AV blocking address constantly

[MrCharlie]

Please re-scan with FRST and Make sure the Addition Box is checked.

Post or attach the 2 logs FRST(64).txt and Addition.txt

MrC

[Yippee38]

Re-scanned with FRST.  Here are the two logs.

FRST.txt

Addition.txt

[Yippee38]

BTW, I've noticed something else last time and this time too.  After I close down Firefox with more than one tab open, when I open it later. the tab I was on will instead load my homepage (facebook).  I can hit the back button and get to the previous page. 

[MrCharlie]

Download and run this tool on every user twice:

http://kb.eset.com/esetkb/index?page=content&id=SOLN3587 <---Poweliks

Then........Download, update and run Malwarebytes Anti-Rookit:

https://malwarebytes.app.box.com/s/xiaxsbl4cjdyyqx5wp8q <-----MBAR

Let me know.....MrC

[Yippee38]

I ran the ESET software on all three accounts and it said, "No threat found" on all of them.

 

I then ran the Malwarebytes Rootkit tool and it said, "Congratulation!  No threats found".

[MrCharlie]

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[Yippee38]

Ok.  I finally got ComboFix to run.  Here is the report.

ComboFix.txt

[MrCharlie]

Is there any difference????

MrC

[Yippee38]

I'm not getting the message any more, and my browser's weird behavior seems to be fixed.  The sound card control panel was still causing me problems, until I ran ComboFix.  Now everything seems to be running correctly.

[MrCharlie]

OK..keep an eye on it and report back in a day or so.

MrC

[Yippee38]

Will do.

[Yippee38]

I seem to have lost, not only my folder options (stuff like "Show hidden files, folders, and drives"), but also all of my file associations.  That's not a huge deal as I can fix that easily enough.  Just a bit of an annoyance.  I'm not sure if ComboFix did that, or the malware did.

 

Other than that, so far, so good.

[MrCharlie]

Run rkill, should restore some of it.

Download and run rkill (post the log):

http://www.bleepingcomputer.com/download/rkill/dl/132/

MrC

[Yippee38]

Ok.  Here it is.

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/11/2014 01:47:01 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\SysWOW64\HsMgr.exe (PID: 2872) [WD-HEUR]
 * C:\Windows\system\HsMgr64.exe (PID: 3000) [WD-HEUR]
 * C:\Windows\Samsung\PanelMgr\SSMMgr.exe (PID: 4504) [WD-HEUR]
 * C:\Windows\Samsung\PanelMgr\caller64.exe (PID: 4656) [WD-HEUR]

4 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

 * WSearch [Missing Service]

Searching for Missing Digital Signatures:

 * C:\Windows\System32\UxTheme.dll : 332,288 : 01/18/2013 03:56 PM : 8bf20c54ffb37cfb960f708ffa813fa7 [NoSig]
 +-> C:\Windows\SysWOW64\uxtheme.dll : 245,760 : 07/13/2009 07:11 PM : 43964fa89ccf97ba6be34d69455ac65f [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-uxtheme_31bf3856ad364e35_6.1.7600.16385_none_01d98c7b2040a1b9\uxtheme.dll : 332,288 : 07/13/2009 07:41 PM : d29e998e8277666982b4f0303bf4e7af [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-uxtheme_31bf3856ad364e35_6.1.7600.16385_none_0c2e36cd54a163b4\uxtheme.dll : 245,760 : 07/13/2009 07:11 PM : 43964fa89ccf97ba6be34d69455ac65f [Pos Repl]

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 11/11/2014 01:47:18 PM
Execution time: 0 hours(s), 0 minute(s), and 16 seconds(s)

[MrCharlie]

I'm not sure if ComboFix did that, or the malware did.

Malware would have done that...CF would have fixed some of it.

What problems remain???

MrC

[Yippee38]

Besides that stuff, it appears I am again having the problem where the active tab in Firefox is loading to my homepage when I open Firefox..  Everything else seems normal.

[MrCharlie]

If you're good at navigating the registry...this is what it should look like:
 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
"SuperHidden"=dword:00000001
"Hidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"CheckedValue"=dword:00000002
"DefaultValue"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
"DefaultValue"=dword:00000002

 

=========================================

If FireFox isn't working correctly, I suggest you reset it:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

=========================================

rkill should have fixes the file associations

MrC

[Yippee38]

If you're good at navigating the registry...this is what it should look like:

 

I've already manually reset all of that stuff.  I know which things to change by heart by now.

 

File associations do seem to be fixed!

 

I'll do that.  No other problems at all.

[MrCharlie]

So we're all good now????

 

MrC

[Yippee38]

Yes sir!  All seems fine.

 

Thank you again!

[MrCharlie]

OK...Take Care MrC

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!