Dwer23

CLOSED Would like to have a complete check of my computer for anything suspicious


Also, I forgot to mention that a few days ago I saw the mouse cursor moving by itself to the left by 1-2 pixels, which also had me worried. But this was way before the events described in my other thread, so they are not related.


Are you completely sure? Those logs are pretty long; how did you analyze them so fast? Would you say that my PC is clean if multiple virus scanners come up with nothing? I have scanned with Emsisoft Anti-Malware, Malwarebytes, RKill, RogueKiller, Sophos, HitmanPro, and F-Secure Online Scanner.

Can you say anything about that issue in the other thread?


What do you mean by an autorun section check? I downloaded Zemana and just clicked the scan button, and it didn't find anything. Should I have done something differently?


Yes, I am completely sure that your logs are clean.

@Barsuk's posts have been hidden. The poster is not authorized to provide any advice or assistance in this portion of the Emsisoft Support Forums.


I know you just checked my logs earlier, but I would greatly appreciate it if you could check these new ones... I think there's something weird on my PC, because I went to sleep while YouTube videos were playing (in the mode where the next video is always started automatically), and when I returned to my computer some video had stopped at the end without moving on to the next one, so maybe someone with remote access to my PC did that. Also, earlier I got some error windows regarding Sourcetree Git files, which I kind of gave a pass at the time.

I ran my Emsisoft Anti-Malware custom scan and it found nothing.

Here are the new logs:

FRST.txt

Addition.txt


Your logs show no signs of infection. You now have EAM, MBAM, and ZAM on your system. That is overkill and will cause issues.

Videos will stop autoplaying once they reach the end of the playlist. You should never leave your computer unattended for any length of time.


Thanks for checking the logs. It's a little weird that that happened, because the videos were not on any playlist; I have autoplay on, so it always goes to the next "related" video.

About Zemana, I only use it for scanning; real-time protection is off.


I am looking at ntoskrnl.exe in the Windows\System32 folder, and its creation date is 13 September but its creation date is 05 September. That's weird.

Its creation date and access date are identical: 13 September 00:15:27.

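An added check for the ntoskrnl.exe question above (example code, not from the thread, from Emsisoft or from any of the scanners mentioned). It prints the NTFS timestamps the poster was comparing, then runs the two checks that actually say whether the file is Microsoft's: the Authenticode signature and a hash match against the servicing store. It assumes Windows 8 or later with PowerShell 5.1, so that catalog signatures are recognised, and an intact WinSxS directory; the `CN=Microsoft` subject match and the "Temp" wording in the warnings are this example's own heuristics.

```powershell
# Added example, not from the thread. Read-only checks on the file the poster
# was worried about. Assumes Windows 8 or later with PowerShell 5.1 (so catalog
# signatures are recognised) and an intact WinSxS servicing store.
$path = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
$file = Get-Item -LiteralPath $path

# NTFS records creation, modification and access times separately. Windows
# servicing (CBS) places updated system files through hard links from WinSxS,
# so a Created time later than the Modified time is the normal result of an
# update, and with last-access updating off (the usual default) the Accessed
# time simply stays at the value set when the file was placed.
[pscustomobject]@{
    Created  = $file.CreationTime
    Modified = $file.LastWriteTime
    Accessed = $file.LastAccessTime
    Version  = $file.VersionInfo.FileVersion
    Size     = $file.Length
} | Format-List

# The check that actually answers "is this the Microsoft kernel": a valid
# Authenticode signature whose signer is a Microsoft certificate.
$sig = Get-AuthenticodeSignature -FilePath $path
$sig | Select-Object Status, SignatureType,
    @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } } | Format-List

# 'CN=Microsoft' is this example's heuristic for the signer subject.
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'CN=Microsoft') {
    Write-Warning 'ntoskrnl.exe does not carry a valid Microsoft signature; run sfc /scannow and investigate'
}

# Second opinion: the System32 copy should be byte-identical to a copy in the
# component store (normally it is the same hard-linked file). Walking WinSxS
# takes a while; that is expected.
$live  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
$store = Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Recurse -Filter 'ntoskrnl.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }

if ($store -contains $live) {
    "SHA256 $live matches a component-store copy"
} else {
    Write-Warning "SHA256 $live has no match in WinSxS; a pending update can cause this, otherwise treat it as suspicious"
}
```

Run it from an elevated PowerShell prompt. The point of the ordering is that the timestamps are the weakest evidence of the three: they describe when the file system saw the file, not what the file is, so a creation date that does not line up with another date is not, on its own, evidence either way. A valid Microsoft signature plus a hash that matches the servicing store is what rules out a replaced kernel image.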

Thank you for your response. But damn... I know you've worked with my logs before, but I would need your expertise for a third time again, sorry!

I installed a game from Steam, and during the installation of DirectX or something I got warnings about something, which was approved by the network later, but I also got a behavior warning about the game itself when I tried to run it (it also had an anti-cheat system). Also, earlier, before this, I think my monitor flashed black while I was watching TV (now I know this might sound like an eye glitch / paranoid...). So I want to make sure those warnings were false alarms by confirming that my PC is clean in these logs.

Here are the Farbar logs:

FRST.txt

Addition.txt


Here is the forensics log from my Emsisoft:

Forensics_170930-024402.txt

Also, I know I still have Zemana, but I wasn't sure if you meant that Zemana only causes issues when used as real-time protection on top of the current programs, so I kept it for now. I use it as an on-demand scanner only.

Now that I'm looking at my emails, I may have gotten a password reset email for my Emsisoft support forum account that I didn't initiate. I did request a password reset earlier, though. Maybe someone else tried to change my password?

Please be extra cautious about anything you might feel is suspicious when reviewing those Farbar logs.


Virtually every game made makes use of a rudimentary keylogger. Games need to monitor keystrokes, cursor position, and button clicks. Most modern games have some kind of update feature, which is technically a Trojan.backdoor, and many games inject code into Microsoft processes. These are normal behavior for the most part. There are thousands of Windows games available for download. It is not feasible to download and test all of them and create whitelist rules for each and every game. This is where it becomes incumbent on the end-user to know what they are downloading and installing, what modifications it is making, and its behavior.

If you got the password reset request notification and not a notification that the password was reset, then you should be OK. If you are not comfortable that your password was not compromised, then change your password.


Thanks for your answer.

After that post, I actually just went and erased my SSD, just to be sure. But now, on my clean system, I have some issues. HitmanPro came up with a log, which is attached to this post, and F-Secure Online Scanner doesn't start up: it tries to load but comes up with the error "Could not complete the operation". Something fishy is going on that prevents this program from running. Other virus scanners run normally. Also, my internet has been behaving oddly recently; some downloads are really slow (like 50 kbps, when normally 2 MB/s), and others run at max speed. Something is going on. I scanned the PC earlier with Trend Micro HouseCall; can you confirm whether those HitmanPro findings are indeed from Trend Micro? Or did I download some Trend Micro software with malware? I did download it from https://www.trendmicro.com/en_us/forHome/products/housecall.html

Here are also the newest Farbar logs:

FRST.txt

Addition.txt

HitmanPro_20171005_0246.log


Oh, and here's also the RogueKiller log:

Especially this part:

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4B626774-E071-43F3-A16A-11FA4AAF0ECD} : v2.27|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|App=C:\Users\Pws\AppData\Local\Temp\HouseCall\tmase\drs\DrScaner.exe|Name=rule4scaner|Desc=rule4scaner|EmbedCtxt=rule4scaner|Edge=TRUE|Defer=App| [7] -> Found

rogkiller.txt

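An added example for the firewall rule RogueKiller flagged (example code, not from the thread, from RogueKiller or from Trend Micro). It reads the same FirewallRules registry values, parses the pipe-delimited format quoted in the log above, and lists inbound allow rules whose program path sits under a Temp or AppData directory; for each one it then checks whether that program still exists and whether it is signed. The HouseCall rule in the log fits the common benign case: a scanner unpacked into Temp, opened inbound access for its own process, and left the rule behind when it cleaned up after itself. The code assumes Windows 8 or later (for Remove-NetFirewallRule) and an elevated prompt; the path pattern, the "stale if the file is missing" rule and the function name are this example's own choices.

```powershell
# Added example, not from the thread or from RogueKiller. Read-only until the
# -WhatIf on the last line is removed. Assumes Windows 8+ and an elevated prompt.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

function ConvertFrom-FirewallRuleValue {
    # Value name is the rule ID (usually a GUID); value data looks like
    # 'v2.27|Action=Allow|Active=TRUE|Dir=In|Profile=Private|App=C:\...\x.exe|Name=...|'.
    # Profile= can repeat, so it is collected as a list; other keys keep the last value.
    param([string]$Id, [string]$Data)
    $fields   = @{}
    $profiles = @()
    foreach ($token in ($Data -split '\|')) {
        if ($token -notmatch '^([^=]+)=(.*)$') { continue }   # skips the 'v2.27' tag and empty tokens
        if ($Matches[1] -eq 'Profile') { $profiles += $Matches[2] } else { $fields[$Matches[1]] = $Matches[2] }
    }
    $app = $null
    if ($fields['App']) { $app = [Environment]::ExpandEnvironmentVariables($fields['App']) }
    [pscustomobject]@{
        Id       = $Id
        Name     = $fields['Name']
        Dir      = $fields['Dir']
        Action   = $fields['Action']
        Active   = $fields['Active']
        Profiles = ($profiles -join ',')
        App      = $app
    }
}

$reg   = Get-Item -Path $key
$rules = foreach ($id in $reg.GetValueNames()) {
    ConvertFrom-FirewallRuleValue -Id $id -Data ([string]$reg.GetValue($id))
}

# Inbound allow rules for programs under a user Temp or AppData tree. The
# pattern is this example's choice; widen or narrow it as needed.
$flagged = $rules | Where-Object {
    $_.Dir -eq 'In' -and $_.Action -eq 'Allow' -and $_.Active -eq 'TRUE' -and
    $_.App -and $_.App -match '\\AppData\\|\\Temp\\'
}

# A rule whose program is gone is a leftover (the HouseCall DrScaner.exe rule
# above is that case). A program that still exists, is unsigned, and is
# allowed inbound on every profile is the one worth a closer look.
$report = foreach ($r in $flagged) {
    $status = if (Test-Path -LiteralPath $r.App) {
        (Get-AuthenticodeSignature -FilePath $r.App).Status
    } else { 'FileMissing' }
    [pscustomobject]@{ Id = $r.Id; Name = $r.Name; Profiles = $r.Profiles; App = $r.App; Signature = $status }
}
$report | Format-Table -AutoSize

# Leftover rules can be removed by ID. Drop -WhatIf to actually delete them.
$report | Where-Object Signature -eq 'FileMissing' |
    ForEach-Object { Remove-NetFirewallRule -Name $_.Id -WhatIf }
```

The registry value name is the same identifier that Get-NetFirewallRule and Remove-NetFirewallRule accept as -Name, which is why the cleanup step can work straight from the parsed ID. A rule pointing at a deleted file cannot let anything in, so it is tidiness rather than a security fix; the case that deserves attention is a rule for a binary that is still present in Temp and not signed by anyone you recognise.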

I also got another email about a password CHANGE immediately after I changed my password, though the emails have the same timestamp, and I tried to see if my password had been changed from what I set it to be; I could log in with what I had set it to be. So maybe a technical error on the Emsisoft support site?


The items in the HMP log are not malicious. Everything in the RogueKiller logs is normal. Your FRST logs show no malware.

The PWD reset logs should be received when a PWD reset is requested and when one was done.


Thank you for the response; I'm glad to hear the logs are normal. About the emails, it happened that I changed my password on my mobile phone in the account settings, and if I press the "OK" button on the password change screen twice while it loads, it seems to send two emails about the password change. The F-Secure Online Scanner started working again by itself.


Yeah, the website password reset request likely registered multiple requests. Hence the multiple emails.

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore

  • Click the Run button.


When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder in the root of your system drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!


Question: if there was malware on the system, how likely is it that it would not show up in Farbar alongside RogueKiller, HitmanPro, Emsisoft, F-Secure scanner and Trend Micro scanner? I know there are some pretty advanced CIA tools out there, but no one can really do anything about those, since they are only leaked years after they've been in use.


Malware cannot completely evade detection. There will always be something that will show up in the logs that will indicate that a system is infected.

Don't worry about those CIA/NSA tools; if you are not a person of interest, you will never be targeted by either of those organizations.


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.
