kafpolo

Members, 22 posts

Posts posted by kafpolo

  1. 1 hour ago, itman said:

    If you have uTorrent installed, that would be my prime suspect on how this puppy arrived on your PC:

    It could be, but why only now? Many months have passed since the installation. I'm sure I downloaded it from the official website, and of all the EXEs, the only one that I have installed in the past was "μtorrent".

  2. 11 minutes ago, itman said:

    Depends on the "pool corruption" that occurred. According to Microsoft it is usually related to a bad driver but can also be caused by faulty memory. A couple of refs. below:

    https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xde--pool-corruption-in-file-area

    https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x19--bad-pool-header

    I have no idea what manual cleaning you did and that could be related to this BSOD activity. You can always try a system restore using a restore point prior to when you started these cleaning activities.

    OK, thanks to @itman, @Nightowl and @Marcos for helping 👍

  3. 16 minutes ago, itman said:

    Again I believe that this bugger was installed by some resident software on your device. I also feel this would be something of a trusted utility nature that you would not suspect. Finally, whatever it is doing is not classified as malware, PUA, etc. by virtually all security software.

    What should I do about this? How could this problem be solved?

    --

    Is this because of bloatware? If so, what bloatware?

  4. 6 hours ago, itman said:

    Look in this registry key for any suspicious .exe's not installed by you; e.g.:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe

    In the IFEO there are only CFGOptions, MitigationOptions and DisableExceptionChainValidation. I don't think there are any suspicious .exes.
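One way to do the IFEO check itman describes without clicking through each subkey in Regedit. This is an added example, not code from the thread or from ESET; it assumes a standard Windows install and an elevated PowerShell prompt. It lists every subkey under the HKLM key named above together with the value names it carries, and separately flags any subkey that sets a Debugger value, since that is the setting that makes an IFEO entry able to redirect a program launch; entries that carry only CFGOptions, MitigationOptions or DisableExceptionChainValidation, as in the post above, are the usual benign mitigation settings.

```powershell
# Added example (not from the thread): enumerate IFEO subkeys and flag Debugger values.
# Assumes a standard Windows install; run from an elevated PowerShell prompt.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$entries = Get-ChildItem -Path $ifeo | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    # Value names under this subkey, minus the PS* metadata properties PowerShell attaches
    $names = @($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })
    [PSCustomObject]@{
        Image    = $_.PSChildName
        Debugger = $props.Debugger     # $null unless a Debugger value is set
        Values   = ($names -join ', ')
    }
}

# Full inventory: one row per image name, with the value names present
$entries | Sort-Object Image | Format-Table -AutoSize -Wrap

# Entries with a Debugger value deserve a closer look: whatever that value names
# is started in place of (or in front of) the listed image whenever it launches.
$flagged = $entries | Where-Object { $_.Debugger }
if ($flagged) {
    Write-Warning 'IFEO entries with a Debugger value:'
    $flagged | Format-List
} else {
    Write-Output 'No IFEO entry sets a Debugger value.'
}
```

Seeing an unfamiliar executable name as a subkey is not by itself a problem; what matters is whether a Debugger value points at a program you do not recognise, in which case the path it names is the next thing to inspect.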

  5. 7 minutes ago, itman said:

    The OP in this posting stated he had a "new build." This leads me to believe that this software was installed by the OEM of the device. In any case, removing that startup entry for the software prevented it from running thereafter. So my opinion is yes, you have eliminated whatever this thing was.

    If it reappears, I would start looking for any built-in diagnostic software or the like that was installed by the OEM of your device and uninstall that.

    I don't think that this applies in my case; I got my PC (which is an ASUS) 1 year ago.

  6. 51 minutes ago, itman said:

    As I posted previously, if their existence bothers you, delete them. This will send the files to the Recycle folder. If there are any subsequent system issues after their deletion, you can always restore the files from the Recycle folder.

    I moved them to the Recycle Bin and nothing happened after I turned on the PC.

    Then I accidentally moved some back to the OmniSoft folder and they changed their names, with $ and random letters and numbers. Why did this happen?

  7. 21 hours ago, itman said:

    Do as @Nightowl suggested. Run a Custom scan ensuring all drives, folders, files, and networks are selected. Make sure the scan is run as Administrator by clicking on the like-named button. This should at least let us know if a rootkit is present or the MBR is infected.

    I did this and used the avast boot-time tool, there were no detections.

    --

    Does that mean that there isn't an infection?

    If so, what do I have to do with the OmniSoft files and folders?

    Do I have to run any other scans?

  8. 58 minutes ago, itman said:

    Do as @Nightowl suggested. Run a Custom scan ensuring all drives, folders, files, and networks are selected. Make sure the scan is run as Administrator by clicking on the like-named button. This should at least let us know if a rootkit is present or the MBR is infected.

    I will do it.

    Do you recommend using the Avast Boot-Time scan tool in addition to the ESET Custom scan?

  9. 1 minute ago, itman said:

    Something just occurred to me.

    This OmniSoft stuff might be related to some extension or the like you installed directly or inadvertently in Firefox. Perhaps something by Mozilla itself. This would at least explain the signed cert. by Mozilla for update.exe.

    But I uninstalled Firefox and this remained; as I started the PC, this program started opening pages in the malicious Firefox.

  10. 14 minutes ago, itman said:

    This key is interesting. Did you check if there was an uninstaller program located in C:\Program Files (x86)\Common Files\OmniSoft\uninstall directory?

    Yes, but it does not open any pop-up, it does not run and it does not appear in the Task Manager.

    Basically, it doesn't work at all.

  11. 25 minutes ago, itman said:

    Otherwise, you will have to do a manual cleaning of all folders, files, and registry entries related to OmniSoft. If you don't know what you are doing here, you can bork your existing Windows installation. There are tools such as Revo Uninstaller: https://www.revouninstaller.com/, that can do a forced uninstall. But, you have to know how to use it properly. Also, if it is used in aggressive removal mode, it can cause system issues thereafter.

    So in the registry I could find only this:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched :: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Common Files\OmniSoft\update.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store :: C:\Program Files (x86)\Common Files\OmniSoft\uninstall\helper.exe

     

    Then I used the Revo Uninstaller tool, but there wasn't anything related to the malware.

  12. 3 minutes ago, itman said:

    Then you solved the problem it appears.

    If you are worried about any traces of it, I would start by looking in Control Panel -> Programs and Features if something exists that relates to this software. If so, install it.

    There is nothing related to the malware software in the Control Panel.

    ------

    4 minutes ago, itman said:

    Otherwise, you will have to do a manual cleaning of all folders, files, and registry entries related to OmniSoft. If you don't know what you are doing here, you can bork your existing Windows installation. There are tools such as Revo Uninstaller: https://www.revouninstaller.com/, that can do a forced uninstall. But, you have to know how to use it properly. Also, if it is used in aggressive removal mode, it can cause system issues thereafter.

    Thanks, I will try this.

  13. 15 hours ago, Nightowl said:

    The Firefox updater is located in C:\Program Files\Mozilla Firefox and it's called updater, not update.exe.

    This file is malicious, and it's suspicious.

    Upload it to one of these:

    https://www.virustotal.com/gui/home/upload

    https://www.hybrid-analysis.com/

    https://app.any.run/submissions/

    No detections...

    9 hours ago, itman said:

    This C:\program files (x86)\common files\omnisoft\update.exe obviously has nothing to do with Firefox. Its update program is located in its specific C:\program files (x86) or C:\program files directory. For this reason alone, I say the program has nefarious purposes.

    Software located in the C:\program files (x86)\common files directory usually gets there as a result of something you downloaded and was placed there via installer method. It could also be adware that was embedded, or possibly even a coin miner, since you state it is using a lot of system resources.

    The first place to check is Windows installed programs via Control Manager for anything that you don't recollect manually installing.

    I would start by creating an ESET firewall rule to block any outbound traffic from C:\program files (x86)\common files\omnisoft\update.exe. Make sure you enable event alert and log entry creation. When the alert occurs, copy the ESET Network protection log entries related to the outbound traffic and post them in a forum reply. This will give us an idea of the server IP addresses the bugger is trying to connect to.

    I created the Firewall rule, the alert and log, but 4 hours later it has not detected anything yet.

    ---

    Is there anything that I can do to get rid of this malware?
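The block-and-log approach itman recommends above can also be set up with the built-in Windows Defender Firewall, for anyone reading this thread without ESET's firewall. This is an added example, not the thread's or ESET's own procedure; it assumes an elevated PowerShell prompt, the update.exe path given in the thread, and the firewall's default log location and text format. It creates an outbound block rule scoped to that one program, turns on logging of dropped connections for all profiles, and then shows the most recent DROP lines, whose sixth field is the destination address the program was trying to reach.

```powershell
# Added example (not from the thread): outbound block rule plus drop logging with the
# built-in Windows Defender Firewall, standing in for the ESET rule described above.
# Assumes an elevated prompt and the update.exe path from the thread.
$exe = 'C:\Program Files (x86)\Common Files\OmniSoft\update.exe'

# Block every outbound connection that this one executable tries to open
New-NetFirewallRule -DisplayName 'Block OmniSoft update.exe outbound' `
    -Direction Outbound -Program $exe -Action Block -Profile Any -Enabled True

# Log dropped packets for all three profiles; the log is a plain-text file
$logFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogFileName $logFile

# Later, once the program has had a chance to run: show the last dropped connections.
# Default log format: date time action protocol src-ip dst-ip src-port dst-port ...
Get-Content -Path $logFile |
    Where-Object { $_ -match '\sDROP\s' } |
    ForEach-Object {
        $f = $_ -split '\s+'
        [PSCustomObject]@{ Time = "$($f[0]) $($f[1])"; Proto = $f[3]; Destination = $f[5]; Port = $f[7] }
    } | Select-Object -Last 20 | Format-Table -AutoSize
```

The firewall log does not record which process caused a drop, so on a busy machine the DROP lines will include other blocked traffic as well; filtering by the time the program was seen running, or temporarily narrowing the rule to the one program as above and comparing before and after, keeps the list meaningful. The destination addresses are the same information the ESET Network protection log would have provided.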

  14. 5 hours ago, Marcos said:

    Is the file detected by some other AVs at VirusTotal? It's obviously signed; is the digital signature ok if you select the appropriate tab in file properties?

    Yes, in Digital Signatures it appears that it is signed by Mozilla, and compared to the original, it has exactly the same configurations.
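Marcos' question above can be answered more precisely from PowerShell than from the file-properties tab: a Mozilla name in the Digital Signatures tab says who the certificate was issued to, but not whether the signature still verifies or whether it is the same certificate that signed the real Firefox updater. This is an added example, not code from the thread; it assumes the OmniSoft path from the thread, that the genuine updater is C:\Program Files\Mozilla Firefox\updater.exe (Nightowl's location, with the .exe extension assumed), and a built-in Get-AuthenticodeSignature that is available on any Windows PowerShell. It reports the signature status, signer subject and certificate thumbprint for both files, plus a SHA-256 hash that can be looked up on VirusTotal.

```powershell
# Added example (not from the thread): verify the Authenticode signature of the suspect
# file and compare its signing certificate with the updater shipped inside Firefox.
# Both paths are assumptions taken from the thread; adjust if Firefox lives elsewhere.
$suspect = 'C:\Program Files (x86)\Common Files\OmniSoft\update.exe'
$genuine = 'C:\Program Files\Mozilla Firefox\updater.exe'

function Get-SignerInfo {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        Path       = $Path
        Status     = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Subject    = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        SHA256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$a = Get-SignerInfo -Path $suspect
$b = Get-SignerInfo -Path $genuine
$a, $b | Format-List

if ($a.Status -ne 'Valid') {
    # A broken or missing signature means the file is not what the certificate claims
    Write-Warning "Signature on $suspect is not valid: $($a.Status)"
} elseif ($a.Thumbprint -eq $b.Thumbprint) {
    Write-Output 'Both files are signed with the same certificate.'
} else {
    Write-Warning 'Both signatures verify, but with different certificates; compare the Subject lines.'
}
```

A Valid status with the same thumbprint as the real updater means the file is an unmodified Mozilla-signed binary, so the question becomes how a Mozilla-signed file came to sit under Common Files\OmniSoft and what launches it, rather than whether the file itself was tampered with; the SHA-256 is the value to paste into the VirusTotal search box for that.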

    At the beginning, when the computer was turned on, the program was automatically executed; the program uses many resources and can even crash the computer.

    I managed to disable its execution at startup, and after running an analysis, the ESET antivirus did not detect the malware.

    [screenshot attachment]

    So, I know the location of the executable "C:\Program Files (x86)\Common Files\OmniSoft", but I don't see how to uninstall this program; it is not in the Control Panel.

    Having access to the location of the program folder, how can I uninstall it?
