clower_element

MSE strange behaviour, infected?

Recommended Posts

Hi

I am worried about my laptop and would like your help please. MSE is giving me inconclusive feedback. There might be some infection lurking somewhere affecting MSE and MSE is not capable to deal with it fully.

I don’t know how long this has been going on because I only discovered I was having an issue when I ran Full Manual MSE scan and watched the scan running 4 days ago.

Couple minutes into Quick/Automatic/Full scans by MSE a warning message suddenly appears in MSE interface saying “ Preliminary results show that malicious or potentially unwanted software might exist on your system. You can review detected items when the scan has completed”.  

But when the scans complete there are no signs of any detections listed anywhere to be seen. There are no detections listed under the MSE “History tab” under all detected items/quarantine either.

There is a log in the “Event Viewer” straight after the MSE scan finishes which says “Microsoft Antimalware Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware”.  

Finding what is wrong with my system would be very much appreciated.

Thank you:)

 

 

 

FRST_20-03-2017 15.04.02.txt

Addition_20-03-2017 15.04.02.txt

Share this post


Link to post
Share on other sites
Hello clower_element and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Continue with the following:

Clean install Malwarebytes from version 2 to version 3...

Please download MBAM-clean and save it to your desktop.
 
  • Right-click on mbam-clean.exe icon and select user posted image Run as Administrator to start the tool.
  • It will ask you to reboot the machine - please do so.
  • Run the cleaner tool again, re-boot when complete. <<<---do not miss this step


If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes and is updated do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Let me see those logs in your reply...

Thanks,

Kevin...

Share this post


Link to post
Share on other sites

Hi kevinf80

Thank you very much for your kind reply and your instructions. Very much appreciated :) . 

So far I have....

Used MBAM clean tool twice, installed Malwarebytes version 3 and run a scan.

Here are the scan results:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/21/17
Scan Time: 1:56 AM
Logfile: new mbam threat scan.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1550
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: MCNEELY-VAIO\MCNEELY

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 395926
Time Elapsed: 15 min, 27 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

I've also downloaded AdwCleaner and run it. I am just posting the log file with all the detections it found at the moment. Please would you be so kind and advise me which items to keep because I have no idea what it found. For example I don't want to cripple my HP printer if this detection " Folder Found:  C:\Users\MCNEELY\AppData\LocalLow\HPAppData" relates to my printer and the same goes for the other detections as well. 

# AdwCleaner v6.044 - Logfile created 21/03/2017 at 10:10:15
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-20.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : MCNEELY - MCNEELY-VAIO
# Running from : C:\Users\MCNEELY\Desktop\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found:  C:\Users\MCNEELY\AppData\LocalLow\HPAppData
Folder Found:  C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Auslogics


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found:  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\MCNEELY\AppData\Local\Google\Chrome\User Data\Default\Web data] - uk.ask.com

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [1263 Bytes] - [21/03/2017 10:10:15]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1336 Bytes] ##########

 

I will carry on with AdwCleaner cleaning and the rest of the steps after your advice. Thank you
 

 

Share this post


Link to post
Share on other sites

Thanks for the reply, use the clean option on all entries showing in AdwCleaner log...

Share this post


Link to post
Share on other sites

Here are the rest of the requested logs.

 

# AdwCleaner v6.044 - Logfile created 21/03/2017 at 10:49:18

# Updated on 28/02/2017 by Malwarebytes

# Database : 2017-03-20.1 [Server]

# Operating System : Windows 7 Home Premium Service Pack 1 (X64)

# Username : MCNEELY - MCNEELY-VAIO

# Running from : C:\Users\MCNEELY\Desktop\AdwCleaner.exe

# Mode: Clean

# Support : https://www.malwarebytes.com/support

 

 

 

***** [ Services ] *****

 

 

 

***** [ Folders ] *****

 

[-] Folder deleted: C:\Users\MCNEELY\AppData\LocalLow\HPAppData

[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Auslogics

 

 

***** [ Files ] *****

 

 

 

***** [ DLL ] *****

 

 

 

***** [ WMI ] *****

 

 

 

***** [ Shortcuts ] *****

 

 

 

***** [ Scheduled Tasks ] *****

 

