TaxSleuth
Honorary Members
Posts: 29
Reputation: 0 Neutral
  1. Okay, so when I ran the repair you recommended, my computer became non-functional. It lost access to the internet and printers etc. I therefore did a System Restore, and now it is back to working. It is working so much better now, but I realize I am not out of the woods. I understand this is not your procedure (doing a restore), but in this instance, the cure was too 'brute force'. I am uploading the fixlog. I have glanced through it and I can see the many 'attention' indicators; can we work through the issues it flagged? I hope you aren't offended, I know that to do this wonderful work you do, you need to be systematic about this. You also suggested I run Malwarebytes and AdwCleaner. I ran AdwCleaner. I have Malwarebytes installed but it will not launch. (?) Should I delete and re-install it? Charles
     Attachments: AdwCleaner[C01].txt, AdwCleaner[S01].txt, Fixlog.txt
  2. Hi, here are the two log files. Thank you!
     Attachments: FRST.txt, Addition.txt
  3. PC is Windows 10. Today it re-booted while I was sitting here. When I went to log back into the desktop, it said my PIN had been lost. Then, it wouldn't let me reset the PIN. Eventually, I was locked out of my own PC because only my login had administrator rights, and without administrator rights I couldn't log in. EVENTUALLY, I found something called "PassFab" by 4Winkey and was able to break into my locked computer. But that was only the beginning of the weirdness. Malwarebytes would not run (and it still doesn't). I had definitely established RESTORE POINTS a few weeks ago. Those can't be found. I have not upgraded Windows 10 recently (by this I mean in the last couple of weeks). I wound up launching services.msc and many services that should be running were now disabled. For example, Malwarebytes services were now disabled. I re-started them but Malwarebytes still did not work. Anyway, I am still hoping that I am not affected, but that a file somewhere is corrupted. However, I cannot run SFC /Scannow, and I did a deep check on my computer a few weeks back. Ran all sorts of special antivirus, SFC, the other things, all this without any hitches a few weeks ago. So, help me, Obi-wan.... I have gone ahead and generated the logs and have attached them here.
     Attachment: mbst-grab-results.zip
  4. So, all of a sudden, this computer just starts moving in ultra-slow motion. I do have anti-virus, firewall, etc. So I run ESET online and it finds a Trojan and deletes it. Yuck! But the computer is still acting weird. I hit control-alt-delete, which takes forever to open up if at all, and there are like a zillion chrome.exe files even though I only have like a few windows open. I shut down Chrome completely. Still a bunch of these chrome.exe files, and they are consuming lots and lots of memory. Not sure what gives, and I am now at the limits of this type of computer knowledge. I hand it over to the masters. I tried to copy and paste the logs but was unable to, am attaching as text docs. Thank you, Chas.
     Attachments: FRST.txt, Addition.txt
  5. You're really lucky if you get MrCharlie to help you. Very thorough. Very responsive.

  6. Results of screen317's Security Check version 0.99.77
     Windows 7 Service Pack 1 x64 (UAC is enabled)
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Disabled!
     Microsoft Security Essentials
     Antivirus up to date!
     `````````Anti-malware/Other Utilities Check:`````````
     SpywareBlaster 5.0
     Malwarebytes Anti-Malware version 1.75.0.1300
     JavaFX 2.1.1
     Java 7 Update 45
     Adobe Reader 10.1.6 Adobe Reader out of Date!
     Google Chrome 30.0.1599.101
     Google Chrome 31.0.1650.57
     Google Chrome Plugins...
