad to see nothing was found.  I had to ask, though, due to the exploit and other assorted issues.  I have also read the article included in your reply.

 

Thank you for helping me, it is appreciated. :)

 

plat1098

 

Attached File  Fixlog_16-12-2015_16-17-49.txt   3.03KB   3 downloads



#4 nasdaq

Posted 17 December 2015 - 10:00 AM

Glad we could help.

#5 plat1098 (Topic Starter)

Posted 17 December 2015 - 01:05 PM

One detail, and maybe there is something about this at Bleeping Computer? Regarding Event Viewer, it seems I had a "stack pivot" exploit via Internet Explorer, can you tell me what that is? Not too keen about researching this online at the moment, and I wish I could export the entire report to this post but I don't know how. A screenshot of the shield's general report is the best I can do. The shield's proprietary event ID was coded "911" of all things, no further information or online help. There's nothing else I can do, as the site isn't accessible to me via email or other means right now. I see there is some technical detail in the Addition text. The way this shield worked was via the Windows Smart Screen and believe me, it was fast! "Attack" with a big green bar across the monitor was the notice.

Thanks for additional info, plat1098
Attached File  shield report.PNG   31.71KB   0 downloads

#6 plat1098 (Topic Starter)

Posted 17 December 2015 - 08:04 PM

I will now add additional information as I'm currently dealing with the ripple effects of this malicious process. Here are the issues I'm facing and I'll be as concise as possible:

 

--The online shield did not uninstall during the system refresh.  Is this expected?

 

All of my other programs, including firewall, were removed.  When initially booting from the refresh, instead of my lock screen, a black screen with the shield's name appeared.  After a few seconds, I could access the desktop normally.  The shield was then found to be fully activated and functional, unaffected by the refresh.  The shield is directly connected to the Windows operating system. This has happened twice, the second time, I tried fixing with a reinstall of the shield.

 

--I suspect an eventual failure of the Windows operating system is likely.

 

The shield became active, apparently, during the installation of Windows components, specifically, I'm wondering, Internet Explorer.  There were a number of critical errors during that time, all around the time the shield's error entry in the log was recorded.  One error involved the Volume Shadow Copy Service, screenshot below, which is why your article was of such interest to me. Because the refresh is routinely a "pure" Windows process, I'm asking whether HP-A's activity at that time may have caused some issues as it was right  there along with Windows. Did Windows recognize what was actually happening? Probably not, there were just a bunch of Windows-y error messages. Instead of the little white dots moving in a little circle at startup, the circle is larger in diameter, something I've come to find is associated with the dreaded Automatic Repair thing.  So, do I avert a System Restore by initiating a System Restore?

 

--I am concerned about lingering issues at the kernel level which would make this machine more vulnerable with respect to future updates and installations.

 

Would dearly love to know how to relay this to the HP-A developers. My only options at the moment are via Outlook (precisely the type of connection I don't want right now)  or sending a letter to The Netherlands. I tried Sophos website--no dice.  I'm thinking this type of exploit is not as common as some of the others, and the developers would know firsthand how the product interacts with Windows processes and whether there are precedents. It also may explain why the exploit appeared and was blocked virtually the moment I opened IE to the MSN homepage. I'm guessing it was already primed and not a coincidental "drive by."

 

So this is where the issue really stands right now.  Thanks, plat1098


Edited by plat1098, 17 December 2015 - 08:07 PM.


#7 nasdaq

Posted 18 December 2015 - 10:44 AM

To tell you the truth, I'm not familiar with this StackPivot.

I searched Google and was not able to find any solutions.


I searched the BleepingComputer forums for "stack pivot" and found only your topic.

Create an e-mail account with Google Mail.

https://www.google.com/intl/en/mail/help/about.html

It's always nice to have one more way to communicate on occasion.

Then you can check with HP.
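An added note and example, from neither nasdaq nor plat1098. A stack pivot is a standard step in a memory-corruption exploit: once the bug gives the attacker control of execution, the exploit swaps the CPU's stack pointer to a buffer it controls (a heap spray, for instance) so that a return-oriented-programming chain laid out there runs next. Anti-exploit tools detect it by checking, when a sensitive API is called, whether the stack pointer still lies inside the thread's real stack bounds; a block at that point stops the chain before its payload runs. Post #5 asked how to get the Event Viewer report out for others to read. The script below pulls the shield's entries out of the Windows event log as text and as an .evtx, and lists the other critical and error events around the same minutes, which is where the Volume Shadow Copy and setup errors mentioned in post #6 would appear. It assumes the shield writes to the Application log and that the "911" the poster saw is the Windows event ID; if 911 is only a product-internal code, change or drop the Id filter. The time window and output paths are this example's own choices.

```powershell
# Added example (not from the thread): export the shield's event log entries
# and the errors logged around them, for attaching to a forum post.
# Assumptions: the shield logs to the Application log with event ID 911
# (from the poster's description); provider name unknown, so we filter on
# ID and time only. Run as a user who can read Application and System.

param(
    [datetime]$Start  = (Get-Date).AddDays(-7),
    [int]$EventId     = 911,
    [string]$LogName  = 'Application',
    [string]$OutDir   = "$env:USERPROFILE\Desktop"
)

$events = Get-WinEvent -FilterHashtable @{
    LogName = $LogName; Id = $EventId; StartTime = $Start
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No events with ID $EventId in $LogName since $Start"
    return
}

# Plain-text report: one block per event, full message included.
$report = Join-Path $OutDir 'shield-events.txt'
$events | Sort-Object TimeCreated | ForEach-Object {
    '{0}  {1}  [{2}]' -f $_.TimeCreated, $_.ProviderName, $_.Id
    $_.Message
    ''
} | Set-Content -LiteralPath $report -Encoding UTF8

# Critical (1) and error (2) events from both logs in the half hour either
# side of the first shield event: what Windows itself was doing at the time.
$first  = ($events | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
$around = Join-Path $OutDir 'errors-around-shield.txt'
Get-WinEvent -FilterHashtable @{
    LogName   = 'Application', 'System'
    Level     = 1, 2
    StartTime = $first.AddMinutes(-30)
    EndTime   = $first.AddMinutes(30)
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, LogName, ProviderName, Id, Message -AutoSize -Wrap |
    Out-String -Width 200 |
    Set-Content -LiteralPath $around -Encoding UTF8

# Native-format copy of the whole log, so a helper can open it in Event Viewer.
$evtx = Join-Path $OutDir "$LogName.evtx"
wevtutil epl $LogName $evtx

Write-Output "Wrote $report, $around and $evtx"
```

Attach the two text files to the post; the .evtx is for anyone who wants to filter the log themselves. If the shield's events are not in the Application log, look under Applications and Services Logs in Event Viewer for a log named after the product and pass that name as -LogName.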

#8 plat1098 (Topic Starter)

Posted 23 December 2015 - 02:44 PM

I apologize for the delayed response, much damage to mop up.  Tried refreshing the machine again and couldn't load the final 20 updates due to corrupted BITS.  Finally installed another Windows version and hoping I'm not on shaky ground somewhere. 

 

I'll take your above advice because the thing about this situation is I wasn't even in an open browser, just online. I'm looking at the Addition.txt in initial post and it's pretty graphic  and obvious but I'm not quite sure what it's depicting.  I hope more information about this type of exploit comes out, and soon.  Also looking into disabling Volume Shadow Copy Service even though there is some "inconvenience" associated with that.

 

Many, many thanks for your help and information.  This issue is SOLVED but here's hoping more info about this is coming soon.

 

Regards, plat1098


Edited by plat1098, 23 December 2015 - 02:52 PM.