 

 

***** [ Registry ] *****

 

[-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}

 

 

***** [ Web browsers ] *****

 

[-] [C:\Users\MCNEELY\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: uk.ask.com

 

 

*************************

 

:: "Tracing" keys deleted

:: Winsock settings cleared

 

*************************

 

C:\AdwCleaner\AdwCleaner[C0].txt - [1164 Bytes] - [21/03/2017 10:49:18]

C:\AdwCleaner\AdwCleaner[S0].txt - [1415 Bytes] - [21/03/2017 10:10:15]

 

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1310 Bytes] ##########

 

 

 

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v5.44, January 2017 (build 5.44.13400.0)

Started On Wed Jan 11 11:28:48 2017

 

Engine: 1.1.13303.0

Signatures: 1.233.3409.0

Run Mode: Scan Run From Windows Update

 

Results Summary:

----------------

No infection found.

Successfully Submitted Heartbeat Report

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 11 11:31:44 2017

 

 

Return code: 0 (0x0)

 

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v5.45, February 2017 (build 5.45.13501.0)

Started On Fri Feb 24 14:59:53 2017

 

Engine: 1.1.13407.0

Signatures: 1.235.1858.0

Run Mode: Scan Run From Windows Update

 

Results Summary:

----------------

No infection found.

Successfully Submitted Heartbeat Report

Microsoft Windows Malicious Software Removal Tool Finished On Fri Feb 24 15:02:36 2017

 

 

Return code: 0 (0x0)

 

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v5.46, March 2017 (build 5.46.13601.0)

Started On Wed Mar 15 13:33:05 2017

 

Engine: 1.1.13504.0

Signatures: 1.237.571.0

Run Mode: Scan Run From Windows Update

 

Results Summary:

----------------

No infection found.

Successfully Submitted MAPS Report

Successfully Submitted Heartbeat Report

Microsoft Windows Malicious Software Removal Tool Finished On Wed Mar 15 13:35:44 2017

 

 

Return code: 0 (0x0)

 

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v5.46, March 2017 (build 5.46.13601.0)

Started On Tue Mar 21 11:12:38 2017

 

Engine: 1.1.13504.0

Signatures: 1.237.571.0

Run Mode: Interactive Graphical Mode

 

Results Summary:

----------------

No infection found.

Successfully Submitted Heartbeat Report

Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 21 11:17:02 2017

 

 

Return code: 0 (0x0)

 

FRST.txt

Addition.txt

Share this post


Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Post that log, also tell me if you have any remaining issues or concerns related to your PC..

Thank you,

Kevin..

fixlist.txt

Share this post


Link to post
Share on other sites
Posted (edited)

Hi Kevin

Thank you for your instructions. I followed them. 

Here is the Fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by MCNEELY (21-03-2017 15:25:05) Run:1
Running from C:\Users\MCNEELY\Desktop
Loaded Profiles: MCNEELY (Available Profiles: MCNEELY)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
CHR Extension: (Chrome Media Router) - C:\Users\MCNEELY\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-11]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 semav6msr64; \??\C:\Windows\system32\drivers\semav6msr64.sys [X]
S3 semav6thermal64ro; \??\C:\Windows\system32\drivers\semav6thermal64ro.sys [X]
FirewallRules: [{640BEBBD-8664-4167-A781-6A6FB2D7039D}] => (Allow) svchost.exe
FirewallRules: [{CEFFC1E8-7BAE-41E3-9129-C6AE00C67EC9}] => (Allow) LPort=2869
FirewallRules: [{0AF7EAF7-2CE0-403D-8652-0A5AD8E925C6}] => (Allow) LPort=1900
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
end
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\MCNEELY\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\catchme => key removed successfully
catchme => service removed successfully
HKLM\System\CurrentControlSet\Services\semav6msr64 => key removed successfully
semav6msr64 => service removed successfully
HKLM\System\CurrentControlSet\Services\semav6thermal64ro => key removed successfully
semav6thermal64ro => service removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{640BEBBD-8664-4167-A781-6A6FB2D7039D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CEFFC1E8-7BAE-41E3-9129-C6AE00C67EC9} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0AF7EAF7-2CE0-403D-8652-0A5AD8E925C6} => value removed successfully

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 28070926 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 177135792 B
Edge => 0 B
Chrome => 27053838 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 6832276 B
MCNEELY => 103222933 B

RecycleBin => 291038848 B
EmptyTemp: => 612 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 15:25:50 ====

 

 

 

After I was done with the Fixlist.txt  I went to test MSE which is the main concern of mine and the cause why I started this thread in the first place. Sadly, it looks like nothing has changed and the same problem with MSE persists.