     ````````Process Check: objlist.exe by Laurent````````
     Microsoft Security Essentials MSMpEng.exe
     Microsoft Security Essentials msseces.exe
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbamgui.exe
     Tall Emu Online Armor OAcat.exe
     Tall Emu Online Armor oasrv.exe
     Tall Emu Online Armor oaui.exe
     Tall Emu Online Armor OAhlp.exe
     Malwarebytes' Anti-Malware mbamscheduler.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 0%
     ````````````````````End of Log``````````````````````
  7. # AdwCleaner v3.013 - Report created 30/11/2013 at 14:06:48
     # Updated 24/11/2013 by Xplode
     # Operating System : Windows 7 Professional Service Pack 1 (64 bits)
     # Username : Installer - WIN7
     # Running from : C:\Users\Installer\Desktop\AdwCleaner.exe
     # Option : Clean
     ***** [ Services ] *****
     ***** [ Files / Folders ] *****
     ***** [ Shortcuts ] *****
     ***** [ Registry ] *****
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_0beb79c1
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_magic-pack-wallpaper_RASAPI32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_magic-pack-wallpaper_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7697BC38-D0FA-454B-AC75-968B4CCABFCE}
     Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{7697BC38-D0FA-454B-AC75-968B4CCABFCE}
     Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
     Key Deleted : HKCU\Software\anchorfree
     Key Deleted : HKCU\Software\APN PIP
     Key Deleted : HKCU\Software\PIP
     Key Deleted : HKCU\Software\Softonic
     Key Deleted : HKLM\Software\PIP
     Key Deleted : HKLM\Software\SP Global
     Key Deleted : HKLM\Software\SProtector
     ***** [ Browsers ] *****
     -\\ Internet Explorer v8.0.7601.17514
     -\\ Google Chrome v31.0.1650.57
     THIS IS THE AdwCleaner REPORT Post-Cleanup
     ****************************************
     [ File : C:\Users\Installer\AppData\Local\Google\Chrome\User Data\Default\preferences ]
     *************************
     AdwCleaner[R0].txt - [2809 octets] - [30/11/2013 11:03:46]
     AdwCleaner[R1].txt - [2811 octets] - [30/11/2013 14:05:36]
     AdwCleaner[S0].txt - [2604 octets] - [30/11/2013 14:06:48]
     ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2664 octets] ##########
     ****************************************
     HERE IS THE MALWAREBYTES REPORT
     Malwarebytes Anti-Malware (Corporate) 1.75.0.1300
     www.malwarebytes.org
     Database version: v2013.11.30.04
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 8.0.7601.17514
     Installer :: WIN7 [administrator]
     Protection: Enabled
     11/30/13 2:17:25 PM
     mbam-log-2013-11-30 (14-17-25).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
     Scan options disabled:
     Objects scanned: 225976
     Time elapsed: 9 minute(s), 54 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 0
     (No malicious items detected)
     (end)
     ****************************************
     Computer seems to be running fine now.
  8. I am not sure what to check/uncheck, so I am going to post the report for your advice. (I am going to be uninstalling Spyhunter)
     # AdwCleaner v3.013 - Report created 30/11/2013 at 11:03:46
     # Updated 24/11/2013 by Xplode
     # Operating System : Windows 7 Professional Service Pack 1 (64 bits)
     # Username : Installer - WIN7
     # Running from : C:\Users\Installer\Desktop\AdwCleaner.exe
     # Option : Scan
     ***** [ Services ] *****
     ***** [ Files / Folders ] *****
     File Found : C:\Windows\System32\Tasks\SpyHunter4Startup
     ***** [ Shortcuts ] *****
     ***** [ Registry ] *****
     Key Found : HKCU\Software\anchorfree
     Key Found : HKCU\Software\APN PIP
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
     Key Found : HKCU\Software\PIP
     Key Found : HKCU\Software\Softonic
     Key Found : [x64] HKCU\Software\anchorfree
     Key Found : [x64] HKCU\Software\APN PIP
     Key Found : [x64] HKCU\Software\PIP
     Key Found : [x64] HKCU\Software\Softonic
     Key Found : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
     Key Found : HKLM\SOFTWARE\Classes\AppID\secman.DLL
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{7697BC38-D0FA-454B-AC75-968B4CCABFCE}
     Key Found : HKLM\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}
     Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
     Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
     Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
     Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
     Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_magic-pack-wallpaper_RASAPI32
     Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_magic-pack-wallpaper_RASMANCS
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_0beb79c1
     Key Found : HKLM\Software\PIP
     Key Found : HKLM\Software\SP Global
     Key Found : HKLM\Software\SProtector
     Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
     Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
     Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{7697BC38-D0FA-454B-AC75-968B4CCABFCE}
     Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
     ***** [ Browsers ] *****
     -\\ Internet Explorer v8.0.7601.17514
     -\\ Google Chrome v31.0.1650.57
     [ File : C:\Users\Installer\AppData\Local\Google\Chrome\User Data\Default\preferences ]
     *************************
     AdwCleaner[R0].txt - [2637 octets] - [30/11/2013 11:03:46]
     ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2697 octets] ##########
  9. I think I managed to not attach COMBOFIX.TXT. In the Microsoft Security Essentials it also says:
     Items: file:C\Program Files (x86)\Access Denied XP\uninst.dll
     Thanks again
     Attachment: ComboFix.txt
  10. Okay, well first off, I am looking over this print out myself and it looks like I managed to not turn off Malwarebytes. (It is still listed as a process that's running at the bottom.) I have attached Combofix.txt as a file. Secondly, when I was going through and turning off the anti-virus stuff, I found the following in the History of Microsoft Security Essentials:
     Detected Item: Trojan:Win32/Comisproc
     Alert level: Severe
     Date: 11/29/13 5:15 PM
     Action taken: Quarantined
     ****************************************
     There's a Remove all button. I am thinking I should select it?
