okosijomiti
Rank: Member
Content Count: 38
Community Reputation: 0 Neutral
Gender: Not Telling

Posts by okosijomiti
  1. Ok, thanks a lot! The only problem I have is that I can't seem to uninstall ComboFix by running the command (I tried spelling it both with an upper-case F and a lower-case F, if that makes any difference). It says ComboFix cannot be found. Are there other ways to uninstall it? Edit: Never mind, I got it to work by specifying ComboFix's path via the command prompt. Everything seems to be fine now, apart from a System Event Viewer entry: "LoadUserProfile failure" due to a file being in use by another process. It happened after I ran the OTL clean-up, so if that's nothing to worry about, I guess this thread can be closed now. Thanks once more.
  2. Thanks. If everything looks clean, do you think fhhfso.sys and qozysh.sys were not virus-related? Since our last clean-up I've stayed away from any unknown applications, as well as running browsers in a sandbox at all times, so if my PC somehow got re-infected, I'm starting to wonder if my security software has leaks that would allow someone with my IP to access the system and plant the files. If there are any extra steps to ensure nothing's wrong, let me know.
  3. Didn't run into problems, and I'm not seeing anything unusual. Sorry, I didn't fully understand whether you were saying these files could have come from (or been modified by) WFP. What I'm trying to ask is: could a file such as c:\windows\system32\dllcache\brmfrsmg.exe be included in the operating system install files, or did this file coincidentally appear through malicious sources at the same time as I was running WFP?
  4. Didn't run into problems and am not noticing anything unusual right now. Can you see anything odd in the logs? Question: does Windows File Protection create files on your system? There are a lot of files related to Brother MFL Pro printer software even though I don't own any printing software, and they were created during the time I ran Windows File Protection (you can see the files in the Comodo log under the 'files created within 30 days' section).
  5. I found some suspicious things since we concluded this thread:
     1) Out of curiosity, I ran a scan with COMODO Rescue Disk, which should detect deeply hidden rootkits, and it detected "brevif.dll" as malware. This file had last been modified around the time when we ran Windows File Protection, so maybe it could be related to that and be a false positive.
     2) Before deleting it I rebooted to Windows to upload the file to VirusTotal ( https://www.virustotal.com/file/0dd463d2c45792ecba7600e9c02f40c2fce052ed8ae9ec6f3bf5c1a1f60dfbea/analysis/1359244828/ ) when I noticed randomly named files/services in System Event Viewer entries:
        Source: Service Control Manager, ID: 7035: The tdclac service was successfully sent a start control.
        Source: sr, ID: 1: The System Restore filter encountered the unexpected error "0xC0000243" while processing the file "fhhfso.sys" on the volume "HarddiskVolume1". It has stopped monitoring the volume.
     3) System analysis by avz4 showed the following in the Kernel Space Module Viewer: qozysh.sys, but after rebooting and running the system analysis again, it was not found.
     These don't appear very normal, or do they? Is it possible we didn't catch everything?
     Edit: attached the avz4 log just in case you want to take a look. Note that the entry did not show up in any subsequent scans.
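The randomly named service in the Service Control Manager 7035 entry above is the kind of thing a responder would cross-check against the service registry and the binary on disk. The script below is an added example written for this thread (it is not from the poster, the helper, or any tool mentioned here): it pulls 7035 "start control" events, resolves each service's ImagePath, and flags services that no longer exist, whose file is missing, or whose binary is not Authenticode-signed. It assumes PowerShell 2.0 or later running elevated; the `$KnownGood` list is a constructed placeholder.

```powershell
# Added example: triage Service Control Manager 7035 events.
# Assumes PowerShell 2.0+ on the affected machine, run from an elevated prompt.
# $KnownGood is a constructed allow-list for illustration; adjust it locally.
$KnownGood = @('Dhcp', 'Dnscache', 'Eventlog', 'RpcSs', 'wuauserv')

function Get-ServiceStartControlEvents {
    # 7035 = "The <name> service was successfully sent a start control."
    Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 2000 |
        Where-Object { $_.EventID -eq 7035 } |
        ForEach-Object {
            $name = $null
            if ($_.ReplacementStrings.Count -gt 0) { $name = $_.ReplacementStrings[0] }
            elseif ($_.Message -match 'The (.+?) service was successfully sent') { $name = $Matches[1] }
            if ($name) {
                New-Object PSObject -Property @{ Time = $_.TimeGenerated; Service = $name }
            }
        }
}

function Test-ServiceBinary {
    param([string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $result = New-Object PSObject -Property @{
        Service    = $ServiceName
        Registered = (Test-Path $key)
        ImagePath  = $null
        Exists     = $false
        Signature  = 'n/a'
        Suspicious = $false
    }
    if ($result.Registered) {
        $raw = (Get-ItemProperty $key -ErrorAction SilentlyContinue).ImagePath
        if ($raw) {
            # Best-effort path extraction: drop quotes and arguments, expand
            # %SystemRoot%-style variables and the \SystemRoot\ and system32\ shorthands.
            $path = $raw -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.(exe|sys|dll)).*$', '$1'
            $path = [Environment]::ExpandEnvironmentVariables($path)
            if ($path -match '^\\SystemRoot\\') { $path = $path -replace '^\\SystemRoot', $env:SystemRoot }
            if ($path -match '^system32\\')     { $path = Join-Path $env:SystemRoot $path }
            $result.ImagePath = $path
            $result.Exists    = Test-Path $path
            if ($result.Exists) {
                $result.Signature = (Get-AuthenticodeSignature $path).Status.ToString()
            }
        }
    }
    # A service that was started but has since vanished, has no file on disk,
    # or runs an unsigned binary deserves a closer look.
    $result.Suspicious = (-not $result.Registered) -or (-not $result.Exists) -or ($result.Signature -ne 'Valid')
    if ($KnownGood -contains $ServiceName) { $result.Suspicious = $false }
    return $result
}

Get-ServiceStartControlEvents |
    Select-Object -ExpandProperty Service -Unique |
    ForEach-Object { Test-ServiceBinary $_ } |
    Where-Object { $_.Suspicious } |
    Format-Table Service, Registered, Exists, Signature, ImagePath -AutoSize
```

A service that appears in a 7035 event but has no key under CurrentControlSet\Services any more (the `Registered` column) is the pattern to chase first, since a self-deleting loader leaves exactly that trace. On older Windows versions most operating-system binaries are catalog-signed rather than embedded-signed and will show `NotSigned` in the `Signature` column, so treat that column as a tiebreaker, not a verdict.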
  6. Thank you for all the help. I will see for a few days how things run. If the problems return, I'll come back here and report. Otherwise, this thread can be closed. Thanks again.
  7. I was able to delete it, though the path was not identical to what ComboFix picked up. ComboFix showed it was in HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\, but there was no LocalSystem path in regedit, so I found that key in HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components and deleted it from there. Any idea what that might have been?
  8. Ok, thanks! So it doesn't seem like there's been anything active going rampant on my system? But before we wrap up, did we get the locked registry key deleted successfully? [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|þ»Ów*] I found this (attached screenshot) in regedit, and I'm wondering if that's normal.
  9. I wonder if the 2 files it found are false positives? They don't have a very high detection ratio on VirusTotal: https://www.virustotal.com/file/ae626ecd21acada4d6ad15f93230910675886c8f692c36e64602525d71df355b/analysis/ https://www.virustotal.com/file/41eec42bfd44b18c6163a4e99dd03665edee0927e845f3dedec5b7adb89f5f98/analysis/1358547718/
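Posts 7 and 8 above turn on two details a practitioner would want to verify directly: that S-1-5-18 is the well-known SID of the LocalSystem account (so the UserData\S-1-5-18 and "LocalSystem" paths refer to the same key), and that Windows Installer normally names Components subkeys with 32 hexadecimal digits, so a subkey made of non-printable characters stands out. The script below is an added example written for this thread, not code from the poster or from ComboFix: it translates the SID and lists Components subkeys whose names are not in the expected form, dumping their raw bytes so they can be compared with what regedit shows. It assumes PowerShell 2.0 or later run elevated.

```powershell
# Added example: resolve the Installer UserData SID and flag oddly named
# Components subkeys. Assumes PowerShell 2.0+ from an elevated prompt.

function Get-SidAccountName {
    param([string]$Sid)
    # Well-known SIDs translate without any network lookup;
    # S-1-5-18 resolves to NT AUTHORITY\SYSTEM (the LocalSystem account).
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-OddInstallerComponents {
    param([string]$Sid = 'S-1-5-18')
    $base = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\$Sid\Components"
    if (-not (Test-Path $base)) { return @() }
    $account = Get-SidAccountName $Sid
    Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName
        # Windows Installer writes component IDs as 32 hex digits ("packed GUIDs").
        $isPacked     = $name -match '^[0-9A-F]{32}$'
        $nonPrintable = $name -match '[^\x20-\x7E]'
        if (-not $isPacked -or $nonPrintable) {
            New-Object PSObject -Property @{
                Account    = $account
                Key        = $_.Name
                ValueCount = $_.ValueCount
                NameBytes  = ([System.Text.Encoding]::Unicode.GetBytes($name) |
                                ForEach-Object { $_.ToString('X2') }) -join ' '
            }
        }
    }
}

Get-OddInstallerComponents | Format-List Account, Key, ValueCount, NameBytes
```

If a flagged key has to be removed, use `Remove-Item -LiteralPath` with the exact key path rather than `Remove-Item -Path`, because characters such as `*` in a name like the one in post 8 would otherwise be interpreted as wildcards. Comparing `NameBytes` against the name shown in regedit also settles whether the two tools are looking at the same key.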
  10. Ok, I ran it under max configuration (all except 'emulate low resources') and left it running for some hours. I received no notifications.
  11. Not sure if I did this properly. I did the standard-configuration unsigned-driver test first, but it did not even require me to reboot; it ran right then and there (found nothing). I then chose the developer's test and ran the extensive test for all drivers. But once I rebooted, I didn't see anything; I didn't see verifier.exe in Task Manager, etc. But I assume something is running because my CPU usage has been at 100% since then. I ran verifier.exe and clicked "show the details of thus far checked driver files", and I can see a bunch of drivers, most loaded, a few not loaded. It says the only test in use is "extensive I/O testing".
  12. Ok, I ran sfc /scannow. It did prompt for a Windows CD and I left it running while I was away. I saw no report of anything when I came back, so I have no idea what it did. What's next?
  13. Done. Did not run into any problems. The only thing I can think of to report is that yesterday, during one of the EEK scans, I got a bunch of atapi errors in the System Event Viewer: "The device, \Device\Ide\IdePort0, did not respond within the timeout period." and "The driver detected a controller error on \Device\Ide\IdePort0." After that, my primary IDE controller's current transfer mode dropped from Ultra DMA 5 to PIO mode once again. This could happen because of the scan, right? It's probably Comodo Internet Security then, because I haven't had those other applications running in a while.
  14. Did one more scan with EEK, a custom scan. It found a cookie ("doubleclick.net") and flagged it as high risk (why would a cookie be high risk?). I didn't remove it, since I've been advised not to remove anything without being told to do so.