
Cannot access links in Outlook or other links


  • This topic is locked
17 replies to this topic

#1 russelllynn

russelllynn

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 PM

Posted 18 April 2013 - 07:52 PM

I ran the DDS and created the files. My computer said the files were already on the desktop but I couldn't see them. I wrote over them anyway but nothing appeared on my desktop. When I tried to Search for them nothing showed. Then, belatedly DDS came up again. Ran it again. Same thing, nothing on the desktop so I copied to a notebook and saved that.

Attached Files





#2 russelllynn

russelllynn
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 PM

Posted 18 April 2013 - 08:46 PM

Addendum to original complaint. Anytime I try to access a link the following appears.

"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."





#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:31 PM

Posted 21 April 2013 - 08:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Not sure if this will solve your problem but it's a similar situation.

http://www.msofficeforums.com/outlook/6609-outlook-2010-cant-access-hyperlinks-e-mails.html

Keep me posted.

#4 russelllynn

russelllynn
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 PM

Posted 22 April 2013 - 01:21 AM

Tried that but nothing has changed. I still have no access to links or Group Policy editor, System Restore has stopped working and MSC says that my Norton 360 is not working but Norton says it is.



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:31 PM

Posted 22 April 2013 - 08:29 AM

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.
Link 1 Bleepingcomputer
Link 2 RogueKiller (par Tigzy)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop, DO NOT ATTACH THE LOG.

#6 russelllynn

russelllynn
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 PM

Posted 22 April 2013 - 10:48 PM

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Dad [Admin rights]
Mode : Scan -- Date : 04/23/2013 15:42:03
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x826E07B3 -> HOOKED (Unknown @ 0x891BB6D0)
SSDT[14] : NtAlertThread @ 0x82659357 -> HOOKED (Unknown @ 0x891BB790)
SSDT[18] : NtAllocateVirtualMemory @ 0x826956AD -> HOOKED (Unknown @ 0x891C4E68)
SSDT[21] : NtAlpcConnectPort @ 0x826378A1 -> HOOKED (Unknown @ 0x88F488F0)
SSDT[42] : NtAssignProcessToJobObject @ 0x8260AB32 -> HOOKED (Unknown @ 0x891C5AD0)
SSDT[67] : NtCreateMutant @ 0x8266D9A3 -> HOOKED (Unknown @ 0x891BB480)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x8260D349 -> HOOKED (Unknown @ 0x891C57F0)
SSDT[78] : NtCreateThread @ 0x826DEDC8 -> HOOKED (Unknown @ 0x891C3CB8)
SSDT[116] : NtDebugActiveProcess @ 0x826B1F04 -> HOOKED (Unknown @ 0x891C5BB0)
SSDT[129] : NtDuplicateObject @ 0x82645581 -> HOOKED (Unknown @ 0x891C4FC0)
SSDT[147] : NtFreeVirtualMemory @ 0x824D1F6D -> HOOKED (Unknown @ 0x891A9710)
SSDT[156] : NtImpersonateAnonymousToken @ 0x82607F3F -> HOOKED (Unknown @ 0x891BB550)
SSDT[158] : NtImpersonateThread @ 0x8261D584 -> HOOKED (Unknown @ 0x891BB610)
SSDT[165] : NtLoadDriver @ 0x825B8E12 -> HOOKED (Unknown @ 0x88F90960)
SSDT[177] : NtMapViewOfSection @ 0x8265D99C -> HOOKED (Unknown @ 0x891A9630)
SSDT[184] : NtOpenEvent @ 0x82646DFF -> HOOKED (Unknown @ 0x89142750)
SSDT[194] : NtOpenProcess @ 0x8266E13F -> HOOKED (Unknown @ 0x891C3BA0)
SSDT[195] : NtOpenProcessToken @ 0x8264EA60 -> HOOKED (Unknown @ 0x891B1DA8)
SSDT[197] : NtOpenSection @ 0x8265E794 -> HOOKED (Unknown @ 0x891425D0)
SSDT[201] : NtOpenThread @ 0x8266963B -> HOOKED (Unknown @ 0x891C3AD0)
SSDT[210] : NtProtectVirtualMemory @ 0x826673F2 -> HOOKED (Unknown @ 0x891C59E0)
SSDT[282] : NtResumeThread @ 0x82668C5A -> HOOKED (Unknown @ 0x891C14C8)
SSDT[289] : NtSetContextThread @ 0x826E025F -> HOOKED (Unknown @ 0x891C1708)
SSDT[305] : NtSetInformationProcess @ 0x826619EE -> HOOKED (Unknown @ 0x891A94A0)
SSDT[317] : NtSetSystemInformation @ 0x82633F18 -> HOOKED (Unknown @ 0x891424C8)
SSDT[330] : NtSuspendProcess @ 0x826E06EF -> HOOKED (Unknown @ 0x89142690)
SSDT[331] : NtSuspendThread @ 0x825E7945 -> HOOKED (Unknown @ 0x891C1588)
SSDT[334] : NtTerminateProcess @ 0x8263E173 -> HOOKED (Unknown @ 0x891B1E68)
SSDT[335] : unknown @ 0x82669670 -> HOOKED (Unknown @ 0x891C1648)
SSDT[348] : NtUnmapViewOfSection @ 0x8265DC5F -> HOOKED (Unknown @ 0x891A9570)
SSDT[358] : NtWriteVirtualMemory @ 0x8265AA2F -> HOOKED (Unknown @ 0x891C4D50)
SSDT[382] : NtCreateThreadEx @ 0x82669125 -> HOOKED (Unknown @ 0x891C58E0)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x875426C8)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x87542478)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x875423B8)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x87542538)
S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x875425F8)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x87542148)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x875422E8)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x87542218)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x87540D18)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x87540DE8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 816a06090571d4de7636ddbf5ba0dbc5
[BSP] 12057a48bfcb19096e649d7dae6524ed : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 294304 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 602736640 | Size: 10936 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_04232013_02d1542.txt >>
RKreport[1]_S_04232013_02d1542.txt


 



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:31 PM

Posted 23 April 2013 - 07:56 AM

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these item below and uncheck the rest: (if found)

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


Now click Delete on the right hand column under Options

Post back the report which should be located on your desktop.
===

As for your Outlook problem, try this.

Open Set Program Access and Computer Defaults by clicking
Start button
clicking Default Programs
clicking Set program access and computer defaults.
Click Custom
select your browser and click OK

Source: http://www.geekstogo.com/forum/topic/287055-outlook-2010-wont-open-email-links/

How is it now?

#8 russelllynn

russelllynn
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 PM

Posted 23 April 2013 - 10:30 PM

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Dad [Admin rights]
Mode : Remove -- Date : 04/24/2013 15:25:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x826DA7B3 -> HOOKED (Unknown @ 0x891FC848)
SSDT[14] : NtAlertThread @ 0x82653357 -> HOOKED (Unknown @ 0x8920DCA8)
SSDT[18] : NtAllocateVirtualMemory @ 0x8268F6AD -> HOOKED (Unknown @ 0x892001B0)
SSDT[21] : NtAlpcConnectPort @ 0x826318A1 -> HOOKED (Unknown @ 0x89073B40)
SSDT[42] : NtAssignProcessToJobObject @ 0x82604B32 -> HOOKED (Unknown @ 0x89201960)
SSDT[67] : NtCreateMutant @ 0x826679A3 -> HOOKED (Unknown @ 0x891FC598)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x82607349 -> HOOKED (Unknown @ 0x89200AA8)
SSDT[78] : NtCreateThread @ 0x826D8DC8 -> HOOKED (Unknown @ 0x891DF9D0)
SSDT[116] : NtDebugActiveProcess @ 0x826ABF04 -> HOOKED (Unknown @ 0x89201A40)
SSDT[129] : NtDuplicateObject @ 0x8263F581 -> HOOKED (Unknown @ 0x891FC290)
SSDT[147] : NtFreeVirtualMemory @ 0x824CBF6D -> HOOKED (Unknown @ 0x891FD2F0)
SSDT[156] : NtImpersonateAnonymousToken @ 0x82601F3F -> HOOKED (Unknown @ 0x891FC688)
SSDT[158] : NtImpersonateThread @ 0x82617584 -> HOOKED (Unknown @ 0x891FC768)
SSDT[165] : NtLoadDriver @ 0x825B2E12 -> HOOKED (Unknown @ 0x89086F68)
SSDT[177] : NtMapViewOfSection @ 0x8265799C -> HOOKED (Unknown @ 0x891FD210)
SSDT[184] : NtOpenEvent @ 0x82640DFF -> HOOKED (Unknown @ 0x891FC4B8)
SSDT[194] : NtOpenProcess @ 0x8266813F -> HOOKED (Unknown @ 0x891FD008)
SSDT[195] : NtOpenProcessToken @ 0x82648A60 -> HOOKED (Unknown @ 0x891FC210)
SSDT[197] : NtOpenSection @ 0x82658794 -> HOOKED (Unknown @ 0x89201C68)
SSDT[201] : NtOpenThread @ 0x8266363B -> HOOKED (Unknown @ 0x891FD068)
SSDT[210] : NtProtectVirtualMemory @ 0x826613F2 -> HOOKED (Unknown @ 0x89201870)
SSDT[282] : NtResumeThread @ 0x82662C5A -> HOOKED (Unknown @ 0x8920DD88)
SSDT[289] : NtSetContextThread @ 0x826DA25F -> HOOKED (Unknown @ 0x891E2C58)
SSDT[305] : NtSetInformationProcess @ 0x8265B9EE -> HOOKED (Unknown @ 0x8920D740)
SSDT[317] : NtSetSystemInformation @ 0x8262DF18 -> HOOKED (Unknown @ 0x89201B20)
SSDT[330] : NtSuspendProcess @ 0x826DA6EF -> HOOKED (Unknown @ 0x891FC3D8)
SSDT[331] : NtSuspendThread @ 0x825E1945 -> HOOKED (Unknown @ 0x8920DE68)
SSDT[334] : NtTerminateProcess @ 0x82638173 -> HOOKED (Unknown @ 0x891E20F8)
SSDT[335] : unknown @ 0x82663670 -> HOOKED (Unknown @ 0x891E2B78)
SSDT[348] : NtUnmapViewOfSection @ 0x82657C5F -> HOOKED (Unknown @ 0x8920D830)
SSDT[358] : NtWriteVirtualMemory @ 0x82654A2F -> HOOKED (Unknown @ 0x891FF900)
SSDT[382] : NtCreateThreadEx @ 0x82663125 -> HOOKED (Unknown @ 0x89201770)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x87545A90)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x89258050)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x891753E8)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x891777C0)
S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x89258158)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x89175178)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x89175318)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x89175248)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x892582B0)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x89258928)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 816a06090571d4de7636ddbf5ba0dbc5
[BSP] 12057a48bfcb19096e649d7dae6524ed : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 294304 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 602736640 | Size: 10936 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_04242013_02d1525.txt >>
RKreport[1]_S_04242013_02d1523.txt ; RKreport[2]_D_04242013_02d1525.txt


I can access links after trying the fix about default browser. As you can see the RK didn't actually delete

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

it just replaced them.






#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:31 PM

Posted 24 April 2013 - 11:56 AM

I learn something every day.

http://www.vistax64.com/tutorials/222866-local-group-policy-editor-open.html

Sorry, but the Local Group Policy Editor is not available in the Vista Home Basic and Home Premium editions.

What is wrong with the access to your links?
Can you elaborate?

#10 russelllynn

russelllynn
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 PM

Posted 24 April 2013 - 10:39 PM

Yes, I didn't know that either. Suddenly my links are now working. But I have no System Restore. This worries me greatly. I fear my computer is compromised and there is little I can do about it. I also understand that unless I have a Faraday Cage my computer will be accessible to anyone who wishes to look at my content. So, how do I keep secure? Is Windows 8 a better program? Should I upgrade? I am a writer and recently discovered that some of my writing had been altered. Is this a taunt that they can get in and alter anything they like? I'm tempted to buy a word processor and stay offline.



#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:31 PM

Posted 25 April 2013 - 08:04 AM

Please download Farbar Service Scanner and run it on the computer with the issue.
Make sure the following options are checked:
[1] Windows Firewall
[2] System Restore
[3] Security Center/Action center
[4] Windows Update
[5] Windows Defender


Press Scan.
This will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

====

You can try this free office software. I use it.
http://www.openoffice.org/

Why Apache OpenOffice
http://www.openoffice.org/why/

#12 russelllynn

russelllynn
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 PM

Posted 25 April 2013 - 08:39 PM

Farbar Service Scanner Version: 14-04-2013
Ran by Russell (ATTENTION: The logged in user is not administrator) on 26-04-2013 at 13:32:48
Running from "C:\Users\Russell\Downloads"
Windows Vista ™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************



Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: ATTENTION!=====> Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****



#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:31 PM

Posted 26 April 2013 - 07:26 AM

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
Vista and Seven - http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/
===

Please download Vista.zip file from here: http://www.smartestc...y-network-keys/
Unzip the file to a temporary folder on your desktop.

These files will be extracted:
afd.reg
bit.reg
bfe.reg
mpssvc.reg
nsiproxy.reg
sdrsvc.reg
tdx.reg
wscsvc.reg
windefend.reg
wuauserv.reg

legacy_afd.reg
legacy_bfe.reg
Legacy_bit.reg
legacy_mpssvc.reg
legacy_nsiproxy.reg
legacy_sdrsvc.reg
legacy_tdx.reg
Legacy_windefend.reg
legacy_wscsvc.reg
legacy_wuauserv.reg

start_services.bat


Double-click each one of the following .reg files

sdrsvc.reg
legacy_sdrsvc.reg


in turn and click Yes to add it to the Registry.
Allow registry merge.

When the 2 files have been executed, restart the computer normally.

If the Restore is not available run the Farbar tool again and post a fresh log.
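
Added example, not code posted by anyone in this thread: a PowerShell check that reads the same policy values, hidden-icon entries, firewall setting and System Restore services that the RogueKiller and Farbar Service Scanner reports above flagged, so the repair can be re-verified after the reboot. The full registry paths are assumed to be the standard Windows locations that RogueKiller abbreviates as `[...]`, and the function name Test-ThreadFindings is made up for this example.

```powershell
# Added example (not from this thread). Run from an elevated PowerShell prompt:
# the first FSS log above was taken by a non-administrator account.
# Assumption: the "[...]" RogueKiller prints stands for the standard
# Windows policy and Explorer locations used below.

function Test-ThreadFindings {
    $findings = @()

    # 1. Policies that lock Task Manager and Registry Editor. The value being
    #    present at all is unusual on a home PC; 1 means the restriction is active.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $v) {
                $state = if ($v -eq 1) { 'ACTIVE' } else { 'present but not enforced' }
                $findings += "[HJPOL] $hive Policies\System : $name = $v ($state)"
            }
        }
    }

    # 2. Desktop icons hidden via HideDesktopIcons. 1 = hidden, 0 = shown, so the
    #    "REPLACED (0)" in the second RogueKiller report is a real fix: an absent
    #    value and a value of 0 both leave the icon visible.
    $hide = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
    $icons = @{
        '{59031a47-3f72-44a7-89c5-5595fe6b30ee}' = "user's files folder"
        '{20D04FE0-3AEA-1069-A2D8-08002B30309D}' = 'Computer'
    }
    foreach ($clsid in $icons.Keys) {
        $v = (Get-ItemProperty -Path $hide -Name $clsid -ErrorAction SilentlyContinue).$clsid
        if ($v -eq 1) { $findings += "[HJ DESK] $($icons[$clsid]) icon hidden ($clsid = 1)" }
    }

    # 3. Firewall state for the standard profile (the key FSS printed). A third
    #    party suite such as the Norton 360 mentioned in this thread may set this
    #    legitimately, so confirm which firewall is active before changing it.
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $ef = (Get-ItemProperty -Path $fw -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($ef -eq 0) { $findings += '[FIREWALL] EnableFirewall = 0 (Windows Firewall off for StandardProfile)' }

    # 4. The System Restore services. SDRSVC and VSS are demand-start, so "not
    #    running" alone is normal; a missing service, a Disabled start type, or the
    #    missing LEGACY_SDRSVC enum key that FSS flagged is what breaks restore points.
    foreach ($svc in 'SDRSVC', 'VSS') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) {
            $findings += "[SERVICE] $svc is not installed"
            continue
        }
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$svc'").StartMode
        if ($mode -eq 'Disabled') { $findings += "[SERVICE] $svc start type is Disabled" }
    }
    if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDRSVC\0000')) {
        $findings += '[SERVICE] LEGACY_SDRSVC\0000 enum key is missing'
    }

    if ($findings.Count -eq 0) { 'No findings: all items checked are in their normal state.' }
    else { $findings }
}

Test-ThreadFindings
```
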

#14 russelllynn

russelllynn
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 PM

Posted 27 April 2013 - 05:05 AM

Tried this. Unable to register legacy_sdrsvc.reg but sdrsvc.reg seemed to register. System Restore was unable to create restore point due to transient problem???

This is a new scan off Farbar.


Farbar Service Scanner Version: 14-04-2013
Ran by Dad (administrator) on 27-04-2013 at 21:54:02
Running from "C:\Users\Dad\Downloads"
Windows Vista ™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-14 21:56] - [2013-01-04 23:28] - 0914792 ____A (Microsoft Corporation) 3535CD93F944C00F098E73E12EE7FEB6

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

 

I don't know? This is driving me nuts.



#15 russelllynn

russelllynn
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 PM

Posted 27 April 2013 - 05:08 AM

The log of Farbar saves in Windows Visual Basic 2005





