
Is my computer infected or hijacked?



Hello experts,

I'm worried that my computer has been compromised, infected, hacked or hijacked by something or someone. It behaves a bit strangely (especially the browser) and the hard drive is working/spinning more or less all the time. My extra hard drive wakes up constantly for no reason. Many processes are running and I think it also spread to other devices (a media box).
(If you like, I can develop more specifically about this event with the media player on the local network.)

Initially, a scan of mbam showed nothing, same with Windows Defender. I then uninstalled mbam and rebooted in safe mode with network and installed the latest version of Malwarebytes. Made a new scan after which it found a threat, RiskWare.HeuristicsReservedWordExploit on the file "C:\USERS\STEFAN\DESKTOP\USERINIT.EXE". It's now in quarantine.

I have made a blunder and used temporary file cleaners, uninstalled some software, removed cache, cookies and what not. Restored the router and so on. This may have caused important traces to be deleted? I wish I had started with getting help here right away, instead of a naive attempt to solve this on my own.

I just want to know if something happened so I can have peace of mind. At times everything seems to work fine but I have the feeling that something is wrong, possibly seriously wrong.

Requested log files are attached, including the scan which detected the threat.

 

detection.txt

FRST.txt

latest.txt

Edited by Vectrex
Addition.txt somehow ended up in the text.

Hello Vectrex and welcome!

My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear.

I do not see evidence of infection in the FRST logs, just some leftovers. The infected item was quarantined by Malwarebytes on 10/02/2017 and the latest scan (10/13/2017) shows no infection. That means that Malwarebytes took care of it.

I will give you a fix with FRST just to clean up some leftovers but nothing serious at this point. We will check further.

 

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the Fixlog.txt in your next reply;

 

Next,

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please attach that log in your next reply

 

Next,

  • Download the right version of RogueKiller for your Windows version (64-bit)
  • Once done, move the executable file to your computer's Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete;
  • NOTE: Do NOT remove any item it finds.
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad.
  • Save that file and attach it to your next reply.


Please attach the following logs to your next reply:
Fixlog.txt
AdwCleaner clean log.
RogueKiller scan log.


How is the computer behaving?

Rui

fixlist.txt


Hello Rui,

Thank you so much for assisting and helping me with this - much appreciated.

Your assessment by the initial logs sounds great and following the instructions you gave showed nothing as well (at least what I could perceive).

I have some additional thoughts and questions as I find it very odd that Malwarebytes found the "Heuristic.Reserved.Word.Exploit" threat the way it did (reinstalled and run in safe mode) and not on my first scans. I understand if you can't provide me with answers to specific questions like this and that's okay but if you're willing and able, please answer these.

  1. What's your general idea of what the finding of "Heuristic.Reserved.Word.Exploit" on the file "C:\USERS\STEFAN\DESKTOP\USERINIT.EXE" could have been?
  2. Is there any generic definition of what even "Heuristic.Reserved.Word.Exploit" is and which specific areas and context it is used?
  3. Is it even possible that this was/is a false positive?
  4. If I had an intruder or a bot monitoring/compromising my system or network for whatever reason, could this go unnoticed or would it leave any traces to determine if so was the case?
  5. Do you have any recommendations or suggestions on what measures I could do if I want to be able to detect such activity on my system on the fly?

About the computer's behaviour... It doesn't behave noticeably strangely since the actions I took from the beginning (immediately after everything got weird and the threat was found), some of which I mention in my first post. Off the top of my head I still notice that my main HDD/computer is continuously working excessively hard as soon as I'm idling from it. For the most part this stops as soon as I interact with it again, like moving the mouse or something. I know similar behaviour like this could happen with for example a Windows update process or other things scheduled to do so, but I've ruled out those. The other thing is that my additional internal HDD "wakes up" very often, for no obvious reason.

The requested logs/reports are attached.

Thank you once again so much for your help Rui.

Fixlog.txt

AdwCleaner[C0].txt

rk_E66B.tmp.txt


Hello Vectrex and sorry for the delay in responding.

You're very welcome and thank you for the logs. They are clean.

Below I will give instructions to run an online scan to check for leftovers.

Regarding your questions:

1., 2. and 3. The file userinit.exe is a Windows Operating System program that is launched directly after a user logs into Windows. This program restores your profile, fonts, colors, etc. for your username. This startup program is a required and important system file for Windows. However, its correct path (location) is C:\Windows\System32\userinit.exe instead of C:\USERS\STEFAN\DESKTOP\USERINIT.EXE.
"Heuristics.Reserved.Word.Exploit" is most likely a false positive detection in Malwarebytes used simply to note when a file is out of its correct place. For example, when userinit.exe is the name of a file on the Desktop (which was the case), it would be detected because its real location is in C:\Windows\System32 and not where it was found. So, how did this file appear out of its 'location'? Well, I can't tell you that for sure, but be aware that if you browse the Internet in Safe Mode, your system is completely exposed to any kind of malware even if you only visit an infected website. You don't even need to download anything to become infected.

4. An easy way to monitor the process activity in your system is using Task Manager by pressing CTRL+ALT+DEL simultaneously and then selecting Task Manager. There you can see all the active processes in your system. If you think a process is suspect, just try a search on Google for its name. If you don't find anything related, you can always ask for help here in the forum.

5. You can also download and use Process Monitor which is an advanced monitoring tool for Windows to watch the activity (processes, Registry, files...) of your system.

Concerning the HDD activity, let me tell you that your system may have active tasks that are still running according to their scheduled date and time. If you check the Task Scheduler in your system (see here on how to do it), it will be very likely that you find active tasks which you did not even know were there. Most of these tasks should not be cancelled since they are necessary for the correct operation of the system.
After looking into the logs that you provided I must say that it is very likely that some of these active tasks are the cause of constant accesses to disk when the system is idle. If you're following a good computer maintenance routine, your PC should be secure.

Just to let you know that at this point on my Windows 10, I have 114 active scheduled tasks to be run.


Okay, let's run one last scan with Sophos Virus Removal Tool. This is a very thorough scan and it may take several hours to complete according to the number of programs and files installed in your system, but it is worth it.

The Sophos Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows;
  • The Windows Registry;
  • All local hard drives, fixed and removable;

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable a threat to spread. You will be asked to click 'Start Cleanup' to remove the threats before continuing the scan.


Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool creates a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.

  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.


Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please let me know the final result of the scan and post the contents of the log in your next reply.


Are there any issues or concerns with the computer at this point?

Rui
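The explanation above of why a userinit.exe on the Desktop gets flagged is a location heuristic: a handful of Windows binary names are only legitimate in fixed directories, so a file carrying one of those names anywhere else is worth a look. The script below is an added example written for this thread, not Malwarebytes' code; the table of expected directories is its own small, illustrative assumption (real vendor signature sets are far larger), and the sample paths are constructed, with the Desktop path taken from the post.

```python
"""Flag copies of well-known Windows system binaries that sit outside their
expected directories (the "file out of its correct place" heuristic
described above). Added example for this thread, not Malwarebytes' code."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Expected home directories for a few system binaries. This is an
# illustrative table for the example (assumption), not a vendor signature set.
# 64-bit Windows also carries 32-bit copies of some binaries in SysWOW64.
EXPECTED_LOCATIONS = {
    "userinit.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "explorer.exe": {r"C:\Windows"},
}


@dataclass(frozen=True)
class Finding:
    path: str                 # the path as it was seen
    name: str                 # lower-cased file name that matched the table
    expected: Tuple[str, ...]  # where that name is supposed to live


def check_path(path: str) -> Optional[Finding]:
    """Return a Finding if `path` names a known system binary in the wrong
    directory; None if the name is unknown or the location is expected."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is None:
        return None
    # Windows paths are case-insensitive, so compare lower-cased strings.
    allowed = {e.lower() for e in expected}
    if str(p.parent).lower() in allowed:
        return None
    return Finding(path=path, name=name, expected=tuple(sorted(expected)))


def scan_paths(paths: Iterable[str]) -> List[Finding]:
    """Apply check_path to every path and keep only the hits."""
    return [f for f in map(check_path, paths) if f is not None]


# Constructed sample input. The first path is the one from the thread; the
# rest are ordinary, correctly placed files.
SAMPLE_PATHS = [
    r"C:\USERS\STEFAN\DESKTOP\USERINIT.EXE",
    r"C:\Windows\System32\userinit.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Users\stefan\notes.txt",
]

if __name__ == "__main__":
    for f in scan_paths(SAMPLE_PATHS):
        print(f"{f.path}: '{f.name}' expected in {', '.join(f.expected)}")
```

Run as-is, only the Desktop copy is reported. A verdict on such a hit still needs the usual follow-up (digital signature, hash, creation time); the heuristic only says where to look, which is exactly why it can be a false positive when someone copies a system file to the Desktop by hand.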


Hi Rui,

Thank you very much again for all the clarifications and your pedagogical explanations. Not the least, all your advice. I'll take good care of them!

The scan with Sophos Virus Removal Tool found nothing.

I needed to log out and log in for the deactivation of Windows Defender through the registry to take effect. So I updated Sophos, closed it, disconnected from the Internet, logged out, logged in and then relaunched Sophos and ran the scan. That is why you see a disruption in the log with a scan ending followed by a failure to update.

Besides the log you asked for there is an additional one in the same folder named "SophosVirusRemovalTool_cloud4.log". It consists exclusively of SXL4 requests being sent, which then return with a "failed to send file reputation request" every other line. It's large and ends with this -- Log truncated (too big) --. But I'm sure you already knew this as I was disconnected from the Internet during the never ending scan... Which reminds me that Malwarebytes did not finish a custom scan of C:\ from the day before I posted my first post. It ran for over 5 hours and got stuck between two files, jumping back and forth and not making any progress, somewhere in the C:\Windows folder.

Below are the contents of the log.

2017-10-17 01:26:49.458    Sophos Virus Removal Tool version 2.6.1
2017-10-17 01:26:49.458    Copyright (c) 2009-2017 Sophos Limited. All rights reserved.

2017-10-17 01:26:49.458    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2017-10-17 01:26:49.458    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2017-10-17 01:26:49.458    Checking for updates...
2017-10-17 01:26:49.536    Update progress: proxy server not available
2017-10-17 01:26:58.036    Option all = no
2017-10-17 01:26:58.036    Option recurse = yes
2017-10-17 01:26:58.052    Option archive = no
2017-10-17 01:26:58.052    Option service = yes
2017-10-17 01:26:58.052    Option confirm = yes
2017-10-17 01:26:58.052    Option sxl = yes
2017-10-17 01:26:58.052    Option max-data-age = 35
2017-10-17 01:26:58.052    Option vdl-logging = yes
2017-10-17 01:26:58.067    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-10-17 01:26:58.067    Machine ID:    a6ba9a6b906d48b1bdf25892d894b64b
2017-10-17 01:26:58.067    Component SVRTcli.exe version 2.6.1
2017-10-17 01:26:58.067    Component control.dll version 2.6.1
2017-10-17 01:26:58.067    Component SVRTservice.exe version 2.6.1
2017-10-17 01:26:58.067    Component engine\osdp.dll version 1.44.1.2286
2017-10-17 01:26:58.067    Component engine\veex.dll version 3.68.6.2286
2017-10-17 01:26:58.067    Component engine\savi.dll version 9.0.7.2286
2017-10-17 01:26:58.067    Component rkdisk.dll version 1.5.31.1
2017-10-17 01:26:58.067    Version info:    Product version    2.6.1
2017-10-17 01:26:58.067    Version info:    Detection engine    3.68.6
2017-10-17 01:26:58.067    Version info:    Detection data    5.44
2017-10-17 01:26:58.067    Version info:    Build date    2017-09-19
2017-10-17 01:26:58.067    Version info:    Data files added    253
2017-10-17 01:26:58.067    Version info:    Last successful update    (not yet updated)
2017-10-17 01:28:00.902    Downloading updates...
2017-10-17 01:28:00.902    Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2017-10-17 01:28:00.902    Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-10-17 01:28:00.902    Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-10-17 01:28:00.902    Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2017-10-17 01:28:00.902    Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2017-10-17 01:28:00.902    Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2017-10-17 01:28:00.902    Update progress: [I49502] sdds.data0910.xml: found supplement IDE545 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2017-10-17 01:28:00.902    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE545 LATEST path=
2017-10-17 01:28:00.902    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE545 LATEST path=
2017-10-17 01:28:00.902    Update progress: [I49502] sdds.data0910.xml: found supplement IDE546 LATEST path= baseVersion= [included from product IDE545 LATEST path=]
2017-10-17 01:28:00.902    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE546 LATEST path=
2017-10-17 01:28:00.902    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE546 LATEST path=
2017-10-17 01:28:00.902    Update progress: [I49502] sdds.data0910.xml: found supplement IDE547 LATEST path= baseVersion= [included from product IDE546 LATEST path=]
2017-10-17 01:28:00.902    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE547 LATEST path=
2017-10-17 01:28:00.902    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE547 LATEST path=
2017-10-17 01:28:00.902    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-10-17 01:28:01.387    Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2017-10-17 01:28:01.387    Update progress: [I19463] Product download size 174235198 bytes
2017-10-17 01:28:07.496    Update progress: [I19463] Syncing product IDE545 LATEST path=
2017-10-17 01:28:07.496    Update progress: [I19463] Product download size 2585002 bytes
2017-10-17 01:28:08.309    Update progress: [I19463] Syncing product IDE546 LATEST path=
2017-10-17 01:28:08.309    Update progress: [I19463] Product download size 1851477 bytes
2017-10-17 01:28:08.965    Update progress: [I19463] Syncing product IDE547 LATEST path=
2017-10-17 01:28:09.230    Installing updates...
2017-10-17 01:28:09.855    Error level 1
2017-10-17 01:28:28.402    Update successful
2017-10-17 01:28:41.199    Option all = no
2017-10-17 01:28:41.199    Option recurse = yes
2017-10-17 01:28:41.199    Option archive = no
2017-10-17 01:28:41.199    Option service = yes
2017-10-17 01:28:41.199    Option confirm = yes
2017-10-17 01:28:41.199    Option sxl = yes
2017-10-17 01:28:41.199    Option max-data-age = 35
2017-10-17 01:28:41.199    Option vdl-logging = yes
2017-10-17 01:28:41.215    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-10-17 01:28:41.215    Machine ID:    a6ba9a6b906d48b1bdf25892d894b64b
2017-10-17 01:28:41.215    Component SVRTcli.exe version 2.6.1
2017-10-17 01:28:41.215    Component control.dll version 2.6.1
2017-10-17 01:28:41.215    Component SVRTservice.exe version 2.6.1
2017-10-17 01:28:41.215    Component engine\osdp.dll version 1.44.1.2286
2017-10-17 01:28:41.215    Component engine\veex.dll version 3.68.6.2286
2017-10-17 01:28:41.215    Component engine\savi.dll version 9.0.7.2286
2017-10-17 01:28:41.215    Component rkdisk.dll version 1.5.31.1
2017-10-17 01:28:41.215    Version info:    Product version    2.6.1
2017-10-17 01:28:41.215    Version info:    Detection engine    3.68.6
2017-10-17 01:28:41.215    Version info:    Detection data    5.44
2017-10-17 01:28:41.215    Version info:    Build date    2017-09-19
2017-10-17 01:28:41.215    Version info:    Data files added    253
2017-10-17 01:28:41.215    Version info:    Last successful update    2017-10-17 03:28:28
2017-10-17 01:28:58.277    Error level 1

2017-10-17 01:28:58.277    Scan completed.
2017-10-17 01:28:58.277    

------------------------------------------------------------

2017-10-17 01:31:30.840    Sophos Virus Removal Tool version 2.6.1
2017-10-17 01:31:30.840    Copyright (c) 2009-2017 Sophos Limited. All rights reserved.

2017-10-17 01:31:30.840    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2017-10-17 01:31:30.840    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2017-10-17 01:31:30.840    Checking for updates...
2017-10-17 01:31:30.840    Update progress: proxy server not available
2017-10-17 01:31:32.604    Update error: failed to read remote metadata (error 4)
[T46381] ..\SUL\Handle.cpp:98 + SU::Handle::readRemoteMetadata()
[T75884] ..\SUL\Metadata.cpp:144 SU::Metadata::readRemoteMetadata()
[I40394] Downloading customer file from sophos:1:1
[E26245] Error fetching data from http://dci.sophosupd.com/update/1/6c/16c4d85f89f044ddac3c52b38fad4968.dat: WinHttpSendRequest 12007
[I20317] No proxy was used.
[I40394] Downloading customer file from sophos:2:1
[E26245] Error fetching data from http://dci.sophosupd.net/update/1/6c/16c4d85f89f044ddac3c52b38fad4968.dat: WinHttpSendRequest 12007
[I20317] No proxy was used.
[I40394] Downloading customer file from sophos:3:1
[E75373] Ran out of sophos aliases for this update source
[E35369] Out of update sources
[E99999] Out of sources
2017-10-17 01:31:39.635    Option all = no
2017-10-17 01:31:39.635    Option recurse = yes
2017-10-17 01:31:39.635    Option archive = no
2017-10-17 01:31:39.635    Option service = yes
2017-10-17 01:31:39.635    Option confirm = yes
2017-10-17 01:31:39.635    Option sxl = yes
2017-10-17 01:31:39.635    Option max-data-age = 35
2017-10-17 01:31:39.635    Option vdl-logging = yes
2017-10-17 01:31:39.651    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-10-17 01:31:39.651    Machine ID:    a6ba9a6b906d48b1bdf25892d894b64b
2017-10-17 01:31:39.651    Component SVRTcli.exe version 2.6.1
2017-10-17 01:31:39.651    Component control.dll version 2.6.1
2017-10-17 01:31:39.651    Component SVRTservice.exe version 2.6.1
2017-10-17 01:31:39.651    Component engine\osdp.dll version 1.44.1.2286
2017-10-17 01:31:39.651    Component engine\veex.dll version 3.68.6.2286
2017-10-17 01:31:39.651    Component engine\savi.dll version 9.0.7.2286
2017-10-17 01:31:39.651    Component rkdisk.dll version 1.5.31.1
2017-10-17 01:31:39.651    Version info:    Product version    2.6.1
2017-10-17 01:31:39.651    Version info:    Detection engine    3.68.6
2017-10-17 01:31:39.651    Version info:    Detection data    5.44
2017-10-17 01:31:39.651    Version info:    Build date    2017-09-19
2017-10-17 01:31:39.651    Version info:    Data files added    253
2017-10-17 01:31:39.651    Version info:    Last successful update    2017-10-17 03:28:28

2017-10-17 01:34:55.783    Couldn't apply option 'SXLLiveProtection' to the detection engine.
2017-10-17 02:26:30.504    Could not open C:\hiberfil.sys
2017-10-17 02:26:37.691    Could not open C:\pagefile.sys
2017-10-17 02:36:14.785    Could not open C:\swapfile.sys
2017-10-17 02:36:15.129    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:36:15.129    Could not open C:\System Volume Information\{3a95e6b2-b142-11e7-b3eb-b8ac6fb0fd2c}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:36:15.129    Could not open C:\System Volume Information\{51208938-a723-11e7-b3de-b8ac6fb0fd2c}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:36:15.129    Could not open C:\System Volume Information\{5909e288-afd3-11e7-b3e8-b8ac6fb0fd2c}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:36:15.129    Could not open C:\System Volume Information\{7e5b5fd6-b258-11e7-b3f0-b8ac6fb0fd2c}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:36:15.129    Could not open C:\System Volume Information\{aec0b4f6-b0c9-11e7-b3eb-b8ac6fb0fd2c}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-10-17 02:53:34.489    Could not open C:\Windows\System32\config\BBI
2017-10-17 02:53:34.818    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2017-10-17 02:53:34.833    Could not open C:\Windows\System32\config\RegBack\SAM
2017-10-17 02:53:34.833    Could not open C:\Windows\System32\config\RegBack\SECURITY
2017-10-17 02:53:34.849    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2017-10-17 02:53:34.880    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2017-10-17 03:16:39.850    Could not open LOGICAL:0003:00000000
2017-10-17 03:16:39.850    Could not open D:\
2017-10-17 03:18:24.053    Could not check X:\-= CoinOPS Project =-\CoinOPS_NES\romsConsoles\NES\NES_NintendoWorldChampionships1990.zip (corrupt)
2017-10-17 03:19:04.506    Could not open X:\Boot\BCD
2017-10-17 03:19:13.287    Error level 0

At this point I don't think there are any issues or concerns besides my paranoia.
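The log above is long, and most of its "Could not open" lines are Windows refusing to hand a running system's own files (hibernation and page files, shadow-copy data, registry hives) to a third-party scanner, which is not a finding. The script below is an added example for this thread, not Sophos code; it pulls the timestamped lines out of a log in this format, separates the expected locked files from paths that deserve a second look, and reports the final error level. The classification rules are this example's own assumptions, and the sample lines are copied from the log posted above.

```python
"""Summarise a Sophos Virus Removal Tool log in the format posted above.
Added example for this thread, not Sophos code. The rules deciding which
unreadable files are normal for a running Windows system are assumptions
made for this example."""
import re
from typing import Dict, List, Tuple

# "YYYY-MM-DD HH:MM:SS.mmm    message"; the [Txxxxx]/[Exxxxx] detail lines
# carry no timestamp and are skipped.
TS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
ERROR_LEVEL = re.compile(r"^Error level (\d+)$")

# Files Windows keeps open or reserved while running; "Could not open" on
# them is expected, not a sign of infection.
LOCKED_NAMES = {"hiberfil.sys", "pagefile.sys", "swapfile.sys"}
LOCKED_DIRS = ("\\system volume information\\", "\\system32\\config\\")


def is_expected_locked(path: str) -> bool:
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    return name in LOCKED_NAMES or any(d in low for d in LOCKED_DIRS)


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, message) pairs for the timestamped lines."""
    entries = []
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def summarize(text: str) -> Dict[str, object]:
    s: Dict[str, object] = {
        "error_level": None,   # last "Error level N" seen
        "unreadable": [],      # every "Could not open" path
        "expected_locked": [], # subset that is normal on a live system
        "needs_review": [],    # subset that is not explained by the rules
        "corrupt": [],         # "Could not check ... (corrupt)" paths
        "update_errors": 0,    # "Update error:" messages
        "warnings": [],        # anything starting with "Couldn't"
    }
    for _ts, msg in parse_log(text):
        if msg.startswith("Could not open "):
            path = msg[len("Could not open "):]
            s["unreadable"].append(path)
            bucket = "expected_locked" if is_expected_locked(path) else "needs_review"
            s[bucket].append(path)
        elif msg.startswith("Could not check "):
            s["corrupt"].append(msg[len("Could not check "):].removesuffix(" (corrupt)"))
        elif msg.startswith("Update error"):
            s["update_errors"] += 1
        elif msg.startswith("Couldn't"):
            s["warnings"].append(msg)
        else:
            m = ERROR_LEVEL.match(msg)
            if m:
                s["error_level"] = int(m.group(1))
    return s


# Sample lines copied from the log in the thread (plus the D:\ line, also
# from the thread), used here as constructed offline input.
SAMPLE_LOG = r"""
2017-10-17 01:31:30.840    Sophos Virus Removal Tool version 2.6.1
2017-10-17 01:31:32.604    Update error: failed to read remote metadata (error 4)
[I20317] No proxy was used.
2017-10-17 01:34:55.783    Couldn't apply option 'SXLLiveProtection' to the detection engine.
2017-10-17 02:26:30.504    Could not open C:\hiberfil.sys
2017-10-17 02:26:37.691    Could not open C:\pagefile.sys
2017-10-17 02:53:34.833    Could not open C:\Windows\System32\config\RegBack\SAM
2017-10-17 03:16:39.850    Could not open D:\
2017-10-17 03:18:24.053    Could not check X:\-= CoinOPS Project =-\CoinOPS_NES\romsConsoles\NES\NES_NintendoWorldChampionships1990.zip (corrupt)
2017-10-17 03:19:13.287    Error level 0
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"final error level: {summary['error_level']}")
    print(f"unreadable: {len(summary['unreadable'])}, "
          f"expected on a live system: {len(summary['expected_locked'])}")
    for p in summary["needs_review"]:
        print(f"review: {p}")
    for p in summary["corrupt"]:
        print(f"corrupt archive (scanner could not inspect): {p}")
```

On the sample the only path left for review is `D:\`, which the rules cannot explain on their own (an unreadable whole volume is usually a permissions or hardware question rather than a malware one, but the script deliberately does not guess). The corrupt ZIP is worth noting for a different reason: a scanner cannot inspect an archive it cannot unpack, so "no detection" there means "not examined".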


Hi Vectrex.

14 hours ago, Vectrex said:

The scan with Sophos Virus Removal Tool found nothing.

I'm glad to hear that!
It's time to say that your computer appears to be clean and malware free.

Now it's time to check for outdated programs.
Outdated programs contain security vulnerabilities that are exploited by malware in order to infect the computer without the user's knowledge. This is usually one of the ways that contributes most to the infection of a computer.

Run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated.


When the updates are complete, you can delete all the tools we used in the removal process by using DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Run as Administrator;
  • Check the following options :
    • Activate UAC (This option will activate the User Account Control feature).
    • Remove disinfection tools (this option will remove the tools used in the cleaning process).
    • Create registry backup (this option will create a backup from the Windows Registry).
    • Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
    • Reset system settings (this option will reset any system settings back to default that were changed either by us during cleansing or by malware infection).
  • Once the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. I do NOT need to see that log. You can close and delete it.

 

If all is running well with the computer:

To help keep malware off your system below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please consider using these ideas to help secure your computer.

Keep your Windows Operating System up-to-date.

Keep your AntiVirus program up-to-date.

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Keep Malwarebytes Anti-Malware (MBAM) updated and perform regular scans of your system, as it will make it harder for malware to reside on your computer.
A tutorial on using MBAM can be found here and a complete guide here

Please Note: Only the paid-for version has real-time capabilities. Please go here and scroll down to find a comparison list of the two versions.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster, available here

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Another most feared threat at the moment is an infection by a Ransomware. A Ransomware infection is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here.

Please keep your programs up to date. This applies to most of the programs and all your Internet Browsers in particular. Vulnerabilities in the programs are often exploited in order to install malware on your PC.

Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.

Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.

Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.

Don't click on links received in instant message programs.

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOSTS file is the MVPS HOSTS File, available here

For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices:
So how did I get infected in the first place
Answers to common security questions - Best Practices

Hopefully these steps will help to keep you error and malware free. If you run into more difficulty, we will certainly do what we can to help.

Happy surfing and stay safe.

Android8888


Hi Rui,

On this particular desktop I don't have so many programs installed at the moment and I check them for updates regularly. I still installed FileHippo and it just found a new beta for Firefox.
I had a problem uninstalling FileHippo: it was left on the PC but was removed from the list of installed programs when I uninstalled it. I had to reinstall it and then I uninstalled it from CCleaner instead.

I then used DelFix, but it didn't get rid of everything. Even stuff it said it deleted in the log was left.
I had to manually uninstall Sophos and manually delete some stuff that RogueKiller left in C:\ProgramData

I then added the HOSTS file and installed SpywareBlaster as suggested.

Everything is running great now and also my browser is blazingly fast (so far).

I guess we are done, right? Thanks for everything and take care! :)

/Vectrex


Hi Vectrex,

17 hours ago, Vectrex said:

I then used DelFix, but it didn't get rid of everything. Even stuff it said it deleted in the log was left.
I had to manually uninstall Sophos and manually delete some stuff that RogueKiller left in C:\ProgramData

I forgot to say that DelFix may leave some stuff that it does not remove. No problem with that, just delete it yourself, it's safe.

Come back whenever you need.

Kind regards,

Rui

 


1 month later...

Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.