Malware changing my proxy settings to http://wpad.com.gr/proxy.pac Please help


  • This topic is locked
35 replies to this topic

#1 saoul

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:08 PM

Posted 26 February 2015 - 12:30 PM

I have been struggling with a malware changing my proxy settings to http://wpad.com.gr/proxy.pac.


This affects my system proxy settings in PC Settings - Network - Proxy - Use Automatic Configuration Script (ON) - Script Address http://wpad.com.gr/proxy.pac.


I have used TDSSKiller and it deleted a file "router.exe" from my Windows folder, and Adware Cleaner removed some registry entries alongside a folder in Chrome with a name something like "\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com".


Then, after resetting my settings and manually turning off Automatic Configuration Script in PC Settings, everything was fine and my Google searches were back to 2015. A day later it changed; I scanned with Adware Cleaner and it found the same stuff, I cleaned, and it's back again.


Please help me.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-02-2015 01
Ran by Xtian (administrator) on ASUS on 26-02-2015 07:21:27
Running from C:\Users\Xtian\Desktop
Loaded Profiles: Xtian (Available profiles: Xtian & Baux & Administrator)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Egis Technology Inc. ) C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Nitro PDF Software) C:\Program Files (x86)\Nitro\Pro 9\NitroPDFDriverService9x64.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(ReviverSoft) C:\Program Files\ReviverSoft\Start Menu Reviver\StartMenuReviverService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Connectify) C:\Program Files (x86)\Connectify\ConnectifyService.exe
(Connectify) C:\Program Files (x86)\Connectify\Connectifyd.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnWMI.exe
(ReviverSoft) C:\Program Files\ReviverSoft\Start Menu Reviver\StartMenuReviver.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\viaaud.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe
(ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Zhorn Software) C:\Program Files (x86)\Stickies\stickies.exe
(Fenrir Inc.) C:\Program Files (x86)\Fenrir Inc\SnapCrab for Windows\SnapCrab.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
(ASUSTeK) C:\Windows\SysWOW64\ACEngSvr.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe
(Egis Technology Inc. ) C:\Program Files (x86)\EgisTec MyWinLocker\MWLTSR.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(The Pidgin developer community) C:\Program Files (x86)\Pidgin\pidgin.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(Connectify) C:\Program Files (x86)\Connectify\Connectify.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunes.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
(TuneUp Media, Inc.) C:\Program Files (x86)\TuneUpMedia\TuneUpApp.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Macroplant, LLC) C:\Program Files (x86)\Sharepod\Sharepod.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Kaspersky Lab ZAO) C:\Users\Xtian\Desktop\TDSSKiller.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\regedit.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [5292688 2012-09-17] (VIA)
HKLM\...\Run: [VIAAUD] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\viaaud.exe [2540176 2012-09-17] (VIA)
HKLM\...\Run: [ASUSQuickGesture(x86)] => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x86\QuickGesture.exe [20352 2012-09-11] (ASUSTeK Computer Inc.)
HKLM\...\Run: [ASUSTPLoader(x64)] => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe [169856 2012-09-11] (AsusTek)
HKLM\...\Run: [ASUSQuickGesture(x64)] => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe [22400 2012-09-11] (ASUSTeK Computer Inc.)
HKLM\...\Run: [ACMON] => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [107192 2012-08-24] (ASUS)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Connectify Hotspot] => C:\Program Files (x86)\Connectify\Connectify.exe [4144376 2015-02-04] (Connectify)
HKLM-x32\...\Run: [EgisTecPMMUpdate] => C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [418672 2011-06-22] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] => C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [202608 2011-06-22] (Egis Technology Inc.)
HKLM-x32\...\Run: [MWLTSR] => C:\Program Files (x86)\EgisTec MyWinLocker\MWLTSR.exe [126320 2011-07-22] (Egis Technology Inc. )
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [MemCheckBoxInRunDlg] 1
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-21-3593858388-4215303024-77723331-1004\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [479744 2014-10-28] (Microsoft Corporation)
HKU\S-1-5-21-3593858388-4215303024-77723331-1004\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7404312 2015-01-20] (Piriform Ltd)
HKU\S-1-5-21-3593858388-4215303024-77723331-1004\...\Run: [uTorrent] => C:\Users\Xtian\AppData\Roaming\uTorrent\uTorrent.exe [1378640 2014-12-17] (BitTorrent Inc.)
HKU\S-1-5-21-3593858388-4215303024-77723331-1004\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-3593858388-4215303024-77723331-1004\...\MountPoints2: {4d4823ac-c605-11e3-be80-50465d3b2103} - "C:\WINDOWS\system32\RunDLL32.EXE" Shell32.DLL,ShellExec_RunDLL E:\start.exe
HKU\S-1-5-21-3593858388-4215303024-77723331-1004\...\MountPoints2: {6668868f-b06f-11e4-bed3-50465d3b2103} - "C:\WINDOWS\system32\RunDLL32.EXE" Shell32.DLL,ShellExec_RunDLL E:\start.exe
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Stickies.lnk
ShortcutTarget: Stickies.lnk -> C:\Program Files (x86)\Stickies\stickies.exe (Zhorn Software)
Startup: C:\Users\Xtian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SnapCrab.lnk
ShortcutTarget: SnapCrab.lnk -> C:\Program Files (x86)\Fenrir Inc\SnapCrab for Windows\SnapCrab.exe (Fenrir Inc.)
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\system32\CbFsMntNtf3.dll (EldoS Corporation)
SSODL-x32: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\WINDOWS\SysWow64\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\WINDOWS\system32\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers-x32: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\WINDOWS\SysWow64\CbFsMntNtf3.dll (EldoS Corporation)
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3593858388-4215303024-77723331-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyEnable: [HKLM-x32] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080
ProxyServer: [HKLM-x32] => http=127.0.0.1:8080;https=127.0.0.1:8080
AutoConfigURL: [S-1-5-21-3593858388-4215303024-77723331-1004] => http://wpad.com.gr/proxy.pac
HKU\S-1-5-21-3593858388-4215303024-77723331-1004\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: ASUS Browser Extension x64 -> {78234974-0C4B-4111-BDEB-D9A104418772} -> C:\Program Files (x86)\ASUS\ASUS Smart Gesture\install\x64\BrowserExtension64.dll (ASUSTeK Computer Inc.)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: ASUS Browser Extension x86 -> {78234974-0C4B-4111-BDEB-D9A104418771} -> C:\Program Files (x86)\ASUS\ASUS Smart Gesture\install\x86\BrowserExtension.dll (ASUSTeK Computer Inc.)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - &SnapCrab - {F0398615-9DF9-4A98-ADEC-8FEDECC14EB0} - C:\Program Files (x86)\Fenrir Inc\SnapCrab for IE\SnapCrabBand.dll (Fenrir Inc.)
Winsock: Catalog5 01 C:\WINDOWS\SysWOW64\PrxerNsp.dll [56424] ()
Winsock: Catalog5-x64 01 C:\Windows\system32\PrxerNsp.dll [57448] ()
Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Xtian\AppData\Roaming\Mozilla\Firefox\Profiles\fqbb739m.default-1421954387170
FF DefaultSearchEngine: Google
FF NetworkProxy: "socks", "127.0.0.1"
FF NetworkProxy: "socks_port", 6969
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 9\npnitromozilla.dll (Nitro PDF)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.0-pre3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho [Not Found]
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Users\Xtian\Downloads\Internet Download Manager IDM 6.21 Build 17 Final\Patcher\IDMGCExt.crx [Not Found]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ASUS InstantOn; C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe [277120 2012-04-13] (ASUS)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
R2 Connectify; C:\Program Files (x86)\Connectify\ConnectifyService.exe [217088 2015-02-04] (Connectify) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 NitroDriverReadSpool9; C:\Program Files (x86)\Nitro\Pro 9\NitroPDFDriverService9x64.exe [230920 2014-07-16] (Nitro PDF Software)
S4 NitroUpdateService; C:\Program Files (x86)\Nitro\Pro 9\Nitro_UpdateService.exe [417800 2014-07-16] ()
S3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [38200 2014-12-01] (The OpenVPN Project)
R2 StartMenuReviverService; C:\Program Files\ReviverSoft\Start Menu Reviver\StartMenuReviverService.exe [765048 2014-09-17] (ReviverSoft)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5436176 2015-02-17] (TeamViewer GmbH)
R2 UxTuneUp; C:\Windows\System32\uxtuneup.dll [42808 2014-07-14] (AVG)
R2 UxTuneUp; C:\Windows\SysWOW64\uxtuneup.dll [35640 2014-07-14] (AVG)
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27792 2012-09-14] (VIA Technologies, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
S2 DragonUpdater; D:\Comodo\Dragon\Comodo\Dragon\dragon_updater.exe [X]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U0 66679289; C:\Windows\System32\drivers\78953911.sys [248728 2015-02-26] (Kaspersky Lab, Yury Parshin)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-15] (Qualcomm Atheros Communications, Inc.)
R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [56704 2012-09-11] (ASUS Corporation)
R3 cbfs3; C:\Windows\System32\drivers\cbfs3.sys [352144 2012-04-09] (EldoS Corporation)
R1 cnnctfy3; C:\Windows\system32\DRIVERS\cnnctfy3.sys [42152 2015-02-20] (Connectify)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [14992 2012-08-01] ( )
R1 MpKsl53f5158b; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6FAC3CE1-F2C2-422F-94C4-5D4CD02CFD5F}\MpKsl53f5158b.sys [45352 2015-02-26] (Microsoft Corporation)
R2 plctrl; C:\Program Files\ASUS\P4G\plctrl.sys [13696 2012-09-17] (ASUSTek Computer Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\system32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
S3 usbrndis6; C:\Windows\system32\DRIVERS\usb80236.sys [20992 2013-08-22] (Microsoft Corporation)
R2 uxstyle; C:\WINDOWS\system32\Drivers\uxstyle.sys [31440 2013-09-23] (The Within Network, LLC)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
S3 TuneUpUtilitiesDrv; \??\C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [X]
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-26 07:21 - 2015-02-26 07:21 - 00021403 _____ () C:\Users\Xtian\Desktop\FRST.txt
2015-02-26 07:17 - 2015-02-26 07:17 - 00248728 _____ (Kaspersky Lab, Yury Parshin) C:\WINDOWS\system32\Drivers\78953911.sys
2015-02-26 07:17 - 2015-02-26 07:17 - 00000000 ____D () C:\TDSSKiller_Quarantine
2015-02-26 07:16 - 2015-02-26 07:21 - 00000000 ____D () C:\FRST
2015-02-24 14:44 - 2015-02-26 06:27 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\.purple
2015-02-23 15:53 - 2015-02-23 15:53 - 00000077 _____ () C:\WINDOWS\setupact.log
2015-02-23 15:53 - 2015-02-23 15:53 - 00000000 _____ () C:\WINDOWS\setuperr.log
2015-02-23 10:22 - 2015-02-23 10:22 - 00003118 _____ () C:\WINDOWS\System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe
2015-02-23 10:22 - 2015-02-23 10:22 - 00003092 _____ () C:\WINDOWS\System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe
2015-02-23 10:22 - 2015-02-23 10:22 - 00003090 _____ () C:\WINDOWS\System32\Tasks\Microsoft_Hardware_Launch_itype_exe
2015-02-23 10:22 - 2015-02-23 10:22 - 00003062 _____ () C:\WINDOWS\System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe
2015-02-23 10:22 - 2015-02-23 10:22 - 00003060 _____ () C:\WINDOWS\System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe
2015-02-23 10:22 - 2015-02-23 10:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Mouse and Keyboard Center
2015-02-23 10:21 - 2015-02-23 10:22 - 00000000 ____D () C:\Program Files\Microsoft Mouse and Keyboard Center
2015-02-22 14:53 - 2015-02-22 15:03 - 00000000 ____D () C:\Users\Xtian\VirtualBox VMs
2015-02-22 14:51 - 2015-02-22 16:48 - 00000000 ____D () C:\Users\Xtian\.VirtualBox
2015-02-22 14:50 - 2015-02-22 14:50 - 00001052 _____ () C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk
2015-02-22 14:50 - 2015-02-22 14:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox
2015-02-22 14:50 - 2015-02-22 14:50 - 00000000 ____D () C:\Program Files\Oracle
2015-02-22 14:50 - 2014-03-26 19:01 - 00254240 _____ (Oracle Corporation) C:\WINDOWS\system32\Drivers\VBoxDrv.sys
2015-02-22 14:50 - 2014-03-26 19:00 - 00128288 _____ (Oracle Corporation) C:\WINDOWS\system32\Drivers\VBoxUSBMon.sys
2015-02-22 14:09 - 2015-02-26 06:10 - 01077627 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-22 13:52 - 2015-02-22 13:52 - 00000207 _____ () C:\WINDOWS\tweaking.com-regbackup-ASUS-Microsoft-Windows-8.1-(64-bit).dat
2015-02-22 13:50 - 2015-02-22 13:50 - 00000000 ____D () C:\RegBackup
2015-02-22 13:49 - 2015-02-22 13:57 - 00000000 ____D () C:\Users\Xtian\Documents\TOOLS
2015-02-21 10:03 - 2015-02-21 10:04 - 00000000 ____D () C:\Users\Xtian\AppData\Local\PackageStaging
2015-02-21 09:30 - 2015-02-21 09:30 - 00001003 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pidgin.lnk
2015-02-21 09:30 - 2015-02-21 09:30 - 00000000 ____D () C:\Program Files (x86)\Pidgin
2015-02-20 15:43 - 2015-02-20 15:43 - 00042152 _____ (Connectify) C:\WINDOWS\system32\Drivers\cnnctfy3.sys
2015-02-20 15:43 - 2015-02-20 15:43 - 00000396 _____ () C:\Users\Public\Desktop\Connectify Hotspot 2015.lnk
2015-02-20 15:43 - 2015-02-20 15:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Connectify 2015
2015-02-20 14:20 - 2015-02-20 14:20 - 00001116 _____ () C:\Users\Xtian\Desktop\Internet Download Manager.lnk
2015-02-20 12:10 - 2015-02-20 12:11 - 00112572 _____ () C:\Users\Xtian\Downloads\cports-x64.zip
2015-02-19 15:19 - 2015-02-19 15:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN
2015-02-19 15:19 - 2015-02-19 15:19 - 00000884 _____ () C:\Users\Public\Desktop\OpenVPN GUI.lnk
2015-02-19 15:19 - 2015-02-19 15:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TAP-Windows
2015-02-15 07:25 - 2015-01-22 20:41 - 06041600 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-02-15 07:25 - 2015-01-22 19:17 - 04300800 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-02-13 09:59 - 2015-02-13 09:59 - 00002420 _____ () C:\Users\Xtian\Documents\lecture notes.txt
2015-02-10 18:28 - 2015-01-15 14:43 - 00563504 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2015-02-10 18:28 - 2015-01-15 14:43 - 00177984 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2015-02-10 18:28 - 2015-01-13 20:22 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2015-02-10 18:28 - 2015-01-13 19:53 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2015-02-10 18:28 - 2015-01-13 14:11 - 01762840 _____ (Microsoft Corporation) C:\WINDOWS\system32\WindowsCodecs.dll
2015-02-10 18:28 - 2015-01-13 14:04 - 01489072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WindowsCodecs.dll
2015-02-10 18:28 - 2015-01-10 01:10 - 07472960 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-02-10 18:28 - 2015-01-10 01:10 - 01733440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2015-02-10 18:28 - 2015-01-10 00:28 - 01498360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2015-02-10 18:28 - 2015-01-09 23:00 - 00430080 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2015-02-10 18:28 - 2015-01-09 22:38 - 00359424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2015-02-10 18:28 - 2014-12-08 19:45 - 00393728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\scesrv.dll
2015-02-10 18:28 - 2014-12-08 17:56 - 00538624 _____ (Microsoft Corporation) C:\WINDOWS\system32\scesrv.dll
2015-02-10 18:27 - 2015-01-11 19:09 - 25056256 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-02-10 18:27 - 2015-01-11 18:48 - 02885632 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-02-10 18:27 - 2015-01-11 18:48 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-02-10 18:27 - 2015-01-11 18:47 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
2015-02-10 18:27 - 2015-01-11 18:34 - 00816128 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-02-10 18:27 - 2015-01-11 18:25 - 19740160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-02-10 18:27 - 2015-01-11 18:21 - 00490496 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtmsft.dll
2015-02-10 18:27 - 2015-01-11 18:08 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-02-10 18:27 - 2015-01-11 18:07 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-02-10 18:27 - 2015-01-11 18:05 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2015-02-10 18:27 - 2015-01-11 18:02 - 02277888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-02-10 18:27 - 2015-01-11 17:58 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-02-10 18:27 - 2015-01-11 17:55 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-02-10 18:27 - 2015-01-11 17:51 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-02-10 18:27 - 2015-01-11 17:48 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-02-10 18:27 - 2015-01-11 17:48 - 00718848 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-02-10 18:27 - 2015-01-11 17:48 - 00374272 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-02-10 18:27 - 2015-01-11 17:46 - 02125824 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-02-10 18:27 - 2015-01-11 17:45 - 00418304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtmsft.dll
2015-02-10 18:27 - 2015-01-11 17:43 - 14401024 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-02-10 18:27 - 2015-01-11 17:34 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2015-02-10 18:27 - 2015-01-11 17:30 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-02-10 18:27 - 2015-01-11 17:27 - 02865152 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2015-02-10 18:27 - 2015-01-11 17:27 - 02358272 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-02-10 18:27 - 2015-01-11 17:25 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-02-10 18:27 - 2015-01-11 17:23 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-02-10 18:27 - 2015-01-11 17:23 - 00688640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-02-10 18:27 - 2015-01-11 17:23 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-02-10 18:27 - 2015-01-11 17:14 - 12829184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-02-10 18:27 - 2015-01-11 17:14 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-02-10 18:27 - 2015-01-11 17:02 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-02-10 18:27 - 2015-01-11 17:00 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-02-10 18:27 - 2015-01-11 16:56 - 01307136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-02-10 18:27 - 2015-01-11 16:55 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-02-10 18:27 - 2014-12-19 00:57 - 00788680 _____ (Microsoft Corporation) C:\WINDOWS\system32\oleaut32.dll
2015-02-10 18:27 - 2014-12-19 00:25 - 00602776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\oleaut32.dll
2015-02-10 18:27 - 2014-12-08 15:12 - 00391526 _____ () C:\WINDOWS\system32\ApnDatabase.xml
2015-02-10 18:26 - 2015-02-03 15:38 - 00227328 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepdu.dll
2015-02-10 18:26 - 2015-02-03 15:08 - 00761856 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2015-02-10 18:26 - 2015-02-03 15:08 - 00414208 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2015-02-10 18:26 - 2015-02-02 15:11 - 01098752 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2015-02-10 18:26 - 2015-02-02 15:11 - 00894464 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-02-10 18:26 - 2015-02-02 15:11 - 00609280 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2015-02-10 18:26 - 2015-01-19 10:42 - 01487976 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2015-02-10 18:26 - 2015-01-10 00:22 - 04175872 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-02-10 15:26 - 2015-02-10 15:26 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\akmwj
2015-02-10 11:58 - 2015-02-10 11:58 - 00018753 _____ () C:\Users\Xtian\Desktop\config.zip
2015-02-09 07:18 - 2015-02-09 07:18 - 00000000 ____D () C:\Users\Xtian\AppData\Local\TeamViewer
2015-02-03 05:04 - 2015-02-03 15:08 - 00000000 _RSHD () C:\Users\Xtian\v23ev185z5
2015-02-02 14:30 - 2015-02-02 14:50 - 00000000 _RSHD () C:\Users\Xtian\sg7g8l4jd22c
2015-01-30 03:31 - 2015-02-19 09:05 - 00002275 _____ () C:\Users\Xtian\Desktop\First user - Chrome.lnk
2015-01-30 03:25 - 2015-02-26 06:53 - 00000902 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-30 03:25 - 2015-02-26 06:30 - 00000906 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-30 03:25 - 2015-01-30 03:25 - 41175632 ____T (Google Inc.) C:\Users\Xtian\Desktop\chrome_installer.exe
2015-01-30 03:25 - 2015-01-30 03:25 - 00003878 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-01-30 03:25 - 2015-01-30 03:25 - 00003642 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-01-28 23:51 - 2015-01-28 23:51 - 01063160 _____ (Bleeping Computer, LLC) C:\Users\Xtian\Desktop\rkill64.com
2015-01-28 14:48 - 2015-01-28 14:48 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-27 14:07 - 2015-02-13 10:04 - 00000247 _____ () C:\Users\Xtian\Desktop\mode.txt
2015-01-27 12:49 - 2015-01-27 12:49 - 00000000 ____D () C:\WINDOWS\ERUNT
2015-01-27 12:13 - 2015-02-19 12:12 - 02086912 _____ (Farbar) C:\Users\Xtian\Desktop\FRST64.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-26 07:05 - 2015-01-18 09:49 - 00000000 ____D () C:\AdwCleaner
2015-02-26 06:38 - 2014-05-30 00:16 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-26 03:34 - 2014-03-23 14:34 - 00003910 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{8AF09259-92D0-4146-9C57-D338039AB55E}
2015-02-26 00:43 - 2014-03-12 00:24 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\TuneUpMedia
2015-02-26 00:40 - 2012-07-25 23:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-02-25 18:00 - 2014-12-12 06:22 - 00000488 _____ () C:\WINDOWS\Tasks\Connectify Update.job
2015-02-25 16:21 - 2014-03-12 00:24 - 00000000 ____D () C:\ProgramData\TuneUpMedia
2015-02-25 15:16 - 2014-03-11 00:57 - 00003596 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3593858388-4215303024-77723331-1004
2015-02-25 15:04 - 2014-04-11 00:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sharepod
2015-02-25 15:04 - 2014-04-11 00:08 - 00000000 ____D () C:\Program Files (x86)\Sharepod
2015-02-24 14:56 - 2015-01-18 11:59 - 00000000 ____D () C:\Users\Xtian\AppData\Local\CrashDumps
2015-02-24 14:44 - 2014-03-11 04:55 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\IDM
2015-02-24 14:14 - 2014-05-10 11:40 - 01133056 ___SH () C:\Users\Xtian\Desktop\Thumbs.db
2015-02-24 12:32 - 2014-04-14 20:50 - 00000000 ___DO () C:\Users\Xtian\OneDrive
2015-02-24 12:10 - 2014-07-13 17:57 - 00099840 ___SH () C:\Users\Xtian\Downloads\Thumbs.db
2015-02-24 12:10 - 2014-03-11 04:55 - 00000000 ____D () C:\Users\Xtian\Downloads\Compressed
2015-02-24 12:02 - 2014-12-10 07:19 - 00000000 ____D () C:\Users\Xtian\Documents\JUNK MISC
2015-02-24 11:57 - 2014-12-10 07:20 - 00000000 ____D () C:\Users\Xtian\Documents\CORPORATE
2015-02-24 11:56 - 2014-03-11 00:51 - 00000000 ____D () C:\Users\Xtian\AppData\Local\Packages
2015-02-23 16:06 - 2013-11-13 23:28 - 00863592 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-02-23 15:55 - 2014-03-11 00:52 - 00000416 _____ () C:\Users\Xtian\AppData\Roaming\sp_data.sys
2015-02-23 15:53 - 2013-08-22 06:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-23 15:52 - 2013-08-22 06:44 - 05197720 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-02-23 14:42 - 2014-03-11 04:55 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\DMCache
2015-02-22 20:03 - 2014-12-10 09:01 - 00001456 _____ () C:\Users\Xtian\AppData\Local\Adobe Save for Web 13.0 Prefs
2015-02-22 17:31 - 2014-03-15 13:42 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\vlc
2015-02-22 14:53 - 2014-03-11 00:51 - 00000000 ____D () C:\Users\Xtian
2015-02-22 14:09 - 2014-08-26 05:27 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\stickies
2015-02-22 14:03 - 2013-08-22 05:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI
2015-02-22 14:00 - 2013-08-22 07:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-02-22 13:47 - 2014-06-16 10:47 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\VMware
2015-02-22 05:08 - 2014-03-13 00:44 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\Nitro PDF
2015-02-21 11:22 - 2013-08-22 07:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-02-20 16:39 - 2014-03-16 02:08 - 00000000 ____D () C:\Program Files (x86)\MusicBee
2015-02-20 16:11 - 2014-12-19 06:15 - 00000000 ____D () C:\Program Files (x86)\Connectify
2015-02-20 13:27 - 2014-07-06 18:39 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\TweetAdder3
2015-02-20 12:40 - 2013-08-22 05:25 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM
2015-02-20 12:40 - 2012-07-26 00:12 - 00000000 ___HD () C:\WINDOWS\ELAMBKUP
2015-02-19 09:53 - 2014-03-10 23:31 - 00000794 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-02-19 09:53 - 2014-03-10 23:31 - 00000000 ____D () C:\Program Files\CCleaner
2015-02-19 08:41 - 2014-03-11 04:44 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\TeamViewer
2015-02-19 08:31 - 2014-03-11 04:44 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2015-02-18 04:43 - 2015-01-09 13:35 - 00000983 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 10.lnk
2015-02-18 04:24 - 2014-09-25 16:19 - 07564792 _____ (深圳创想天空科技有限公司) C:\Users\Xtian\Desktop\iTools.exe
2015-02-17 14:59 - 2014-03-10 23:01 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-02-17 14:55 - 2014-03-10 22:54 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-15 15:53 - 2014-04-08 13:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iExplorer
2015-02-15 15:53 - 2014-04-08 13:25 - 00000000 ____D () C:\Program Files (x86)\iExplorer
2015-02-14 14:27 - 2014-12-12 02:14 - 00000000 ____D () C:\WINDOWS\rescache
2015-02-12 17:50 - 2013-08-22 05:25 - 00000167 _____ () C:\WINDOWS\win.ini
2015-02-12 17:35 - 2014-03-10 23:33 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-02-12 17:13 - 2014-03-10 23:33 - 116773704 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-02-12 16:56 - 2014-12-12 01:14 - 00000000 ____D () C:\WINDOWS\system32\appraiser
2015-02-12 16:56 - 2014-07-11 08:05 - 00000000 ___SD () C:\WINDOWS\system32\CompatTel
2015-02-09 07:46 - 2014-03-14 07:09 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\uTorrent
2015-02-06 17:40 - 2014-04-13 09:18 - 00482816 ___SH () C:\Users\Xtian\Documents\Thumbs.db
2015-02-04 14:49 - 2014-05-20 02:18 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\Nitro
2015-02-04 14:42 - 2014-05-30 00:16 - 00003718 _____ () C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-02-03 16:31 - 2014-09-27 07:37 - 00000000 ____D () C:\Program Files (x86)\Sky Email Extractor
2015-02-03 11:31 - 2014-12-12 01:22 - 00714720 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-02-03 11:31 - 2014-12-12 01:22 - 00106976 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-30 03:43 - 2013-08-22 07:36 - 00000000 ____D () C:\WINDOWS\system32\NDF
2015-01-29 10:50 - 2015-01-22 13:36 - 00000000 ____D () C:\WINDOWS\Minidump
2015-01-29 00:14 - 2014-03-10 23:37 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-27 14:29 - 2014-03-13 00:36 - 00000000 ____D () C:\Users\Xtian\AppData\Roaming\Downloaded Installations

==================== Files in the root of some directories =======

2014-07-02 19:02 - 2014-07-02 19:02 - 0000048 _____ () C:\Users\Xtian\AppData\Roaming\cached.bat
2014-07-07 18:57 - 2014-07-07 18:57 - 0000021 _____ () C:\Users\Xtian\AppData\Roaming\my_intel.sys
2015-01-22 12:29 - 2015-01-22 12:33 - 0001652 _____ () C:\Users\Xtian\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2014-03-11 00:52 - 2015-02-23 15:55 - 0000416 _____ () C:\Users\Xtian\AppData\Roaming\sp_data.sys
2014-12-10 09:01 - 2015-02-22 20:03 - 0001456 _____ () C:\Users\Xtian\AppData\Local\Adobe Save for Web 13.0 Prefs
2014-09-03 22:57 - 2014-09-03 22:57 - 0000729 _____ () C:\Users\Xtian\AppData\Local\recently-used.xbel
2014-08-06 08:58 - 2014-08-06 08:58 - 0007609 _____ () C:\Users\Xtian\AppData\Local\Resmon.ResmonCfg
2014-04-05 05:54 - 2014-04-05 05:54 - 0000057 _____ () C:\ProgramData\Ament.ini
2012-08-21 21:06 - 2012-07-29 22:03 - 0000217 _____ () C:\ProgramData\SetStretch.cmd
2012-08-21 21:06 - 2009-07-22 02:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe

Files to move or delete:
====================
C:\ProgramData\SetStretch.exe
C:\ProgramData\StartMenuReviver.exe


Some content of TEMP:
====================
C:\Users\Xtian\AppData\Local\Temp\MouseKeyboardCenterx64_1033.exe
C:\Users\Xtian\AppData\Local\Temp\Sharepod_Setup_4020.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-02-24 05:47

==================== End Of Log ============================


#2 BrianDrab

BrianDrab

  • Malware Response Team
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 PM

Posted 26 February 2015 - 03:36 PM

Hi. My name is Brian, and I would be happy to look into your issue.
 


- General Instructions -

  • Please read all instructions and fixes thoroughly. Read the ENTIRE post BEFORE performing any steps so you understand all that needs to be done.
  • I would advise printing any instructions for easy reference as some of the fixes may require you to boot in Safe mode. Access to these instructions may not be available in Safe Mode.
  • Any fixes provided by myself are for this log file only and should not be used on any other systems.
  • Do not run any other removal software or perform updates other than the ones I provide, as it will complicate the cleaning process.
  • It's very likely that part of our cleanup will include emptying your recycle bin. If you use your recycle bin as an archive and do not wish this to be emptied, please let me know.
  • You have 4 days to reply to each post or the topic will be closed.
  • Please feel free to ask any questions, especially if you are having problems with my instructions.


- Save ALL Tools to your Desktop-

 

All tools that I have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.
 
Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.
 

- Finally Before We Start-

 
Removing malware is a complicated multiple step process. Please stay with me until I have declared your system clean. I strongly recommend you backup your personal files and folders. Although rare, attempting to remove malware can render your machine unbootable or cause data loss. Having backups of your data is your responsibility. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

 

 

 

OK, let's get started. Please do the following.

 

Step#1 - Warnings

CCleaner
I see that you have CCleaner installed. This is indeed a good product but I wanted to caution you on running the registry cleaning functionality of the tool. Please avoid this as it can do more harm than good.

 

The Dangers of P2P Programs

IMPORTANT: I noticed that you have a P2P (Peer to Peer) file sharing program on your computer. I cannot stress highly enough the danger in using these types of programs. P2P programs are one of the major avenues of infection these days. The files downloaded with these programs are more than likely infected with trojans, malware, rootkits, etc.

You run the risk of getting an infection that can compromise your sensitive data, such as financial records, personal information, etc. That is just the infection aspect of using P2P programs. You also run the risk of possible arrest, fines, or in severe cases, jail time for illegal downloading of copyrighted material.

Here are some information sources about the dangers of P2P programs:

 

FBI - Peer to Peer Scams
USA Today Article on P2P Programs
File Sharing Infects 500,000 Computers

 

I very much recommend you uninstall this program from your machine. If not, you will likely be back needing help with your machine again. The risks of infections from content downloaded with P2P programs far outweigh any benefit of using them.

It is, of course, your choice as to whether or not you remove the program from your machine. It is my duty though, to point out how dangerous it is to use these programs. However, I must request that you do not use it while we are cleaning your machine.

Please uninstall the following Peer-to-Peer program(s): uTorrent

 

Antivirus is Disabled

Your Antivirus, Windows Defender is disabled. If you did this intentionally while running our tools that's fine. I just wanted to make sure you were aware of this and remind you to re-enable it so you are protected.

 

 

Step#2 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

1. Download this file and save it to your Desktop. Note: Right-click on the link and select Save target as... in order to save to your desktop.
2. Download the attached file (fixlist.txt) and save it to the Desktop.
Note. It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work (in this case...the desktop).
3. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
4. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
5. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.

 

Step#3 - JRT
1. Download Junkware Removal Tool to your desktop.
2. Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
3. The tool will open and start scanning your system.
4. Please be patient as this can take a while to complete depending on your system's specifications.
5. On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
6. Close the text file and reboot your machine.
7. Post the contents of JRT.txt into your next message.

 

 

 

Items for your next post

1. FRST Fix Log

2. Junkware log



#3 saoul

saoul
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 26 February 2015 - 06:31 PM

Thanks Brian.

 

I have done as you instructed, attached is the log.

 

Thanks for the advice. I never installed the P2P myself, I guess someone else did, but I'm getting rid of it as it is of no use to me.

 

I have checked my settings in Internet Explorer and PC Settings and the settings seem to be gone. I'd be reinstalling Chrome as I earlier uninstalled it.

 

Thanks for your highly appreciated help.




#4 BrianDrab

BrianDrab

  • Malware Response Team
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 PM

Posted 26 February 2015 - 06:52 PM

Excellent. Let's make sure it's not going to come back. Please do the following.

 

Step#1 - Security Check
1. Download Security Check from here or here or here.
2. Save it to your Desktop.
3. Right-click SecurityCheck.exe and select Run as administrator. Follow the onscreen instructions inside of the black box.
4. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: Don't be alarmed if the process runs for 10 to 15 minutes before completing. If it runs for over 30 minutes, just close the program and try running it again.

NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.

 

Step#2 - ESET Online Scanner and Post Results
Before running this scan, please temporarily disable your antivirus software to avoid conflicts. You can re-enable once it's done. Instructions for doing this on many AVs are here. This scan can take hours to run but is necessary to ensure we don't miss anything. Plan accordingly.

 

  • Please go here and click on the button to launch the ESET Online Scanner.
  • Note: This site is optimized for Internet Explorer. Please use it for this scan. If you wish to use Firefox or Chrome you will be asked to download the ESET Smart Installer first (esetsmartinstaller_enu.exe). Go ahead and download and run this file.
  • Please accept the ESET Online Scanner EULA and click Start.
  • If prompted, allow the Add-On/Active X to install. If you have problems with this step please see this link.
  • Make sure Enable detection of potentially unwanted applications is selected.
  • Click the Advanced Settings link.
  • Make sure Remove found threats is NOT checked.
  • Make sure Scan archives IS checked.
  • Make sure Scan for potentially unsafe applications IS checked.
  • Make sure Enable Anti-Stealth technology IS checked
  • Click on Start
  • The virus signature database will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, if anything was detected please click the List of found threats link.
  • Then click the Copy to Clipboard link and paste this information into your next reply.
  • Then you may click the Back button.
  • Check Uninstall Application on Close before clicking finish.

 
Items for your next post

1. Security Check Log
2. Contents of the ESET log file

 



#5 saoul

saoul
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 26 February 2015 - 11:08 PM

Here are the logs:-

 

C:\FRST\Quarantine\C\Users\Xtian\sg7g8l4jd22c\wcnsebh.vbs    VBS/Runner.NBV trojan
C:\Users\Xtian\Downloads\Compressed\SkinPack_Auto_UXStylePatcher_4.0.zip    Win32/Somoto.L potentially unwanted application
C:\Users\Xtian\Downloads\Compressed\SkinPack_Windows10_V1.0.zip    Win32/Somoto.L potentially unwanted application
C:\Users\Xtian\Downloads\Compressed\SkinPack_Windows10_V1.0_2.zip    Win32/Somoto.L potentially unwanted application
C:\Users\Xtian\Downloads\Compressed\SkinPack_Windows10_V2.0.zip    Win32/Somoto.L potentially unwanted application
C:\Users\Xtian\Downloads\Compressed\SkinPack_Yosemite_2.0.zip    Win32/Somoto.L potentially unwanted application
C:\Users\Xtian\Downloads\Programs\ccsetup502pro.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Xtian\Downloads\Programs\disk-defrag-setup.exe    MSIL/MyPCBackup.B potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSI4585.tmp    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSIE745.tmp    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\Smartbar.Installer.CustomActions.dll    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\Smartbar.Resources.LanguageSettings.resources.dll    a variant of MSIL/Toolbar.Linkury.E potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\spbe.dll    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\spbl.dll    a variant of MSIL/Toolbar.Linkury.G potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\sppsm.dll    a variant of MSIL/Toolbar.Linkury.G potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\spusm.dll    a variant of MSIL/Toolbar.Linkury.G potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\srbs.dll    a variant of MSIL/Toolbar.Linkury.C potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\srbu.dll    a variant of MSIL/Toolbar.Linkury.F potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\srptc.dll    a variant of MSIL/Toolbar.Linkury.G potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\srpu.dll    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSI37C8.tmp-\srut.dll    a variant of MSIL/Toolbar.Linkury.M.gen potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\Smartbar.Installer.CustomActions.dll    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\Smartbar.Resources.LanguageSettings.resources.dll    a variant of MSIL/Toolbar.Linkury.E potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\spbe.dll    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\spbl.dll    a variant of MSIL/Toolbar.Linkury.G potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\sppsm.dll    a variant of MSIL/Toolbar.Linkury.G potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\spusm.dll    a variant of MSIL/Toolbar.Linkury.G potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\srbs.dll    a variant of MSIL/Toolbar.Linkury.C potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\srbu.dll    a variant of MSIL/Toolbar.Linkury.F potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\srptc.dll    a variant of MSIL/Toolbar.Linkury.G potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\srpu.dll    a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\Installer\MSI4585.tmp-\srut.dll    a variant of MSIL/Toolbar.Linkury.M.gen potentially unwanted application
 




#6 BrianDrab

BrianDrab

  • Malware Response Team
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 PM

Posted 27 February 2015 - 08:05 AM

Nice Job. Your machine is malware free. Now let's plug a couple holes that are avenues for infection. Please do the following and let me know when done. Thanks.

 

1. Keeping Java Updated
If you don't use Java or don't know if you use Java my recommendation is going to be to uninstall it. If you do use it please follow the instructions below.

 

WARNING: Java is one of the most exploited programs at this time. The Department of Homeland Security recommends that computer users disable Java. You can read more about this here.
I would recommend that you completely uninstall Java unless you need it to run an important software. If you need it or are unsure or uncomfortable with removing it then I would recommend that you disable Java in your browsers until you need it and then enable it at that time. (See How to disable Java in your web browser and How to unplug Java from the browser). If you don't uninstall it, it's also important that you follow the directions below to update to the latest version of Java.
 
1. Go to this page to download the latest version of Java SE Runtime Environment JRE 8 Update 31.
2. When you click this link you will need to click the "Accept License Agreement" radio button and then click on the "Windows x86 Offline" installer link. You will notice that there is also a Windows x64 link option, however even if you are using a 64-bit operating system, it's very likely you aren't running a 64-bit browser and should only download the "Windows x86 Offline" installer. To determine if you are using a 64-bit browser you can follow these instructions. If you find that you ARE using a 64-bit browser then you can download the "Windows x64" one.

3. Once you click on the appropriate link, please download this to your Desktop like we have with all of our tools.
4. Close any programs you may have running - especially your web browser.
5. Now we need to uninstall all versions of Java that are currently on your machine before we install the newest version. Go to Add/Remove programs (instructions are here) and uninstall any item that appears in the list that has the following as part of the name: Java 7 Update 51 (64-bit) & Java 7 Update 51
6. Reboot your computer once all Java components are removed.
7. Then from your desktop, right click on the file that was downloaded (jre-8u31-windows-i586.exe or jre-8u31-windows-x64.exe) and select Run as an Administrator to install the latest version. Accept all the defaults and you're good to go.
Note: Java has been notorious for installing foistware (software downloaded without the user's knowledge). If you follow the instructions I provided no foistware will be installed, but that doesn't mean it won't be in the future. While performing the install of this software, or any software for that matter, pay attention to each screen and ensure you uncheck any extra software that you don't want installed (i.e. Ask Toolbar, Chrome Browser, etc.).

 

 

2. Update Firefox

I do see that Firefox is outdated so you should either uninstall it if you don't use it or update that to the current version.

 

 



#7 saoul

saoul
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 27 February 2015 - 09:57 AM

Thanks.

 

I have uninstalled Java, because I don't think I need it.

Meanwhile I have deleted those folders and files ESET marked as "a variant of MSIL/Toolbar.Linkury.G potentially unwanted application", because I think they may be responsible for the recurrence of the infection.

 

I have reinstalled Chrome too. Will update firefox.

 

Then to double check, I searched for "http://wpad.com.gr/proxy.pac" in the registry and it still popped up in the locations its entries always pop up. See Image http://i.imgur.com/cEJDU7L.png.

 

What should I do?



#8 BrianDrab

BrianDrab

  • Malware Response Team
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 PM

Posted 27 February 2015 - 11:12 AM

Let me see a fresh set of logs.

 

Step#1 - Fresh Set of Logs
 
1. Right click on FRST64.exe and select Run as administrator. When the tool opens click Yes to disclaimer.
2. Please ensure you place a check mark in the Addition.txt check box at the bottom of the form before running.
3. Press Scan button.
4. It will produce a log called FRST.txt in the same directory the tool is run from (which should now be the desktop).
5. Please copy and paste log back here.
6. Because you selected the Addition.txt check box this log will be created as well. Please copy and paste this log as well.
 
 
 
Items for your next post
1. FRST and Addition logs



#9 saoul

saoul
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:08 PM

Posted 28 February 2015 - 07:03 AM

Hi Brian,

 

I ensured to delete every instance of the files ESET Scan identified as "a variant of MSIL/Toolbar.Linkury.I potentially unwanted application" (I felt the reinfection was coming from there). After that, I manually deleted about 5 entries in my registry with http://wpad.com.gr/proxy.pac, rebooted my PC several times and searched my registry again, but no instance of it showed up again.

 

I have run FRST again attached are files.

 

Thanks.




#10 BrianDrab

BrianDrab

  • Malware Response Team
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 PM

Posted 28 February 2015 - 09:18 AM

I ensured to delete every instance of the files ESET Scan identified as "a variant of MSIL/Toolbar.Linkury.I potentially unwanted application" (I felt the reinfection was coming from there). After that, I manually deleted about 5 entries in my registry with http://wpad.com.gr/proxy.pac, rebooted my PC several times and searched my registry again, but no instance of it showed up again.

 

 

Good job but let's use the machine for a day or two and then check the proxy settings again to see if they came back. They are notorious for resisting removal.

 

Did you install the Chrome Extension Proxy SwitchyOmega?

 

Please do the following fix.

 

Step#1 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
1. Download attached file and save it to the Desktop. Attached File  fixlist.txt   80bytes   5 downloads
Note. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
2. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.
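Brian's suggestion to use the machine for a day or two and then re-check the proxy settings can be done from the command line rather than by clicking through PC Settings each time. The following PowerShell script is an added example for readers of this thread; it is not part of Brian's instructions or of FRST. It reads the per-user proxy values that Windows stores under the standard Internet Settings registry key (the same values the Settings app displays) for every loaded user hive plus the machine hive, and flags any AutoConfigURL that still points at the PAC URL named in this thread. It only reads; the removal lines at the end are commented out so nothing is changed unless you choose to.

```powershell
# Added example, not from this thread: list the proxy configuration Windows keeps under
# "Internet Settings" for each loaded user hive (and HKLM) and flag the PAC URL above.
# Read-only. Run from an elevated PowerShell prompt so other users' hives are visible
# when they are loaded.

$BadPac = 'http://wpad.com.gr/proxy.pac'   # the URL reported in this thread
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxySettings {
    # HKCU is only an alias for the current user's entry under HKEY_USERS, so
    # enumerating HKEY_USERS covers it as well as any other logged-on user.
    $hives = @('HKEY_LOCAL_MACHINE') +
             (Get-ChildItem Registry::HKEY_USERS |
                 Where-Object { $_.PSChildName -notmatch '_Classes$' } |
                 ForEach-Object { "HKEY_USERS\$($_.PSChildName)" })

    foreach ($hive in $hives) {
        $path = "Registry::$hive\$SubKey"
        if (-not (Test-Path $path)) { continue }
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive          = $hive
            AutoConfigURL = $p.AutoConfigURL   # "Use automatic configuration script" address
            ProxyEnable   = $p.ProxyEnable     # 1 = manual proxy in use
            ProxyServer   = $p.ProxyServer
            Suspicious    = ($p.AutoConfigURL -eq $BadPac)
        }
    }
}

$results = Get-ProxySettings
$results | Format-Table -AutoSize

if ($results | Where-Object Suspicious) {
    Write-Warning "AutoConfigURL still points at $BadPac in at least one hive; the setting has been re-applied."
} else {
    Write-Host "No hive references $BadPac."
}

# The WinHTTP proxy used by system services is stored separately from the per-user
# value above, so show it as well:
netsh winhttp show proxy

# To clear a re-applied PAC address by hand, uncomment the following. This only removes
# the setting; whatever keeps writing it back still has to be found, as this thread shows.
# $results | Where-Object Suspicious | ForEach-Object {
#     Remove-ItemProperty -Path "Registry::$($_.Hive)\$SubKey" -Name AutoConfigURL
# }
```

Run it once right after cleaning and again after each reboot or a day of normal use. If the Suspicious column flips back to True, the value is being rewritten by something still on the machine, which is exactly the persistence Brian is trying to track down with the FRST fixes that follow.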

 



#11 saoul

  • Topic Starter
  • Members
  • 19 posts
  • OFFLINE
  • Local time: 01:08 PM

Posted 28 February 2015 - 09:34 AM

Here is the fixlog.

Yes, I installed the extension.

I think that stuff in C:\Windows\Installer\MSI37C8.tmp-\ was responsible for the repeated recurrence of the infection. I will use it for two days under normal conditions and report back.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
Ran by Xtian at 2015-02-28 06:25:23 Run:3
Running from C:\Users\Xtian\Desktop
Loaded Profiles: Xtian (Available profiles: Xtian & Baux & Administrator)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
cmd: move C:\Users\Xtian\Desktop\hosts.txt c:\windows\system32\drivers\etc\hosts
*****************


=========  move C:\Users\Xtian\Desktop\hosts.txt c:\windows\system32\drivers\etc\hosts =========

        1 file(s) moved.

========= End of CMD: =========


==== End of Fixlog 06:25:24 ====

 

Thanks for your help so far; you've been amazingly helpful.



#12 saoul

  • Topic Starter
  • Members
  • 19 posts
  • OFFLINE
  • Local time: 01:08 PM

Posted 01 March 2015 - 02:01 AM

This morning I checked my PC and the infection is back. My system and browser proxy settings are back to http://wpad.com.gr/proxy.pac, and when I searched through my registry those entries were also back.

Attached are the files. This is depressing.

Attached Files



#13 BrianDrab

  • Malware Response Team
  • 267 posts
  • OFFLINE
  • Gender: Male
  • Local time: 04:08 PM

Posted 01 March 2015 - 11:13 AM

No problem. That's what I expected. I'll review the logs and get back to you with next steps.



#14 BrianDrab

  • Malware Response Team
  • 267 posts
  • OFFLINE
  • Gender: Male
  • Local time: 04:08 PM

Posted 01 March 2015 - 02:06 PM

Can you run the following fix and post the results? This won't fix the proxy. I'm just gathering information.

Step#1 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
1. Download the attached file and save it to the Desktop. Attached File: fixlist.txt (101 bytes, 8 downloads)
Note: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work (in this case, the desktop).
2. Run FRST64 by right-clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
4. When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.



#15 saoul

  • Topic Starter
  • Members
  • 19 posts
  • OFFLINE
  • Local time: 01:08 PM

Posted 01 March 2015 - 02:50 PM

Here it is.

Attached Files





