Chrome/FF/ other apps don't open. IE8 still works. Win7 64


This topic is locked. 27 replies to this topic.

#1 avocadobaby


Posted 08 May 2016 - 07:21 AM

Infected over 6 months ago, probably from an email opened by an employee. The computer has been unused since then, but now I want to use it.

Virus unknown. Virus scanner: Webroot SecureAnywhere, but not before the infection. An outdated Sophos is also installed but I can't remove it.

Reinstalling Chrome and FF did not fix the applications being blocked from loading. Also the Malwarebytes installer, rKill, TDSSKiller and ESET's installer(?) won't run either, even after renaming the files.

When loading the "blocked" applications, there is no warning or error message to say they couldn't load.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-05-2016
Ran by MDadmin (administrator) on ADMIN-PC (08-05-2016 22:56:15)
Running from C:\Users\MDadmin\Downloads
Loaded Profiles: MDadmin (Available Profiles: MDadmin & Admin)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\regedit.exe
(Microsoft Corporation) C:\Windows\System32\prevhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12446824 2012-01-31] (Realtek Semiconductor)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-27] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642728 2012-09-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM-x32\...\Run: [WRSVC] => C:\Program Files\Webroot\WRSA.exe [873072 2016-05-07] (Webroot)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3086200367-1568247121-1462640224-1115\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [22067296 2014-10-01] (Skype Technologies S.A.)
HKU\S-1-5-21-3086200367-1568247121-1462640224-1115\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-04-21] (SUPERAntiSpyware)
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll [218256 2012-09-21] (Sophos Limited)
AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\sophos_detoured.dll => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll [221840 2012-09-21] (Sophos Limited)
ShellIconOverlayIdentifiers: [ ] -> {1914B27A-33C8-46F8-A1C2-F993268D4564} => C:\Windows\system32\WRusr.dll [2016-05-07] (Webroot)
ShellIconOverlayIdentifiers: [  ] -> {C14874EA-ACE4-4A47-8A81-18C4D1C40868} => C:\Windows\system32\WRusr.dll [2016-05-07] (Webroot)
ShellIconOverlayIdentifiers: [   ] -> {6DA1ED92-315E-4D0B-B354-9D5F519DBA95} => C:\Windows\system32\WRusr.dll [2016-05-07] (Webroot)
ShellIconOverlayIdentifiers: [    ] -> {8D7FC74C-E409-42DF-8EEE-69D45FAE2F30} => C:\Windows\system32\WRusr.dll [2016-05-07] (Webroot)
Startup: C:\Users\admin.JMD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KatMouse.lnk [2013-06-26]
ShortcutTarget: KatMouse.lnk -> C:\Program Files (x86)\KatMouse\KatMouse.exe ()
Startup: C:\Users\MDadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rkill.scr - Shortcut.lnk [2016-05-08]
ShortcutTarget: rkill.scr - Shortcut.lnk -> C:\Users\MDadmin\Downloads\rkill.scr (Bleeping Computer, LLC)
Startup: C:\Users\MDadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdsskil1ler.exe - Shortcut.lnk [2016-05-08]
ShortcutTarget: tdsskil1ler.exe - Shortcut.lnk -> C:\Users\MDadmin\Desktop\tdsskil1ler.exe (Kaspersky Lab ZAO)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.1.1.1
Tcpip\..\Interfaces\{699AAA0A-F22F-4B9A-9D43-D5644AB97685}: [DhcpNameServer] 10.1.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3086200367-1568247121-1462640224-1115\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3086200367-1568247121-1462640224-1115\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3086200367-1568247121-1462640224-1115\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/en-au/?pc=U220&ocid=U220DHP
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-01-08] (Microsoft Corporation)
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll [2016-03-14] (Webroot)
BHO: Webroot Filtering Extension -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Program Files\Common Files\Webroot\WebFiltering\wrflt.dll [2016-05-07] (Webroot)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)
BHO-x32: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar.dll [2016-03-14] (Webroot)
BHO-x32: Webroot Filtering Extension -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Program Files (x86)\Common Files\Webroot\WebFiltering\wrflt.dll [2016-05-07] (Webroot)
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll [2016-03-14] (Webroot)
Toolbar: HKLM-x32 - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll [2016-03-14] (Webroot)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-01-08] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\MDadmin\AppData\Roaming\Mozilla\Firefox\Profiles\zg00avcj.default
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-05-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-05-07] (Google Inc.)
FF Extension: Webroot Password Manager - C:\Users\MDadmin\AppData\Roaming\Mozilla\Firefox\Profiles\zg00avcj.default\Extensions\{8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} [2016-05-07]
FF Extension: Skype - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2016-01-06]

Chrome:
=======
CHR Profile: C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-05-08]
CHR Extension: (Google Drive) - C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-05-01]
CHR Extension: (YouTube) - C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-05-01]
CHR Extension: (Google Search) - C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-05-01]
CHR Extension: (Skype Click to Call) - C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2016-05-08]
CHR Extension: (Google Wallet) - C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-14]
CHR Extension: (Bitdefender QuickScan) - C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnkcidphdcakpkheohlhocaicfamjie [2015-01-14]
CHR Extension: (Gmail) - C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-05-01]
CHR HKLM-x32\...\Chrome\Extension: [kjeghcllfecehndceplomkocgfbklffd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-01-08]
CHR HKLM-x32\...\Chrome\Extension: [ngkhgikojglcgnckopipfdajaifmmnnc] - hxxp://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2016-01-08] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2016-01-08] (Microsoft Corporation)
S2 HicapsConnectServer; C:\Program Files (x86)\HICAPSConnect\HICAPSConnectService.exe [754176 2010-12-09] (HICAPS Pty Ltd.) [File not signed]
S2 HICAPSConnectServiceAgent; C:\Program Files (x86)\HICAPSConnect\HICAPSConnectServiceAgent.exe [159232 2010-12-09] (HICAPS Pty Ltd.) [File not signed]
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [121344 2012-02-07] () [File not signed]
S2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [133632 2012-02-09] ()
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
S3 PrintNotify; C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll [2675200 2012-07-25] (Microsoft Corporation) [File not signed]
S2 SAVAdminService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [217592 2013-01-11] (Sophos Limited)
S2 SAVService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [159296 2012-09-21] (Sophos Limited)
S3 SOEEmailServer; C:\Program Files (x86)\Software of Excellence\EXACT\eMailServer.exe [337920 2013-10-25] () [File not signed]
S2 SoeiDental.WorkstationUpdatePoller; C:\Program Files (x86)\Software of Excellence\EXACT\Soeidental\WorkstationUpdate\SoeiDental.WorkstationUpdatePoller.exe [14848 2013-10-25] (Software of Excellence) [File not signed]
S2 swi_service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2890232 2013-02-04] (Sophos Limited)
S2 swi_update_64; C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe [2010688 2012-11-12] (Sophos Limited)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
S2 WRSVC; C:\Program Files\Webroot\WRSA.exe [873072 2016-05-07] (Webroot)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 asahci64; C:\Windows\System32\DRIVERS\asahci64.sys [49760 2011-09-21] (Asmedia Technology)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [25536 2012-02-09] ()
R3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [25536 2012-02-09] ()
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [44992 2012-02-09] ()
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [154952 2012-09-21] (Sophos Limited)
S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [25608 2012-08-14] (Sophos Plc)
S3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2016-05-08] ()
R0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [117728 2016-03-14] (Webroot)
S3 wrUrlFlt; C:\Windows\system32\DRIVERS\wrUrlFlt.sys [54512 2016-05-07] (Webroot)
S3 BS1074892107; \??\C:\Users\admin.JMD\AppData\Local\Temp\NTFS.sys [X]
U3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-08 22:56 - 2016-05-08 22:56 - 00015243 _____ C:\Users\MDadmin\Downloads\FRST.txt
2016-05-08 22:56 - 2016-05-08 22:56 - 00000000 ____D C:\FRST
2016-05-08 22:55 - 2016-05-08 22:55 - 02379264 _____ (Farbar) C:\Users\MDadmin\Downloads\FRST64.exe
2016-05-08 17:46 - 2016-05-08 17:46 - 00015970 _____ C:\ComboFix.txt
2016-05-08 17:43 - 2011-06-26 16:45 - 00256000 _____ C:\Windows\PEV.exe
2016-05-08 17:43 - 2010-11-08 03:20 - 00208896 _____ C:\Windows\MBR.exe
2016-05-08 17:43 - 2009-04-20 14:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-05-08 17:43 - 2000-08-31 10:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-05-08 17:43 - 2000-08-31 10:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-05-08 17:43 - 2000-08-31 10:00 - 00098816 _____ C:\Windows\sed.exe
2016-05-08 17:43 - 2000-08-31 10:00 - 00080412 _____ C:\Windows\grep.exe
2016-05-08 17:43 - 2000-08-31 10:00 - 00068096 _____ C:\Windows\zip.exe
2016-05-08 17:42 - 2016-05-08 17:46 - 00000000 ____D C:\Qoobox
2016-05-08 17:42 - 2016-05-08 17:45 - 00000000 ____D C:\Windows\erdnt
2016-05-08 17:42 - 2016-05-08 17:42 - 05658358 ____R (Swearware) C:\Users\MDadmin\Downloads\ComboFix.exe
2016-05-08 13:23 - 2016-05-08 13:23 - 00000000 ____D C:\Users\admin.JMD\AppData\Roaming\SUPERAntiSpyware.com
2016-05-08 13:13 - 2016-05-08 13:13 - 00177367 _____ C:\Users\MDadmin\AppData\Local\census.cache
2016-05-08 13:13 - 2016-05-08 13:13 - 00099875 _____ C:\Users\MDadmin\AppData\Local\ars.cache
2016-05-08 12:49 - 2016-05-08 12:49 - 00000036 _____ C:\Users\MDadmin\AppData\Local\housecall.guid.cache
2016-05-08 12:46 - 2016-05-08 12:46 - 00000000 ____D C:\Users\MDadmin\AppData\Local\old local folder
2016-05-08 12:39 - 2016-05-08 12:41 - 00000000 ____D C:\AdwCleaner
2016-05-08 12:39 - 2016-05-08 12:39 - 03615296 _____ C:\Users\MDadmin\Downloads\AdwCleaner.exe
2016-05-08 12:38 - 2016-05-08 12:38 - 02870984 _____ (ESET) C:\Users\MDadmin\Downloads\esetsmartinstaller_enu.exe
2016-05-08 12:38 - 2016-05-08 12:38 - 00080109 _____ C:\Users\MDadmin\Downloads\adwcleaner.htm
2016-05-08 11:58 - 2016-05-08 13:23 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-05-08 11:58 - 2016-05-08 11:58 - 00001808 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2016-05-08 11:58 - 2016-05-08 11:58 - 00000000 ____D C:\Users\MDadmin\AppData\Roaming\SUPERAntiSpyware.com
2016-05-08 11:58 - 2016-05-08 11:58 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-05-08 11:58 - 2016-05-08 11:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-05-08 11:56 - 2016-05-08 11:57 - 22851472 _____ (Malwarebytes ) C:\Users\MDadmin\Desktop\mbdam-setup-bc.1878-2.2.1.1043.exe
2016-05-08 11:54 - 2016-05-08 11:54 - 22851472 _____ (Malwarebytes ) C:\Users\MDadmin\Downloads\mbam-setup-2.2.1.1043.exe
2016-05-08 11:52 - 2016-05-08 11:52 - 25771544 _____ (SUPERAntiSpyware) C:\Users\MDadmin\Downloads\SUPERAntiSpyware.exe
2016-05-08 11:45 - 2016-05-08 11:45 - 00007422 _____ C:\Users\MDadmin\Downloads\startuplist.txt
2016-05-08 11:43 - 2016-05-08 11:43 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\MDadmin\Downloads\eXplorer.exe
2016-05-08 11:41 - 2016-05-08 11:41 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\MDadmin\Downloads\iExplore.exe
2016-05-08 11:41 - 2016-05-08 11:41 - 00000000 ____D C:\Users\MDadmin\AppData\Local\ElevatedDiagnostics
2016-05-08 11:36 - 2016-05-08 11:37 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\MDadmin\Downloads\rkill.scr
2016-05-08 11:35 - 2016-05-08 11:35 - 00000335 _____ C:\Users\MDadmin\Downloads\FixExe.reg
2016-05-08 11:26 - 2016-05-08 11:26 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\MDadmin\Desktop\tdsskil1ler.exe
2016-05-08 11:12 - 2016-05-08 11:12 - 00001169 _____ C:\Users\MDadmin\Desktop\sophos.bat
2016-05-08 11:12 - 2016-05-08 11:12 - 00000000 ____D C:\Users\MDadmin\AppData\Roaming\Adobe
2016-05-08 11:12 - 2016-05-08 11:12 - 00000000 ____D C:\Users\MDadmin\AppData\LocalLow\Adobe
2016-05-08 11:12 - 2016-05-08 11:12 - 00000000 ____D C:\Users\MDadmin\AppData\Local\Adobe
2016-05-08 10:59 - 2016-05-08 10:59 - 00000000 ____D C:\Users\MDadmin\AppData\Local\FSDART
2016-05-08 10:58 - 2016-05-08 11:04 - 00000000 ____D C:\ProgramData\F-Secure
2016-05-08 10:58 - 2016-05-08 10:58 - 00000000 ____D C:\Users\MDadmin\AppData\Local\F-Secure
2016-05-08 10:54 - 2016-05-08 10:54 - 02406064 _____ (Trend Micro Inc.) C:\Users\MDadmin\Downloads\HousecallLauncher64.exe
2016-05-07 11:17 - 2016-05-08 11:09 - 00000000 ____D C:\Users\MDadmin\Downloads\backups
2016-05-07 11:15 - 2016-05-07 11:15 - 00388608 _____ (Trend Micro Inc.) C:\Users\MDadmin\Downloads\HijackThis.exe
2016-05-07 11:13 - 2016-05-07 11:13 - 00002271 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-05-07 11:13 - 2016-05-07 11:13 - 00002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-05-07 11:10 - 2016-05-08 13:31 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-07 11:10 - 2016-05-08 12:47 - 00000000 ____D C:\Users\MDadmin\AppData\Local\Apps\2.0
2016-05-07 11:10 - 2016-05-08 11:15 - 00000902 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-07 11:10 - 2016-05-07 11:10 - 00003898 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-05-07 11:10 - 2016-05-07 11:10 - 00003646 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-05-07 11:10 - 2016-05-07 11:10 - 00000000 ____D C:\Users\MDadmin\AppData\Local\Deployment
2016-05-07 11:03 - 2016-05-08 11:12 - 00000000 ____D C:\Users\MDadmin\AppData\LocalLow\LastPass
2016-05-07 10:44 - 2016-05-07 10:44 - 00000000 ____D C:\Program Files\Common Files\Webroot

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-08 17:46 - 2013-08-22 08:58 - 01193228 _____ C:\Windows\ntbtlog.txt
2016-05-08 17:45 - 2009-07-14 12:34 - 00000215 _____ C:\Windows\system.ini
2016-05-08 13:43 - 2013-01-31 15:50 - 00034752 _____ C:\Windows\system32\Drivers\WPRO_41_2001.sys
2016-05-08 13:41 - 2009-07-14 15:08 - 00032564 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-05-08 13:37 - 2009-07-14 14:45 - 00021680 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-08 13:37 - 2009-07-14 14:45 - 00021680 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-08 13:32 - 2013-05-01 11:12 - 00000000 ____D C:\Users\MDadmin\AppData\Roaming\Skype
2016-05-08 13:31 - 2013-01-31 15:48 - 00000828 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2016-05-08 13:31 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\inf
2016-05-08 13:30 - 2013-04-28 21:14 - 00000000 ____D C:\Program Files (x86)\HICAPSConnect
2016-05-08 13:30 - 2009-07-14 15:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-08 13:23 - 2016-03-14 19:30 - 00000000 ____D C:\Users\admin.JMD\AppData\LocalLow\LastPass
2016-05-08 13:23 - 2013-05-02 10:56 - 00000000 ____D C:\Users\admin.JMD\AppData\Roaming\Skype
2016-05-08 13:22 - 2013-05-01 00:40 - 00000000 ____D C:\ProgramData\ControlCenter4
2016-05-08 13:22 - 2013-05-01 00:40 - 00000000 ____D C:\Program Files (x86)\ControlCenter4
2016-05-08 13:22 - 2013-05-01 00:40 - 00000000 ____D C:\Program Files (x86)\Browny02
2016-05-08 13:22 - 2013-04-29 10:20 - 00000000 ____D C:\Program Files (x86)\Brother
2016-05-08 13:22 - 2013-04-29 10:20 - 00000000 ____D C:\Brother
2016-05-08 13:22 - 2013-04-28 13:34 - 00000000 ____D C:\ProgramData\Adobe
2016-05-08 12:37 - 2009-07-14 15:32 - 00000000 ____D C:\Windows\Downloaded Program Files
2016-05-08 11:04 - 2016-03-14 19:29 - 00000000 ____D C:\ProgramData\WRData
2016-05-08 10:42 - 2016-03-14 19:29 - 00000000 ____D C:\Program Files\Webroot
2016-05-08 10:42 - 2013-04-28 21:14 - 00000000 ____D C:\ProgramData\HICAPSConnect
2016-05-07 16:56 - 2013-01-31 15:48 - 00000830 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2016-05-07 11:27 - 2009-07-14 13:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2016-05-07 11:25 - 2015-01-13 17:12 - 00000000 ____D C:\Windows\system32\appmgmt
2016-05-07 11:13 - 2013-04-28 16:43 - 00000000 ____D C:\Program Files (x86)\Google
2016-05-07 11:10 - 2013-05-01 01:24 - 00000000 ____D C:\Users\MDadmin\AppData\Local\Google
2016-05-07 11:09 - 2013-07-03 09:18 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-05-07 10:58 - 2016-03-14 19:29 - 00181688 _____ (Webroot) C:\Windows\SysWOW64\WRusr.dll
2016-05-07 10:58 - 2016-03-14 19:29 - 00117304 _____ (Webroot) C:\Windows\system32\WRusr.dll
2016-05-07 10:44 - 2016-03-14 19:29 - 00054512 ____T (Webroot) C:\Windows\system32\Drivers\wrUrlFlt.sys

==================== Files in the root of some directories =======

2016-03-14 19:30 - 2016-03-14 19:30 - 12964920 _____ (Webroot Software, Inc.) C:\Program Files (x86)\Common Files\wruninstall.exe
2016-05-08 13:13 - 2016-05-08 13:13 - 0099875 _____ () C:\Users\MDadmin\AppData\Local\ars.cache
2016-05-08 13:13 - 2016-05-08 13:13 - 0177367 _____ () C:\Users\MDadmin\AppData\Local\census.cache
2016-05-08 12:49 - 2016-05-08 12:49 - 0000036 _____ () C:\Users\MDadmin\AppData\Local\housecall.guid.cache

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-05-08 00:51

==================== End of FRST.txt ============================


#2 avocadobaby

avocadobaby
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:49 AM

Posted 08 May 2016 - 07:51 AM

Actually... it's weird, but I'm in Safe Mode and I reinstalled Firefox and it works. And so does Chrome now as well (which is weird because I haven't done anything to fix it that I can think of, and it wasn't working earlier). I still can't load rKill or the Malwarebytes installer, so there's still something wrong.

I installed IE11 (maybe prematurely), booted into normal mode, and Firefox, Chrome and IE11 still don't load.

Safe Mode again, all browsers work. (I had to click on Chrome heaps of times to get it to load one instance.)


Edited by avocadobaby, 08 May 2016 - 08:34 AM.


#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:49 PM

Posted 08 May 2016 - 08:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Startup: C:\Users\MDadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rkill.scr - Shortcut.lnk [2016-05-08]
ShortcutTarget: rkill.scr - Shortcut.lnk -> C:\Users\MDadmin\Downloads\rkill.scr (Bleeping Computer, LLC)
Startup: C:\Users\MDadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdsskil1ler.exe - Shortcut.lnk [2016-05-08]
ShortcutTarget: tdsskil1ler.exe - Shortcut.lnk -> C:\Users\MDadmin\Desktop\tdsskil1ler.exe (Kaspersky Lab ZAO)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3086200367-1568247121-1462640224-1115\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Google Wallet) - C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-14]
CHR HKLM-x32\...\Chrome\Extension: [ngkhgikojglcgnckopipfdajaifmmnnc] - hxxp://clients2.google.com/service/update2/crx
S3 BS1074892107; \??\C:\Users\admin.JMD\AppData\Local\Temp\NTFS.sys [X]
U3 catchme; \??\C:\ComboFix\catchme.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:9A870F8B [466]
C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please post the logs and let me know what problem persists with this computer.
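The fixlist above was assembled by hand from the FRST log in the first post: the lines FRST marked <======= ATTENTION (the Chrome and Internet Explorer policy restrictions), the two Startup-folder shortcuts, and the two driver entries whose file no longer exists ([X]). As an added example, not FRST's own code and not part of the original thread, the Python below does that triage mechanically: it reads an FRST.txt, groups the lines a responder would review, and drafts a fixlist body in the same Start/End form. The sample log text is a constructed excerpt of the log posted above. The rule that "[File not signed]" and AppInit_DLLs entries are listed for review but kept out of the draft fixlist is an editorial choice of this example, not an FRST rule.

```python
"""Triage an FRST.txt log into the groups a malware responder reviews and
draft a fixlist.txt body from them.  Added example, not FRST's own code."""
import re

# Constructed excerpt of the FRST log posted in this thread (sample input).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===========================
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12446824 2012-01-31] (Realtek Semiconductor)
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll [218256 2012-09-21] (Sophos Limited)
Startup: C:\Users\MDadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rkill.scr - Shortcut.lnk [2016-05-08]
ShortcutTarget: rkill.scr - Shortcut.lnk -> C:\Users\MDadmin\Downloads\rkill.scr (Bleeping Computer, LLC)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
==================== Internet (Whitelisted) ====================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
==================== Services (Whitelisted) ========================
S2 HicapsConnectServer; C:\Program Files (x86)\HICAPSConnect\HICAPSConnectService.exe [754176 2010-12-09] (HICAPS Pty Ltd.) [File not signed]
S2 WRSVC; C:\Program Files\Webroot\WRSA.exe [873072 2016-05-07] (Webroot)
===================== Drivers (Whitelisted) ==========================
S3 BS1074892107; \??\C:\Users\admin.JMD\AppData\Local\Temp\NTFS.sys [X]
U3 catchme; \??\C:\ComboFix\catchme.sys [X]
"""

# FRST section headers look like "==== Name ====" with a variable run of '='.
SECTION_RE = re.compile(r"^=+ (.+?) =+$")


def triage(log_text):
    """Group the review-worthy lines of an FRST log, keyed by why they matter.
    Each value is a list of (section, raw_line) so the reader can see where
    in the log the entry came from."""
    groups = {
        "attention": [],     # FRST itself flagged the entry (<======= ATTENTION)
        "missing_file": [],  # service/driver whose binary is gone ([X])
        "unsigned": [],      # loaded binary without an Authenticode signature
        "startup": [],       # Startup-folder shortcuts and their targets
        "appinit": [],       # AppInit_DLLs, loaded into every process using user32
    }
    section = None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if "<======= ATTENTION" in line:
            groups["attention"].append((section, line))
        if line.endswith("[X]"):
            groups["missing_file"].append((section, line))
        if "[File not signed]" in line:
            groups["unsigned"].append((section, line))
        if line.startswith(("Startup:", "ShortcutTarget:")):
            groups["startup"].append((section, line))
        if line.startswith("AppInit_DLLs"):
            groups["appinit"].append((section, line))
    return groups


def build_fixlist(groups):
    """Draft a fixlist body in the Start/End form FRST expects.  Only the
    unambiguous groups go in: flagged entries, orphaned services/drivers and
    the Startup shortcuts.  'unsigned' and 'appinit' are left for a human
    to review (in this thread they are a dental-practice service and Sophos
    hooks, not malware); that split is an editorial rule of this example."""
    body = ["Start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    for key in ("startup", "attention", "missing_file"):
        body.extend(line for _, line in groups[key])
    body += ["", "End"]
    return "\n".join(body)


if __name__ == "__main__":
    g = triage(SAMPLE_LOG)
    for key, entries in g.items():
        print(f"{key}: {len(entries)}")
    print(build_fixlist(g))
```

FRST accepts a raw log line in fixlist.txt and decides what to do from its prefix, which is why the fixlist in the post is mostly log lines copied verbatim. Treat the draft as a starting point: the "unsigned" and "appinit" groups are printed so they get looked at, not so they get removed.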

#4 avocadobaby


Posted 08 May 2016 - 09:06 AM

Thanks nasdaq

 

I rebooted in normal mode:

Firefox and IE11 load, but Chrome does not. It doesn't start. I can load an instance of Chrome if I click on the icon about 8 times very quickly (it took about 20 the first time); otherwise nothing happens.

The rkill.scr was a renamed rKill.exe tool, and tdsskil1ler.exe was a renamed Kaspersky tdsskiller.exe tool.

I still can't install Malwarebytes or use rKill. The online virus scanner won't load ESET, and I can't install the ESET scanner.

Fix result of Farbar Recovery Scan Tool (x64) Version:07-05-2016
Ran by MDadmin (2016-05-09 00:54:34) Run:1
Running from C:\Users\MDadmin\Downloads
Loaded Profiles: MDadmin (Available Profiles: MDadmin & Admin)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Startup: C:\Users\MDadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rkill.scr - Shortcut.lnk [2016-05-08]
ShortcutTarget: rkill.scr - Shortcut.lnk -> C:\Users\MDadmin\Downloads\rkill.scr (Bleeping Computer, LLC)
Startup: C:\Users\MDadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdsskil1ler.exe - Shortcut.lnk [2016-05-08]
ShortcutTarget: tdsskil1ler.exe - Shortcut.lnk -> C:\Users\MDadmin\Desktop\tdsskil1ler.exe (Kaspersky Lab ZAO)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3086200367-1568247121-1462640224-1115\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Google Wallet) - C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-14]
CHR HKLM-x32\...\Chrome\Extension: [ngkhgikojglcgnckopipfdajaifmmnnc] - hxxp://clients2.google.com/service/update2/crx
S3 BS1074892107; \??\C:\Users\admin.JMD\AppData\Local\Temp\NTFS.sys [X]
U3 catchme; \??\C:\ComboFix\catchme.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:9A870F8B [466]
C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
*****************

Error: Restore point can only be created in normal mode.
Processes closed successfully.
C:\Users\MDadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rkill.scr - Shortcut.lnk => not found.
C:\Users\MDadmin\Downloads\rkill.scr => moved successfully
C:\Users\MDadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdsskil1ler.exe - Shortcut.lnk => moved successfully
C:\Users\MDadmin\Desktop\tdsskil1ler.exe => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-3086200367-1568247121-1462640224-1115\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ngkhgikojglcgnckopipfdajaifmmnnc" => key removed successfully
BS1074892107 => service removed successfully
catchme => service removed successfully
C:\ProgramData\TEMP => ":9A870F8B" ADS removed successfully.
"C:\Users\MDadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
EmptyTemp: => 186 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 00:54:36 ====

 


Edited by avocadobaby, 08 May 2016 - 09:09 AM.


#5 avocadobaby


Posted 08 May 2016 - 10:01 AM

I know you didn't ask for this, but I thought I'd post a new log for FRST. Sorry if it slows you down.

Attached File  FRST.txt   57.45KB   1 downloads 

Attached File  Addition.txt   28.67KB   1 downloads



#6 nasdaq


Posted 08 May 2016 - 01:04 PM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start


CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon at the top right of the window.

Click "Settings" then "Show advanced settings" at the bottom of the screen.

Click the "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.

====

Let me know if the problem persists.
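The fixlist in post #4 and the one just given both remove browser policy keys that FRST reports as "Restriction", and the first one also removed two Startup-folder shortcuts. The following is an added example, not from the thread and not part of FRST: a read-only PowerShell audit that lists the same artifacts, so a defender can confirm they are gone after a fix or spot them on another machine before writing one. The registry paths are the ones the Fixlog names; the HKU: drive name and the $policyFindings / $startupFindings object layout are my own choices.

```powershell
# Added example, not from the thread and not part of FRST: a read-only audit
# of the artifacts the Fixlogs above removed (browser policy keys that FRST
# reports as "Restriction", and Startup-folder shortcuts with their targets).
# Uses only cmdlets present in PowerShell 2.0, the version Windows 7 ships
# with. Run from an elevated PowerShell; nothing here changes the system.

# --- 1. Browser policy keys -------------------------------------------------
# Chrome and Internet Explorer read policy from these keys; any value set here
# overrides the user's own settings. On a domain member, compare findings with
# the GPOs the domain is expected to push before calling a value malicious.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
)

# Per-user policy keys live under HKEY_USERS. PowerShell defines no HKU:
# drive by default, so create one for this session (drive name is my choice).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in (Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue)) {
    # Only real account SIDs (S-1-5-21-...), not the *_Classes hives.
    if ($hive.PSChildName -match '^S-1-5-21-[\d-]+$') {
        $policyKeys += "HKU:\$($hive.PSChildName)\SOFTWARE\Policies\Microsoft\Internet Explorer"
    }
}

$policyFindings = foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    # Walk the key and all of its subkeys and emit every value that is set.
    $keys = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            New-Object PSObject -Property @{
                Key   = $k.Name
                Value = $name
                Data  = [string]$k.GetValue($name)
            }
        }
    }
}

# --- 2. Startup-folder shortcuts -------------------------------------------
# Resolve each .lnk to its target and report whether the target exists and
# whether it carries a valid Authenticode signature (FRST prints the signer
# in parentheses on its ShortcutTarget lines).
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$startupFindings = foreach ($dir in $startupDirs) {
    foreach ($lnk in (Get-ChildItem $dir -Filter *.lnk -ErrorAction SilentlyContinue)) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        $status = if ($target -and (Test-Path $target)) {
            (Get-AuthenticodeSignature $target).Status
        } else {
            'target missing'
        }
        New-Object PSObject -Property @{
            Shortcut  = $lnk.FullName
            Target    = $target
            Signature = $status
        }
    }
}

'== Values under browser policy keys (none expected on a stand-alone PC) =='
$policyFindings | Format-Table Key, Value, Data -AutoSize -Wrap
'== Startup-folder shortcuts =='
$startupFindings | Format-Table Shortcut, Target, Signature -AutoSize -Wrap
```

Run it once before a fix to record what is there and once after the reboot to confirm the keys are empty; an empty policy table on a stand-alone PC like this one is the expected result, while on a domain member the values present should match the domain's own GPOs.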

#7 avocadobaby


Posted 09 May 2016 - 05:48 AM

Thanks Nasdaq

Ran the fix.

Cleared Chrome cache and cookies from the beginning of time.

Chrome still has to be clicked multiple times (quickly) to load. Sometimes it might load after 2 clicks, but usually it doesn't load at all.

The Malwarebytes installer is still disabled (other similar applications are disabled from launching).

Fix result of Farbar Recovery Scan Tool (x64) Version:07-05-2016
Ran by MDadmin (2016-05-09 21:35:16) Run:2
Running from C:\Users\MDadmin\Downloads
Loaded Profiles: MDadmin (Available Profiles: MDadmin & Admin)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start


CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

End
*****************

Processes closed successfully.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully


The system needed a reboot.

==== End of Fixlog 21:35:16 ====



#8 nasdaq


Posted 09 May 2016 - 07:38 AM

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

Re-install Chrome and the bookmarks.

If you want to save all your settings, refer to this page and follow its instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>

How is it now?

#9 avocadobaby


Posted 09 May 2016 - 09:13 AM

Great job, Chrome works: uninstalled Chrome, downloaded/installed Chrome x64 (previously 32-bit). Chrome loads on the 1st click.

I still can't load the Malwarebytes installer, rKill, the ESET online scanner, or Kaspersky TDSSKiller.



#10 nasdaq


Posted 09 May 2016 - 01:00 PM

Please download MiniToolBox to the Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries

Click Go and copy/paste the log (Result.txt) into your next post.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.


#11 avocadobaby


Posted 09 May 2016 - 05:22 PM

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by MDAdmin (administrator) on 10-05-2016 at 09:15:44
Running from "C:\Users\mdadmin\Downloads"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: To Be Filled By O.E.M. Manufacturer: To Be Filled By O.E.M.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================

Broadcom NetLink ™ Gigabit Ethernet = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Admin-PC
   Primary Dns Suffix  . . . . . . . : JMD.local
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : JMD.local
                                       iiNet

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : iiNet
   Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
   Physical Address. . . . . . . . . : BC-5F-F4-8B-89-22
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a844:3774:29e4:9390%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.1.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, 10 May 2016 9:12:42 AM
   Lease Expires . . . . . . . . . . : Wednesday, 11 May 2016 9:12:42 AM
   Default Gateway . . . . . . . . . : 10.1.1.1
   DHCP Server . . . . . . . . . . . : 10.1.1.1
   DHCPv6 IAID . . . . . . . . . . . : 247226356
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-9B-BD-D3-BC-5F-F4-57-1B-9E
   DNS Servers . . . . . . . . . . . : 10.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.iiNet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : iiNet
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  (null).iiNet
Address:  10.1.1.1

Name:    google.com
Addresses:  2404:6800:4006:806::200e
      59.167.145.249
      59.167.145.219
      59.167.145.240
      59.167.145.241
      59.167.145.230
      59.167.145.208
      59.167.145.227
      59.167.145.234
      59.167.145.218
      59.167.145.212
      59.167.145.245
      59.167.145.251
      59.167.145.223
      59.167.145.216
      59.167.145.238
      59.167.145.229


Pinging google.com [59.167.145.249] with 32 bytes of data:
Reply from 59.167.145.249: bytes=32 time=26ms TTL=61
Reply from 59.167.145.249: bytes=32 time=27ms TTL=61

Ping statistics for 59.167.145.249:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 26ms, Maximum = 27ms, Average = 26ms
Server:  (null).iiNet
Address:  10.1.1.1

Name:    yahoo.com
Addresses:  2001:4998:c:a06::2:4008
      2001:4998:44:204::a7
      2001:4998:58:c02::a9
      206.190.36.45
      98.139.183.24
      98.138.253.109


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=222ms TTL=52
Reply from 206.190.36.45: bytes=32 time=221ms TTL=52

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 221ms, Maximum = 222ms, Average = 221ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 11...bc 5f f4 8b 89 22 ......Broadcom NetLink ™ Gigabit Ethernet
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1         10.1.1.6     20
         10.1.1.0    255.255.255.0         On-link          10.1.1.6    276
         10.1.1.6  255.255.255.255         On-link          10.1.1.6    276
       10.1.1.255  255.255.255.255         On-link          10.1.1.6    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link          10.1.1.6    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link          10.1.1.6    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    276 fe80::/64                On-link
 11    276 fe80::a844:3774:29e4:9390/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/10/2016 09:14:29 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/10/2016 09:12:38 AM) (Source: ISCT Agent) (User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2

Error: (05/10/2016 01:12:29 AM) (Source: ISCT Agent) (User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2

Error: (05/10/2016 01:11:32 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is . The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (05/10/2016 01:07:26 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/10/2016 01:05:35 AM) (Source: ISCT Agent) (User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2

Error: (05/10/2016 01:04:05 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is . The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (05/10/2016 01:00:00 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/10/2016 12:58:08 AM) (Source: ISCT Agent) (User: )
Description: CAgentState::DoPeriodicSuspendResume    ****Error in initialize NetDetect, status = 0x2

Error: (05/09/2016 10:58:30 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.


System errors:
=============
Error: (05/10/2016 09:12:52 AM) (Source: Microsoft-Windows-GroupPolicy) (User: JMD)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (05/10/2016 09:12:50 AM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (05/10/2016 09:12:39 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (05/10/2016 09:12:38 AM) (Source: Service Control Manager) (User: )
Description: The Sophos Web Intelligence Service service failed to start due to the following error:
%%1053

Error: (05/10/2016 09:12:38 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Sophos Web Intelligence Service service to connect.

Error: (05/10/2016 09:12:38 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the SoeiDental.WorkstationUpdatePoller service to connect.

Error: (05/10/2016 09:12:38 AM) (Source: Service Control Manager) (User: )
Description: The Sophos Anti-Virus status reporter service failed to start due to the following error:
%%1053

Error: (05/10/2016 09:12:38 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Sophos Anti-Virus status reporter service to connect.

Error: (05/10/2016 09:12:38 AM) (Source: Service Control Manager) (User: )
Description: The Sophos Anti-Virus service failed to start due to the following error:
%%1053

Error: (05/10/2016 09:12:38 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Sophos Anti-Virus service to connect.


Microsoft Office Sessions:
=========================
Error: (12/03/2014 10:18:41 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 0 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (11/10/2014 08:53:51 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 4 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (10/09/2014 08:24:25 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1993 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (09/02/2014 08:09:27 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 389 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (05/07/2014 08:13:07 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 0 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (01/14/2014 10:08:16 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 0 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (01/07/2014 08:26:04 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 0 seconds with 0 seconds of active time.  This session ended with a crash.


CodeIntegrity Errors:
===================================
  Date: 2016-05-08 17:45:19.229
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-05-08 17:45:19.229
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


**** End of log ****
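The MiniToolBox options requested in post #10 and the Result.txt above cover the hosts file, the IE proxy settings and the Winsock catalog. Here is an added PowerShell example, not from the thread and not MiniToolBox's code, that reads the same three sources on a machine and reports only the entries a defender would want to look at: hosts lines that are anything other than a loopback mapping for localhost, a configured WinINET proxy or PAC URL, and any Winsock provider DLL that lives outside the Windows directory. The $findings object layout is mine; the "Provider Path:" parsing assumes the English-language output of netsh winsock show catalog; the value names ProxyEnable, ProxyServer and AutoConfigURL are the standard WinINET ones under Internet Settings.

```powershell
# Added example, not from the thread and not part of MiniToolBox: a read-only
# pass over the hosts file, the current user's WinINET (IE) proxy settings and
# the Winsock catalog, flagging only entries worth a closer look. Uses only
# cmdlets present in PowerShell 2.0 (Windows 7's default). Run elevated.

$findings = @()

# --- 1. Hosts file ---------------------------------------------------------
# A clean Windows 7 hosts file contains at most loopback lines for localhost;
# malware commonly adds entries that redirect or sinkhole AV update hosts.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = @('127.0.0.1', '::1')
foreach ($raw in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
    $line = ($raw -split '#')[0].Trim()          # drop comments and padding
    if ($line -eq '') { continue }
    $fields = $line -split '\s+'                  # address, then host name(s)
    if ($loopback -notcontains $fields[0] -or $fields[1] -ne 'localhost') {
        $findings += New-Object PSObject -Property @{
            Check = 'hosts'; Item = $line; Note = 'mapping other than loopback -> localhost'
        }
    }
}

# --- 2. WinINET proxy for the current user ---------------------------------
# ProxyEnable=1 with a ProxyServer, or an AutoConfigURL (PAC script), sends
# this user's browser traffic through whatever is named there.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
    $findings += New-Object PSObject -Property @{
        Check = 'proxy'; Item = $inet.ProxyServer; Note = 'WinINET proxy enabled'
    }
}
if ($inet.AutoConfigURL) {
    $findings += New-Object PSObject -Property @{
        Check = 'proxy'; Item = $inet.AutoConfigURL; Note = 'PAC script configured'
    }
}

# --- 3. Winsock catalog ----------------------------------------------------
# Each provider (LSP or namespace provider) names its DLL on a "Provider Path:"
# line of `netsh winsock show catalog`. In the log above every provider is a
# Microsoft DLL under System32 / SysWOW64; a DLL anywhere else is loaded into
# every process that opens a socket, so it is reported with its signature.
$winDir = $env:SystemRoot
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
        $dll = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if ($dll -like "$winDir\*") { continue }      # -like is case-insensitive
        $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'file missing' }
        $findings += New-Object PSObject -Property @{
            Check = 'winsock'; Item = $dll; Note = "outside $winDir, signature: $sig"
        }
    }
}

if ($findings.Count -eq 0) {
    'No findings: hosts file is loopback-only, no proxy/PAC set, all Winsock providers under the Windows directory.'
} else {
    $findings | Format-Table Check, Item, Note -AutoSize -Wrap
}
```

On the log above this script would report nothing: the hosts file has a single 127.0.0.1 localhost line, MiniToolBox shows "Proxy is not enabled", and all Catalog5/Catalog9 entries point at DLLs under C:\Windows. The script only reads; if it does flag a Winsock provider, remove it with the vendor's uninstaller or `netsh winsock reset` rather than by deleting the DLL, since a broken catalog leaves the machine without working sockets.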
 



#12 nasdaq


Posted 10 May 2016 - 06:59 AM

Please remove Sophos using their uninstaller tool.
https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx

Restart the computer normally.

Any improvement?

#13 avocadobaby


Posted 10 May 2016 - 07:20 AM

I downloaded it, but it seems to be blocked from loading just like the other applications I mentioned earlier. I also tried in safe mode.



#14 nasdaq


Posted 10 May 2016 - 07:27 AM

Webroot may be objecting.

See if you can restore it from the quarantine folder.
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Managing-Quarantined-Items/ta-p/55120

#15 avocadobaby


Posted 10 May 2016 - 07:32 AM

I had disabled Webroot. There's an option to turn off protection and you enter a code. It's not in the quarantine.


