Please check my computer for sny possible further infection

[Juliet]

When you see the error for Malwarebytes Anti-Malware
Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.

~~~

Hm I guess you don't know enough to tell me which of those processes from for/using Currports look suspicious...

I also tried running KIS 2016 last night to do a full scan but it appears it's now morning and is taking its sweet ass time to load because I can see the load mouse cursor, but where's KIS 2016?? Checking Task manager, I see that AVP.exe *32 has loaded, but where's the GUI?

I had no idea what I was looking at to give any kind of comments on what was displayed in the photo you took Currports. I cannot give you instructions to remove or stop what it located.

For problems with Kaspersky 2016, they have a help forum https://forum.kaspersky.com/ and http://support.kaspersky.com/
I've never used this product and would think your probably not the first user who has run into issues and there your more likely to get help much better then what I can suggest.

~~~~

As I was saying about ESET picking up said items and other's not pick jack(since I can't edit my previous post), assuming these aren't false positive, then ESET is the only program(that we've tried so far) to detect these new threats but for some reason or another, ESET fails to complete the scan and show us what it found......coincident that I happen to be scanning for malware/viruses and ESET fails, no? I will contact ESET now to see what the problem is, and also link them to this thread.

The settings I suggest will also show us items located in quarantine folders so don't be alarmed with this. If you still feel the need to contact Eset support they may be able to help, no idea.
Many people run into the same issue. Why it does this, first thought is security software but, just a thought.

You know, if at any time you feel you need a different or better malware tech, I can refer you to a different help forum or ask a different helper to try and step in, let me know.
~~~~

I have a question
Did you set a new group policy or allow software on the machine to set new Policy restriction on software:?

HKLM Group Policy restriction on software: *.JSE <====== ATTENTION
HKLM Group Policy restriction on software: *.JS <====== ATTENTION
HKLM Group Policy restriction on software: *.VBE <====== ATTENTION
HKLM Group Policy restriction on software: *.VBS <====== ATTENTION
HKLM Group Policy restriction on software: *.WSF <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile% <====== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\VSSAdmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata% <====== ATTENTION
HKLM Group Policy restriction on software: *.WSH <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\ProcessExplorer\ <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\Electrike\Desktop\Group Policy.msc <====== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\system32\cmd.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\system32\taskmgr.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Downloads <====== ATTENTION

Your newest FRST log shows these are now different from your originals.

****

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

start
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2798084944-1211984927-2140173799-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2798084944-1211984927-2140173799-1000 -> DefaultScope {B0C9ACC6-6B01-470F-B98A-DCC12B58795A} URL =
SearchScopes: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001 -> {B0C9ACC6-6B01-470F-B98A-DCC12B58795A} URL =
BHO: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
BHO-x32: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
C:\ProgramData\DP45977C.lfl
C:\Users\Electrike\AppData\Local\Temp\procexp64.exe
CustomCLSID: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Electrike\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\amd64\FileCoAuthLib64.dll => No File (the data entry has 3 more characters).
CustomCLSID: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Electrike\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\FileCoAuth.exe => No File
CMD: netsh winsock reset catalog
CMD: netsh int ip reset
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
EmptyTemp:
End

Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~

[Nnewb]

Oh ok, according to Sharewatch(Another program that was referred to by from one of those Bleeping computers thread post you referred me to), I have no users connected to my laptop so i guess I don't have anyone remotely accessing this machine, which is good!

[Juliet]

I forgot to comment on this:

As you can see, AVP.exe, which is KIS 2016, is reporting to a site called www.xxokoriq.cn:53607? So is Firefox here: www.xxokoriq.cn:49156 but I haven't even been on that site before nor heard of it................why are either of them trying to report to that site? I didn't tell them to....looks like I'm still in this and not out yet....

However since the address is looped back to the host computer, that would presume Spybot(with its immunization) or Spyware Blaster has saved me for the time being...

"immunisation" of Spybot addresses is in my host file in the entries placed by spybot search and destroy
As far as I know the Immunize feature adds some websites to the restricted zone in Internet Explorer. That means that they're blocked.
means that connection to the sites listed will not be possible.

Oh ok, according to Sharewatch(Another program that was referred to by from one of those Bleeping computers thread post you referred me to), I have no users connected to my laptop so i guess I don't have anyone remotely accessing this machine, which is good!

yes

[Nnewb]

When you see the error for Malwarebytes Anti-Malware
Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.

Yes, that's the one, it looks like Malwarebytes error.png It doesn't seem to come back on Admin account, but on the limited account it keeps popping even after trying a few times, I thought Group Policy might be to blame but I've prerrty much allowed all the suspected paths and error still shows....

