Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Proxy comes back at reboot


  • Please log in to reply
2 replies to this topic

#1 1sty

1sty

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:31 PM

Posted 29 December 2014 - 07:23 PM

I have something on my machine that is causing the LAN settings of both windows and chrome to reset at reboot to enable a proxy server at 127.0.0.1:8000

I am running windows 7 X64.

I regularly run malewarebytes and CC cleaner along with Norton internet security/virus protection.

 

Initially I was getting update Java warnings but java's site would say I am up to date.

Later, Firefox started getting redirects so I swapped to chrome.

Eventually that started doing redirects and I was no longer able to log into my bank's billpay site.

At this point (Saturday) I got more invasive as the various scans were not finding anything.

Feeling Norton had failed I downloaded Kyspersky and removed Norton. Kespersky would not let me register my key. Tech support later told me I had to disable the proxy setting.

During that time I removed keyspersky and put back on Norton. Norton on first boot up put up a security warning about using a proxy.

I started looking into other posts about proxy issues.

After manually changing the registry and changing everything back to not use a proxy I rebooted adn the setting came back.

I changed them again and Java, Microsoft update, and Norton all were able to add more updates, even though it said I was up to date before.

After these updates, Norton found and removed a virus.

 

I then ran Malwarebytes and CC cleaner.

On a reboot the proxy settings came back but I was unable to access the internet.

This is still the situation.

After every reboot, I have to go into LAN settings for both Chrome and windows and turn off use a proxy.

 

From more digging I have run:

HitmanPro

ADWcleaner

Minitoolbox

Combofix

Nortons Poweliks removal

and Roguekiller.

None of the programs find anything any more except Roquekiller which is either two PUM.Proxy or a list of them all related to internet explorer.

 



BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:31 PM

Posted 29 December 2014 - 07:51 PM

Hello having run ComboFix you will need to repost your question with the ComboFix log here.

Virus, Trojan, Spyware, and Malware Removal Logs
 
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 1sty

1sty
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:31 PM

Posted 31 December 2014 - 09:17 PM

Here is the Combofix log:

 

