
Am i infected ? Again ?


18 replies to this topic

#1 bluedough


  • Members
  • 15 posts
  • Gender:Not Telling

Posted 07 May 2015 - 05:45 AM

Hi everyone, I am posting this in need of help to confirm whether I am hacked or infected again, and to ask for help cleaning it out if I am.

 

Situation/Problem :

I just finished re-formatting my PC / SSD / Win 7 64-bit SP1, as I have posted here. The moment I connected to the internet, I downloaded all the Win 7 updates, the GeForce driver for my GPU, the Emsisoft Internet Security trial and the Malwarebytes trial. Then I ran a full scan on my PC using both Malwarebytes and Emsisoft, getting all clear. That was all I did.

 

After a few minutes, this is what started to happen:

 

Emsisoft started detecting and blocking a few files or programs from connecting; the behaviour blocker gave the reason as Behaviour Hidden Installation (mrtstub.exe), a few others were trojan downloader and backdoor/install (Ienrcode.exe), and I was getting rapid multiple connection attempts to:

a ) afx8.net

b ) ad.turn.com

c ) d.turn.com

d ) jumptap.com

e ) pixel.sitescout.com

 

Most are blocked by Emsisoft.

 

So I googled afx8.net to check out some info on it. The moment I clicked on one of the results, my Internet Explorer suddenly closed and won't start again. I tried a full scan with Emsisoft, getting all clear results. The Malwarebytes scan, however, failed to finish, and Malwarebytes won't start again. My PC became very slow, and the network tab in Task Manager showed near-full networking activity, as if I were doing heavy downloading.

 

I have screenshots of the full listing from the Emsisoft blocked list, but I do not know how to upload them onto this post.

 

What I have done so far:

 

I read some posts and decided to scan with some of the scan logging programs frequently used by helpers here.

 

I have done scans with SecurityCheck, FSS and MiniToolbox (connected to the internet in normal mode on a standard user account),

 

a Malwarebytes full scan (in safe mode, no network, no result), Malwarebytes Anti-Rootkit (in safe mode, no network, no result) and RKill (the iexplore-renamed version, done in safe mode with no network).

 

These are the logs.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Security Check

 

 Results of screen317's Security Check version 1.001  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
Emsisoft Internet Security      
Microsoft Security Essentials   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 13% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Farbar Service Scanner Version: 17-01-2015
Ran by Front (ATTENTION: The logged in user is not administrator) on 07-05-2015 at 00:03:31
Running from "C:\Personal"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Google.com is unreachable
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

MiniToolBox by Farbar  Version: 14-04-2015
Ran by Front (ATTENTION: The logged in user is not administrator) on 07-05-2015 at 00:07:49
Running from "C:\Personal"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: System Product Name Manufacturer: System manufacturer
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================



========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Surfer-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.name

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : domain.name
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 20-CF-30-E4-69-AB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, May 06, 2015 11:40:20 PM
   Lease Expires . . . . . . . . . . : Thursday, May 07, 2015 2:40:18 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.domain.name:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : domain.name
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:ca47:63c2:28a0:59b:3f57:fefd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::28a0:59b:3f57:fefd%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  UnKnown
Address:  192.168.1.1

Name:    google.com.domain.name
Address:  127.0.0.1


Pinging google.com [216.58.196.46] with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 216.58.196.46:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Server:  UnKnown
Address:  192.168.1.1

Name:    yahoo.com.domain.name
Address:  127.0.0.1


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
General failure.
Request timed out.

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 11...20 cf 30 e4 69 ab ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.2    276
      192.168.1.2  255.255.255.255         On-link       192.168.1.2    276
    192.168.1.255  255.255.255.255         On-link       192.168.1.2    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.2    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.2    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 13     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 13     58 2001::/32                On-link
 13    306 2001:0:ca47:63c2:28a0:59b:3f57:fefd/128
                                    On-link
 13    306 fe80::/64                On-link
 13    306 fe80::28a0:59b:3f57:fefd/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/06/2015 11:41:33 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/06/2015 11:25:47 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile: System.IdentityModel.Selectors, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 . Error code = 0x80070005

Error: (05/06/2015 11:15:18 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/06/2015 10:46:27 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/06/2015 09:40:18 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/06/2015 09:39:06 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Failed to execute command from the offline queue: uninstall "mscorlib, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=amd64" /NoDependencies .  The error returned was Error: The specified assembly is not installed.
.

Error: (05/06/2015 07:41:38 AM) (Source: Application Error) (User: )
Description: Faulting application name: mscorsvw.exe, version: 2.0.50727.4927, time stamp: 0x4a2746a1
Faulting module name: mscorwks.dll, version: 2.0.50727.5420, time stamp: 0x4ca2b7e1
Exception code: 0x80131506
Fault offset: 0x00000000004b0dd2
Faulting process id: 0x%9
Faulting application start time: 0xmscorsvw.exe0
Faulting application path: mscorsvw.exe1
Faulting module path: mscorsvw.exe2
Report Id: mscorsvw.exe3

Error: (05/06/2015 07:41:38 AM) (Source: .NET Runtime) (User: )
Description: .NET Runtime version 2.0.50727.5420 - Fatal Execution Engine Error (000007FEF21F0DD2) (80131506)

Error: (05/06/2015 01:56:20 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/06/2015 01:51:45 AM) (Source: Application Error) (User: )
Description: Faulting application name: CtHdaSvc.exe, version: 6.0.100.1015, time stamp: 0x4eb38d61
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x748e7270
Faulting process id: 0x50c
Faulting application start time: 0xCtHdaSvc.exe0
Faulting application path: CtHdaSvc.exe1
Faulting module path: CtHdaSvc.exe2
Report Id: CtHdaSvc.exe3


System errors:
=============
Error: (05/06/2015 11:50:04 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
%%5

Error: (05/06/2015 11:40:23 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
%%5

Error: (05/06/2015 11:40:23 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

    Feature: %%886

    Error Code: 0x80070005

    Error description: Access is denied.

    Reason: %%892

Error: (05/06/2015 11:23:48 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
%%5

Error: (05/06/2015 11:14:01 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
%%5

Error: (05/06/2015 11:14:01 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

    Feature: %%886

    Error Code: 0x80070005

    Error description: Access is denied.

    Reason: %%892

Error: (05/06/2015 09:48:52 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
%%5

Error: (05/06/2015 02:04:55 AM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
%%5

Error: (05/06/2015 01:55:56 AM) (Source: Service Control Manager) (User: )
Description: The Windows Modules Installer service terminated with the following error:
%%16405

Error: (05/06/2015 01:51:46 AM) (Source: Service Control Manager) (User: )
Description: The SB Recon3D Service service terminated unexpectedly.  It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (05/06/2015 11:41:33 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/06/2015 11:25:47 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile: System.IdentityModel.Selectors, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 . Error code = 0x80070005
System.IdentityModel.Selectors, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Error: (05/06/2015 11:15:18 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/06/2015 10:46:27 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/06/2015 09:40:18 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/06/2015 09:39:06 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Failed to execute command from the offline queue: uninstall "mscorlib, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=amd64" /NoDependencies .  The error returned was Error: The specified assembly is not installed.
.

Error: (05/06/2015 07:41:38 AM) (Source: Application Error)(User: )
Description: mscorsvw.exe2.0.50727.49274a2746a1mscorwks.dll2.0.50727.54204ca2b7e18013150600000000004b0dd2

Error: (05/06/2015 07:41:38 AM) (Source: .NET Runtime)(User: )
Description: .NET Runtime version 2.0.50727.5420 - Fatal Execution Engine Error (000007FEF21F0DD2) (80131506)

Error: (05/06/2015 01:56:20 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/06/2015 01:51:45 AM) (Source: Application Error)(User: )
Description: CtHdaSvc.exe6.0.100.10154eb38d61unknown0.0.0.000000000c0000005748e727050c01d087309d039ea3C:\Windows\sysWow64\CtHdaSvc.exeunknown64e18a2b-f34f-11e4-a37f-20cf30e469ab



=========================== Installed Programs ============================
AMD USB Filter Driver (x32 Version: 1.0.15.94 - Advanced Micro Devices, Inc.) Hidden
ATI Catalyst Install Manager (HKLM\...\{64555D45-1F57-BF1D-1A5E-BFD4C8C0ADB4}) (Version: 3.0.765.0 - ATI Technologies, Inc.)
Dolby Digital Live Pack (HKLM-x32\...\Dolby Digital Live Pack) (Version: 3.03 - Creative Technology Limited)
Emsisoft Internet Security (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft Ltd.)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.7.0205.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.7.205.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 37.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 37.0.2 (x86 en-US)) (Version: 37.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 37.0.2 - Mozilla)
NVIDIA 3D Vision Controller Driver 349.95 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 349.95 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 350.12 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 350.12 - NVIDIA Corporation)
NVIDIA Control Panel 350.12 (Version: 350.12 - NVIDIA Corporation) Hidden
NVIDIA Graphics Driver 350.12 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 350.12 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.33.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.33.0 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.175.1449 - NVIDIA Corporation) Hidden
NVIDIA PhysX System Software 9.15.0324 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0324 - NVIDIA Corporation)
NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.12.6514 - NVIDIA Corporation) Hidden
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.21.531.2010 - Realtek)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.4.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.4.0 - Renesas Electronics Corporation) Hidden
Sound Blaster Recon3D PCIe (HKLM-x32\...\{91923599-1A3C-4EEE-B70C-8B309269DEF7}) (Version: 1.00.07 - Creative Technology Limited)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 16%
Total physical RAM: 16382.18 MB
Available physical RAM: 13729.05 MB
Total Pagefile: 32762.55 MB
Available Pagefile: 29431.68 MB
Total Virtual: 4095.88 MB
Available Virtual: 3984.7 MB

========================= Partitions: =====================================

1 Drive c: (Eternal) (Fixed) (Total:223.57 GB) (Free:171.79 GB) NTFS

========================= Users: ========================================

User accounts for \\SURFER-PC

Administrator            Front                    Guest                    
Surfer                   

========================= Restore Points ==================================


**** End of log ****

 

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Malwarebytes Anti-Malware
www.malwarebytes.org


Update, 5/7/2015 12:45:39 AM, SYSTEM, SURFER-PC, Manual, Failed, Unable to access update server,
Scan, 5/7/2015 12:49:06 AM, SYSTEM, SURFER-PC, Manual, Start:5/7/2015 12:45:39 AM, Duration:3 min 26 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,

(end)

 

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/07/2015 07:19:50 AM in x64 mode. (Safe Mode)
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * Base Filtering Engine (BFE) is not Running.
   Startup Type set to: Automatic

 * DHCP Client (Dhcp) is not Running.
   Startup Type set to: Automatic

 * DNS Client (Dnscache) is not Running.
   Startup Type set to: Automatic

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic

 * Windows Firewall (MpsSvc) is not Running.
   Startup Type set to: Automatic

 * Network Connections (Netman) is not Running.
   Startup Type set to: Manual

 * Network Store Interface Service (nsi) is not Running.
   Startup Type set to: Automatic

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Ancillary Function Driver for Winsock (AFD) is not Running.
   Startup Type set to: System

 * Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual

 * NetBT (NetBT) is not Running.
   Startup Type set to: System

 * NSI proxy service driver. (nsiproxy) is not Running.
   Startup Type set to: System

 * NetIO Legacy TDI Support Driver (tdx) is not Running.
   Startup Type set to: System

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 05/07/2015 07:19:55 AM
Execution time: 0 hours(s), 0 minute(s), and 4 seconds(s)

 

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Please help if anything is wrong. If there is anything else I need to do, please tell me how to do it: whether on the admin or the standard Windows user account, whether to do it offline or online, and finally in normal mode or safe mode. At the moment I have the problem PC turned off and offline until further posts or instructions from here. Thank you.
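As an added example (not code from the poster, from BleepingComputer, or from any of the tools named above), here is a small Python triage script that scans pasted FSS, MiniToolBox and Rkill output for the conditions visible in the logs in this post: a public name resolving to a loopback address, Windows Defender disabled by policy, a service whose start type differs from its default, auto-start services that are stopped, and processes Rkill terminated. The sample log is constructed from lines in this post; the regexes and the `Finding` type are my own assumptions, not part of those tools.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the FSS, MiniToolBox (nslookup) and
# Rkill logs pasted in the post, trimmed to the parts the checks look at.
SAMPLE_LOG = r"""
Localhost is accessible.
LAN connected.
Attempt to access Google.com returned error: Google.com is unreachable
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Server:  UnKnown
Address:  192.168.1.1

Name:    google.com.domain.name
Address:  127.0.0.1
 * DNS Client (Dnscache) is not Running.
   Startup Type set to: Automatic
 * Network Connections (Netman) is not Running.
   Startup Type set to: Manual
 * C:\Windows\DAODx.exe (PID: 3208) [WD-HEUR]
"""


@dataclass(frozen=True)
class Finding:
    check: str   # connectivity | dns | policy | service | process
    detail: str


# Assumed line shapes, derived only from the log excerpts in this post.
UNREACHABLE_RE = re.compile(r"^Attempt to access (.+?) returned error", re.M)
NSLOOKUP_RE = re.compile(r"^Name:\s+(\S+)\s*\nAddress:\s+(\S+)", re.M)
FSS_START_RE = re.compile(
    r"^The start type of (\w+) service is set to (\w+)\. "
    r"The default start type is (\w+)\.", re.M)
RKILL_SVC_RE = re.compile(
    r"^\s*\*\s+(.+?)\s+\((\w+)\) is not Running\.\s*\n"
    r"\s*Startup Type set to:\s+(.+)$", re.M)
RKILL_PROC_RE = re.compile(r"^\s*\*\s+(\S+) \(PID: (\d+)\) \[([^\]]+)\]", re.M)


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def triage(text: str) -> list[Finding]:
    """Return the suspicious conditions found in pasted FSS/MiniToolBox/Rkill output."""
    findings: list[Finding] = []
    for host in UNREACHABLE_RE.findall(text):
        findings.append(Finding("connectivity", f"{host} unreachable while LAN is up"))
    for name, addr in NSLOOKUP_RE.findall(text):
        # A public name answering with a loopback address points at tampered
        # resolution (hosts file, DNS search-suffix tricks, or a rogue resolver).
        if _is_loopback(addr):
            findings.append(Finding("dns", f"{name} resolves to loopback {addr}"))
    if '"DisableAntiSpyware"=DWORD:1' in text:
        findings.append(Finding("policy", "Windows Defender disabled by DisableAntiSpyware policy"))
    for svc, current, default in FSS_START_RE.findall(text):
        if current.lower() != default.lower():
            findings.append(Finding("service", f"{svc} start type is {current}, default is {default}"))
    for name, short, startup in RKILL_SVC_RE.findall(text):
        # Services that should start automatically (or at boot) but are stopped
        # are the first thing a cleanup has to restore; Manual ones are normal.
        if startup.startswith("Automatic") or startup == "System":
            findings.append(Finding("service", f"{name} ({short}) not running, startup {startup}"))
    for path, pid, tag in RKILL_PROC_RE.findall(text):
        findings.append(Finding("process", f"Rkill terminated {path} (PID {pid}, {tag})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.check}] {f.detail}")
```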

 

 

 

 

 




 


#2 bluedough

  • Topic Starter

  • Members
  • 15 posts
  • Gender:Not Telling

Posted 07 May 2015 - 12:00 PM

Thank you for checking and replying to my post. Yeah, I have made quite a lot of changes in the EIS settings, like upping some of its security setups. Yes, I am a bit paranoid from previous experience lol.

 

1) Is there a possibility that EIS is also turning off Malwarebytes when I'm using MB to scan the PC?

 

2) Should I trial EAM instead, for more flexibility than EIS?

 

3) This part from FSS worries me; it doesn't mean I am being rerouted to a hacker's server or something?

 

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Google.com is unreachable
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================

---------------------------------------------------------------------------

And finally, this log from Rkill, run in normal boot with a standard user account.

 

Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/08/2015 12:18:23 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\DAODx.exe (PID: 3208) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 05/08/2015 12:19:15 AM
Execution time: 0 hours(s), 0 minute(s), and 51 seconds(s)
 



#3 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:02:02 AM

Posted 07 May 2015 - 12:54 PM

Hi there,

1) Emsisoft and Malwarebytes do not interfere with each other - they play with each other as well as one can get. :)

2) The only difference between EAM and EIS is that EIS has a firewall - so if you have a router or hardware firewall then I recommend using EAM instead. Otherwise there is no base difference - both are easy to use and flexible :)

3) That part from Farbar Service Scanner just means that your computer cannot connect to those webpages - which usually indicates that there is no Internet connection.

4) Judging from the Emsisoft detections I'd say that they are caused by your settings.

Can you check the settings of Paranoid Mode (Protection => Behavior Blocker) and Privacy Risks (Protection => Surf Protection)?

When does the slowness occur? In Normal Mode or Safe Mode?

If you can answer my questions, it would help to shed some light on things.

Regards,
Alex

#4 bluedough (Topic Starter)

Posted 07 May 2015 - 01:46 PM

Hi again :) ,

1 )

    3) That part from Farbar Service Scanner just means that your computer cannot connect to those webpages - which usually indicates that there is no Internet connection.

The FSS scan was done while connected to the internet; as a matter of fact, I was on www.yahoo.com and ( https://www.google.com/?gws_rd=ssl ) just now while doing the 2nd scan, which also gave the same log readings. My concern is possible router hacking or something like that, though I did reset my router when I formatted my SSD, nor do I have much knowledge to know if a hack can survive through a reset or persist again. Can that be checked?

2 ) As for Emsisoft settings, I think I might have messed up the settings to be too high. Paranoid mode is on (I turned it on). Privacy Risks is at Block and Notify (not sure if it's default or I turned it on). I might have messed up the firewall settings, from the looks of it; all the rules are set to blocking :lmao: .

3 ) The slowness occurs when I am in normal mode. The safe mode was with no networking. All the scans were done in normal mode and connected to the internet at the time they were done, except the 1st Rkill, MB scan and MBR scan.


Edited by bluedough, 07 May 2015 - 02:01 PM.


#5 bluedough (Topic Starter)

Posted 07 May 2015 - 02:25 PM

Finally I found the way to export the Emsisoft logs :lol: .

Logs - Behaviour Blocker:

 

Emsisoft Internet Security - Version 9.0
BB log

Date    PID    Application    Event    Detection    
5/8/2015 3:02:12 AM    280    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed by rule    Behavior.Spyware    
5/8/2015 3:02:05 AM    280    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed by rule    Behavior.TrojanDownloader    
5/8/2015 2:34:58 AM    2928    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed by rule    Behavior.CodeInjector    
5/8/2015 2:34:43 AM    2928    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed by rule    Behavior.Spyware    
5/8/2015 2:34:37 AM    2928    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed by rule    Behavior.TrojanDownloader    
5/8/2015 2:28:18 AM    1124    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed by rule    Behavior.CodeInjector    
5/8/2015 2:28:04 AM    1124    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed by rule    Behavior.Spyware    
5/8/2015 2:27:56 AM    0    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    App rule modified        
5/8/2015 2:27:56 AM    1124    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed always by user    Behavior.TrojanDownloader    
5/8/2015 2:15:39 AM    3272    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed by rule    Behavior.CodeInjector    
5/8/2015 12:54:13 AM    3272    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed once by user    Behavior.TrojanDownloader    
5/8/2015 12:54:06 AM    0    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    App rule modified        
5/8/2015 12:54:06 AM    3272    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed always by user    Behavior.Spyware    
5/8/2015 12:32:07 AM    0    C:\Windows\SysWOW64\nslookup.exe    App rule modified        
5/8/2015 12:30:31 AM    0    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    App rule modified        
5/8/2015 12:30:31 AM    2696    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed always by user    Behavior.CodeInjector    
5/8/2015 12:26:00 AM    0    C:\Personal\iExplore64.exe    App rule deleted        
5/8/2015 12:25:59 AM    0    C:\Users\Surfer\Desktop\mbar\mbar.exe    App rule deleted        
5/8/2015 12:15:57 AM    3112    C:\Personal\iExplore64.exe    Allowed by rule    Behavior.CodeInjector    
5/7/2015 12:30:56 AM    2332    C:\Personal\iExplore64.exe    Allowed by rule    Behavior.CodeInjector    
5/7/2015 12:29:34 AM    0    C:\Personal\iExplore64.exe    App rule added        
5/7/2015 12:29:34 AM    3528    C:\Personal\iExplore64.exe    Allowed always by user    Behavior.CodeInjector    
5/7/2015 12:28:02 AM    0    C:\Windows\SysWOW64\rundll32.exe    App rule modified        
5/7/2015 12:28:02 AM    2656    C:\Windows\SysWOW64\rundll32.exe    Allowed always by user    Behavior.CodeInjector    
5/7/2015 12:27:36 AM    2656    C:\Windows\SysWOW64\rundll32.exe    Allowed once by user    Behavior.ServiceInstallation    
5/7/2015 12:27:21 AM    0    C:\Windows\SysWOW64\rundll32.exe    App rule added        
5/7/2015 12:27:18 AM    0    C:\Users\Surfer\Desktop\mbar\mbar.exe    App rule modified        
5/7/2015 12:27:18 AM    2036    C:\Users\Surfer\Desktop\mbar\mbar.exe    Allowed always by user    Behavior.CodeInjector    
5/7/2015 12:26:53 AM    2036    C:\Users\Surfer\Desktop\mbar\mbar.exe    Allowed once by user    Behavior.ServiceInstallation    
5/7/2015 12:26:49 AM    0    C:\Users\Surfer\Desktop\mbar\mbar.exe    App rule modified        
5/7/2015 12:25:59 AM    0    C:\Users\Surfer\Desktop\mbar\mbar.exe    App rule added        
5/7/2015 12:18:18 AM    4060    C:\Program Files (x86)\Mozilla Firefox\firefox.exe    Allowed once by user    Behavior.Spyware    
5/7/2015 12:16:01 AM    1032    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed once by user    Behavior.CodeInjector    
5/7/2015 12:12:28 AM    2928    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed once by user    Behavior.CodeInjector    
5/7/2015 12:08:37 AM    2244    C:\Windows\SysWOW64\nslookup.exe    Allowed once by user    Behavior.Spyware    
5/7/2015 12:08:08 AM    0    C:\Windows\SysWOW64\nslookup.exe    App rule added        
5/7/2015 12:04:00 AM    2928    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed once by user    Behavior.TrojanDownloader    
5/7/2015 12:01:43 AM    0    C:\Personal\FRST64.exe    App rule added        
5/7/2015 12:00:00 AM    3828    C:\Personal\MB Log\SecurityCheck.exe    Allowed once by user    Behavior.CodeInjector    
5/6/2015 11:54:33 PM    3904    C:\Users\Front\Downloads\SecurityCheck.exe    Allowed once by user    Behavior.CodeInjector    
5/6/2015 11:43:23 PM    3652    C:\Program Files\Internet Explorer\iexplore.exe    Allowed once by user    Behavior.CodeInjector    
5/6/2015 11:43:13 PM    0    C:\Program Files\Internet Explorer\iexplore.exe    App rule modified        
5/6/2015 11:42:49 PM    0    C:\84aa4537e64846ba26339e6b35\Setup.exe    App rule deleted        
5/6/2015 11:28:48 PM    4356    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvstlink.exe    Allowed once by user    Behavior.AutorunCreation    
5/6/2015 11:28:29 PM    1112    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe    Allowed once by user    Behavior.ServiceInstallation    
5/6/2015 11:27:54 PM    2184    C:\temp\NVIDIA\ControlPanelInstallerTemp\setup.exe    Allowed once by user    Behavior.ServiceInstallation    
5/6/2015 11:27:40 PM    2184    C:\temp\NVIDIA\ControlPanelInstallerTemp\setup.exe    Allowed once by user    Behavior.HiddenInstallation    
5/6/2015 11:26:47 PM    3100    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe    Allowed once by user    Behavior.HiddenInstallation    
5/6/2015 11:26:42 PM    392    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe    Allowed once by user    Behavior.HiddenInstallation    
5/6/2015 11:25:50 PM    0    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe    App rule added        
5/6/2015 11:24:40 PM    4012    C:\Program Files\Internet Explorer\iexplore.exe    Allowed once by user    Behavior.CodeInjector    
5/6/2015 11:22:56 PM    3604    C:\84aa4537e64846ba26339e6b35\Setup.exe    Allowed once by user    Behavior.HiddenInstallation    
5/6/2015 11:20:39 PM    0    C:\84aa4537e64846ba26339e6b35\Setup.exe    App rule added        
5/6/2015 11:20:01 PM    0    C:\NVIDIA\DisplayDriver\350.12\Win8_WinVista_Win7_64\International\setup.exe    App rule added        
5/6/2015 11:19:10 PM    4012    C:\Program Files\Internet Explorer\iexplore.exe    Allowed once by user    Behavior.CodeInjector    
5/6/2015 11:19:02 PM    4012    C:\Program Files\Internet Explorer\iexplore.exe    Blocked once by user    Behavior.CodeInjector    
5/6/2015 11:18:21 PM    0    C:\Program Files\Internet Explorer\iexplore.exe    App rule modified        
5/6/2015 11:17:48 PM    2412    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Blocked once by user    Behavior.Spyware    
5/6/2015 11:14:23 PM    2884    C:\Program Files\Internet Explorer\iexplore.exe    Blocked by rule    Behavior.CodeInjector    
5/6/2015 11:14:23 PM    2884    C:\Program Files\Internet Explorer\iexplore.exe    Blocked by rule    Behavior.CodeInjector    
5/6/2015 11:12:23 PM    536    C:\Program Files\Internet Explorer\iexplore.exe    Blocked by rule    Behavior.CodeInjector    
5/6/2015 11:12:23 PM    536    C:\Program Files\Internet Explorer\iexplore.exe    Blocked by rule    Behavior.CodeInjector    
5/6/2015 11:12:10 PM    0    C:\Program Files (x86)\Mozilla Firefox\firefox.exe    App rule added        
5/6/2015 11:11:57 PM    5072    C:\Program Files\Internet Explorer\iexplore.exe    Blocked by rule    Behavior.CodeInjector    
5/6/2015 11:11:57 PM    5072    C:\Program Files\Internet Explorer\iexplore.exe    Blocked by rule    Behavior.CodeInjector    
5/6/2015 11:09:50 PM    0    C:\Program Files\Internet Explorer\iexplore.exe    App rule modified        
5/6/2015 11:08:35 PM    0    C:\Program Files\Microsoft Security Client\MsMpEng.exe    App rule modified        
5/6/2015 11:08:35 PM    0    C:\Users\Front\AppData\Local\Temp\7zS2C4D.tmp\setup-stub.exe    App rule deleted        
5/6/2015 10:57:55 PM    0    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe    App rule modified        
5/6/2015 10:57:52 PM    0    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe    App rule modified        
5/6/2015 10:55:32 PM    3044    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed once by user    Behavior.CodeInjector    
5/6/2015 10:54:29 PM    3044    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed once by user    Behavior.TrojanDownloader    
5/6/2015 10:53:08 PM    0    C:\Users\Front\AppData\Local\Temp\7zS2C4D.tmp\setup-stub.exe    App rule added        
5/6/2015 10:46:08 PM    3820    C:\Program Files\Internet Explorer\iexplore.exe    Allowed once by user    Behavior.CodeInjector    
5/6/2015 10:40:11 PM    4056    C:\Users\Front\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGZA32LW\SecurityCheck.exe    Allowed once by user    Behavior.CodeInjector    
5/6/2015 10:29:38 PM    2176    C:\e4b5d1ddb7ae275a323760f0a1\    Quarantined by user    Behavior.HiddenInstallation    
5/6/2015 10:14:02 PM    2616    C:\Program Files\Internet Explorer\iexplore.exe    Allowed once by user    Behavior.BrowserSettingsChange    
5/6/2015 10:13:26 PM    0    C:\Program Files\Internet Explorer\iexplore.exe    App rule added        
5/6/2015 10:13:26 PM    0    C:\Program Files (x86)\Internet Explorer\iexplore.exe    App rule modified        
5/6/2015 9:56:57 PM    0    C:\Windows\Temp\IE1BFF9.tmp\IE11-support\ienrcore.exe    App rule modified        
5/6/2015 2:54:46 AM    3032    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    Allowed once by user    Behavior.CodeInjector    
5/6/2015 1:44:42 AM    4368    C:\Windows\Temp\IE1BFF9.tmp\IE11-support\ienrcore.exe    Allowed once by user    Behavior.CodeInjector    
5/6/2015 1:35:33 AM    3796    C:\Windows\Temp\IE1BFF9.tmp\IE11-support\ienrcore.exe    Allowed once by user    Behavior.TrojanDownloader    
5/6/2015 1:33:51 AM    3632    C:\Windows\Temp\IE1BFF9.tmp\IE11-support\ienrcore.exe    Allowed once by user    Behavior.TrojanDownloader    
5/6/2015 1:33:51 AM    0    C:\Windows\Temp\IE1BFF9.tmp\IE11-support\ienrcore.exe    App rule added        
5/6/2015 1:05:44 AM    4492    C:\e0bbb10aa4e861157a\mrtstub.exe    Quarantined by user    Behavior.HiddenInstallation    
5/6/2015 1:04:21 AM    0    C:\Program Files\Microsoft Security Client\MsMpEng.exe    App rule modified        
5/6/2015 12:57:14 AM    0    C:\Program Files\Microsoft Security Client\MsMpEng.exe    App rule added        
5/6/2015 12:56:46 AM    0    C:\Personal\Malwarebytes Anti-Malware\mbam.exe    App rule added        
5/6/2015 12:14:46 AM    0    C:\Program Files (x86)\Internet Explorer\iexplore.exe    App rule added        
5/6/2015 12:13:16 AM    0    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe    App rule added        
5/6/2015 12:13:16 AM    0    C:\Windows\system32\msiexec.exe    App rule added        
5/6/2015 12:13:16 AM    0    C:\Windows\SysWow64\perfhost.exe    App rule added        
5/6/2015 12:13:16 AM    0    C:\Windows\servicing\TrustedInstaller.exe    App rule added        
5/6/2015 12:13:16 AM    0    C:\Windows\system32\SearchIndexer.exe    App rule added        
5/6/2015 12:13:15 AM    0    C:\Windows\system32\svchost.exe    App rule added        
5/6/2015 12:13:15 AM    0    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe    App rule added        
5/6/2015 12:13:15 AM    0    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe    App rule added        
5/6/2015 12:13:15 AM    0    C:\Windows\sysWow64\CtHdaSvc.exe    App rule added        
5/6/2015 12:13:15 AM    0    C:\Windows\ehome\ehRecvr.exe    App rule added        
5/6/2015 12:13:15 AM    0    C:\Windows\ehome\ehsched.exe    App rule added        
 

 

Logs - Surf Protection Log :

 

Emsisoft Internet Security - Version 9.0
SP log

Date    PID    Application    Event    Detection    
5/6/2015 11:28:58 PM    4000    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    ad.turn.com    
5/6/2015 11:25:05 PM    3256    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    pixel.sitescout.com    
5/6/2015 11:24:57 PM    3256    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    d.turn.com    
5/6/2015 11:24:57 PM    3256    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    www.burstnet.com    
5/6/2015 11:24:54 PM    2756    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    ad.turn.com    
5/6/2015 11:24:53 PM    3256    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    search.spotxchange.com    
5/6/2015 11:24:53 PM    3256    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    jumptap.com    
5/6/2015 11:17:16 PM    3276    C:\Program Files (x86)\Mozilla Firefox\firefox.exe    Blocked by rule    jumptap.com    
5/6/2015 11:11:36 PM    3568    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    axf8.net    
5/6/2015 10:47:59 PM    3568    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    axf8.net    
5/6/2015 10:46:20 PM    3568    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    jumptap.com    
5/6/2015 10:46:19 PM    3568    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    search.spotxchange.com    
5/6/2015 10:19:02 PM    3984    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    ad.turn.com    
5/6/2015 10:18:00 PM    2900    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    ad.turn.com    
5/6/2015 10:17:51 PM    4936    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    ad.turn.com    
5/6/2015 10:14:36 PM    3672    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    ad.turn.com    
5/6/2015 1:09:23 AM    4388    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    adblade.com    
5/6/2015 1:09:23 AM    4388    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    intellitxt.com    
5/6/2015 12:40:07 AM    2932    C:\Program Files (x86)\Internet Explorer\iexplore.exe    Blocked by rule    ad.turn.com  



#6 Sintharius (Bleepin' Sniper)

Posted 07 May 2015 - 02:33 PM

Hi there,

    2 ) As for Emsisoft settings, I think I might have messed up the settings to be too high. Paranoid mode is on (I turned it on). Privacy Risks is at Block and Notify (not sure if it's default or I turned it on). I might have messed up the firewall settings, from the looks of it; all the rules are set to blocking :lmao:

Actually, this explains everything.

- When Emsisoft (regardless of product) has Paranoid Mode enabled, the Behavior Blocker will flag any program with malware-like behavior, regardless of whether that file is benign or not. The files that EIS flagged are normal parts of Windows and pose no harm (one belongs to the Microsoft Malicious Software Removal Tool, the other is an update for IE).

- By default, Privacy Risks are not blocked in Surf Protection, so I think you turned it on. :) The items blocked in Surf Protection are analytics services and other things that Emsisoft deems a risk to your privacy - I also have Privacy Risks set to Block and notify in my own EIS installation, and it pesters me all day. :lmao: (I intentionally left it that way, because it's the only way to reassure myself that EIS is still there - the suite's pretty quiet.)

- FSS shows that it cannot connect to those webpages because the EIS firewall blocked it - there is nothing wrong with your Internet connection.

My verdict is that there is nothing wrong with your beloved computer. :)

Turn off Paranoid Mode, set Privacy Risks to Don't block or Block silently, reset the settings in your Firewall and you are good to go. :)

And finally, please read these to keep your computer safe:

Best Practices for Safe Computing - Prevention of Malware Infection
How Malware Spreads - How did I get infected
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)

Emsisoft and Malwarebytes are a pretty solid combo. Combined with safe surfing practices, you can keep your machine clean for years to come.

If you have any remaining questions about Emsisoft, feel free to ask and I will try to answer them to the best of my ability.

Regards,
Alex
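The Behavior Blocker export in post #5 is the kind of log a reviewer wants to reduce to three questions before deciding whether anything is wrong: which executables were flagged for which behaviour, what was actually blocked or quarantined, and which "Allowed always by user" decisions now silence a behaviour permanently (those are the rules a Factory Defaults reset will clear, and the ones worth a second look before trusting them again). The script below is an added example, not Emsisoft's code or anything posted in this thread; it parses the tab-separated layout of the export (Date, PID, Application, Event, Detection) and the sample rows it contains are constructed in that layout, not copied from the poster's machine.

```python
"""Triage helper for an Emsisoft Behavior Blocker (BB) log export.

Added example (not Emsisoft's code). Parses the tab-separated export layout
seen in the thread and summarises flagged behaviours, enforced actions and
permanent "allow always" rules. SAMPLE_BB_LOG is constructed, not real.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows in the export layout (tab separated).
SAMPLE_BB_LOG = (
    "Emsisoft Internet Security - Version 9.0\n"
    "BB log\n"
    "\n"
    "Date\tPID\tApplication\tEvent\tDetection\t\n"
    "5/8/2015 3:02:12 AM\t280\tC:\\Personal\\Malwarebytes Anti-Malware\\mbam.exe"
    "\tAllowed by rule\tBehavior.Spyware\t\n"
    "5/8/2015 2:27:56 AM\t0\tC:\\Personal\\Malwarebytes Anti-Malware\\mbam.exe"
    "\tApp rule modified\t\t\n"
    "5/8/2015 2:27:56 AM\t1124\tC:\\Personal\\Malwarebytes Anti-Malware\\mbam.exe"
    "\tAllowed always by user\tBehavior.TrojanDownloader\t\n"
    "5/7/2015 12:28:02 AM\t2656\tC:\\Windows\\SysWOW64\\rundll32.exe"
    "\tAllowed always by user\tBehavior.CodeInjector\t\n"
    "5/6/2015 11:14:23 PM\t2884\tC:\\Program Files\\Internet Explorer\\iexplore.exe"
    "\tBlocked by rule\tBehavior.CodeInjector\t\n"
    "5/6/2015 10:29:38 PM\t2176\tC:\\e4b5d1ddb7ae275a323760f0a1\\"
    "\tQuarantined by user\tBehavior.HiddenInstallation\t\n"
)

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"   # e.g. 5/8/2015 3:02:12 AM


def parse_bb_log(text):
    """Return one dict per event row; banner, header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 4:
            continue                      # banner / blank lines carry no tabs
        try:
            when = datetime.strptime(cols[0], TIME_FMT)
        except ValueError:
            continue                      # the "Date  PID ..." header row
        detection = cols[4] if len(cols) > 4 and cols[4] else None
        records.append({"time": when, "pid": int(cols[1]), "app": cols[2],
                        "event": cols[3], "detection": detection})
    return records


def summarize_by_app(records):
    """Counter keyed by (application, detection, event) for rows with a detection."""
    counts = Counter()
    for r in records:
        if r["detection"]:
            counts[(r["app"], r["detection"], r["event"])] += 1
    return counts


def permanent_allow_rules(records):
    """Behaviours the user whitelisted with 'Allowed always': they no longer prompt."""
    rules = defaultdict(set)
    for r in records:
        if r["event"] == "Allowed always by user" and r["detection"]:
            rules[r["app"]].add(r["detection"])
    return {app: sorted(dets) for app, dets in rules.items()}


def enforced_actions(records):
    """Rows where something was actually blocked or quarantined, not just flagged."""
    return [r for r in records if r["event"].startswith(("Blocked", "Quarantined"))]


def report(text):
    """Human-readable triage lines for a raw export."""
    recs = parse_bb_log(text)
    lines = [f"{len(recs)} event rows parsed"]
    for (app, det, event), n in sorted(summarize_by_app(recs).items()):
        lines.append(f"{n:3d}  {det:<30} {event:<24} {app}")
    for app, dets in permanent_allow_rules(recs).items():
        lines.append(f"ALLOW-ALWAYS rule: {app} -> {', '.join(dets)}")
    for r in enforced_actions(recs):
        lines.append(f"ENFORCED: {r['event']} {r['detection']} {r['app']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_BB_LOG)))
```

Run against a real export, the "ALLOW-ALWAYS" lines are the ones to reconcile with what you actually installed; in Paranoid Mode the flagged behaviours (code injection by a scanner, service installation by a driver setup) are expected for the tools named in the thread, but a permanent allow rule on an executable you do not recognise deserves a look before the reset wipes the evidence.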

#7 bluedough (Topic Starter)

Posted 09 May 2015 - 12:14 AM

Thank you for all the answers to my questions up there and for guiding me to set things up right again. I really appreciate them =)



#8 Sintharius (Bleepin' Sniper)

Posted 09 May 2015 - 12:52 AM

Hi there,

A member of the Emsisoft Team let me know that you can reset most of the protection settings to default by using the Factory Defaults button in Settings => General. It will reset the settings in your Firewall back to default (in addition to turning off Paranoid Mode and returning Privacy Risks to Don't block).

If you have any questions about Emsisoft Internet Security, you can seek assistance from the Emsisoft Support Forum - the Emsisoft folks are renowned for their customer support (which, IMO, is the best of all antivirus vendors).

Since you have run several tools, please run this to clean things up.

Download DelFix from here and save it to your Desktop.
  • Close all running programs and start DelFix.
  • Make sure all available options are checked.
  • Click Run.
  • DelFix will remove most of the tools used during the cleaning process.
Have a nice (malware-free) day, and stay safe on the 'Net :)

Regards,
Alex

#9 bluedough (Topic Starter)

Posted 09 May 2015 - 01:17 AM

Thank you. I guess most of my issues are settled, except for the part where

---------------------------------------------------------------------------

Farbar Service Scanner Version: 17-01-2015
Ran by Front (ATTENTION: The logged in user is not administrator) on 07-05-2015 at 00:03:31
Running from "C:\Personal"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Google.com is unreachable
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable

 

---------------------------------------------------------------------------

I have tried pinging a few other IP numbers in cmd prompts, with failed results on all of them, while I am connected to the internet just fine. Just hoping there's an explanation for it; it doesn't indicate I am being rerouted to a hacker's server or something? At least now we know the PC is totally cleaned; the last concern is the router.

Or should I make a new post for this? And in which section of the forum?

Thank you.



#10 Sintharius (Bleepin' Sniper)

Posted 09 May 2015 - 01:21 AM

Hi there,

Please reset Emsisoft Internet Security's settings to default using instructions in my previous post. After that please do this.

Farbar Service Scanner

Please download Farbar Service Scanner and save it to your Desktop.
  • Right click on FSS.exe and select Run as Administrator.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Regards,
Alex

#11 bluedough (Topic Starter)

Posted 09 May 2015 - 01:53 AM

Hi o/. I have reset all the settings in EIS and ran DelFix to clean up the removal tools. Then I downloaded FSS to my desktop and ran it with the settings said above, while I am connected to the internet and able to surf normally.

The results of the scan are as follows:

 

Farbar Service Scanner Version: 17-01-2015
Ran by Surfer (administrator) on 09-05-2015 at 14:44:33
Running from "C:\Users\Front\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Google.com is unreachable
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

---------------------------------------------------------------------------

It still shows unreachable, which is weird, and all my ping checks failed in cmd prompts except to my own IP/machine.

Thank you very much for helping me and checking this out :thumbup2: .


Edited by bluedough, 09 May 2015 - 01:55 AM.
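The FSS log above is where the "am I being rerouted?" worry comes from, so it helps to pull the three things that matter out of it mechanically: the probe results under Connection Status, the registry values FSS prints under the "... Disabled Policy" headings, and any service it reports as not running. The script below is an added example, not Farbar's code or anything from this thread; the section layout it parses (a title line ending in a colon followed by an underline of "=" characters) is inferred from the logs posted here, and SAMPLE_FSS is a constructed excerpt in that layout. Two reading notes it encodes: a host or network firewall can drop ICMP echo while TCP to 80/443 still works, so failed pings alongside working browsing do not by themselves point at redirection; and a third-party suite that registers with Security Center commonly leaves Windows Firewall and Windows Defender disabled, so those two registry values should be compared against the product actually installed rather than read as tampering.

```python
"""Extract the decision-relevant parts of a Farbar Service Scanner (FSS) log.

Added example, not Farbar's code. Section layout (title line ending in ':'
followed by a line of '=' characters) is inferred from the thread's logs.
SAMPLE_FSS is a constructed excerpt in that layout.
"""
import re

SAMPLE_FSS = """\
Farbar Service Scanner Version: 17-01-2015
Ran by Surfer (administrator) on 09-05-2015 at 14:44:33
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Google.com is unreachable
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall"=DWORD:0


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=DWORD:1


**** End of log ****
"""

SECTION_RE = re.compile(r"^(.+):$")                 # "Connection Status:"
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")     # "[HKEY_LOCAL_MACHINE\...]"
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(\w+):(.+)$')  # "Name"=DWORD:0


def split_sections(text):
    """Map section title -> body lines; a title is a ':' line followed by '===='."""
    sections, current = {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        m = SECTION_RE.match(line)
        if m and nxt and set(nxt) == {"="}:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and set(line) != {"="}:
            sections[current].append(line)
    return sections


def connection_status(sections):
    """Split the Connection Status probes into (reachable, unreachable) targets."""
    reachable, unreachable = [], []
    for line in sections.get("Connection Status", []):
        if "unreachable" in line:
            target = line.split("Attempt to access ", 1)[1].split(" returned", 1)[0]
            unreachable.append(target)
        elif line.endswith(("accessible.", "connected.")):
            reachable.append(line.split(" ", 1)[0])
    return reachable, unreachable


def disabled_policies(sections):
    """(section, registry key, value name, raw value) for every '* Disabled Policy' entry."""
    found, key = [], None
    for title, body in sections.items():
        if not title.endswith("Disabled Policy"):
            continue
        for line in body:
            km = REG_KEY_RE.match(line)
            if km:
                key = km.group(1)
                continue
            vm = REG_VALUE_RE.match(line)
            if vm and key:
                name, _vtype, raw = vm.groups()
                found.append((title, key, name, raw))
    return found


def services_not_running(sections):
    """Service names FSS reports as '<name> Service is not running'."""
    return [line.split(" Service is not running", 1)[0]
            for body in sections.values() for line in body
            if " Service is not running" in line]


def assess(text):
    """Short list of findings; the first one states how to read failed probes."""
    sections = split_sections(text)
    reachable, unreachable = connection_status(sections)
    findings = []
    if "Localhost" in reachable and "LAN" in reachable and unreachable:
        findings.append("external probes failed (" + ", ".join(unreachable) + ") while "
                        "localhost and LAN are fine: check the host firewall's outbound "
                        "rules and normal browsing before reading this as redirection")
    for title, key, name, raw in disabled_policies(sections):
        findings.append(f"{title}: {key}\\{name}={raw} (compare with the installed suite)")
    for svc in services_not_running(sections):
        findings.append(f"service not running: {svc}")
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_FSS):
        print("-", f)
```

On the log in this post the script yields exactly the four points Alex's replies address: the three failed probes with localhost and LAN fine, the EnableFirewall and DisableAntiSpyware values, and WinDefend not running. None of those is a redirection indicator on its own; the useful follow-ups are the ones already asked in the thread (the suite's firewall rules, and whether a reset changes the probe results).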


#12 Sintharius (Bleepin' Sniper)

Posted 09 May 2015 - 01:56 AM

Hi there,

Please take a screenshot of Emsisoft Internet Security's Firewall rules and upload it here.

You can upload the screenshot to an external hosting service (i.e. Imgur), then copy the link into your reply.

Regards,
Alex

#13 bluedough (Topic Starter)

Posted 09 May 2015 - 02:16 AM

[Screenshot attached: EE20iOG.png]



#14 Sintharius (Bleepin' Sniper)

Posted 09 May 2015 - 02:22 AM

Hi there,

I have to admit that an FSS scan on my own machine produces the same results - Google IP and Yahoo.com are unreachable, but Google.com is reachable.

I have forwarded your question to one of our Emsisoft representatives and support members - however, since it's late where he is I think it will be some time before he can come over and answer your question.

Meanwhile, I don't think there is anything wrong with your machine, so no worries :thumbup2:

Regards,
Alex

#15 bluedough (Topic Starter)

Posted 09 May 2015 - 02:53 AM

Thank you Alex :) , just recovered from being hacked. Still a bit paranoid about making sure everything is fine now, from the PC being clean to the connection not being rerouted silently, lol.

If you feel like checking it out, you'll know what I have done before connecting to the internet again, and my 1st post here .

Other than that, we'll wait till he comes over and a conclusion can be made; it might not be EIS that causes it, though. Hopefully there is no problem at all. :)