~~~

I had no idea what I was looking at to give any kind of comments on what was displayed in the photo you took Currports. I cannot give you instructions to remove or stop what it located.

So I am to presume you have no experience or knowledge about Currports or TCPView then...?

For problems with Kaspersky 2016, they have a help forum https://forum.kaspersky.com/ and http://support.kaspersky.com/
I've never used this product and would think your probably not the first user who has run into issues and there your more likely to get help much better then what I can suggest.

Well if you have no idea how to analyze Currports or TCPView, then I might just have to jump onto a different forum then... Do you at least know the term "DNS poisoning"(or DNS spoofing is what google comes back when I google that term) and how to combat it?

~~~~

The settings I suggest will also show us items located in quarantine folders so don't be alarmed with this. If you still feel the need to contact Eset support they may be able to help, no idea.
Many people run into the same issue. Why it does this, first thought is security software but, just a thought.

Yeah, ESET got back to me and they weren't any help "Sorry we don't offer free support for the free products we have such as the Online scanner, however we are interested in any bugs or feedbacks you have on it" is what I've paraphased.

Anyways, I think I might know what the cause of the freeze/black highlights and GUI turning invisible, it's because of GDI Objects and according to google, you are limited to 10k to any specific program and the max *theoretical* limit is 65k. I came upon this when I wanted to see if this was just my laptop(caused by a still linger virus or whatever) or if this is a bug in the program and lo and behold I booted up my Windows XP build launched the scanner and in no time I would see the same results, GUID looking un-responsive, text getting black highlighted, etc. Here's a photo: WP_20160821_001.jpg

Ok I thought, so tried to take a screenshot and it wouldn't let me, apparently I'm out of MEMORY! I thought, what?! That's impossible, this one tiny scanner could have not eaten up all 128GB of memory!! So I pulled out Process Explorer and yep, that confirmed my expression: WP_20160821_002.jpg -> As you can see it has only used up 8GB of memory so it was 120GB off the mark for such a window to appear.... Ok so I googled up the problem of the out of memory error and came across this:
https://stackoverflow.com/questions/...et-application and in one of the replies was a mention of GDI Objects and thought, hmm, this might not be the same program I'm running but it wouldn't hurt to see if this could be the case, so I gleamed over to Process Explorer and: WP_20160821_003.jpgWP_20160821_004.jpg (Aw really only five attachments per post??) Fine, I 'll continue this on my next post then so it's not out of place.

[Nnewb]

And here's the last photo:WP_20160821_005.jpg

As you can see, the GDI Objects of that scanner was reaching 10k!! And Guess what, it's not supposed to, and according to this:
http://www.robertwloch.net/2011/08/1...h-for-anybody/ it *should* be enough but not for some programs....

Now I could raise the GDI limit, but I'm not gonna bother....and yeah, that's the problem I found. Also, going back to ESET support, apparently they don't know or trust Spybot, I even gave them a link to this thread and they were like "Oh no I'm not gonna follow that for security reasons" Oh please, what could possibly happen following a legitimate thread link? It's like saying I don't want to deposit my money at this bank(even though you're like right in front of the branch and the branch is of course legit) for security reasons.

You know, if at any time you feel you need a different or better malware tech, I can refer you to a different help forum or ask a different helper to try and step in, let me know.

Well if you think another helper that steps in to help along with you that would save me the time of posting on more than one forum, that could help! For example, if you know anyone here who knows how to analyse Currports/TCPView(or maybe about those Group Policy settings which I've already started there as referred by you but by the looks of things, no seems to be interested in helping me out or are too busy to: https://forums.whatthetech.com/index...owtopic=130824 - I've had 51 views so I know at least people are reading, perhaps no one over there has any experience with GPS...?), then I don't need to ask on a different forum and just continue on with this thread.

~~~~

I have a question
Did you set a new group policy or allow software on the machine to set new Policy restriction on software:?

