
Random Ads Playing in Chrome Browser - Cannot Access Anti-Spyware Software


This topic is locked. 16 replies to this topic.

#1 just10credible

just10credible

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:09 AM

Posted 26 December 2015 - 09:42 AM

Good morning! I am using Windows 10 and I was trying to find a video converter software. Must have downloaded and run a bad file because my browser won't stop running random advertisements. My Windows Defender is not accessible, and the virus seems to be blocking me from accessing anti-spyware sites. It even blocks bleepingcomputer.com (error says "The page cannot be displayed because an internal server error has occurred") so I am typing this from another PC. I was able to gain logs from the infected PC which are attached. Hopefully you all can help. The infected PC seems to block the installation of anti-spyware software even in Safe Mode.

 

Thanks in advance! Please let me know what other information is necessary.

Attached Files




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:09 AM

Posted 26 December 2015 - 10:26 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download these tools to a CD or flash drive using a good computer.

Copy the files to the Desktop of the Compromised computer and run them.


--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

You will need to temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Click Options; the following options are available to you.
Select only the check boxes for the options in bold:

Running Processes
Installed Programs
Startup Information
FireFox look
Chrome Look
Auto Clean


Do a Quick Scan
HijackThis log
Uninstall list
Shortcut Fix
Do a Deep Scan
Installer List
IE Default
Silent Runner
System Restore Info
Symlink Check
Reset Chrome
System Specs
Recently created
Empty Temp
Auto Clean



Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.
Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.

Make sure you Enable your AV Program.

===

How is the computer running now?

#3 just10credible (Topic Starter)

Posted 26 December 2015 - 03:54 PM

Here is the RogueReport. It is attached as well as the ZOEK results.

 

RogueKiller V11.0.4.0 [Dec 20 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : Chris Tait [Administrator]
Started from : C:\Users\Chris Tait\Desktop\RogueKiller.exe
Mode : Scan -- Date : 12/26/2015 15:25:14

¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path] unused.exe(2536) -- C:\Windows\unused.exe[-] -> Killed [TermProc]
[Suspicious.Path] sin.exe(2676) -- C:\Windows\sin.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 17 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Partner -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\high (C:\WINDOWS\unused.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\scrub (C:\WINDOWS\sin.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\high (C:\WINDOWS\unused.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\scrub (C:\WINDOWS\sin.exe) -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2681385623-1556928977-4190701035-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2681385623-1556928977-4190701035-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8877;https=127.0.0.1:8877  -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2681385623-1556928977-4190701035-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8877;https=127.0.0.1:8877  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2681385623-1556928977-4190701035-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8877;https=127.0.0.1:8877  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2681385623-1556928977-4190701035-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://bing.com/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2681385623-1556928977-4190701035-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://bing.com/  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.240.205.161 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.240.205.161 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3a2109c-a177-42b3-8597-54ef2b979304} | DhcpNameServer : 10.240.205.161 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b3a2109c-a177-42b3-8597-54ef2b979304} | DhcpNameServer : 10.240.205.161 ([X])  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe (Scan -ScheduleJob -RestrictPrivileges) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 6 (Driver: Not loaded [0xc000036b]) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe @ COMDLG32.dll) SHELL32!SHGetKnownFolderIDList : C:\Windows\System32\windows.storage.dll @ 0x74be50c0 (jmp dword [0x75ee4030])
[IAT:Inl(Hook.IEAT)] (chrome.exe @ COMDLG32.dll) SHELL32!SHGetKnownFolderItem : C:\Windows\System32\windows.storage.dll @ 0x74bf5f20 (jmp dword [0x75ee4034])
[IAT:Inl(Hook.IEAT)] (chrome.exe @ COMDLG32.dll) SHELL32!SHGetKnownFolderIDList : C:\Windows\System32\windows.storage.dll @ 0x74be50c0 (jmp dword [0x75ee4030])
[IAT:Inl(Hook.IEAT)] (chrome.exe @ COMDLG32.dll) SHELL32!SHGetKnownFolderItem : C:\Windows\System32\windows.storage.dll @ 0x74bf5f20 (jmp dword [0x75ee4034])
[IAT:Inl(Hook.IEAT)] (chrome.exe @ COMDLG32.dll) SHELL32!SHGetKnownFolderIDList : C:\Windows\System32\windows.storage.dll @ 0x74be50c0 (jmp dword [0x75ee4030])
[IAT:Inl(Hook.IEAT)] (chrome.exe @ COMDLG32.dll) SHELL32!SHGetKnownFolderItem : C:\Windows\System32\windows.storage.dll @ 0x74bf5f20 (jmp dword [0x75ee4034])

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 500G +++++
--- User ---
[MBR] 2af07d19591e372450d207a6932f840f
[BSP] 4afc8ec38a0ff2378684bfee68401e66 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476388 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 975849472 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK

 

Attached Files



#4 nasdaq

Posted 27 December 2015 - 09:58 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

(glass) C:\Windows\unused.exe
(lackadaisical) C:\Windows\sin.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostSync.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostSync_.exe
() C:\Program Files (x86)\teeny-tiny\unbiased.exe
(windows 99) C:\Program Files (x86)\rice\count.exe
() C:\Program Files (x86)\rice\hysterical.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse_.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse_.exe
(FrameZen Co.) C:\Program Files (x86)\winhostuse\WinHostUse_.exe
HKLM\...\Run: [cutoauto] => C:\Program Files (x86)\rice\hysterical.exe [42735 2015-12-25] ()
HKLM\...\Run: [interpee] => C:\Program Files (x86)\rice\count.exe [35840 2015-12-25] (windows 99)
HKLM-x32\...\Run: [cutoauto] => C:\Program Files (x86)\rice\hysterical.exe [42735 2015-12-25] ()
HKLM-x32\...\Run: [interpee] => C:\Program Files (x86)\rice\count.exe [35840 2015-12-25] (windows 99)
HKU\S-1-5-21-2681385623-1556928977-4190701035-1000\...\Run: [rutoauto] => C:\Program Files (x86)\rice\count.exe [35840 2015-12-25] (windows 99)
HKU\S-1-5-21-2681385623-1556928977-4190701035-1000\...\Run: [dutoauto] => C:\Program Files (x86)\rice\hysterical.exe [42735 2015-12-25] ()
HKU\S-1-5-21-2681385623-1556928977-4190701035-1000\...\Run: [interpee] => C:\Program Files (x86)\rice\count.exe [35840 2015-12-25] (windows 99)
Startup: C:\Users\Chris Tait\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\intr.lnk [2015-12-25]
ShortcutTarget: intr.lnk -> C:\Program Files (x86)\rice\count.exe (windows 99)
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyEnable: [S-1-5-21-2681385623-1556928977-4190701035-1000] => Proxy is enabled.
ProxyServer: [S-1-5-21-2681385623-1556928977-4190701035-1000] => http=127.0.0.1:8877;https=127.0.0.1:8877
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2681385623-1556928977-4190701035-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF user.js: detected! => C:\Users\Chris Tait\AppData\Roaming\Mozilla\Firefox\Profiles\su309cyh.default\user.js [2015-12-25]
R2 high; C:\WINDOWS\unused.exe [15360 2015-12-25] (glass) [File not signed]
R2 scrub; C:\WINDOWS\sin.exe [9216 2015-12-25] (lackadaisical) [File not signed]
R2 WinHostSvc; C:\Program Files (x86)\winhostuse\WinHostSync.exe [140992 2015-12-24] (FrameZen Co.)
R2 WinHostSvc2; C:\Program Files (x86)\winhostuse\WinHostSync_.exe [140992 2015-12-24] (FrameZen Co.)
U3 idsvc; no ImagePath
Task: {1D0D9684-3CBD-4629-90F2-0AC8D687D9BA} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {22AC4484-DF68-450C-9CF8-DC76E92469C7} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {44B6A350-10B6-4CE9-BF8F-BCE7D7386EC8} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {4A88B38A-B628-4B60-97EE-E453E262D470} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {4FA53318-88EB-4F05-A213-1DC6271EAFCB} - System32\Tasks\9591815 => C:\Program Files (x86)\teeny-tiny\unbiased.exe [2015-12-25] () <==== ATTENTION
Task: {5BBB4C21-9ED5-4C73-8DB7-CF0BA0FA6D50} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {5D28B322-FC51-4A8A-A6F4-0B62CDB882C2} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {684C5A8D-62C9-46E8-A19E-C7D24139C9BA} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {6CC353DC-5F6D-4F01-A2BB-396A0DF32F3E} - System32\Tasks\Ka068UjUPWRBGNwrjql3-ni-2015-12-25-ni-10924 => C:\Program Files (x86)\rice\count.exe [2015-12-25] (windows 99)
Task: {6DA17247-88F0-466A-8697-C8D61A32685A} - System32\Tasks\422964728044 => C:\Program Files (x86)\rice\count.exe [2015-12-25] (windows 99) <==== ATTENTION
Task: {7E466043-DD5B-4A62-9C1F-1B9CD420C25D} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {80A777E2-9AD5-48D9-BFE9-DC7712059B4D} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {935054E2-679F-4D43-A211-06D6BCCE011E} - System32\Tasks\8975965897596589759658975965 => C:\Program Files (x86)\rice\count.exe [2015-12-25] (windows 99) <==== ATTENTION
Task: {ACDB664C-942F-4FDC-979A-13DA7BBAB42D} - \PCDEventLauncherTask -> No File <==== ATTENTION
Task: {B067CA89-29D1-478C-AD0B-E0E53A2D55B3} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {CE69FBF6-D07E-4D24-9A40-53ABEEB9A791} - System32\Tasks\Grapyy36691009Updates => C:\Program Files (x86)\record\annoyed.exe [2015-12-25] (fancy)
Task: {D7C75A02-B954-4D33-B5AB-45B77567FA61} - System32\Tasks\MySyy36691009ytemy => C:\Program Files (x86)\record\annoyed.exe [2015-12-25] (fancy)
Task: {E7CEE94D-287E-4568-BCF3-AA4B88AAE68D} - \CCleanerSkipUAC -> No File <==== ATTENTION
Task: {EB43629E-AB62-4EF2-B767-0CF9EC9AA14B} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
2015-12-25 09:43 - 2015-12-25 09:43 - 00012288 _____ () C:\Program Files (x86)\teeny-tiny\unbiased.exe
2015-12-25 09:43 - 2015-12-25 09:43 - 00042735 _____ () C:\Program Files (x86)\rice\hysterical.exe
2015-12-26 09:23 - 2015-12-26 09:23 - 00011264 _____ () C:\Users\Chris Tait\AppData\Local\Temp\nsb8FEC.tmp\System.dll
2015-12-16 01:37 - 2015-12-16 01:37 - 53437440 _____ () C:\Program Files (x86)\WinHostUse\libcef.dll
2015-01-14 05:55 - 2015-01-14 05:55 - 00386560 _____ () C:\Program Files (x86)\WinHostUse\log4cplusU.dll
2015-12-16 01:37 - 2015-12-16 01:37 - 01976832 _____ () C:\Program Files (x86)\WinHostUse\libglesv2.dll
2015-12-16 01:37 - 2015-12-16 01:37 - 00075264 _____ () C:\Program Files (x86)\WinHostUse\libegl.dll
FirewallRules: [{E4B3D03C-6479-4E52-B8D4-C00DA02F82AB}] => (Allow) C:\Program Files (x86)\teeny-tiny\unbiased.exe
FirewallRules: [{B5E5FFCE-F9A3-41C5-B721-48B4CEF4192D}] => (Allow) C:\Program Files (x86)\teeny-tiny\unbiased.exe
FirewallRules: [{16CED0C8-C6C9-4AB3-B695-1952E457ED2B}] => (Allow) C:\Program Files (x86)\record\annoyed.exe
FirewallRules: [{0F813895-E187-43D7-87C0-13F9EA79E24C}] => (Allow) C:\Program Files (x86)\record\annoyed.exe
FirewallRules: [{5BDD520D-69C2-4838-A965-9B63BFC3AF68}] => (Allow) C:\a\Ka068UjUPWRBGNwrjql3-ni-2015-12-25-ni-10924.exe
FirewallRules: [{9DDBD437-8F33-474F-8B00-0252BB302ECC}] => (Allow) C:\a\vchk.exe
FirewallRules: [{9E41BFAE-BB8B-4A9F-ACE7-35A65116CE53}] => (Allow) C:\a\vchk.exe
FirewallRules: [{DD71AEAE-81BB-4367-A42C-9451F9261FA5}] => (Allow) C:\Program Files (x86)\rice\hysterical.exe
FirewallRules: [{A43F666B-9D44-49FE-8514-79DE31DE52B4}] => (Allow) C:\Program Files (x86)\rice\hysterical.exe
FirewallRules: [{C27A0DAF-656E-429C-B93C-2E0E8C0DB40C}] => (Allow) C:\a\winonit.exe
FirewallRules: [{61E6F386-6707-494E-91C9-BD536D99B8C2}] => (Allow) C:\a\winonit.exe
FirewallRules: [{D06C8DE8-7E36-4AE4-A637-49DA2A2284FE}] => (Allow) C:\Program Files (x86)\rice\getcap.exe
FirewallRules: [{88E5C813-99DE-40DD-A180-0B0900D59C3B}] => (Allow) C:\Program Files (x86)\rice\getcap.exe
FirewallRules: [{EF507CF2-ACBC-4B64-A314-7392132ED6AE}] => (Allow) C:\Program Files (x86)\rice\count.exe
FirewallRules: [{B73B76B5-8439-42A4-BD20-1FCC1C8927EC}] => (Allow) C:\Program Files (x86)\rice\count.exe
C:\Program Files (x86)\teeny-tiny
C:\Program Files (x86)\rice
C:\Program Files (x86)\record
C:\Users\Chris Tait\AppData\Local\Temp\nsb8FEC.tmp
C:\Program Files (x86)\WinHostUse
C:\a
C:\Windows\unused.exe
C:\Windows\sin.exe
C:\Users\Chris Tait\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\intr.lnk

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

I suspect that this infection has some password stealing functions.
I suggest you change all your internet passwords.

===

Post the Fixlog.txt for my review.

Run also the RogueKiller and the Farbar tool normally and post fresh logs for my review.

Let me know what problem persists.
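As an added example (not code from this thread, from FRST or from RogueKiller), the following Python script parses the kinds of lines that appear in the fixlist above and applies the checks that fixlist implies: unsigned service binaries sitting directly in C:\Windows rather than in System32, Run keys and scheduled tasks whose binaries carry no vendor string or have digit-only task names, firewall allow rules that exist for exactly those binaries, and a WinINET proxy pointed at the loopback interface. The sample lines are copied from the post; the flag names, the heuristics and the loopback test are my own assumptions, and the regular expressions cover only the FRST line shapes shown here.

```python
import ntpath
import re

# Constructed sample: lines copied from the FRST fixlist posted above in this thread.
SAMPLE_LINES = r"""
HKLM\...\Run: [cutoauto] => C:\Program Files (x86)\rice\hysterical.exe [42735 2015-12-25] ()
HKLM\...\Run: [interpee] => C:\Program Files (x86)\rice\count.exe [35840 2015-12-25] (windows 99)
HKU\S-1-5-21-2681385623-1556928977-4190701035-1000\...\Run: [rutoauto] => C:\Program Files (x86)\rice\count.exe [35840 2015-12-25] (windows 99)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [S-1-5-21-2681385623-1556928977-4190701035-1000] => http=127.0.0.1:8877;https=127.0.0.1:8877
R2 high; C:\WINDOWS\unused.exe [15360 2015-12-25] (glass) [File not signed]
R2 scrub; C:\WINDOWS\sin.exe [9216 2015-12-25] (lackadaisical) [File not signed]
R2 WinHostSvc; C:\Program Files (x86)\winhostuse\WinHostSync.exe [140992 2015-12-24] (FrameZen Co.)
Task: {4FA53318-88EB-4F05-A213-1DC6271EAFCB} - System32\Tasks\9591815 => C:\Program Files (x86)\teeny-tiny\unbiased.exe [2015-12-25] () <==== ATTENTION
Task: {6DA17247-88F0-466A-8697-C8D61A32685A} - System32\Tasks\422964728044 => C:\Program Files (x86)\rice\count.exe [2015-12-25] (windows 99) <==== ATTENTION
Task: {1D0D9684-3CBD-4629-90F2-0AC8D687D9BA} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
FirewallRules: [{E4B3D03C-6479-4E52-B8D4-C00DA02F82AB}] => (Allow) C:\Program Files (x86)\teeny-tiny\unbiased.exe
FirewallRules: [{DD71AEAE-81BB-4367-A42C-9451F9261FA5}] => (Allow) C:\Program Files (x86)\rice\hysterical.exe
FirewallRules: [{EF507CF2-ACBC-4B64-A314-7392132ED6AE}] => (Allow) C:\Program Files (x86)\rice\count.exe
FirewallRules: [{9DDBD437-8F33-474F-8B00-0252BB302ECC}] => (Allow) C:\a\vchk.exe
""".strip().splitlines()

# Common tail of an FRST entry: "[size date] (vendor)" with an optional signing note.
TAIL = r" \[(?:\d+ )?(?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)(?P<unsigned> \[File not signed\])?"
RUN_RE = re.compile(r"^HK\S*?\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?)" + TAIL)
SERVICE_RE = re.compile(r"^[RSU]\d (?P<name>[^;]+); (?P<path>.+?)" + TAIL)
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - System32\\Tasks\\(?P<name>\S+) => (?P<path>.+?)" + TAIL)
FIREWALL_RE = re.compile(r"^FirewallRules: \[\{[0-9A-Fa-f-]+\}\] => \(Allow\) (?P<path>.+)$")
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<scope>[^\]]+)\] => (?P<value>\S+)")


def parse_proxy_value(value):
    """WinINET ProxyServer is either 'host:port' (all protocols) or
    'proto=host:port;proto=host:port'. Returns {proto: (host, port)}; '*' = all."""
    out = {}
    for part in value.split(";"):
        if not part:
            continue
        proto, _, target = part.rpartition("=")
        host, sep, port = target.rpartition(":")
        if not sep:
            host, port = target, ""
        out[proto or "*"] = (host, int(port) if port.isdigit() else None)
    return out


def is_loopback(host):
    # Assumption: a proxy on the local machine is a hijack indicator on a home PC.
    return host.lower() in ("localhost", "::1") or host.startswith("127.")


def triage(lines):
    entries, allow_rules, proxies = [], set(), {}
    for line in lines:
        line = line.strip()
        for kind, rx in (("run", RUN_RE), ("service", SERVICE_RE), ("task", TASK_RE)):
            m = rx.match(line)
            if m:
                entry = m.groupdict()
                entry["kind"] = kind
                entry["unsigned"] = bool(entry["unsigned"])
                entries.append(entry)
                break
        else:
            m = FIREWALL_RE.match(line)
            if m:
                allow_rules.add(m["path"].lower())
                continue
            m = PROXY_RE.match(line)
            if m:
                proxies[m["scope"]] = parse_proxy_value(m["value"])
    for e in entries:
        flags, path_l = set(), e["path"].lower()
        if e["unsigned"]:
            flags.add("unsigned")
        if ntpath.dirname(path_l) == r"c:\windows":
            flags.add("windows-root")  # loose binary directly under C:\Windows, not System32
        if not e["vendor"]:
            flags.add("no-vendor")  # no company name in the version resource
        if e["name"].isdigit():
            flags.add("numeric-name")  # machine-generated task name
        if path_l in allow_rules:
            flags.add("firewall-allow")  # the installer opened the firewall for this binary
        e["flags"] = flags
    persisted = {e["path"].lower() for e in entries}
    loopback = {scope: p for scope, p in proxies.items()
                if any(is_loopback(host) for host, _ in p.values())}
    return {"entries": entries, "loopback_proxy": loopback,
            "orphan_allow_rules": sorted(allow_rules - persisted)}


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for e in report["entries"]:
        if e["flags"]:
            print(f'{e["kind"]:8} {e["name"]:14} {e["path"]}  {sorted(e["flags"])}')
    for scope, p in report["loopback_proxy"].items():
        print("loopback proxy in", scope, p)
    print("allow rules with no persistence entry:", report["orphan_allow_rules"])
```

Two things worth noting from the output. The vendor string FRST prints (for example "FrameZen Co.") comes from the file's version resource, not from a signature check, so WinHostSvc receives no flag here even though the fixlist removes it; only the explicit "[File not signed]" marker is treated as evidence. And a loopback proxy that survives after the listening process has been killed is exactly what makes a browser fail with a proxy connection error, which is why the proxy keys are removed in the same fix as the binaries.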

#5 just10credible (Topic Starter)

Posted 27 December 2015 - 11:44 AM

Thank you for the help so far. What passwords should I be changing? E-Mail? Facebook? What does this infection encompass? The new logs are attached.

 

Attached Files



#6 nasdaq

Posted 27 December 2015 - 03:11 PM

Looking much better.

What are the current issues with this computer?

#7 just10credible (Topic Starter)

Posted 27 December 2015 - 04:09 PM

No issues with browsing so far so good. When I try to open Windows Defender it still says this app is turned off by group policy. What programs should I be using to protect my device? Also, what passwords should I be changing? Thanks again!


Edited by just10credible, 27 December 2015 - 04:12 PM.


#8 nasdaq

Posted 28 December 2015 - 08:03 AM

Try this fix to restore your Windows Defender.


Copy the text IN THE CODE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as type" is set to "All Files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000000

Restart the computer when completed.

You can delete the fixme.reg file when done.

===

I would change all of my important Passwords.
Banking, and important passwords for you.

#9 just10credible (Topic Starter)

Posted 28 December 2015 - 10:40 AM

Ok I seem to be back up and running with Windows Defender! Is that sufficient software to protect the machine or is there something else I should have as well?



#10 nasdaq

Posted 28 December 2015 - 11:17 AM


Enable the Windows Firewall.
http://windows.microsoft.com/en-us/windows-10/turn-windows-firewall-on-or-off

Read this page. Decide if you wish to install a free antivirus.
If you do, Windows Defender will be disabled when the installation is completed.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#11 just10credible (Topic Starter)

Posted 28 December 2015 - 11:28 AM

Ok the Firewall was already enabled. Weird new issue just started. When I try to browse on Chrome I get this message:

 

Unable to connect to the proxy server
ERR_PROXY_CONNECTION_FAILED

 

Windows Edge and Mozilla are both fine. I tried to uninstall Chrome but I was told to close all Chrome browsers before continuing but nothing was open.



#12 nasdaq

Posted 29 December 2015 - 07:49 AM


Refer to this page and remove any proxy settings that you see.
https://support.google.com/chrome/answer/96815?hl=en

#13 just10credible (Topic Starter)

Posted 30 December 2015 - 08:37 PM

I never changed any proxy settings but now it seems to be running ok. Thanks again!



#14 nasdaq

Posted 31 December 2015 - 08:37 AM

The proxy was changed by the infection.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#15 just10credible (Topic Starter)

Posted 31 December 2015 - 08:42 AM

Oh no I was saying I never changed the proxy after your direction. I went to change them and the browser was working correctly. Should be OK?



