Internet Options settings change on own--to custom settings

[Knat]

Hi I have been seeing settings change on their own and cannot nail down the cause. The thing I noticed that is ongoing lately is that Internet Options gain custom settings for Trusted Sites and Local Intranet (I am not on a domain, do not connect to work or school, do not manage my computer remotely, do not send print orders from a phone, etc.)

The system seems to run too many resources at times. And I get error messages that don't seem to match the environment (looks to me like an error from trying to connect to work etc)

Here are my logs. In the next post I will add 2 extra and explain why.

https://www.computerhope.com/cgi-bin/process.pl?o=1572815 says it can't understand my new update but there could be something wrong. "Detected potential protocol hijack" in a couple places and this would not surprise me. It also wouldn't surprise me if there were something with the way OneDrive is configured on my machine.

It also says it's safe to remove lms.exe ; I always thought there was part of the Intel ME that I could take off and it would be ok, and if this is true I'll be happy to see it go.

I'm not opposed to reinstalling Windows, but they don't give you reinstallation media any more with purchase, and I am not sure I can concentrate through the process without a lot of help.


[attachment deleted by admin to conserve space]

[Knat]

I guess I don't necessarily have to include more logs, just I thought some of the extensions shown in the logs (which don't actually show to me in the browser) seemed to not match up.

And because there seems to be something wrong with my imageres.dll files. If it's just that the Windows 7 sector (no I don't know what that is doing; it was already Windows 10 when I bought it) doesn't work it's not an issue, but I've in the past had Restore and Factory Reset stop working, and if this is happening again I need to work out how to fix it. (and prevent it).

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)
You have two AV's running on your computer: Windows Defender and Avira. WD is the resident AV that comes with Windows 10 and there's no need for another for another AV. Avira should be disabled/uninstalled.
What browser are you using?

Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator



•The tool will open and start scanning your system. At the Command Prompt, you’ll need to press any key to perform a scan.



•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.

[Knat]

Hi, I'm sorry; I didn't get a notice in my mail and I didn't know there was a reply. I will start to work on this but I realize it's a holiday week for some folks and it may take you (and me) some time to reply.

Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)
You have two AV's running on your computer: Windows Defender and Avira. WD is the resident AV that comes with Windows 10 and there's no need for another for another AV. Avira should be disabled/uninstalled.
What browser are you using?

I'm sorry; I didn't know WD and Avira conflicted (although I was worried about the firewall, once I realized Avira had something that managed this).
I thought that Windows Defender doesn't have as robust a feature set, and I thought it was disabled all except the second opinion scan. Is it not? (it looks disabled to me, from settings, and Windows says it is.) I feel confused.

I have three browsers installed because I cannot decide which to use. If I make FRST say all the internet things, it says there are some extensions that don't actually show in the browsers (including some that doesn't seem to be built in). Edge is listed as the default, so usually things open in that if they want to open a browser window from some other program. 

The box is already unticked to the Windows Defender realtime protection, so if it is running I am not sure how to make it not. I can make Avira stop real time protection, though.

The link to JRT doesn't seem to work. It just loads a blank page that says "pageok".

[Knat]

the IP address that shows to me looks nothing like the one I was expecting

[SuperDave]

I will start to work on this but I realize it's a holiday week for some folks and it may take you (and me) some time to reply.

Take all the time you need. This is not a chat room.

I have three browsers installed because I cannot decide which to use. If I make FRST say all the internet things, it says there are some extensions that don't actually show in the browsers (including some that doesn't seem to be built in). Edge is listed as the default, so usually things open in that if they want to open a browser window from some other program.

Try setting one of the other browsers as your default browser to see how it works. You can always set it back afterwards.

I thought that Windows Defender doesn't have as robust a feature set,

I use WD all the time and it's just a good as any other free AV.

The box is already unticked to the Windows Defender realtime protection, so if it is running I am not sure how to make it not. I can make Avira stop real time protection, though.

You can disable either of these AV's by clicking the realtime protection.

The link to JRT doesn't seem to work. It just loads a blank page that says "pageok".

Yes, I forgot. I will have to fix that.

the IP address that shows to me looks nothing like the one I was expecting

I don't understand this. Please explain.

[Knat]

Take all the time you need. This is not a chat room.

Thanks

Try setting one of the other browsers as your default browser to see how it works. You can always set it back afterwards.

