Windows 10: SppExtComObj.Exe

Yes that's what the IT guy told me about Spyhunter so I deleted it. When I got the Cryptolocker I downloaded all sort of programs and went to various websites to find out how to recover my files and remove it so I could easily have picked something up then. The IT guy said he cleaned up my machine up but I'm not that confident really.

I am working through the RKILL process then running the various programs.
Here is the current log:
Rkill 2.8.4 by Lawrence Abrams (Grinler)
BleepingComputer.com - News, Reviews, and Technical Support
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
RKill - What it does and What it Doesnt - A brief introduction to the program - Anti-Virus, Anti-Malware, and Privacy Software

Program started at: 08/27/2016 11:32:45 AM in x64 mode.
Windows Version: Windows 10 Pro

Checking for Windows services to stop:
* No malware services found to stop.

Checking for processes to terminate:
* No malware processes found to kill.

Checking Registry for malware related settings:
* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
* Windows Defender Disabled
[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:
* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:
* No issues found.

Checking HOSTS File:
* Cannot edit the HOSTS file.
* Permissions Fixed. Administrators can now edit the HOSTS file.

* HOSTS file entries found:
127.0.0.1 http://www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com域名正在出售
127.0.0.1 008k.com
127.0.0.1 Pheenix - Buy this domain today. | 00HQ.com is for sale.
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 http://www.032439.com
127.0.0.1 032439.com
127.0.0.1 0scan.com
127.0.0.1 0scan.com
127.0.0.1 http://www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 1001 Namen
127.0.0.1 100888290cs.com
127.0.0.1 http://www.100888290cs.com
127.0.0.1 http://www.100sexlinks.com
127.0.0.1 100sexlinks.com
20 out of 15593 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 08/27/2016 11:33:00 AM
Execution time: 0 hours(s), 0 minute(s), and 14 seconds(s)

Some of this looks dodgy to me. I don't go anywhere near sex sites!

MBAM didn't find anything. Panda found some things but nothing which was highlighted as a threat.

Superantispyware is still running as is ESET.

 

Please open Services (type services.msc in the search box) and look for Security Center. Make sure it is set to Automatic (Delayed Start), and that it is running. If it's not running, please Start the service. If you have problems starting the service, please let me know. You can do this while a scan is running.

Please only one scan at a time - it can cause troubles running more than one at the same time.

The HOSTS file appears to have been modified, perhaps by your IT guy. From what I see, all those sites are being blocked, by telling your machine to look at your machine when it wants to go there. I can't explain this very well, so here's a good article for you to read to understand the concept.

What are these 127.0.0.1 entries in my system hosts file?

The problem is, I can't see the entire HOSTS file from the RKILL report, so I have no idea what's in there. If you know your IT guy did this, then we'll let it go at that. If you're unsure, then what we have to do is navigate to the HOSTS file, copy it to the desktop, and then open it with Notepad, and paste it here in a code box (use the # icon in the toolbar).

MBAM - was that run with the ROOTKIT box checked? Posting the log, even if it found nothing, would answer that question for me.

 

I have no idea what the IT guy did except help get my files back. I don't think he was that experienced as when I started asking him questions he didn't seem to respond too well.
The security centre was already on auto delayed start and is "No Issues" now.
Here is the MBAM log and Rootkits was selected as you will see.
Code: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 27/08/2016 Scan Time: 11:34 AM Logfile: MBAM log.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.08.26.11 Rootkit Database: v2016.08.15.01 License: Premium Malware Protection: Enabled Malicious Website Protection: Enabled Self-protection: Enabled OS: Windows 10 CPU: x64 File System: NTFS User: Paul Scan Type: Threat Scan Result: Completed Objects Scanned: 446047 Time Elapsed: 35 min, 16 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 0 (No malicious items detected) Modules: 0 (No malicious items detected) Registry Keys: 0 (No malicious items detected) Registry Values: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Folders: 0 (No malicious items detected) Files: 0 (No malicious items detected) Physical Sectors: 0 (No malicious items detected) [end)[/quote] There are a lot of files in the Host folder "etc" Mostly backups going back as far as 2009. Here is the latest. It's mostly been changed by Spybot which is a feature of the program when you "immunise". I have removed the massive number of Spybot adds so that it's not like 20 pages!

