fr8pil8
Honorary Members, 66 posts

Everything posted by fr8pil8

  1. MrC comes through once again. This is the third time we've worked together. Thanks again.

  2. Looks like things are back to normal. The "desktop.ini" icons went away when I re-hid the system files; no more uncommanded browser scrolling; and total care complete 247 hasn't been back. Your preventive maintenance tips are good and I follow those routinely. Too bad my son doesn't. Thanks again for your expert advice...I put a little in your PayPal sack...the next drink's on me!
  3. Well sir, the second scan gave the same blank txt report in notebook. I did notice a lot of "path not found" entries as the program ran...don't know if that's relevant.
  4. The program ran but the log was an empty text file...I'll try it again.
  5. Do I run this security scan with Norton/Malwarebytes enabled or disabled?
  6. I meant to say it appears that the FRST fix took care of the scrolling issue...thanks, all appears normal...so far
  7. It appears that the "fix" got rid of the scrolling to the bottom of the page issues I was having with both Thunderbird and Chrome. When we get to the cleanup phase I'd like your opinion on this: sometime during the first round of scans with the various programs two "desktop.ini" icons appeared on my desktop (one from 2011, the other from 2013). Is it safe to delete these?
  8. OK......also, zoek is raising Cain with Mozilla Thunderbird, so the sooner we can get rid of it the sooner the wife will let me off the hook. Attachments: FRST.txt, Addition.txt
  9. zoek has gone bonkers. It ran for ten minutes then froze when it got to C:\Users\Public\Desktop DB Check. I gave up on it after letting it run for another 40 minutes. I tried to close the program using the X close button, but the program kept coming back to the freeze point. Finally, after two hours plus, I used Ctrl+Alt+Delete to try to shut it down, with no luck.
  10. Here's the results...

Fix result of Farbar Recovery Scan Tool (x86) Version:21-08-2015
Ran by Al & Mindy (2015-08-21 21:33:34) Run:1
Running from C:\Users\Al & Mindy\Desktop\MB8-20
Loaded Profiles: Al & Mindy (Available Profiles: Al & Mindy & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
GroupPolicyScripts: Group Policy detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4019566695-2349307630-1478826107-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKU\S-1-5-20 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Security Suite\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
Toolbar: HKU\S-1-5-21-4019566695-2349307630-1478826107-1000 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} - No File
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2014-02-11] (Coupons, Inc.)
CHR Extension: (No Name) - C:\Users\Al & Mindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\balimbofoedmklhpnchbgmlfipgpbjnl [2015-07-08]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
S2 SessionLauncher; C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [X]
CustomCLSID: HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{994B47B9-7DB9-5058-EE22-08DD039ADC4B}\InprocServer32 -> {1FE960F5-9468-D082-A3F0-98EE85889A47} No File
CustomCLSID: HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{DD0822EE-9A03-4BDC-B947-4B99B97D5850}\InprocServer32 -> {46CC2438-9468-D082-6EB4-BDB785889A47} No File
AlternateDataStreams: C:\Users\Al & Mindy\BCHW - Feburary Mount St. Helens Chapter newsletter.eml:OECustomProperty
AlternateDataStreams: C:\Users\Al & Mindy\Bells Mountain Trail.eml:OECustomProperty
AlternateDataStreams: C:\Users\Al & Mindy\Fwd- Bells Mountain Trail - Copy (1).eml:OECustomProperty
AlternateDataStreams: C:\Users\Al & Mindy\Fwd- Bells Mountain Trail.eml:OECustomProperty
AlternateDataStreams: C:\Users\Public\.DS_Store:AFP_AfpInfo
*****************

Restore point was successfully created.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"C:\Windows\system32\GroupPolicy\Machine" => File/Folder not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
"HKU\S-1-5-21-4019566695-2349307630-1478826107-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => key removed successfully.
HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => key not found.
"HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => key removed successfully.
HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully.
"HKCR\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully.
HKU\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} => value removed successfully.
HKCR\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E} => key not found.
"HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => key removed successfully.
C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll => moved successfully
C:\Users\Al & Mindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\balimbofoedmklhpnchbgmlfipgpbjnl => moved successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully.
SessionLauncher => service removed successfully.
"HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{994B47B9-7DB9-5058-EE22-08DD039ADC4B}" => key removed successfully.
"HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{DD0822EE-9A03-4BDC-B947-4B99B97D5850}" => key removed successfully.
C:\Users\Al & Mindy\BCHW - Feburary Mount St. Helens Chapter newsletter.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Al & Mindy\Bells Mountain Trail.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Al & Mindy\Fwd- Bells Mountain Trail - Copy (1).eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Al & Mindy\Fwd- Bells Mountain Trail.eml => ":OECustomProperty" ADS removed successfully.
C:\Users\Public\.DS_Store => ":AFP_AfpInfo" ADS removed successfully.

