Cannot enable malicious website protection in MBAM



Hi all,

 

I cannot enable the Malicious Website Protection in MBAM 2.01.1004 - it keeps auto disabling itself.

 

I have activated MBAM, I have disabled Self Protection, ran a full scan using MBAM and Kaspersky, rebooted, uninstalled, ran the MBAM cleaner, re-installed, disabled SP again etc. etc. and still cannot enable realtime website protection, so here I am.

 

Hopefully someone can help me please.

 

here is my FRST.txt log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-04-2014
Ran by admin (administrator) on ANZ5K1GS1S on 15-04-2014 12:05:47
Running from C:\Documents and Settings\admin\My Documents\Downloads
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link for 32-Bit version: http://www.wireshark.org)
Wondershare MobileTrans ( Version 3.5.1 ) (HKLM\...\{18CDCEAA-A9E4-4A4C-AC0E-C15E87C30EA5}_is1) (Version: 3.5.1 - Wondershare)
WRSSMini (Version: 1.00.0000 - Your Company Name) Hidden
ZTE 3GPhone USB Driver 5.2066.1.6 (HKLM\...\{8472455A-0658-4A6A-98F8-EF3FF6163B59}_is1) (Version: 5.2066.1.6 - ZTE Corporation)
 
==================== Restore Points  =========================
 
27-03-2014 10:36:34 System Checkpoint
31-03-2014 06:46:18 System Checkpoint
01-04-2014 07:08:25 System Checkpoint
02-04-2014 07:56:40 System Checkpoint
03-04-2014 22:42:37 System Checkpoint
07-04-2014 02:29:20 System Checkpoint
08-04-2014 03:10:56 System Checkpoint
10-04-2014 01:36:24 System Checkpoint
14-04-2014 02:04:48 System Checkpoint
15-04-2014 00:12:45 Removed Kaspersky PURE 3.0.
15-04-2014 01:21:09 Removed Java 6 Update 38
15-04-2014 01:21:37 Installed Java 7 Update 51
 
==================== Hosts content: ==========================
 
2008-04-14 22:00 - 2014-03-27 09:24 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2009-11-03 15:35 - 2009-11-03 15:35 - 00200704 _____ () C:\Program Files\Intel\WiFi\bin\IWMSPROV.DLL
2014-02-12 05:29 - 2014-02-12 05:29 - 00093696 _____ () C:\Program Files\FileZilla FTP Client\fzshellext.dll
2011-09-21 08:08 - 2001-10-28 17:42 - 00116224 _____ () C:\WINDOWS\system32\pdfcmnnt.dll
2013-04-21 21:44 - 2013-04-21 21:44 - 00087952 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2013-04-21 21:44 - 2013-04-21 21:44 - 01242952 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2010-03-23 13:26 - 2010-03-23 13:26 - 00201512 _____ () C:\WINDOWS\system32\vpnapi.dll
2014-01-09 14:00 - 2012-12-07 16:26 - 00167424 _____ () C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
2009-04-17 20:01 - 2009-04-17 20:01 - 00247152 _____ () C:\Program Files\CyberLink\Shared files\RichVideo.exe
2008-04-14 22:00 - 2013-01-02 16:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll
2012-11-07 15:56 - 2012-04-17 16:13 - 01738352 _____ () C:\Program Files\QNAP\Finder\iSCSIAgent.exe
2014-01-09 12:05 - 2013-07-24 08:24 - 00137728 _____ () C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
2009-11-03 15:35 - 2009-11-03 15:35 - 00200704 _____ () C:\Program Files\Intel\WiFi\bin\iWMSProv.dll
2014-01-09 12:17 - 2013-04-22 09:46 - 01054320 _____ () C:\Program Files\PdaNet for Android\PdaNetPC.exe
2014-04-14 09:19 - 2014-04-02 11:57 - 00065352 _____ () C:\Program Files\Google\Chrome\Application\34.0.1847.116\chrome_elf.dll
2014-04-14 09:19 - 2014-04-02 11:57 - 04081480 _____ () C:\Program Files\Google\Chrome\Application\34.0.1847.116\pdf.dll
2014-04-14 09:19 - 2014-04-02 11:58 - 00390472 _____ () C:\Program Files\Google\Chrome\Application\34.0.1847.116\ppGoogleNaClPluginChrome.dll
2014-04-14 09:19 - 2014-04-02 11:57 - 01647432 _____ () C:\Program Files\Google\Chrome\Application\34.0.1847.116\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
AlternateDataStreams: C:\Documents and Settings\admin\Desktop\VNC-Viewer-5.0.3-Windows-32bit.exe:SummaryInformation
AlternateDataStreams: C:\Documents and Settings\admin\Desktop\VNC-Viewer-5.0.3-Windows-32bit.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== Disabled items from MSCONFIG ==============
 