ComboFix 14-12-25.01 - Craig Gaming 12/29/2014  20:07:44.8.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8167.6750 [GMT -5:00]
Running from: c:\users\Craig Gaming\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {179979E8-273D-D14E-0543-2861940E4886}
FW: Kaspersky Internet Security *Disabled* {2FA2F8CD-6D52-D016-2E1C-81546ADD0FFD}
SP: Kaspersky Internet Security *Disabled/Updated* {ACF8980C-0107-DEC0-3FF3-1313EF89023B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-11-28 to 2014-12-30  )))))))))))))))))))))))))))))))
.
.
2014-12-30 01:09 . 2014-12-30 01:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-12-30 01:09 . 2014-12-30 01:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-12-29 23:26 . 2014-12-29 23:26 -------- d-----w- c:\windows\ERUNT
2014-12-28 18:32 . 2014-09-05 02:11 6584320 ----a-w- c:\windows\system32\mstscax.dll
2014-12-28 18:32 . 2014-09-05 01:52 5703168 ----a-w- c:\windows\SysWow64\mstscax.dll
2014-12-28 18:28 . 2014-12-30 00:17 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-12-27 16:13 . 2014-08-29 02:07 3179520 ----a-w- c:\windows\system32\rdpcorets.dll
2014-12-27 16:13 . 2014-05-08 09:32 16384 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2014-12-27 16:00 . 2014-12-27 16:00 -------- d-----w- c:\programdata\RogueKiller
2014-12-27 03:50 . 2013-05-06 14:13 110176 ----a-w- c:\windows\system32\klfphc.dll
2014-12-27 03:50 . 2014-12-27 03:50 -------- d-----w- c:\windows\ELAMBKUP
2014-12-27 03:50 . 2014-12-27 03:50 -------- d-----w- c:\program files (x86)\Kaspersky Lab
2014-12-27 03:50 . 2014-08-12 23:33 246456 ----a-w- c:\windows\system32\drivers\klhk.sys
2014-12-27 03:37 . 2014-12-27 03:37 272184 ----a-w- c:\windows\system32\cc_20141226_223715.reg
2014-12-27 00:50 . 2014-12-27 00:50 -------- d-----w- c:\program files\HitmanPro
2014-12-27 00:50 . 2014-12-27 03:45 -------- d-----w- c:\programdata\HitmanPro
2014-12-26 22:59 . 2014-12-28 13:48 -------- d-----w- C:\AdwCleaner
2014-12-26 22:58 . 2014-12-28 18:38 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-26 22:57 . 2014-12-26 22:57 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-12-26 22:57 . 2014-11-21 11:14 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-12-26 22:57 . 2014-11-21 11:14 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-12-26 22:57 . 2014-11-21 11:14 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-12-26 22:30 . 2014-12-26 22:30 -------- d-----w- c:\program files\CCleaner
2014-12-26 22:25 . 2014-12-26 22:25 -------- d-----w- c:\windows\Sun
2014-12-26 22:20 . 2014-12-26 22:20 -------- d-----w- c:\programdata\Oracle
2014-12-26 21:40 . 2014-12-26 22:37 -------- d-----w- C:\NPE
2014-12-26 21:39 . 2014-12-26 22:38 -------- d-----w- c:\users\Craig Gaming\AppData\Local\NPE
2014-12-26 19:36 . 2014-12-26 19:36 -------- d-----w- c:\program files\McAfee
2014-12-26 19:23 . 2012-08-23 14:13 243200 ----a-w- c:\windows\system32\rdpudd.dll
2014-12-26 19:23 . 2012-08-23 14:10 19456 ----a-w- c:\windows\system32\drivers\rdpvideominiport.sys
2014-12-26 19:23 . 2012-08-23 14:08 30208 ----a-w- c:\windows\system32\drivers\TsUsbGD.sys
2014-12-26 19:23 . 2012-08-23 11:12 192000 ----a-w- c:\windows\SysWow64\rdpendp_winip.dll
2014-12-26 19:23 . 2012-08-23 10:51 228864 ----a-w- c:\windows\system32\rdpendp_winip.dll
2014-12-26 15:08 . 2014-12-30 00:00 -------- d-----w- c:\programdata\Kaspersky Lab
2014-12-26 14:36 . 2014-12-26 14:36 -------- d-----w- c:\programdata\FileTypeHelper
2014-12-17 21:28 . 2014-12-13 05:09 144384 ----a-w- c:\windows\system32\ieUnatt.exe
2014-12-17 21:28 . 2014-12-13 03:33 115712 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-12-11 00:56 . 2014-12-11 00:56 -------- d-----w- c:\windows\system32\appraiser
2014-12-10 20:05 . 2014-07-07 02:06 24576 ----a-w- c:\windows\system32\mfpmp.exe
2014-12-10 20:05 . 2014-07-07 02:02 2048 ----a-w- c:\windows\system32\mferror.dll
2014-12-10 20:05 . 2014-07-07 01:37 2048 ----a-w- c:\windows\SysWow64\mferror.dll
2014-12-10 20:05 . 2014-10-18 02:05 4121600 ----a-w- c:\windows\system32\mf.dll
2014-12-10 20:05 . 2014-10-18 01:33 3209728 ----a-w- c:\windows\SysWow64\mf.dll
2014-12-10 20:05 . 2014-07-07 02:06 206848 ----a-w- c:\windows\system32\mfps.dll
2014-12-10 20:05 . 2014-07-07 02:06 55808 ----a-w- c:\windows\system32\rrinstaller.exe
2014-12-10 20:05 . 2014-07-07 01:40 103424 ----a-w- c:\windows\SysWow64\mfps.dll
2014-12-10 20:05 . 2014-07-07 01:39 50176 ----a-w- c:\windows\SysWow64\rrinstaller.exe
