Recent Posts

Pages: [1] 2 3 ... 10
1
After some hiccups, I now have the Knoppix OS burned correctly to disk.

When I try installing it, the process has barely begun before the machine spontaneously restarts.

So, a hardware problem?
2
California's state legislature last month unanimously passed the nation's toughest bill yet to protect the personal data of kindergarten through 12th grade (K-12) students.

California Governor Brown hasn't taken a public stance on this and a related bill that addresses contracts with tech vendors. But if he doesn't sign, they automatically become law at the end of the month.

The senate bill would stop online services from selling or disclosing data they're now chowing down like kids in a candy store.

There's a lot at stake: think student records that cover attendance, grades, discipline, health, academics, intimate details about family members, parent and student contact information, biometrics, and sometimes even a child's geolocation.

Continued:
https://nakedsecurity.sophos.com/2014/09/17/california-passes-landmark-bill-to-protect-students-personal-data/
3
Here are the JRT results
4
RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Dan [Admin rights]
Mode : Scan -- Date : 09/16/2014  19:10:07

Bad processes : 0

Registry Entries : 19
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6CF627A7-D30E-40A9-A20B-5A867D03E565} | DhcpNameServer : 172.20.10.1  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C553182D-B1D8-4C61-A369-24D891835C5A} | DhcpNameServer : 10.10.5.8  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF627A7-D30E-40A9-A20B-5A867D03E565} | DhcpNameServer : 172.20.10.1  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C553182D-B1D8-4C61-A369-24D891835C5A} | DhcpNameServer : 10.10.5.8  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{6CF627A7-D30E-40A9-A20B-5A867D03E565} | DhcpNameServer : 172.20.10.1  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C553182D-B1D8-4C61-A369-24D891835C5A} | DhcpNameServer : 10.10.5.8  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-546844294-1726968143-3334648640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-546844294-1726968143-3334648640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-546844294-1726968143-3334648640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-546844294-1726968143-3334648640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[ZeroAccess] (X64) HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 |  : C:\Users\Dan\AppData\Local\{6bf3aa50-d931-69e4-65ca-4e4b1bfc1b58}\n.  -> FOUND
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-546844294-1726968143-3334648640-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.trovi.com/?gd=&ctid=CT3320048&octid=EB_ORIGINAL_CTID&ISID=M04A75850-2474-489D-8A52-7A9DF1FCB2E5&SearchSource=55&CUI=&UM=5&UP=SPB9936C4E-8258-4DCB-AD50-009D9F9500F1&SSPV=TBannersA_sp_ie  -> FOUND
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-546844294-1726968143-3334648640-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.trovi.com/?gd=&ctid=CT3320048&octid=EB_ORIGINAL_CTID&ISID=M04A75850-2474-489D-8A52-7A9DF1FCB2E5&SearchSource=55&CUI=&UM=5&UP=SPB9936C4E-8258-4DCB-AD50-009D9F9500F1&SSPV=TBannersA_sp_ie  -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-546844294-1726968143-3334648640-1000\Software\Microsoft\Internet Explorer\Main | Search Page :   -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-546844294-1726968143-3334648640-1000\Software\Microsoft\Internet Explorer\Main | Search Page :   -> FOUND

Scheduled tasks : 1
[Suspicious.Path] \\ActiveMail Updater -- C:\ProgramData\ActivePath\ActiveMail\UpdateClient.exe -> FOUND

Files : 4
[ZeroAccess][Folder] L -- C:\Windows\Installer\{6bf3aa50-d931-69e4-65ca-4e4b1bfc1b58}\L -> FOUND
[ZeroAccess][Folder] U -- C:\Windows\Installer\{6bf3aa50-d931-69e4-65ca-4e4b1bfc1b58}\U -> FOUND
[ZeroAccess][Folder] L -- C:\Users\Dan\AppData\Local\{6bf3aa50-d931-69e4-65ca-4e4b1bfc1b58}\L -> FOUND
[ZeroAccess][Folder] U -- C:\Users\Dan\AppData\Local\{6bf3aa50-d931-69e4-65ca-4e4b1bfc1b58}\U -> FOUND