 
==================== Faulty Device Manager Devices =============
 
Name: Cisco Systems VPN Adapter
Description: Cisco Systems VPN Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Cisco Systems
Service: CVirtA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/15/2014 11:26:32 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (04/15/2014 11:26:31 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
 
Error: (04/15/2014 10:42:54 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (04/15/2014 10:42:53 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
 
Error: (04/15/2014 10:24:19 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (04/15/2014 10:24:18 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
 
Error: (04/15/2014 09:06:47 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (04/15/2014 01:06:46 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (04/14/2014 05:06:37 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (04/14/2014 09:07:36 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
 
System errors:
=============
Error: (04/15/2014 11:27:23 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
 
Error: (04/15/2014 11:27:23 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
 
Error: (04/15/2014 11:27:22 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
 
Error: (04/15/2014 11:26:32 AM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain TYCOFS due to the following: 
%%1311.
 
Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.
 
Error: (04/15/2014 10:43:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
 
Error: (04/15/2014 10:43:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
 
Error: (04/15/2014 10:43:44 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
 
Error: (04/15/2014 10:42:52 AM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain TYCOFS due to the following: 
%%1311.
 
Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.
 
Error: (04/15/2014 10:25:09 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
 
Error: (04/15/2014 10:25:09 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{A4199E55-EBB9-49E5-AF1A-7A5408B2E206}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.
 
 
Microsoft Office Sessions:
=========================
 
==================== Memory info =========================== 
 
Percentage of memory in use: 34%
Total physical RAM: 3069.89 MB
Available physical RAM: 2015.62 MB
Total Pagefile: 4954.31 MB
Available Pagefile: 3972.24 MB
Total Virtual: 2047.88 MB
Available Virtual: 1955.53 MB
 
==================== Drives ================================
 
Drive c: (ANZ5K1GS1S) (Fixed) (Total:74.53 GB) (Free:29.18 GB) NTFS ==>[Drive with boot components (Windows XP)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: 84E184E1)
Partition 1: (Active) - (Size=75 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 
 
Thank you in advance.
 

 


  • Root Admin

Hello and welcome.

Please read the following and then post back the logs when ready.

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.




Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

  • Removing malware can be unpredictable... It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)


 
STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.
 


Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.

 
STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.
  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe


 
 
STEP 02
Please run a Quick Scan with Malwarebytes
Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.
Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post back the report.
Make sure that everything is checked, and click Remove Selected if anything is found.
 
 
STEP 03
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.


 
Thanks
 


hi

 

thanks for the reply.

 

step 2 report:

 

I'm running the newer MWB, so it was the Hyper scan.

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 17/04/2014
Scan Time: 6:12:01 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.04.17.02
Rootkit Database: v2014.03.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Disabled
Chameleon: Disabled
 
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: admin
 
Scan Type: Hyper Scan
Result: Completed
Objects Scanned: 285073
Time Elapsed: 17 min, 22 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Report 3 results:

 

