
Vista 64 bit suspected hack/virus


23 replies to this topic

#1 bcreighton7 (Members, 18 posts)

Posted 19 November 2015 - 04:28 AM

Hi,

My anti-virus is Avira and it doesn't pick up anything.

I was using Firefox in a locked-down standard account which had no installation privileges and child protection on. The account didn't even allow downloads.

Then Firefox installed the latest version of itself on its own - I had it set to ask if I wanted to update.

Then I couldn't open the downloaded Comodo Dragon file.

Then the browser seemed to get hijacked. I am in the US. When I do a Google search it shows Norway crap. My Google account login info is all in Norwegian I think.

Now the account allows me to download whatever I want.

Did a ComboFix (I know) & attached the file.

What do you think?

Long ago I think something got on my computer and started destroying the info on my drive.

So I am now operating on a backup install.

However, I was never able to install SP2 - kept getting errors. So I rely on Comodo Firewall and Avira AV.

The report shows a temp Avira dll file was deleted.

Attached Files




#2 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 19 November 2015 - 04:52 AM

Looking at my antivirus, it does show one file in quarantine from 10/21/13

 

BTW I got mad and deleted Firefox, hoping that might get rid of some of my probs, and cuz I couldn't open any Comodo browsers, I am using Chrome.

 

From time to time my Windows is now telling me it "recovered from a serious error" when I start it.



#3 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 19 November 2015 - 11:25 AM

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/19/2015
Scan Time: 7:37:30 AM
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2015.11.19.03
Rootkit Database: v2015.11.14.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows Vista
CPU: x64
File System: NTFS
User: Alpine
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 399552
Time Elapsed: 20 min, 41 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
Note: rootkits was disabled.
Did another scan with the rootkit scan on, and the result was still negative.

Edited by bcreighton7, 19 November 2015 - 04:36 PM.


#4 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 19 November 2015 - 02:12 PM

Seems I might still have some kind of significant infection/hack.

 

I tried to do a Microsoft Windows update again and all the security updates failed. 

I downloaded and installed a hotfix.

Ran update again and although SP 1 showed it installed, it failed again. 

 
I also tried to use this: 

Update for Windows Vista for x64-based Systems (KB937286)

which was supposed to be a stand alone installer, but upon installation it said it did not apply to my system.

 

For the benefit of the reader: when I finally found a true stand-alone SP1 update, it told me I didn't have the right language. So once I uninstalled a Hebrew language pack, I could finally get the updates to work, so now I am at SP2+, but I could still use help with some of these annoying issues.


Edited by bcreighton7, 20 November 2015 - 01:57 AM.


#5 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 19 November 2015 - 02:46 PM

One thing I noted when I started using this laptop more on the internet is that I started getting this popup on every start:

"A necessary file could not be loaded: NAVProd"

which related to an old Symantec Norton AV that came with the laptop, and got reinstalled. I just left it as one of those harmless bloatware things but started getting this popup. So I now went to uninstall Norton AV, and of course now it won't uninstall. Control Panel Uninstall opens up a Symantec window which immediately says "Installation failed", so this program appears to be compromised too, and one of the initial viruses may have hidden there.

Neither the 64 bit nor 32 bit versions of the ESET AV uninstall tool would remove it.

When I finally got SP2 installed I tried to run a new uninstall on Norton, but after a long time the big Symantec window disappeared and another smaller window popped up and was listing stuff all through my computer, socs, drives etc. Call me a little paranoid, but I think this Symantec file could be infected. Anyway I still have an uneasy feeling about it so would appreciate help with scans, thanks.

Edited by bcreighton7, 20 November 2015 - 03:16 AM.


#6 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 20 November 2015 - 11:09 AM

11/20 - upon logging in

"Malwarebytes was unable to load the Anti-Rootkit DDA Driver, this error may be caused by rootkit activity.

Do you want to reboot the system and attempt to install the Driver?

(If you don't choose to reboot, Anti-Rootkit scanning will be disabled for this session)"

 

Continuing saga here:

also got a message which I think gave an error for the "NSKcontol" of Malwarebytes.

On reboot I got a windows configuring update which could have been the last updated after SP2. Booted into the standard user, the Chrome shortcuts were gone, and when I opened Dragon which I finally got installed everything locked up.

Hard shut down, and opened back up into the admin account, and got a black screen with only the Malwarebytes screen showing an error and locked up.

Hard shut down, and rebooted into safe mode admin user.

Rebooted into regular admin, where I opened Chrome and am typing this. Will probably try a system restore as I am now concerned.

Task manager shows either svchost.exe running under system or TrustedInstaller.exe using 40-50% of cpu constantly.

 

On another note, for some time now when I tried to open Internet Explorer in either my admin or the standard accounts, I would get a message that "Internet Explorer cannot open the internet site: http: blabla.com The operation is aborted." listing whatever site I was trying to open, but then sometimes would go ahead and open it, although that got less frequent. Whoever was hacking me, I think wanted me to use Firefox, as it automatically started remembering passwords etc without me having to log into sites. I use generic passwords for most internet sites I visit. I now still get that message on the aol start page of IE, but it will open other sites now without the message.

 

Also whatever is going on in the standard user account is rendering the dragon browser unusable - if I open it, everything just freezes up. I can't even tell how much cpu is being used by what, although before I open the browser the same 50% CPU usage is shown. The IE gives the "Can't open internet site" message, but will go on to open the start page and then yahoo, but when I try to go to other sites, it seems the admin account settings are being used to get parental controls to block them. Once that is triggered, all internet sites get blocked.

Also unless the last windows update changed my settings, something has changed my settings in both accounts to automatically connect my wifi - I always leave that on manual. 

 

Yeah, seems I'm definitely still hacked. The restore points created by Windows update are gone. I can't restore of course. I think this has to do with that window which popped up when I was trying to uninstall Norton again. I think I was getting reinfected again at that time cuz just after the SP2 update everything worked swell. 


Edited by bcreighton7, 20 November 2015 - 02:23 PM.


#7 nasdaq (Malware Response Team, 40,528 posts, Montreal, QC, Canada)

Posted 21 November 2015 - 11:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Wait for further instructions.

#8 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 21 November 2015 - 04:18 PM

RogueKiller V10.11.6.0 [Nov 16 2015] (Free) by Adlice Software
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Alpine [Administrator]
Started from : C:\Users\Alpine\Downloads\RogueKiller.exe
Mode : Scan -- Date : 11/21/2015 13:08:49
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 10 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {EF99BD32-C1FB-11D2-892F-0090271D4F88} :   -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1376714825-3935665146-2788773236-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1376714825-3935665146-2788773236-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1376714825-3935665146-2788773236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1376714825-3935665146-2788773236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1376714825-3935665146-2788773236-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1376714825-3935665146-2788773236-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1} -> Found
 
¤¤¤ Hosts File : 2 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\WINDOWS\System32\drivers\etc\hosts] ::1             localhost
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] daaa790a14dd78a603535b38c6c56faa
[BSP] 425535855e5310d487234ca00f44619d : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 144883 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 296720550 | Size: 7742 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
 
 
My Avira says Farbar is a virus - should I turn off Avira?

Edited by bcreighton7, 21 November 2015 - 04:23 PM.


#9 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 21 November 2015 - 05:18 PM

I am having trouble copy and pasting, so I attached the Farbar reports.

 

Farbar ran twice for some reason, but the reports seem the same.

Attached Files


Edited by bcreighton7, 21 November 2015 - 05:56 PM.


#10 nasdaq (Malware Response Team, 40,528 posts, Montreal, QC, Canada)

Posted 22 November 2015 - 08:04 AM


ATTENTION: System Restore is disabled

http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-vista
Click the Down arrow to see the Vista instructions. (On the left of the Title page)

Do this first so that the following fixes will be registered.
----

AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: COMODO Defense+ (Enabled - Up to date) {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
FW: COMODO Firewall (Enabled) {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}


It's not recommended to run two antivirus programs simultaneously.
Both programs working in real time will slow down your system and cause unusual problems (may be the cause of your Windows updates not working).
Disable one of them.

I also see some Norton/Symantec entries in your log dated in 2006.
These could have been restored with your backup.
If that is an old program that you have previously removed I suggest you download the Norton uninstaller tool for the version you had installed.

Download the tool and run it.
http://www.bleepingcomputer.com/download/norton-removal-tool/
Restart the computer when completed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to the new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicyUsers\S-1-5-21-1376714825-3935665146-2788773236-1001\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1376714825-3935665146-2788773236-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1376714825-3935665146-2788773236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {C244F2F5-5D64-448F-A78C-B82D15AF29AE} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000 -> {C244F2F5-5D64-448F-A78C-B82D15AF29AE} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {C244F2F5-5D64-448F-A78C-B82D15AF29AE} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-1376714825-3935665146-2788773236-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {C244F2F5-5D64-448F-A78C-B82D15AF29AE} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=ushpl
BHO-x32: Yahoo! Toolbar Helper -> {02478D38-C3F9-4EFB-9B51-7695ECA05670} -> C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-27] (Yahoo! Inc.)
Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-27] (Yahoo! Inc.)
S1 Beep; no ImagePath
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U4 eabfiltr; no ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
CustomCLSID: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Alpine\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Alpine\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Alpine\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Alpine\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset both browsers that may have been compromised.

Reset Chrome...
Open Google Chrome, click on the menu icon which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

Post the logs requested and let me know what problem persists.
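The fixlist above was hand-written from the FRST log. As an added example (not code from this thread, from FRST or from RogueKiller), the PowerShell below is a read-only audit that enumerates the same four classes of entries the fix removed: IE policy restrictions, search scopes pointing somewhere other than your chosen engine, Browser Helper Objects whose DLL no longer exists, and services or drivers with no ImagePath or a dangling one. The expected search host and the PowerShell 2.0 target (so it runs on a patched Vista) are assumptions; the function names are mine.

```powershell
# Added read-only audit (not code from the thread, FRST or RogueKiller). It
# reports the same classes of entries the fixlist above removed and changes
# nothing. Run from an elevated PowerShell prompt; written for PowerShell 2.0
# so it also runs on a patched Vista.

function Resolve-ImagePath([string]$raw) {
    # Normalise the forms seen in service ImagePath values:
    #   \??\C:\x.sys   \SystemRoot\x.sys   system32\x.sys   "C:\x.exe" -k args
    if (-not $raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^"([^"]+)"') { $p = $matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-HijackFindings([string]$ExpectedSearchHost = 'www.bing.com') {
    # $ExpectedSearchHost is an assumption: set it to the engine you actually
    # configured; anything else is reported, as the ask.com scopes were above.
    $findings = @()

    # 1. IE policy restrictions (the "Restriction <======= ATTENTION" lines).
    foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
                   'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer') {
        if (Test-Path $k) { $findings += "IE policy restriction present: $k" }
    }

    # 2. Search scopes whose URL does not point at the expected engine.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
                      'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes') {
        if (-not (Test-Path $root)) { continue }
        foreach ($scope in Get-ChildItem $root) {
            $url = (Get-ItemProperty $scope.PSPath).URL
            if ($url -and $url -notmatch [regex]::Escape($ExpectedSearchHost)) {
                $findings += "Unexpected search scope $($scope.PSChildName): $url"
            }
        }
    }

    # 3. Browser Helper Objects: resolve CLSID -> InprocServer32 DLL and check the file.
    $bhoRoots = @(
        @{ Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
        @{ Key   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
    )
    foreach ($r in $bhoRoots) {
        if (-not (Test-Path $r.Key)) { continue }
        foreach ($bho in Get-ChildItem $r.Key) {
            $server = "$($r.Clsid)\$($bho.PSChildName)\InprocServer32"
            $dll = $null
            if (Test-Path $server) { $dll = (Get-ItemProperty $server).'(default)' }
            if (-not $dll) { $state = 'no InprocServer32' }
            elseif (Test-Path ([Environment]::ExpandEnvironmentVariables($dll))) { $state = $dll }
            else { $state = "$dll => No File" }
            $findings += "BHO $($bho.PSChildName): $state"
        }
    }

    # 4. Services/drivers with no ImagePath, or an ImagePath whose file is gone
    #    (the "no ImagePath" and "[X]" lines). Start is the raw start-type value.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
        if ($props -eq $null -or $props.Type -eq $null) { continue }   # not a service entry
        $path = Resolve-ImagePath $props.ImagePath
        if (-not $path) {
            $findings += "Service $($svc.PSChildName) (Start $($props.Start)): no ImagePath"
        } elseif (-not (Test-Path $path)) {
            $findings += "Service $($svc.PSChildName) (Start $($props.Start)): $path [X]"
        }
    }
    return $findings
}

# Print one line per finding; an empty result means none of the four classes was seen.
Get-HijackFindings
```

Treat the output as leads, not verdicts: a driver entry with no ImagePath can be normal on some Windows builds, so compare against a known-clean machine of the same version before removing anything.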

#11 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 22 November 2015 - 08:20 AM

Hi, thank you Naz.

Should I go ahead and let RogueKiller delete the PUP and PUMs it found before restarting?

 

I no longer have Firefox. I deleted it after I began to have too many problems. My IE is basically unusable.

My Chrome icons got deleted for some reason on my standard user side & I can't access the browser in that account.

My Dragon doesn't really work on my standard user side, but when I open it, CPU usage quickly goes to 100% and everything locks up. 

The Norton Removal Tool seemed to work - Thank YOU!!

Do you have an opinion whether I should deactivate Avira heuristics or Comodo Defense? Which do you think is better?

You didn't mention the MBAM. I deactivated the Premium Trial and the regular.

I haven't yet run the fixtool.


Edited by bcreighton7, 22 November 2015 - 09:03 AM.


#12 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 22 November 2015 - 10:40 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:20-11-2015
Ran by Alpine (2015-11-22 07:24:29) Run:1
Running from C:\Users\Alpine\Downloads
Loaded Profiles: Alpine (Available Profiles: Alpine & Internet User)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
GroupPolicyUsers\S-1-5-21-1376714825-3935665146-2788773236-1001\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1376714825-3935665146-2788773236-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1376714825-3935665146-2788773236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {C244F2F5-5D64-448F-A78C-B82D15AF29AE} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000 -> {C244F2F5-5D64-448F-A78C-B82D15AF29AE} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {C244F2F5-5D64-448F-A78C-B82D15AF29AE} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-1376714825-3935665146-2788773236-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {C244F2F5-5D64-448F-A78C-B82D15AF29AE} URL = hxxp://www.ask.com/web?q={searchTerms}&l=dis&o=ushpl
BHO-x32: Yahoo! Toolbar Helper -> {02478D38-C3F9-4EFB-9B51-7695ECA05670} -> C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-27] (Yahoo! Inc.)
Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-27] (Yahoo! Inc.)
S1 Beep; no ImagePath
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U4 eabfiltr; no ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
CustomCLSID: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Alpine\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Alpine\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Alpine\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Alpine\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1376714825-3935665146-2788773236-1001\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-1376714825-3935665146-2788773236-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\S-1-5-21-1376714825-3935665146-2788773236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{C244F2F5-5D64-448F-A78C-B82D15AF29AE}" => key removed successfully
HKCR\Wow6432Node\CLSID\{C244F2F5-5D64-448F-A78C-B82D15AF29AE} => key not found. 
"HKU\S-1-5-21-1376714825-3935665146-2788773236-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C244F2F5-5D64-448F-A78C-B82D15AF29AE}" => key removed successfully
HKCR\CLSID\{C244F2F5-5D64-448F-A78C-B82D15AF29AE} => key not found. 
HKU\S-1-5-21-1376714825-3935665146-2788773236-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C244F2F5-5D64-448F-A78C-B82D15AF29AE} => key not found. 
HKCR\CLSID\{C244F2F5-5D64-448F-A78C-B82D15AF29AE} => key not found. 
HKU\S-1-5-21-1376714825-3935665146-2788773236-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C244F2F5-5D64-448F-A78C-B82D15AF29AE} => key not found. 
HKCR\CLSID\{C244F2F5-5D64-448F-A78C-B82D15AF29AE} => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}" => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => value removed successfully
"HKCR\Wow6432Node\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}" => key removed successfully
Beep => service removed successfully
blbdrive => service removed successfully
catchme => service removed successfully
eabfiltr => service removed successfully
IpInIp => service removed successfully
NwlnkFlt => service removed successfully
NwlnkFwd => service removed successfully
"HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => key removed successfully
"HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKU\S-1-5-21-1376714825-3935665146-2788773236-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => key removed successfully
EmptyTemp: => 885.2 MB temporary data Removed.
 
 
The system needed a reboot.
 
 
Cleared browsers. Checking things out.


#13 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 22 November 2015 - 12:28 PM

Things seem to be working decently in my administrator account except when I open IE - the AOL homepage still gives the popup message that the site cannot be opened, but when I close the popup, I can see the page, and open others without the message. Svchost.exe system user is still using about 50% CPU. I notice at night that drops and CPU usage is single digit or teens.

I reinstalled Comodo Dragon, and it seems to work well.

When I open the standard user account, I get a message that the user profiles cannot be updated correctly and that a temporary profile is being created.

IE doesn't work, and each page I try to open is blocked by that popup.

Comodo Dragon opens but shows over 100 processes running (only 75 in my Admin user acct) and all the memory is used up (97+%) so that everything just locks up.

 

While I am waiting for your response I will try creating a new limited account to see if I can get stuff to work in it.  



#14 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 22 November 2015 - 02:52 PM

I got the dragon browser to work a little in the new user account but after going to a few sites, the memory usage climbed up.

I took a picture of my older standard account task manager window and attached it - picture taken while using Dragon browser the first time. Lots of SVChost.exe files!

I also reinstalled Chrome - works fine on admin account although somewhat heavy CPU and memory usage. On the new user standard account when I try to use Chrome, the memory usage climbed up to 97% and everything froze up. Chrome actually worked decently on my old standard account before I began all this, so something is up. Now it won't work decently on either the old or the new standard account. IE works ok in the new standard account.

Attached Files


Edited by bcreighton7, 22 November 2015 - 06:20 PM.


#15 bcreighton7 (Topic Starter, Members, 18 posts)

Posted 23 November 2015 - 12:22 AM

OK, night again and CPU use is back down in the single or teen digits. In my Admin account everything works decently with the exception noted for IE.

In my other 2 standard accounts CPU and memory usage is low. When I open my Chrome or Dragon the usage goes up a little but is still low. Memory might go up to 40s% usage, but is usually lower. Then while browser is open if I connect to the internet, the memory use goes screaming up to 97+% within about 5 secs and the browser is rendered unusable. I've never seen anything like this. It seems like I'm getting some kind of attack or already some malware instruction on board? Please help.





