Please check my computer for any possible further infection

When you see the error for Malwarebytes Anti-Malware
Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.

~~~
Hm, I guess you don't know enough to tell me which of those processes from CurrPorts look suspicious...

I also tried running KIS 2016 last night to do a full scan, but it appears it's now morning and it's still taking its sweet ass time to load, because I can see the loading mouse cursor, but where's KIS 2016?? Checking Task Manager, I see that AVP.exe *32 has loaded, but where's the GUI?
I had no idea what I was looking at to give any kind of comments on what was displayed in the photo you took of CurrPorts. I cannot give you instructions to remove or stop what it located.

For problems with Kaspersky 2016, they have a help forum, https://forum.kaspersky.com/ and http://support.kaspersky.com/
I've never used this product and would think you're probably not the first user who has run into issues, and there you're more likely to get much better help than what I can suggest.

~~~~
As I was saying about ESET picking up said items and others not picking up jack (since I can't edit my previous post), assuming these aren't false positives, then ESET is the only program (that we've tried so far) to detect these new threats, but for some reason or another ESET fails to complete the scan and show us what it found...... Coincidence that I happen to be scanning for malware/viruses and ESET fails, no? I will contact ESET now to see what the problem is, and also link them to this thread.
The settings I suggest will also show us items located in quarantine folders, so don't be alarmed by this. If you still feel the need to contact ESET support they may be able to help, no idea.
Many people run into the same issue. Why it does this, my first thought is security software, but that's just a thought.

You know, if at any time you feel you need a different or better malware tech, I can refer you to a different help forum or ask a different helper to try and step in; let me know.
~~~~

I have a question
Did you set a new group policy or allow software on the machine to set new policy restrictions on software?
HKLM Group Policy restriction on software: *.JSE <====== ATTENTION
HKLM Group Policy restriction on software: *.JS <====== ATTENTION
HKLM Group Policy restriction on software: *.VBE <====== ATTENTION
HKLM Group Policy restriction on software: *.VBS <====== ATTENTION
HKLM Group Policy restriction on software: *.WSF <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile% <====== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\System32\VSSAdmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata% <====== ATTENTION
HKLM Group Policy restriction on software: *.WSH <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\ProcessExplorer\ <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\Electrike\Desktop\Group Policy.msc <====== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\system32\cmd.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Windows\system32\taskmgr.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Downloads <====== ATTENTION
Your newest FRST log shows these are now different from your originals.

****

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do not use WordPad* or any text editor other than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right-click on it and select Copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).


FRSTfix.JPG



start
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2798084944-1211984927-2140173799-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2798084944-1211984927-2140173799-1000 -> DefaultScope {B0C9ACC6-6B01-470F-B98A-DCC12B58795A} URL =
SearchScopes: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001 -> {B0C9ACC6-6B01-470F-B98A-DCC12B58795A} URL =
BHO: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
BHO-x32: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
C:\ProgramData\DP45977C.lfl
C:\Users\Electrike\AppData\Local\Temp\procexp64.exe
CustomCLSID: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Electrike\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\amd64\FileCoAuthLib64.dll => No File (the data entry has 3 more characters).
CustomCLSID: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Electrike\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\FileCoAuth.exe => No File
CMD: netsh winsock reset catalog
CMD: netsh int ip reset
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
EmptyTemp:
End

Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
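For anyone reading the "HKLM Group Policy restriction on software" lines above and wondering what is actually configured, here is an added audit script. It is not from this thread and not part of FRST; it reads the Software Restriction Policy (SRP) hive those lines come from, lists every path rule with its security level, and warns when the default level is Disallowed but either of the two registry-path rules SRP creates by default (for %SystemRoot% and %ProgramFilesDir%) is missing. The registry layout and the level values (0 = Disallowed, 4096 = Basic User, 262144 = Unrestricted) are SRP's own; the function name and the missing-rule check are mine. Run it from an elevated PowerShell 3.0 or later prompt.

```powershell
# Added example, not from the thread or from FRST: audit the Software
# Restriction Policy (SRP) rules that FRST reports as "HKLM Group Policy
# restriction on software". Registry layout and level values are SRP's own;
# Get-SrpPathRules and the "missing default rule" check are mine.
# Run elevated; PowerShell 3.0 or later.

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }
$noExpand   = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

# The two registry-path rules SRP creates by default so that Windows itself and
# Program Files stay runnable when the default level is Disallowed.
$defaultRules = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
)

function Get-SrpPathRules {
    param([string]$Root = $base)
    foreach ($lvl in 0, 4096, 262144) {
        $paths = Join-Path $Root "$lvl\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($k in Get-ChildItem -Path $paths) {
            # Read ItemData raw so %userprofile% is shown as written, not expanded.
            [pscustomobject]@{
                Level       = $levelNames[$lvl]
                Path        = $k.GetValue('ItemData', '', $noExpand)
                Description = $k.GetValue('Description', '')
                RuleId      = $k.PSChildName
            }
        }
    }
}

if (-not (Test-Path $base)) { Write-Host 'No machine-wide SRP configured.'; return }

$cfg     = Get-ItemProperty -Path $base
$default = if ($null -eq $cfg.DefaultLevel) { 262144 } else { [int]$cfg.DefaultLevel }
"Default level    : {0} ({1})" -f $default, $levelNames[$default]
"Applies to       : {0}" -f $(if ($cfg.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' })
"Executable types : {0}" -f ($cfg.ExecutableTypes -join ', ')

$rules = @(Get-SrpPathRules)
$rules | Sort-Object Level, Path | Format-Table Level, Path, Description -AutoSize

# Removing either default rule while the default level is Disallowed leaves
# Windows' own binaries under the Disallowed default; the thread later
# describes what that did to the laptop.
if ($default -eq 0) {
    foreach ($d in $defaultRules) {
        $present = $rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Path -eq $d }
        if (-not $present) { Write-Warning "Missing default Unrestricted rule: $d" }
    }
}
```

Two things worth knowing when reading the output: among SRP path rules the most specific match wins, so an Unrestricted rule for a single file under %userprofile% overrides a Disallowed rule for %userprofile% itself, which is why allow-listing individual programs works under a Disallowed default; and if the warning fires, recreate the rule in secpol.msc (Software Restriction Policies > Additional Rules > New Path Rule, security level Unrestricted) before the next reboot. Per-user rules live under the same path in HKCU: and can be audited by passing that root to Get-SrpPathRules.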

~~~~
 
Oh ok, according to ShareWatch (another program that was referred to in one of those BleepingComputer thread posts you referred me to), I have no users connected to my laptop, so I guess I don't have anyone remotely accessing this machine, which is good!
 
I forgot to comment on this:
As you can see, AVP.exe, which is KIS 2016, is reporting to a site called www.xxokoriq.cn:53607? So is Firefox here: www.xxokoriq.cn:49156, but I haven't even been on that site before nor heard of it................ Why are either of them trying to report to that site? I didn't tell them to.... Looks like I'm still in this and not out yet....

However, since the address is looped back to the host computer, that would presume Spybot (with its immunization) or SpywareBlaster has saved me for the time being...
The "immunisation" of Spybot addresses is in my hosts file, in the entries placed by Spybot Search and Destroy.
As far as I know the Immunize feature adds some websites to the restricted zone in Internet Explorer. That means that they're blocked, which means that connection to the sites listed will not be possible.

Oh ok, according to ShareWatch (another program that was referred to in one of those BleepingComputer thread posts you referred me to), I have no users connected to my laptop, so I guess I don't have anyone remotely accessing this machine, which is good!
yes
 
When you see the error for Malwarebytes Anti-Malware
Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
Yes, that's the one, it looks like Malwarebytes error.png It doesn't seem to come back on the Admin account, but on the limited account it keeps popping up even after trying a few times. I thought Group Policy might be to blame, but I've pretty much allowed all the suspected paths and the error still shows....
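On the "looped back" rows discussed above, here is an added check script; it is not from the thread and not a Spybot or CurrPorts feature. It parses the hosts file for immunisation entries (names mapped to 127.0.0.1 or 0.0.0.0), parses `netstat -ano` rows whose remote side is loopback, and reports whether a given name is sinkholed. The sample hosts lines and netstat rows inside it are constructed for the example, not copied from the thread's logs; pass -Live to read the real hosts file and run netstat. The one caveat a practitioner should have in mind when reading CurrPorts or TCPView: those tools resolve remote addresses to names, and Windows answers a reverse lookup of 127.0.0.1 from the hosts file as well, so a connection between two local programs on ephemeral ports (49152 and up on Vista and later) can be displayed under whichever immunised name the lookup returns. That is the usual reason an immunised name shows up beside a 127.0.0.1 connection, and it does not by itself prove the program tried to reach that site.

```powershell
# Added example (not from this thread). Explains "looped back" rows in
# CurrPorts/netstat by checking them against hosts-file immunisation entries.
# Assumes the usual pattern: blocked names mapped to 127.0.0.1 or 0.0.0.0 in
# %SystemRoot%\System32\drivers\etc\hosts. PowerShell 3.0+; run with -Live
# to use the real hosts file and netstat instead of the constructed samples.
param([switch]$Live)

function Get-HostsSinkholes {
    param([string[]]$Lines)
    $sinkIps = @('127.0.0.1', '0.0.0.0', '::1')
    foreach ($line in $Lines) {
        $l = ($line -split '#')[0].Trim()          # drop comments
        if (-not $l) { continue }
        $parts = $l -split '\s+'
        if ($parts.Count -lt 2 -or $sinkIps -notcontains $parts[0]) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Name = $name.ToLower(); Sinkhole = $parts[0] }
        }
    }
}

function Get-LoopbackConnections {
    param([string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        # "netstat -ano" TCP row: Proto  Local  Foreign  State  PID
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            $remote = $Matches[2]
            $rip = $remote.Substring(0, $remote.LastIndexOf(':'))
            if ($rip -eq '127.0.0.1' -or $rip -eq '[::1]') {
                [pscustomobject]@{
                    Local = $Matches[1]; Remote = $remote
                    State = $Matches[3]; ProcessId = [int]$Matches[4]
                }
            }
        }
    }
}

# Constructed sample data, not copied from the thread's logs.
$sampleHosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '# Start of entries inserted by Spybot - Search & Destroy',
    '127.0.0.1 www.xxokoriq.cn',
    '127.0.0.1 ads.tracker.example',
    '# End of entries inserted by Spybot - Search & Destroy'
)
$sampleNetstat = @(
    '  TCP    127.0.0.1:49156        127.0.0.1:53607        ESTABLISHED     2456',
    '  TCP    192.168.1.10:49200     93.184.216.34:443      ESTABLISHED     1320',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       788'
)

if ($Live) {
    $hostsLines   = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
    $netstatLines = netstat -ano
} else {
    $hostsLines   = $sampleHosts
    $netstatLines = $sampleNetstat
}

$sink = @(Get-HostsSinkholes -Lines $hostsLines)
"Hosts-file sinkhole entries: {0}" -f $sink.Count

foreach ($c in (Get-LoopbackConnections -NetstatLines $netstatLines)) {
    $proc = if ($Live) {
        try { (Get-Process -Id $c.ProcessId -ErrorAction Stop).ProcessName } catch { '?' }
    } else { 'n/a (sample)' }
    "loopback  {0,-22} {1,-12} pid {2} {3}" -f $c.Remote, $c.State, $c.ProcessId, $proc
}

# Is the name CurrPorts displayed actually sinkholed? A reverse lookup of
# 127.0.0.1 also consults the hosts file, so any immunised name mapped to
# 127.0.0.1 can be shown for a purely local connection.
$name  = 'www.xxokoriq.cn'
$entry = $sink | Where-Object { $_.Name -eq $name } | Select-Object -First 1
if ($entry) { "$name -> $($entry.Sinkhole) via hosts file: blocked, and may label loopback rows" }
else        { "$name not sinkholed in hosts file; look elsewhere (DNS, proxy) for that name" }
if ($Live) { "Reverse lookup of 127.0.0.1 gives: " + [System.Net.Dns]::GetHostEntry('127.0.0.1').HostName }
```

With the constructed data the script reports three sinkhole entries, one loopback connection, and that www.xxokoriq.cn is sinkholed. Run with -Live on the affected machine, the last line shows which hosts-file name Windows hands back for 127.0.0.1; if it is one of the immunised names, that is where the label in CurrPorts came from.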

~~~

I had no idea what I was looking at to give any kind of comments on what was displayed in the photo you took of CurrPorts. I cannot give you instructions to remove or stop what it located.
So am I to presume you have no experience or knowledge about CurrPorts or TCPView then...?

For problems with Kaspersky 2016, they have a help forum, https://forum.kaspersky.com/ and http://support.kaspersky.com/
I've never used this product and would think you're probably not the first user who has run into issues, and there you're more likely to get much better help than what I can suggest.
Well, if you have no idea how to analyze CurrPorts or TCPView, then I might just have to jump onto a different forum then... Do you at least know the term "DNS poisoning" (or "DNS spoofing" is what Google comes back with when I google that term) and how to combat it?

~~~~

The settings I suggest will also show us items located in quarantine folders, so don't be alarmed by this. If you still feel the need to contact ESET support they may be able to help, no idea.
Many people run into the same issue. Why it does this, my first thought is security software, but that's just a thought.
Yeah, ESET got back to me and they weren't any help: "Sorry, we don't offer free support for the free products we have such as the Online Scanner; however, we are interested in any bugs or feedback you have on it" is what I've paraphrased.

Anyways, I think I might know the cause of the freeze/black highlights and GUI turning invisible: it's because of GDI Objects, and according to Google you are limited to 10k for any specific program and the max *theoretical* limit is 65k. I came upon this when I wanted to see if this was just my laptop (caused by a still-lingering virus or whatever) or if this is a bug in the program, and lo and behold, I booted up my Windows XP build, launched the scanner and in no time I would see the same results: GUI looking unresponsive, text getting black highlighted, etc. Here's a photo: WP_20160821_001.jpg

Ok, I thought, so I tried to take a screenshot and it wouldn't let me; apparently I'm out of MEMORY! I thought, what?! That's impossible, this one tiny scanner could not have eaten up all 128GB of memory!! So I pulled out Process Explorer and yep, that confirmed my expression: WP_20160821_002.jpg -> As you can see it has only used up 8GB of memory, so it was 120GB off the mark for such a window to appear.... Ok, so I googled up the problem of the out of memory error and came across this:
https://stackoverflow.com/questions/17726092/outofmemoryexception-for-a-vb-net-application and in one of the replies was a mention of GDI Objects, and I thought, hmm, this might not be the same program I'm running but it wouldn't hurt to see if this could be the case, so I glanced over to Process Explorer and: WP_20160821_003.jpg WP_20160821_004.jpg (Aw, really, only five attachments per post??) Fine, I'll continue this in my next post then so it's not out of place.
 
And here's the last photo: WP_20160821_005.jpg

As you can see, the GDI Objects of that scanner were reaching 10k!! And guess what, it's not supposed to, and according to this:
http://www.robertwloch.net/2011/08/10000-gdi-objects-ought-to-be-enough-for-anybody/ it *should* be enough, but not for some programs....

Now I could raise the GDI limit, but I'm not gonna bother.... And yeah, that's the problem I found. Also, going back to ESET support, apparently they don't know or trust Spybot; I even gave them a link to this thread and they were like "Oh no, I'm not gonna follow that for security reasons". Oh please, what could possibly happen following a legitimate thread link? It's like saying I don't want to deposit my money at this bank (even though you're right in front of the branch and the branch is of course legit) for security reasons.

You know, if at any time you feel you need a different or better malware tech, I can refer you to a different help forum or ask a different helper to try and step in, let me know.
Well, if you think another helper stepping in to help along with you would save me the time of posting on more than one forum, that could help! For example, if you know anyone here who knows how to analyse CurrPorts/TCPView (or maybe about those Group Policy settings, which I've already started there as referred by you, but by the looks of things no one seems to be interested in helping me out or they are too busy to: https://forums.whatthetech.com/index.php?showtopic=130824 - I've had 51 views so I know at least people are reading; perhaps no one over there has any experience with GPS...?), then I don't need to ask on a different forum and can just continue on with this thread.
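Since the GDI-object diagnosis in the post above (and the question about it that comes up again later in the thread) is the kind of thing that is easier to check than to screenshot, here is an added script for it. It is not from the thread or from ESET: it calls the real user32 function GetGuiResources for every process you have access to and compares the counts with the per-process quota Windows keeps under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (GDIProcessHandleQuota and USERProcessHandleQuota, 10,000 by default). A program that exhausts that quota fails GDI calls and typically reports "out of memory" even though RAM is barely used, which is what the Process Explorer screenshots above show. The function name Get-GuiHandleUsage and the 80% warning threshold are my choices.

```powershell
# Added example, not from the thread: per-process GDI/USER handle counts next to
# the quota Windows enforces. GetGuiResources and the two registry value names are
# real Win32/Windows items; Get-GuiHandleUsage and the 80% threshold are mine.
# PowerShell 3.0 or later; run as the same user as the process you are checking.

Add-Type -Namespace Win32 -Name Gui -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetGuiResources(IntPtr hProcess, uint uiFlags);
'@

$GR_GDIOBJECTS  = 0   # uiFlags values from WinUser.h
$GR_USEROBJECTS = 1

# Per-process quotas; absent values mean the Windows default of 10,000.
$quotaKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$q         = Get-ItemProperty -Path $quotaKey
$gdiQuota  = if ($q.GDIProcessHandleQuota)  { [int]$q.GDIProcessHandleQuota }  else { 10000 }
$userQuota = if ($q.USERProcessHandleQuota) { [int]$q.USERProcessHandleQuota } else { 10000 }

function Get-GuiHandleUsage {
    param([int]$Top = 10, [double]$WarnAt = 0.8)
    $rows = foreach ($p in Get-Process) {
        try { $h = $p.Handle } catch { continue }   # no access: protected or other-user process
        if ($h -eq [IntPtr]::Zero) { continue }
        $gdi  = [Win32.Gui]::GetGuiResources($h, $GR_GDIOBJECTS)
        $user = [Win32.Gui]::GetGuiResources($h, $GR_USEROBJECTS)
        [pscustomobject]@{
            Name      = $p.ProcessName
            Id        = $p.Id
            GDI       = $gdi
            USER      = $user
            GdiPct    = [math]::Round(100 * $gdi / $gdiQuota, 1)
            NearLimit = ($gdi -ge $WarnAt * $gdiQuota) -or ($user -ge $WarnAt * $userQuota)
        }
    }
    $rows | Sort-Object GDI -Descending | Select-Object -First $Top
}

"Per-process quota: GDI {0}, USER {1}" -f $gdiQuota, $userQuota
Get-GuiHandleUsage | Format-Table -AutoSize
```

Run it while the scanner is misbehaving; a row with NearLimit set to True and GDI climbing toward the quota is a resource leak in that program, not an infection, and the same check on a clean machine (as done with the XP build above) is the quickest way to tell the two apart.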

~~~~

I have a question
Did you set a new group policy or allow software on the machine to set new policy restrictions on software?
If this is the screenshot you're referring to, then yes, I setted (not a word?) the Group Policy myself: My Group Policy settings1.png This was the previous config: My Group Policy settings.png I've given up on trying to find cmd to run, so I've removed that path because I rarely even touch cmd for my everyday laptop use. As for Process Explorer, I'm still seeking out a way to load that properly (waiting for a reply on that What the Tech forum, but no luck)...... as I prefer that over the default Windows Task Manager...


Your newest FRST log shows these are now different from your originals.

****

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do not use WordPad* or any text editor other than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right-click on it and select Copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).


FRSTfix.JPG





Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

~~~~
Yes, would you still like me to do this? I'm presuming this is because of the Group Policy setting I've placed...?

I forgot to comment on this:

The "immunisation" of Spybot addresses is in my hosts file, in the entries placed by Spybot Search and Destroy.
As far as I know the Immunize feature adds some websites to the restricted zone in Internet Explorer. That means that they're blocked, which means that connection to the sites listed will not be possible.
Ah yes, but the question is *why* are they connecting to these blocked sites? It's good that they're blocked for whatever malicious reason, but why my programs are accessing them is the question.
 
Hmmm, I have a question unrelated to this thread post and thought you might be able to answer this for me: so when you reach the 10k limit for GDI Objects, the UI of whatever program becomes screwed up, yeah? So what causes this: 1.PNG untitled.PNG (the Process Explorer picture is probably a better illustration, as with the ESET scanner we now know obviously that's caused by reaching the GDI objects limit, but I added it there for additional illustration) if the GDI Objects limit is not reached? What causes the black highlights? It happens in Notepad too with pure text and you would see a row of black highlighted text.... As you can see, in this case the GDI Objects limit isn't reached, yet text is black highlighted.

Oh yeah I forgot to add this onto my last post:
I did another re-run of ESET to confirm this is also the case for my laptop and lo and behold: Capture.jpg Capture1.PNG It is!! As you can see with Windows Task Manager....
 
Sorry it took so long to get back, I have a 7-year-old.

So am I to presume you have no experience or knowledge about CurrPorts or TCPView then...?
correct

Well, if you have no idea how to analyze CurrPorts or TCPView, then I might just have to jump onto a different forum then... Do you at least know the term "DNS poisoning" (or "DNS spoofing" is what Google comes back with when I google that term) and how to combat it?
From the tools run and logs posted, including rootkit scanners, there was nothing to try to eradicate from your machine.

Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

~~~~
Yes, would you still like me to do this? I'm presuming this is because of the Group Policy setting I've placed...?
It was also a restriction policy for IE; not needed if you wish not to.

Well if you think another helper that steps in to help along with you that would save me the time of posting on more than one forum, that could help!
I can look and post at other forums; no idea how long or who can help, since we all work multiple help forums.
 
Sorry it took so long to get back, I have a 7-year-old.
All good, as long as you reply back.


Oh.....:sad:


From the tools run and logs posted, including rootkit scanners, there was nothing to try to eradicate from your machine.
Oh ok, then explain to me why some of these processes are attempting to access those blocked addresses...? Ok, just checked CurrPorts and it no longer appears to be accessing the blocked address (perhaps a one-off?), however it is still looping itself to host for some reason.... at various ports from 49000 to 49900....

It was also a restriction policy for IE; not needed if you wish not to.
Oh if it fixes up more things, yeah sure I'll run it.

I can look and post at other forums; no idea how long or who can help, since we all work multiple help forums.
Hmmm, well I suppose, seeing how my laptop is not displaying any strange behaviors (besides processes looping to host for some reason, which I would like explained to me), I suppose I can wait...

I found out where Process Explorer keeps its 64-bit image, here: %userprofile%\AppData\Local\Temp\procexp64.exe - I allowed this and Process Explorer runs now! Yay!
 
My god, what did you do to my laptop (or maybe it was me that stupidly removed the entry for "C:\windows" (or rather it was a registry string but was still pointing to C:\windows) that was set to unblock (i.e. Unrestricted), but I removed it thinking nothing would happen and wanted to clear up some clutter in the Group Policy settings)?! It's completely bricked!!! I followed this, yeah, from the previous posts to fix some stuff up:
start
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2798084944-1211984927-2140173799-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2798084944-1211984927-2140173799-1000 -> DefaultScope {B0C9ACC6-6B01-470F-B98A-DCC12B58795A} URL =
SearchScopes: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001 -> {B0C9ACC6-6B01-470F-B98A-DCC12B58795A} URL =
BHO: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
BHO-x32: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
C:\ProgramData\DP45977C.lfl
C:\Users\Electrike\AppData\Local\Temp\procexp64.exe
CustomCLSID: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Electrike\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\amd64\FileCoAuthLib64.dll => No File (the data entry has 3 more characters).
CustomCLSID: HKU\S-1-5-21-2798084944-1211984927-2140173799-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Electrike\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\FileCoAuth.exe => No File
CMD: netsh winsock reset catalog
CMD: netsh int ip reset
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
EmptyTemp:
End

Pasted that in Notepad, saved the file as fixlist.txt next to FRST64.exe on the desktop, executed FRST64.exe, left everything on default and clicked on Fix. The next second it tells me to reboot, and I reboot into Windows, log in, and my mouse seems to have stopped functioning, though on the taskbar it said it was installing some driver (I couldn't click on it to see what it was installing drivers for, as obviously my mouse was frozen). Then my screens turn black. A few minutes later, it goes into 640x480 @ 8-bit colour, or maybe not even that, probably 4-bit colour space, and then says Windows is shutting down. And I'm like, what?! Then it boots back and then tries to load Windows but fails with BSOD error code 7B, which means something is wrong with the system drive....

What exactly did you do to it? I tried to use the recovery console to bring it back to life. First I tried its automatic startup repair thingy but it apparently failed.... I took a couple of photos of it before sending the error report to Microsoft. Here, check it out: WP_20160825_003.jpg WP_20160825_002.jpg So according to that, it would appear the cause of the problem is a driver? Well, that could be the same driver that tried to install but failed, maybe? And then the screens turned black and then it was somehow told to auto restart?

Then I went into the command line to fix my Group Policy settings up with this guide, using the last method, as obviously I can't even get into Windows. All worked, reset laptop, and still BSOD with error 7B.... Ok, maybe the Group Policy wasn't reset properly yet and still blocking access, so I tried it again, but this time with quotes (I tried without quotes as well) from here, and this time it says "The system cannot find the file specified." Uh oh, where did it go...? Here's a photo: WP_20160825_004.jpg

So here I'm now probably thinking said driver that tried to install but probably failed half way was the AHCI driver for the SATA controller; it has to be that or something relating to that, because Windows 7 only has the generic AHCI driver, but that doesn't always work with all and any motherboards with custom SATA controllers.... Now how would I go about installing the AHCI driver from a borked Windows....?

Wait a second..... if it were the AHCI drivers then the recovery console wouldn't even find the drive to load...... so I guess their generic driver works here fine... ...or it could be something else completely, as I just tried to boot into Linux Mint and Puppy Linux and both failed to get into GUI mode..... Perhaps they are using those cheap optical drives that only work with Windows discs? I don't know and I can't remember the last time I tried to boot Linux from this laptop. I think I'll go and try the USB boot method and see if it'll boot off there.....
 
Oh, and I can't use System Restore to restore it back to before I applied your FRST64 fix because there was none to be found!! - Which is obvious because I disabled System Restore of course to save space.... heh. :laugh:

Oh... I just managed to revert the change, I think, using "Last Known Good Configuration".... As soon as I booted into Windows, it started with that driver installation crap and then gave me a window saying oh, you have two minutes before auto log off and restart, and I was like oh crap, must google how to cancel auto shutdown (because I don't remember what the command was as I did it a long time ago), and it was "shutdown -a" in Run, and it cancelled the scheduled logoff and I was sighing with relief! Phhhheeeeeeewwwwwww, that was close....

Yes, according to this, it was indeed blocked by a policy (WP_20160825_005.jpg), but now that it's all reset (WP_20160825_006.jpg), it shouldn't give me this reasoning...... Ok, now I'm afraid to restart my machine on account of it going into a fit and BSOD with error 7B, and for all I know this "Last Known Good Configuration" could be a one-use item.... hahahaa

Oh yeah, the rule I was talking about earlier that I deleted was actually both of them lol :laugh:, but the Programs one didn't seem to make the machine go into a fit; the top one, where it says "%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%", I deleted eventually (just a couple of hours ago actually) and it threw a fit! Hahaha, didn't know deleting this rule would brick the machine.....

I guess I don't need to go looking into making a bootable USB Linux drive now that I am able to boot into Windows (oh well, not sure if it'll throw a fit the next time, but by the looks of it, it forcing an auto restart could mean the same thing.....)...?

Some help here would be nice....
 
So yeah, right now I actually do need someone who knows their way around Group Policy settings (and not just for preventing virus/malware) and knows a way to fix what I borked (that spelling is intentional :P) up.....
 
It works! I had to go into Device Manager and update the driver for each one that had a problem thanks to said policy. Restarted and the laptop seems to be functioning like it should.

Sorry for the dramatic scene.... heehee....

Anyways, now I know NOT to delete that rule if I am to continue to use Group Policy settings as a measure of defense......
 
So very glad you were able to locate what was wrong with your computer. Sometimes the person who is on the computer every day is the best at diagnosing the problems. Also, sorry it took so long and that I had no knowledge of the tech details to help expedite your time here.
I suppose, all in all, it was a learning process and you gained in research skills and computer repair.

I would like to comment on something
So Juliet was wrong then to have referred me to a forum that has absolutely no knowledge of GPS? Perhaps he just googled for forums and happened to find this on the first page and thought this place might know a thing or two about it... Actually, does anyone here even know Juliet from that Spybot forum...? Or is this really some random forum the guy picked from a Google search? Heh
First, Juliet is a SHE, and I did not do anything wrong in reaching out and asking other techs to try to help locate the problem on your machine. This is something all malware techs do to help all victims in need. While unsuccessful in reaching my goal of getting you help from someone who might have an idea what was wrong, and who took the time to research anything that could cause this, LDTate gave you the best suggestions found to help.

WE were trained and certified in malware removal. While I think there might be other training facilities or schools that teach or help with the internals of computers, I didn't take that course. Therefore, I reached out seeking help for YOU.

And if you would, and you don't have to of course, please check my profile at WTT, where I help in malware removal at that forum too. (Yes, they know me)
https://forums.whatthetech.com/index.php?showuser=52436

And if need be or if it matters
MS - MVP Consumer Security 2009 - 2016
http://blogs.msmvps.com/insiders/mvp-listing/juliet-ewing/

Now, for the tools we used and the corresponding quarantine folder removal:

DelFix

  • Please download DelFix (or from here) and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
      • Activate UAC
      • Remove disinfection tools
  • Click the Run button.
    -- This will remove the specialized tools we used to disinfect your system.
    Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
************************************

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Unchecky automatically removes checkmarks for bundled software in programme installers, helping you avoid adware and PUPs.
  • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
 
Ooops, I just remembered I forgot to attach the Fixlog.txt; well, here it is: [attachment: Fixlog.txt]

First, Juliet is a SHE

You're a she?! Sorry, I always presume any person I talk to on the internet is a guy until said 'guy' comes out and tells us he is actually a she or something else. Heh. :p:


WE were trained and certified in malware removal. While I think there might be other training facilities or schools that teach or help with the internals of computers, I didn't take that course. Therefore, I reached out seeking help for YOU.
Well I appreciate the help, thanks.

And if you would, and you don't have to of course, please check my profile at WTT, where I help in malware removal at that forum too. (Yes, they know me)
https://forums.whatthetech.com/index.php?showuser=52436

And if need be or if it matters
MS - MVP Consumer Security 2009 - 2016
http://blogs.msmvps.com/insiders/mvp-listing/juliet-ewing/
Hm okay....


Now, for the tools we used and the corresponding quarantine folder removal:

DelFix

  • Please download DelFix (or from here) and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
      • Activate UAC
      • Remove disinfection tools
  • Click the Run button.
    -- This will remove the specialized tools we used to disinfect your system.
    Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
************************************

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Unchecky automatically removes checkmarks for bundled software in programme installers, helping you avoid adware and PUPs.
  • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

Done

Here's a log if you wanna see it:
Code:
# DelFix v1.010 - Logfile created 26/08/2016 at 12:30:47
# Updated 26/04/2015 by Xplode
# Username : Manectric - RAIKOU
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : \FRST
Deleted : \RegBackup
Deleted : \TDSSKiller.3.1.0.11_20.08.2016_10.32.30_log.txt
Deleted : C:\Users\Manectric\Desktop\Rkill.txt

########## - EOF - ##########
 
Oh, DelFix deleted itself. Is that supposed to happen?

I'm guessing you don't know what GDI Objects are either, or have no experience/knowledge of them?

Also:
Hmmm, I have a question unrelated to this thread and thought you might be able to answer it for me. So when you reach the 10k limit for GDI Objects, the UI of whatever program becomes screwed up, yeah? So what causes this: View attachment 12663, View attachment 12664 (The Process Explorer picture is probably a better illustration, as with the ESET scanner we now know obviously that's caused by reaching the GDI Objects limit, but I added it there for additional illustration.) If the GDI Objects limit is not reached, what causes the black highlights? It happens in Notepad too with pure text, and you would see a row of black highlighted text.... As you can see, in this case the GDI Objects limit isn't reached, yet text is black highlighted.

Oh ok, then explain to me why some of these processes are attempting to access those blocked addresses...? Ok just checked CurrPorts and it no longer appears to be accessing the blocked address(perhaps a one off?), however it is still looping itself to host for some reason....at various ports from 49000 to 49900....

So have you asked other techies of this or haven't yet? Otherwise I guess I'll just go post on another forum and ask these questions....along with the other questions before this that you don't seem to have the knowledge to answer.

Wow gee, you must have a lot of time on your hands to kill if you're volunteering your time to help others! Wish I had lots of time to kill so I could do it too (to further improve my knowledge/experience of virus/malware fighting) as well as doing IRL stuff, playing video games and watching stuff.....ahhh if only I could pause time........or at least somehow extend my time whilst I'm awake (and sleeping too I guess, because I sometimes have nice dreams that I don't want to be awakened from....:laugh:)...:sad:
 
So I don't waste more of your time on me that could have been better spent helping more important matters, like other people who need more help than me because they're seriously infected or something, and you helping me on probably trivial matters that I can look into myself is one person down....;)

That was supposed to be amended to the last post, but of course I cannot edit my posts.... -.-
 
So have you asked other techies of this or haven't yet? Otherwise I guess I'll just go post on another forum and ask these questions....along with the other questions before this that you don't seem to have the knowledge to answer.
I have asked like I said I would. One person did reply back and that it would have to wait till after he was back from vacation.

If you wish, below are 2 other help forums dedicated specifically to Windows 7:

http://www.sevenforums.com/
http://www.bleepingcomputer.com/forums/f/167/windows-7/
 
Thank you Juliet for all the assistance you kindly provided.

This thread is now archived.
 