The system needed a reboot.

==== End of Fixlog 21:34:19 ====

# AdwCleaner v5.003 - Logfile created 21/08/2015 at 21:46:43
# Updated 20/08/2015 by Xplode
# Database : 2015-08-20.1 [server]
# Operating system : Windows Vista Ultimate Service Pack 2 (x86)
# Username : Al & Mindy - RUSTRANCH
# Running from : C:\Users\Al & Mindy\Desktop\MB8-20\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Folders ] *****

Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons

***** [ Files ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

[C:\Users\Al & Mindy\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Default_Search_Provider_Data] Found : {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}{google:contextualSearchVersion}ie={inputEncoding}","usage_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_bit":true,"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"n","commands":{},"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"install_time":"13042140344411000","last_launch_time":"13084222849287800","location":5,"manifest":{"app":{"launch":{"web_url":"hxxps://chrome.google.com/webstore"},"urls":["hxxps://chrome.google.com/webstore"]},"description":"Chrome Web Store","icons":{"128":"webstore_icon_128.png","16":"webstore_icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtl3tO0osjuzRsf6xtD2SKxPlTfuoy7AWoObysitBPvH5fE1NaAA1/2JkPWkVDhdLBWLaIBPYeXbzlHp3y4Vv/4XG+aN5qFE3z+1RU/NqkzVYHtIpVScf3DjTYtKVL66mzVGijSoAIwbFCC3LpGdaoe6Q1rSRDp76wR6jjFzsYwQIDAQAB","name":"Store","permissions":["webstorePrivate","management"],"version":"0.2"},"page_ordinal":"n","path":"C:\\Program Files\\Google\\Chrome\\Application\\29.0.1547.66\\resources\\web_store","was_installed_by_default":false},"aohghmighlieiainnegkcijnfilokake":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"disable_reasons":1,"events":[],"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"has_declarative_rules":false,"incognito_content_settings":[],"incognito_preferences":{},"initial_keybindings_set":true,"install_time":"13067493018921800","lastpingday":"13084613983883651","location":1,"manifest":{"api_console_project_id":"619683526622","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en_US","default_locale":"en_US","description":"Create and edit documents ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJhLK6fk/BWTEvJhywpk7jDe4A2r0bGXGOLZW4/AdBp3IiD9o9nx4YjLAtv0tIPxi7MvFd/GUUbQBwHT5wQWONJj1z/0Rc2qBkiJA0yqXh42p0snuA8dCfdlhOLsp7/XTMEwAVasjV5hC4awl78eKfJYlZ+8fM/UldLWJ/51iBQwIDAQAB","manifest_version":2,"name":"Google Docs","offline_enabled":true,"update_url":"hxxps://clients2.google.com/service/update2/crx","version":"0.9"},"page_ordinal":"n","path":"aohghmighlieiainnegkcijnfilokake\\0.9_0","preferences":{},"regular_only_preferences":{},"state":0,"was_installed_by_default":true,"was_installed_by_oem":false},"apdfllckaahabafndbhieahigkjlhalf":{"ack_external":true,"active_bit":false,"active_permissions":{"api":["background","clipboardRead","clipboardWrite","notifications","unlimitedStorage"],"manifest_permissions":[]},"app_launcher_ordinal":"x","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":["background","clipboardRead","clipboardWrite","notifications","unlimitedStorage"],"manifest_permissions":[]},"has_declarative_rules":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13081623576698600","last_active_pingday":"13063795186262538","last_launch_time":"13063851359047538","lastpingday":"13084613983883651","location":1,"manifest":{"app":{"launch":{"web_url":"hxxps://drive.google.com/?usp=chrome_app"},"urls":["hxxp://docs.google.com/","hxxp://drive.google.com/","hxxps://docs.google.com/","hxxps://drive.google.com/"]},"background":{"allow_js_access":false},"current_locale":"en_US","default_locale":"en_US","description":"Google Drive: create, share and keep all your stuff in one place.","icons":{"128":"128.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIl5KlKwL2TSkntkpY3naLLz5jsN0YwjhZyObcTOK6Nda4Ie21KRqZau9lx5SHcLh7pE2/S9OiArb+na2dn7YK5EvH+aRXS1ec3uxVlBhqLdnleVgwgwlg5fH95I52IeHcoeK6pR4hW/Nv39GNlI/Uqk6O6GBCCsAxYrdxww9BiQIDAQAB","manifest_version":2,"name":"Google Drive","offline_enabled":true,"options_page":"hxxps://drive.google.com/settings","permissions":["background","clipboardRead","clipboardWrite","notifications","unlimitedStorage"],"update_url":"hxxps://clients2.google.com/service/update2/crx","version":"14.0"},"page_ordinal":"n","path":"apdfllckaahabafndbhieahigkjlhalf\\14.0_0","preferences":{},"regular_only_preferences":{},"state":1,"was_installed_by_default":true,"was_installed_by_oem":false},"balimbofoedmklhpnchbgmlfipgpbjnl":{"ack_settings_bubble":true,"active_permissions":{"api":["cookies","searchProvider","storage","tabs","unlimitedStorage"],"explicit_host":["hxxp://*/*","hxxps://*/*"],"manifest_permissions":[]},"blacklist_state":3,"commands":{},"content_settings":[],"creation_flags":9,"disable_reasons":1,"events":[],"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":["cookies","searchProvider","storage","tabs","unlimitedStorage"],"explicit_host":["hxxp://*/*","hxxps://*/*"],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"initial_keybindings_set":true,"install_time":"13079137717632000","lastpingday":"13084613983883651","location":1,"manifest":{"background":{"scripts":["/extensions_base/basejs/jquery-1.9.1.js","/extensions_base/basejs/products/zooms_musixlib_parameters_ds.js","/extensions_base/basejs/base.js","background.js"]},"chrome_settings_overrides":{"search_provider":{"alternate_urls":[],"encoding":"UTF-8","favicon_url":"hxxp://www.gozooms.com/images/favicon.ico","image_url":"hxxp://zooms.searchalgo.com/search/?category=images&q={searchTerms}

