Duplicate IP Address & Infected Browser



martinatm
2019-05-03, 06:50
Hello,

Received a duplicate IP address warning along with some browser issues. Also some consistent registry issues detected with Spybot scan & programs running in the background when shutting down.

Spybot log attached

FRST.txt logs - too large to upload

aswMBR Log - Yes for "Virtualization Technology" crashes the PC

Regards
m

Juliet
2019-05-03, 12:08
Don't worry about posting an aswMBR log.

Since you have already run a Farbar Recovery Scan Tool (FRST) Scan, just copy and paste FRST.txt & Addition.txt in your next reply.

martinatm
2019-05-08, 19:14
Logs added, sorry for the delay

martinatm
2019-05-08, 20:01
Was able to run aswMBR but not sure the scan was complete - crashed my PC during scan, log attached

Juliet
2019-05-09, 02:00
Let's try this

Start Farbar Recovery Scan Tool with Administrator privileges
(Right click on the FRST icon and select Run as administrator)

Highlight the entire text below, beginning with Start:: and finishing with End::, and select Copy.

Start::
CloseProcesses:
CreateRestorePoint:
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-264360123-2859139072-1872116722-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-264360123-2859139072-1872116722-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/
SearchScopes: HKU\S-1-5-21-264360123-2859139072-1872116722-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-11-27] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-11-27] (Oracle Corporation)
U3 idsvc; no ImagePath
S3 SBFWIMCL; \SystemRoot\system32\DRIVERS\sbfwim.sys [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
U3 wpcsvc; no ImagePath
C:\Users\Martinat\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpnmycbw.dll
C:\Users\Martinat\AppData\Local\Temp\jre-8u60-windows-au.exe
C:\Users\Martinat\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\Martinat\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\Martinat\AppData\Local\Temp\tmp166C.exe
C:\Users\Martinat\AppData\Local\Temp\tmp283C.exe
C:\Users\Martinat\AppData\Local\Temp\tmp3CB8.exe
C:\Users\Martinat\AppData\Local\Temp\tmp5865.exe
C:\Users\Martinat\AppData\Local\Temp\tmpB0EA.exe
C:\Users\Martinat\AppData\Local\Temp\tmpC341.exe
CustomCLSID: HKU\S-1-5-21-264360123-2859139072-1872116722-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinat\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-264360123-2859139072-1872116722-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinat\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-264360123-2859139072-1872116722-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinat\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-264360123-2859139072-1872116722-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinat\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-264360123-2859139072-1872116722-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinat\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-264360123-2859139072-1872116722-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinat\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-264360123-2859139072-1872116722-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinat\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
CustomCLSID: HKU\S-1-5-21-264360123-2859139072-1872116722-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Martinat\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll => No File
Task: {220701C2-CA15-443E-854E-786AB323A05E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {3E647D8C-9B6D-4AFA-B243-AD7C23AAB7F8} - System32\Tasks\GPUpdateCheck => C:\Program Files (x86)\GetPrivate\gpup.exe <==== ATTENTION
Task: {3FBF4831-5399-4D5D-835A-F60688808619} - \ConfigFree Startup Programs -> No File <==== ATTENTION
Task: {5405F162-916C-42C7-BD83-E72FAFD129FD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {5C9BF4FB-1254-44F6-8651-14E7BDCD3EF6} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {75565697-7719-41DC-991D-668D4A5DA0FB} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {89B137EB-E78C-4A7F-AFFE-93B96CFFAB42} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {8FBB6CFC-9AE0-4317-AAC3-F1C01313089E} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {B958B373-B742-46A5-B577-0EE76540D6E3} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {BEE555F5-CC84-4EFA-8D52-A87C7C449C45} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {E5B0101D-519B-44FA-9BC9-358C509108AF} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {E8FEC769-1ED4-4F43-9F6A-0435EE3574E7} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {FCE6FC99-ACC9-4C61-B884-3BF4121D04B0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
C:\Windows\Temp\*.*
End::



Start FRST (FRST64) with Administrator privileges
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file Fixlog.txt will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner - Fix Mode

Download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) and move it to your Desktop
Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Accept the EULA (I accept), then click on Scan
Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean & Repair button. This will kill all the active processes
Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RogueKiller

Download the right version of RogueKiller (http://www.adlice.com/download/roguekiller/#download) for your Windows version (32 or 64-bit)
Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
Wait for the scan to complete
On completion, the results will be displayed
Check every single entry (threat found), and click on the Remove Selected button
On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
This will open the report in Notepad. Copy/paste its content in your next reply
created by Aura

Please post these 3 logs when finished.
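
As an added example that is not part of the original thread (it is not Juliet's, FRST's or Spybot's code), the script below is a read-only PowerShell audit of the same artifact classes the fixlist above removes: Explorer and Internet Explorer policy restrictions, scheduled-task registrations whose task file is gone, tasks whose executable is missing, services or drivers whose ImagePath binary no longer exists, and shell icon overlay handlers whose DLL is gone. It can be run after Fixlog.txt comes back to confirm nothing was left behind, or on another machine before writing a fixlist. Registry locations are the standard Windows ones; the ImagePath parsing in step 5 is a heuristic of my own, not the Windows service loader's logic. It reports only and changes nothing.

```powershell
# Added example, not part of the original thread: read-only audit of the artifact
# classes the FRST fixlist above targets. Nothing is modified or deleted.
# Run from an elevated PowerShell prompt (the TaskCache key is not readable otherwise).

$report = [System.Collections.Generic.List[string]]::new()

# 1. Explorer policy restrictions (NoControlPanel, NoFolderOptions, ...). PUPs set these
#    to lock the user out of Control Panel and Folder Options; the fixlist zeroes them.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer') {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -like 'No*' -and $_.Value -ne 0 } |
        ForEach-Object { $report.Add("[Explorer policy] $key : $($_.Name) = $($_.Value)") }
}

# 2. Internet Explorer policy keys; FRST flags any content here as "Restriction".
foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
                 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer') {
    if (Test-Path $key) {
        $subkeys = (Get-ChildItem -Path $key -Recurse | ForEach-Object { $_.PSChildName }) -join ', '
        $report.Add("[IE policy] $key present; subkeys: $subkeys")
    }
}

# 3. Task registrations whose task file under System32\Tasks is gone. This is what FRST
#    prints as "Task: {GUID} - \path -> No File" (the GWX leftovers in the fixlist).
$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
foreach ($entry in Get-ChildItem -Path $taskCache -ErrorAction SilentlyContinue) {
    $taskPath = (Get-ItemProperty -Path $entry.PSPath).Path
    if (-not $taskPath) { continue }
    $file = Join-Path "$env:SystemRoot\System32\Tasks" $taskPath.TrimStart('\')
    if (-not (Test-Path -LiteralPath $file)) {
        $report.Add("[Task -> No File] $($entry.PSChildName) $taskPath")
    }
}

# 4. Registered tasks whose action executable is missing (a task like GPUpdateCheck that
#    launches a PUP binary from Program Files (x86) shows up here once that folder is gone).
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions carry no Execute value
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        $ok = if ($exe -match '\\') { Test-Path -LiteralPath $exe }
              else { [bool](Get-Command $exe -ErrorAction SilentlyContinue) }
        if (-not $ok) { $report.Add("[Task -> missing exe] $($task.TaskPath)$($task.TaskName) : $exe") }
    }
}

# 5. Services/drivers whose ImagePath binary is missing (FRST's "[X]" lines).
#    Heuristic (assumption): take the path up to the first .exe/.sys/.dll, then resolve
#    the \??\ and \SystemRoot prefixes and bare system32-relative paths.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem -Path $svcRoot) {
    $imagePath = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) { continue }   # keys without ImagePath exist for legitimate reasons
    $path = if ($imagePath -match '^"?(?<p>.+?\.(exe|sys|dll))') { $Matches.p } else { $imagePath.Trim('"') }
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) {
        $report.Add("[Service -> missing binary] $($svc.PSChildName) : $imagePath")
    }
}

# 6. Shell icon overlay handlers whose InprocServer32 DLL is gone (the OneDrive2/3 and
#    Dropbox entries). HKEY_CLASSES_ROOT merges HKLM and the current user's Classes hive.
$overlaySets = @(
    @{ Overlays = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
       Clsid    = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
    @{ Overlays = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
       Clsid    = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID' }
)
foreach ($set in $overlaySets) {
    foreach ($h in Get-ChildItem -Path $set.Overlays -ErrorAction SilentlyContinue) {
        $clsid = (Get-ItemProperty -Path $h.PSPath).'(default)'
        $dll = (Get-ItemProperty -Path "$($set.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
            $report.Add("[Overlay -> No File] '$($h.PSChildName)' $clsid -> $dll")
        }
    }
}

$report | Sort-Object -Unique
```

A hit is not proof of infection: orphaned tasks and overlay handlers are routinely left behind by uninstalled software (the GWX and OneDrive entries above are exactly that), so the output is a list to compare against the FRST log, not something to delete blindly.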

martinatm
2019-05-14, 19:42
Here are the latest logs

Juliet
2019-05-15, 00:39
Hope the computer is running better now.

Let's check for remnants

Please download the Malwarebytes Anti-Malware (https://downloads.malwarebytes.org/file/mbam) setup file to your Desktop.

OR from this location Here (https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/)

Open mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme.
Windows Vista, Windows 7 , 8, 8.1 and 10 : Right click and select "Run as Administrator"
After the installation is complete let it update if it asks.
Under SETTINGS.....APPLICATIONS leave everything at default
Under SETTINGS.....PROTECTION make sure AUTOMATIC QUARANTINE is on.
Then go to the Dashboard and click on SCAN NOW
If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
Upon completion of the scan (or after the reboot), click the Reports tab.
Double-click the Scan Log.
At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

You can access the logs by going in the "Reports" tab, clicking on the latest "Scan" entry (the one with detections), then clicking on the "Export" button in the bottom-left corner and select "Copy to clipboard". After that, all you have to do is paste it here
Then click on POST
Exit Malwarebytes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Emsisoft Emergency Kit - Fix Mode
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.

Download the Emsisoft Emergency Kit (https://www.emsisoft.com/en/software/eek/download/) and execute it. From there, click on the Install button to extract the program in the EEK folder;
Once the extraction is complete, the EEK folder will open. Right-click on start emergency kit scanner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
EEK will suggest that you run an online update before using the program. Click on Yes to launch it.
After the update, click on Malware Scan under 2. Scan and accept to let EEK detect PUPs (click on Yes).
Once the scan is complete, make sure that every item in the list is checked, and click on the Quarantine selected button;
If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
After the restart, open EEK again (in the C:\EEK folder);
This time, click on Logs;
From there, go under the Quarantine Log tab, and click on the Export button;
Save the log on your desktop, then open it, and copy/paste its content in your next reply;

Please post these 2 logs when finished.

Also, tell me how the computer is now.

martinatm
2019-05-15, 23:13
PC seems to be running better, my web browser is still a little glitchy but better.


Emsisoft Log

Emsisoft Emergency Kit 2018.6.0.8742 stable [en-us]
OS: Windows 10 (Version 10.0, Build 17134, 64-bit Edition)

Forensics log

Date Component Action Details
5/15/2019 2:17:24 AM Scanner Scan finished Scanned 56614 objects and found nothing.
5/15/2019 1:07:28 AM User MARTINAT-PC\Martinat Scan started Malware Scan
5/15/2019 1:07:22 AM User MARTINAT-PC\Martinat Setting modified "Detect PUPs" has been changed to "Enabled".
5/15/2019 1:05:53 AM User MARTINAT-PC\Martinat Setting modified "Recommended readings & news" has been changed to "Enabled".
5/15/2019 1:05:52 AM User Update Downloaded and installed 45 files (2800 kb) (50 sec.).
5/15/2019 1:05:11 AM User MARTINAT-PC\Martinat Setting modified "Recommended readings & news" has been changed to "Disabled".
5/15/2019 1:05:02 AM Core Notification "Recommended Reading:There is no malware on my PC, so why does Google redirect me to dodgy websites?".
5/15/2019 1:04:56 AM User Update Failed with error "Server returned error" (0 sec.).

Juliet
2019-05-16, 00:46
Which browser do you mainly use. Could be we can reset all browsers back to default and it would help.

As for finding malware, not really.

Sometimes just using the machine for a bit helps with a few glitches.

martinatm
2019-05-16, 19:35
Using Microsoft Edge, cleared the history again & a little better. It seems to double load sometimes: loads them instantly, does a refresh & loads again?


Reset to default might help?

Juliet
2019-05-17, 02:17
Reset to default might help?
Try that and see if it helps.
I'm reading that many people have had this same problem and ended up using a different browser.