If this is the screenshot you're referring to, then yes I setted(not a word?) the Group Policy myself: My Group Policy settings1.png This was the previous configMy Group Policy settings.png I've given up on trying to find cmd to run so I've remove that path because I rarely even touch cmd for my everyday laptop use. As for Process Explorer, I'm still seeking out a way to load that properly(waiting for a reply on that What the tech forum, but not luck)......as I prefer that over the default Windows Task Manager...

Your newest FRST log shows these are now different from your originals.

****

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)







Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~

Yes, would you still like me to do this? I'm presuming this is because of the Group Policy setting I've placed...?

I forgot to comment on this:

"immunisation" of Spybot addresses is in my host file in the entries placed by spybot search and destroy
As far as I know the Immunize feature adds some websites to the restricted zone in Internet Explorer. That means that they're blocked.
means that connection to the sites listed will not be possible.

Ah yes, but the question is *why* are they connecting to these blocked sites? It's good that they're blocked for whatever malicious reason, but why are my programs accessing it is the question?

[Nnewb]

Hmmm, I have a question unrelated to this thread post and thought you might be able to answer this for me, so when you reach the 10k limit for GDI Objects, the UI of whatever progam becomes screwed up yeah? So what causes this: 1.PNGuntitled.PNG(The Process Explorer picture is probably a better illustration as with ESET scanner, we now know obviously that's caused by reaching the GDI objects limit but I added it there for additional illustrations) If GDI Objects limit is not reach? What cause the black highlights? It happens on notepad too with pure text and you would see a row of black highlighted text.... As you can see, in this case the GDI Objects' limit aren't reached yet text is black highlighted.

Oh yeah I forgot to add this onto my last post:
I did another re-run of ESET to confirm this is also the case for my laptop and low and behold: Capture.jpgCapture1.PNG It is!! As you can see with Windows Task Manager....

[Juliet]

sorry it took so long to get back, I have a 7 year old.

So I am to presume you have no experience or knowledge about Currports or TCPView then...?

correct

Well if you have no idea how to analyze Currports or TCPView, then I might just have to jump onto a different forum then... Do you at least know the term "DNS poisoning"(or DNS spoofing is what google comes back when I google that term) and how to combat it?

from tools run and logs posted, including rootkit scanners, there was nothing to try to eradicate from your machine.

Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~
Yes, would you still like me to do this? I'm presuming this is because of the Group Policy setting I've placed...?

it was also a restriction policy for IE, not needed if you wish not to.

Well if you think another helper that steps in to help along with you that would save me the time of posting on more than one forum, that could help!

I can look and post at other forums, no idea how long or who can help since we all work multiple help forums.

[Nnewb]

sorry it took so long to get back, I have a 7 year old.

All good, as long as you reply back.

correct

Oh.....

from tools run and logs posted, including rootkit scanners, there was nothing to try to eradicate from your machine.

Oh ok, then explain to me why some of these processes are attempting to access those blocked addresses...? Ok just checked CurrPorts and it no longer appears to be accessing the blocked address(perhaps a one off?), however it is still looping itself to host for some reason....at various ports from 49000 to 49900....

it was also a restriction policy for IE, not needed if you wish not to.

Oh if it fixes up more things, yeah sure I'll run it.

I can look and post at other forums, no idea how long or who can help since we all work multiple help forums.

Hmmm, well I suppose seeing how my laptop is not displaying any strange behaviors(besides processes looping to host for some reason that I would like explained to me), I suppose I can wait...

I found out where Process Explorer keeps its 64-bit image, here: %userprofile%\AppData\Local\Temp\procexp64.exe - I allowed this and Process Explorer runs now! Yay!

[Nnewb]

My god, what did you do to my laptop(or maybe it was me that stupidly removed the entry of "C:\windows"(or rather it was registry string but was still pointing to C:\windows) that was set to unblock(ie Unrestricted), but I removed it thinking nothing will happen and wanted to clear up some clutter on Group Policy setting)?! It's completely bricked!!! I followed this yeah from the previous posts to fix some stuff up:

start
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2798084944-1211984927-2140173799-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2798084944-1211984927-2140173799-1000 -> DefaultScope {B0C9ACC6-6B01-470F-B98A-DCC12B58795A} URL =
SearchScopes: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001 -> {B0C9ACC6-6B01-470F-B98A-DCC12B58795A} URL =
BHO: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
BHO-x32: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
C:\ProgramData\DP45977C.lfl
C:\Users\Electrike\AppData\Local\Temp\procexp64.exe
CustomCLSID: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Electrike\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\amd64\FileCoAuthLib64.dll => No File (the data entry has 3 more characters).
CustomCLSID: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Electrike\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\FileCoAuth.exe => No File
CMD: netsh winsock reset catalog
CMD: netsh int ip reset
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
EmptyTemp:
End