 First Quick Manual Scan finished without the dreaded message but an hour or so later I performed Full Manual Scan and the warning message“ Preliminary results show that malicious or potentially unwanted software might exist on your system. You can review detected items when the scan has completed” appeared AGAIN. Then I ran another Quick Manual scan and it presented the same dreaded message too. Of course nothing is ever detected. 

 

Pics of MSE in scanning mode and couple event viewer logs, one when it completes the scan and one more log straight after it.

58d19e93c5640_mscanpostforum.PNG.37e1c4155230acc3d74a3844ba144be8.PNG

 

58d19ef8c6fe0_evenl-forum.PNG.9a61c3c01301195edf5f0eb58137c8c6.PNG

 

58d19f680404d_evenl-forum1.PNG.0de98ed5ee69b901c34dc886e2fd1b6c.PNG

 

I really have no clue what is causing this. Is there anything else we could try?

Thanks

 

Edited by clower_element

Share this post


Link to post
Share on other sites
Posted (edited)

Very strange indeed, Microsoft Windows Malicious Software Removal Tool was used under a quick scan and nothing was found....

If you open the History tab on MSE is any information available..?

Next,

Download and save RogueKiller to your Desktop from this link:

https://www.fosshub.com/RogueKiller.html/setup.exe

Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window Checkmark "Install 32 and 64 bit versions, then select "Next"

user posted image

In the next window skip Licence I.D. and Licence Key, select "Next"

user posted image

In the next window make no changes and select "Next"

user posted image

In the next window leave both "Additional Shortcuts" checkmarked, then select "Next"

user posted image

In the next window make no changes and select "Install"

user posted image

RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish.

user posted image

RogueKiller will launch. Accept UAC, then read and accept "User Agreements"

user posted image

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

user posted image

When the scan completes select "Open Report"

user posted image

In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply

user posted image
 
Thank you,
 
Kevin...
Edited by kevinf80
typing error

Share this post


Link to post
Share on other sites

Hi Kevin

Thank you very much for your reply. This is what I see when I open History Tab on MSE. There are no detected items under Quarantine/Allowed and All Items. 

58d279fe4a760_f-22.3..PNG.40ec6e23203e556893ec63b320a1d0c0.PNG

 

 

 

I also ran the the Rogue Killer as you requested. Obviously I am not able to read the logs myself but is this detection ... "[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [xxxx://www.docrafts.com/] -> Found"  a false positive? I set this website "docrafts.com" as Google Homepage myself ages ago. Or is the site not to be trusted? 

 

I tried to attach the RK log but the forum gave me an error code: "There was a problem processing the uploaded file.-200" so I am copy/pasting it instead.

 

RogueKiller V12.10.1.0 (x64) [Mar 20 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : MCNEELY [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/22/2017 12:28:16 (Duration : 00:37:06)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [https://www.docrafts.com/] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 82c102291baac9b7855b8cc9293298a2
[BSP] 85d35a64660348e2957c1a36a0234f17 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13623 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 27901952 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 28106752 | Size: 463215 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 

Thank you

Share this post


Link to post
Share on other sites

"Found" entries in RogueKiller logs are not always malicious, in your case threat possibility is 0 from 64 scanners at VirusTotal, i`d say yes to it being a FP..

I want you to run your system in "Clean Boot" mode, then run MSE and see if anything is found.

Set windows up for "Clean Boot" mode, full instructions here: https://support.microsoft.com/en-gb/kb/929135

Basically all none MS services are disabled, see how your system runs in that mode. Obviously 3rd party services that affect security or internet connection can be left active.

Run scan with MSE and see if clean boot makes any difference. If nothing is found it is now a process of elimination to find which non MS service(s) was affecting MSE...