Code: Copyright (c) 1993-2009 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost # Start of entries inserted by Spybot - Search & Destroy # This list is Copyright 2000-2015 Safer-Networking Ltd. # This list is Copyright 2000-2010 Safer-Networking Ltd. 127.0.0.1 www.007guard.com LOTS OF OTHER ENTRIES LIKE THIS I HAVE DELETED AND HAVE ALL BEEN ADDED BY SPYBOT inc 127.0.0.1 www.100sexlinks.com 127.0.0.1 100sexlinks.com and the others in the Rkill report. # End of entries inserted by Spybot - Search & Destroy 127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com 127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com 127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com 127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com 127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com 127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net[/quote] I had a look at a backup from a year ago and it looks very similar.

I am thinking of doing a repair install tomorrow as my machine I think needs a refresher, what do you think? I might bite the bullet and do a clean install at Christmas when I will have time to reinstall all of my programs.

 

Yes, thanks - that looks good.

Okay that's where all the entries came from - Spybot. No problem.

So security center is now "ON" and have you looked at it to make sure it's reporting properly? Please type security and maintenance in the search box. Expand the down arrow to the right of Security, and make sure it is reporting Firewall ON, ESET Virus protection ON, Internet security settings OK, UAC ON, Smart Screen ON.

I take it ESET is still running? I'd really like to see the ADWCleaner and JRT logs before you do the repair install.

When you are ready for the repair, do the repair install using an in-place upgrade:

Repair Install Windows 10 with an In-place Upgrade - Windows 10 Forums

Remove all drives except OS drive; remove all peripherals except keyboard, mouse and monitor; remove 3rd-party AV; remove Spybot; remove any hard drive monitoring software. Make sure you have a current image for restoration, just in case, but this procedure is pretty robust, and I've never had a problem with it.

 

Ok I'm out for a few hours so will get to it when I get back. I assume my second monitor should also be disconnected, would disabling the antivirus do? I will get the other logs over to u later.

 

Just chiming in to say that the Cryptoprevent link provided by Majorgeeks seems to be outdated...

Cryptoprevent download.

 

OK, here is the ADWCleaner Log:

Code: AdwCleaner v6.010 - Logfile created 27/08/2016 at 11:09:34 # Updated on 12/08/2016 by ToolsLib # Database : 2016-08-26.1 [Server] # Operating System : Windows 10 Pro (X64) # Username : Paul - PAUL1 # Running from : C:\Users\Paul\Desktop\adwcleaner_6.010.exe # Mode: Scan # Support : ToolsLib ***** [ Services ] ***** No malicious services found. ***** [ Folders ] ***** Folder Found: C:\Program Files (x86)\nicenfreaE Folder Found: C:\Program Files (x86)\1ClickDownload Folder Found: C:\Program Files (x86)\SectionDouble ***** [ Files ] ***** No malicious files found. ***** [ DLL ] ***** No malicious DLLs found. ***** [ WMI ] ***** No malicious keys found. ***** [ Shortcuts ] ***** No infected shortcut found. ***** [ Scheduled Tasks ] ***** No malicious task found. ***** [ Registry ] ***** Key Found: HKCU\Software\584d98bbc68bf46 Key Found: HKLM\SOFTWARE\3f74aedd-9dd0-ebef-5721-2156c5605700 Key Found: HKU\S-1-5-21-3973668099-4131815052-1200373551-1000\Software\Classes\AppXrh6feys59dqfzsv9p3s9p6aep0hwtb23 Key Found: HKU\S-1-5-21-3973668099-4131815052-1200373551-1000\Software\Classes\DWGTrueViewToolCatalog Key Found: HKCU\Software\Classes\AppXrh6feys59dqfzsv9p3s9p6aep0hwtb23 Key Found: HKCU\Software\Classes\DWGTrueViewToolCatalog Key Found: HKLM\SOFTWARE\Classes\AVSAsyncBuffer.AVSVideoTimeShift Key Found: HKLM\SOFTWARE\Classes\AVSAsyncBuffer.AVSVideoTimeShift.1 Key Found: HKLM\SOFTWARE\Classes\AVSAsyncBuffer.UVideoTimeShift Key Found: HKLM\SOFTWARE\Classes\AVSAsyncBuffer.UVideoTimeShift.1 Key Found: HKLM\SOFTWARE\Classes\protector_dll.Protector Key Found: HKLM\SOFTWARE\Classes\protector_dll.Protector.1 Key Found: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib Key Found: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1 Key Found: [x64] HKLM\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814} Key Found: [x64] HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270} Key Found: [x64] HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A} Key Found: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814} Key Found: [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{91EE0830-B539-45AB-83F2-741FED0B0E2F} Key Found: HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96} Key Found: HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270} Key Found: HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A} Key Found: HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552} Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2974C985-8151-4DE5-B23C-B875F0A8522F} Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814} Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2974C985-8151-4DE5-B23C-B875F0A8522F} Key Found: HKU\S-1-5-21-3973668099-4131815052-1200373551-1000\Software\AppDataLow\Toolbar Key Found: HKCU\Software\AppDataLow\Toolbar Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D01A33E2-0A34-4659-82AA-8A90C51C0D21} Value Found: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [MalwareProtectionLive] ***** [ Web browsers ] ***** No malicious Firefox based browser items found. No malicious Chromium based browser items found. ************************* C:\AdwCleaner\AdwCleaner[S0].txt - [3570 Bytes] - [27/08/2016 11:09:34] ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3643 Bytes] ##########[/quote] and here is the JRT log file:

Code: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Junkware Removal Tool (JRT) by Malwarebytes Version: 8.0.7 (07.03.2016) Operating System: Windows 10 Pro x64 Ran by Paul (Administrator) on Sat 27/08/2016 at 20:04:25.64 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ File System: 0 Registry: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan was completed on Sat 27/08/2016 at 20:07:38.82 End of JRT log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[/quote] BTW, I am still getting the AppExtComObj blocked contact.

 

I also checked the security as suggest and security center is now "ON", Firewall ON, ESET Virus protection ON, Internet security settings OK, UAC ON, Smart Screen ON.

 

I also checked out a macrium image and you are right, it's easy to get a backup file again so I think I will ditch SC8 and just use macrium and see how I go.

 

They say disabling is enough (especially for upgrades from W7/W8 to W10), but to be safe, I prefer to uninstall and put Defender on the job temporarily.

Thanks! *Smile

 

Correct.

Okay, you've got some issues that ADWCleaner has identified. (Adware/PUPs/Trojs)
Please run the scan and then run CLEAN. Make sure everything else is closed, as it will ask you to reboot to finish cleaning. Then run the scan again and post the log (it will be log [S1]).
Thanks.

 

Good!

Yes. I think it will work well. It's a great program.


Question: without reading back, have you run TDSSKiller? If not, after ADWCleaner cleaning, run TDSSKiller, checking all the boxes - it will ask you to reboot so it can run the scan properly, select YES. That "blocking" could be a rootkit of some sort.

I have some errands as well myself. Will be back later. *Smile

 

OK that was stressful! I suffer from the occasional Blue Screen with a page_fault_in_nonpaged_area" fault. The second attempt usually works so I haven't bothered sorting it out but today it took 4 times to get it going. Now for some reason I can't copy and paste to here.

Good news though, I ran and cleaned with AdwCleaner and there was nothing to report on the second run after the clean.
I also ran TDSS killer and it also detected nothing.
Looks like I am clean now, am I good to go re the windows repair?
Anything else first you would recommend?
Cheers

 

I think it's time for the repair, yes. *Smile

Looks good to me. Not sure why the block went away - we didn't really do anything! *Confused

 

Please be sure to download the most recent ISO from Microsoft for the in-place repair.