127.0.0.1:8080 proxy malware infection


16 replies to this topic

#1 krokodildo

  • Members
  • 27 posts
  • OFFLINE

Posted 24 November 2016 - 06:24 AM

 
 

Hello,

 

I have been redirected to this forum from your malware response team that tried to solve my problem within this post: http://www.bleepingcomputer.com/forums/t/632266/1270018080-proxy-malware-infection/page-3

 

Everything is documented in this link so I will just post the log from MiniToolBox here. Thank you!

 

 

 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by Vlasnik (administrator) on 24-11-2016 at 10:59:03
Running from "C:\Users\Vlasnik\Desktop"
Microsoft Windows 10 Home  (X64)
Model: 20351 Manufacturer: LENOVO
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.autoconfig_url", "data:text/plain, function FindProxyForURL(url, host) {if(isInNet(host, '192.168.0.0', '255.255.0.0')) return 'DIRECT'; \nif(host == 'us1-base.cd-n.net') return 'DIRECT'; \nif(host == 'us2-base.cd-n.net') return 'DIRECT'; \nif(host == 'us3-base.cd-n.net') return 'DIRECT'; \nif(host == 'jp1-base.cd-n.net') return 'DIRECT'; \nif(host == 'de1-base.cd-n.net') return 'DIRECT'; \nif(host == 'au1-base.cd-n.net') return 'DIRECT'; \nif(host == 'ca1-base.cd-n.net') return 'DIRECT'; \nif(host == 'ir1-base.cd-n.net') return 'DIRECT'; \nif(host == 'sg1-base.cd-n.net') return 'DIRECT'; \nif(host == 'kr1-base.cd-n.net') return 'DIRECT'; \nif(host == '127.0.0.1') return 'DIRECT'; \nif(host == 'localhost') return 'DIRECT'; \nif(host == 'ir1-base.cd-n.net') return 'DIRECT'; \nreturn 'HTTPS gy4s4obxfyzdcobogi2tcizrgq3tsmjwhaydama.2po.info:443';}"
"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Ethernet (Connected)
Intel® Dual Band Wireless-AC 3160 = Wi-Fi (Media disconnected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Bluetooth Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 4" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 6" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : ivg-mmadaras
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ivg.local

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : ivg.local
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 68-F7-28-0B-61-ED
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4520:79c8:3617:dd5a%17(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.20.30.157(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 23. studenog 2016. 15:28:17
   Lease Expires . . . . . . . . . . : 25. studenog 2016. 7:37:46
   Default Gateway . . . . . . . . . : 10.20.30.1
   DHCP Server . . . . . . . . . . . : 10.20.30.1
   DHCPv6 IAID . . . . . . . . . . . : 57210664
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-DB-12-26-68-F7-28-0B-61-ED
   DNS Servers . . . . . . . . . . . : 10.20.30.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Local Area Connection* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : D0-7E-35-18-6B-28
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 4:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hosted Network Virtual Adapter
   Physical Address. . . . . . . . . : D2-7E-35-18-6B-27
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : gigaset.lan
   Description . . . . . . . . . . . : Intel® Dual Band Wireless-AC 3160
   Physical Address. . . . . . . . . : D0-7E-35-18-6B-27
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth PAN HelpText
   Physical Address. . . . . . . . . : D0-7E-35-18-6B-2B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.ivg.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : ivg.local
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  ivg-dc01.ivg.local
Address:  10.20.30.1

Name:    google.com
Addresses:  2a00:1450:400d:803::200e
      216.58.214.238


Pinging google.com [216.58.214.238] with 32 bytes of data:
Reply from 216.58.214.238: bytes=32 time=14ms TTL=55
Reply from 216.58.214.238: bytes=32 time=14ms TTL=55

Ping statistics for 216.58.214.238:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 14ms, Maximum = 14ms, Average = 14ms
Server:  ivg-dc01.ivg.local
Address:  10.20.30.1

Name:    yahoo.com
Addresses:  2001:4998:c:a06::2:4008
      2001:4998:44:204::a7
      2001:4998:58:c02::a9
      98.138.253.109
      98.139.183.24
      206.190.36.45


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=199ms TTL=48
Reply from 206.190.36.45: bytes=32 time=199ms TTL=48

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 199ms, Maximum = 199ms, Average = 199ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 17...68 f7 28 0b 61 ed ......Realtek PCIe GBE Family Controller
 16...d0 7e 35 18 6b 28 ......Microsoft Wi-Fi Direct Virtual Adapter
  3...d2 7e 35 18 6b 27 ......Microsoft Hosted Network Virtual Adapter
 13...d0 7e 35 18 6b 27 ......Intel® Dual Band Wireless-AC 3160
  2...d0 7e 35 18 6b 2b ......Bluetooth PAN HelpText
  1...........................Software Loopback Interface 1
  5...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
  7...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.20.30.1     10.20.30.157     25
       10.20.30.0    255.255.255.0         On-link      10.20.30.157    281
     10.20.30.157  255.255.255.255         On-link      10.20.30.157    281
     10.20.30.255  255.255.255.255         On-link      10.20.30.157    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      10.20.30.157    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      10.20.30.157    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 17    281 fe80::/64                On-link
 17    281 fe80::4520:79c8:3617:dd5a/128
                                    On-link
  1    331 ff00::/8                 On-link
 17    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWoW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWoW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWoW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWoW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWoW64\winrnr.dll [24064] (Microsoft Corporation)
Catalog5 07 C:\WINDOWS\SysWoW64\wshbth.dll [51712] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [67584] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [62976] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 13 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/23/2016 10:23:45 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: IVG-MMADARAS)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service) (User: )
Description: Enumerating user sessions to generate filter pools failed.


Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service) (User: )
Description: Enumerating user sessions to generate filter pools failed.


Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service) (User: )
Description: Enumerating user sessions to generate filter pools failed.


Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service) (User: )
Description: Enumerating user sessions to generate filter pools failed.


Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service) (User: )
Description: Enumerating user sessions to generate filter pools failed.


Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service) (User: )
Description: Enumerating user sessions to generate filter pools failed.


Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service) (User: )
Description: Enumerating user sessions to generate filter pools failed.


Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service) (User: )
Description: Enumerating user sessions to generate filter pools failed.


Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service) (User: )
Description: Enumerating user sessions to generate filter pools failed.


Details:
    (HRESULT : 0x80040210) (0x80040210)


System errors:
=============
Error: (11/24/2016 07:38:12 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/24/2016 07:38:12 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/24/2016 07:38:10 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}{F72671A9-012C-4725-9D2F-2A4D32D65169}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/23/2016 10:23:45 PM) (Source: DCOM) (User: IVG-MMADARAS)
Description: CortanaUI.AppXtpp90jhw9p0njjb85kvhxpppgrqfp117.mca

Error: (11/23/2016 05:12:53 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/23/2016 04:30:13 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/23/2016 04:30:13 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/23/2016 04:30:12 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}{F72671A9-012C-4725-9D2F-2A4D32D65169}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/23/2016 03:29:22 PM) (Source: BugCheck) (User: )
Description: 0x0000001e (0xffffffffc0000005, 0xfffff80d310bd010, 0x0000000000000000, 0x00000000000000a0)C:\WINDOWS\MEMORY.DMP24202427-1d07-4bc9-b926-604c14e8a167

Error: (11/23/2016 03:28:30 PM) (Source: Service Control Manager) (User: )
Description: The SAService service failed to start due to the following error:
%%2 = The system cannot find the file specified.



Microsoft Office Sessions:
=========================
Error: (11/23/2016 10:23:45 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: IVG-MMADARAS)
Description: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI-2144927141

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    (HRESULT : 0x80040210) (0x80040210)

Error: (11/23/2016 03:30:02 PM) (Source: Windows Search Service)(User: )
Description:
Details:
    (HRESULT : 0x80040210) (0x80040210)


CodeIntegrity Errors:
===================================
  Date: 2016-11-24 08:54:23.519
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-23 10:07:46.887
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-22 08:32:04.390
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-20 16:52:34.507
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-19 09:43:51.540
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-19 09:43:51.517
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-19 09:43:51.509
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-18 08:45:19.639
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-17 08:49:46.079
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-11-16 14:28:35.390
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.


**** End of log ****
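The Firefox entry in the MiniToolBox output above is the part of this log that matters for the proxy problem: network.proxy.autoconfig_url holds an inline data: PAC script that returns DIRECT for the local network and a short exception list and routes every other host through an HTTPS proxy on port 443 at a hard-coded domain. As an added example (not part of the original post and not MiniToolBox code), the following Python script parses such a pref value, decodes the data: URI (plain or base64), lists the proxy targets the PAC can return, and flags any host that is not on an allowlist you supply. The sample input is constructed from the PAC text in this thread, trimmed to a few of its rules; the function names are my own.

```python
from __future__ import annotations

import base64
import re
from urllib.parse import unquote

# Constructed sample input: the network.proxy.autoconfig_url value from the
# MiniToolBox output in this thread, trimmed to a few of its rules, plus the
# network.proxy.type line that followed it. The literal "\n" sequences are
# kept exactly as prefs.js / MiniToolBox print them (backslash followed by n).
SAMPLE_PREFS = r'''
"network.proxy.autoconfig_url", "data:text/plain, function FindProxyForURL(url, host) {if(isInNet(host, '192.168.0.0', '255.255.0.0')) return 'DIRECT'; \nif(host == '127.0.0.1') return 'DIRECT'; \nif(host == 'localhost') return 'DIRECT'; \nreturn 'HTTPS gy4s4obxfyzdcobogi2tcizrgq3tsmjwhaydama.2po.info:443';}"
"network.proxy.type", 0
'''

# Matches the pref both as MiniToolBox prints it and as prefs.js stores it
# (user_pref("network.proxy.autoconfig_url", "...");). The value may contain
# backslash escapes, so the capture group accepts "\x" pairs.
PAC_URL_RE = re.compile(r'"network\.proxy\.autoconfig_url",\s*"((?:[^"\\]|\\.)*)"')
PROXY_TYPE_RE = re.compile(r'"network\.proxy\.type",\s*(\d+)')
# Every string literal a PAC script returns; DIRECT and proxy lists alike.
RETURN_RE = re.compile(r"""return\s*['"]([^'"]*)['"]""")


def decode_data_uri(value: str) -> str | None:
    """Return the PAC source embedded in a data: URI, or None if value is not one."""
    if not value.lower().startswith("data:"):
        return None
    header, _, payload = value[5:].partition(",")
    if header.lower().endswith(";base64"):
        source = base64.b64decode(payload.strip()).decode("utf-8", "replace")
    else:
        source = unquote(payload)
    # prefs.js stores newlines as the two characters "\n"; turn them back.
    return source.replace("\\n", "\n")


def proxy_targets(pac_source: str) -> list[tuple[str, str, int | None]]:
    """List every (scheme, host, port) the PAC can return, skipping DIRECT."""
    targets = []
    for ret in RETURN_RE.findall(pac_source):
        # A PAC return value may be a list: "PROXY a:1; PROXY b:2; DIRECT".
        for directive in ret.split(";"):
            parts = directive.split()
            if len(parts) != 2 or parts[0].upper() == "DIRECT":
                continue
            scheme, hostport = parts
            host, _, port = hostport.rpartition(":")
            if not host:  # no port given at all
                host, port = hostport, ""
            targets.append((scheme.upper(), host, int(port) if port.isdigit() else None))
    return targets


def assess(prefs_text: str, allowed_proxy_hosts=frozenset()) -> list[dict]:
    """Report proxy targets found in an inline PAC, marking hosts not on the allowlist."""
    m = PAC_URL_RE.search(prefs_text)
    if not m:
        return []
    source = decode_data_uri(m.group(1))
    if source is None:  # an http(s):// PAC URL is a different check
        return []
    t = PROXY_TYPE_RE.search(prefs_text)
    proxy_type = int(t.group(1)) if t else None
    findings = []
    for scheme, host, port in proxy_targets(source):
        findings.append({
            "scheme": scheme,
            "host": host,
            "port": port,
            "allowed": host in allowed_proxy_hosts,
            # Firefox only consults the PAC URL while network.proxy.type is 2.
            "pac_active": proxy_type == 2,
        })
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_PREFS):
        flag = "ok" if f["allowed"] else "SUSPICIOUS"
        print(f"{flag}: {f['scheme']} {f['host']}:{f['port']} (PAC active: {f['pac_active']})")
```

Point it at a copy of prefs.js or user.js from the affected profile. A data: PAC only takes effect while network.proxy.type is 2, which is why the script reports that value next to the target; the log above shows type 0 at the moment it was run, but a stale inline PAC is still worth clearing, since whatever wrote it can flip the type back.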
 

 



 


#2 Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  • Local time:11:00 PM

Posted 24 November 2016 - 11:39 PM

I would suggest you not use California, USA Google for DNS since you are in Croatia. You are going across the ocean for DNS, which isn't the best.

 

Sorry, but I didn't read anything in the last post that said you were malware/virus free. As long as you are infected there isn't much we can do network-wise.



#3 krokodildo
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE

Posted 25 November 2016 - 01:53 AM

I have a VPN proxy extension (Hoxx VPN) in Firefox which I use occasionally to watch blocked YouTube videos. The extension is off most of the time, so I shouldn't be connected to California. I will remove that extension. But other than that, as far as I know, I shouldn't be connecting to California, USA Google for DNS as you see in the log.

 

Well, your Malware Response Team on the forum that I linked said that I should come to you for help. I know that I'm not malware/virus free, but coming here was the suggestion that I got.



#4 TsVk!

    penguin farmer

  • Members
  • 6,230 posts
  • OFFLINE
  • Gender:Male
  • Location:The Antipodes
  • Local time:04:00 PM

Posted 25 November 2016 - 02:01 AM

An XP fix has been known to address errors you have on Win 10.

 

Please see this thread:

http://www.tenforums.com/user-accounts-family-safety/58759-permissions-error-clsid-appid-since-anniversary-update.html

 

Error: (11/22/2016 05:10:01 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID  
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

 

Error: (11/22/2016 05:10:01 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID  
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 

 

Does your proxy problem resolve if you apply the fix?


Edited by TsVk!, 25 November 2016 - 02:06 AM.


#5 krokodildo
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE

Posted 25 November 2016 - 02:10 AM

When I open "HKEY_CLASSES_ROOT\CLSID\CLSID" in the registry, the AppID doesn't show as suggested in the fix, so it isn't possible to move on with the steps.



#6 TsVk!

    penguin farmer

  • Members
  • 6,230 posts
  • OFFLINE
  • Gender:Male
  • Location:The Antipodes
  • Local time:04:00 PM

Posted 25 November 2016 - 02:16 AM

You should be opening

 

HKEY_CLASSES_ROOT\CLSID\{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}

 

and selecting the AppID from the right-hand pane.

 

I highly suggest you back up your registry before continuing, and read the first post in that thread until you understand it and see how it relates to the XP fix.



#7 krokodildo
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE

Posted 25 November 2016 - 03:01 AM

When following the instructions from the last reply in this post (http://www.tenforums.com/user-accounts-family-safety/58759-permissions-error-clsid-appid-since-anniversary-update-2.html), I'm unable to change the permission to Full Control in the registry for the AppID. See attached SS.

EDIT:

I managed to change permissions in regedit on both keys from the error logs, but the Launch and Activation Permissions in Component Services for both keys are still greyed out.
EDIT2: After I changed all the permissions in regedit I restarted and got a BSOD with the stop code "KMODE EXCEPTION NOT HANDLED".

Attached Files


Edited by krokodildo, 25 November 2016 - 03:45 AM.


#8 TsVk!

    penguin farmer

  • Members
  • 6,230 posts
  • OFFLINE
  • Gender:Male
  • Location:The Antipodes
  • Local time:04:00 PM

Posted 25 November 2016 - 05:02 PM

I'm at home for the weekend and I don't have a Win 10 machine here to verify a solution for you.

 

I will look at it again on Monday, if someone else hasn't helped you over this hurdle.



#9 Nikhil_CV

    Vestibulum Bleep

  • Members
  • 1,145 posts
  • OFFLINE
  • Gender:Male
  • Location:err: Destination unreachable! bash!
  • Local time:11:30 AM

Posted 28 November 2016 - 03:03 AM

Hi krokodildo,

Have you tried going into Safe Mode with Networking and visiting web pages after resetting the proxy settings?

 

How is this computer connected to the internet?

E.g.: Computer -- Wi-Fi -- wireless router -- cable/DSL modem -- TV cable -- ISP (internet)

 

Have you tried to connect with a different internet connection? (Restart the computer after disconnecting from all networks, and connect to the alternate internet connection after it loads the desktop.)


Regards : CV
There is no ONE TOUCH key to security!
Be alert and vigilant....!
Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when its shared to others. :radioactive: signature contents © cv and Someone....... :wink:

#10 krokodildo
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE

Posted 28 November 2016 - 08:32 AM

Well, it seems that resetting proxy settings in Safe Mode works, which surprises me a lot because of how simple it is. The manual proxy settings don't revert on their own (see SS) as was the case before, and all browsers work.

 

I'm using two different connections daily, one at work and one at home.
Home: laptop - wifi - router - ISP

Work: laptop - wifi - work server - ISP

 

Since there are no problems anymore, I guess that's it unless something changes. Thank you!



#11 Nikhil_CV

    Vestibulum Bleep

  • Members
  • 1,145 posts
  • OFFLINE
  • Gender:Male
  • Location:err: Destination unreachable! bash!
  • Local time:11:30 AM

Posted 29 November 2016 - 02:15 AM

Hi,

That's good progress. :)

 

Does the change survive a restart to normal mode?

 

Does your work environment require you to set up some configuration, like adding a proxy server?

 

Was the MiniToolBox log taken while the computer was connected to your home network?

Have you set these on your computer or home router:

   DNS Servers . . . . . . . . . . . : 10.20.30.1
                                        8.8.8.8

Edited by Nikhil_CV, 29 November 2016 - 02:19 AM.

Regards : CV

#12 krokodildo

Posted 29 November 2016 - 06:04 AM

Yes, restarting into normal mode keeps everything as it was in safe mode so everything works.

 

No, my work environment doesn't require me to do anything, I just connect to the network.

The MiniToolBox log was made while I was connected to my work network.

 

No, I haven't done any manual setup on my home router.



#13 Nikhil_CV

Posted 30 November 2016 - 08:55 AM

All right, krokodildo.

Looks like the issue is almost fixed. :)

Could you please take a screenshot of the "Advanced" tab of Internet settings and post it?

To reach the Internet settings, type:

inetcpl.cpl

in the Run box (press the Windows logo key and R simultaneously).


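Post #10 notes that the manual proxy settings used to revert on their own, and post #13 checks the Internet settings dialog by hand. As an added example, not code from the thread, the following Python check parses the two places this infection showed up in the MiniToolBox log: the Firefox network.proxy.autoconfig_url pref (an inline data: PAC) and the WinINET proxy values. The prefs.js line, the proxy hostname example-proxy.invalid and the WinINET values are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample: a prefs.js line in the same shape as the pref in the
# MiniToolBox log at the top of the thread (proxy hostname is a placeholder).
SAMPLE_PREFS_JS = (
    'user_pref("network.proxy.autoconfig_url", "data:text/plain, '
    'function FindProxyForURL(url, host) {'
    "if(host == '127.0.0.1') return 'DIRECT'; "
    "return 'HTTPS example-proxy.invalid:443';}\");"
)

# Constructed sample of the WinINET values behind the "IE Proxy Settings"
# section; a hijacked system shows ProxyEnable=1 and a loopback proxy.
SAMPLE_WININET = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080", "AutoConfigURL": ""}

# Matches the non-DIRECT return values of a PAC script.
PAC_RETURN = re.compile(r"return\s+'(PROXY|HTTPS|SOCKS5?)\s+([^']+)'")

def pac_from_prefs(prefs_text):
    """Return the network.proxy.autoconfig_url value from prefs.js text, or None."""
    m = re.search(r'user_pref\("network\.proxy\.autoconfig_url",\s*"((?:[^"\\]|\\.)*)"\)',
                  prefs_text)
    return m.group(1).replace('\\"', '"') if m else None

def pac_findings(pac_url):
    """Flag an inline data: PAC and list every proxy it routes traffic through."""
    findings = []
    if pac_url and pac_url.lower().startswith("data:"):
        findings.append("PAC is an inline data: URL (no file or server behind it)")
        # Plain-text data URLs only; a base64 data URL is not decoded here.
        script = unquote(pac_url.split(",", 1)[1])
        for scheme, target in PAC_RETURN.findall(script):
            findings.append(f"PAC routes traffic through {scheme} {target}")
    return findings

def wininet_findings(values):
    """Flag an enabled WinINET proxy, a loopback proxy, and any PAC it points at."""
    findings = []
    if values.get("ProxyEnable") == 1 and values.get("ProxyServer"):
        findings.append(f"WinINET proxy enabled: {values['ProxyServer']}")
        if values["ProxyServer"].startswith(("127.", "localhost")):
            findings.append("proxy points at loopback: look for a local process listening there")
    if values.get("AutoConfigURL"):
        findings.extend(pac_findings(values["AutoConfigURL"]))
    return findings
```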

#14 krokodildo

Posted 30 November 2016 - 09:00 AM

Here you go!

 

EDIT: I'm trying to upload the rest of the screenshots I made (remaining options on the settings list), but the forum doesn't allow me to because I have reached the threshold for uploading files.


Edited by krokodildo, 30 November 2016 - 09:03 AM.


#15 Nikhil_CV

Posted 30 November 2016 - 09:05 AM

Okay, thank you. Looks like everything is fine.

If you would like, you can check for any further infections (going back to the old topic or creating a post at Am I infected? What do I do?).

Other than that, you're good to go.

Please make sure the SSL and TLS values are ticked (you can see them if you scroll to the bottom of the same tab).

 

Good luck! :)


Edited by Nikhil_CV, 30 November 2016 - 09:06 AM.