If the same issue ocurrs in clean boot we can ignore the rest... If nothing is found then you can continue..

Go through the process again, this time with all MS services hidden again enable the top half of non MS services, re-boot and see how your system responds, if still ok the top half can be left enabled.

Repeat again, enable so many of the bottom half then re-boot. Continue until you locate the problem service(s). A process of elimination, a bit long winded but worth the effort. Let me know the outcome...
 
Thank you,
 
Kevin..

 

Share this post


Link to post
Share on other sites

Hi Kevin

Thank you for your reply again.

I followed step by step instructions from this link https://support.microsoft.com/en-gb/kb/929135  you kindly provided and set windows up for clean boot mode.

Whilst in the clean boot mode I launched MSE and ran a quick scan. MSE behaved exactly the same as it currently behaves in my normal mode. Again it showed exactly the same warning message in its interface whilst it was running a scan and when it finished its scan there were no detections listed under MSE history tab. 

One thing I would like to mention. MSE was about half way into scanning and suddenly UAC popped up asking me whether I wanted (I think it was Vaio Care, can’t be sure 100%) to make changes to my computer. I had no idea how to deal with this in the clean boot mode (whether to allow it or not). I just closed this pop up window and soon after MSE finished scanning I left this mode and reset my laptop to start normally. Everything loaded back to normal as far as I could see except MSE icon was missing from the system tray next to the clock…. I had to kill msseces.exe process in the task manager to bring the icon back.

 

I am not really sure what to do next with my findings. I am having one of those moments not fully understanding perfectly good set of instructions.

Thank you

Share this post


Link to post
Share on other sites

Clean boot was to check if MSE returned the same issue with all non MS services disabled, in reality I would have expected Vaio Care to also be disabled, it is not a system file...

Looking back at installed programs there are several related to Vaio:

VAIO - Media Gallery (HKLM-x32\...\{DD88F979-FA58-41AC-980C-A6E1A82B61D9}) (Version: 1.3.0.06230 - Sony Corporation)
VAIO - PMB VAIO Edition Guide (HKLM-x32\...\InstallShield_{339F9B4D-00CB-4C1C-BED8-EC86A9AB602A}) (Version: 1.5.00.03020 - Sony Corporation)
VAIO - Xperia Link (HKLM-x32\...\{D91558BF-D1F3-411F-AEFE-8774CB406512}) (Version: 1.4.0.15030 - Sony Corporation)
VAIO Care (HKLM\...\{28D70998-F9F8-4F4B-BB1D-64C11123C01B}) (Version: 8.4.5.06021 - Sony Corporation)
VAIO Care Recovery (HKLM\...\{6ED1750E-F44F-4635-8F0D-B76B9262B7FB}) (Version: 1.1.1.13230 - Sony Corporation)

