FaTone (Members). Posts: 24. Reputation: 0 Neutral.
  1. I ran all the tests and it seems that my system is clean. Thank you for your assistance. BTW, I do recall there is a program that some users use after cleaning the computer. I believe it is called DelFix. Should I run this now?
  2. I was traveling over the weekend, I am now making sure I have no issues. I am doing a full scan to check for any rootkits/malware/viruses. Will report back when done.
  3. I am getting an error stating "An error occurred while loading library AxBrowsers.dll::Browser Manager. It may have been removed. Please reinstall the application. If the problem persists, contact technical support." I don't know what the application is; I am assuming the Chrome web browser. How do I fix this?
  4. I just fixed the issue. I did two things: downloaded EasyBCD, and erased and rebuilt the boot manager. I used the following article, https://fixedit.itxpress.biz/2013/10/11/fixing-the-f8-repair-your-computer-recovery-option/. It seems as if the Windows bootloader might have got corrupted and I had to re-associate the correct GUID to it. I am just testing some functionality that was acting strange previously and then will run FRST, Malwarebytes and Avast anti-virus to make sure I don't see any issues.
  5. I had found an article on the web, https://www.terabyteunlimited.com/kb/article.php?id=587, and was following the steps to restore the winre.wim. I did that and now do see the "Repair your computer" option, but it still gives me the error I referenced earlier: "Windows failed to start. A recent hardware or software change might be the cause." Status: 0xc000000f Info: The boot selection failed because a required device is inaccessible. It tells you to insert your Windows installation disc and restart the computer and then use "Repair your computer" from there.
  6. When I run reagentc /disable it says "REAGENTC.EXE: Operation failed: 2 The system cannot find the file specified."
  7. I tried that and I get an error stating "Operation Failed: 64e Product is uninstalled". So it seems that the recovery console is uninstalled and I need to reinstall it. I haven't found a way to do it.
  8. I attached the file with the results of reagentc /info: reagentc.txt
  9. I am about to restart to see if the issues have gone away. But I still have the issue that when I tried to go into the Recovery console after reboot, I get the error "Windows failed to start. A recent hardware or software change might be the cause." Status: 0xc000000f Info: The boot selection failed because a required device is inaccessible. It tells you to insert your Windows installation disc and restart the computer and then use "Repair your computer" from there. I was able to get to the recovery console from there and then followed your instructions. The only issue is that now I don't have the "Repair your computer" option after hitting the F8 key. I would like to know how to add the option back?
  10. Also, I was able to run PowerTools x64 and am attaching the results: notify.csv
  11. AutoKMS has been running for some years, but this infection just started on 12/5/17. Can I delete all the other registry entries that RogueKiller found?
  12. This thing took forever to run. The results are below:

      RogueKiller V12.11.28.0 (x64) [Dec 11 2017] (Free) by Adlice Software
      mail : http://www.adlice.com/contact/
      Feedback : https://forum.adlice.com
      Website : http://www.adlice.com/download/roguekiller/
      Blog : http://www.adlice.com

      Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
      Started in : Normal mode
      User : smills [Administrator]
      Started from : C:\Users\smills\Desktop\RogueKiller_portable64.exe
      Mode : Scan -- Date : 12/13/2017 02:36:39 (Duration : 09:13:40)

      ¤¤¤ Processes : 1 ¤¤¤
      [PUP.HackTool|VT.Detected] AutoKMS.exe(1460) -- C:\Windows\AutoKMS\AutoKMS.exe[-] -> Found

      ¤¤¤ Registry : 16 ¤¤¤
      [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Found
      [Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{E86236DE-9BD2-42b7-86F6-A829D8EC768C} (C:\Users\smills\AppData\Local\DIRECTV Player\win64\npPlayerPlugin64.dll) -> Found
      [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Found
      [PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Found
      [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F9B35118-A546-432D-9E27-9DC8DBCD128E} | NameServer : 10.24.16.45,10.68.100.13 ([][]) -> Found
      [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F9B35118-A546-432D-9E27-9DC8DBCD128E} | NameServer : 10.24.16.45,10.68.100.13 ([][]) -> Found
      [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {725EE339-FA8E-415A-B00C-F722DBDA4BC7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\smills\AppData\Local\Programs\Fiddler\Fiddler.exe|Name=FiddlerProxy|Desc=Permit inbound connections to Fiddler|Defer=User| [7] -> Found
      [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {725EE339-FA8E-415A-B00C-F722DBDA4BC7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\smills\AppData\Local\Programs\Fiddler\Fiddler.exe|Name=FiddlerProxy|Desc=Permit inbound connections to Fiddler|Defer=User| [7] -> Found
      [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2 -> Found
      [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
      [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2 -> Found
      [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
      [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2 -> Found
      [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
      [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2 -> Found
      [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found

      ¤¤¤ Tasks : 1 ¤¤¤
      [PUP.HackTool|VT.Detected] \AutoKMS -- C:\Windows\AutoKMS\AutoKMS.exe -> Found

      ¤¤¤ Files : 4 ¤¤¤
      [PUP.Gen1][Folder] C:\ProgramData\Partner -> Found
      [PUP.HackTool][Folder] C:\Windows\AutoKMS -> Found
      [PUP.uTorrentAds][File] C:\Users\smills\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
      [PUP.Gen1][Folder] C:\ProgramData\Partner -> Found

      ¤¤¤ WMI : 0 ¤¤¤

      ¤¤¤ Hosts File : 0 ¤¤¤

      ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

      ¤¤¤ Web browsers : 3 ¤¤¤
      [PUP.Gen2][Firefox:Addon] wz1ox6y2.default : Amazon Assistant for Firefox [abb@amazon.com] -> Found
      [PUP.Gen0][Chrome:Addon] Default : JSONView [chklaanhfefbnpoihckbnefhakgolnmc] -> Found
      [PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [https://webmd.okta.com] -> Found

      ¤¤¤ MBR Check : ¤¤¤
      +++++ PhysicalDrive0: Hitachi HTS725050A9A360 +++++
      --- User ---
      [MBR] db89b7c60f30281ca2303db91f8cb6f3
      [BSP] cd04164ecd9b320d630b54c6990d9a36 : Windows Vista/7/8|VT.Unknown MBR Code
      Partition table:
      0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10297 MB
      1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 21090304 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
      2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 21295104 | Size: 466541 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
      User = LL1 ... OK
      User = LL2 ... OK
  13. I went into safe mode to get the report from the Malwarebytes scan. The results are below:

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Scan Date: 12/12/17
      Scan Time: 6:10 PM
      Log File: a1aba4e0-df91-11e7-a58e-00ff5b286276.json
      Administrator: Yes

      -Software Information-
      Version: 3.3.1.2183
      Components Version: 1.0.262
      Update Package Version: 1.0.3476
      License: Trial

      -System Information-
      OS: Windows 7 Service Pack 1
      CPU: x64
      File System: NTFS
      User: FLASH\smills

      -Scan Summary-
      Scan Type: Threat Scan
      Result: Completed
      Objects Scanned: 612874
      Threats Detected: 1
      Threats Quarantined: 1
      Time Elapsed: 2 hr, 28 min, 31 sec

      -Scan Options-
      Memory: Enabled
      Startup: Enabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Enabled
      Heuristics: Enabled
      PUP: Detect
      PUM: Detect

      -Scan Details-
      Process: 0 (No malicious items detected)
      Module: 0 (No malicious items detected)
      Registry Key: 0 (No malicious items detected)
      Registry Value: 0 (No malicious items detected)
      Registry Data: 0 (No malicious items detected)
      Data Stream: 0 (No malicious items detected)
      Folder: 0 (No malicious items detected)
      File: 1
      Generic.Malware/Suspicious, C:\USERS\SMILLS\DESKTOP\ESYSPLUS2.8.ZIP, Quarantined, [0], [392686],1.0.3476
      Physical Sector: 0 (No malicious items detected)

      (end)
  14. I ran the Malwarebytes Anti-Rootkit process and it didn't report any malware, but a suspicious file, which is a file I know isn't infected; it is a data file for an automotive program. It said it will need to reboot to complete the process and I did that, but now I cannot go back into Malwarebytes to get the results. Also, there is a process called nvvsvc.exe in the Windows Task Manager and when I try to end the process it says 'Access is denied'. I believe this is the process stopping me from running Malwarebytes, PowerTools and FRST64. What should I do now?
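Post 11 asks whether every registry entry RogueKiller listed can be deleted, and post 12 pastes the report. As an added example (not code from the original thread or from Adlice), this Python parser reads that report layout, checks each section's declared count against the entries actually pasted, and separates PUP entries from PUM ones, which are setting changes (here a DNS server and Start menu flags) that should be confirmed before they are reverted. The sample report is constructed from lines quoted in post 12, with the section counts reduced to match.

```python
import re
from collections import defaultdict

# Constructed sample in RogueKiller's report layout, built from entries quoted in post 12 above.
SAMPLE_REPORT = r"""
¤¤¤ Processes : 1 ¤¤¤
[PUP.HackTool|VT.Detected] AutoKMS.exe(1460) -- C:\Windows\AutoKMS\AutoKMS.exe[-] -> Found
¤¤¤ Registry : 3 ¤¤¤
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F9B35118-A546-432D-9E27-9DC8DBCD128E} | NameServer : 10.24.16.45,10.68.100.13 ([][]) -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
¤¤¤ Files : 2 ¤¤¤
[PUP.HackTool][Folder] C:\Windows\AutoKMS -> Found
[PUP.uTorrentAds][File] C:\Users\smills\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
"""
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>[A-Za-z ]+?) : (?P<count>\d+)")
FINDING_RE = re.compile(r"^\[(?P<tags>[^\]]+)\](?:\[(?P<kind>[^\]]+)\])? (?P<detail>.*) -> Found$")

def parse_report(text):
    """Return (findings, declared): one dict per '-> Found' line, plus the count each ¤¤¤ header declares."""
    findings, declared, section = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            declared[section] = int(m.group("count"))
            continue
        m = FINDING_RE.match(line)
        if m and section:
            tags = m.group("tags").split("|")          # e.g. ["PUP.HackTool", "VT.Detected"]
            findings.append({"section": section, "family": tags[0], "kind": m.group("kind"),
                             "vt_detected": "VT.Detected" in tags, "detail": m.group("detail")})
    return findings, declared

def truncated_sections(findings, declared):
    """Sections whose declared count differs from the entries present, which flags a clipped paste."""
    seen = defaultdict(int)
    for f in findings:
        seen[f["section"]] += 1
    return {s: (n, seen[s]) for s, n in declared.items() if seen[s] != n}

def triage(findings):
    """Bucket by prefix: PUP (unwanted program, removal candidate) versus PUM (a changed setting such as
    a DNS server or Start menu flag, often legitimate and to be confirmed before it is reverted)."""
    buckets = defaultdict(list)
    for f in findings:
        buckets[f["family"].split(".")[0]].append(f)
    return dict(buckets)
```

Run `triage(parse_report(SAMPLE_REPORT)[0])` to see the PUP and PUM groups; a non-empty result from `truncated_sections` means the pasted report is incomplete and the helper's answer would be based on partial data.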