Unable to Disable proxy server permanently


  • This topic is locked
11 replies to this topic

#1 kakashi3

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:38 AM

Posted 21 March 2015 - 06:48 AM

Hello,

 

3 days back, I noticed a new process called "isupdate.exe" listed under processes using up network, in Resource Monitor. Around the same time, Google Chrome started acting weird. These are the things I noticed:

 

1) Google search results in my desktop are different from those in my laptop (which is working fine). For example, when I search for "calculator", in my laptop I get an actual calculator in the results which I can use. Whereas in my desktop, I just get links for other websites.

 

2) Videos on websites other than YouTube don't play; they get stuck at loading forever. When I play a video, "isupdate.exe" starts eating up the whole network.

 

3) When I do "end process" on this "isupdate.exe" in Resource Monitor, I'm no longer able to access the internet. In Chrome I get an "Unable to connect to proxy server" error; the same with Internet Explorer.

 

I started searching the web for this issue and I found that it may be caused by malware. I have tried the following things so far (as per various forums on this topic):

 

1) Going to safe mode and modifying the registry key value of "proxyEnable" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings to "0".

But when I restart and go back to normal mode, in Internet Options, under Connections > LAN settings, the "Use a proxy server for your LAN" box is checked and greyed out. I cannot uncheck this in normal mode (attached image), and yet the registry value of "proxyEnable" is still 0.

 

2) Scanned the system using AdwCleaner and cleaned. No change even after that.

 

3) Scanned the system using Malwarebytes. No malware detected.

 

4) Scanned the system using HitmanPro. A proxy server 127.0.0.1 comes up, but there is no delete option; only a repair option is present, and nothing happens after that either.

 

5) I came across this topic http://www.bleepingcomputer.com/forums/t/566411/google-web-search-compromised/?p=3630748, which talks about the same problems that I'm facing, and tried the solution that was mentioned, and yet no results.

 

6) Finally tried System Restore to an earlier point (when everything was fine) and yet the system restore failed! Tried 3 more times with 3 different points. Still failed!

 

I do not want to format my system and that's why I came here for help.

I have scanned my system using FRST and I have attached the log files.

 

Please help me out with this issue. I would greatly appreciate your help!

 

Thanks a lot in advance!

 


#2 kakashi3
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:38 AM

Posted 21 March 2015 - 06:53 AM

I forgot to mention one other thing:

 

I use the same network (using a wifi router) in my laptop and there is no such problem there. So I guess it rules out the problem being with the router?



#3 kakashi3
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:38 AM

Posted 21 March 2015 - 07:53 AM

Here are the log files of the AdwCleaner, Malwarebytes (had enabled rootkit scan) and HitmanPro scans that I did freshly. After this I scanned again with FRST and attached are the log files.

 

# AdwCleaner v4.112 - Logfile created 21/03/2015 at 17:44:07
# Updated 09/03/2015 by Xplode
# Database : 2015-03-15.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x86)
# Username : Home - HOME-PC
# Running from : C:\Users\Home\Downloads\adwcleaner_4.112.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
 
-\\ Google Chrome v41.0.2272.101
 
*************************
 
AdwCleaner[R0].txt - [608 bytes] - [21/03/2015 17:44:07]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [666 bytes] ##########
 
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 21-03-2015
Scan Time: 17:46:43
Logfile: Malwarebytes_scan_log.txt
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.03.21.04
Rootkit Database: v2015.02.25.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Home
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 303944
Time Elapsed: 6 min, 21 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
HitmanPro 3.7.9.238
www.hitmanpro.com
 
   Computer name . . . . : HOME-PC
   Windows . . . . . . . : 6.1.1.7601.X86/2
   User name . . . . . . : Home-PC\Home
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free
 
   Scan date . . . . . . : 2015-03-21 18:05:00
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 49s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 12
 
   Objects scanned . . . : 644,719
   Files scanned . . . . : 9,497
   Remnants scanned  . . : 97,494 files / 537,728 keys
 
Suspicious files ____________________________________________________________
 
   C:\Users\Home\Downloads\FRST.exe
      Size . . . . . . . : 1,135,104 bytes
      Age  . . . . . . . : 0.2 days (2015-03-21 13:57:04)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 27600BC2D6D1CBBD1FA5BB7A9157ACCCF3A068A6800ED4B6DC50D24A747F6CAB
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
 
   F:\FRST\FRST.exe
      Size . . . . . . . : 1,135,104 bytes
      Age  . . . . . . . : 0.1 days (2015-03-21 16:03:50)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 27600BC2D6D1CBBD1FA5BB7A9157ACCCF3A068A6800ED4B6DC50D24A747F6CAB
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      References
         HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\F:\FRST\FRST.exe
 
 
Repairs _____________________________________________________________________
 
   Proxy server on this computer (All Users)
   127.0.0.1:8080
 
 
Cookies _____________________________________________________________________
 
   C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Cookies:bs.serving-sys.com
   C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Cookies:kontera.com
   C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net
   C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Cookies:server.cpmstar.com
   C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com
 
 
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Home (administrator) on HOME-PC on 21-03-2015 18:08:41
Running from F:\FRST
Loaded Profiles: Home (Available profiles: Home)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\vsserv.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(InstallShield®) C:\Program Files\InstallShield\isupdate.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Safebox\safeboxservice.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\bdagent.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender\bdagent.exe [1918176 2015-01-04] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [482392 2015-01-03] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Bitdefender Wallet] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [901608 2015-01-04] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Bitdefender Wallet Application Agent] => C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe [615256 2015-01-04] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5489944 2014-12-12] (Piriform Ltd)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Lync] => C:\Program Files\Microsoft Office\Office15\lync.exe [18621600 2013-07-10] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [482392 2015-01-03] (Bitdefender)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [901608 2015-01-04] (Bitdefender)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Application Agent] => C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe [615256 2015-01-04] (Bitdefender)
ShellIconOverlayIdentifiers: [MountOverlayIcon] -> {0F49CF41-FD97-4942-9F2A-35E8B489E7FB} => F:\WinMount\WinMTExt3.dll (WinMount International Inc.)
ShellIconOverlayIdentifiers: [__SafeBox1] -> {152C96EB-288E-4EDC-B7C6-D21F8250ADF3} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
ShellIconOverlayIdentifiers: [__SafeBox2] -> {342DAA0B-D796-460D-8566-901E08A1CCAD} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
ShellIconOverlayIdentifiers: [__SafeBox3] -> {57595DAE-1AE1-4D97-A49E-67CBB53B52DF} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
ShellIconOverlayIdentifiers: [__SafeBox4] -> {33816773-98AE-4723-ADE0-EBE54C8B5A67} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Policy Restriction on ProxySettings)
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080;
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1273206656-1833614173-2895772615-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: Bitdefender Wallet -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender\pmbxie.dll [2015-01-04] (Bitdefender)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2013-07-10] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2013-07-13] (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll [2015-01-03] ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> F:\Picasa3\npPicasa3.dll [2014-08-13] (Google, Inc.)
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2013-07-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2010-07-29] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2010-07-29] (NVIDIA Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-21] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-21] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2013-07-10] (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [ffpwdman@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\ffpwdman
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender\ffpwdman [2015-01-03]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\bdtbext
FF Extension: bdToolbar - C:\Program Files\Bitdefender\Bitdefender\bdtbext [2015-01-03]
 
Chrome: 
=======
CHR HomePage: Default -> https://www.google.co.uk/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-21]
CHR Extension: (Magic Actions for YouTube™) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\abjcfabbhafbcdfjoecdgepllmpfceif [2015-03-21]
CHR Extension: (Google Docs) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-21]
CHR Extension: (Google Drive) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-03-21]
CHR Extension: (YouTube) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-03-21]
CHR Extension: (Bitdefender Wallet) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccahoghmggldkcdjiebjkidpfongdfbl [2015-03-21]
CHR Extension: (Google Search) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-03-21]
CHR Extension: (Google Sheets) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-21]
CHR Extension: (部分強制メイリオちゃん) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmjcmncjhdnaealenhoohllicfkdojpb [2015-03-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-21]
CHR Extension: (Google Wallet) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-21]
CHR Extension: (Click&Clean App) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdabfienifkbhoihedcgeogidfmibmhp [2015-03-21]
CHR Extension: (Gmail) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-21]
CHR HKLM\...\Chrome\Extension: [ccahoghmggldkcdjiebjkidpfongdfbl] - C:\Program Files\Bitdefender\Bitdefender\pmbxcr.crx [2015-01-03]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 BdDesktopParental; C:\Program Files\Bitdefender\Bitdefender\bdparentalservice.exe [69880 2015-01-04] (Bitdefender)
R2 isupdate.exe; C:\Program Files\InstallShield\isupdate.exe [43008 2015-01-22] (InstallShield®) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 SafeBox; C:\Program Files\Bitdefender\Bitdefender SafeBox\safeboxservice.exe [81704 2013-07-08] (Bitdefender)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe [54424 2015-01-04] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender\vsserv.exe [1302784 2015-01-04] (Bitdefender)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1073160 2015-01-04] (BitDefender)
R3 avchv; C:\Windows\System32\DRIVERS\avchv.sys [242504 2012-11-02] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [528248 2015-01-03] (BitDefender)
S3 BazisVirtualCDBus; C:\Windows\System32\DRIVERS\BazisVirtualCDBus.sys [117584 2011-08-08] (SysProgs.org)
R1 BdfNdisf; c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [77632 2015-02-01] (BitDefender LLC)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [90704 2011-11-14] (BitDefender LLC)
S3 bdfwfpf_pc; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf_pc.sys [108008 2015-01-04] (Bitdefender SRL)
S3 BDSandBox; C:\Windows\system32\drivers\bdsandbox.sys [66832 2015-01-04] (BitDefender SRL)
R1 bdselfpr; C:\Program Files\Bitdefender\Bitdefender\bdselfpr.sys [135600 2015-01-04] (BitDefender LLC)
R1 BDVEDISK; C:\Windows\System32\DRIVERS\bdvedisk.sys [72704 2012-04-17] (BitDefender)
R0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-04] () [File not signed]
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [165744 2015-01-04] (BitDefender LLC)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-03-21] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
R1 networx; C:\Windows\System32\drivers\networx.sys [55288 2014-08-01] (NetFilterSDK.com)
R0 speedfan; C:\Windows\System32\speedfan.sys [24184 2012-12-30] (Almico Software)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [408280 2015-01-04] (BitDefender S.R.L.)
R2 WMDrive; C:\Windows\system32\drivers\WMDrive.sys [46176 2015-01-03] (WinMount International Inc) [File not signed]
S3 MSICDSetup; \??\D:\CDriver.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-21 17:57 - 2015-03-21 17:57 - 225306604 _____ () C:\Windows\MEMORY.DMP
2015-03-21 17:57 - 2015-03-21 17:57 - 00156232 _____ () C:\Windows\Minidump\032115-14211-01.dmp
2015-03-21 17:43 - 2015-03-21 17:45 - 00000000 ____D () C:\AdwCleaner
2015-03-21 16:56 - 2015-03-21 16:57 - 02171392 _____ () C:\Users\Home\Downloads\adwcleaner_4.112.exe
2015-03-21 15:09 - 2015-03-21 15:13 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-03-21 15:09 - 2015-03-21 15:09 - 10085648 _____ (SurfRight B.V.) C:\Users\Home\Downloads\HitmanPro.exe
2015-03-21 14:31 - 2015-03-21 17:58 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-21 14:30 - 2015-03-21 16:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-21 14:30 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-21 14:30 - 2015-03-21 14:30 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-21 14:30 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-21 14:30 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-21 14:30 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-03-21 14:10 - 2015-03-21 14:10 - 00020453 _____ () C:\Users\Home\Downloads\Addition.txt
2015-03-21 14:09 - 2015-03-21 14:10 - 00020357 _____ () C:\Users\Home\Downloads\FRST.txt
2015-03-21 13:57 - 2015-03-21 18:08 - 00000000 ____D () C:\FRST
2015-03-21 13:57 - 2015-03-21 13:57 - 01135104 _____ (Farbar) C:\Users\Home\Downloads\FRST.exe
2015-03-21 13:46 - 2015-03-21 13:46 - 17523384 _____ (Malwarebytes Corporation ) C:\Users\Home\Downloads\mb3-setup-1878.1878-3.5.1.2522.exe
2015-03-21 13:23 - 2015-03-21 13:23 - 00111520 _____ () C:\Users\Home\AppData\Local\GDIPFONTCACHEV1.DAT
2015-03-21 13:22 - 2015-03-21 17:57 - 00000560 _____ () C:\Windows\setupact.log
2015-03-21 13:22 - 2015-03-21 13:22 - 00000000 _____ () C:\Windows\setuperr.log
2015-03-21 13:16 - 2015-03-21 13:17 - 00434504 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-21 13:16 - 2015-03-21 13:16 - 00000808 _____ () C:\Windows\PFRO.log
2015-03-21 12:12 - 2015-03-21 16:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-03-21 12:12 - 2015-03-21 12:12 - 00002205 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-21 12:06 - 2015-03-21 17:58 - 00000878 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-21 12:06 - 2015-03-21 16:11 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-01 20:40 - 2015-03-01 20:40 - 00000000 ____D () C:\ProgramData\Microsoft Toolkit
2015-03-01 20:25 - 2015-03-01 20:35 - 70087104 _____ (Microsoft Corporation) C:\Users\Home\Downloads\NDP451-KB2858728-x86-x64-AllOS-ENU.exe
2015-03-01 20:23 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\InstallShield
2015-03-01 20:23 - 2015-03-21 12:00 - 00000456 _____ () C:\Windows\Tasks\InstallShield Update Task.job
2015-03-01 20:03 - 2014-05-15 11:24 - 00330240 _____ (Microsoft Corporation) C:\Windows\system32\mscoree.dll
2015-03-01 20:02 - 2015-03-01 20:02 - 00161591 _____ () C:\Users\Home\Downloads\mscoree.zip
2015-03-01 19:56 - 2015-03-01 19:56 - 00000000 ____D () C:\ProgramData\TEMP
2015-03-01 19:55 - 2015-03-01 19:55 - 05366440 _____ (Dll-Files.com ) C:\Users\Home\Downloads\dffsetup-mscoree.exe
2015-03-01 19:51 - 2015-03-01 19:51 - 00000622 _____ () C:\Users\Home\Downloads\TakeOwnership.zip
2015-03-01 19:37 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-03-01 19:35 - 2015-03-21 16:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-03-01 19:35 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2015-03-01 19:34 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Microsoft.NET
2015-03-01 19:34 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Microsoft SQL Server
2015-03-01 19:34 - 2015-03-01 19:34 - 00000000 ____D () C:\Windows\PCHEALTH
2015-03-01 19:32 - 2015-03-01 19:34 - 00000000 ____D () C:\Program Files\Microsoft Office
2015-03-01 19:32 - 2015-03-01 19:32 - 00000000 ____D () C:\Users\Home\AppData\Local\Microsoft Help
2015-03-01 19:32 - 2015-03-01 19:32 - 00000000 ____D () C:\Program Files\Microsoft Analysis Services
2015-03-01 19:31 - 2015-03-01 19:40 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-01 19:31 - 2015-03-01 19:31 - 00000000 __RHD () C:\MSOCache
2015-03-01 08:50 - 2015-03-01 08:50 - 00000286 _____ () C:\Users\Home\Desktop\internet settings.txt
2015-02-19 22:08 - 2015-02-19 22:08 - 00000000 ____D () C:\Users\Home\AppData\Temp
2015-02-19 21:20 - 2015-03-21 17:57 - 00000000 ____D () C:\Windows\Minidump
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-21 18:08 - 2015-01-03 15:39 - 01817112 _____ () C:\Windows\WindowsUpdate.log
2015-03-21 18:05 - 2009-07-14 10:04 - 00026544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-21 18:05 - 2009-07-14 10:04 - 00026544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-21 18:02 - 2010-11-21 02:31 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-21 17:58 - 2015-01-03 15:40 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-03-21 17:58 - 2009-07-14 10:23 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-21 17:42 - 2015-01-06 14:05 - 00000000 ____D () C:\Users\Home\AppData\Roaming\CodeBlocks
2015-03-21 16:01 - 2015-01-25 14:43 - 00000000 ____D () C:\Program Files\K-Lite Codec Pack
2015-03-21 16:01 - 2015-01-06 10:37 - 00000000 ____D () C:\Program Files\NetWorx
2015-03-21 16:01 - 2015-01-04 15:49 - 00000000 ____D () C:\Program Files\Apple Software Update
2015-03-21 16:01 - 2015-01-03 19:23 - 00000000 ____D () C:\Users\Home\AppData\Roaming\WinMount
2015-03-21 16:01 - 2015-01-03 19:19 - 00000000 ____D () C:\Users\Home\AppData\Roaming\uTorrent
2015-03-21 16:01 - 2015-01-03 17:59 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-21 16:01 - 2015-01-03 16:18 - 00000000 ____D () C:\Program Files\Google
2015-03-21 16:01 - 2015-01-03 15:41 - 00000000 ____D () C:\Program Files\MSI Afterburner
2015-03-21 16:01 - 2015-01-03 15:37 - 00000000 ____D () C:\Users\Home
2015-03-21 16:01 - 2011-04-12 07:54 - 00000000 ___RD () C:\Users\Public\Recorded TV
2015-03-21 16:01 - 2011-04-12 07:54 - 00000000 ____D () C:\Program Files\Windows Journal
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\Windows Sidebar
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\Windows Defender
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\DVD Maker
2015-03-21 16:01 - 2009-07-14 08:07 - 00000000 ____D () C:\Program Files\Common Files\System
2015-03-21 16:01 - 2009-07-14 08:07 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2015-03-21 16:00 - 2011-04-12 07:54 - 00000000 ____D () C:\Windows\ShellNew
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\Speech
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\com
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\AdvancedInstallers
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\registration
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-03-21 15:54 - 2015-01-04 13:53 - 00007615 _____ () C:\Users\Home\AppData\Local\resmon.resmoncfg
2015-03-21 12:12 - 2015-01-03 16:18 - 00000000 ____D () C:\Users\Home\AppData\Local\Google
2015-03-21 12:06 - 2015-01-03 16:17 - 00000000 ____D () C:\Users\Home\AppData\Local\Deployment
2015-03-01 19:39 - 2009-07-14 07:34 - 00000478 _____ () C:\Windows\win.ini
2015-02-19 21:27 - 2015-01-03 18:22 - 00000000 ____D () C:\Users\Home\Documents\Reg Backup
 
==================== Files in the root of some directories =======
 
2015-01-04 13:53 - 2015-03-21 15:54 - 0007615 _____ () C:\Users\Home\AppData\Local\resmon.resmoncfg
2015-01-03 16:01 - 2015-01-03 16:01 - 1499762 _____ () C:\ProgramData\1420280906.bdinstall.bin
 
Some content of TEMP:
====================
C:\Users\Home\AppData\Local\Temp\Quarantine.exe
C:\Users\Home\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-20 19:26
 
==================== End Of Log ============================


#4 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany
  • Local time:10:08 PM

Posted 21 March 2015 - 07:58 AM

Hi & :welcome: to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully: :exclame:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 
    ProxyEnable: [HKLM] => ProxyEnable is set.
    ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080;
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    RemoveProxy:
    
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.

After the Reboot:

Step 2

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste the log in your next reply.

regards,
deeprybka
:busy:
Harm no one; rather, help everyone as much as you can. Arthur Schopenhauer
 

#5 kakashi3

kakashi3
  • Topic Starter

  • Members
  • 7 posts
  • Local time:01:38 AM

Posted 21 March 2015 - 08:16 AM

Hi Jürgen,

 

Thanks a lot for quick reply! I really appreciate it. I did as you suggested and below are the logs. The problem still exists.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by Home at 2015-03-21 18:37:36 Run:2
Running from F:\FRST
Loaded Profiles: Home (Available profiles: Home)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080;
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
RemoveProxy:
*****************
 
Processes closed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
 
========= RemoveProxy: =========
 
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully.
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully.
 
 
========= End of RemoveProxy: =========
 
 
 
The system needed a reboot. 
 
==== End of Fixlog 18:37:37 ====
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Home (administrator) on HOME-PC on 21-03-2015 18:42:46
Running from F:\FRST
Loaded Profiles: Home (Available profiles: Home)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\vsserv.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\bdagent.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe
(InstallShield®) C:\Program Files\InstallShield\isupdate.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Safebox\safeboxservice.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender\bdagent.exe [1918176 2015-01-04] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [482392 2015-01-03] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Bitdefender Wallet] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [901608 2015-01-04] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Bitdefender Wallet Application Agent] => C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe [615256 2015-01-04] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5489944 2014-12-12] (Piriform Ltd)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Lync] => C:\Program Files\Microsoft Office\Office15\lync.exe [18621600 2013-07-10] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [482392 2015-01-03] (Bitdefender)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [901608 2015-01-04] (Bitdefender)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Application Agent] => C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe [615256 2015-01-04] (Bitdefender)
ShellIconOverlayIdentifiers: [MountOverlayIcon] -> {0F49CF41-FD97-4942-9F2A-35E8B489E7FB} => F:\WinMount\WinMTExt3.dll (WinMount International Inc.)
ShellIconOverlayIdentifiers: [__SafeBox1] -> {152C96EB-288E-4EDC-B7C6-D21F8250ADF3} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
ShellIconOverlayIdentifiers: [__SafeBox2] -> {342DAA0B-D796-460D-8566-901E08A1CCAD} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
ShellIconOverlayIdentifiers: [__SafeBox3] -> {57595DAE-1AE1-4D97-A49E-67CBB53B52DF} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
ShellIconOverlayIdentifiers: [__SafeBox4] -> {33816773-98AE-4723-ADE0-EBE54C8B5A67} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Policy Restriction on ProxySettings)
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080;
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
SearchScopes: HKU\S-1-5-21-1273206656-1833614173-2895772615-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: Bitdefender Wallet -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender\pmbxie.dll [2015-01-04] (Bitdefender)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2013-07-10] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2013-07-13] (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll [2015-01-03] ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> F:\Picasa3\npPicasa3.dll [2014-08-13] (Google, Inc.)
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2013-07-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2010-07-29] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2010-07-29] (NVIDIA Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-21] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-21] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2013-07-10] (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [ffpwdman@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\ffpwdman
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender\ffpwdman [2015-01-03]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\bdtbext
FF Extension: bdToolbar - C:\Program Files\Bitdefender\Bitdefender\bdtbext [2015-01-03]
 
Chrome: 
=======
CHR HomePage: Default -> https://www.google.co.uk/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-21]
CHR Extension: (Magic Actions for YouTube™) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\abjcfabbhafbcdfjoecdgepllmpfceif [2015-03-21]
CHR Extension: (Google Docs) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-21]
CHR Extension: (Google Drive) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-03-21]
CHR Extension: (YouTube) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-03-21]
CHR Extension: (Bitdefender Wallet) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccahoghmggldkcdjiebjkidpfongdfbl [2015-03-21]
CHR Extension: (Google Search) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-03-21]
CHR Extension: (Google Sheets) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-21]
CHR Extension: (部分強制メイリオちゃん) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmjcmncjhdnaealenhoohllicfkdojpb [2015-03-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-21]
CHR Extension: (Google Wallet) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-21]
CHR Extension: (Super Animes - Fate Zero - Gilgamesh) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\oognmonpaoinecfdapeejfoplomfokce [2015-03-21]
CHR Extension: (Click&Clean App) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdabfienifkbhoihedcgeogidfmibmhp [2015-03-21]
CHR Extension: (Gmail) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-21]
CHR HKLM\...\Chrome\Extension: [ccahoghmggldkcdjiebjkidpfongdfbl] - C:\Program Files\Bitdefender\Bitdefender\pmbxcr.crx [2015-01-03]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 BdDesktopParental; C:\Program Files\Bitdefender\Bitdefender\bdparentalservice.exe [69880 2015-01-04] (Bitdefender)
R2 isupdate.exe; C:\Program Files\InstallShield\isupdate.exe [43008 2015-01-22] (InstallShield®) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 SafeBox; C:\Program Files\Bitdefender\Bitdefender SafeBox\safeboxservice.exe [81704 2013-07-08] (Bitdefender)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe [54424 2015-01-04] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender\vsserv.exe [1302784 2015-01-04] (Bitdefender)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1073160 2015-01-04] (BitDefender)
R3 avchv; C:\Windows\System32\DRIVERS\avchv.sys [242504 2012-11-02] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [528248 2015-01-03] (BitDefender)
S3 BazisVirtualCDBus; C:\Windows\System32\DRIVERS\BazisVirtualCDBus.sys [117584 2011-08-08] (SysProgs.org)
R1 BdfNdisf; c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [77632 2015-02-01] (BitDefender LLC)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [90704 2011-11-14] (BitDefender LLC)
S3 bdfwfpf_pc; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf_pc.sys [108008 2015-01-04] (Bitdefender SRL)
S3 BDSandBox; C:\Windows\system32\drivers\bdsandbox.sys [66832 2015-01-04] (BitDefender SRL)
R1 bdselfpr; C:\Program Files\Bitdefender\Bitdefender\bdselfpr.sys [135600 2015-01-04] (BitDefender LLC)
R1 BDVEDISK; C:\Windows\System32\DRIVERS\bdvedisk.sys [72704 2012-04-17] (BitDefender)
R0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-04] () [File not signed]
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [165744 2015-01-04] (BitDefender LLC)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-03-21] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
R1 networx; C:\Windows\System32\drivers\networx.sys [55288 2014-08-01] (NetFilterSDK.com)
R0 speedfan; C:\Windows\System32\speedfan.sys [24184 2012-12-30] (Almico Software)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [408280 2015-01-04] (BitDefender S.R.L.)
R2 WMDrive; C:\Windows\system32\drivers\WMDrive.sys [46176 2015-01-03] (WinMount International Inc) [File not signed]
S3 MSICDSetup; \??\D:\CDriver.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-21 17:57 - 2015-03-21 17:57 - 225306604 _____ () C:\Windows\MEMORY.DMP
2015-03-21 17:57 - 2015-03-21 17:57 - 00156232 _____ () C:\Windows\Minidump\032115-14211-01.dmp
2015-03-21 17:43 - 2015-03-21 17:45 - 00000000 ____D () C:\AdwCleaner
2015-03-21 16:56 - 2015-03-21 16:57 - 02171392 _____ () C:\Users\Home\Downloads\adwcleaner_4.112.exe
2015-03-21 15:09 - 2015-03-21 15:13 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-03-21 15:09 - 2015-03-21 15:09 - 10085648 _____ (SurfRight B.V.) C:\Users\Home\Downloads\HitmanPro.exe
2015-03-21 14:31 - 2015-03-21 18:40 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-21 14:30 - 2015-03-21 16:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-21 14:30 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-21 14:30 - 2015-03-21 14:30 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-21 14:30 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-21 14:30 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-21 14:30 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-03-21 14:10 - 2015-03-21 14:10 - 00020453 _____ () C:\Users\Home\Downloads\Addition.txt
2015-03-21 14:09 - 2015-03-21 14:10 - 00020357 _____ () C:\Users\Home\Downloads\FRST.txt
2015-03-21 13:57 - 2015-03-21 18:42 - 00000000 ____D () C:\FRST
2015-03-21 13:57 - 2015-03-21 13:57 - 01135104 _____ (Farbar) C:\Users\Home\Downloads\FRST.exe
2015-03-21 13:46 - 2015-03-21 13:46 - 17523384 _____ (Malwarebytes Corporation ) C:\Users\Home\Downloads\mb3-setup-1878.1878-3.5.1.2522.exe
2015-03-21 13:23 - 2015-03-21 13:23 - 00111520 _____ () C:\Users\Home\AppData\Local\GDIPFONTCACHEV1.DAT
2015-03-21 13:22 - 2015-03-21 18:38 - 00000616 _____ () C:\Windows\setupact.log
2015-03-21 13:22 - 2015-03-21 13:22 - 00000000 _____ () C:\Windows\setuperr.log
2015-03-21 13:16 - 2015-03-21 13:17 - 00434504 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-21 13:16 - 2015-03-21 13:16 - 00000808 _____ () C:\Windows\PFRO.log
2015-03-21 12:12 - 2015-03-21 16:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-03-21 12:12 - 2015-03-21 12:12 - 00002205 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-21 12:06 - 2015-03-21 18:39 - 00000878 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-21 12:06 - 2015-03-21 18:11 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-01 20:40 - 2015-03-01 20:40 - 00000000 ____D () C:\ProgramData\Microsoft Toolkit
2015-03-01 20:25 - 2015-03-01 20:35 - 70087104 _____ (Microsoft Corporation) C:\Users\Home\Downloads\NDP451-KB2858728-x86-x64-AllOS-ENU.exe
2015-03-01 20:23 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\InstallShield
2015-03-01 20:23 - 2015-03-21 12:00 - 00000456 _____ () C:\Windows\Tasks\InstallShield Update Task.job
2015-03-01 20:03 - 2014-05-15 11:24 - 00330240 _____ (Microsoft Corporation) C:\Windows\system32\mscoree.dll
2015-03-01 20:02 - 2015-03-01 20:02 - 00161591 _____ () C:\Users\Home\Downloads\mscoree.zip
2015-03-01 19:56 - 2015-03-01 19:56 - 00000000 ____D () C:\ProgramData\TEMP
2015-03-01 19:55 - 2015-03-01 19:55 - 05366440 _____ (Dll-Files.com ) C:\Users\Home\Downloads\dffsetup-mscoree.exe
2015-03-01 19:51 - 2015-03-01 19:51 - 00000622 _____ () C:\Users\Home\Downloads\TakeOwnership.zip
2015-03-01 19:37 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-03-01 19:35 - 2015-03-21 16:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-03-01 19:35 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2015-03-01 19:34 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Microsoft.NET
2015-03-01 19:34 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Microsoft SQL Server
2015-03-01 19:34 - 2015-03-01 19:34 - 00000000 ____D () C:\Windows\PCHEALTH
2015-03-01 19:32 - 2015-03-01 19:34 - 00000000 ____D () C:\Program Files\Microsoft Office
2015-03-01 19:32 - 2015-03-01 19:32 - 00000000 ____D () C:\Users\Home\AppData\Local\Microsoft Help
2015-03-01 19:32 - 2015-03-01 19:32 - 00000000 ____D () C:\Program Files\Microsoft Analysis Services
2015-03-01 19:31 - 2015-03-01 19:40 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-01 19:31 - 2015-03-01 19:31 - 00000000 __RHD () C:\MSOCache
2015-03-01 08:50 - 2015-03-01 08:50 - 00000286 _____ () C:\Users\Home\Desktop\internet settings.txt
2015-02-19 22:08 - 2015-02-19 22:08 - 00000000 ____D () C:\Users\Home\AppData\Temp
2015-02-19 21:20 - 2015-03-21 17:57 - 00000000 ____D () C:\Windows\Minidump
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-21 18:39 - 2015-01-03 15:40 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-03-21 18:38 - 2009-07-14 10:23 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-21 18:37 - 2015-01-03 15:39 - 01822592 _____ () C:\Windows\WindowsUpdate.log
2015-03-21 18:05 - 2009-07-14 10:04 - 00026544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-21 18:05 - 2009-07-14 10:04 - 00026544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-21 18:02 - 2010-11-21 02:31 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-21 17:42 - 2015-01-06 14:05 - 00000000 ____D () C:\Users\Home\AppData\Roaming\CodeBlocks
2015-03-21 16:01 - 2015-01-25 14:43 - 00000000 ____D () C:\Program Files\K-Lite Codec Pack
2015-03-21 16:01 - 2015-01-06 10:37 - 00000000 ____D () C:\Program Files\NetWorx
2015-03-21 16:01 - 2015-01-04 15:49 - 00000000 ____D () C:\Program Files\Apple Software Update
2015-03-21 16:01 - 2015-01-03 19:23 - 00000000 ____D () C:\Users\Home\AppData\Roaming\WinMount
2015-03-21 16:01 - 2015-01-03 19:19 - 00000000 ____D () C:\Users\Home\AppData\Roaming\uTorrent
2015-03-21 16:01 - 2015-01-03 17:59 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-21 16:01 - 2015-01-03 16:18 - 00000000 ____D () C:\Program Files\Google
2015-03-21 16:01 - 2015-01-03 15:41 - 00000000 ____D () C:\Program Files\MSI Afterburner
2015-03-21 16:01 - 2015-01-03 15:37 - 00000000 ____D () C:\Users\Home
2015-03-21 16:01 - 2011-04-12 07:54 - 00000000 ___RD () C:\Users\Public\Recorded TV
2015-03-21 16:01 - 2011-04-12 07:54 - 00000000 ____D () C:\Program Files\Windows Journal
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\Windows Sidebar
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\Windows Defender
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\DVD Maker
2015-03-21 16:01 - 2009-07-14 08:07 - 00000000 ____D () C:\Program Files\Common Files\System
2015-03-21 16:01 - 2009-07-14 08:07 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2015-03-21 16:00 - 2011-04-12 07:54 - 00000000 ____D () C:\Windows\ShellNew
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\Speech
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\com
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\AdvancedInstallers
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\registration
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-03-21 15:54 - 2015-01-04 13:53 - 00007615 _____ () C:\Users\Home\AppData\Local\resmon.resmoncfg
2015-03-21 12:12 - 2015-01-03 16:18 - 00000000 ____D () C:\Users\Home\AppData\Local\Google
2015-03-21 12:06 - 2015-01-03 16:17 - 00000000 ____D () C:\Users\Home\AppData\Local\Deployment
2015-03-01 19:39 - 2009-07-14 07:34 - 00000478 _____ () C:\Windows\win.ini
2015-02-19 21:27 - 2015-01-03 18:22 - 00000000 ____D () C:\Users\Home\Documents\Reg Backup
 
==================== Files in the root of some directories =======
 
2015-01-04 13:53 - 2015-03-21 15:54 - 0007615 _____ () C:\Users\Home\AppData\Local\resmon.resmoncfg
2015-01-03 16:01 - 2015-01-03 16:01 - 1499762 _____ () C:\ProgramData\1420280906.bdinstall.bin
 
Some content of TEMP:
====================
C:\Users\Home\AppData\Local\Temp\Quarantine.exe
C:\Users\Home\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-20 19:26
 
==================== End Of Log ============================


#6 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany
  • Local time:10:08 PM

Posted 21 March 2015 - 08:52 AM

Step 1

Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
    R2 isupdate.exe; C:\Program Files\InstallShield\isupdate.exe [43008 2015-01-22] (InstallShield®) [File not signed]
    Task: {673907B3-A9E9-45DD-8A5C-258FE6F364BE} - System32\Tasks\InstallShield Update Task => Wscript.exe //nologo //E:jscript //B "C:\Program Files\InstallShield\isupdate.ini"
    Task: C:\Windows\Tasks\InstallShield Update Task.job => Wscript.exe G/nologo /E:jscript /B C:\Program Files\InstallShield\isupdate.ini
    C:\Program Files\InstallShield
    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 
    ProxyEnable: [HKLM] => ProxyEnable is set.
    ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080;
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    RemoveProxy:
    
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.

After the Reboot:

Step 2


Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste the log in your next reply.

regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#7 kakashi3
  • Topic Starter

  • Members
  • 7 posts

Posted 21 March 2015 - 09:27 AM

This time it worked!!  :lol:  isupdate.exe is no longer there! and google search results are also back as they were before!

 

May I know what caused this problem? Was that Installshield program? I don't remember downloading/using it recently though.

 

Thanks a lot!!  :bowdown: I really appreciate your help! This was my first time posting my problem on online forums. I decided to give it a try in this forum seeing all the other posts here. This really is a wonderful platform where laymen like me can really have a hope to solve complicated problems with the help of your expertise. I will surely remember to donate if I get a credit card and I will definitely spread the word.  :)

 

Here are the logs:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by Home at 2015-03-21 19:35:33 Run:3
Running from F:\FRST
Loaded Profiles: Home (Available profiles: Home)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
CloseProcesses:
R2 isupdate.exe; C:\Program Files\InstallShield\isupdate.exe [43008 2015-01-22] (InstallShield®) [File not signed]
Task: {673907B3-A9E9-45DD-8A5C-258FE6F364BE} - System32\Tasks\InstallShield Update Task => Wscript.exe //nologo //E:jscript //B "C:\Program Files\InstallShield\isupdate.ini"
Task: C:\Windows\Tasks\InstallShield Update Task.job => Wscript.exe G/nologo /E:jscript /B C:\Program Files\InstallShield\isupdate.ini
C:\Program Files\InstallShield
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:8080;https=127.0.0.1:8080;
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
RemoveProxy:
*****************
 
Processes closed successfully.
isupdate.exe => Service stopped successfully.
isupdate.exe => Service deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{673907B3-A9E9-45DD-8A5C-258FE6F364BE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{673907B3-A9E9-45DD-8A5C-258FE6F364BE}" => Key deleted successfully.
C:\Windows\System32\Tasks\InstallShield Update Task => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\InstallShield Update Task" => Key deleted successfully.
C:\Windows\Tasks\InstallShield Update Task.job => Moved successfully.
C:\Program Files\InstallShield => Moved successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
 
========= RemoveProxy: =========
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully.
 
 
========= End of RemoveProxy: =========
 
 
 
The system needed a reboot. 
 
==== End of Fixlog 19:35:36 ====
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Home (administrator) on HOME-PC on 21-03-2015 19:39:13
Running from F:\FRST
Loaded Profiles: Home (Available profiles: Home)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\vsserv.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\bdagent.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Safebox\safeboxservice.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender\bdagent.exe [1918176 2015-01-04] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [482392 2015-01-03] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Bitdefender Wallet] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [901608 2015-01-04] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Bitdefender Wallet Application Agent] => C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe [615256 2015-01-04] (Bitdefender)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5489944 2014-12-12] (Piriform Ltd)
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\...\Run: [Lync] => C:\Program Files\Microsoft Office\Office15\lync.exe [18621600 2013-07-10] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [482392 2015-01-03] (Bitdefender)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [901608 2015-01-04] (Bitdefender)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Application Agent] => C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe [615256 2015-01-04] (Bitdefender)
ShellIconOverlayIdentifiers: [MountOverlayIcon] -> {0F49CF41-FD97-4942-9F2A-35E8B489E7FB} => F:\WinMount\WinMTExt3.dll (WinMount International Inc.)
ShellIconOverlayIdentifiers: [__SafeBox1] -> {152C96EB-288E-4EDC-B7C6-D21F8250ADF3} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
ShellIconOverlayIdentifiers: [__SafeBox2] -> {342DAA0B-D796-460D-8566-901E08A1CCAD} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
ShellIconOverlayIdentifiers: [__SafeBox3] -> {57595DAE-1AE1-4D97-A49E-67CBB53B52DF} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
ShellIconOverlayIdentifiers: [__SafeBox4] -> {33816773-98AE-4723-ADE0-EBE54C8B5A67} => C:\Program Files\Bitdefender\Bitdefender SafeBox\SafeBoxShell.dll (Bitdefender)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1273206656-1833614173-2895772615-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
SearchScopes: HKU\S-1-5-21-1273206656-1833614173-2895772615-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: Bitdefender Wallet -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender\pmbxie.dll [2015-01-04] (Bitdefender)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2013-07-10] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2013-07-13] (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll [2015-01-03] ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> F:\Picasa3\npPicasa3.dll [2014-08-13] (Google, Inc.)
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2013-07-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2010-07-29] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2010-07-29] (NVIDIA Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-21] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-21] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2013-07-10] (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [ffpwdman@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\ffpwdman
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender\ffpwdman [2015-01-03]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\bdtbext
FF Extension: bdToolbar - C:\Program Files\Bitdefender\Bitdefender\bdtbext [2015-01-03]
 
Chrome: 
=======
CHR HomePage: Default -> https://www.google.co.uk/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-21]
CHR Extension: (Magic Actions for YouTube™) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\abjcfabbhafbcdfjoecdgepllmpfceif [2015-03-21]
CHR Extension: (Google Docs) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-21]
CHR Extension: (Google Drive) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-03-21]
CHR Extension: (YouTube) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-03-21]
CHR Extension: (Bitdefender Wallet) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccahoghmggldkcdjiebjkidpfongdfbl [2015-03-21]
CHR Extension: (Google Search) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-03-21]
CHR Extension: (Google Sheets) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-21]
CHR Extension: (部分強制メイリオちゃん) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmjcmncjhdnaealenhoohllicfkdojpb [2015-03-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-21]
CHR Extension: (Google Wallet) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-21]
CHR Extension: (Super Animes - Fate Zero - Gilgamesh) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\oognmonpaoinecfdapeejfoplomfokce [2015-03-21]
CHR Extension: (Click&Clean App) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdabfienifkbhoihedcgeogidfmibmhp [2015-03-21]
CHR Extension: (Gmail) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-21]
CHR HKLM\...\Chrome\Extension: [ccahoghmggldkcdjiebjkidpfongdfbl] - C:\Program Files\Bitdefender\Bitdefender\pmbxcr.crx [2015-01-03]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 BdDesktopParental; C:\Program Files\Bitdefender\Bitdefender\bdparentalservice.exe [69880 2015-01-04] (Bitdefender)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 SafeBox; C:\Program Files\Bitdefender\Bitdefender SafeBox\safeboxservice.exe [81704 2013-07-08] (Bitdefender)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe [54424 2015-01-04] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender\vsserv.exe [1302784 2015-01-04] (Bitdefender)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1073160 2015-01-04] (BitDefender)
R3 avchv; C:\Windows\System32\DRIVERS\avchv.sys [242504 2012-11-02] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [528248 2015-01-03] (BitDefender)
S3 BazisVirtualCDBus; C:\Windows\System32\DRIVERS\BazisVirtualCDBus.sys [117584 2011-08-08] (SysProgs.org)
R1 BdfNdisf; c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [77632 2015-02-01] (BitDefender LLC)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [90704 2011-11-14] (BitDefender LLC)
S3 bdfwfpf_pc; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf_pc.sys [108008 2015-01-04] (Bitdefender SRL)
S3 BDSandBox; C:\Windows\system32\drivers\bdsandbox.sys [66832 2015-01-04] (BitDefender SRL)
R1 bdselfpr; C:\Program Files\Bitdefender\Bitdefender\bdselfpr.sys [135600 2015-01-04] (BitDefender LLC)
R1 BDVEDISK; C:\Windows\System32\DRIVERS\bdvedisk.sys [72704 2012-04-17] (BitDefender)
R0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-04] () [File not signed]
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [165744 2015-01-04] (BitDefender LLC)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-03-21] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
R1 networx; C:\Windows\System32\drivers\networx.sys [55288 2014-08-01] (NetFilterSDK.com)
R0 speedfan; C:\Windows\System32\speedfan.sys [24184 2012-12-30] (Almico Software)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [408280 2015-01-04] (BitDefender S.R.L.)
R2 WMDrive; C:\Windows\system32\drivers\WMDrive.sys [46176 2015-01-03] (WinMount International Inc) [File not signed]
S3 MSICDSetup; \??\D:\CDriver.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-21 17:57 - 2015-03-21 17:57 - 225306604 _____ () C:\Windows\MEMORY.DMP
2015-03-21 17:57 - 2015-03-21 17:57 - 00156232 _____ () C:\Windows\Minidump\032115-14211-01.dmp
2015-03-21 17:43 - 2015-03-21 17:45 - 00000000 ____D () C:\AdwCleaner
2015-03-21 16:56 - 2015-03-21 16:57 - 02171392 _____ () C:\Users\Home\Downloads\adwcleaner_4.112.exe
2015-03-21 15:09 - 2015-03-21 15:13 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-03-21 15:09 - 2015-03-21 15:09 - 10085648 _____ (SurfRight B.V.) C:\Users\Home\Downloads\HitmanPro.exe
2015-03-21 14:31 - 2015-03-21 19:37 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-21 14:30 - 2015-03-21 16:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-21 14:30 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-21 14:30 - 2015-03-21 14:30 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-21 14:30 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-21 14:30 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-21 14:30 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-03-21 14:10 - 2015-03-21 14:10 - 00020453 _____ () C:\Users\Home\Downloads\Addition.txt
2015-03-21 14:09 - 2015-03-21 14:10 - 00020357 _____ () C:\Users\Home\Downloads\FRST.txt
2015-03-21 13:57 - 2015-03-21 19:39 - 00000000 ____D () C:\FRST
2015-03-21 13:57 - 2015-03-21 13:57 - 01135104 _____ (Farbar) C:\Users\Home\Downloads\FRST.exe
2015-03-21 13:46 - 2015-03-21 13:46 - 17523384 _____ (Malwarebytes Corporation ) C:\Users\Home\Downloads\mb3-setup-1878.1878-3.5.1.2522.exe
2015-03-21 13:23 - 2015-03-21 13:23 - 00111520 _____ () C:\Users\Home\AppData\Local\GDIPFONTCACHEV1.DAT
2015-03-21 13:22 - 2015-03-21 19:36 - 00000672 _____ () C:\Windows\setupact.log
2015-03-21 13:22 - 2015-03-21 13:22 - 00000000 _____ () C:\Windows\setuperr.log
2015-03-21 13:16 - 2015-03-21 13:17 - 00434504 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-21 13:16 - 2015-03-21 13:16 - 00000808 _____ () C:\Windows\PFRO.log
2015-03-21 12:12 - 2015-03-21 16:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-03-21 12:12 - 2015-03-21 12:12 - 00002205 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-21 12:06 - 2015-03-21 19:36 - 00000878 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-21 12:06 - 2015-03-21 19:32 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-01 20:40 - 2015-03-01 20:40 - 00000000 ____D () C:\ProgramData\Microsoft Toolkit
2015-03-01 20:25 - 2015-03-01 20:35 - 70087104 _____ (Microsoft Corporation) C:\Users\Home\Downloads\NDP451-KB2858728-x86-x64-AllOS-ENU.exe
2015-03-01 20:03 - 2014-05-15 11:24 - 00330240 _____ (Microsoft Corporation) C:\Windows\system32\mscoree.dll
2015-03-01 20:02 - 2015-03-01 20:02 - 00161591 _____ () C:\Users\Home\Downloads\mscoree.zip
2015-03-01 19:56 - 2015-03-01 19:56 - 00000000 ____D () C:\ProgramData\TEMP
2015-03-01 19:55 - 2015-03-01 19:55 - 05366440 _____ (Dll-Files.com ) C:\Users\Home\Downloads\dffsetup-mscoree.exe
2015-03-01 19:51 - 2015-03-01 19:51 - 00000622 _____ () C:\Users\Home\Downloads\TakeOwnership.zip
2015-03-01 19:37 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-03-01 19:35 - 2015-03-21 16:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-03-01 19:35 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2015-03-01 19:34 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Microsoft.NET
2015-03-01 19:34 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\Microsoft SQL Server
2015-03-01 19:34 - 2015-03-01 19:34 - 00000000 ____D () C:\Windows\PCHEALTH
2015-03-01 19:32 - 2015-03-01 19:34 - 00000000 ____D () C:\Program Files\Microsoft Office
2015-03-01 19:32 - 2015-03-01 19:32 - 00000000 ____D () C:\Users\Home\AppData\Local\Microsoft Help
2015-03-01 19:32 - 2015-03-01 19:32 - 00000000 ____D () C:\Program Files\Microsoft Analysis Services
2015-03-01 19:31 - 2015-03-01 19:40 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-01 19:31 - 2015-03-01 19:31 - 00000000 __RHD () C:\MSOCache
2015-03-01 08:50 - 2015-03-01 08:50 - 00000286 _____ () C:\Users\Home\Desktop\internet settings.txt
2015-02-19 22:08 - 2015-02-19 22:08 - 00000000 ____D () C:\Users\Home\AppData\Temp
2015-02-19 21:20 - 2015-03-21 17:57 - 00000000 ____D () C:\Windows\Minidump
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-21 19:37 - 2015-01-03 15:40 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-03-21 19:36 - 2009-07-14 10:23 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-21 19:35 - 2015-01-03 15:39 - 01824313 _____ () C:\Windows\WindowsUpdate.log
2015-03-21 18:46 - 2009-07-14 10:04 - 00026544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-21 18:46 - 2009-07-14 10:04 - 00026544 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-21 18:44 - 2010-11-21 02:31 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-21 17:42 - 2015-01-06 14:05 - 00000000 ____D () C:\Users\Home\AppData\Roaming\CodeBlocks
2015-03-21 16:01 - 2015-01-25 14:43 - 00000000 ____D () C:\Program Files\K-Lite Codec Pack
2015-03-21 16:01 - 2015-01-06 10:37 - 00000000 ____D () C:\Program Files\NetWorx
2015-03-21 16:01 - 2015-01-04 15:49 - 00000000 ____D () C:\Program Files\Apple Software Update
2015-03-21 16:01 - 2015-01-03 19:23 - 00000000 ____D () C:\Users\Home\AppData\Roaming\WinMount
2015-03-21 16:01 - 2015-01-03 19:19 - 00000000 ____D () C:\Users\Home\AppData\Roaming\uTorrent
2015-03-21 16:01 - 2015-01-03 17:59 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-21 16:01 - 2015-01-03 16:18 - 00000000 ____D () C:\Program Files\Google
2015-03-21 16:01 - 2015-01-03 15:41 - 00000000 ____D () C:\Program Files\MSI Afterburner
2015-03-21 16:01 - 2015-01-03 15:37 - 00000000 ____D () C:\Users\Home
2015-03-21 16:01 - 2011-04-12 07:54 - 00000000 ___RD () C:\Users\Public\Recorded TV
2015-03-21 16:01 - 2011-04-12 07:54 - 00000000 ____D () C:\Program Files\Windows Journal
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\Windows Sidebar
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\Windows Defender
2015-03-21 16:01 - 2009-07-14 10:22 - 00000000 ____D () C:\Program Files\DVD Maker
2015-03-21 16:01 - 2009-07-14 08:07 - 00000000 ____D () C:\Program Files\Common Files\System
2015-03-21 16:01 - 2009-07-14 08:07 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2015-03-21 16:00 - 2011-04-12 07:54 - 00000000 ____D () C:\Windows\ShellNew
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\Speech
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\com
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\AdvancedInstallers
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\registration
2015-03-21 16:00 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-03-21 15:54 - 2015-01-04 13:53 - 00007615 _____ () C:\Users\Home\AppData\Local\resmon.resmoncfg
2015-03-21 12:12 - 2015-01-03 16:18 - 00000000 ____D () C:\Users\Home\AppData\Local\Google
2015-03-21 12:06 - 2015-01-03 16:17 - 00000000 ____D () C:\Users\Home\AppData\Local\Deployment
2015-03-01 19:39 - 2009-07-14 07:34 - 00000478 _____ () C:\Windows\win.ini
2015-02-19 21:27 - 2015-01-03 18:22 - 00000000 ____D () C:\Users\Home\Documents\Reg Backup
 
==================== Files in the root of some directories =======
 
2015-01-04 13:53 - 2015-03-21 15:54 - 0007615 _____ () C:\Users\Home\AppData\Local\resmon.resmoncfg
2015-01-03 16:01 - 2015-01-03 16:01 - 1499762 _____ () C:\ProgramData\1420280906.bdinstall.bin
 
Some content of TEMP:
====================
C:\Users\Home\AppData\Local\Temp\Quarantine.exe
C:\Users\Home\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-20 19:26
 
==================== End Of Log ============================

Edited by kakashi3, 21 March 2015 - 09:42 AM.


#8 deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 21 March 2015 - 09:46 AM

Yes, it was the isupdate service (no malware per se). The service is running as a LAN Proxy Server.

2015-03-01 20:23 - 2015-03-21 16:01 - 00000000 ____D () C:\Program Files\InstallShield
2015-03-01 20:23 - 2015-03-21 12:00 - 00000456 _____ () C:\Windows\Tasks\InstallShield Update Task.job
2015-03-01 20:03 - 2014-05-15 11:24 - 00330240 _____ (Microsoft Corporation) C:\Windows\system32\mscoree.dll
2015-03-01 20:02 - 2015-03-01 20:02 - 00161591 _____ () C:\Users\Home\Downloads\mscoree.zip
2015-03-01 19:56 - 2015-03-01 19:56 - 00000000 ____D () C:\ProgramData\TEMP
2015-03-01 19:55 - 2015-03-01 19:55 - 05366440 _____ (Dll-Files.com ) C:\Users\Home\Downloads\dffsetup-mscoree.exe
2015-03-01 19:51 - 2015-03-01 19:51 - 00000622 _____ () C:\Users\Home\Downloads\TakeOwnership.zip

Let's do a final check up:

Step 1


Please download ESET Online Scanner and save it to your Desktop.

  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the scan settings shown in the screenshot in the original post.

  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at the path shown in the screenshot in the original post.
    Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!


regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
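The fixlist in post #6 and the explanation in post #8 describe one set of artifacts: a machine-wide proxy pointing at 127.0.0.1:8080, the ProxySettingsPerUser policy that made the per-user proxy settings irrelevant, an unsigned service, and a scheduled task that ran wscript with //E:jscript against an .ini file. The read-only PowerShell audit below is an added example, not code from the thread, FRST or Farbar; it assumes an elevated PowerShell 3.0 or later session, takes port 8080 from the log above, and falls back to netstat where Get-NetTCPConnection (Windows 8 / Server 2012 and later) is unavailable.

```powershell
# Added example (not from the thread, FRST or Farbar): read-only audit of the
# proxy and persistence locations the fixlist above removed. Assumes an
# elevated PowerShell 3.0+ session. It reports findings; it changes nothing.

$findings  = New-Object System.Collections.Generic.List[string]
$proxyPort = 8080   # taken from ProxyServer=http=127.0.0.1:8080 in the FRST log

# 1. Machine-wide and per-user proxy settings (FRST reported ProxyEnable set
#    and ProxyServer pointing at loopback under HKLM).
$inetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($key in $inetKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -eq 1 -or $p.ProxyServer) {
        $findings.Add("Proxy configured under $($key): ProxyEnable=$($p.ProxyEnable) ProxyServer=$($p.ProxyServer)")
        # A loopback proxy means a local process sits between every browser and the network.
        if ($p.ProxyServer -match '127\.0\.0\.1|localhost') {
            $findings.Add('  -> proxy points at loopback; see the listener check below')
        }
    }
}

# 2. The policy value ProxySettingsPerUser=0 forces the HKLM proxy on every user,
#    which is why editing the per-user Internet Options (or HKCU) did not help.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-Path -Path $polKey) {
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if ($pol.PSObject.Properties['ProxySettingsPerUser'] -and $pol.ProxySettingsPerUser -eq 0) {
        $findings.Add("Policy ProxySettingsPerUser=0 under $polKey (per-user proxy settings ignored)")
    }
}

# 3. Which process owns the loopback proxy port? Get-NetTCPConnection exists on
#    Windows 8 / Server 2012 and later; on Windows 7 fall back to netstat.
if (Get-Command -Name Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -State Listen -LocalPort $proxyPort -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("Port $proxyPort listener: PID $($_.OwningProcess) $($proc.Path)")
    }
} else {
    netstat -ano | Select-String -Pattern ":$proxyPort\s" | ForEach-Object {
        $findings.Add("netstat: $($_.Line.Trim())")
    }
}

# 4. Scheduled tasks that launch wscript/cscript with a script-engine override
#    (//E:jscript) on a file whose extension is not a script type, as the
#    'InstallShield Update Task' did with isupdate.ini. Task definitions are
#    XML files under System32\Tasks, which also works on Windows 7.
$taskRoot = Join-Path -Path $env:SystemRoot -ChildPath 'System32\Tasks'
Get-ChildItem -Path $taskRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    try { [xml]$task = Get-Content -Path $_.FullName -Raw -ErrorAction Stop } catch { return }
    foreach ($exec in @($task.Task.Actions.Exec)) {
        if ($null -eq $exec) { continue }
        $cmd       = [string]$exec.Command
        $arguments = [string]$exec.Arguments
        if ($cmd -match '(?i)(w|c)script(\.exe)?"?$' -and
            $arguments -match '(?i)//?E:(jscript|vbscript)' -and
            $arguments -notmatch '(?i)\.(js|jse|vbs|vbe|wsf)\b') {
            $findings.Add("Task $($_.FullName): $cmd $arguments (engine override on non-script file)")
        }
    }
}

# 5. Services whose image lives outside the Windows directory and lacks a valid
#    Authenticode signature (FRST flagged isupdate.exe as '[File not signed]').
Get-WmiObject -Class Win32_Service | ForEach-Object {
    $pathName = [string]$_.PathName
    if (-not $pathName) { return }
    # Strip quotes and arguments to recover the image path.
    if ($pathName -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($pathName -split '\s+')[0] }
    if ((Test-Path -LiteralPath $exe) -and ($exe -notlike "$env:SystemRoot\*")) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            $findings.Add("Service $($_.Name): $exe signature status $($sig.Status)")
        }
    }
}

if ($findings.Count -eq 0) { 'No proxy or persistence findings.' } else { $findings }
```

A finding from this script is a lead to investigate, not a verdict: legitimate software can set a proxy or ship unsigned, so compare each hit against the FRST log before removing anything.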

#9 kakashi3
  • Topic Starter

  • Members
  • 7 posts

Posted 21 March 2015 - 10:55 AM

I ran the ESET online scanner as instructed and it identified 7 threat files. Can I delete them?

Here is the log:

 

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=04b90d20383a744aa16a61c3ea3d4619
# engine=23016
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-03-21 03:52:06
# local_time=2015-03-21 09:22:06 (+0530, India Standard Time)
# country="India"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Bitdefender Antivirus'
# compatibility_mode=2064 16777213 100 100 769 105672906 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 66 85 21065 178582517 0 0
# scanned=92634
# found=7
# cleaned=0
# scan_time=2028
sh=A8C8651D376D7B9CC9248D3E27DD4B703091777F ft=1 fh=90ec45b2c206b24d vn="a variant of Win32/NetFilter.A potentially unsafe application" ac=I fn="C:\Program Files\NetWorx\nfapi.dll"
sh=0425E4105267F3CAC86067EC67F356B3EFD6F4BC ft=1 fh=45afef6521a2aedc vn="a variant of Win32/Systweak potentially unwanted application" ac=I fn="C:\Users\Home\Downloads\dffsetup-mscoree.exe"
sh=E3C3C648F3783E1918A71EE73561B6DFD9E0C6FF ft=1 fh=031add60de2b5a8f vn="a variant of Win32/Hao123.A potentially unwanted application" ac=I fn="C:\Users\Home\Downloads\FFSetup3.5.0.0.exe"
sh=F9E76FF3CC179C2A9CC1AEB182784085D1ED27EB ft=1 fh=b69be68dfaa5dbdf vn="a variant of Win32/NetFilter.A potentially unsafe application" ac=I fn="C:\Users\Home\Downloads\networx_setup (1).exe"
sh=B77E5FC3C268E3372F0829644259814880E3A5CA ft=1 fh=2f4b47732a177206 vn="a variant of Win32/NetFilter.A potentially unsafe application" ac=I fn="C:\Windows\System32\drivers\networx.sys"
sh=D5F81E940DF0CA88EE270E1B9A597FEFFCABAE81 ft=1 fh=a38c288313053c89 vn="a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application" ac=I fn="F:\FormatFactory\FFModules\Package\Ask\AskPIP_FF_.exe"
sh=E5A3C100D2D0FD94482783AF2B2FF94CDFC9923F ft=1 fh=a0ddd0619a504a2e vn="a variant of Win32/Hao123.A potentially unwanted application" ac=I fn="F:\FormatFactory\FFModules\Package\BaiDu\hao123inst.exe"

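The ESET log above is machine-readable: one `# key=value` header line per setting, then one detection line per hit with `sh=` (SHA-1), `vn=` (verdict), `ac=` (action code) and `fn=` (path). As an added example, not code from this thread, from ESET or from FRST, the Python below parses such a log, reads off from the header that nothing was removed (`remove_checked=false`, `cleaned=0`), marks which hit is a kernel driver whose service has to go before the file, and re-hashes a file on disk against the SHA-1 the scanner recorded so that a removal script deletes what the scanner actually saw. The category labels, the driver check and the hash comparison are this example's own assumptions; the embedded log lines are copied from the post above.

```python
"""Parse an ESET Online Scanner log and check the flagged files before removal.

Added example: not code from the thread, from ESET or from FRST. Field names
(sh, ft, fh, vn, ac, fn) and "# key=value" headers follow the log shown in the
thread; the category labels, driver check and re-hashing are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Five header lines and all seven detection lines, copied from the thread's log.
SAMPLE_LOG = r'''# product=EOS
# remove_checked=false
# scanned=92634
# found=7
# cleaned=0
sh=A8C8651D376D7B9CC9248D3E27DD4B703091777F ft=1 fh=90ec45b2c206b24d vn="a variant of Win32/NetFilter.A potentially unsafe application" ac=I fn="C:\Program Files\NetWorx\nfapi.dll"
sh=0425E4105267F3CAC86067EC67F356B3EFD6F4BC ft=1 fh=45afef6521a2aedc vn="a variant of Win32/Systweak potentially unwanted application" ac=I fn="C:\Users\Home\Downloads\dffsetup-mscoree.exe"
sh=E3C3C648F3783E1918A71EE73561B6DFD9E0C6FF ft=1 fh=031add60de2b5a8f vn="a variant of Win32/Hao123.A potentially unwanted application" ac=I fn="C:\Users\Home\Downloads\FFSetup3.5.0.0.exe"
sh=F9E76FF3CC179C2A9CC1AEB182784085D1ED27EB ft=1 fh=b69be68dfaa5dbdf vn="a variant of Win32/NetFilter.A potentially unsafe application" ac=I fn="C:\Users\Home\Downloads\networx_setup (1).exe"
sh=B77E5FC3C268E3372F0829644259814880E3A5CA ft=1 fh=2f4b47732a177206 vn="a variant of Win32/NetFilter.A potentially unsafe application" ac=I fn="C:\Windows\System32\drivers\networx.sys"
sh=D5F81E940DF0CA88EE270E1B9A597FEFFCABAE81 ft=1 fh=a38c288313053c89 vn="a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application" ac=I fn="F:\FormatFactory\FFModules\Package\Ask\AskPIP_FF_.exe"
sh=E5A3C100D2D0FD94482783AF2B2FF94CDFC9923F ft=1 fh=a0ddd0619a504a2e vn="a variant of Win32/Hao123.A potentially unwanted application" ac=I fn="F:\FormatFactory\FFModules\Package\BaiDu\hao123inst.exe"
'''

HEADER_RE = re.compile(r'^# (?P<key>\w+)=(?P<value>.*)$')
DETECTION_RE = re.compile(
    r'^sh=(?P<sh>[0-9A-Fa-f]{40}) ft=(?P<ft>\d+) fh=(?P<fh>[0-9A-Fa-f]+) '
    r'vn="(?P<vn>[^"]*)" ac=(?P<ac>\S+) fn="(?P<fn>[^"]*)"$'
)


@dataclass(frozen=True)
class Detection:
    sha1: str     # sh=  SHA-1 of the file as the scanner saw it
    verdict: str  # vn=  detection name
    action: str   # ac=  action code recorded by the scanner
    path: str     # fn=  Windows path of the flagged file

    @property
    def category(self) -> str:
        """Coarse label read off the verdict wording (this example's assumption)."""
        v = self.verdict.lower()
        if "potentially unsafe" in v:
            return "unsafe"    # legitimate but abusable, e.g. the NetFilter SDK driver
        if "potentially unwanted" in v:
            return "unwanted"  # PUA: bundled toolbars, Hao123 installers
        return "threat"

    @property
    def is_driver(self) -> bool:
        # A kernel driver is loaded by a service, so the service entry goes first,
        # which is why the FRST fixlist lists "R1 networx; ..." ahead of networx.sys.
        p = self.path.lower()
        return p.endswith(".sys") and "\\drivers\\" in p


def parse_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header[m["key"]] = m["value"]
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["sh"].upper(), m["vn"], m["ac"], m["fn"]))
    return header, detections


def nothing_removed(header: Dict[str, str]) -> bool:
    """True when the scan only reported (remove_checked=false, cleaned=0):
    every flagged file is still on disk and must be removed separately."""
    return header.get("remove_checked") == "false" and header.get("cleaned") == "0"


def sha1_of(path: Path) -> str:
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verify_on_disk(det: Detection, local_path: Optional[Path] = None) -> str:
    """Re-hash the file and compare with the SHA-1 the scanner recorded.
    local_path points at the file when the log came from another machine or a
    mounted image. "changed" means the file was replaced after the scan: rescan
    it instead of deleting by path. Returns "missing", "match" or "changed"."""
    p = Path(local_path) if local_path is not None else Path(det.path)
    if not p.is_file():
        return "missing"
    return "match" if sha1_of(p) == det.sha1 else "changed"


if __name__ == "__main__":
    header, dets = parse_log(SAMPLE_LOG)
    print(f"found={header['found']} parsed={len(dets)} nothing_removed={nothing_removed(header)}")
    for d in dets:
        print(f"{d.category:8} {'driver' if d.is_driver else 'file  '} {d.path}  [{verify_on_disk(d)}]")
```

On the affected machine, feed the real log text to `parse_log` and call `verify_on_disk` with the default path; on an analysis box, pass `local_path` pointing into the mounted image. Anything that comes back `changed` or `missing` is a reason to rescan before the path goes into a fixlist.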

#10 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:10:08 PM

Posted 21 March 2015 - 11:17 AM

Can I delete them?


Yes. Please run the fix.

Step 1


Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.

  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
    R1 networx; C:\Windows\System32\drivers\networx.sys [55288 2014-08-01] (NetFilterSDK.com)
    C:\Windows\System32\drivers\networx.sys 
    C:\Program Files\NetWorx
    C:\Users\Home\Downloads\dffsetup-mscoree.exe
    C:\Users\Home\Downloads\FFSetup3.5.0.0.exe
    C:\Users\Home\Downloads\networx_setup (1).exe
    F:\FormatFactory\FFModules\Package\Ask\AskPIP_FF_.exe
    F:\FormatFactory\FFModules\Package\BaiDu\hao123inst.exe
    EmptyTemp:
    
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

That's it!
Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or appreciate the assistance you received, then you can consider a donation.
Thank you!


Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.

Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:
 


Internet Explorer Version 8
Adobe Flash Player 16 NPAPI

 
Tips

I recommend reading and following the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.


regards,
deeprybka

#11 kakashi3

kakashi3
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:38 AM

Posted 22 March 2015 - 03:11 AM

Done! Thanks a lot again!  :)  I really appreciate it.

I don't have a credit card, but if I get it I'll surely make a donation in future.  :)

Thanks again!



#12 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:10:08 PM

Posted 22 March 2015 - 03:44 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
deeprybka