2014-12-10 20:05 . 2014-07-07 01:39 23040 ----a-w- c:\windows\SysWow64\mfpmp.exe
2014-12-10 13:13 . 2014-10-03 02:12 310272 ----a-w- c:\windows\system32\WsmWmiPl.dll
2014-12-10 13:13 . 2014-10-03 02:12 2020352 ----a-w- c:\windows\system32\WsmSvc.dll
2014-12-10 13:13 . 2014-10-03 02:12 346624 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2014-12-10 13:13 . 2014-10-03 02:12 181248 ----a-w- c:\windows\system32\WsmAuto.dll
2014-12-10 13:13 . 2014-10-03 02:11 266240 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2014-12-10 13:13 . 2014-10-03 01:45 248832 ----a-w- c:\windows\SysWow64\WSManMigrationPlugin.dll
2014-12-10 13:13 . 2014-10-03 01:45 214016 ----a-w- c:\windows\SysWow64\WsmWmiPl.dll
2014-12-10 13:13 . 2014-10-03 01:45 145920 ----a-w- c:\windows\SysWow64\WsmAuto.dll
2014-12-10 13:13 . 2014-10-03 01:45 1177088 ----a-w- c:\windows\SysWow64\WsmSvc.dll
2014-12-10 13:13 . 2014-10-03 01:44 198656 ----a-w- c:\windows\SysWow64\WSManHTTPConfig.exe
2014-12-10 13:13 . 2014-11-08 03:16 2048 ----a-w- c:\windows\system32\tzres.dll
2014-12-10 13:13 . 2014-11-08 02:45 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-12-10 02:33 . 2014-12-10 02:33 -------- d-----w- c:\users\Craig Gaming\AppData\Local\Logitech
2014-12-10 02:33 . 2014-12-10 02:33 -------- d-----w- c:\program files\Logitech
2014-12-10 02:33 . 2014-12-10 02:33 -------- d-----w- c:\program files\Common Files\Logitech
2014-11-30 03:43 . 2014-12-02 16:24 -------- d-----w- c:\users\Craig Gaming\AppData\Local\Battle.net
2014-11-30 03:43 . 2014-11-30 03:44 -------- d-----w- c:\users\Craig Gaming\AppData\Roaming\Battle.net
2014-11-30 03:43 . 2014-11-30 03:43 -------- d-----w- c:\program files (x86)\Battle.net
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-27 03:55 . 2014-08-14 00:34 77512 ----a-w- c:\windows\system32\drivers\klwtp.sys
2014-12-27 03:55 . 2014-08-20 23:04 818888 ----a-w- c:\windows\system32\drivers\klif.sys
2014-12-27 03:55 . 2014-08-18 19:43 150536 ----a-w- c:\windows\system32\drivers\klflt.sys
2014-12-10 20:06 . 2012-02-14 01:23 112710672 ----a-w- c:\windows\system32\MRT.exe
2014-12-10 04:07 . 2012-04-25 01:46 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-10 04:07 . 2012-04-25 01:46 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-18 19:56 . 2014-11-18 19:56 1202848 ----a-w- c:\windows\SysWow64\FM20.DLL
2014-11-11 03:08 . 2014-11-19 12:47 241152 ----a-w- c:\windows\system32\pku2u.dll
2014-11-11 03:08 . 2014-11-19 12:47 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-11-11 02:44 . 2014-11-19 12:47 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
2014-11-11 02:44 . 2014-11-19 12:47 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-10-25 01:57 . 2014-11-14 15:41 77824 ----a-w- c:\windows\system32\packager.dll
2014-10-25 01:32 . 2014-11-14 15:41 67584 ----a-w- c:\windows\SysWow64\packager.dll
2014-10-18 02:05 . 2014-11-14 15:41 861696 ----a-w- c:\windows\system32\oleaut32.dll
2014-10-18 01:33 . 2014-11-14 15:41 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2014-10-14 02:16 . 2014-11-14 15:42 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 02:13 . 2014-11-14 15:42 683520 ----a-w- c:\windows\system32\termsrv.dll
2014-10-14 02:13 . 2014-11-14 15:41 3241984 ----a-w- c:\windows\system32\msi.dll
2014-10-14 02:12 . 2014-11-14 15:42 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-10-14 02:09 . 2014-11-14 15:42 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-10-14 02:07 . 2014-11-14 15:42 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-10-14 01:50 . 2014-11-14 15:42 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-10-14 01:50 . 2014-11-14 15:41 2363904 ----a-w- c:\windows\SysWow64\msi.dll
2014-10-14 01:49 . 2014-11-14 15:42 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-10-14 01:47 . 2014-11-14 15:42 146432 ----a-w- c:\windows\SysWow64\msaudite.dll
2014-10-14 01:46 . 2014-11-14 15:42 681984 ----a-w- c:\windows\SysWow64\adtschema.dll
2014-10-10 00:57 . 2014-11-14 15:41 3198976 ----a-w- c:\windows\system32\win32k.sys
2014-10-03 02:12 . 2014-11-14 15:41 500224 ----a-w- c:\windows\system32\AUDIOKSE.dll
2014-10-03 02:11 . 2014-11-14 15:41 284672 ----a-w- c:\windows\system32\EncDump.dll
2014-10-03 02:11 . 2014-11-14 15:41 680960 ----a-w- c:\windows\system32\audiosrv.dll
2014-10-03 02:11 . 2014-11-14 15:41 440832 ----a-w- c:\windows\system32\AudioEng.dll
2014-10-03 02:11 . 2014-11-14 15:41 296448 ----a-w- c:\windows\system32\AudioSes.dll
