6 Indium

## Possible Malware

This is on my Windows 7 64 bit system.

Starting this morning, I get a popup in the notificaton area that  "Operation Failed" .  The contents of the noticification is: "Backup Validation task execution failed.  Description: Stage Description.  See operation log for details"

From what I can find this COULD be related to the Windows backup, however I don't have it turned on since I use Acronis True Image.

Looking at some system logs I also found refrence to "SASDIFSV" and "SASKUTIL"  which is apparently related to Super Antispyware, which I do not have.  I ran a full Malwarebytes scan (I have a paid version) and it did not find anything.  MSE scan did not find anything either.

I did find, doing a google search, that the SASDIFSV and SASKUTIL can be deleted from the registry.  I did a registry scan and found them in 3 places.  There was a 3rd SAS file but I don't remember what it was.  They were pointing to some garbage characters and then my hard drive\users\my name\appdata\local but I didn't find anything there.  With the garbage characters before the hard drive letter, it looks suspicious.  They are still being referenced in the Windows Event Log, as I've restarted the system after deleting the registry entries.

I generated a Hijack log with WinPatrol but I didn't see anything, but maybe I don't know what I was really looking for.

Worst case I can reformat and restore from my last Acronis full hard drive backup on 6/4.

I am not a Dell Employee

Dell forum member since 2002

Dell Inspiron 15 - 5577 Laptop

Home Built Desktop PC with ASUS ROG Z170, i7 6700K CPU

Windows 10 64 bit Pro and Windows 10 Insider Program Beta Versions. SSD drives. Cakewalk by BandLab and Studio One 4.1 Recordng Studio Software.

Dell S2719dgf Monitor

Member of Nashville based R.O.P.E.

1 Solution

Accepted Solutions
3 Zinc

## Re: Possible Malware

Since this issue appears to be resolved  the topic has been closed. Glad we could help.:emotion-21:

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.

[img]http://en.community.dell.com/cfs-file.ashx/__key/communityserver-components-userfiles/00-00-87-63-64-Attached+Files/0172.dellrsnew.jpg[/img]

15 Replies
3 Zinc

## Re: Possible Malware

Hi fireberd,

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE

** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE

• Double click on the icon to run it, Vista or Windows 7 users right click and select Run as Administartor. Make sure all other windows are closed and to let it run uninterrupted.
• In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
• Under the Custom Scan box paste this in
 CODE netsvcsdrivers32%SYSTEMDRIVE%\*.*%systemroot%\*. /mp /sCREATERESTOREPOINT%systemroot%\System32\config\*.savHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AUHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply

Kevin

[img]http://en.community.dell.com/cfs-file.ashx/__key/communityserver-components-userfiles/00-00-87-63-64-Attached+Files/0172.dellrsnew.jpg[/img]

6 Indium

## Re: Possible Malware

Kevin, I am one of the forum VIP's... (Jack)  I

I am not a Dell Employee

Dell forum member since 2002

Dell Inspiron 15 - 5577 Laptop

Home Built Desktop PC with ASUS ROG Z170, i7 6700K CPU

Windows 10 64 bit Pro and Windows 10 Insider Program Beta Versions. SSD drives. Cakewalk by BandLab and Studio One 4.1 Recordng Studio Software.

Dell S2719dgf Monitor

Member of Nashville based R.O.P.E.

6 Indium

## Re: Possible Malware

Data Deleted

I am not a Dell Employee

Dell forum member since 2002

Dell Inspiron 15 - 5577 Laptop

Home Built Desktop PC with ASUS ROG Z170, i7 6700K CPU

Windows 10 64 bit Pro and Windows 10 Insider Program Beta Versions. SSD drives. Cakewalk by BandLab and Studio One 4.1 Recordng Studio Software.

Dell S2719dgf Monitor

Member of Nashville based R.O.P.E.

3 Zinc

## Re: Possible Malware

Hiya Jack,

I do not see anything related to SuperantiSpyware in your logs. You also mention a reference to a backup failure,I do not see any entries for windows backup, there is a reference to Nero BackItUp Scheduler 4.0. This is currently disabled and stopped. Im not familiar with Nero as I do not use it, is it possibly scheduled as a windows task and that is the alert because the sheduler is off..

