Anti-malware (multiple) won't update.


This topic is locked
50 replies to this topic

#1 magnesium (Members, 28 posts)

Posted 16 July 2016 - 08:30 PM

Hi,

My son's PC slowed significantly last week. Applications open slowly. Applications hang. The familiar "updating Steam" popup hangs and never resolves. But most worrisome is the inability to update any antimalware software. Malwarebytes won't update. RKill had to be imported on a USB drive (downloaded on an Ubuntu machine). A new download of Malwarebytes had to be imported by USB, too. Kaspersky antivirus won't update. Update failures give a message "cannot reach server." And nothing can be uninstalled.

I can access websites with Firefox, however, so we do have a connection with the outside world.

Per Bleeping's instructions, I tried to go to the firewall dialog window. It never opens. I disconnected the wifi antenna and only temporarily connected ethernet to test connectivity.

FRST created a FRST file, but it has hung while "scanning hosts." There is an Addition.txt, but it is 0 KB so far.

UPDATE: Addition.txt increased to 12 KB, but the window header says "(not responding)."

I will do a new post to this thread if FRST changes these files.

Thanks

 

 

#2 mAL_rEm018 (Malware Response Team, 311 posts)

Posted 17 July 2016 - 12:28 AM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 4 days will result in this thread being closed.


Hello magnesium,

My name is mAL_rEm018, but feel free to call me mAL.  I will be helping you with your malware related problems. :)

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you will need to take your computer to a repair shop.


Because of this, I advise you to backup any personal files and folders before you start.


Cobian Backup
DriveImage XML


To make sure everything goes smoothly, I would like you to observe the following rules:

  • You must have Administrator rights, permissions for this computer.
  • Please reply to this thread.  Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum.  Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".

I am currently reviewing your logs and will return as soon as possible with additional instructions.


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#3 mAL_rEm018 (Malware Response Team, 311 posts)

Posted 17 July 2016 - 02:05 AM

Hello magnesium,
 

(Bleeping Computer, LLC) F:\rikle64.exe

Did you rename "rkill.exe" to "rikle64.exe"?

 

Backup your registry using TCRB


  • Please download TCRB to your Desktop.
  • Open Tweaking.com Registry Backup.
  • Click on the Backup Registry tab and ensure that all options are checked.
  • Press on Backup Now.
  • Wait until the backup is complete and exit the program.

Both the logs you provided are incomplete.  Please move FRST64.exe to your desktop and do the following:



  • Right-click on FRST64.exe and select Run as administrator.
  • Ensure that Addition.txt is checked.
  • Select Scan.
  • When the scan is over two windows will open, FRST.txt and Addition.txt.
  • Please post the contents of both logs in your next reply.

Next..

Farbar Service Scanner


  • Please download Farbar Service Scanner from Here
  • Save it to your desktop.
  • Right-Click on FSS.exe and select Run as Administrator.
  • Ensure that the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Click on Scan.
  • Once the process is over, a log entitled FSS.txt will open. Please post the contents of FSS.txt in your next reply.


-----------------------------------------
In your next reply, I would like to see..

  • Did you have trouble performing any of the steps?
  • Answer to my question.
  • FRST.txt
  • Addition.txt
  • FSS.txt

Please post each log separately to prevent it from being cut off by the forum post size limiter.
Check each log after you've posted it to make sure it's all present; if any log is cut off, you'll have to post it in sections.

 




#4 magnesium (Topic Starter, Members, 28 posts)

Posted 17 July 2016 - 08:42 AM

Hello mAL_rEm018,

Once again, I had trouble with FRST. It is currently hanging and I got the same .txt files, I think. FRST hung up like this last night; after an hour I killed it through Task Manager. Will post .txt files separately per your instructions, but I don't think that they exceed the size limiter. I had no other problems.

Yes, I renamed Rkill to Rikl. I also renamed Malwarebytes to Narita. Didn't fool it.

Files to follow.



#5 magnesium (Topic Starter, Members, 28 posts)

Posted 17 July 2016 - 08:45 AM

Attached Files
  • Addition.txt
  • FRST.txt



#6 magnesium (Topic Starter, Members, 28 posts)

Posted 17 July 2016 - 08:46 AM

FSS.txt

FRST is still thinking/hanging while it is "scanning hosts."

Attached Files
  • FSS.txt (2.51 KB, 4 downloads)


#7 mAL_rEm018 (Malware Response Team, 311 posts)

Posted 17 July 2016 - 03:40 PM

Hello magnesium,

Please boot into safe mode and try to run the Farbar Recovery Scan Tool from there:  Boot to Safemode - Safely.




#8 magnesium (Topic Starter, Members, 28 posts)

Posted 17 July 2016 - 05:55 PM

Thanks,

Booted in safe mode. Perfect.

I'm attaching the logs to this message.



#9 magnesium (Topic Starter, Members, 28 posts)

Posted 17 July 2016 - 06:20 PM

My apologies,

I forgot to run FRST and FSS as an administrator. Looks like the logs may be different. I am attaching them to this post.

Thanks



#10 mAL_rEm018 (Malware Response Team, 311 posts)

Posted 17 July 2016 - 10:55 PM

Hello magnesium,
 

Booted in safe mode.  Perfect.

I'm attaching the logs to this message.

It worked, the logs are complete.  :thumbup2:  While I analyze them, I have a few questions I would like you to answer:



  • Did you set your Internet Explorer Start Page to about:blank?

    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKU\S-1-5-21-1175678232-650165808-294897172-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

  • I noticed quite a few Memory/minidump files on the computer. These are the results of Blue Screen of Death (BSOD), which appear when there is a system crash. Did the symptoms mentioned in your initial post appear after the BSODs started occurring?

    2016-07-12 17:50 - 2016-07-12 17:50 - 00395160 _____ C:\Windows\Minidump\071216-16021-01.dmp
    2016-07-12 17:27 - 2016-07-12 17:27 - 00428960 _____ C:\Windows\Minidump\071216-16988-01.dmp
    2016-07-03 10:21 - 2016-07-03 10:21 - 00424752 _____ C:\Windows\Minidump\070316-7659-01.dmp
    2016-06-28 16:21 - 2016-06-28 16:21 - 01070320 _____ C:\Windows\Minidump\062816-6489-01.dmp
    2016-06-25 18:43 - 2016-06-25 18:43 - 00437536 _____ C:\Windows\Minidump\062516-6349-01.dmp
    2016-07-12 17:50 - 2016-03-20 08:20 - 655942567 _____ C:\Windows\MEMORY.DMP

 




#11 magnesium (Topic Starter, Members, 28 posts)

Posted 18 July 2016 - 08:13 AM

Hi mAL_rEm018,

He did not change the home page in IE. Not sure that we have used IE at all, unless it was opened by another link.

BSOD has happened on rare occasions over the last year. I heard him complain more often in the preceding couple of weeks.



#12 mAL_rEm018 (Malware Response Team, 311 posts)

Posted 18 July 2016 - 09:46 PM

Hello magnesium,

Thank you for answering my questions.  Please boot into normal mode and do the following..

MiniToolBox
 

  • Please download MiniToolBox from Here
  • Save it to your desktop.
  • Right-Click on MiniToolBox.exe and select Run as Administrator.
  • Ensure that the following options are checked:
    • Flush DNS
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List IP Configuration
    • List Winsock Entries
  • Click on Go and the scan will now start.
  • Once the scan is over, a window entitled MTB.txt will open.
  • Please copy/paste the contents of MTB.txt in your next reply.


-----------------------------------------
In your next reply, I would like to see..

  • MTB.txt

 




#13 magnesium (Topic Starter, Members, 28 posts)

Posted 18 July 2016 - 10:18 PM

Here is the result of the MiniToolBox scan:

 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by Ian (administrator) on 18-07-2016 at 22:10:36
Running from "C:\Users\Ian\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: H97N-WIFI Manufacturer: Gigabyte Technology Co., Ltd.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ==============================  
 
Proxy is not enabled.
No Proxy Server is set.
 
========================= FF Proxy Settings: ==============================  
 
========================= IP Configuration: ================================
 
Intel® Dual Band Wireless-AC 7260 = Wireless Network Connection (Connected)
VirtualBox Host-Only Ethernet Adapter = VirtualBox Host-Only Network (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Ian-PC
   Primary Dns Suffix  . . . . . . . :  
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : attlocal.net
 
Wireless LAN adapter Wireless Network Connection 3:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
   Physical Address. . . . . . . . . : 82-19-34-62-91-C5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wireless Network Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 82-19-34-62-91-C6
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : attlocal.net
   Description . . . . . . . . . . . : Intel® Dual Band Wireless-AC 7260
   Physical Address. . . . . . . . . : 80-19-34-62-91-C5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2602:306:3b1d:af70::25(Preferred)  
   Lease Obtained. . . . . . . . . . : Monday, July 18, 2016 10:04:41 PM
   Lease Expires . . . . . . . . . . : Wednesday, August 17, 2016 10:04:40 PM
   IPv6 Address. . . . . . . . . . . : 2602:306:3b1d:af70:48dd:ec0e:b2dc:be95(Preferred)  
   Temporary IPv6 Address. . . . . . : 2602:306:3b1d:af70:1c0c:2c00:6377:f972(Preferred)  
   Link-local IPv6 Address . . . . . : fe80::48dd:ec0e:b2dc:be95%13(Preferred)  
   IPv4 Address. . . . . . . . . . . : 192.168.1.109(Preferred)  
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, July 18, 2016 10:04:35 PM
   Lease Expires . . . . . . . . . . : Tuesday, July 19, 2016 10:04:34 PM
   Default Gateway . . . . . . . . . : fe80::923e:abff:fef4:1420%13
                                       192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 293607732
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-58-56-AF-80-19-34-62-91-C5
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Ethernet adapter Bluetooth Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 80-19-34-62-91-C9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter VirtualBox Host-Only Network:
 
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
   Physical Address. . . . . . . . . : 0A-00-27-00-00-11
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1da:f81e:3239:eaa2%17(Preferred)  
   Autoconfiguration IPv4 Address. . : 169.254.234.162(Preferred)  
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :  
   DHCPv6 IAID . . . . . . . . . . . : 671744039
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-58-56-AF-80-19-34-62-91-C5
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.attlocal.net:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : attlocal.net
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{A1E6D6C0-3FF2-48A7-8189-EFE401C42DC7}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{AD5470D1-44C9-4FDA-8AF4-D71A7A17B165}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{A3428554-5D0D-4487-B27C-EA644864E763}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{BB5F20FE-9C83-4687-8313-06854DEEC83E}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{B212A004-CC2A-4B0A-A2DE-B63B03C98EDF}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #7
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  dsldevice.attlocal.net
Address:  192.168.1.254
 
Name:    google.com
Addresses:  2607:f8b0:4002:c05::64
      172.217.4.142
 
 
Pinging google.com [2607:f8b0:4007:801::200e] with 32 bytes of data:
Request timed out.
Reply from 2607:f8b0:4007:801::200e: time=131ms  
 
Ping statistics for 2607:f8b0:4007:801::200e:
    Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 131ms, Maximum = 131ms, Average = 131ms
Server:  dsldevice.attlocal.net
Address:  192.168.1.254
 
Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
      2001:4998:c:a06::2:4008
      2001:4998:58:c02::a9
      98.138.253.109
      206.190.36.45
      98.139.183.24
 
 
Pinging yahoo.com [2001:4998:c:a06::2:4008] with 32 bytes of data:
Reply from 2001:4998:c:a06::2:4008: time=114ms  
Reply from 2001:4998:c:a06::2:4008: time=115ms  
 
Ping statistics for 2001:4998:c:a06::2:4008:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 114ms, Maximum = 115ms, Average = 114ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 15...82 19 34 62 91 c5 ......Microsoft Virtual WiFi Miniport Adapter #2
 14...82 19 34 62 91 c6 ......Microsoft Virtual WiFi Miniport Adapter
 13...80 19 34 62 91 c5 ......Intel® Dual Band Wireless-AC 7260
 11...80 19 34 62 91 c9 ......Bluetooth Device (Personal Area Network)
 17...0a 00 27 00 00 11 ......VirtualBox Host-Only Ethernet Adapter
  1...........................Software Loopback Interface 1
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
 16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
 23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.109     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link   169.254.234.162    266
  169.254.234.162  255.255.255.255         On-link   169.254.234.162    266
  169.254.255.255  255.255.255.255         On-link   169.254.234.162    266
      192.168.1.0    255.255.255.0         On-link     192.168.1.109    281
    192.168.1.109  255.255.255.255         On-link     192.168.1.109    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.109    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   169.254.234.162    266
        224.0.0.0        240.0.0.0         On-link     192.168.1.109    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   169.254.234.162    266
  255.255.255.255  255.255.255.255         On-link     192.168.1.109    281
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 13    281 ::/0                     fe80::923e:abff:fef4:1420
  1    306 ::1/128                  On-link
 13     33 2602:306:3b1d:af70::/64  On-link
 13     41 2602:306:3b1d:af70::/64  fe80::923e:abff:fef4:1420
 13    281 2602:306:3b1d:af70::25/128
                                    On-link
 13    281 2602:306:3b1d:af70:1c0c:2c00:6377:f972/128
                                    On-link
 13    281 2602:306:3b1d:af70:48dd:ec0e:b2dc:be95/128
                                    On-link
 17    266 fe80::/64                On-link
 13    281 fe80::/64                On-link
 17    266 fe80::1da:f81e:3239:eaa2/128
                                    On-link
 13    281 fe80::48dd:ec0e:b2dc:be95/128
                                    On-link
  1    306 ff00::/8                 On-link
 17    266 ff00::/8                 On-link
 13    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
 
**** End of log ****



#14 mAL_rEm018 (Malware Response Team, 311 posts)

Posted 19 July 2016 - 10:32 PM

Hello magnesium,

Please answer the following question..

  • Are you or your son aware of the following restriction?

GroupPolicyScripts-x32: Restriction <======= ATTENTION

 

 

Please run the following fix and give me an update on the computer's behavior..

 

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
CreateRestorePoint:

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1175678232-650165808-294897172-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
C:\Users\Ian\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Ian\AppData\Local\Temp\jre-8u45-windows-au.exe
C:\Users\Ian\AppData\Local\Temp\jre-8u60-windows-au.exe
C:\Users\Ian\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\Ian\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\Ian\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\Ian\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\Ian\AppData\Local\Temp\som_fs.exe
C:\Users\Ian\AppData\Local\Temp\som_mp4_encoder.exe
C:\Users\Ian\AppData\Local\Temp\{867E4163-4355-41DB-890F-5280DDC78088}.exe
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {527BB031-94D9-44AC-B9EE-9BDC8A8C8D64} - \WPD\SqmUpload_S-1-5-21-1175678232-650165808-294897172-1000 -> No File <==== ATTENTION
Task: {936747EC-7274-428A-8DA7-52738B650FC7} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {DC35D645-8B95-42B7-96F8-7C20B7A0876B} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"
FirewallRules: [TCP Query User{8D1832F9-7529-448D-B99F-26E7A58D4BC6}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{63E136D2-4120-4870-85BA-A617D2A089F7}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe

Hosts:
EmptyTemp:
  • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system


  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

 

-----------------------------------------
In your next reply, I would like to see..

  • Answer to my question
  • fixlog.txt

 


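As an added example that is not part of this thread and not code from Farbar's tools, the PowerShell script below re-checks from the defender's side the areas MiniToolBox reported in post #13 and that mAL's fixlist acts on in post #14: proxy settings, the Winsock provider catalog, blocking firewall rules in the registry, and hosts-file overrides. It assumes an elevated PowerShell prompt on the affected Windows 7 machine; the vendor keyword list and the "Query User" rule interpretation are assumptions drawn from the products and log lines the thread names.

```powershell
# Added triage script (assumptions: elevated prompt, Windows 7, PowerShell 2.0+).
# It reproduces the checks a helper reads out of MiniToolBox/FRST when a machine
# can browse but security software "cannot reach server".

$findings = New-Object System.Collections.Generic.List[string]

# 1. Proxy / PAC settings (what "Report IE Proxy Settings" shows). A proxy or
#    auto-config URL the user never set can reroute update traffic while the
#    browser keeps working.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet.ProxyEnable -eq 1) { $findings.Add("Proxy enabled: $($inet.ProxyServer)") }
if ($inet.AutoConfigURL)     { $findings.Add("PAC script configured: $($inet.AutoConfigURL)") }

# 2. Winsock catalog (what "List Winsock Entries" shows; native architecture only).
#    On a clean Windows 7 install every provider DLL lives under System32/SysWOW64
#    and is Microsoft-signed; anything else is a candidate LSP hijack.
$providerPaths = netsh winsock show catalog | ForEach-Object {
    if ($_ -match '^\s*Provider Path:\s*(.+)$') {
        [Environment]::ExpandEnvironmentVariables($matches[1].Trim())
    }
} | Sort-Object -Unique
foreach ($dll in $providerPaths) {
    $inWindows = $dll -match '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\'
    $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
    if (-not $inWindows -or $sig.Status -ne 'Valid') {
        $findings.Add("Suspicious Winsock provider: $dll (signature: $($sig.Status))")
    }
}

# 3. Firewall rules. The "FirewallRules: [TCP Query User{...}firefox.exe] => (Block)"
#    lines in the fixlist are values of this registry key; each value is a
#    '|'-separated list of Key=Value fields (Action=Block, Active=TRUE, Dir=..., App=...).
$ruleKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$rules = Get-Item -Path $ruleKey -ErrorAction SilentlyContinue
if ($rules) {
    foreach ($name in $rules.GetValueNames()) {
        $fields = @{}
        foreach ($pair in ([string]$rules.GetValue($name) -split '\|')) {
            $eq = $pair.IndexOf('=')
            if ($eq -gt 0) { $fields[$pair.Substring(0, $eq)] = $pair.Substring($eq + 1) }
        }
        if ($fields['Action'] -eq 'Block' -and $fields['Active'] -eq 'TRUE' -and $fields['App']) {
            $findings.Add("Active block rule '$name': Dir=$($fields['Dir']) App=$($fields['App'])")
        }
    }
}

# 4. Hosts file (the file FRST hung on while "scanning hosts"). A legitimate hosts
#    file contains no vendor or Windows Update names at all, so any mapping of one,
#    including to 127.0.0.1 or 0.0.0.0, blocks updates and is worth reporting.
#    Keyword list is an assumption taken from the products named in the thread.
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$watchWords = @('malwarebytes', 'kaspersky', 'windowsupdate', 'microsoft')
foreach ($line in (Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
    $entry = ($line -replace '#.*$', '').Trim()   # drop comments and blank lines
    if (-not $entry) { continue }
    $parts = $entry -split '\s+'
    if ($parts.Length -lt 2) { continue }
    $ip = $parts[0]
    foreach ($hostName in $parts[1..($parts.Length - 1)]) {
        foreach ($w in $watchWords) {
            if ($hostName -like "*$w*") { $findings.Add("hosts override: $hostName -> $ip") }
        }
    }
}

if ($findings.Count -eq 0) { 'No findings in the checked areas.' } else { $findings }
```

Each finding maps back to one fixlist line type (registry proxy values, Winsock providers, `FirewallRules:` entries, `Hosts:`), so the output can be checked against the helper's fix before and after it runs.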


#15 magnesium (Topic Starter, Members, 28 posts)

Posted 19 July 2016 - 11:16 PM

We know nothing about that or any other restrictions.

I copied/pasted the text and saved it in the same folder with the name that you specified. FRST has been saying "Fixing in progress, please wait..." and is not responding. I will leave it alone. Will post when it completes the fixlog.