2014-10-03 01:44 . 2014-11-14 15:41 442880 ----a-w- c:\windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44 . 2014-11-14 15:41 374784 ----a-w- c:\windows\SysWow64\AudioEng.dll
2014-10-03 01:44 . 2014-11-14 15:41 195584 ----a-w- c:\windows\SysWow64\AudioSes.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\Craig Gaming\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\Craig Gaming\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\Craig Gaming\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 AVP15.0.1;Kaspersky Anti-Virus Service 15.0.1;c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe;c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys;c:\windows\SYSNATIVE\DRIVERS\lvbflt64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys;c:\windows\SYSNATIVE\Drivers\ANDROIDUSB.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Webcam C525(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 cm_km_w;Kaspersky Lab Crypto Module (FDE PDK);c:\windows\system32\DRIVERS\cm_km_w.sys;c:\windows\SYSNATIVE\DRIVERS\cm_km_w.sys [x]
S1 klhk;klhk;c:\windows\system32\DRIVERS\klhk.sys;c:\windows\SYSNATIVE\DRIVERS\klhk.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys;c:\windows\SYSNATIVE\DRIVERS\klim6.sys [x]
S1 klpd;klpd;c:\windows\system32\DRIVERS\klpd.sys;c:\windows\SYSNATIVE\DRIVERS\klpd.sys [x]
S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys;c:\windows\SYSNATIVE\DRIVERS\kltdi.sys [x]
S1 Klwtp;Klwtp;c:\windows\system32\DRIVERS\klwtp.sys;c:\windows\SYSNATIVE\DRIVERS\klwtp.sys [x]
S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys;c:\windows\SYSNATIVE\DRIVERS\kneps.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz135_x64.sys [x]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe;c:\program files\HitmanPro\hmpsched.exe [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 kldisk;kldisk;c:\windows\system32\DRIVERS\kldisk.sys;c:\windows\SYSNATIVE\DRIVERS\kldisk.sys [x]
S3 athur;Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athurx.sys;c:\windows\SYSNATIVE\DRIVERS\athurx.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 klflt;Kaspersky Lab Kernel DLL;c:\windows\system32\DRIVERS\klflt.sys;c:\windows\SYSNATIVE\DRIVERS\klflt.sys [x]
S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\DRIVERS\klkbdflt.sys;c:\windows\SYSNATIVE\DRIVERS\klkbdflt.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys;c:\windows\SYSNATIVE\DRIVERS\klmouflt.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-12-28 14:20 1087816 ----a-w- c:\program files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-25 04:07]
.
2014-12-27 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1622598253-4236459528-2712280225-1000Core.job
- c:\users\Craig Gaming\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-12-26 04:06]
.
2014-12-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1622598253-4236459528-2712280225-1000UA.job
- c:\users\Craig Gaming\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-12-26 04:06]
.
2014-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-12-28 14:20]
.
2014-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-12-28 14:20]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 164760 ----a-w- c:\users\Craig Gaming\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 164760 ----a-w- c:\users\Craig Gaming\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 164760 ----a-w- c:\users\Craig Gaming\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 164760 ----a-w- c:\users\Craig Gaming\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <-loopback>
IE: {{09A10376-994C-4BBF-9121-F50CF7BA237E} - {F2A56BFE-7911-451A-BC74-A9C3C2E95126} - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\IEExt\ie_plugin.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_246_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_246_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_246_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_246_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-29  20:10:17
ComboFix-quarantined-files.txt  2014-12-30 01:10
ComboFix2.txt  2014-12-29 23:38
ComboFix3.txt  2014-12-28 14:51
ComboFix4.txt  2014-12-26 20:38
ComboFix5.txt  2014-12-30 01:07
.
Pre-Run: 47,116,939,264 bytes free
Post-Run: 47,049,498,624 bytes free
.
- - End Of File - - 636C8FB8E7591F8ABB12003E4D9EED51
A36C5E4F47E84449FF07ED3517B43A31





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users