Bit of cleaning up but nothing malicious showing in the logs...

Re-Run by double left click, Vista and Widows 7 users right click and select Run as Administrator.
• Under the box at the bottom, paste in the following

• Then click button at the top
• Let the program run unhindered, reboot the PC when it is done

Next,

Uninstall Java(TM) 6 Update 3 via Start > Control Panel > Uninstall a program.

Next,

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version.
For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system.
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 26.

• Go to Sun Java
• Select Windows 7/XP/Vista/2000/2003/2008 If using 64 bit OS Select Information about the 64-bit Java plug-in and follow prompts
• Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.

Let me see the log from OTL, also tell me how your system is responding, are you still having the original issues?

Kevin

[img]http://en.community.dell.com/cfs-file.ashx/__key/communityserver-components-userfiles/00-00-87-63-64-Attached+Files/0172.dellrsnew.jpg[/img]

6 Indium

## Re: Possible Malware

The Nero has been there, disabled, for a long time.  It was part of the Nero software package, but as I noted I use Acronis True Image so all other backup program is disabled.  I need to uninstall Nero 8 as I'm up to Nero 10 and it must not have uninstalled that when V10 installed.

The backup errir message that I started getting today concerns me.  There was nothing changed yesterday, as far as programs, so it has to be some roque malware that is causing it. I did see a reference to "block level backup engine" in one of the Windows logs and that, according to what I can find belongs to the Windows backup, but as noted in my original post I do not have the Windows backup enabled or configured.

I do PC repair and when I get a client's PC in with Malware I can run Malwarebytes and it will fix it.  I ran a "full scan" with my Malwarebytes and nothing showed up.

If I can't find what it is, I'm going to restore using my last full hard Acronis drive back, from last week.  There is nothing since last week, except for some Recording studio work and I've already separately saved that to another internal hard drive.  I can restore and what will be lost, such as some e-mails are not an issue.

Jack

I am not a Dell Employee

Dell forum member since 2002

Dell Inspiron 15 - 5577 Laptop

Home Built Desktop PC with ASUS ROG Z170, i7 6700K CPU

Windows 10 64 bit Pro and Windows 10 Insider Program Beta Versions. SSD drives. Cakewalk by BandLab and Studio One 4.1 Recordng Studio Software.

Dell S2719dgf Monitor

Member of Nashville based R.O.P.E.

3 Zinc

## Re: Possible Malware

Have you carried the instructions as per my last reply? also complete the following:

• Double-click VEW.exe. to start, Vista and Windows 7 users Right Click and select "Run as Administrator"
• Under 'Select log to query...check the boxes for both Application and System.
• Under 'Select type to list... select both Error and Critical.
• Click the radio button for 'Number of events...Type 10 in the 1 to 20 box.
• Then click the Run button.
• Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.

If you intend to re-image please let me know.....

Kevin

[img]http://en.community.dell.com/cfs-file.ashx/__key/communityserver-components-userfiles/00-00-87-63-64-Attached+Files/0172.dellrsnew.jpg[/img]

6 Indium

## Re: Possible Malware

Deleted

I am not a Dell Employee

Dell forum member since 2002

Dell Inspiron 15 - 5577 Laptop

Home Built Desktop PC with ASUS ROG Z170, i7 6700K CPU

Windows 10 64 bit Pro and Windows 10 Insider Program Beta Versions. SSD drives. Cakewalk by BandLab and Studio One 4.1 Recordng Studio Software.

Dell S2719dgf Monitor

Member of Nashville based R.O.P.E.

6 Indium

## Re: Possible Malware

Deleted

I am not a Dell Employee

Dell forum member since 2002

Dell Inspiron 15 - 5577 Laptop

Home Built Desktop PC with ASUS ROG Z170, i7 6700K CPU

Windows 10 64 bit Pro and Windows 10 Insider Program Beta Versions. SSD drives. Cakewalk by BandLab and Studio One 4.1 Recordng Studio Software.

Dell S2719dgf Monitor

Member of Nashville based R.O.P.E.

3 Zinc