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [6647 bytes] ##########

I ran JRT three times but it would not generate a report. The program self-closed each time as it was checking the registry. Also, is it normal for this program to start off stating that "the system could not find the desired path" multiple times before it started the "create a restore point"?

Here's the MB threat scan txt:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/21/2015
Scan Time: 10:18:56 PM
Logfile: MBscan 8-21.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.21.09
Rootkit Database: v2015.08.16.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Enabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Al & Mindy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 465062
Time Elapsed: 23 min, 49 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

I am puzzled that this scan indicates that Malware Protection and Malicious Website Protection are Disabled? I double-checked my settings in Malwarebytes and they show both of these settings to be Enabled.
  11. MR C...not that I don't like talking to ya, but I was hoping after the last two malware problems I had last year that I was done with needing your help. Anyway, here's the info...

RogueKiller:

RogueKiller V10.10.1.0 [Aug 17 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Al & Mindy [Administrator]
Started from : C:\Users\Al & Mindy\Desktop\MB8-20\RogueKiller.exe
Mode : Scan -- Date : 08/21/2015 09:47:30

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 18 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555 -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)]) -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x41e1357571000000
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x41e1357589000000
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[18] : Unknown @ 0x41e12ed8fc000000
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[21] : Unknown @ 0x41e1241be7000000
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[42] : Unknown @ 0x41e135747f000000
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[67] : Unknown @ 0x41e1357527000000
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[77] : Unknown @ 0x41e135742f000000
[SSDT:Addr(Hook.SSDT)] NtCreateThread[78] : Unknown @ 0x41e1357408000000
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[116] : Unknown @ 0x41e1357497000000
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[129] : Unknown @ 0x41e12ed92e000000
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[147] : Unknown @ 0x41e12ed8c8000000
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[156] : Unknown @ 0x41e1357541000000
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[158] : Unknown @ 0x41e1357559000000
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[165] : Unknown @ 0x41e13574c7000000
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[177] : Unknown @ 0x41e12ed8ac000000
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[184] : Unknown @ 0x41e135750f000000
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[194] : Unknown @ 0x41e12ca2d2000000
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[195] : Unknown @ 0x41e12ed916000000
[SSDT:Addr(Hook.SSDT)] NtOpenSection[197] : Unknown @ 0x41e13574df000000
[SSDT:Addr(Hook.SSDT)] NtOpenThread[201] : Unknown @ 0x41e12ed948000000
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[210] : Unknown @ 0x41e1357465000000
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[255] : Unknown @ 0x41e13677e7000000
[SSDT:Addr(Hook.SSDT)] NtReadVirtualMemory[261] : Unknown @ 0x41e13677cd000000
[SSDT:Addr(Hook.SSDT)] NtResumeThread[282] : Unknown @ 0x41e13575a1000000
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x41e13575e9000000
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[305] : Unknown @ 0x41e12ed87a000000
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[317] : Unknown @ 0x41e13574af000000
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[330] : Unknown @ 0x41e13574f7000000
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[331] : Unknown @ 0x41e13575b9000000
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x41e12ed806000000
[SSDT:Addr(Hook.SSDT)] unknown[335] : Unknown @ 0x41e13575d1000000
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[348] : Unknown @ 0x41e12ed894000000
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : Unknown @ 0x41e12ed8e2000000
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[382] : Unknown @ 0x41e1357449000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[317] : Unknown @ 0x41e0ef3336000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[397] : Unknown @ 0x41e0ef3541000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[428] : Unknown @ 0x41e0ef3529000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[430] : Unknown @ 0x41e0ef3559000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[442] : Unknown @ 0x41e0ef3571000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[479] : Unknown @ 0x41e0ef34d4000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[497] : Unknown @ 0x41e0ef350f000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[498] : Unknown @ 0x41e0ef34ee000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x41e0ef333d000000
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x41e0ef3691000000