I can try that but I think this is unlikely to be the issue, as I have previously had Mozilla Firefox as default, and this particular setting has changed (and sometimes other settings, too, like fileshare settings--again to settings that would not be default and that I would not select--but this is the one that is changing currently: I thought it had stopped but then it changed again the other day).

You can disable either of these AV's by clicking the realtime protection.

Maybe a screenshot will help. This is how WD is set and was set when I collected logs:

the IP address that shows to me looks nothing like the one I was expecting

I don't understand this. Please explain.

I probably wasn't very specific. This BB shows me my logged IP address. I was expecting a residential ISP address, but it shows a CloudFlare address. Does one of my extensions do that? Why isn't it consistent (like, sometimes in gmail they can find my location and it matches whatismyip or someplace like that, and sometimes it doesn't match, and sometimes they can't work out my location at all--maybe they'll give a country, maybe not even that).

I still can't get your link to work so I went to Mbam's site to see if I could get it from there. They recommend transitioning to AdwCleaner, but support JRT a few more months. https://www.malwarebytes.com/junkwareremovaltool/
I can't get the hyperlink tool to work, but maybe visible link is better anyway. I downloaded it from there. Here are the results:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 10 Home x64
Ran by [me] (Administrator) on Tue 11/21/2017 at 23:23:49.71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 11/21/2017 at 23:24:37.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Another problem I am having is that Windows Update tells me it failed on the last update, Update Troubleshoot tells me there is an update pending, but downloading the kb that matches the one marked as failed yields a message that this is already installed. Also there is never a restart/turn off to install message. I have this kind of trouble from time to time. I feel unsure whether or not my machine is updated.

[attachment deleted by admin to conserve space]

[Knat]

also, do you know what this is or why it's so weird?

oh, ok. I know what it is, but I don't know why it has such weird permissions.

[attachment deleted by admin to conserve space]

[SuperDave]

Maybe a screenshot will help. This is how WD is set and was set when I collected logs:

Could you please provide me with a screen shot of WD?
How to post screenshots or images

I probably wasn't very specific. This BB shows me my logged IP address. I was expecting a residential ISP address, but it shows a CloudFlare address. Does one of my extensions do that? Why isn't it consistent (like, sometimes in gmail they can find my location and it matches whatismyip or someplace like that, and sometimes it doesn't match, and sometimes they can't work out my location at all--maybe they'll give a country, maybe not even that).

A screenshot of this would perhaps help me understand.

I still can't get your link to work so I went to Mbam's site to see if I could get it from there. They recommend transitioning to AdwCleaner, but support JRT a few more months.

Thank you for that info. I was aware that the link wasn't working but now I know why.

ESET Online Scanner
Note : If you use Internet Explorer to get the ESET Online Scanner, you won't have to download, nor install the tool, as everything will be ran in a contextual (pop-up) window of Internet Explorer. However, for every other browsers, you will have to download and install ESET Online Scanner. In this set of instruction, I'll use Google Chrome to download it and run it (since a lot of people will do it), however, except for the download and installation procedure, the same instructions applies if you use Internet Explorer. Please note that two or three prompts will appear if you use Internet Explorer asking you to reload the page, authorize the application, execute it, etc. Accept all of them in order to run ESET Online Scanner.

    Download and execute ESET OnlineScan (on this window, click on ESET Smart Installer to trigger the download). People accessing this URL via Internet Explorer will start the integration process of ESET Online Scanner in their browser;
    Once the installation is done (it requires Admin Rights), check the following settings (two of them are under Advanced Settings, click on it to display them) :

        Enable detection of potentially unwanted applications;
        Scan archives;
        Scan for potentially unsafe applications;
        Optional : If you want to scan more drives, click on Change... and select the drives you want to include in the scan;

   

    After you're done checking these options, click on Start and ESET Online Scanner will download it's virus signature database before starting the scan;
   

    Once done, the scan will start automatically. Detections will appear at the bottom of the window. ESET Online Scanner can have an extremely long scan time that can last between 2 or 3 hours. So if you start the scan, do not interrupt it, let it complete until the end;
   

    After the scan is finished, a summary window will appear to give you the information about the scan. Then you'll have to the option to see what threads were found and to manage the threats that were quarantined;
   


    Click on List of found threats, it'll display every threat identified during that scan, their type and what action was taken against them. Click on Copy to clipboard to copy these results on our clipboard and post them in your next reply;
   


    Once you're done, click on the Back button;
    Check both checkboxes at the bottom: Uninstall application on close and Delete quarantined files before clicking on the Finish button;

[Knat]

Could you please provide me with a screen shot of WD?
How to post screenshots or images

Ok, I will try it like that, too.

