Proxy Server Malware, VPN_Privat


  • This topic is locked
5 replies to this topic

#1 mrcleanwell

mrcleanwell

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 28 January 2015 - 11:21 PM

Hi,

 

I'm trying to help out my parents and remove some malware that my mom accidentally downloaded to her laptop (Windows 8). My mom fell for a fake banner ad that claimed she needed to update Java. Once she installed the malware, she got a popup for a fake anti-virus called Pro PC Cleaner. The malware also affected her internet browsers; both Mozilla & IE could not connect to the internet because the "Proxy Server isn't responding".

 

I ran Malwarebytes & AdwCleaner. After running those, the Pro PC Cleaner popups went away and Mozilla went back to normal. However, Internet Explorer is still having the proxy server issue. Whenever I un-check the option "Use a proxy server for your LAN", it immediately reverts back to the checked state.

Also, when I go to uninstall programs, I see three sketchy looking programs that I do not recognize. They are: VPN_Privat version 2.01, sp-downloader version 2.01, & Extension Manager Version 4.18. Whenever I try to un-install one of those programs, I get a message saying that the file cannot be found.

 

Thank you in advance.

Nick

 

I ran Farbar and got the following log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by patrick (administrator) on CHAUMPYS on 28-01-2015 22:42:16
Running from C:\Users\patrick\Desktop\scan
Loaded Profiles: patrick (Available profiles: patrick & christy)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Stardock Software, Inc) C:\Program Files (x86)\Stardock\Start8\Start8Srv.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
() C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Toshiba Corporation) C:\Program Files\Toshiba\Teco\TecoService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
(Stardock Software, Inc) C:\Program Files (x86)\Stardock\Start8\Start8_64.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoResident.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Hotkey\TCrdMain_Win8.exe
() C:\Program Files\Toshiba\Hotkey\Hotkey\TCrdKBB.exe
(TOSHIBA Corporation) C:\Program Files (x86)\Toshiba\System Setting\TssSrv.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Users\patrick\AppData\Local\Amazon Music\Amazon Music Helper.exe
() C:\Windows\SysWOW64\UMonit64.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.Reader_6.3.9654.17499_x64__8wekyb3d8bbwe\glcnd.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [894048 2013-01-11] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1647616 2012-06-13] (Conexant Systems, Inc.)
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [178016 2013-08-21] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2556768 2013-08-17] (TOSHIBA Corporation)
HKLM\...\Run: [TSSSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSSSrv.exe [296520 2013-09-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [ToshibaAppPlace] => C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [TSVU] => c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe [516512 2013-07-23] (TOSHIBA)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3753122320-3355655809-3298935369-1001\...\Run: [Amazon Music] => C:\Users\patrick\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-11-18] ()
HKU\S-1-5-21-3753122320-3355655809-3298935369-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7394584 2014-12-12] (Piriform Ltd)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\christy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\patrick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:49171;https=127.0.0.1:49171
ProxyServer: [HKLM-x32] => http=127.0.0.1:49171;https=127.0.0.1:49171
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshiba13.msn.com/?pc=TNJB
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://toshiba13.msn.com/?pc=TNJB
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshiba13.msn.com/?pc=TNJB
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshiba13.msn.com/?pc=TNJB
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3753122320-3355655809-3298935369-1001 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\patrick\AppData\Roaming\Mozilla\Firefox\Profiles\2rvj63fb.default
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_296.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Search App - C:\Users\patrick\AppData\Roaming\Mozilla\Firefox\Profiles\2rvj63fb.default\Extensions\{1d33817b-02d7-4cfa-a618-2d2fe2f6add4}.xpi [2014-12-25]
FF Extension: Adblock Plus - C:\Users\patrick\AppData\Roaming\Mozilla\Firefox\Profiles\2rvj63fb.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-01-10]
FF HKU\S-1-5-21-3753122320-3355655809-3298935369-1001\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: No Name - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\patrick\AppData\Local\Google\Chrome\User Data\Default

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2449592 2014-11-12] (Microsoft Corporation)
R2 dts_apo_service; C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe [19792 2013-09-10] ()
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-03] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2013-07-29] ()
R2 Start8; C:\Program Files (x86)\Stardock\Start8\Start8Srv.exe [142960 2013-03-19] (Stardock Software, Inc)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3668208 2013-07-29] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
U5 GeneStor; C:\Windows\System32\Drivers\GeneStor.sys [105704 2013-08-16] (GenesysLogic)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [117192 2013-08-29] (Intel Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-10] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-03] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3589600 2013-09-25] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
S3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [1936088 2013-07-31] (Realtek Semiconductor Corporation                           )
R3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [32624 2013-08-19] (Windows ® Win 7 DDK provider)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [X]
S3 ETDSMBus; \SystemRoot\system32\DRIVERS\ETDSMBus.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-28 22:41 - 2015-01-28 22:42 - 00000000 ____D () C:\Users\patrick\Desktop\scan
2015-01-28 22:40 - 2015-01-28 22:42 - 00000000 ____D () C:\FRST
2015-01-25 13:13 - 2015-01-28 22:37 - 00062863 _____ () C:\Windows\WindowsUpdate.log
2015-01-25 10:54 - 2014-12-11 21:04 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-10 17:47 - 2015-01-10 17:51 - 00000000 ____D () C:\AdwCleaner
2015-01-10 17:46 - 2015-01-10 17:47 - 02191360 _____ () C:\Users\patrick\Downloads\adwcleaner_4.107.exe
2015-01-10 17:35 - 2015-01-10 17:35 - 00000000 ____D () C:\Users\patrick\AppData\Roaming\WildTangent
2015-01-10 17:35 - 2013-08-07 12:29 - 02214216 _____ (ELAN Microelectronics Corp.) C:\Windows\ETDUninst.dll
2015-01-06 23:10 - 2015-01-06 23:10 - 00002776 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-01-06 23:10 - 2015-01-06 23:10 - 00000845 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-01-06 23:10 - 2015-01-06 23:10 - 00000000 ____D () C:\Program Files\CCleaner
2015-01-06 23:09 - 2015-01-06 23:09 - 05317104 _____ (Piriform Ltd) C:\Users\patrick\Downloads\ccsetup501.exe
2015-01-04 15:18 - 2015-01-10 17:55 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-04 15:14 - 2015-01-04 15:14 - 00001129 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-04 15:14 - 2015-01-04 15:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-04 15:14 - 2015-01-04 15:14 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-04 15:14 - 2015-01-04 15:14 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-04 15:14 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-04 15:14 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-04 15:14 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-04 15:13 - 2015-01-04 15:13 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\patrick\Downloads\mbam-setup-2.0.4.1028.exe
2015-01-04 14:08 - 2015-01-04 14:08 - 00000000 ____D () C:\Users\patrick\AppData\Local\tmp15289
2015-01-04 13:35 - 2015-01-04 13:35 - 00366380 _____ () C:\Windows\shost.bin
2015-01-03 11:59 - 2015-01-03 11:59 - 00628496 _____ (CMI Limited) C:\Users\patrick\AppData\Local\nshAEFA.tmp
2015-01-03 11:58 - 2015-01-04 13:33 - 00000000 ____D () C:\Program Files (x86)\sp-downloader
2015-01-03 11:58 - 2015-01-03 11:58 - 00000000 ____D () C:\Users\patrick\AppData\Local\4158C61D-8D77-034B-B33F-8CB5458B7709
2015-01-03 11:58 - 2015-01-03 11:58 - 00000000 ____D () C:\Program Files (x86)\download Manager
2015-01-03 11:57 - 2015-01-04 13:33 - 00000000 ____D () C:\Program Files (x86)\VPN_Privat
2015-01-03 10:58 - 2015-01-28 22:34 - 00001362 _____ () C:\Windows\Tasks\TQHIB.job
2015-01-03 10:58 - 2015-01-03 10:58 - 00004372 _____ () C:\Windows\System32\Tasks\TQHIB
2015-01-03 10:56 - 2015-01-28 22:34 - 00001360 _____ () C:\Windows\Tasks\LTZV.job
2015-01-03 10:56 - 2015-01-03 10:57 - 00004370 _____ () C:\Windows\System32\Tasks\LTZV
2015-01-03 10:50 - 2015-01-04 15:49 - 00000000 ____D () C:\Users\patrick\Documents\ProPCCleaner
2015-01-03 10:50 - 2015-01-04 13:33 - 00000000 ____D () C:\Program Files (x86)\Extension Manager
2015-01-03 10:50 - 2015-01-03 10:50 - 00000000 ____D () C:\Users\patrick\AppData\Local\Pro_PC_Cleaner
2015-01-03 10:47 - 2015-01-04 13:27 - 00000000 ____D () C:\ProgramData\COMODO
2015-01-03 10:46 - 2015-01-04 13:27 - 00000000 ____D () C:\Program Files\COMODO
2015-01-03 10:46 - 2015-01-03 10:46 - 00000000 ____D () C:\Users\patrick\AppData\Local\Zeoinsight
2015-01-03 10:46 - 2015-01-03 10:46 - 00000000 ____D () C:\Users\patrick\AppData\Local\ZBAnalyticsCore
2015-01-03 10:44 - 2015-01-03 11:40 - 00000000 ____D () C:\Users\patrick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Glarysoft
2015-01-03 10:44 - 2015-01-03 11:40 - 00000000 ____D () C:\Program Files (x86)\Glarysoft
2015-01-03 10:43 - 2015-01-03 10:43 - 00000258 __RSH () C:\ProgramData\ntuser.pol
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\patrick\AppData\Local\Comodo
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Google
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\HomeGroupUser$\AppData\Local\Comodo
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\HomeGroupUser$
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\Guest\AppData\Local\Google
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\Guest\AppData\Local\Comodo
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\Guest
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\christy\AppData\Local\Comodo
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Google
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Comodo
2015-01-03 10:42 - 2015-01-03 10:42 - 00000000 ____D () C:\Users\Administrator
2015-01-03 10:41 - 2015-01-03 10:41 - 00002333 _____ () C:\Windows\patsearch.bin

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-28 22:37 - 2013-11-27 07:20 - 00003934 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{0A6E9638-A6C8-4865-848B-999F437FD18D}
2015-01-28 22:34 - 2014-04-30 16:42 - 00000000 ___RD () C:\Users\patrick\OneDrive
2015-01-28 22:34 - 2013-10-21 04:30 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-28 22:34 - 2013-08-22 10:36 - 00000000 ____D () C:\Windows\system32\sru
2015-01-25 16:59 - 2013-10-21 04:27 - 06892980 _____ () C:\Users\Public\CAFADEBUG.log
2015-01-25 16:55 - 2013-10-21 04:30 - 00000924 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-25 16:31 - 2014-08-16 19:03 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-25 13:20 - 2013-11-27 06:31 - 00003600 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3753122320-3355655809-3298935369-1001
2015-01-25 13:04 - 2014-03-23 15:13 - 00130560 ___SH () C:\Users\patrick\Desktop\Thumbs.db
2015-01-25 12:41 - 2013-08-22 10:36 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-25 12:38 - 2014-07-15 11:03 - 00000000 ____D () C:\Users\christy\Desktop\health
2015-01-25 12:37 - 2013-11-30 09:36 - 00003600 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3753122320-3355655809-3298935369-1004
2015-01-25 12:27 - 2014-08-10 11:30 - 00000000 ____D () C:\Users\christy\Desktop\ant hi
2015-01-25 12:26 - 2014-05-04 08:13 - 00000000 ___RD () C:\Users\christy\OneDrive
2015-01-25 12:13 - 2013-08-22 10:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-01-25 12:12 - 2013-08-22 10:20 - 00000000 ____D () C:\Windows\CbsTemp
2015-01-25 12:11 - 2013-11-29 09:31 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-25 12:07 - 2013-11-29 09:31 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-25 11:31 - 2014-08-16 19:03 - 00003718 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-19 16:32 - 2014-05-17 07:30 - 00714720 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-19 16:32 - 2014-05-17 07:30 - 00106976 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-10 18:27 - 2013-08-22 09:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-10 17:35 - 2013-09-13 23:33 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-01-10 17:35 - 2013-09-13 23:33 - 00000000 ____D () C:\ProgramData\WildTangent
2015-01-10 17:35 - 2013-09-13 23:33 - 00000000 ____D () C:\Program Files (x86)\WildTangent Games
2015-01-10 17:33 - 2013-12-14 13:55 - 00000000 ____D () C:\ProgramData\Stardock
2015-01-10 16:50 - 2013-08-22 08:25 - 00524288 ___SH () C:\Windows\system32\config\BBI
2015-01-08 16:24 - 2013-11-27 06:23 - 00000000 ____D () C:\Users\patrick
2015-01-06 23:15 - 2013-12-10 19:30 - 00000000 ____D () C:\Users\patrick\AppData\Local\CrashDumps
2015-01-06 23:15 - 2013-09-14 15:28 - 00000000 ____D () C:\Windows\Panther
2015-01-04 15:15 - 2014-02-02 14:25 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-04 13:33 - 2013-11-30 09:27 - 00000000 ____D () C:\Users\christy
2015-01-04 13:33 - 2013-08-22 08:36 - 00000000 ____D () C:\Windows\system32\Sysprep
2015-01-04 13:28 - 2013-08-22 10:36 - 00000000 ____D () C:\Windows\registration
2015-01-03 10:59 - 2013-08-22 08:25 - 00000194 _____ () C:\Windows\win.ini
2015-01-03 10:51 - 2013-10-21 04:30 - 00000000 ____D () C:\Program Files (x86)\Google
2015-01-03 10:43 - 2013-08-22 10:36 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2015-01-03 10:43 - 2013-08-22 10:36 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy
2015-01-03 10:42 - 2013-11-30 09:27 - 00000000 ____D () C:\Users\christy\AppData\Local\Google
2015-01-03 10:42 - 2013-11-27 06:23 - 00000000 ____D () C:\Users\patrick\AppData\Local\Google
2014-12-31 06:14 - 2013-11-29 09:00 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-12-30 14:23 - 2014-03-29 09:32 - 00000000 ____D () C:\Users\christy\AppData\Local\CrashDumps
2014-12-30 14:23 - 2013-11-30 09:37 - 00003934 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{E403AFD8-60DC-43E4-951F-A828B1AC7685}
2014-12-29 10:34 - 2013-11-30 14:15 - 00000000 ____D () C:\Users\christy\Desktop\bill payments

==================== Files in the root of some directories =======

2014-09-01 03:18 - 2014-09-01 03:18 - 0001248 _____ () C:\Users\patrick\AppData\Roaming\LTZV
2014-09-01 03:18 - 2014-09-01 03:18 - 0002086 _____ () C:\Users\patrick\AppData\Roaming\TQHIB
2015-01-03 11:59 - 2015-01-03 11:59 - 0628496 _____ (CMI Limited) C:\Users\patrick\AppData\Local\nshAEFA.tmp
2014-06-12 14:35 - 2014-06-12 14:35 - 0000057 _____ () C:\ProgramData\Ament.ini

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-25 12:05

==================== End Of Log ============================
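As an added example (not FRST's code and not anything either poster wrote), here is a small offline triage script for FRST log text that picks out the entries a helper reads first: the ProxyEnable/ProxyServer lines, whether the configured proxy host is loopback (127.0.0.1, meaning some process on the laptop itself sits between the browser and the network), lines FRST tagged ATTENTION, and entries whose file is missing ([X] or No File). The HKLM hive is machine-wide rather than per-user, which is why the script treats a loopback proxy there as the strongest signal. The line formats and regexes are assumptions based on the log posted above; the sample input is an excerpt of that log.

```python
"""Offline triage of an FRST (Farbar Recovery Scan Tool) log excerpt.

Added example: not FRST's code. It only reads the text format FRST prints;
the line formats below are assumed from the log posted in the thread.
"""
import re
from ipaddress import ip_address

PROXY_ENABLE_RE = re.compile(r"^ProxyEnable: \[(?P<hive>[^\]]+)\] => ProxyEnable is set\.$")
PROXY_SERVER_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>\S.*)$")
ATTENTION_RE = re.compile(r"\s*<=+ ATTENTION$")          # FRST varies the '=' count
ORPHAN_RE = re.compile(r"(\[X\]|No (Task )?File)\s*$")     # entry whose file is gone

# Excerpt of the FRST log posted above (page data, not constructed).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [] => [X]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
==================== Internet (Whitelisted) ====================
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:49171;https=127.0.0.1:49171
ProxyServer: [HKLM-x32] => http=127.0.0.1:49171;https=127.0.0.1:49171
FF NetworkProxy: "type", 0
S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [X]
Task: {2CD7774D-7A35-48E0-85FA-3710C8AE5985} - \Driver Booster SkipUAC (SHARRON) No Task File <==== ATTENTION
"""


def parse_proxy_server(value):
    """Split a WinINET ProxyServer string into {scheme: (host, port)}.

    Accepts the per-protocol form 'http=127.0.0.1:49171;https=127.0.0.1:49171'
    and the single-proxy form 'proxy.example:8080' (scheme reported as 'all').
    """
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, endpoint = part.partition("=")
        if not endpoint:                 # no '=': one proxy for every scheme
            scheme, endpoint = "all", scheme
        host, _, port = endpoint.rpartition(":")
        if not host:                     # no port component at all
            host, port = endpoint, ""
        proxies[scheme.strip().lower()] = (host.strip(), int(port) if port.isdigit() else None)
    return proxies


def is_loopback_host(host):
    """True for 127.0.0.0/8, ::1 and 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:                   # hostname, not an IP literal
        return False


def triage_frst_log(log_text):
    """Return (category, detail) findings: 'proxy-enabled' (hive),
    'loopback-proxy' ((hive, scheme, host, port)), 'attention' (line text
    without the marker), 'orphan' (line whose file is missing)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_ENABLE_RE.match(line)
        if m:
            findings.append(("proxy-enabled", m.group("hive")))
            continue
        m = PROXY_SERVER_RE.match(line)
        if m:
            for scheme, (host, port) in parse_proxy_server(m.group("value")).items():
                if is_loopback_host(host):
                    findings.append(("loopback-proxy", (m.group("hive"), scheme, host, port)))
            continue
        core = ATTENTION_RE.sub("", line)
        if core != line:
            findings.append(("attention", core))
        if ORPHAN_RE.search(core):      # a line can be both flagged and orphaned
            findings.append(("orphan", core))
    return findings


def summarize(findings):
    """Group finding details by category, preserving log order."""
    summary = {}
    for category, detail in findings:
        summary.setdefault(category, []).append(detail)
    return summary


def proxy_hijack_suspected(findings):
    """True when ProxyEnable is set AND the proxy is loopback in a machine (HKLM) hive."""
    enabled = {d for c, d in findings if c == "proxy-enabled"}
    loopback = {d[0] for c, d in findings if c == "loopback-proxy"}
    return any(h.startswith("HKLM") for h in enabled & loopback)


if __name__ == "__main__":
    result = triage_frst_log(SAMPLE_LOG)
    for category, details in summarize(result).items():
        print(category)
        for d in details:
            print("   ", d)
    print("machine-wide loopback proxy:", proxy_hijack_suspected(result))
```

The script only reads a log that has already been generated; it changes nothing on the machine. The findings on this excerpt are the two ProxyEnable hives, four loopback proxy entries (http and https in HKLM and HKLM-x32), two ATTENTION lines and three orphaned entries, and the machine-wide loopback check returns true, which matches the symptom in the first post of the proxy checkbox re-enabling itself.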

 

 

#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:10 AM

Posted 29 January 2015 - 11:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:49171;https=127.0.0.1:49171
ProxyServer: [HKLM-x32] => http=127.0.0.1:49171;https=127.0.0.1:49171
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3753122320-3355655809-3298935369-1001 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
FF NetworkProxy: "type", 0
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
CHR dev: Chrome dev build detected! <======= ATTENTION
S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [X]
S3 ETDSMBus; \SystemRoot\system32\DRIVERS\ETDSMBus.sys [X]
Task: {2CD7774D-7A35-48E0-85FA-3710C8AE5985} - \Driver Booster SkipUAC (SHARRON) No Task File <==== ATTENTION

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Remove the proxy settings.

In Internet Explorer go to Tools - Internet Options - Connections Tab - LAN Settings and remove the reference to 127.0.0.1:49171 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".

If required press the Apply button.
===

If you use Firefox, go to Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the "Auto-detect proxy settings for this network" option, or "No proxy" if you do not need one.
===

Restart the computer normally to reset the registry.

====

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
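The proxy check above, as an added PowerShell example that is not from this thread, from nasdaq, or from FRST. It reads the same Internet Settings values the fixlist lists (ProxyEnable, ProxyServer, AutoConfigURL) in HKLM, the Wow6432Node view, HKCU and every loaded user hive, flags a loopback proxy like the 127.0.0.1:49171 entry, and with -Fix clears it. The ProxySettingsPerUser and Control Panel\Proxy values it checks are standard Windows Internet Explorer policy settings that can make the checkbox revert; the parameter names, the watch loop and the function names are this example's own.

```powershell
# Added example for this thread (not nasdaq's or FRST's code): audit the
# Internet Settings proxy values FRST listed, flag a loopback proxy such as
# 127.0.0.1:49171, and optionally clear it. Run from an elevated prompt.
[CmdletBinding()]
param(
    [switch]$Fix,           # clear proxy values that point at the local host
    [int]$WatchSeconds = 0  # after fixing, re-read for this long to see if something re-applies them
)

# Machine-wide (64-bit and WOW64 views) plus the current user.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
# Every loaded user hive too, so a second account on the laptop is covered once it has logged in.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$paths += Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings" }

function Test-LoopbackProxy([string]$server) {
    # ProxyServer is either "host:port" or "http=host:port;https=host:port;..."
    return [bool]($server -and ($server -match '(^|=)(127\.0\.0\.1|localhost|\[::1\])(:\d+)?(;|$)'))
}

function Get-ProxyState([string]$path) {
    if (-not (Test-Path $path)) { return $null }
    $p = Get-ItemProperty -Path $path
    [pscustomobject]@{
        Path        = $path
        ProxyEnable = $p.ProxyEnable
        ProxyServer = $p.ProxyServer
        AutoConfig  = $p.AutoConfigURL
        Loopback    = Test-LoopbackProxy $p.ProxyServer
    }
}

$states = $paths | ForEach-Object { Get-ProxyState $_ } | Where-Object { $_ }
$states | Format-Table -AutoSize

# A loopback proxy sends every browser request through a local program before it
# reaches the network; nothing legitimate on a home laptop normally needs that.
$bad = $states | Where-Object { $_.Loopback }
foreach ($s in $bad) { Write-Warning "Loopback proxy in $($s.Path): $($s.ProxyServer)" }

# Policy values that make a change in the Internet Options dialog revert (the symptom in post #1).
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-Path $pol) {
    $pp = Get-ItemProperty -Path $pol
    if ($pp.PSObject.Properties['ProxySettingsPerUser'] -and $pp.ProxySettingsPerUser -eq 0) {
        Write-Warning 'ProxySettingsPerUser=0: the HKLM proxy is enforced for all users by policy.'
    }
}
$uiPol = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
if ((Test-Path $uiPol) -and ((Get-ItemProperty -Path $uiPol).Proxy -eq 1)) {
    Write-Warning 'Control Panel\Proxy=1: the proxy page in Internet Options is locked by policy.'
}

if ($Fix) {
    foreach ($s in $bad) {
        Set-ItemProperty -Path $s.Path -Name ProxyEnable -Value 0 -Type DWord
        Remove-ItemProperty -Path $s.Path -Name ProxyServer -ErrorAction SilentlyContinue
        Write-Host "Cleared proxy in $($s.Path)"
    }
    # If the value comes back, something still running is re-writing it; that
    # process, service or scheduled task is the real finding to look for next.
    $deadline = (Get-Date).AddSeconds($WatchSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 5
        foreach ($s in $bad) {
            $now = Get-ProxyState $s.Path
            if ($now -and $now.Loopback) {
                Write-Warning "Proxy re-applied in $($s.Path) at $(Get-Date -Format T): $($now.ProxyServer)"
            }
        }
    }
}
```

Run it once without switches to see the table, then with `-Fix -WatchSeconds 60`. A value that is re-applied during the watch window points at a persistence item FRST has not yet removed (a service, scheduled task or run key), which is the thing to report back rather than clearing the value again by hand.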

#3 mrcleanwell

mrcleanwell
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 29 January 2015 - 10:48 PM

Hi nasdaq, thanks for taking the time to help me out.

After running the FRST fixlist & AdwCleaner I am no longer getting the Proxy Server message. However, when I go to Uninstall Programs, I am still seeing three questionable programs. They are VPN_Privat version 2.01, sp-downloader version 2.01, & Extension Manager Version 4.18. When I try to remove them, I get a message saying that the file cannot be found. Is this something I should be concerned about?

Also, this computer has two accounts on it. As of right now, the Proxy Server error is gone on one account. I will have to talk to my mother tomorrow in order to get the password for the other account. Not sure if this makes a difference but I figured it may be relevant.

Here is the FRST log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-01-2015
Ran by patrick at 2015-01-29 22:16:44 Run:1
Running from C:\Users\patrick\Desktop\scan
Loaded Profiles: patrick (Available profiles: patrick & christy)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:49171;https=127.0.0.1:49171
ProxyServer: [HKLM-x32] => http=127.0.0.1:49171;https=127.0.0.1:49171
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3753122320-3355655809-3298935369-1001 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
FF NetworkProxy: "type", 0
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
CHR dev: Chrome dev build detected! <======= ATTENTION
S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [X]
S3 ETDSMBus; \SystemRoot\system32\DRIVERS\ETDSMBus.sys [X]
Task: {2CD7774D-7A35-48E0-85FA-3710C8AE5985} - \Driver Booster SkipUAC (SHARRON) No Task File <==== ATTENTION

End
*****************

Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-3753122320-3355655809-3298935369-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => Key deleted successfully.
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => Key not found.
Firefox Proxy settings were reset.
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9" => Key deleted successfully.
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
AntiLog32 => Service deleted successfully.
ETDSMBus => Service deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2CD7774D-7A35-48E0-85FA-3710C8AE5985} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Driver Booster SkipUAC (SHARRON) => Key not found.


The system needed a reboot.

==== End of Fixlog 22:16:46 ====

And here is the AdwCleaner report

# AdwCleaner v4.107 - Report created 29/01/2015 at 22:27:46
# Updated 07/01/2015 by Xplode
# Database : 2015-01-26.1 [Live]
# Operating System : Windows 8.1  (64 bits)
# Username : patrick - CHAUMPYS
# Running from : C:\Users\patrick\Desktop\scan\adwcleaner_4.107.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\patrick\AppData\Local\Pro_PC_Cleaner
Folder Deleted : C:\Users\patrick\Documents\ProPCCleaner
File Deleted : C:\Windows\patsearch.bin

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Super Optimizer
Key Deleted : HKCU\Software\ProPCCleanerLanguage
Key Deleted : HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Mozilla Firefox v34.0.5 (x86 en-US)


-\\ Google Chrome v


-\\ Comodo Dragon v


*************************

AdwCleaner[R0].txt - [8259 octets] - [10/01/2015 17:47:29]
AdwCleaner[R1].txt - [1474 octets] - [29/01/2015 22:25:30]
AdwCleaner[S0].txt - [8217 octets] - [10/01/2015 17:51:08]
AdwCleaner[S1].txt - [1308 octets] - [29/01/2015 22:27:46]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1368 octets] ##########

Thanks for your help


Edited by mrcleanwell, 29 January 2015 - 10:50 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:10 AM

Posted 30 January 2015 - 09:48 AM


However, when I go to Uninstall Programs, I am still seeing three questionable programs. They are VPN_Privat version 2.01, sp-downloader version 2.01, & Extension Manager Version 4.18. When I try to remove them, I get a message saying that the file cannot be found. Is this something I should be concerned about?

No. They are just remnant items; these programs were removed by another means.

===

Let me know if you have any other issues with this computer.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:10 AM

Posted 04 February 2015 - 09:39 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:10 AM

Posted 10 February 2015 - 09:37 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
