Vectrex (member profile, 5 posts)

  1. Hi Rui, On this particular desktop I don't have so many programs installed at the moment and I check them for updates regularly. I still installed FileHippo and it just found a new beta for Firefox. I had problems uninstalling FileHippo: it was left on the PC but was removed from the list of installed programs when I uninstalled it. I had to reinstall it and then uninstall it from CCleaner instead. I then used DelFix, but it didn't get rid of everything. Even stuff it said it deleted in the log was left. I had to manually uninstall Sophos and manually delete some stuff that RogueKiller left in C:\ProgramData. I then added the HOSTS file and installed SpywareBlaster as suggested. Everything is running great now and also my browser is blazingly fast (so far). I guess we are done, right? Thanks for everything and take care! /Vectrex
  2. Hi Rui, Thank you very much again for all the clarifications and your pedagogical explanations, and not least all your advice. I'll take good care of it! The scan with Sophos Virus Removal Tool found nothing. I needed to log out and log in for the deactivation of Windows Defender through the registry to take effect. So I updated Sophos, closed it, disconnected from the Internet, logged out, logged in and then relaunched Sophos and ran the scan. That is why you see a disruption in the log with a scan ending followed by a failure to update. Besides the log you asked for there is an additional one in the same folder named "SophosVirusRemovalTool_cloud4.log". It consists exclusively of SXL4 requests being sent, which then return with a "failed to send file reputation request" every other line. It's large and ends with this: -- Log truncated (too big) --. But I'm sure you already knew this, as I was disconnected from the Internet during the never-ending scan... Which reminds me that Malwarebytes did not finish a custom scan of C:\ from the day before I posted my first post. It ran for over 5 hours and got stuck between two files, jumping back and forth and not making any progress, somewhere in the C:\Windows folder. Below are the contents of the log.

2017-10-17 01:26:49.458 Sophos Virus Removal Tool version 2.6.1
2017-10-17 01:26:49.458 Copyright (c) 2009-2017 Sophos Limited. All rights reserved.
2017-10-17 01:26:49.458 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.
2017-10-17 01:26:49.458 Windows version 6.2 SP 0.0 build 9200 SM=0x300 PT=0x1 WOW64
2017-10-17 01:26:49.458 Checking for updates...
2017-10-17 01:26:49.536 Update progress: proxy server not available
2017-10-17 01:26:58.036 Option all = no
2017-10-17 01:26:58.036 Option recurse = yes
2017-10-17 01:26:58.052 Option archive = no
2017-10-17 01:26:58.052 Option service = yes
2017-10-17 01:26:58.052 Option confirm = yes
2017-10-17 01:26:58.052 Option sxl = yes
2017-10-17 01:26:58.052 Option max-data-age = 35
2017-10-17 01:26:58.052 Option vdl-logging = yes
2017-10-17 01:26:58.067 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
2017-10-17 01:26:58.067 Machine ID: a6ba9a6b906d48b1bdf25892d894b64b
2017-10-17 01:26:58.067 Component SVRTcli.exe version 2.6.1
2017-10-17 01:26:58.067 Component control.dll version 2.6.1
2017-10-17 01:26:58.067 Component SVRTservice.exe version 2.6.1
2017-10-17 01:26:58.067 Component engine\osdp.dll version 1.44.1.2286
2017-10-17 01:26:58.067 Component engine\veex.dll version 3.68.6.2286
2017-10-17 01:26:58.067 Component engine\savi.dll version 9.0.7.2286
2017-10-17 01:26:58.067 Component rkdisk.dll version 1.5.31.1
2017-10-17 01:26:58.067 Version info: Product version 2.6.1
2017-10-17 01:26:58.067 Version info: Detection engine 3.68.6
2017-10-17 01:26:58.067 Version info: Detection data 5.44
2017-10-17 01:26:58.067 Version info: Build date 2017-09-19
2017-10-17 01:26:58.067 Version info: Data files added 253
2017-10-17 01:26:58.067 Version info: Last successful update (not yet updated)
2017-10-17 01:28:00.902 Downloading updates...
2017-10-17 01:28:00.902 Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2017-10-17 01:28:00.902 Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-10-17 01:28:00.902 Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-10-17 01:28:00.902 Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2017-10-17 01:28:00.902 Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2017-10-17 01:28:00.902 Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2017-10-17 01:28:00.902 Update progress: [I49502] sdds.data0910.xml: found supplement IDE545 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2017-10-17 01:28:00.902 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE545 LATEST path=
2017-10-17 01:28:00.902 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE545 LATEST path=
2017-10-17 01:28:00.902 Update progress: [I49502] sdds.data0910.xml: found supplement IDE546 LATEST path= baseVersion= [included from product IDE545 LATEST path=]
2017-10-17 01:28:00.902 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE546 LATEST path=
2017-10-17 01:28:00.902 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE546 LATEST path=
2017-10-17 01:28:00.902 Update progress: [I49502] sdds.data0910.xml: found supplement IDE547 LATEST path= baseVersion= [included from product IDE546 LATEST path=]
2017-10-17 01:28:00.902 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE547 LATEST path=
2017-10-17 01:28:00.902 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE547 LATEST path=
2017-10-17 01:28:00.902 Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-10-17 01:28:01.387 Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2017-10-17 01:28:01.387 Update progress: [I19463] Product download size 174235198 bytes
2017-10-17 01:28:07.496 Update progress: [I19463] Syncing product IDE545 LATEST path=
2017-10-17 01:28:07.496 Update progress: [I19463] Product download size 2585002 bytes
2017-10-17 01:28:08.309 Update progress: [I19463] Syncing product IDE546 LATEST path=
2017-10-17 01:28:08.309 Update progress: [I19463] Product download size 1851477 bytes
2017-10-17 01:28:08.965 Update progress: [I19463] Syncing product IDE547 LATEST path=
2017-10-17 01:28:09.230 Installing updates...
2017-10-17 01:28:09.855 Error level 1
2017-10-17 01:28:28.402 Update successful
2017-10-17 01:28:41.199 Option all = no
2017-10-17 01:28:41.199 Option recurse = yes
2017-10-17 01:28:41.199 Option archive = no
2017-10-17 01:28:41.199 Option service = yes
2017-10-17 01:28:41.199 Option confirm = yes
2017-10-17 01:28:41.199 Option sxl = yes
2017-10-17 01:28:41.199 Option max-data-age = 35
2017-10-17 01:28:41.199 Option vdl-logging = yes
2017-10-17 01:28:41.215 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
2017-10-17 01:28:41.215 Machine ID: a6ba9a6b906d48b1bdf25892d894b64b
2017-10-17 01:28:41.215 Component SVRTcli.exe version 2.6.1
2017-10-17 01:28:41.215 Component control.dll version 2.6.1
2017-10-17 01:28:41.215 Component SVRTservice.exe version 2.6.1
2017-10-17 01:28:41.215 Component engine\osdp.dll version 1.44.1.2286
2017-10-17 01:28:41.215 Component engine\veex.dll version 3.68.6.2286
2017-10-17 01:28:41.215 Component engine\savi.dll version 9.0.7.2286
2017-10-17 01:28:41.215 Component rkdisk.dll version 1.5.31.1
2017-10-17 01:28:41.215 Version info: Product version 2.6.1
2017-10-17 01:28:41.215 Version info: Detection engine 3.68.6
2017-10-17 01:28:41.215 Version info: Detection data 5.44
2017-10-17 01:28:41.215 Version info: Build date 2017-09-19
2017-10-17 01:28:41.215 Version info: Data files added 253
2017-10-17 01:28:41.215 Version info: Last successful update 2017-10-17 03:28:28
2017-10-17 01:28:58.277 Error level 1
2017-10-17 01:28:58.277 Scan completed.
2017-10-17 01:28:58.277 ------------------------------------------------------------
2017-10-17 01:31:30.840 Sophos Virus Removal Tool version 2.6.1
2017-10-17 01:31:30.840 Copyright (c) 2009-2017 Sophos Limited. All rights reserved.
2017-10-17 01:31:30.840 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.
2017-10-17 01:31:30.840 Windows version 6.2 SP 0.0 build 9200 SM=0x300 PT=0x1 WOW64
2017-10-17 01:31:30.840 Checking for updates...
2017-10-17 01:31:30.840 Update progress: proxy server not available
2017-10-17 01:31:32.604 Update error: failed to read remote metadata (error 4) [T46381] ..\SUL\Handle.cpp:98 + SU::Handle::readRemoteMetadata() [T75884] ..\SUL\Metadata.cpp:144 SU::Metadata::readRemoteMetadata() [I40394] Downloading customer file from sophos:1:1 [E26245] Error fetching data from http://dci.sophosupd.com/update/1/6c/16c4d85f89f044ddac3c52b38fad4968.dat: WinHttpSendRequest 12007 [I20317] No proxy was used. [I40394] Downloading customer file from sophos:2:1 [E26245] Error fetching data from http://dci.sophosupd.net/update/1/6c/16c4d85f89f044ddac3c52b38fad4968.dat: WinHttpSendRequest 12007 [I20317] No proxy was used. [I40394] Downloading customer file from sophos:3:1 [E75373] Ran out of sophos aliases for this update source [E35369] Out of update sources [E99999] Out of sources
2017-10-17 01:31:39.635 Option all = no
2017-10-17 01:31:39.635 Option recurse = yes
2017-10-17 01:31:39.635 Option archive = no
2017-10-17 01:31:39.635 Option service = yes
2017-10-17 01:31:39.635 Option confirm = yes
2017-10-17 01:31:39.635 Option sxl = yes
2017-10-17 01:31:39.635 Option max-data-age = 35
2017-10-17 01:31:39.635 Option vdl-logging = yes
2017-10-17 01:31:39.651 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
2017-10-17 01:31:39.651 Machine ID: a6ba9a6b906d48b1bdf25892d894b64b
2017-10-17 01:31:39.651 Component SVRTcli.exe version 2.6.1
2017-10-17 01:31:39.651 Component control.dll version 2.6.1
2017-10-17 01:31:39.651 Component SVRTservice.exe version 2.6.1
2017-10-17 01:31:39.651 Component engine\osdp.dll version 1.44.1.2286
2017-10-17 01:31:39.651 Component engine\veex.dll version 3.68.6.2286
2017-10-17 01:31:39.651 Component engine\savi.dll version 9.0.7.2286
2017-10-17 01:31:39.651 Component rkdisk.dll version 1.5.31.1
2017-10-17 01:31:39.651 Version info: Product version 2.6.1
2017-10-17 01:31:39.651 Version info: Detection engine 3.68.6
2017-10-17 01:31:39.651 Version info: Detection data 5.44
2017-10-17 01:31:39.651 Version info: Build date 2017-09-19
2017-10-17 01:31:39.651 Version info: Data files added 253
2017-10-17 01:31:39.651 Version info: Last successful update 2017-10-17 03:28:28
2017-10-17 01:34:55.783 Couldn't apply option 'SXLLiveProtection' to the detection engine.
2017-10-17 02:26:30.504 Could not open C:\hiberfil.sys
2017-10-17 02:26:37.691 Could not open C:\pagefile.sys
2017-10-17 02:36:14.785 Could not open C:\swapfile.sys
2017-10-17 02:36:15.129 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:36:15.129 Could not open C:\System Volume Information\{3a95e6b2-b142-11e7-b3eb-b8ac6fb0fd2c}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:36:15.129 Could not open C:\System Volume Information\{51208938-a723-11e7-b3de-b8ac6fb0fd2c}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:36:15.129 Could not open C:\System Volume Information\{5909e288-afd3-11e7-b3e8-b8ac6fb0fd2c}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:36:15.129 Could not open C:\System Volume Information\{7e5b5fd6-b258-11e7-b3f0-b8ac6fb0fd2c}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:36:15.129 Could not open C:\System Volume Information\{aec0b4f6-b0c9-11e7-b3eb-b8ac6fb0fd2c}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:53:34.489 Could not open C:\Windows\System32\config\BBI
2017-10-17 02:53:34.818 Could not open C:\Windows\System32\config\RegBack\DEFAULT
2017-10-17 02:53:34.833 Could not open C:\Windows\System32\config\RegBack\SAM
2017-10-17 02:53:34.833 Could not open C:\Windows\System32\config\RegBack\SECURITY
2017-10-17 02:53:34.849 Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2017-10-17 02:53:34.880 Could not open C:\Windows\System32\config\RegBack\SYSTEM
2017-10-17 03:16:39.850 Could not open LOGICAL:0003:00000000
2017-10-17 03:16:39.850 Could not open D:\
2017-10-17 03:18:24.053 Could not check X:\-= CoinOPS Project =-\CoinOPS_NES\romsConsoles\NES\NES_NintendoWorldChampionships1990.zip (corrupt)
2017-10-17 03:19:04.506 Could not open X:\Boot\BCD
2017-10-17 03:19:13.287 Error level 0

At this point I don't think there are any issues or concerns besides my paranoia.
  3. Hello Rui, Thank you so much for assisting and helping me with this - much appreciated. Your assessment of the initial logs sounds great, and following the instructions you gave showed nothing as well (at least as far as I could perceive). I have some additional thoughts and questions, as I find it very odd that Malwarebytes found the "Heuristic.Reserved.Word.Exploit" threat the way it did (reinstalled and run in safe mode) and not on my first scans. I understand if you can't provide me with answers to specific questions like this, and that's okay, but if you're willing and able, please answer these. What's your general idea of what the finding of "Heuristic.Reserved.Word.Exploit" on the file "C:\USERS\STEFAN\DESKTOP\USERINIT.EXE" could have been? Is there any generic definition of what "Heuristic.Reserved.Word.Exploit" even is, and in which specific areas and contexts it is used? Is it even possible that this was/is a false positive? If I had an intruder or a bot monitoring/compromising my system or network for whatever reason, could this go unnoticed, or would it leave any traces to determine whether that was the case? Do you have any recommendations or suggestions on what measures I could take if I want to be able to detect such activity on my system on the fly? About the computer's behaviour... It hasn't behaved noticeably strangely since the actions I took from the beginning (immediately after everything got weird and the threat was found), some of which I mention in my first post. Off the top of my head, I still notice that my main HDD/computer is continuously working excessively hard as soon as I'm idle. For the most part this stops as soon as I interact with it again, like moving the mouse or something. I know similar behaviour could happen with, for example, a Windows update process or other things scheduled to do so, but I've ruled those out. The other thing is that my additional internal HDD "wakes up" very often, for no obvious reason.
The requested logs/reports are attached. Thank you once again so much for your help Rui. Fixlog.txt AdwCleaner[C0].txt rk_E66B.tmp.txt
  4. Here is the Addition.txt as it seems to be missing in the previous post. Sorry about that. Addition.txt
  5. Hello experts, I'm worried that my computer has been compromised, infected, hacked or hijacked by something or someone. It behaves a bit strangely (especially the browser), and the hard drive is working/spinning more or less all the time. My extra hard drive wakes up constantly for no reason. Many processes are running, and I think it has also spread to other devices (a media box). (If you like, I can elaborate more specifically on this event with the media player on the local network.) Initially, a scan with mbam showed nothing, same with Windows Defender. I then uninstalled mbam, rebooted in safe mode with networking and installed the latest version of Malwarebytes. I made a new scan, after which it found a threat, RiskWare.HeuristicsReservedWordExploit, on the file "C:\USERS\STEFAN\DESKTOP\USERINIT.EXE". It's now in quarantine. I have made a blunder and used temporary file cleaners, uninstalled some software, removed cache, cookies and what not. Restored the router and so on. This may have caused important traces to be deleted? I wish I had started by getting help here right away, instead of a naive attempt to solve this on my own. I just want to know if something happened so I can have peace of mind. At times everything seems to work fine, but I have the feeling that something is wrong, possibly seriously wrong. Requested log files are attached, including the scan which detected the threat. detection.txt FRST.txt latest.txt
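Posts 3 and 5 both turn on the same detail: a file named USERINIT.EXE on the Desktop. The legitimate userinit.exe lives in C:\Windows\System32, and if, as its name suggests, a "reserved word" heuristic keys on a protected system-binary name appearing where it does not belong, it is reacting to name and location rather than to the file's contents, so it can fire on a harmless stray copy as readily as on malware borrowing a trusted name. The page does not define the detection, so treat that reading as my assumption. The script below is an added example (mine, not from the post and not Malwarebytes' logic) of the check a responder would run to answer the question in post 3: walk a volume, flag any file carrying a Windows system-binary name outside the directories where that name belongs, and report whether it is byte-identical to the System32 copy or differs from it. The name list, the trusted-directory list and the demo tree built under a temporary directory are all assumptions; on a real machine you would point find_masquerades at the volume root (e.g. C:/) instead of the demo tree.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Names of Windows system binaries that malware (or a stray copy) commonly borrows.
# Assumed list for this example; extend it from your own baseline.
SYSTEM_BINARY_NAMES = {
    "userinit.exe", "winlogon.exe", "wininit.exe", "csrss.exe", "smss.exe",
    "lsass.exe", "services.exe", "svchost.exe", "explorer.exe",
}

# Directories (relative to the volume root, lower-case, POSIX separators) where
# those names legitimately live. Assumed for this example.
TRUSTED_PARENTS = {"windows", "windows/system32", "windows/syswow64"}
TRUSTED_PREFIXES = ("windows/winsxs/",)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_trusted_location(rel_parent: str) -> bool:
    return rel_parent in TRUSTED_PARENTS or rel_parent.startswith(TRUSTED_PREFIXES)


def find_masquerades(root) -> list:
    """Return (relative path, verdict) for every file that carries a system-binary
    name but sits outside the directories where that name belongs."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SYSTEM_BINARY_NAMES:
                continue
            full = Path(dirpath) / name
            rel_parent = full.parent.relative_to(root).as_posix().lower()
            if is_trusted_location(rel_parent):
                continue
            reference = root / "Windows" / "System32" / name.lower()
            if not reference.is_file():
                verdict = "no System32 copy to compare against"
            elif sha256_of(reference) == sha256_of(full):
                verdict = "byte-identical copy of the System32 binary (out of place)"
            else:
                verdict = "differs from the System32 binary"
            findings.append((full.relative_to(root).as_posix(), verdict))
    return sorted(findings)


def build_demo_tree(base) -> Path:
    """Constructed layout mirroring the post: a stand-in userinit.exe in System32 and
    a different file with the same name on the user's Desktop. Not real binaries."""
    base = Path(base)
    system32 = base / "Windows" / "System32"
    system32.mkdir(parents=True)
    (system32 / "userinit.exe").write_bytes(b"MZ reference userinit")
    (system32 / "svchost.exe").write_bytes(b"MZ reference svchost")
    desktop = base / "Users" / "Stefan" / "Desktop"
    desktop.mkdir(parents=True)
    (desktop / "userinit.exe").write_bytes(b"MZ something else entirely")
    (desktop / "notes.txt").write_bytes(b"harmless")
    temp = base / "Users" / "Stefan" / "AppData" / "Local" / "Temp"
    temp.mkdir(parents=True)
    (temp / "svchost.exe").write_bytes(b"MZ reference svchost")  # exact copy, wrong place
    return base


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return find_masquerades(build_demo_tree(tmp))


if __name__ == "__main__":
    for rel_path, verdict in demo():
        print(f"{rel_path}: {verdict}")
```

A copy that differs from the System32 binary is the one to pull for analysis; a byte-identical copy is not malicious by content but still needs an explanation of how it got there, since dropping a genuine signed binary in a user-writable folder is a common first step before swapping it for something else. Hash comparison against the local System32 copy assumes that copy is itself intact, which is why a responder also checks the Authenticode signature of the reference file.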