  11. Oops...sorry,...I hit the post button by accident. Anyway, I pressed "No" when the anti-rootkit said that. Let me know if I should say "yes".
     ****************************************
     At the end of the scan, it said:
     "Congratulation: no cleanup is required! Scan finished: No malware found!"
     ****************************************
     I am having trouble finding the logs. Am going to do a search for them and post them in my next post. Sorry for dragging this out.
  12. Thanks again. First off, the computer is still trying to access that IP address, every ten minutes or so. I ran the rootkit as requested. First off, when I was installing it, I got the following message:
     Registry value "appInit_Dlls" has been found, which may be caused by rootkit activity. Note: Press "No" button if you're not sure...
  13. Thank you for picking up this thread. Happy Thanksgiving. Here is the report from RogueKiller
     ****************************************
     RogueKiller V8.7.9 _x64_ [Nov 25 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.adlice.com/forum/
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://tigzyrk.blogspot.com/
     Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : Installer [Admin rights]
     Mode : Scan -- Date : 11/28/2013 14:10:59
     | ARK || FAK || MBR |
     ¤¤¤ Bad processes : 0 ¤¤¤
     ¤¤¤ Registry Entries : 3 ¤¤¤
     [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     ¤¤¤ Scheduled tasks : 1 ¤¤¤
     [V2][SUSP PATH] {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} : "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" - /silent [7] -> FOUND
     ¤¤¤ Startup Entries : 0 ¤¤¤
     ¤¤¤ Web browsers : 0 ¤¤¤
     ¤¤¤ Particular Files / Folders: ¤¤¤
     ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
     ¤¤¤ External Hives: ¤¤¤
     ¤¤¤ Infection : ¤¤¤
     ¤¤¤ HOSTS File: ¤¤¤
     --> %SystemRoot%\System32\drivers\etc\hosts
     [...]
     ¤¤¤ MBR Check: ¤¤¤
     +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721010CLA332 ATA Device +++++
     --- User ---
     [MBR] b04550b93932001b859d4459a7de2c08
     [BSP] 89c5121ceb2252c70da10d29dbe61be1 : Windows 7/8 MBR Code
     Partition table:
     0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 169993 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 356080720 | Size: 400000 Mo
     3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 1175283649 | Size: 75000 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!
     +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) Generic USB SD Reader USB Device +++++
     Error reading User MBR! ([0x15] The device is not ready. )
     User = LL1 ... OK!
     Error reading LL2 MBR! ([0x32] The request is not supported. )
     +++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) Generic USB CF Reader USB Device +++++
     Error reading User MBR! ([0x15] The device is not ready. )
     User = LL1 ... OK!
     Error reading LL2 MBR! ([0x32] The request is not supported. )
     +++++ PhysicalDrive3: (\\.\PHYSICALDRIVE4 @ USB) Generic USB MS Reader USB Device +++++
     Error reading User MBR! ([0x15] The device is not ready. )
     User = LL1 ... OK!
     Error reading LL2 MBR! ([0x32] The request is not supported. )
     Finished : << RKreport[0]_S_11282013_141059.txt >>
     ****************************************