
Persistent proxy 127.0.0.1:8800 following isearch.omiga-plus.com infection


This topic is locked
11 replies to this topic

#1 Steve Evans


Posted 23 January 2015 - 04:30 PM

Despite apparently being able to uninstall the isearch.omiga-plus.com search engine redirect malware, I now find that my proxy settings are fixed as per the attached image. If I disable the proxy it is immediately re-enabled. I've run Malwarebytes and it reports no infections.

See my FRST log below.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by Syrene (administrator) on SYRENE-VAIO on 23-01-2015 21:24:59
Running from C:\Users\Syrene\Desktop
Loaded Profiles: UpdatusUser & Syrene (Available profiles: UpdatusUser & Syrene)
Platform: Windows 8.1 Pro (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files\Bacula\bacula-fd.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\VESMgr.exe
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRYSVC.EXE
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\BCMWLTRY.EXE
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\SUSSoundProxy.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.EXE
(Sony Corporation) C:\Program Files\Sony\VAIO Update\VUAgent.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.EXE
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe
(JRT Studio LLC) C:\Program Files (x86)\JRT Studio\iSyncr\iSyncr.exe
() C:\Users\Syrene\.thinkbuzan\imindmap7\preload\iMindMap7_Preloader.exe
(ThinkBuzan) C:\Program Files (x86)\ThinkBuzan\iMindMap 7\iMindMap 7.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(cyberlink) C:\Program Files (x86)\CyberLink\Shared files\brs.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkClient.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(Intel Corporation) C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Update\VAIOUpdt.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCSystemTray.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCService.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCAgent.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCAdmin.exe
(iolo technologies, LLC) C:\Program Files\Sony\VAIO Care\Iolo\ioloTools.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\SnippingTool.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\livecomm.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1381744 2014-02-20] (Realtek Semiconductor)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe [10590208 2013-03-14] (Broadcom Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-06-16] (Adobe Systems Incorporated)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3039984 2013-03-14] (Synaptics Incorporated)
HKLM\...\Run: [Bluetooth] => C:\Program Files\WIDCOMM\Bluetooth Software\bttray.exe [534232 2013-09-04] (Broadcom Corporation.)
HKLM-x32\...\Run: [PMBVolumeWatcher] => C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe [740376 2013-02-06] (Sony Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BDRegion] => C:\Program Files (x86)\Cyberlink\Shared files\brs.exe [181208 2013-03-13] (cyberlink)
HKLM-x32\...\Run: [Intel AppUp® center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [156000 2013-02-19] (Intel Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\igfxcui: C:\WINDOWS\SYSTEM32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-167429394-3898297706-3148398425-1001\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2013-08-22] (Microsoft Corporation)
HKU\S-1-5-21-167429394-3898297706-3148398425-1002\...\RunOnce: [Application Restart #6] => C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe [493152 2013-02-20] (Sony Corporation)
HKU\S-1-5-21-167429394-3898297706-3148398425-1002\...\RunOnce: [Adobe Speed Launcher] => 1421958188
AppInit_DLLs-x32: c:\windows\syswow64\nvinit.dll => c:\windows\syswow64\nvinit.dll [326224 2013-09-24] (NVIDIA Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\iSyncr.lnk
ShortcutTarget: iSyncr.lnk -> C:\Windows\Installer\{2C99ED03-3FA1-42C7-A699-B4AB1A870ED0}\_9838CAEDA26D66DB156710.exe ()
Startup: C:\Users\Syrene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iMindMap7 Preloader.lnk
ShortcutTarget: iMindMap7 Preloader.lnk -> C:\Users\Syrene\.thinkbuzan\imindmap7\preload\iMindMap7_Preloader.exe ()
Startup: C:\Users\Syrene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8800;https=127.0.0.1:8800
ProxyServer: [HKLM-x32] => http=127.0.0.1:8800;https=127.0.0.1:8800
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKU\S-1-5-21-167429394-3898297706-3148398425-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sony13.msn.com
HKU\S-1-5-21-167429394-3898297706-3148398425-1001\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://vaioportal.sony.eu
HKU\S-1-5-21-167429394-3898297706-3148398425-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-167429394-3898297706-3148398425-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
HKU\S-1-5-21-167429394-3898297706-3148398425-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://vaioportal.sony.eu
HKU\S-1-5-21-167429394-3898297706-3148398425-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/english/
HKU\S-1-5-21-167429394-3898297706-3148398425-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://vaioportal.sony.eu
HKU\S-1-5-21-167429394-3898297706-3148398425-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-167429394-3898297706-3148398425-1002\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://vaioportal.sony.eu
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKLM -> {4B3B2A04-675E-49FD-8BF4-6132BD35C4B0} URL = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-167429394-3898297706-3148398425-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
SearchScopes: HKU\S-1-5-21-167429394-3898297706-3148398425-1001 -> {B11E8E70-2FEB-41F1-87FB-6CF16F3AABDF} URL = http://rover.ebay.com/rover/1/710-42480-16445-33/4?mpre=http://shop.ebay.co.uk/?oemInLn=ieSrch-&_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-167429394-3898297706-3148398425-1001 -> {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = http://mystart.incredimail.com/english/?search={searchTerms}&loc=search_box
BHO: Bing Bar Helper -> {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} -> C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll (Microsoft Corporation.)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Bing Bar Helper -> {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} -> C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.5.1.1

FireFox:
========
FF ProfilePath: C:\Users\Syrene\AppData\Roaming\Mozilla\Firefox\Profiles\6vn84a5n.default
FF Homepage: hxxp://www.google.co.uk/
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_287.dll ()
FF Plugin: @java.com/DTPlugin,version=10.13.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.13.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_287.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.13.2 -> C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.13.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/McAfeeMssPlugin -> C:\Program Files (x86)\Sony\MSS\3.8.130\npMcAfeeMss.dll No File
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\4\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-167429394-3898297706-3148398425-1002: intel.com/AppUp -> C:\Program Files (x86)\Intel\IntelAppStore\bin\npAppUp.dll (Intel)
FF Plugin HKU\S-1-5-21-167429394-3898297706-3148398425-1002: intel.com/AppUpx64 -> C:\Program Files (x86)\Intel\IntelAppStore\bin\npAppUp_x64.dll (Intel)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeActiveFileMonitor11.0; c:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [171600 2012-09-23] (Adobe Systems Incorporated)
R2 Bacula-fd; C:\Program Files\Bacula\bacula-fd.exe [2301760 2012-06-28] () [File not signed]
S2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [2252504 2013-09-04] (Broadcom Corporation.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2449592 2014-11-12] (Microsoft Corporation)
S2 CLKMSVC10_9EC60124; C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [247768 2013-02-01] (CyberLink)
S2 ESRV_SVC; C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe [377768 2013-11-19] (Intel Corporation)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-01-14] (WildTangent)
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2011-08-18] (Hewlett-Packard Co.) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129824 2013-01-23] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166688 2013-01-23] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S3 McComponentHostServiceSony; C:\Program Files (x86)\Sony\MSS\3.8.130\McCHSvc.exe [235216 2013-10-16] (McAfee, Inc.)
R2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
S3 NetworkSupport; C:\Program Files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkSupport.exe [629336 2013-09-28] (Sony Corporation)
R2 PMBDeviceInfoProvider; C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [483864 2013-02-06] (Sony Corporation)
R2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R3 USER_ESRV_SVC; C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe [377768 2013-11-19] (Intel Corporation)
S3 VCFw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [972000 2013-01-06] (Sony Corporation)
R3 VUAgent; C:\Program Files\Sony\VAIO Update\vuagent.exe [1642544 2014-02-28] (Sony Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-22] (Microsoft Corporation)
R2 wltrysvc; C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwltry.exe [6070272 2013-03-14] (Broadcom Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 bcbtums; C:\Windows\system32\drivers\bcbtums.sys [170712 2013-09-04] (Broadcom Corporation.)
R3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [7488176 2013-12-24] (Broadcom Corporation)
R3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
R3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-09-25] (Windows ® Win 7 DDK provider)
R3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-09-25] (Windows ® Win 7 DDK provider)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-23] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2014-11-21] (Malwarebytes Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-08-10] (Corel Corporation)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [33008 2013-03-14] (Synaptics Incorporated)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-22] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-23 20:47 - 2015-01-23 21:25 - 00022846 _____ () C:\Users\Syrene\Desktop\FRST.txt
2015-01-22 21:15 - 2015-01-22 21:15 - 00496158 _____ () C:\Users\Syrene\Desktop\Data - types - discrete vs continuous.pptx
2015-01-22 21:13 - 2015-01-22 21:13 - 00116879 _____ () C:\Users\Syrene\Desktop\Data Collection and Surveys 7Ms.pptx
2015-01-22 21:11 - 2015-01-22 21:11 - 00219136 _____ () C:\Users\Syrene\Desktop\Questionnaires.ppt
2015-01-22 20:53 - 2015-01-22 20:53 - 00145760 _____ () C:\Users\Syrene\Desktop\Data Handling questionnaires.pptx
2015-01-20 21:53 - 2015-01-23 21:25 - 00000000 ____D () C:\FRST
2015-01-20 21:52 - 2015-01-20 21:52 - 02126848 _____ (Farbar) C:\Users\Syrene\Desktop\FRST64.exe
2015-01-20 21:21 - 2015-01-23 21:20 - 00000000 ____D () C:\ProgramData\Sophos
2015-01-20 21:15 - 2014-12-31 11:14 - 00298120 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2015-01-20 19:32 - 2015-01-20 19:32 - 00007168 ___SH () C:\Users\Syrene\Documents\Thumbs.db
2015-01-20 19:19 - 2015-01-20 19:19 - 00000000 ____D () C:\ProgramData\3e37e80000035b5
2015-01-20 19:16 - 2015-01-20 19:16 - 00003158 _____ () C:\WINDOWS\System32\Tasks\{D39D0178-3E7E-4A42-8AE9-C0120A8BD513}
2015-01-20 19:11 - 2015-01-23 21:22 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-20 19:11 - 2015-01-20 19:11 - 00001114 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-20 19:11 - 2015-01-20 19:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-20 19:11 - 2015-01-20 19:11 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-20 19:11 - 2015-01-20 19:11 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-20 19:11 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-20 19:11 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-01-20 19:11 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-01-20 19:10 - 2015-01-20 19:10 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Syrene\Downloads\mbam-setup-2.0.4.1028.exe
2015-01-20 19:00 - 2015-01-20 19:00 - 00000000 ___HD () C:\Users\Public\Temp
2015-01-20 18:58 - 2015-01-23 18:58 - 00001712 _____ () C:\WINDOWS\Tasks\PJPCRUG.job
2015-01-20 18:58 - 2015-01-23 18:58 - 00001368 _____ () C:\WINDOWS\Tasks\CEFDUET.job
2015-01-20 18:58 - 2015-01-23 18:58 - 00001366 _____ () C:\WINDOWS\Tasks\MLKPFB.job
2015-01-20 18:58 - 2015-01-23 18:58 - 00001360 _____ () C:\WINDOWS\Tasks\SJW.job
2015-01-18 00:52 - 2015-01-18 17:12 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2015-01-17 07:28 - 2015-01-17 07:28 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-14 03:03 - 2014-12-19 06:26 - 00140800 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2015-01-14 03:03 - 2014-12-12 02:04 - 00087040 _____ (Microsoft Corporation) C:\WINDOWS\system32\TSWbPrxy.exe
2015-01-14 03:03 - 2014-12-12 00:51 - 00075776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ahcache.sys
2015-01-14 03:03 - 2014-12-09 01:50 - 00225280 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
2015-01-14 03:03 - 2014-12-08 19:42 - 00535640 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2015-01-14 03:03 - 2014-12-08 19:42 - 00531616 _____ (Microsoft Corporation) C:\WINDOWS\system32\ci.dll
2015-01-14 03:03 - 2014-12-08 19:42 - 00448792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
2015-01-14 03:03 - 2014-12-08 19:42 - 00413248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Faultrep.dll
2015-01-14 03:03 - 2014-12-08 19:42 - 00372408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Faultrep.dll
2015-01-14 03:03 - 2014-12-08 19:42 - 00108944 _____ (Microsoft Corporation) C:\WINDOWS\system32\EncDump.dll
2015-01-14 03:03 - 2014-12-08 19:42 - 00038264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFaultSecure.exe
2015-01-14 03:03 - 2014-12-08 19:42 - 00033584 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFaultSecure.exe
2015-01-14 03:03 - 2014-12-06 03:17 - 00360448 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncsi.dll
2015-01-14 03:03 - 2014-12-06 01:41 - 00391680 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlasvc.dll
2015-01-14 03:03 - 2014-12-06 01:35 - 00229888 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEndpointBuilder.dll
2015-01-14 03:03 - 2014-10-29 04:00 - 00465320 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFault.exe
2015-01-14 03:03 - 2014-10-29 04:00 - 00139984 _____ (Microsoft Corporation) C:\WINDOWS\system32\wermgr.exe
2015-01-14 03:03 - 2014-10-29 03:52 - 00500016 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioSes.dll
2015-01-14 03:03 - 2014-10-29 03:52 - 00482872 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEng.dll
2015-01-14 03:03 - 2014-10-29 03:52 - 00394120 _____ (Microsoft Corporation) C:\WINDOWS\system32\AUDIOKSE.dll
2015-01-14 03:03 - 2014-10-29 03:52 - 00272248 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiodg.exe
2015-01-14 03:03 - 2014-10-29 03:12 - 00413136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFault.exe
2015-01-14 03:03 - 2014-10-29 03:12 - 00136296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wermgr.exe
2015-01-14 03:03 - 2014-10-29 03:07 - 00424544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioEng.dll
2015-01-14 03:03 - 2014-10-29 03:07 - 00370424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioSes.dll
2015-01-14 03:03 - 2014-10-29 03:07 - 00344536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AUDIOKSE.dll
2015-01-14 03:03 - 2014-10-29 02:44 - 00037888 _____ (Microsoft Corporation) C:\WINDOWS\system32\werdiagcontroller.dll
2015-01-14 03:03 - 2014-10-29 01:59 - 00033280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\werdiagcontroller.dll
2015-01-14 03:03 - 2014-10-29 01:24 - 00086016 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlaapi.dll
2015-01-14 03:03 - 2014-10-29 01:02 - 00911360 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2015-01-14 03:03 - 2014-10-29 01:01 - 00065536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\nlaapi.dll
2014-12-29 22:53 - 2014-12-29 22:53 - 00003138 _____ () C:\WINDOWS\System32\Tasks\USER_ESRV_SVC
2014-12-29 22:53 - 2014-12-29 22:53 - 00002060 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VAIO Care (Desktop).lnk
2014-12-29 22:53 - 2014-12-29 22:53 - 00001992 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VAIO Manual.lnk
2014-12-29 22:53 - 2014-12-29 22:53 - 00000000 __RHD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VAIO Care
2014-12-29 22:53 - 2014-04-30 15:57 - 00000426 _____ () C:\AVScanner.ini

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-23 21:01 - 2013-09-07 16:23 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-23 21:00 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-01-23 19:26 - 2013-11-26 19:40 - 00003942 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{D0382B20-E1E2-4F74-AFD5-820908BC6ADB}
2015-01-23 03:52 - 2013-11-25 20:40 - 01267765 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-23 03:52 - 2012-07-26 07:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-01-22 21:23 - 2013-09-06 18:42 - 00000000 ____D () C:\Users\Syrene\AppData\Local\Packages
2015-01-22 21:15 - 2013-09-09 04:43 - 00751104 ___SH () C:\Users\Syrene\Desktop\Thumbs.db
2015-01-22 20:08 - 2013-09-06 18:49 - 00003598 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-167429394-3898297706-3148398425-1002
2015-01-22 19:38 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-01-22 19:28 - 2014-07-22 16:08 - 00000000 ____D () C:\Users\Syrene\.thinkbuzan
2015-01-22 19:28 - 2014-07-22 16:08 - 00000000 ____D () C:\ProgramData\ThinkBuzan
2015-01-22 19:28 - 2014-07-22 16:08 - 00000000 ____D () C:\ProgramData\JSoft
2015-01-22 19:28 - 2014-01-01 12:29 - 00000000 ____D () C:\Users\Syrene\Documents\JRT Studio
2015-01-22 19:01 - 2013-09-07 16:23 - 00003718 _____ () C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-01-20 22:28 - 2013-09-30 04:04 - 00863592 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-20 22:23 - 2013-08-22 14:46 - 00349912 _____ () C:\WINDOWS\setupact.log
2015-01-20 22:23 - 2013-08-22 14:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-20 22:23 - 2013-08-22 13:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI
2015-01-20 21:20 - 2013-08-22 13:25 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM
2015-01-20 20:07 - 2013-09-30 03:55 - 00215174 _____ () C:\WINDOWS\PFRO.log
2015-01-20 19:20 - 2013-09-07 12:04 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-20 19:20 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\addins
2015-01-20 19:18 - 2013-11-25 21:02 - 00001442 _____ () C:\Users\Syrene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-01-20 19:18 - 2013-09-07 12:04 - 00001159 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-01-20 19:18 - 2013-09-07 12:04 - 00001147 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-01-20 18:58 - 2013-09-07 12:58 - 00000000 ____D () C:\Program Files (x86)\Google
2015-01-17 16:47 - 2013-09-12 22:47 - 00000000 ____D () C:\Users\Syrene\AppData\Roaming\HpUpdate
2015-01-17 16:47 - 2013-09-12 22:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2015-01-17 16:47 - 2013-09-12 22:45 - 00000000 ____D () C:\Program Files (x86)\HP
2015-01-14 17:27 - 2013-09-07 16:37 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 17:25 - 2013-09-07 16:37 - 113365784 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-13 21:11 - 2013-08-29 22:17 - 00002457 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-10 13:47 - 2013-09-07 12:08 - 00000000 ____D () C:\Users\Syrene\AppData\Local\Thunderbird
2015-01-06 00:08 - 2013-08-22 15:38 - 00714720 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-01-06 00:08 - 2013-08-22 15:38 - 00106976 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-29 22:54 - 2007-08-26 20:53 - 00000000 ____D () C:\Update
2014-12-29 22:53 - 2014-04-16 08:42 - 00013792 _____ () C:\WINDOWS\system32\Drivers\semav6thermal64ro.sys
2014-12-29 22:53 - 2013-08-29 22:30 - 00000000 ____D () C:\Program Files\Sony
2014-12-29 22:53 - 2013-08-29 22:23 - 00000000 ____D () C:\ProgramData\Sony
2014-12-29 22:53 - 2013-08-29 22:01 - 00000000 ____D () C:\Program Files (x86)\Sony
2014-12-28 17:49 - 2013-11-23 14:21 - 00000000 ____D () C:\Users\Syrene\Desktop\Christmas Ideas
2014-12-28 05:16 - 2013-09-09 19:40 - 00000000 ____D () C:\Program Files\Microsoft Office 15

==================== Files in the root of some directories =======
2014-04-16 08:41 - 2014-04-16 08:41 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2013-09-12 22:45 - 2013-12-02 17:32 - 0001759 _____ () C:\ProgramData\hpzinstall.log

Files to move or delete:
====================
C:\Users\Public\ntuser (1).dat


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-20 22:34

==================== End Of Log ============================

 

Your assistance would be much appreciated.

 

Thanks,

 

Steve

 

Attached Files




 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 24 January 2015 - 10:56 AM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I have given you the "All clear."  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

HKLM-x32\...\Run: [] => [X]
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8800;https=127.0.0.1:8800
ProxyServer: [HKLM-x32] => http=127.0.0.1:8800;https=127.0.0.1:8800
2015-01-20 19:16 - 2015-01-20 19:16 - 00003158 _____ () C:\WINDOWS\System32\Tasks\{D39D0178-3E7E-4A42-8AE9-C0120A8BD513}
2015-01-20 18:58 - 2015-01-23 18:58 - 00001712 _____ () C:\WINDOWS\Tasks\PJPCRUG.job
2015-01-20 18:58 - 2015-01-23 18:58 - 00001368 _____ () C:\WINDOWS\Tasks\CEFDUET.job
2015-01-20 18:58 - 2015-01-23 18:58 - 00001366 _____ () C:\WINDOWS\Tasks\MLKPFB.job
2015-01-20 18:58 - 2015-01-23 18:58 - 00001360 _____ () C:\WINDOWS\Tasks\SJW.job
C:\Users\Public\ntuser (1).dat
Task: {A122A20C-2CDA-4392-AEC4-B32C41F68005} - \CEFDUET No Task File <==== ATTENTION
Task: {C1D1BA2A-5604-4C1C-BD8B-4C8F5A0AC979} - System32\Tasks\{D39D0178-3E7E-4A42-8AE9-C0120A8BD513} => pcalua.exe -a C:\Users\Syrene\AppData\Roaming\omiga-plus\UninstallManager.exe -c  -ptid=tugs <==== ATTENTION
Task: {DEF50F0C-DABA-4FA6-95A9-D837530FF60C} - \DonutQuotes No Task File <==== ATTENTION
Task: {EE516154-C8EC-4098-A49C-0A20EF82D5A6} - \MLKPFB No Task File <==== ATTENTION
Task: {F1A55077-F2B9-47BE-B3E6-53EC8BEDC1AE} - \SJW No Task File <==== ATTENTION
Task: C:\WINDOWS\Tasks\CEFDUET.job => C:\Users\Syrene\AppData\Roaming\CEFDUET.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\MLKPFB.job => C:\Users\Syrene\AppData\Roaming\MLKPFB.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\PJPCRUG.job => C:\Users\Syrene\AppData\Roaming\PJPCRUG.exe <==== ATTENTION
C:\Users\Syrene\AppData\Roaming\CEFDUET.exe
C:\Users\Syrene\AppData\Roaming\MLKPFB.exe
C:\Users\Syrene\AppData\Roaming\PJPCRUG.exe
C:\Users\Syrene\AppData\Roaming\SJW.exe
Task: C:\WINDOWS\Tasks\SJW.job => C:\Users\Syrene\AppData\Roaming\SJW.exe <==== ATTENTION
EmptyTemp:
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

Edited by RPMcMurphy, 24 January 2015 - 10:59 AM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 Steve Evans

Steve Evans
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:38 AM

Posted 25 January 2015 - 07:28 AM

This appears to have cured the issue. The proxy box is now unchecked.

 

See below the requested log.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by Syrene at 2015-01-25 12:22:55 Run:1
Running from C:\Users\Syrene\Desktop
Loaded Profiles: UpdatusUser & Syrene (Available profiles: UpdatusUser & Syrene)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM-x32\...\Run: [] => [X]
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8800;https=127.0.0.1:8800
ProxyServer: [HKLM-x32] => http=127.0.0.1:8800;https=127.0.0.1:8800
2015-01-20 19:16 - 2015-01-20 19:16 - 00003158 _____ () C:\WINDOWS\System32\Tasks\{D39D0178-3E7E-4A42-8AE9-C0120A8BD513}
2015-01-20 18:58 - 2015-01-23 18:58 - 00001712 _____ () C:\WINDOWS\Tasks\PJPCRUG.job
2015-01-20 18:58 - 2015-01-23 18:58 - 00001368 _____ () C:\WINDOWS\Tasks\CEFDUET.job
2015-01-20 18:58 - 2015-01-23 18:58 - 00001366 _____ () C:\WINDOWS\Tasks\MLKPFB.job
2015-01-20 18:58 - 2015-01-23 18:58 - 00001360 _____ () C:\WINDOWS\Tasks\SJW.job
C:\Users\Public\ntuser (1).dat
Task: {A122A20C-2CDA-4392-AEC4-B32C41F68005} - \CEFDUET No Task File <==== ATTENTION
Task: {C1D1BA2A-5604-4C1C-BD8B-4C8F5A0AC979} - System32\Tasks\{D39D0178-3E7E-4A42-8AE9-C0120A8BD513} => pcalua.exe -a C:\Users\Syrene\AppData\Roaming\omiga-plus\UninstallManager.exe -c  -ptid=tugs <==== ATTENTION
Task: {DEF50F0C-DABA-4FA6-95A9-D837530FF60C} - \DonutQuotes No Task File <==== ATTENTION
Task: {EE516154-C8EC-4098-A49C-0A20EF82D5A6} - \MLKPFB No Task File <==== ATTENTION
Task: {F1A55077-F2B9-47BE-B3E6-53EC8BEDC1AE} - \SJW No Task File <==== ATTENTION
Task: C:\WINDOWS\Tasks\CEFDUET.job => C:\Users\Syrene\AppData\Roaming\CEFDUET.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\MLKPFB.job => C:\Users\Syrene\AppData\Roaming\MLKPFB.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\PJPCRUG.job => C:\Users\Syrene\AppData\Roaming\PJPCRUG.exe <==== ATTENTION
C:\Users\Syrene\AppData\Roaming\CEFDUET.exe
C:\Users\Syrene\AppData\Roaming\MLKPFB.exe
C:\Users\Syrene\AppData\Roaming\PJPCRUG.exe
C:\Users\Syrene\AppData\Roaming\SJW.exe
Task: C:\WINDOWS\Tasks\SJW.job => C:\Users\Syrene\AppData\Roaming\SJW.exe <==== ATTENTION
EmptyTemp:
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
C:\WINDOWS\System32\Tasks\{D39D0178-3E7E-4A42-8AE9-C0120A8BD513} => Moved successfully.
C:\WINDOWS\Tasks\PJPCRUG.job => Moved successfully.
C:\WINDOWS\Tasks\CEFDUET.job => Moved successfully.
C:\WINDOWS\Tasks\MLKPFB.job => Moved successfully.
C:\WINDOWS\Tasks\SJW.job => Moved successfully.
C:\Users\Public\ntuser (1).dat => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A122A20C-2CDA-4392-AEC4-B32C41F68005}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A122A20C-2CDA-4392-AEC4-B32C41F68005}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CEFDUET" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C1D1BA2A-5604-4C1C-BD8B-4C8F5A0AC979}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C1D1BA2A-5604-4C1C-BD8B-4C8F5A0AC979}" => Key deleted successfully.
C:\Windows\System32\Tasks\{D39D0178-3E7E-4A42-8AE9-C0120A8BD513} not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{D39D0178-3E7E-4A42-8AE9-C0120A8BD513}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DEF50F0C-DABA-4FA6-95A9-D837530FF60C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DEF50F0C-DABA-4FA6-95A9-D837530FF60C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DonutQuotes" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{EE516154-C8EC-4098-A49C-0A20EF82D5A6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EE516154-C8EC-4098-A49C-0A20EF82D5A6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MLKPFB" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F1A55077-F2B9-47BE-B3E6-53EC8BEDC1AE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F1A55077-F2B9-47BE-B3E6-53EC8BEDC1AE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SJW" => Key deleted successfully.
C:\WINDOWS\Tasks\CEFDUET.job not found.
C:\WINDOWS\Tasks\MLKPFB.job not found.
C:\WINDOWS\Tasks\PJPCRUG.job not found.
"C:\Users\Syrene\AppData\Roaming\CEFDUET.exe" => File/Directory not found.
"C:\Users\Syrene\AppData\Roaming\MLKPFB.exe" => File/Directory not found.
"C:\Users\Syrene\AppData\Roaming\PJPCRUG.exe" => File/Directory not found.
"C:\Users\Syrene\AppData\Roaming\SJW.exe" => File/Directory not found.
C:\WINDOWS\Tasks\SJW.job not found.
EmptyTemp: => Removed 1.6 GB temporary data.


The system needed a reboot.

==== End of Fixlog 12:23:30 ====



#4 Steve Evans

Steve Evans
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:38 AM

Posted 25 January 2015 - 07:38 AM

Apologies if the above response was a little brief... this issue is on my wife's computer and she's really keen to be able to use it, so now, back on my own laptop I can firstly say a big "thank you" for your help, and also ask, what was the mechanism by which the proxy config was continually being set? I presume this was one of the scheduled tasks?

 

Thanks,

 

Steve



#5 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 25 January 2015 - 11:48 AM

It was more than likely a freeware application that caused the issue.  Even though the primary symptoms are resolved, I’d still like you to do a few more steps just to make sure we have all the malicious software off her laptop.  Please do this next:

Open Malwarebytes AntiMalware (MBAM)

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Please include the following in your next post:
  • MBAM log
  • adwCleaner log


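Steve's question about the mechanism is answered by the FRST lines the fixlist removed: a machine-wide ProxyServer in HKLM (and its Wow6432Node mirror) pointing at 127.0.0.1:8800, several scheduled-task registrations with no task file, and .job tasks whose actions launched executables from the user's AppData\Roaming folder every time they fired. The script below is an added triage example written for this page; it is not part of the thread, of FRST or of any BleepingComputer tool. It re-reads FRST-style lines and flags those three indicator types. The sample input is constructed from the lines quoted in this thread plus one hypothetical benign task (made-up GUID and path), and all function and class names are my own.

```python
"""Triage FRST (Farbar Recovery Scan Tool) output lines for proxy-hijack
persistence: a loopback ProxyServer set machine-wide, orphaned scheduled
tasks, and task actions that run from user-writable directories.

Added example for this page; not part of FRST or of the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample. The first seven lines are copied from the FRST scan and
# fixlist quoted in this thread; the last line is a hypothetical benign task
# (made-up GUID and path) so the filter has something to pass over.
SAMPLE_FRST = r"""
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8800;https=127.0.0.1:8800
ProxyServer: [HKLM-x32] => http=127.0.0.1:8800;https=127.0.0.1:8800
Task: {A122A20C-2CDA-4392-AEC4-B32C41F68005} - \CEFDUET No Task File <==== ATTENTION
Task: {C1D1BA2A-5604-4C1C-BD8B-4C8F5A0AC979} - System32\Tasks\{D39D0178-3E7E-4A42-8AE9-C0120A8BD513} => pcalua.exe -a C:\Users\Syrene\AppData\Roaming\omiga-plus\UninstallManager.exe -c  -ptid=tugs <==== ATTENTION
Task: C:\WINDOWS\Tasks\CEFDUET.job => C:\Users\Syrene\AppData\Roaming\CEFDUET.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\SJW.job => C:\Users\Syrene\AppData\Roaming\SJW.exe <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Example Updater => C:\Program Files\Example\updater.exe
""".strip()

# Line shapes as FRST prints them (taken from the output quoted in the thread).
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>.+?)\s*$")
ORPHAN_RE = re.compile(r"^Task: (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<name>\S+) No Task File")
TASK_RE = re.compile(r"^Task: (?P<task>.+?) => (?P<action>.+?)(?: <==== ATTENTION)?\s*$")
# Loopback targets: a proxy here means a local process sits between the
# browser and the network.
LOOPBACK_RE = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|\[::1\]|::1)(:\d+)?$", re.I)
# Locations a standard user can write to; legitimate scheduled tasks
# normally run binaries from Program Files or the Windows directory.
USER_WRITABLE_RE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData)\\", re.I)


@dataclass
class Finding:
    category: str   # proxy_loopback | orphan_task | task_user_writable
    detail: str
    line: str


def parse_proxy_targets(value: str) -> dict[str, str]:
    """Split a ProxyServer value into {scheme: host:port}.

    Windows accepts either "host:port" (applies to every protocol, keyed
    here as "*") or "http=host:port;https=host:port;..." per protocol.
    """
    targets: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if sep:
            targets[scheme.lower()] = hostport.strip()
        else:
            targets["*"] = part
    return targets


def triage(frst_text: str) -> list[Finding]:
    """Return one Finding per suspicious FRST line."""
    findings: list[Finding] = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            targets = parse_proxy_targets(m["value"])
            loopback = [s for s, hp in targets.items() if LOOPBACK_RE.match(hp)]
            if loopback:
                detail = f"{m['hive']}: {', '.join(loopback)} proxied via {targets[loopback[0]]}"
                findings.append(Finding("proxy_loopback", detail, line))
        elif m := ORPHAN_RE.match(line):
            # Registered in the task scheduler cache but its XML is gone:
            # typical leftover of a removed or self-hiding installer.
            findings.append(Finding("orphan_task", f"{m['name']} ({m['id']})", line))
        elif m := TASK_RE.match(line):
            if USER_WRITABLE_RE.search(m["action"]):
                findings.append(Finding("task_user_writable", m["action"], line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_FRST)
    for f in results:
        print(f"[{f.category}] {f.detail}")
    print(summarize(results))
```

Run against the sample, the script reports two loopback proxy settings (the 64-bit and 32-bit views of HKLM), one orphaned task registration and three task actions launching from AppData\Roaming, while the benign updater line produces nothing. The same three checks apply to any FRST scan: a ProxyServer that survives a manual reset is almost always being re-written by something with its own persistence, and scheduled tasks are the first place to look for it.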


#6 Steve Evans

Steve Evans
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:38 AM

Posted 25 January 2015 - 06:29 PM

Hi,

 

AdwCleaner log below has one seemingly relevant entry. MBAM log is attached.

 

Thanks,

 

Steve

 

# AdwCleaner v4.109 - Report created 25/01/2015 at 23:17:11
# Updated 24/01/2015 by Xplode
# Database : 2015-01-25.1 [Live]
# Operating System : Windows 8.1 Pro  (64 bits)
# Username : Syrene - SYRENE-VAIO
# Running from : C:\Users\Syrene\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Mozilla Firefox v35.0 (x86 en-US)


*************************

AdwCleaner[R1].txt - [701 octets] - [25/01/2015 23:17:11]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [760 octets] ##########
 

Attached Files



#7 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 25 January 2015 - 06:50 PM

Please do this next (We are almost done):

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.  Please go to www.java.com and press the "Free Java Download" button near the center of the page.  Follow the prompts to install the latest version and remove any older, insecure versions.

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • How is the computer running now?
  • adwCleaner log
  • ESET log




#8 Steve Evans

Steve Evans
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:38 AM

Posted 28 January 2015 - 11:26 AM

Java updated.

 

# AdwCleaner v4.109 - Report created 27/01/2015 at 13:01:38
# Updated 24/01/2015 by Xplode
# Database : 2015-01-26.1 [Live]
# Operating System : Windows 8.1 Pro  (64 bits)
# Username : Syrene - SYRENE-VAIO
# Running from : C:\Users\Syrene\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Mozilla Firefox v35.0 (x86 en-US)


*************************

AdwCleaner[R1].txt - [839 octets] - [25/01/2015 23:17:11]
AdwCleaner[R2].txt - [898 octets] - [27/01/2015 12:59:51]
AdwCleaner[S1].txt - [822 octets] - [27/01/2015 13:01:38]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [881 octets] ##########
 

ESET reported no threats found.

 

All appears fine. Thank you so much for your assistance... PayPal button has been hit. :)

 

Thanks,

 

Steve



#9 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 28 January 2015 - 01:42 PM

Thanks, Steve!  All I have left for you is some important cleanup:

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run.  Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

 

 

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.

Download OTC to your desktop and run it

  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
  • Manually delete any remaining logs or tools from our fixes

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:


  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated.  Scan with them at least weekly.
  • Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

 


Edited by RPMcMurphy, 28 January 2015 - 01:44 PM.



#10 Steve Evans

Steve Evans
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:38 AM

Posted 28 January 2015 - 02:35 PM

At no point did I install Combofix, so I'll skip that step. :)

 

Thanks. Despite running squidguard on my firewall which blocked a number of blacklisted nasties within minutes of the infection, one got through. It's rare for anything to get through. Thanks again for your help.

 

Steve



#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 29 January 2015 - 06:47 PM

You're welcome, Steve.  Take care.




#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 31 January 2015 - 10:46 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