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ARRAY +++++
--- User ---
[MBR] aba52d45b8e1f2adf216397c6e932b8c
[BSP] 15aa431f21a280c81d2601e5a5773708 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 129024 | Size: 15360 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31586304 | Size: 525312 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1107425280 | Size: 174666 MB
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )

+++++ PhysicalDrive1: Seagate FA GoFlex Desk USB Device +++++
--- User ---
[MBR] 15185c225eb6fb0a3de71f124a83710c
[BSP] adb3bbbedcdedb86cfcfedec2cb79c0a : Empty|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: DELL USB HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: DELL USB HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: DELL USB HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: DELL USB HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: Canon MX870 series USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

Attachments: Addition.txt, FRST.txt, rk_7CB8.tmp.txt, scan 8-20a.txt, scan 8-20b.txt
  12. I didn't get a screen shot of the "Warning" splash screen but it is the same as EricLee posted (see his post of 0635 today titled Remove "Windozssupport247.info"). One difference is that mine shows the URL as "totalcarecomplete247.info". It's the same old 'you may have a virus' BS that pops up from time to time...'call tech support @...' Ctrl+Alt+Delete worked fine but I'd like to remove this #!*% with your help. Thanks!
  13. PayPal didn't work last night...I'll try again. So far, so good!
  14. Looks as if I got rid of all the tools, with the exception of MBAR. When I try to delete it from my desktop a msg tells me that I need permission to do it? Any ideas? I'll review your Prev. Mx tips again, but with a 28 yr old son who does a lot of surfing... Have a beverage of your choice on me via PayPal!
  15. no luck...hangs up at the same place...waited 20 minutes
  16. OK, got Security Check going. It seems to have stopped working although Task Mgr says it's running. For the last 20 minutes it has been "Performing System Health Check". Is this normal? I don't hear the hard drive spinning and CPU use is less than 10%.
  17. Working on it MrC...as I was downloading Security Check the computer started acting up (the downloads section froze and no other windows would open, "not responding"). Then all my icons disappeared from the desktop. They finally came back a few minutes later and then disappeared again. My desktop was unresponsive so I shut down the system with the power button. After restart the computer started a CHKDSK program. I'll get the scan done as soon as things get back to normal...soon I hope!
  18. More tinkering and found a way to get the info to the clipboard:

Filename: 00017421.tmp.xbad
Threat name: Trojan.Poweliks!gm
Full Path: c:\frst\quarantine\c\windows\system32\00017421.tmp.xbad
____________________________

Details
Unknown Community Usage, Unknown Age, Risk High

Origin
Downloaded from Unknown

Activity
Actions performed: 98
____________________________

On computers as of Not Available
Last Used 11/13/2014 at 11:33:29 AM
Startup Item No
Launched No
____________________________

Unknown
It is unknown how many users in the Norton Community have used this file.
Unknown
This file release is currently not known.
High
This file risk is high.

