computer crash [Solved]



#76 wilma1313 (Silver Member, Authentic Member, 386 posts)

Posted 05 July 2014 - 07:48 AM

good morning. only 1 log, I read back and directions indicated second log only generated on first use. At any rate the log I got is posted. Thanks!



#77 Tomk (Beguilement Monitor, Classroom Admin, 20,115 posts)

Posted 06 July 2014 - 05:43 PM

The only programs that ran between when you said things were "good" and when you said things were "bad" were your task scheduler and an ESET file.  Did you run ESET online again?  If so, did it find anything?

 

Bottom line is that there is, in fact, a new dropper showing in your log.  I don't know how it got there.  It appears you are connected to 3 skydrives.  Could you have something saved there that is infected?

 

Let's clean what we see:

 

Open notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select copy. Paste this into the open notepad. Save it as fixlist.txt
 

SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR NewTab: "chrome-extension://bakijjialdiiboeaknfpmflphhmljfkd/content/newtab/newtab.html"
CHR DefaultSearchProvider: "name": "Speedial"


NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
 

 


Tomk
------------------------------------------------------------
Topics are closed after 5 days without response


#78 wilma1313 (Silver Member, Authentic Member, 386 posts)

Posted 08 July 2014 - 08:04 AM

ESET hung but there were three things. I ran ESET long after things went bad. It literally went from good to bad without either one of us using the computer. I don't get it.


What is a task scheduler and what is a sky drive?

Edited by wilma1313, 08 July 2014 - 08:09 AM.


#79 wilma1313 (Silver Member, Authentic Member, 386 posts)

Posted 08 July 2014 - 08:16 AM

good morning here is the log.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-07-2014 01
Ran by l at 2014-07-08 09:15:31 Run:2
Running from C:\Users\l\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR NewTab: "chrome-extension://bakijjialdiiboeaknfpmflphhmljfkd/content/newtab/newtab.html"
CHR DefaultSearchProvider: "name": "Speedial"
*****************

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
CHR NewTab: "chrome-extension://bakijjialdiiboeaknfpmflphhmljfkd/content/newtab/newtab.html" ==> The Chrome "Settings" can be used to fix the entry.
CHR DefaultSearchProvider: "name": "Speedial" ==> The Chrome "Settings" can be used to fix the entry.

==== End of Fixlog ====
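An added example, not part of this thread and not code from FRST: a small Python script that reads a Fixlog.txt and separates the entries FRST actually changed from the ones it handed back to the user. The Fixlog above is embedded as sample input. Only the "=>" / "==>" outcome lines are interpreted, and the two outcome phrases the script keys on are the ones that appear in that log; any other outcome text is put in a "review" bucket rather than guessed at. Run on the log above it reports one entry fixed (the IE SearchScopes default) and two Chrome entries (the Speedial new-tab extension and default search provider) still outstanding, so the Chrome side of the hijack is not yet cleaned at this point in the thread.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the Fixlog.txt posted above, embedded so the script runs offline.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-07-2014 01
Ran by l at 2014-07-08 09:15:31 Run:2
Running from C:\Users\l\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR NewTab: "chrome-extension://bakijjialdiiboeaknfpmflphhmljfkd/content/newtab/newtab.html"
CHR DefaultSearchProvider: "name": "Speedial"
*****************

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
CHR NewTab: "chrome-extension://bakijjialdiiboeaknfpmflphhmljfkd/content/newtab/newtab.html" ==> The Chrome "Settings" can be used to fix the entry.
CHR DefaultSearchProvider: "name": "Speedial" ==> The Chrome "Settings" can be used to fix the entry.

==== End of Fixlog ====
"""

FIXLIST_SEPARATOR = "*****************"   # FRST echoes the fixlist between two of these
# An outcome line is "<item> => <outcome>" or "<item> ==> <outcome>"; the log uses both.
OUTCOME_RE = re.compile(r"^(?P<item>.+?)\s+=+>\s+(?P<outcome>.+?)\s*$")

# Outcome phrases seen in the posted log and the bucket each maps to. Anything
# else lands in "review" so an unfamiliar message is surfaced, not misfiled.
OUTCOME_BUCKETS: List[Tuple[str, str]] = [
    ("successfully", "fixed"),          # FRST changed the setting itself
    ("can be used to fix", "manual"),   # FRST declined; must be fixed in the app
]


def triage_fixlog(text: str) -> Dict[str, List[str]]:
    """Return the requested fixlist and each outcome line sorted into a bucket."""
    lines = text.splitlines()
    seps = [i for i, ln in enumerate(lines) if ln.strip() == FIXLIST_SEPARATOR]
    result: Dict[str, List[str]] = {"fixlist": [], "fixed": [], "manual": [], "review": []}
    if len(seps) >= 2:
        result["fixlist"] = [ln for ln in lines[seps[0] + 1:seps[1]] if ln.strip()]
        body = lines[seps[1] + 1:]
    else:
        body = lines  # tolerate a log that does not echo the fixlist
    for ln in body:
        m = OUTCOME_RE.match(ln.strip())
        if not m:
            continue
        low = m.group("outcome").lower()
        bucket = next((b for phrase, b in OUTCOME_BUCKETS if phrase in low), "review")
        result[bucket].append(m.group("item"))
    return result


def needs_followup(result: Dict[str, List[str]]) -> bool:
    """True when at least one fixlist item was not removed by FRST itself."""
    return bool(result["manual"] or result["review"])


if __name__ == "__main__":
    r = triage_fixlog(SAMPLE_FIXLOG)
    for bucket in ("fixed", "manual", "review"):
        for item in r[bucket]:
            print(f"{bucket:7} {item}")
    print("follow-up needed:", needs_followup(r))
```

Point the script at a real Fixlog with `triage_fixlog(open("Fixlog.txt", encoding="utf-8").read())`. The "manual" bucket is the one to act on: those entries are still live until they are removed in the browser's own settings or through a later fix.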

#80 wilma1313 (Silver Member, Authentic Member, 386 posts)

Posted 08 July 2014 - 09:27 AM

Ok. I no longer can access internet with that computer. I googled sky drive to find out what you were talking about. I looked at my apps and saw we indeed have 3, which I don't use. One is a pay for service which is surely unused. I emailed my husband to ask if he saves or accesses files using those. I reinstalled mbam. It still doesn't run. Now ie doesn't work. I turned off the computer. I guess it's possible I have access via chrome, didn't think of it til now. I am really at a loss. Dropbox is a new addition to my apps, I have never used it. We hardly use the computer. It's basically to check emails, he reads a couple blogs and local newspapers. I used it to hammer out papers for school and used to manage bank and credit cards on it. I used it to apply to a job yesterday. I don't get it.

#81 Tomk (Beguilement Monitor, Classroom Admin, 20,115 posts)

Posted 08 July 2014 - 09:42 AM

Let's try what worked before.

 

Please run Windows Repair (All in One) - post #69 and see if things clear up again.




#82 wilma1313 (Silver Member, Authentic Member, 386 posts)

Posted 09 July 2014 - 06:55 AM

Hi, The fix ran all day and I knew that was not right so I started it again last night and it ran all night. It won't finish but it allows me to get online and get to your site. Avast has been disabled and I can't enable it so I am shutting down the computer again.

What next?

#83 Tomk (Beguilement Monitor, Classroom Admin, 20,115 posts)

Posted 09 July 2014 - 10:24 AM

Let's try this.  Would you please look and see if you have a restore point during the period when things were working correctly (I believe that would be July 3).  If you do, then roll back to that restore point and see if functions are restored.

 

If that doesn't work... and I believe you don't currently have access to the internet... then we need to work with what is onboard.  I think you still have combofix.  Please try to run that again.




#84 wilma1313 (Silver Member, Authentic Member, 386 posts)

Posted 11 July 2014 - 09:09 AM

Good morning, I had mentioned in my last post that my online access was restored but that the fix never finished. Anyway, I tried to restore back to July 2 and was unable. I got a message it was unable to complete and to pick a new date, which would not have helped. I ran combofix. During the run a box popped up stating interference was detected and to scan for rootkits. Combofix ran and afterwards I lost internet access again. I did system restore back to the last restore point and again it said it did not work; however, I have internet again and now can post the combofix log. I have a working AVAST again now, which is good. Here is the log.

This is all very confusing, I have never had an infection like this one.



ComboFix 14-07-11.04 - l 07/11/2014 8:42.1.4 - x64
Microsoft Windows 8 6.2.9200.0.1252.1.1033.18.12207.10614 [GMT -5:00]
Running from: c:\users\l\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: avast! Antivirus *Disabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-06-11 to 2014-07-11 )))))))))))))))))))))))))))))))
.
.
2014-07-11 13:47 . 2014-07-11 13:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-07-11 13:47 . 2014-07-11 13:47 -------- d-----w- c:\users\l\AppData\Local\temp
2014-07-11 13:47 . 2014-07-11 13:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-07-06 20:19 . 2014-07-11 13:33 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2014-07-06 20:19 . 2014-07-11 13:33 -------- d-----w- c:\program files\Microsoft Silverlight
2014-07-04 23:44 . 2014-07-04 23:44 -------- d-----w- c:\program files (x86)\ESET
2014-07-04 19:02 . 2014-07-04 19:02 -------- d-----w- C:\RegBackup
2014-07-03 20:37 . 2014-07-03 20:37 -------- d-----w- c:\users\l\AppData\Roaming\SUPERAntiSpyware.com
2014-07-03 20:37 . 2014-07-11 13:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2014-07-03 20:37 . 2014-07-03 20:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2014-07-02 15:00 . 2014-07-02 15:00 257704 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10243.bin
2014-07-01 22:17 . 2014-07-11 13:34 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-07-01 22:17 . 2014-05-12 12:26 64216 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-07-01 22:17 . 2014-05-12 12:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-01 22:17 . 2014-05-12 12:25 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-06-30 20:19 . 2014-06-30 20:19 -------- d-----w- c:\users\l\AppData\Local\HPConnectedMusic
2014-06-30 13:22 . 2014-07-01 00:52 -------- d-----w- C:\FRST
2014-06-20 21:34 . 2014-06-20 21:34 -------- d-----w- c:\users\l\AppData\Roaming\GARMIN
2014-06-20 21:34 . 2014-06-20 21:34 -------- d-----w- c:\programdata\GARMIN
2014-06-20 21:03 . 2014-06-20 21:03 -------- d-----w- c:\program files\DIFX
2014-06-17 21:55 . 2014-06-17 21:55 -------- d-----w- c:\users\l\AppData\Roaming\WebApp
2014-06-17 19:51 . 2014-06-17 19:51 -------- d-----w- c:\users\l\AppData\Local\Cyberlink
2014-06-16 03:07 . 2014-06-16 03:07 -------- d-----w- c:\users\l\AppData\Local\HP Quick Start
2014-06-14 13:03 . 2014-06-14 13:03 -------- d-----w- c:\users\l\AppData\Local\Adobe
2014-06-11 16:05 . 2014-04-03 11:19 328024 ----a-w- c:\windows\system32\drivers\Classpnp.sys
2014-06-11 16:05 . 2014-04-03 03:44 619008 ----a-w- c:\windows\system32\drivers\srv2.sys
2014-06-11 16:05 . 2014-03-24 23:42 305152 ----a-w- c:\windows\SysWow64\wusa.exe
2014-06-11 16:05 . 2014-03-24 22:56 309760 ----a-w- c:\windows\system32\wusa.exe
2014-06-11 16:05 . 2014-04-29 22:32 1301504 ----a-w- c:\windows\system32\gdi32.dll
2014-06-11 16:05 . 2014-04-29 22:22 1023488 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-06-11 16:00 . 2010-08-30 13:34 536576 ----a-w- c:\windows\SysWow64\sqlite3.dll
2014-06-11 16:00 . 2014-07-02 14:54 -------- d-----w- C:\AdwCleaner
2014-06-11 15:36 . 2014-04-03 11:22 2233176 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-06-11 15:36 . 2014-03-07 00:47 1419264 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-06-11 15:36 . 2014-03-07 00:08 1845760 ----a-w- c:\windows\system32\msxml3.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-11 13:41 . 2014-05-04 21:19 85328 ----a-w- c:\windows\system32\drivers\aswstm.sys
2014-07-11 13:41 . 2014-05-04 21:19 423240 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-07-11 13:41 . 2014-05-04 21:19 1039096 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2014-07-07 03:01 . 2014-04-19 21:20 50784 ----a-w- c:\programdata\Microsoft\windowsfiltering\Sqm\Manifest\Sqm3.bin
2014-06-20 15:09 . 2014-04-20 22:44 588496 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-06-12 08:00 . 2014-04-20 23:10 95414520 ----a-w- c:\windows\system32\MRT.exe
2014-06-09 17:24 . 2014-06-10 14:37 61016 ----a-w- c:\windows\system32\drivers\{a3f28269-ad17-41a8-b032-3e0313ef8979}Gw64.sys
2014-05-31 05:16 . 2012-07-26 08:14 703992 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-31 05:16 . 2012-07-26 08:14 105464 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-28 13:54 . 2014-05-28 13:01 181064 ----a-w- c:\windows\PSEXESVC.EXE
2014-05-12 08:27 . 2012-07-26 02:26 199680 ----a-w- c:\windows\system32\cdd.dll
2014-05-04 21:19 . 2014-05-04 21:19 93568 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-05-04 21:19 . 2014-05-04 21:19 79184 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-05-04 21:19 . 2014-05-04 21:19 65776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-05-04 21:19 . 2014-05-04 21:19 29208 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-05-04 21:19 . 2014-05-04 21:19 208416 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-05-04 21:19 . 2014-05-04 21:19 334648 ----a-w- c:\windows\system32\aswBoot.exe
2014-05-04 21:19 . 2014-05-04 21:19 43152 ----a-w- c:\windows\avastSS.scr
2014-05-04 21:19 . 2014-05-04 21:19 28184 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2014-05-04 20:34 . 2014-04-19 21:20 17536 ----a-w- c:\programdata\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2014-04-30 23:20 . 2014-05-21 15:29 10702536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2BD6D99F-127A-4C60-B25F-0D402985F0DA}\mpengine.dll
2014-04-23 16:50 . 2014-05-17 13:08 1031560 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DBFDA6F8-C9CE-4B93-95AC-772234B75B61}\gapaengine.dll
2014-04-19 15:13 . 2012-07-26 08:13 23264 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-04-19 09:39 . 2014-05-12 09:07 628024 ----a-w- c:\windows\system32\NotificationUI.exe
2014-04-19 08:45 . 2014-05-12 09:07 693760 ----a-w- c:\windows\system32\WSShared.dll
2014-04-19 08:45 . 2014-05-12 09:07 163840 ----a-w- c:\windows\system32\Windows.ApplicationModel.Store.TestingFramework.dll
2014-04-19 06:57 . 2014-05-12 09:07 566784 ----a-w- c:\windows\SysWow64\WSShared.dll
2014-04-19 06:57 . 2014-05-12 09:07 124928 ----a-w- c:\windows\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-04-20 22:46 220632 ----a-w- c:\users\l\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-04-20 22:46 220632 ----a-w- c:\users\l\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-04-20 22:46 220632 ----a-w- c:\users\l\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2014-04-27 39408]
"gStart"="c:\garmin\gStart.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BtTray"="c:\program files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe" [2013-01-10 379904]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-06-08 3890208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys;c:\windows\SYSNATIVE\drivers\aswKbd.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
apphost REG_MULTI_SZ apphostsvc
iissvcs REG_MULTI_SZ w3svc was
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-06-14 12:42 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-27 14:23]
.
2014-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-27 14:23]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-04-20 22:46 244696 ----a-w- c:\users\l\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-04-20 22:46 244696 ----a-w- c:\users\l\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-04-20 22:46 244696 ----a-w- c:\users\l\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-06-20 15:10 2335960 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-06-20 15:10 2335960 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-06-20 15:10 2335960 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-05-04 21:19 290888 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BeatsOSDApp"="c:\program files\IDT\WDM\beats64.exe" [2012-08-22 41664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-11-13 1664000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2013-03-26 164848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2013-03-26 406512]
"Persistence"="c:\windows\system32\igfxpers.exe" [2013-03-26 439792]
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = https://www.yahoo.co...t&type=avastbcl
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE} - c:\program files (x86)\InstallShield Installation Information\{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
Completion time: 2014-07-11 08:50:18
ComboFix-quarantined-files.txt 2014-07-11 13:50
ComboFix2.txt 2014-07-02 21:08
.
Pre-Run: 1,928,420,233,216 bytes free
Post-Run: 1,927,983,628,288 bytes free
.
- - End Of File - - D5BB535E50AB6E461D41111F7C6F8578
5FB38429D5D77768867C76DCBDB35194

#85 Tomk (Beguilement Monitor, Classroom Admin, 20,115 posts)

Posted 11 July 2014 - 10:29 AM

Hmm... It is indeed interesting that you keep losing your internet access... and then get it back.  In the CF log you provided, CF didn't remove anything except for an entry that pointed to a file that didn't exist.

 

The good news is you have internet access so I'd like to look for a rootkit.

 

Download the latest version of TDSSKiller from here and save it to your Desktop.
 
 

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

 
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
 

 





#86 wilma1313 (Silver Member, Authentic Member, 386 posts)

Posted 11 July 2014 - 11:57 AM

Hi again,

Nothing found. It is interesting IE would not allow me to go to the link you provided. I was able to get there using chrome. Something is still messing with me.

What next?

#87 Tomk (Beguilement Monitor, Classroom Admin, 20,115 posts)

Posted 11 July 2014 - 02:13 PM

Let's retry another tool.

 

 

  • Download RogueKiller and save it to your desktop.
  • Quit all other programs.
  • Start RogueKiller.exe.
  • Wait until the Prescan has finished.
  • Click on Scan.
  • Wait for the end of the scan.
  • A report will be created on your desktop.
  • Click on the Delete button.
  • Next click on the ShortcutsFix.
  • Another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.
 
 
 

 




#88 wilma1313 (Silver Member, Authentic Member, 386 posts)

Posted 11 July 2014 - 07:06 PM

Good grief, I wasn't allowed to post from my computer; it kept saying the post was empty. I had to copy and paste it into an email to myself and post from my iPad. What next, is this thing gonna drink all the beer in my fridge? Lol

OK, I have completely different tabs than what you show. I do not have a shortcut fix. What exactly am I hitting delete on? I have lots of stuff that could be deleted under the registry tab, one thing in hosts, lots of things under antirootkit, and lots of things under browsers. I will post the report I got (which I had to hit the report button to get; it does not just pop up on the desktop). I will await clear deleting instructions from you. This reminds me, I meant to mention that the steps are also very different from the directions you give on the newer versions of Tweaking Windows as well. Thanks.

RogueKiller V9.2.2.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : l [Admin rights]
Mode : Scan -- Date : 07/11/2014 19:46:57

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63F6AE22-B6DD-4476-A864-3652DE675725} | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D9443B57-4010-4CB8-8171-44BCB8CF3513} | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{63F6AE22-B6DD-4476-A864-3652DE675725} | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D9443B57-4010-4CB8-8171-44BCB8CF3513} | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST2000DM001-1CH164 +++++
--- User ---
[MBR] fb2c3fc65261573874936bf2118697dc
[BSP] dcfc9110a497e768fae04a96b60f49a8 : Unknown MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- MS/MS-PRO USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

#89 Tomk (Beguilement Monitor, Classroom Admin, 20,115 posts)

Posted 12 July 2014 - 11:39 AM

Most everything is related to the Time Warner DNS.  This is not a "bad" entry... though many people have had problems with them so have used public DNS servers like Google or OpenDNS.  I, personally, use OpenDNS.  I suggest that you go ahead and fix all of the entries... and then you will need to manually set a new DNS.  Directions for doing that to OpenDNS can be found here: https://support.open...8-Configuration

 

Please give that a try and then let me know how things are operating.


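An added example, not from the thread and not code from RogueKiller: a Python triage of the [PUM.Dns] lines in a RogueKiller report, making the same check Tomk describes above, namely whether the resolvers recorded in the registry are ones you expect. The sample input copies four lines from the report in post #88 (the values also agree with the "TCP: DhcpNameServer" line in the ComboFix log in post #84) plus one constructed line, marked in the code, with a zeroed interface GUID and a static NameServer of 203.0.113.7 (a TEST-NET-3 documentation address) so the unexpected-resolver path is exercised. The expected-resolver list is an assumption based on Tomk identifying 209.18.47.61/.62 as the ISP's DNS. DhcpNameServer is the value leased from DHCP (here, from the router) and NameServer is a static override; the script lists static overrides separately because a resolver that was typed into the adapter, rather than leased, is the one to question first.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Sample input: the first three [PUM.Dns] lines and one [PUM.DesktopIcons] line
# copied from the RogueKiller report posted above, plus ONE CONSTRUCTED line
# (the zeroed interface GUID with a static "NameServer" of 203.0.113.7, a
# TEST-NET-3 documentation address) added so the unexpected-resolver path runs.
SAMPLE_REPORT = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63F6AE22-B6DD-4476-A864-3652DE675725} | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000} | NameServer : 203.0.113.7 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
"""

# ASSUMPTION: the resolvers the analyst expects on this machine. Tomk identifies
# 209.18.47.61/.62 as the ISP's DNS, so they are the baseline here; after a
# switch to OpenDNS this list would be replaced with the addresses configured.
EXPECTED_RESOLVERS = ["209.18.47.61", "209.18.47.62"]

# One RogueKiller DNS line: "[PUM.Dns] (X64) <key> | <value name> : <ip ip ...> -> FOUND"
PUM_DNS_RE = re.compile(
    r"^\[PUM\.Dns\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>\S+)\s+\|\s+"
    r"(?P<value>\w+)\s*:\s*(?P<ips>[0-9A-Fa-f:.\s]+?)\s*->\s*FOUND\s*$"
)


class DnsEntry(NamedTuple):
    key: str        # registry key the value lives under
    value: str      # "DhcpNameServer" (leased from DHCP) or "NameServer" (static)
    ips: List[str]  # resolver addresses, normalised through ipaddress


def parse_dns_entries(report: str) -> List[DnsEntry]:
    """Pull every [PUM.Dns] line out of a RogueKiller report."""
    entries: List[DnsEntry] = []
    for line in report.splitlines():
        m = PUM_DNS_RE.match(line.strip())
        if not m:
            continue
        ips: List[str] = []
        for token in m.group("ips").split():
            try:
                ips.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue  # skip anything that is not an address rather than abort
        entries.append(DnsEntry(m.group("key"), m.group("value"), ips))
    return entries


def triage(report: str, expected: List[str]) -> Dict[str, List[DnsEntry]]:
    """Bucket DNS entries by whether every resolver is on the expected list.

    Static "NameServer" overrides are also listed separately: a resolver that
    was typed into the adapter, rather than leased from the router, is the one
    to question first when a DNS change is suspected.
    """
    allowed = {str(ipaddress.ip_address(a)) for a in expected}
    out: Dict[str, List[DnsEntry]] = {"expected": [], "unexpected": [], "static_override": []}
    for entry in parse_dns_entries(report):
        bucket = "unexpected" if any(ip not in allowed for ip in entry.ips) else "expected"
        out[bucket].append(entry)
        if entry.value == "NameServer" and entry.ips:
            out["static_override"].append(entry)
    return out


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT, EXPECTED_RESOLVERS).items():
        for e in entries:
            print(f"{bucket:16} {e.value:15} {' '.join(e.ips):30} {e.key}")
```

After switching the adapter to OpenDNS as Tomk suggests, put those addresses in EXPECTED_RESOLVERS and rerun the script on the next report. DhcpNameServer keeps showing whatever the router offers even once a static resolver is set, so on that later report the comparison that matters is the NameServer value against the list you configured.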


#90 wilma1313 (Silver Member, Authentic Member, 386 posts)

Posted 13 July 2014 - 09:50 AM

OK, so I didn't even know what a DNS is, but I briefly looked it up. So does this mean this whole mess is coming down to that whole issue of the strange purple network that we went back and forth on from the beginning?

Are there any consequences to changing this? Like, am I going to have to figure it all out again when I get a new computer and/or router? I am NOT tech savvy.