VAIO Control Center (HKLM-x32\...\{72042FA6-5609-489F-A8EA-3C2DD650F667}) (Version: 4.3.0.05310 - Sony Corporation)
VAIO Data Restore Tool (HKLM-x32\...\{57B955CE-B5D3-495D-AF1B-FAEE0540BFEF}) (Version: 1.4.0.05240 - Sony Corporation)
VAIO Data Restore Tool (x32 Version: 1.4.0.05240 - Sony Corporation) Hidden
VAIO DVD Menu Data (HKLM-x32\...\{596BED91-A1D8-4DF1-8CD1-1C777F7588AC}) (Version: 2.4.00.05300 - Sony Corporation)
VAIO Gate (HKLM-x32\...\{A7C30414-2382-4086-B0D6-01A88ABA21C3}) (Version: 2.2.0.06080 - Sony Corporation)
VAIO Gate Default (HKLM-x32\...\{B7546697-2A80-4256-A24B-1C33163F535B}) (Version: 2.2.0.07020 - Sony Corporation)
VAIO Hardware Diagnostics (x32 Version: 4.0.0.06230 - Sony Corporation) Hidden
VAIO Manual (HKLM-x32\...\{C6E893E7-E5EA-4CD5-917C-5443E753FCBD}) (Version: 1.1.0.05280 - Sony Corporation)
VAIO Media plus (HKLM-x32\...\{8DE50158-80AA-4FF2-9E9F-0A7C46F71FCD}) (Version: 2.1.0.18210 - Sony Corporation)
VAIO Media plus (Version: 2.1.0 - Sony Corporation) Hidden
VAIO Media plus (x32 Version: 2.1.0.18210 - Sony Corporation) Hidden
VAIO Media plus Opening Movie (HKLM-x32\...\{9238E8A4-BEBA-43A3-B926-769BDBF194C5}) (Version: 2.1.0.13220 - Sony Corporation)
VAIO Movie Story Template Data (HKLM-x32\...\InstallShield_{6FA8BA2C-052B-4072-B8E2-2302C268BE9E}) (Version: 2.5.00.05300 - Sony Corporation)
VAIO Movie Story Template Data (x32 Version: 2.3.00.06040 - Sony Corporation) Hidden
VAIO Sample Contents (HKLM-x32\...\{547C9EB4-4CA6-402F-9D1B-8BD30DC71E44}) (Version: 1.3.0.06041 - Sony Corporation)
VAIO screensaver (HKLM-x32\...\VAIO screensaver) (Version: 1.0.0.0 - Sony Europe)
VAIO Smart Network (HKLM-x32\...\{0899D75A-C2FC-42EA-A702-5B9A5F24EAD5}) (Version: 3.3.0.06080 - Sony Corporation)
VAIO Transfer Support (HKLM-x32\...\{5DDAFB4B-C52E-468A-9E23-3B0CEEB671BF}) (Version: 1.2.0.06230 - Sony Corporation)
VAIO Update (HKLM-x32\...\{9FF95DA2-7DA1-4228-93B7-DED7EC02B6B2}) (Version: 7.2.0.16270 - Sony Corporation)

Two stand out with "care" in the name, I`ve highlighted them in the above list. Just going of your description of what happened during the scan can you check in services and change to disabled.

Select Windows key and R key together, type or copy/paste services.msc into the run box, tap enter. Services window should open, Scroll to those two entries.

Right click on each entry and select "Properties" in the new window stop the service and change start up type too disabled...

Try mse again...

Thank you,

Kevin...

Share this post


Link to post
Share on other sites

Very odd, can you stop and change to disabled the two Vaio entries that start Automically or Automically delayed.. See if that makes any difference...

Share this post


Link to post
Share on other sites

I stopped and changed those 2 Vaio entries to disabled.

Then I ran MSE scan. The same problem with MSE persists.

After the MSE scan I changed back those 2 Vaio entries I previously disabled back to "started".

Thank you

Share this post


Link to post
Share on other sites

This is very strange for sure, MSE is not identifying anything specific. All it provides is a statement saying perliminary scan results show that malicious or potentially unwanted software might exist on your computer...

Another look at the image you posted does identify this entry C:\MSOCache\All The folder MSOCache is related to MS Office and is needed for future use should you need to repair or reinstall MS Office.

Can you move that folder to a USB flashdrive so it is off your system, then try MSE again....

Share this post


Link to post
Share on other sites

That image I posted that identifies this entry C:\MSOCache\All I actually took just as an example to document the existence of the warning message when my MSE was scanning. It is not an actual spot where MSE would stall and and that warning message appeared. It is even hard to tell whether the message comes up at exactly the same spot each time because I have got a funny suspicion I have seen the message appearing in different spots in the past few days. 

I don't know if this helps a bit but I have just ran MSE quick scan twice in a row to catch MSE in action in real time and used the print screen button on my laptop to document the first appearance of the warning message. Strangely this time on both occasions the item in question seems to be "schvost". 

Also I have to add I don't have a USB flash drive. 

 

58d43cf61cea7_caughtprint1.png.3926b1dd4cccc84a8b20ab2f5703b710.pngand used the print screen button on 

58d43c8bef2d0_caughtprintscreen.png.c417c10fd330ae425e3fad1a493f81eb.png

Thank you

Share this post


Link to post
Share on other sites

SvcHost is a system process that hosts multiple MS Services in the Windows NT operating systems. Svchost is essential in the implementation of shared service processes, especially where a number of services can share a process in order to try and reduce resource consumption. 