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : admin [Admin rights]
Mode : Scan -- Date : 04/17/2014 18:22:23
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 4 ¤¤¤
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (proxy.clarkrubber.com.au:8080 [Country: (Private Address) (XX), City: (Private Address)]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8ACFD158)
[Address] SSDT[41] : NtCreateKey @ 0x80624160 -> HOOKED (Unknown @ 0x8ACA5D80)
[Address] SSDT[47] : NtCreateProcess @ 0x805D1250 -> HOOKED (Unknown @ 0x8ACA5B70)
[Address] SSDT[48] : NtCreateProcessEx @ 0x805D119A -> HOOKED (Unknown @ 0x8ACBB238)
[Address] SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8AD0E3B0)
[Address] SSDT[63] : NtDeleteKey @ 0x806245FC -> HOOKED (Unknown @ 0x8AD02868)
[Address] SSDT[65] : NtDeleteValueKey @ 0x806247CC -> HOOKED (Unknown @ 0x8ACA5C50)
[Address] SSDT[180] : NtQueueApcThread @ 0x805D2756 -> HOOKED (Unknown @ 0x8ACFD1D0)
[Address] SSDT[186] : NtReadVirtualMemory @ 0x805B42CA -> HOOKED (Unknown @ 0x8ABE8510)
[Address] SSDT[192] : NtRenameKey @ 0x80623B82 -> HOOKED (Unknown @ 0x8AD01168)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8ACBC020)
[Address] SSDT[226] : NtSetInformationKey @ 0x80622E7A -> HOOKED (Unknown @ 0x8ACFA3F0)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8ACB9978)
[Address] SSDT[229] : NtSetInformationThread @ 0x805CC124 -> HOOKED (Unknown @ 0x8ACEA968)
[Address] SSDT[247] : NtSetValueKey @ 0x806226D2 -> HOOKED (Unknown @ 0x8AD09498)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8ACD0240)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8ACFD248)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8ACCF0B8)
[Address] SSDT[258] : NtTerminateThread @ 0x805D24D2 -> HOOKED (Unknown @ 0x8ACFAE90)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8ABE8588)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS722080K9A300 +++++
--- User ---
[MBR] 7281d621448574652533f64b4f9a047c
[bSP] c588ad80a8ecfbecf50bd34d917bb106 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 MB
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_04172014_182223.txt >>
RKreport[0]_S_04152014_130432.txt

  • Root Admin

Did you set this proxy on purpose ?

 

ProxyServer (proxy.clarkrubber.com.au:8080

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 


  • 2 weeks later...
  • Root Admin

The log is now missing information, indicating that it was either modified before posting or is somehow being blocked from completion.

 

The computer also appears to be running a product or service from Brickstream that is not common as your computer is the only one that shows that entry in a log.

S3 clpx_serv;BS Clarity Proxy Server;c:\program files\Brickstream\Validator\bin\iuserv2.exe "c:\program files\Brickstream\Validator\Resources\ServicesInfoClarityProxy.properties" --> c:\program files\Brickstream\Validator\bin\iuserv2.exe c:\program files\Brickstream\Validator\Resources\ServicesInfoClarityProxy.properties [?]

Do you know about that software?

Did you install it yourself or your work maybe?

http://kb.sensourceinc.com/kb/entry/22/

 

 

Please restart the computer and try running Combofix again and post back the new log.


  • Root Admin

 

Then let me know if you're able to enable the Web blocker now or not.


 

 

Then let me know if you're able to enable the Web blocker now or not.

 

 

Hi,

 

I followed the above steps and I am still unable to enable the Web Blocker.

 

regards,

Craig


  • Root Admin

Okay, let me have you run the following please.

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

 

 

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


 


  • Root Admin

The computer appears to be having some networking issues that may or may not be part of the issue you're having.  You may want to ask your Network/Desktop Administrator to look at this computer and see if they can fix the networking errors.

 

 


Error: (04/29/2014 05:52:44 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

Error: (04/29/2014 03:58:41 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (05/01/2014 09:37:34 AM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain TYCOFS due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

 


The computer appears to be having some networking issues that may or may not be part of the issue you're having.  You may want to ask your Network/Desktop Administrator to look at this computer and see if they can fix the networking errors.

Error: (04/29/2014 05:52:44 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

Error: (04/29/2014 03:58:41 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (05/01/2014 09:37:34 AM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain TYCOFS due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

 

 

Hi,

 

yeah that's fine - the laptop was on the domain previously, but has been removed as it's used only as a standalone now, on its own dedicated ADSL line.

 

regards,

Craig


  • Root Admin

Actually it has not been removed from the domain otherwise it would not be looking for the domain.

Please try again to remove using the following information

http://www.ehow.com/how_5833684_delete-domain-computer.html

 

Once done then reboot a 2nd time and run the same scans from post 17 again please.


Hi,

 

I removed the laptop from the domain but I still cannot enable website protection.

 

BUT, when I took the laptop home with me last night and it wasn't connected to either wired or wireless network the website protection was enabled.  I connected it back to the wired connection this morning and it is disabled and cannot be enabled.

 

So the issue only seems to be occurring when there is a network connection.  I wonder if this is something all the other people experiencing this issue also have in common?


I did some testing and if the laptop booted with a network cable attached, the realtime malware protection could not be enabled.

 

So I removed the driver, then manually deleted the driver files from the \windows\drivercache and \windows\inf directories.

 

Rebooted, the drivers were automatically added, BUT I can now enable and disable the realtime protection module.

 

I'll scan and post the logs as soon as I can.

This topic is now closed to further replies.