HOSTS File : 0

Antirootkit : 0 (Driver: NOT LOADED [0xc000036b])

Web browsers : 3
[PUP][FIREFX:Addon] ns7j8qmp.default : Wajam [{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}] -> FOUND
[PUP][FIREFX:Addon] ns7j8qmp.default : LessTabs [lesstabs@lesstabs.com] -> FOUND
[PUM.HomePage][FIREFX:Config] ns7j8qmp.default : user_pref("browser.startup.homepage", "http://www.trovi.com/?gd=&ctid=CT3320048&octid=EB_ORIGINAL_CTID&ISID=M04A75850-2474-489D-8A52-7A9DF1FCB2E5&SearchSource=55&CUI=&UM=5&UP=SPB9936C4E-8258-4DCB-AD50-009D9F9500F1&SSPV=TBannersA_sp_ff"); -> FOUND

MBR Check :
+++++ PhysicalDrive0: WDC WD10 EADS-65M2B0 SCSI Disk Device +++++
--- User ---
[MBR] 26289efda882da43a4788d6b6641de70
[BSP] 95f116dca4ccc6cf156fcb91f8421266 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 942735 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1930928128 | Size: 11032 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: Geek Squad USB Device +++++
--- User ---
[MBR] dc19d769e97d18f1087fed557da9a590
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 48 | Size: 3855 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
5
6
To access the Malwarebytes log:

  • Open Malwarebytes
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Next,

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Try to run the two following steps from Normal mode, or Safe mode with Networking if normal mode fails....

Next,

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link
When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.


Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.


In most cases, a restart will be required.


Wait for the prompt to restart the computer to appear, then click on Yes.


Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

Next,

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report" save to desktop. Close the program > Don't Fix anything!
  • Post back the report which should be located on your desktop.

Kevin..

7
Was able to run Farbar, but only in safe mode with networking. Unable to locate scanlog from Malware scan. Should I run it again in safe mode and attach the log?
Attached are the logs from Farbar.
8
Post Here for Malware Removal ... / Re: [In Progress] Hotmail repeatedly hijacked
« Last post by Hoov on Yesterday at 03:33:27 pm »
The bad problem is, those folders might be malware, or they might be part of windows. There is one more thing we can do to make sure before you contact hotmail to try and reactivate your account.

This needs to be done on a clean computer with a CD burner. If you don't have one, let me know. There are other instructions you can use with a thumbdrive.


Please download the Avira Rescue system on the clean computer. Then go here and there are instructions on how to burn the CD, how to run the scan with it, and how to save the log.

You need these instructions, because this scan is actually done after having booted to the CD which runs a Distro of Linux, so it is a little different from windows.
9
I tried clearing browser history and all cookies, then using private browsing.  Then I tried other browsers: IE and installed Opera, but still the same problem.  Is there some other way they can blacklist me?  IP address or MAC address or some hidden id number in my CPU? (intel i7 740qm)

I have read that people have had their accounts blocked when they tried to log in abroad so that indicates that Outlook/Hotmail monitor IP addresses.  They also have the feature that you can link your account with your 'machine name' for security so that you can only log in from a specific device.   I tried a different USB modem with a different SIM card - still the same problem.  There are a lot of cases on other forums of people having their account hacked and then having problems using the reactivation code.  Perhaps they have the same problem?

Did you see anything in the logs?  What about the strange folders on F: and C:?
10
Post Here for Malware Removal ... / Re: [In Progress] Hotmail repeatedly hijacked
« Last post by Hoov on Yesterday at 01:00:03 pm »
Are you using the webmail part of hotmail? If you are, then it is probably a cookie being set on your computer that lets hotmail recognize you.

Try logging in on your hotmail and see what happens.