Unable to access winpatrol

Started by SuperValuRx, March 04, 2016, 01:44:55 AM

Corrine

Hi, Bill.  Thank you for getting all of the very long logs posted!  Not a lot but a few things to take care of.

Please do the following to run FRST:

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Copy/Paste the entire contents of the code box below into Notepad.

start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
R1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\7DE070B0.02A\ccSetx64.sys [162392 2013-09-27] (Symantec Corporation)
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath
2016-03-04 20:50 - 2016-03-10 15:29 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
2016-03-04 20:50 - 2016-03-04 20:50 - 04054184 _____ C:\Users\William\Downloads\MyPCBackup_WebInstaller.exe
EmptyTemp:
end

  • Click Format and ensure Wordwrap is unchecked.
  • Important:  Save the code to the same folder/directory that FRST.exe is located in, naming it as fixlist.txt
  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....

    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post the log in your next reply.

Regarding WinPatrol, there are several files shown in your logs, particularly in your Downloads folder which certainly isn't the correct location. I didn't add the files for removal but find the location rather strange.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Bret Lowry

Hi,

Our servers recently suffered a denial of service attack from IPs originating at Cincinnati Bell. The IPs were automatically blocked from accessing our site.
I'm wondering if maybe the malware that was installed on your computer was resulting in that attack or if you unfortunately ended up with the IP address post-rebuild.

Please respond to the email I sent to you and if that IP is being blocked I will open it back up again.

Thanks,
Bret.

SuperValuRx

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by William (2016-03-11 17:47:35) Run:1
Running from C:\Users\William\Desktop
Loaded Profiles: William (Available Profiles: William)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
R1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\7DE070B0.02A\ccSetx64.sys [162392 2013-09-27] (Symantec Corporation)
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath
2016-03-04 20:50 - 2016-03-10 15:29 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
2016-03-04 20:50 - 2016-03-04 20:50 - 04054184 _____ C:\Users\William\Downloads\MyPCBackup_WebInstaller.exe
EmptyTemp:
end
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => key removed successfully
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => key not found.
ccSet_NST => Unable to stop service.
ccSet_NST => service removed successfully
idsvc => service removed successfully
wpcsvc => service removed successfully
C:\Program Files (x86)\MyPC Backup => moved successfully
C:\Users\William\Downloads\MyPCBackup_WebInstaller.exe => moved successfully
EmptyTemp: => 1006.3 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 17:49:11 ====

I see that Bret posted here and sent an email to me while I was reading your reply. I did reboot the system, but the Forbidden message still appears. After I post this message I will reply to Mr. Lowry's email.
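
Added example (not part of any post in this thread, and not FRST's own code): a short Python triage of a fixlog like the one above, which skips the echoed fixlist and reports the worst outcome per target so that a failed step is not hidden by a later success. The outcome wording and the asterisk-delimited layout are assumed from this log only; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: result lines taken from the fixlog posted above, shortened.
SAMPLE_FIXLOG = r"""fixlist content:
*****************
start
HKLM-x32\...\Run: [] => [X]
end
*****************

HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => key not found.
ccSet_NST => Unable to stop service.
ccSet_NST => service removed successfully
idsvc => service removed successfully
EmptyTemp: => 1006.3 MB temporary data Removed.
The system needed a reboot.
"""

SEVERITY = {"ok": 0, "not_found": 1, "check": 2}

def classify(outcome):
    """Map an outcome string to ok / not_found / check (wording assumed from this log)."""
    if re.search(r"\bnot found\b", outcome, re.I):
        return "not_found"
    if re.search(r"\b(unable|not|fail\w*|error)\b", outcome, re.I):
        return "check"
    if re.search(r"\b(removed|moved|created|closed)\b", outcome, re.I):
        return "ok"
    return "check"  # unrecognised wording is flagged for a human to read

def parse_fixlog(text):
    """Return ({target: [(status, outcome), ...]}, reboot_needed)."""
    results, in_echo, reboot = defaultdict(list), False, False
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"\*{5,}", line):
            in_echo = not in_echo  # asterisk rules bracket the echoed fixlist
        elif in_echo or not line:
            continue  # echoed directives also contain " => "; they are not results
        elif "needed a reboot" in line:
            reboot = True
        elif " => " in line:
            target, outcome = line.rsplit(" => ", 1)
            results[target.strip('"')].append((classify(outcome), outcome))
    return dict(results), reboot

def worst_status(results):
    """Collapse each target to its most severe line, so a failed step is not hidden."""
    return {t: max((s for s, _ in e), key=SEVERITY.get) for t, e in results.items()}
```

On the sample, `ccSet_NST` comes back as `check` because the service could not be stopped before it was removed, which fits the log's note that a reboot was needed.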

Corrine

Hi, Bill.

I didn't expect that the script I provided would solve the "Forbidden" message.  Please let me know how your computer is after Bret whitelists your IP address and I'll provide instructions for cleanup of the tools used.


SuperValuRx

Corrine, I want to thank you for all of your expert assistance. Everything is running fine now. After Bret whitelisted my IP address, I only had one minor problem. When I tried to register Win Privacy, it would crash. A redownload of the program corrected this. Thank You Bill.