A screenshot of this would perhaps help me understand.

This one could I send to your messages?

    Download and execute ESET OnlineScan (on this window, click on ESET Smart Installer to trigger the download). People accessing this URL via Internet Explorer will start the integration process of ESET Online Scanner in their browser;
    Once the installation is done (it requires Admin Rights), check the following settings (two of them are under Advanced Settings, click on it to display them) :

        Enable detection of potentially unwanted applications;
        Scan archives;
        Scan for potentially unsafe applications;
        Optional : If you want to scan more drives, click on Change... and select the drives you want to include in the scan;

   

    After you're done checking these options, click on Start and ESET Online Scanner will download it's virus signature database before starting the scan;
   

    Once done, the scan will start automatically. Detections will appear at the bottom of the window. ESET Online Scanner can have an extremely long scan time that can last between 2 or 3 hours. So if you start the scan, do not interrupt it, let it complete until the end;
   

    After the scan is finished, a summary window will appear to give you the information about the scan. Then you'll have to the option to see what threads were found and to manage the threats that were quarantined;
   


    Click on List of found threats, it'll display every threat identified during that scan, their type and what action was taken against them. Click on Copy to clipboard to copy these results on our clipboard and post them in your next reply;
   


    Once you're done, click on the Back button;
    Check both checkboxes at the bottom: Uninstall application on close and Delete quarantined files before clicking on the Finish button;

ok, I'll work on that. It doesn't usually take that long on my machine (as I don't have tons of stuff to scan), but it does seem longer than some of the other scans IIRC.
Meantime here is the one on WD:
https://image.frl/i/46laqc0ymzmim294.png


and here is the one of the file with the weird permissions (some other files have similarly weird permissions):

https://image.frl/i/j8x1bmy1yjqz8dw4.png
(I use the "public" folder to store things I can access between my admin profile that I use typically only when something insists on being accessed from that type of profile [as compared with "run as administrator" and use the correct admin pw], and my standard profile that I generally use). I haven't actually tried to use that program yet.

See also the lack of https here:

https://image.frl/i/8tly1o21dqhcas7x.png

[Knat]

Is "remove files from quarantine" the same as "delete files from quarantine"?


Also someone answered me about the insecure notice. Chrome explains the reasons for the insecure icon better than Edge.

I think the log from ESET must have saved in my admin profile. Sometimes things do that when running with an elevated prompt. (is that expected?) I'll edit with that shortly.

Edit: attachment

[attachment deleted by admin to conserve space]

[SuperDave]

This one could I send to your messages?

Sure. Send it as a pm.
I need a screenshot of when you open the WD security center.

Is "remove files from quarantine" the same as "delete files from quarantine"?

I seems like it would be the same thing.
How is the computer running now?

[Knat]

After removing the whatever came with CCLeaner, some ads in my broswer are gone I think. I installed that following some directions from a help page somewhere (I forget, now) trying to fix the update issue I mentioned. This happened after I posted here (my message went to spam for some reason and I thought no one would answer, so trying to fix on my own).

So I have these issues that I have mentioned:

1) Settings change on their own. Firewall settings most recently. Internet options is the same at the moment. No telling how short or long this will last.
2) I can't work out the conflicting messages with Windows Update. One of them is inaccurate but I can't tell which one. (may not be a malware issue)
3) I still can't work out the meaning of the weird "file permissions".
4) We are working on deciding if the way WD runs in W10 when there is other antimalware software installed, conflicts with other antimalware software.
5) I was wondering if you could tell me anything about the inaccurate way my IP address shows up.

4 and 5 I will send to pm. Each will be a separate message.

[SuperDave]

We are working on deciding if the way WD runs in W10 when there is other antimalware software installed, conflicts with other antimalware software.

No, it doesn't interfere with other malware programs

I was wondering if you could tell me anything about the inaccurate way my IP address shows up.

I will move this thread to the Windows 10 forum in the hope that someone there will help with these existing problems. Good Luck.

[Knat]

Ok, thanks.

Hopefully someone knows what to do.