Changed programs and settings as well as redirects


10 replies to this topic

#1 xanduq

xanduq

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:00 PM

Posted 06 May 2018 - 01:37 AM

I posted in Am I Infected. A helpful, if not exactly tactful, person suggested to post the logs to a program. I had run the program just before reading this suggestion, so I did include the optional selections. If I need to resubmit, let me know.

#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,447 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:00 PM

Posted 06 May 2018 - 08:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {41B3F80E-72D3-48A0-9057-B18DF862CB7A} - System32\Tasks\{70D50768-36C5-4E36-B1ED-43F9D7ABDB91} => C:\Windows\system32\pcalua.exe -a D:\HBCD\Programs\ComboFix.exe -d D:\HBCD\Programs

C:\Windows\System32\Tasks\{70D50768-36C5-4E36-B1ED-43F9D7ABDB91}
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon (the 3 vertical dots) located at the top right side of Google Chrome.

Click "Settings" then "Show advanced settings" at the bottom of the screen.

Click the "Reset browser settings" button.

Restart Chrome.
===

Please let me know what problem persists with this computer.
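
The task removed by the fixlist above does not run ComboFix directly: it goes through pcalua.exe (the Program Compatibility Assistant launcher), whose -a argument carries the program actually started, so the real target sits one argument deeper than the task's own command line. The following Python is an added example, not FRST's code and not something nasdaq posted: it parses FRST "Task:" lines of the form shown in the fixlist, surfaces tasks that run through such a launcher, and emits the two fixlist entries used above (the Task line and its file under C:\Windows\System32\Tasks, assuming the standard Windows directory). The first sample line is the page's own Task entry; the second is a constructed, ordinary task for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Launchers that start another program on the caller's behalf: a task that goes
# through one keeps its real target one argument deeper than the command itself.
PROXY_LAUNCHERS = {"pcalua.exe": "-a"}  # launcher -> flag carrying the real target

# FRST "Task:" line, as in the fixlist:  Task: {id} - <task path> => <command>
TASK_RE = re.compile(r"^Task:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(\S+)\s*=>\s*(.*)$")

@dataclass
class Task:
    task_id: str
    task_path: str          # e.g. System32\Tasks\{...}
    command: str
    executable: str
    target: Optional[str]   # program really launched when a proxy is used

def split_command(command: str) -> List[str]:
    """Split a Windows command line; quoted tokens may contain spaces."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]

def parse_task_line(line: str) -> Optional[Task]:
    m = TASK_RE.match(line.strip())
    tokens = split_command(m.group(3)) if m else []
    if not tokens:
        return None                      # not a Task line, or no command
    flag = PROXY_LAUNCHERS.get(tokens[0].rsplit("\\", 1)[-1].lower())
    target = tokens[tokens.index(flag) + 1] if flag in tokens[1:-1] else None
    return Task(m.group(1), m.group(2), m.group(3), tokens[0], target)

def fixlist_entries(task: Task, windir: str = r"C:\Windows") -> List[str]:
    """The Task line plus its on-disk task file, mirroring the fixlist above."""
    return [f"Task: {task.task_id} - {task.task_path} => {task.command}",
            windir + "\\" + task.task_path]

def proxied_tasks(log: str) -> List[Task]:
    """Every task in an FRST log that runs its target through a proxy launcher."""
    tasks = (parse_task_line(line) for line in log.splitlines())
    return [t for t in tasks if t and t.target]

# Constructed sample: line 1 is the Task entry from the fixlist above, line 2 an
# invented ordinary task for contrast, line 3 the service entry (not a task).
SAMPLE_LOG = r"""
Task: {41B3F80E-72D3-48A0-9057-B18DF862CB7A} - System32\Tasks\{70D50768-36C5-4E36-B1ED-43F9D7ABDB91} => C:\Windows\system32\pcalua.exe -a D:\HBCD\Programs\ComboFix.exe -d D:\HBCD\Programs
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\NightlyBackup => "C:\Program Files\Backup Tool\backup.exe" /quiet
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
"""
```

Running `proxied_tasks(SAMPLE_LOG)` returns only the pcalua.exe task, with `target` set to the ComboFix path, and `fixlist_entries` on it reproduces the two lines that the fixlist above used to remove it.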

#3 xanduq

xanduq
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:00 PM

Posted 06 May 2018 - 07:30 PM

nasdaq: Thanks so much for trying to help. I do think some things changed for a time, but when running the program, it updated--I was pretty sure it should not, so I went back to the original a few dozen times. I think it ran, but when running the "fix" the computer gave an error message that the fixlog wasn't found and should be in the same file. It was. Either it got tired of it before I did because I think it ran. There were a few things listed that were not changed. I will go to that computer and try to post the logs now.

Also, I had a lot of trouble getting in the account... :(

 

Whew, only took three tries this time.
Edited by xanduq, 06 May 2018 - 07:42 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,447 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:00 PM

Posted 07 May 2018 - 07:07 AM

Hi,

Your current profile may be damaged.
Create a new User Account with Administration rights.

Follow the instructions on this page.

https://support.microsoft.com/en-ca/help/4026923/windows-10-create-a-local-user-or-administrator-account
Create a local user or administrator account in Windows 10

====

Restart the computer in the new account.

Let me know if you have any issues in that new account.

#5 xanduq

xanduq
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:00 PM

Posted 07 May 2018 - 12:54 PM

nasdaq: I think I found a Dell problem with the ID I need to resolve or I won't be able to create another User account, Trojan present or not. The system originated with 7 Pro, which I asked for at the time. When I purchased it from Dell, I did not know it was refurbished--called them on that, but I like the device and kept it--it came to me with 8.1 Pro. Called them. They sent me a disk with 7 Pro and 10 Pro.

I felt that if I were going to do a clean install, Windows 10 Pro would be the most secure. But the activation code is not right. If I had gone to my "vault" on Dell's website, I could possibly d/l an ISO of at least version 1709 of Windows 10 Pro. But, many feel that I need to go back to 8.1 Pro or even 7 Pro first.

I didn't try to update the OS when the computer trojan issues started, so that's not the cause, but I'm pretty sure changing the OS, especially on a Dell, isn't helping the situation.

Further suggestions? What should be my next step?

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,447 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:00 PM

Posted 07 May 2018 - 01:37 PM

If you are still on the 8.1 version, try the Windows 7.

With this old computer it's your best bet.

#7 xanduq

xanduq
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:00 PM

Posted 07 May 2018 - 02:00 PM

I was wrong. The original OS was either 8 Pro or 8.1 Pro. It's got a label, but that corner curled up. Since I asked for 7 Pro, they sent me 7 Ultimate to make up for their error and the Win 10 Pro. I actually wanted Pro. I never used the disk. I probably would have had the exact same issues if I had tried then. Dell never said anything about it. Apparently, the system will plug in the right activation and key with their process, but I will have to go back to 8.1 Pro first. Pretty sure my disk says 8.1 Pro, but it could be 8 Pro. Searching for my disk now... They were together, so I know it's close by.

However, my son has another suggestion. He bought a legal Windows 10 key really cheap directly from Microsoft for his computer. Can I do that for this computer to bypass the Dell stuff or am I locked into it?

Oh, I actually updated to Windows 10 Pro already..

Edited by xanduq, 07 May 2018 - 02:02 PM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,447 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:00 PM

Posted 08 May 2018 - 06:27 AM

I do not know.

Ask in the Windows 10 forum
https://www.bleepingcomputer.com/forums/f/229/windows-10-support/

An expert there may be able to help you.

#9 xanduq

xanduq
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:00 PM

Posted 08 May 2018 - 10:24 AM

I'll hop over there, but I found the 8.1 Pro disk. If I have to do that, fine, will do. From what the blog on Dell said, the program should have digitally secured the activation of 10 from the BIOS, not the NIC, which was deleted in a full format of the disk. I tried restore before and it didn't remove the issue. I did flash the BIOS to the current one Dell has posted. I was not able to successfully update Windows 10 though. Many failures and many "other" programs tried to update as well... which was curious.

While I am working with Dell and Windows, may I run and post FRST logs on a second computer--also Dell, XPS8900 Desktop? I think Windows 10 Pro will run okay on it. It is running Windows 7 Pro currently... could stay with that if you feel it is patched and secure with updates.

Also, wanted to ask you if I can find a safe download while using an infected computer for an updated OS? The downloads of drivers and security updates seem to be the downfall.

My son asked me what the "fix" corrected. He writes computer programs, but not familiar with virus removal. I saw changes for the better. Just curious.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,447 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:00 PM

Posted 08 May 2018 - 01:39 PM

Hi,

This task that was removed was running ComboFix. I know that the program does change some settings in order to work. That may have been the cause of the new settings you are talking about.
Task: {41B3F80E-72D3-48A0-9057-B18DF862CB7A} - System32\Tasks\{70D50768-36C5-4E36-B1ED-43F9D7ABDB91} => C:\Windows\system32\pcalua.exe -a D:\HBCD\Programs\ComboFix.exe -d D:\HBCD\Programs

Dell is very particular with its operating system.
I would not do any upgrade to Windows 10. Your call.
If it's not broken do not fix it.

#11 xanduq

xanduq
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:00 PM

Posted 08 May 2018 - 06:27 PM

Okay, you're the boss. I will reinstall Windows 8.1 Pro.

added:

I reread an earlier post. Totally agree with you about going to Windows 7, but the computer's original OS was 8.1. I think I'd be in the same boat either way...

I can check with the Windows 10 board and Dell to see if I can activate 10 without going back to 8.1 first, since it is already on the computer, and it was a very long process. I heard there are updated ISOs somewhere... maybe I can ask about them. Either way, progressing...

Edited by xanduq, 08 May 2018 - 10:09 PM.