Pasted that in notepad, saved the file as fixlist.txt next to FRST64.exe on the desktop, executed FRST64.exe, left everything on default and clicked on fix. Next second tells me to reboot and I reboot into windows, login, my mouse seems to have stopped functioning, though on the taskbar it said it was installing some driver(I couldn't click on it to see what it was installing drivers for, as obviously my mouse was frozen) Then my screens turn black. A few minutes later, it goes into 640x480 @ 8 bit colour, or maybe not even that, probably 4-bit colour space and then says Windows is shutting down. And I'm like what?! Then it boots back and then tries to load windows but fails with BSOD error code 7B which means something is wrong with the system drive....

What exactly did you do to it? I tried to use recovery console to bring it back to life. First I tried its automatic startup repair thingy but it apparently failed....I took a couple of photos of it before sending the error report to Microsoft. Here, check it out: WP_20160825_003.jpgWP_20160825_002.jpg So according to that, it would appear the cause of the problem is a driver? Well that could be the same driver that tried to install but failed maybe? And then the screens turned Black and then it was somehow told to auto rest?

Then I went into commandline to fix my Group Policy settings up with this guide and using the last method as obviously I can't even get into windows. All worked, reset laptop and still BSOD with error 7B.... Ok, maybe the Group Policy wasn't rest properly yet and still blocking access, so I tried it again, but this time with quotes(I tried without quotes as well) from here and this time it says "The system cannot find this file specified." Aw oh, where did it go...? Here's a photo: WP_20160825_004.jpg

So here I'm now probably thinking said driver that tried to install but probably failed half way was the ACHI driver for the SATA controller, it has to be that or something relating to that because windows 7 only has the generic ACHI driver but that doesn't always work with all and any motherboards with custom SATA controllers....now how would I go about installing the ACHI driver from a borked windows....?

Wait a second.....if it were the ACHI drivers then the recovery console wouldn't even find the drive to load......so I guess their generic driver works here fine... ...or it could be completely something else as I just tried to boot into Linux Mint and Puppy Linux and both failed to get into GUI mode..... Perhaps they are using those cheap optical drives that only work with windows discs? I don't know and I can't remember the last time I tried to boot Linux from this laptop. I think I'll go and try the USB boot method and see if it'll boot off there.....

[Nnewb]

Oh and I can't use system restore to restore it back before I applied your FRST64 fix because there was none to be found!! - Which is obvious because I disabled System Restore of course to save space....heh.

Oh ...I just managed to revert the change, I think using "Last known Good configuration"....as soon as I booted into windows, it started with that driver instllation crap and then gave me a window saying oh you have two minutes before auto log off and restart and I was like oh crap. must google how to cancel auto shutdown(because I don't remember what the code was as I did it a long time ago) and it was "shutdown -a" to Run and it cancelled the scheduled logoff and I was sighing with relief! Phhhheeeeeeewwwwwww, that was close....

Yes, according to this, it was indeed blocked by a Policy(WP_20160825_005.jpg), but now that it's all resetted(WP_20160825_006.jpg), it shouldn't give me this reasoning......ok now I'm afraid to restart my machine on the account of it going into a fit and BSOD with error 7B and for all I know, this "Last Known Good configuration" could be a one use item....hahahaa

Oh yeah, that rule I was talking about earlier where I deleted was actually both them lol, but the Programs one didn't seem to make the machine go into a fit, but the top one where it says "%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%" I deleted eventually(just a couple of hours ago actually) and threw a fit! Hahaha Didn't know deleting this rule would brick the machine.....

I guess I don't need to go looking into making a bootable USB Linux drive now that I am able to boot into(oh well not sure if it'll throw a fit the next but by the looks of it and that it forcing a auto restart could mean the same thing.....)...?

Some help here would be nice....