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________

Source: External Media
____________________________

File Actions
File: c:\frst\quarantine\c\windows\system32\00017421.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00024626.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00009741.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00016118.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00024084.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00008723.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00022929.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00012859.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00016944.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00027644.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00015890.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00014771.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00016827.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00027529.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00032439.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00031101.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00025667.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00025547.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00007711.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00015141.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00027446.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00012623.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00005537.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00019629.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00009961.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00029658.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00022648.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00011942.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00019895.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00018756.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00026777.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00020037.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00026308.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00031115.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00019954.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00017673.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00005829.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00016541.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00022386.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00023811.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00019718.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00021538.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00006270.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00031322.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00009894.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00007376.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00006729.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00011840.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00013977.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00032391.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00028253.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00032757.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00019072.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00013931.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00030333.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00015350.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00009040.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00023805.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\yhyfaule.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00011323.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00011538.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00012382.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00015573.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00019264.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00026299.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00024393.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00019912.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00022190.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00009930.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00028703.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00032662.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00006868.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00015006.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00018716.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00030106.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00026924.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00022704.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00021726.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00031673.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00014604.tmp.xbad Removed
File: c:\frst\quarantine\c\windows\system32\00028745.tmp.xbad Removed
____________________________

Registry Actions
Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1005\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1005\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1005\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
Registry change: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
____________________________

File Thumbprint - SHA: 33035762c5d37e4ea67d82d13e8d1e9e23ff8b5c26452d70651da04ca14a3333
File Thumbprint - MD5: Not available
  19. Can't get a text file except in binary form. I can't open .mcf files, but I tried to attach Norton's Quarantine Log in that format. Unfortunately, I get an error msg: "you aren't permitted to upload this kind of file". Essentially, the log shows that Trojan.Poweliks!gm was detected by their Auto-Detect mode and was Quarantined FOUR times today (45 times yesterday). The file names today were: 00017421.tmp.xbad 00012316.tmp.xbad 00017035.tmp 00024370.tmp
  20. Ran JRT twice, but neither run generated a log. Redownloaded JRT and ran it again with the same result--no log. In all three runs neither the "Registry B/U" check nor the "Start-up" showed any result except: "cannot find the specified path". Going down the rest of the categories the program closed after it had spent a minute or so checking the "Registry" category. Threat scan showed no problems. The multiple dlls have not shown up so far today. It's interesting, though, that Norton360 was still advising me this morning that it was detecting the malware.
  21. # AdwCleaner v4.101 - Report created 13/11/2014 at 10:58:15
      # Updated 09/11/2014 by Xplode
      # Database : 2014-11-12.2 [Live]
      # Operating System : Windows Vista Ultimate Service Pack 2 (32 bits)
      # Username : Al & Mindy - RUSTRANCH
      # Running from : C:\Users\Al & Mindy\Desktop\AdwCleaner.exe
      # Option : Clean

      ***** [ Services ] *****

      ***** [ Files / Folders ] *****

      ***** [ Scheduled Tasks ] *****

      ***** [ Shortcuts ] *****

      ***** [ Registry ] *****

      Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.7
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows5.0.0.7
      Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

      ***** [ Browsers ] *****

      -\\ Internet Explorer v9.0.8112.16584
      -\\ Mozilla Firefox v33.1 (x86 en-US)
      -\\ Google Chrome v38.0.2125.111

      *************************

      AdwCleaner[R0].txt - [1159 octets] - [13/11/2014 10:50:18]
      AdwCleaner[s0].txt - [1086 octets] - [13/11/2014 10:58:15]

      ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1146 octets] ##########
  22. Ran MBAR...it found two infections in the Registry and the final step (CLEAN, I believe it said) seems to have deleted the problem files. Next ran ESET...it found no problems. Lastly, reran FRST and have attached the files. One thing to note here, I use Norton 360 Antivirus. The first time I ran FRST this morning there was no conflict. Tonight Norton's Sonar sensor sent the FRST.exe file to quarantine when I tried to run the program. I forced a Restore, turned off Norton and ran FRST. Seems like things are back to normal. I'll recheck in the a.m. and get back to you. Thanks Addition.txt FRST.txt
  23. When I hit the reports button this web page came up also: http://www.adlice.com/poweliks-removal-with-roguekiller/ I didn't follow the advice given as I'm going to stick with your analysis and see if we can lick this thing; however, I didn't know if you had seen this link.

      tigzy Post author 10/24/2014 at 12 h 20 min
      The process is the following:
      – Scan with RogueKiller (do not close at the end!)
      – Kill all dllhost processes
      – Remove with RogueKiller
      – Reboot immediately.
      Some forum thread that may help: http://forum.adlice.com/index.php?topic=215.0