One more scan please:

Download Gmer from Here by clicking on the "Download EXE" Button.
 
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...

  • Sections
    IAT/EAT
    Show All
    ( should be unchecked by default )
     
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.


Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

**If GMER crashes** Follow the instructions here and disable your security temporarily…

Share this post


Link to post
Share on other sites

Here are results of the GMER scan. I think it found something. Are these real threats or false positives? If they are false positives how do I release them back into my system. I still have got the Gmer Interface open.

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-23 22:15:47
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0006 465.76GB
Running: mxm852ir.exe; Driver: C:\Users\MCNEELY\AppData\Local\Temp\uwtirkog.sys


---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076a27abb                      
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38e4dd08                      
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076a27abb (not active ControlSet)  
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38e4dd08 (not active ControlSet)  

---- EOF - GMER 2.2 ----
 

Thank you

Share this post


Link to post
Share on other sites

I will uninstall MSE from Control Panel and reinstall it tomorrow. I will report how it went tomorrow. I have to go to bed now. 

Thank you for your help so far,Kevin:). Very much appreciated. 

 

Share this post


Link to post
Share on other sites

Hi Kevin

I uninstalled MSE, restarted my laptop and installed fresh MSE from the link you provided. 

MSE seemed to install fine. It also performed its first self update and self scan automatically. I watched the scan run and this time for the duration of the whole scan the warning message DIDN'T resurface. Scan completed with no infections found. 

I'm going to monitor MSE scans for couple more days and come back (probably on Monday) to report if the dreaded warning message comes back again. 

I am secretly hoping it was just some kind of corruption with the old MSE at this point and nothing sinister lurking on my laptop.

Thank you

Share this post


Link to post
Share on other sites

Thanks for the update, will catchup again on Monday..

Thanks,

Kevin

Share this post


Link to post
Share on other sites

Hi Kevin

I have been keeping my eye on MSE since it was freshly installed last Friday. 

Here are my findings:

The message “ Preliminary results show that malicious or potentially unwanted software might exist on your system. You can review detected items when the scan has completed” NO longer appears in the MSE interface whilst MSE is scanning. On one hand this seems like good news but on the other hand the (Event 5007) "Microsoft Antimalware Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware” still persists. This (Event 5007) makes me worried because it is not me who is doing any changes to trigger that in the event log.

MSE also self updates before automatic scan starts with the latest definitions so I don't understand what is causing the "Event 2010" to retrieve additional signatures either?  

 

15:14:42 "Event 2000,Microsoft Antimalware"- MSE updates with Antivirus signatures

15:14:42 "Event 2000, Microsoft Antimalware"- MSE updates with AntiSpyware signatures

15:14:44 "Event 1000, Microsoft Antimalware"- Scan started

15:16:09 "Event 19,Windows Update Client" - Windows successfully installed the definition update for MSE

15:26:56 "Event 2010,Microsoft Antimalware"- Dynamic Signature Service used to retrieve additional signatures to help protect your machine (Antivirus)

15:26:56 "Event 2010,Microsoft Antimalware" Dynamic Signature Service used to retrieve additional signatures to help protect your machine (AntiSpyware)

15:26:56 "Event 1001, Microsoft Antimalware"- Scan finished

15:26:57 Event 5007 “Microsoft Antimalware Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware”.  

 

27-3.PNG.06750bf49ae93d30850026a72edce4d1.PNG

 

58d94702abc01_27-31.PNG.65ad28d239bf4e3ac72496491ee1719f.PNG

 

58d947223b6ce_27-32.PNG.aac5c8ec48ea95ced2e2d91b6060b322.PNG

 

58d94750ee59f_27-33.PNG.e6e5f6652af6198bf65a73740940fa53.PNG

 

58d94770b6e38_27-34.PNG.6d8411189ee840219dd0e244204ed751.PNG

 

58d9478cdc059_27-35.PNG.b204f3766760f31db0755aa2f10e0a16.PNG

 

58d947a406c4b_27-36.PNG.a6f9fabaf34cf3482aebaad3e0f6a0d7.PNG

 

58d947c76c6c4_27-37.PNG.03cba4e3f414fad4e85c3e451913992d.PNG

 

Thank you

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.