Strange problem with pagefile.sys and virus detection with SOPHOS


This topic is locked
12 replies to this topic

#1 Irondy


Posted 16 June 2018 - 07:17 AM

Hello,

 

I noticed a strange problem on my desktop PC with Windows 7 Home Edition. The installed antivirus program is MS Essentials.

 

When I ran a full scan with an offline scanner from SOPHOS under a LINUX OS, I got a virus finding like this:

The virus Bleah-da was found in the file pagefile.sys

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Bleah-da.aspx

 

No other viruses or malware were found on the computer with that full scan.

 

So I renamed the file under LINUX and started the computer with Windows 7 again.

All fine.

 

After working with this PC for a while, I started another full scan with SOPHOS (started under LINUX), and now another finding was detected in the new pagefile.sys:

The virus DirtyDog was found in the file pagefile.sys

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/DirtyDog/detailed-analysis.aspx

 

I repeated the above procedure a few times (every time I renamed or deleted pagefile.sys) and also found other viruses in pagefile.sys (one per new loop of the above steps):

- Michelangelo-g

- Munya-A

- Nutcracker Boot

- Aardvark

- Playgame-1999

 

I used several other antivirus scanners under LINUX like

- Avira

- F-Secure

- ESET

and none of these found any virus in a full scan of the hard drive.

 

Under Windows I also installed some other programs like

- Malwarebytes

- Sophos (!)

- F-Secure

and no virus was found in a full scan.

 

Has anyone an idea about this strange behaviour?

Why can't the SOPHOS scanner (current premium version under Windows) detect any of the virus files which I stored in a separate directory (e.g. pagefile.sys.VIRUS)?

 

 

 





#2 hamluis

Moderator

Posted 16 June 2018 - 07:19 AM

Please...post the FRST data requested at https://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ .  Post it to this topic, no need to initiate a new topic.

 

Louis



#3 Irondy

Topic Starter

Posted 16 June 2018 - 08:03 AM

I attached the output of FRST.txt (because the editor told me it is too long to post).


[Addition.txt]

Zusätzliches Untersuchungsergebnis von Farbar Recovery Scan Tool (x64) Version: 06.06.2018 01
durchgeführt von Andy (16-06-2018 14:31:03)
Gestartet von C:\Users\Andy\Downloads
Windows 7 Home Premium Service Pack 1 (X64) (2018-06-15 17:06:37)
Start-Modus: Normal
==========================================================


==================== Konten: =============================

Administrator (S-1-5-21-3384000725-1250479824-3934207906-500 - Administrator - Disabled)
Andy (S-1-5-21-3384000725-1250479824-3934207906-1000 - Administrator - Enabled) => C:\Users\Andy
Gast (S-1-5-21-3384000725-1250479824-3934207906-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3384000725-1250479824-3934207906-1002 - Limited - Enabled)
SophosSAUDELL-PCaaa (S-1-5-21-3384000725-1250479824-3934207906-1003 - Limited - Enabled)

==================== Sicherheits-Center ========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er entfernt.)

AV: Sophos Home (Enabled - Up to date) {FFADE7EA-DC92-4602-D6B2-626CD3450A0F}
AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Sophos Home (Enabled - Up to date) {44CC060E-FAA8-498C-EC02-591EA8C240B2}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installierte Programme ======================

(Nur Adware-Programme mit dem Zusatz "Hidden" können in die Fixlist aufgenommen werden, um sie sichtbar zu machen. Die Adware-Programme sollten manuell deinstalliert werden.)

Broadcom NetXtreme-I Netlink Driver and Management Installer (HKLM\...\{5569655A-9653-42CD-A599-5617DF767D2A}) (Version: 12.37.01 - Broadcom Corporation)
DisplayDriverAnalyzer (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_DisplayDriverAnalyzer) (Version: 398.11 - NVIDIA Corporation) Hidden
HitmanPro.Alert 3 (HKLM\...\HitmanPro.Alert) (Version: 3.6.16.617 - SurfRight B.V.) Hidden
IrfanView 4.51 (64-bit) (HKLM\...\IrfanView64) (Version: 4.51 - Irfan Skiljan)
Malwarebytes Version 3.5.1.2522 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.5.1.2522 - Malwarebytes)
Microsoft .NET Framework 4.7.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.7.02558 - Microsoft Corporation)
Microsoft .NET Framework 4.7.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02558 - Microsoft Corporation)
Microsoft Office Home and Business 2013 - de-de (HKLM\...\HomeBusinessRetail - de-de) (Version: 15.0.5041.1001 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3384000725-1250479824-3934207906-1000\...\OneDriveSetup.exe) (Version: 17.3.4604.0120 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.13.26020 (HKLM-x32\...\{7474cd6e-76cc-4257-837e-5b9261e526af}) (Version: 14.13.26020.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.13.26020 (HKLM-x32\...\{5c045b7f-e561-4794-91f8-c6cda0893107}) (Version: 14.13.26020.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Visual Studio 2010-Tools für Office-Laufzeit (x64) Language Pack - DEU (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - DEU) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 60.0.2 (x64 de) (HKLM\...\Mozilla Firefox 60.0.2 (x64 de)) (Version: 60.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 60.0 - Mozilla)
NVIDIA 3D Vision Controller-Treiber 390.41 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 390.41 - NVIDIA Corporation)
NVIDIA 3D Vision Treiber 398.11 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 398.11 - NVIDIA Corporation)
NVIDIA Grafiktreiber 398.11 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 398.11 - NVIDIA Corporation)
NVIDIA HD-Audiotreiber 1.3.37.4 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.37.4 - NVIDIA Corporation)
NVIDIA PhysX-Systemsoftware 9.17.0524 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.17.0524 - NVIDIA Corporation)
Office 15 Click-to-Run Extensibility Component (HKLM-x32\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.5041.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-008F-0000-1000-0000000FF1CE}) (Version: 15.0.5041.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM-x32\...\{90150000-008C-0407-0000-0000000FF1CE}) (Version: 15.0.5041.1001 - Microsoft Corporation) Hidden
Sophos Anti-Virus (HKLM-x32\...\{577896A8-08F6-47E2-B2EB-DE5265701F39}) (Version: 10.8.1.398 - Sophos Limited) Hidden
Sophos AutoUpdate (HKLM-x32\...\{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54}) (Version: 5.12.206 - Sophos Limited) Hidden
Sophos Diagnostic Utility (HKLM-x32\...\{4627F5A1-E85A-4394-9DB3-875DF83AF6C2}) (Version: 1.20.0.4 - Sophos Limited) Hidden
Sophos Exploit Prevention (HKLM\...\{866151B2-E14E-40E0-B6D9-64B1D428F5CB}) (Version: 3.6.16.20 - Sophos Limited) Hidden
Sophos Home (HKLM\...\Sophos Endpoint Agent) (Version: 1.3.0 - Sophos Limited)
Sophos Home (HKLM-x32\...\{6F87527E-4184-417C-BD0D-365D6EBE6254}) (Version: 2.2.65 - Sophos Limited) Hidden
Sophos Home Clean (HKLM\...\Sophos Home Clean) (Version: 3.7.21.158 - Sophos Limited) Hidden
Sophos Management Communications System (HKLM-x32\...\{2C14E1A2-C4EB-466E-8374-81286D723D3A}) (Version: 4.7.15 - Sophos Limited) Hidden
Sophos Network Threat Protection (HKLM\...\{66967E5F-43E8-4402-87A4-04685EE5C2CB}) (Version: 1.3.2.40 - Sophos Limited) Hidden
Sophos System Protection (HKLM\...\{934BEF80-B9D1-4A86-8B42-D8A6716A8D27}) (Version: 2.6.0.71 - Sophos Limited) Hidden
VeraCrypt (HKLM-x32\...\VeraCrypt) (Version: 1.22 - IDRIX)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.6 - VideoLAN)

==================== Benutzerdefinierte CLSID (Nicht auf der Ausnahmeliste): ==========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers1: [SophosHomeShellExt] -> {2FE0F6D6-426A-4728-B435-7CF2FE926449} => C:\Program Files (x86)\Sophos\Sophos Home\SophosHomeShellExtX64.dll [2018-05-22] (Sophos Limited)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers2: [SophosHomeShellExt] -> {2FE0F6D6-426A-4728-B435-7CF2FE926449} => C:\Program Files (x86)\Sophos\Sophos Home\SophosHomeShellExtX64.dll [2018-05-22] (Sophos Limited)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers4: [SophosHomeShellExt] -> {2FE0F6D6-426A-4728-B435-7CF2FE926449} => C:\Program Files (x86)\Sophos\Sophos Home\SophosHomeShellExtX64.dll [2018-05-22] (Sophos Limited)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2018-06-01] (NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers6: [SophosHomeShellExt] -> {2FE0F6D6-426A-4728-B435-7CF2FE926449} => C:\Program Files (x86)\Sophos\Sophos Home\SophosHomeShellExtX64.dll [2018-05-22] (Sophos Limited)

==================== Geplante Aufgaben (Nicht auf der Ausnahmeliste) =============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

Task: {22374D5D-0E2E-45CD-A870-D85E29F1D2B4} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2017-12-12] (Microsoft Corporation)
Task: {893E7EE7-5A0B-41E2-8D71-8E416EE8934A} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2017-12-12] (Microsoft Corporation)
Task: {F41099B6-416F-4B7E-B517-8D275DD2EDAA} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\\MpCmdRun.exe [2016-11-14] (Microsoft Corporation)

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Aufgabe verschoben. Die Datei, die durch die Aufgabe gestartet wird, wird nicht verschoben.)


==================== Verknüpfungen & WMI ========================

(Die Einträge können gelistet werden, um sie zurückzusetzen oder zu entfernen.)


==================== Geladene Module (Nicht auf der Ausnahmeliste) ==============

2018-06-16 09:12 - 2017-01-17 04:25 - 000117440 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2018-06-15 19:31 - 2017-11-24 09:12 - 000158288 _____ () C:\totalcmd\wcmzip64.dll
2018-06-16 13:17 - 2018-04-25 13:16 - 002297040 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-06-16 13:17 - 2018-05-30 09:22 - 002493648 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-01-26 19:23 - 2017-01-26 19:23 - 000234336 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\http.plg
2017-01-26 19:23 - 2017-01-26 19:23 - 000141424 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\ip.plg
2017-01-26 19:23 - 2017-01-26 19:23 - 000120072 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\ipv6.plg
2017-01-26 19:23 - 2017-01-26 19:23 - 000077432 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\portmap.plg
2017-01-26 19:23 - 2017-01-26 19:23 - 000165728 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\tcp.plg
2017-01-26 19:23 - 2017-01-26 19:23 - 000149168 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\udp.plg
2018-06-16 09:12 - 2018-06-16 09:12 - 000325824 _____ () C:\Program Files\Microsoft Office 15\root\office15\AppVIsvStream32.dll

==================== Alternate Data Streams (Nicht auf der Ausnahmeliste) =========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird nur der ADS entfernt.)


==================== Abgesicherter Modus (Nicht auf der Ausnahmeliste) ===================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Der Wert "AlternateShell" wird wiederhergestellt.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SntpService => ""="service"

==================== Verknüpfungen (Nicht auf der Ausnahmeliste) ===============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Registryeintrag auf den Standardwert zurückgesetzt oder entfernt.)


==================== Internet Explorer Vertrauenswürdig/Eingeschränkt ===============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt.)


==================== Hosts Inhalt: ===============================

(Wenn benötigt kann der Hosts: Schalter in die Fixlist aufgenommen werden um die Hosts Datei zurückzusetzen.)

2009-07-14 04:34 - 2009-06-10 23:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Andere Bereiche ============================

(Aktuell gibt es keinen automatisierten Fix für diesen Bereich.)

HKU\S-1-5-21-3384000725-1250479824-3934207906-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Andy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.178.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall ist aktiviert.

==================== MSCONFIG/TASK MANAGER Deaktivierte Einträge ==


==================== Firewall Regeln (Nicht auf der Ausnahmeliste) ===============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

FirewallRules: [{A06A4FCE-2FE8-4181-8E2A-B5603ACBC1AE}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{4A7023F4-3316-46E0-8345-C700C3154E57}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{8B5DDB3B-1F35-4927-81B8-59B26756A647}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{DB5FE643-D90B-467E-8BA3-189486FC51A2}] => (Allow) C:\Users\Andy\AppData\Local\Microsoft\OneDrive\OneDrive.exe

==================== Wiederherstellungspunkte =========================

15-06-2018 22:39:52 Windows Update
15-06-2018 23:22:36 Sprachpaketdeinstallation
16-06-2018 03:02:19 Windows Update
16-06-2018 08:56:13 Windows Update
16-06-2018 09:01:11 Windows Update
16-06-2018 09:05:01 Windows Update
16-06-2018 10:16:16 Windows Update
16-06-2018 10:33:12 Windows Update
16-06-2018 10:41:49 Windows Update

==================== Fehlerhafte Geräte im Gerätemanager =============

Name: USB (Universal Serial Bus)-Controller
Description: USB (Universal Serial Bus)-Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Fehlereinträge in der Ereignisanzeige: =========================

Applikationsfehler:
==================
Error: (06/16/2018 02:19:54 PM) (Source: Sophos Management Communications System) (EventID: 8001) (User: )
Description: Ein HTTP-Status '503' wurde vom Client-Dienst 'Sophos Management Communications System' an den Server übermittelt. Unter Umständen bedeutet das, dass Handlungsbedarf vorhanden ist.

Error: (06/16/2018 02:02:12 PM) (Source: Sophos Management Communications System) (EventID: 8001) (User: )
Description: Ein HTTP-Status '503' wurde vom Client-Dienst 'Sophos Management Communications System' an den Server übermittelt. Unter Umständen bedeutet das, dass Handlungsbedarf vorhanden ist.

Error: (06/16/2018 01:56:21 PM) (Source: Sophos Management Communications System) (EventID: 8001) (User: )
Description: Ein HTTP-Status '503' wurde vom Client-Dienst 'Sophos Management Communications System' an den Server übermittelt. Unter Umständen bedeutet das, dass Handlungsbedarf vorhanden ist.

Error: (06/16/2018 01:51:17 PM) (Source: Sophos Management Communications System) (EventID: 8001) (User: )
Description: Ein HTTP-Status '503' wurde vom Client-Dienst 'Sophos Management Communications System' an den Server übermittelt. Unter Umständen bedeutet das, dass Handlungsbedarf vorhanden ist.

Error: (06/16/2018 01:49:50 PM) (Source: Sophos Management Communications System) (EventID: 8001) (User: )
Description: Ein HTTP-Status '503' wurde vom Client-Dienst 'Sophos Management Communications System' an den Server übermittelt. Unter Umständen bedeutet das, dass Handlungsbedarf vorhanden ist.

Error: (06/16/2018 01:48:46 PM) (Source: Sophos Management Communications System) (EventID: 8001) (User: )
Description: Ein HTTP-Status '503' wurde vom Client-Dienst 'Sophos Management Communications System' an den Server übermittelt. Unter Umständen bedeutet das, dass Handlungsbedarf vorhanden ist.

Error: (06/16/2018 01:36:42 PM) (Source: HitmanPro.Alert) (EventID: 911) (User: )
Description: Mitigation   BadUSB

Platform     6.1.7601/x64 v617 06_1e

Keyboard name        Natural® Ergonomic Keyboard 4000
Hardware ID        HID\VID_045E&PID_00DB&REV_0173&MI_00

Error: (06/16/2018 01:31:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: fsbl.exe, Version: 2.2.1092.0, Zeitstempel: 0x48a543e2
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x000d08cd
ID des fehlerhaften Prozesses: 0x14f8
Startzeit der fehlerhaften Anwendung: 0x01d40565876f4566
Pfad der fehlerhaften Anwendung: C:\Users\Andy\Downloads\fsbl.exe
Pfad des fehlerhaften Moduls: unknown
Berichtskennung: ca5f1b21-7158-11e8-97cb-842b2b9c5a0a


Systemfehler:
=============
Error: (06/16/2018 02:17:42 PM) (Source: SAVOnAccess) (EventID: 15) (User: )
Description: Der On-Access-Treiber konnte kein Identitätstoken für die Datei %2 erstellen.

Error: (06/16/2018 02:17:42 PM) (Source: SAVOnAccess) (EventID: 15) (User: )
Description: Der On-Access-Treiber konnte kein Identitätstoken für die Datei \Device\HarddiskVolume3\Windows\System32\shell32.dll erstellen.

Error: (06/16/2018 01:46:02 PM) (Source: SAVOnAccess) (EventID: 15) (User: )
Description: Der On-Access-Treiber konnte kein Identitätstoken für die Datei %2 erstellen.

Error: (06/16/2018 01:46:02 PM) (Source: SAVOnAccess) (EventID: 15) (User: )
Description: Der On-Access-Treiber konnte kein Identitätstoken für die Datei \Device\HarddiskVolume3\Windows\system32\shell32.dll erstellen.

Error: (06/16/2018 12:54:33 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Die Initialisierung des Speicherabbildes ist fehlgeschlagen.

Error: (06/16/2018 10:18:02 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT)
Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070308 fehlgeschlagen: Sicherheitsupdate für Windows 7 für x64-basierte Systeme (KB2965788)

Error: (06/16/2018 10:18:00 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT)
Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070308 fehlgeschlagen: Update für Windows 7 für x64-basierte Systeme (KB3172605)

Error: (06/16/2018 10:17:48 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT-AUTORITÄT)
Description: Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070308 fehlgeschlagen: Sicherheitsupdate für Windows 7 für x64-basierte Systeme (KB3042058)


==================== Speicherinformationen ===========================

Prozessor: Intel® Core™ i7 CPU 870 @ 2.93GHz
Prozentuale Nutzung des RAM: 35%
Installierter physikalischer RAM: 8151.08 MB
Verfügbarer physikalischer RAM: 5250.45 MB
Summe virtueller Speicher: 16300.32 MB
Verfügbarer virtueller Speicher: 11302.24 MB

==================== Laufwerke ================================

Drive c: () (Fixed) (Total:931.51 GB) (Free:864.2 GB) NTFS ==>[Laufwerk mit Startkomponenten (eingeholt von BCD)]
Drive d: (WD2TB-A) (Fixed) (Total:1863.02 GB) (Free:481.13 GB) NTFS
Drive e: (WD2TB-B) (Fixed) (Total:1863.01 GB) (Free:165.21 GB) NTFS
Drive k: (Elements5TB) (Fixed) (Total:4657.49 GB) (Free:29.06 GB) NTFS


==================== MBR & Partitionstabelle ==================

========================================================
Disk: 0 (Protective MBR) (Size: 1863 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 1 (Size: 1863 GB) (Disk ID: 218F6EF6)

Partition: GPT.

========================================================
Disk: 2 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: 2A1E5125)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)
Attempted reading MBR returned 0 bytes.
 Could not read MBR for disk 7.

==================== Ende von Addition.txt ============================



#4 Irondy

Topic Starter

Posted 16 June 2018 - 08:05 AM

FRST.txt as attachment.

Attached Files

  • Attached File  FRST.txt   281.18KB   3 downloads


#5 HelpBot

Bleepin' Binary Bot

Posted 21 June 2018 - 07:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/679169 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 Irondy

Topic Starter

Posted 23 June 2018 - 05:30 AM

Here are the new scan files as an attachment.

 

Attached Files



#7 Irondy

Topic Starter

Posted 24 June 2018 - 05:45 AM

I have an original Win 7 DVD at my site.

#8 Elise

Bleepin' Blonde, Malware Study Hall Admin

Posted 29 June 2018 - 03:58 AM

Hi, my apologies for the delay, I'll assist you with this issue. :)

Before anything, pagefile.sys is a legitimate file; it's used by Windows as a virtual memory swap file. It can be that Sophos detected a file inside virtual memory and therefore flagged the pagefile.

Aside from this issue, do you have any actual problem that might point to malware (slowness, browser redirects, pop ups, freezes, other weirdness)?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
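As an added illustration of Elise's point (example code written for this thread, not code from the poster, from Sophos or from BleepingComputer): pagefile.sys holds raw memory pages swapped out from whatever processes were running, so a scanner that matches a byte pattern inside it is reporting that the pattern sat in paged-out memory, not that an infected executable exists on disk. The script below plants two constructed test patterns into a constructed page-file-like blob and scans it both in one pass and in chunks (the way a multi-gigabyte pagefile has to be read), reporting the absolute offset, 4 KiB page index and in-page offset of each hit so that a hit can be located and examined. The signatures, the sample layout and all function names are assumptions made for the example; none of the patterns are real malware signatures.

```python
"""Locate byte-signature hits inside a page-file-like blob.

Added example for this thread; not Sophos code and not the poster's code.
The signatures and the sample page file below are constructed.
"""
import io

PAGE_SIZE = 4096  # Windows pages the pagefile in 4 KiB units (x86/x64)

# Constructed stand-ins for AV byte signatures (assumption: not real patterns).
SIGNATURES = {
    "Test-Sig-A": b"CONSTRUCTED-TEST-SIGNATURE-A-NOT-MALWARE",
    "Test-Sig-B": b"CONSTRUCTED-TEST-SIGNATURE-B-NOT-MALWARE",
}


def build_sample_pagefile(pages: int = 5) -> bytes:
    """Constructed page file: zeroed pages with the two test patterns planted
    in pages 2 and 3, as paged-out process memory would carry them."""
    buf = bytearray(PAGE_SIZE * pages)
    plant = {2 * PAGE_SIZE + 100: SIGNATURES["Test-Sig-A"],
             3 * PAGE_SIZE + 7: SIGNATURES["Test-Sig-B"]}
    for off, pattern in plant.items():
        buf[off:off + len(pattern)] = pattern
    return bytes(buf)


def scan_buffer(data: bytes, signatures=SIGNATURES, base: int = 0, context: int = 16):
    """Find every signature occurrence in `data`. `base` is the absolute file
    offset of data[0], so hits found in a chunk still get absolute positions."""
    hits = []
    for name, pattern in signatures.items():
        idx = data.find(pattern)
        while idx >= 0:
            abs_off = base + idx
            lo, hi = max(0, idx - context), min(len(data), idx + len(pattern) + context)
            hits.append({
                "name": name,
                "offset": abs_off,
                "page": abs_off // PAGE_SIZE,        # which 4 KiB page holds the hit
                "page_offset": abs_off % PAGE_SIZE,  # where inside that page
                "context": bytes(data[lo:hi]),       # bytes around the hit, for triage
            })
            idx = data.find(pattern, idx + 1)
    hits.sort(key=lambda h: h["offset"])
    return hits


def scan_stream(stream, signatures=SIGNATURES, chunk_size: int = 1 << 20):
    """Chunked scan for files too large to load at once (a pagefile can be
    several GiB). An overlap of (longest signature - 1) bytes is carried from
    one chunk to the next so a pattern straddling a chunk boundary is still
    found; hits are deduplicated by absolute offset because the overlap
    region is searched twice."""
    overlap = max(len(p) for p in signatures.values()) - 1
    buf, base, seen, hits = b"", 0, set(), []
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        for h in scan_buffer(buf, signatures, base=base):
            key = (h["name"], h["offset"])
            if key not in seen:
                seen.add(key)
                hits.append(h)
        if len(buf) > overlap:
            base += len(buf) - overlap
            buf = buf[len(buf) - overlap:]  # keep only the tail for the next round
    hits.sort(key=lambda h: h["offset"])
    return hits


def scan_sample_via_stream(chunk_size: int = 100):
    """Run the chunked scanner over the constructed sample. The default chunk
    size is deliberately tiny so the first pattern straddles a chunk boundary."""
    hits = scan_stream(io.BytesIO(build_sample_pagefile()), chunk_size=chunk_size)
    return [(h["name"], h["offset"]) for h in hits]


def hit_report(hits) -> str:
    """One human-readable line per hit with its in-page location."""
    return "\n".join(
        f"{h['name']}: offset 0x{h['offset']:x} (page {h['page']}, +{h['page_offset']})"
        for h in hits
    )


if __name__ == "__main__":
    sample = build_sample_pagefile()
    print(hit_report(scan_buffer(sample)))
    print(scan_sample_via_stream() == [(h["name"], h["offset"]) for h in scan_buffer(sample)])
```

Running a check like this against a real pagefile.sys has to happen offline (the file is locked while Windows is running), which is exactly why the poster's Linux-booted scans can read it while the Windows-hosted scanners skip it. The page index and in-page offset tell you which memory page carried the pattern; what that page belonged to cannot be recovered from the pagefile alone, so a hit there is a prompt to inspect the running system, not proof of an infected file.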


#9 Irondy

Topic Starter

Posted 29 June 2018 - 05:22 AM

Hello,

 

No real problems.

I just wonder about the virus findings in that file.

And this is repeatable; on other Windows machines with the same virus scanner there is no detection.



#10 Elise

Bleepin' Blonde, Malware Study Hall Admin

Posted 29 June 2018 - 05:50 AM

To summarize, this detection happens when you run Sophos on Linux (but not on Windows), and only Sophos detects this? When the detection occurs, does it give you any additional information at all?


regards, Elise



#11 Irondy

Topic Starter

Posted 29 June 2018 - 09:17 AM

Yes this is correct.
Sophos shows a link to their database, but the info is not very helpful.

#12 Elise

Bleepin' Blonde, Malware Study Hall Admin

Posted 29 June 2018 - 09:22 AM

Any chance you can make a screenshot of the detection?


regards, Elise



#13 Elise

Bleepin' Blonde, Malware Study Hall Admin

Posted 13 July 2018 - 04:16 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise
