
http://127.0.0.1:8080/proxy.pac PROBLEM persist


This topic is locked
20 replies to this topic

#1 eml


Posted 13 December 2015 - 01:46 PM

Hi there,

 

I see in the forum the solution to remove this proxy issue.

But it still persists.

 

I used AdwCleaner, FRST, Malicious Software Removal Tool, Junkware Removal Tool, Malwarebytes Anti-Malware, and cleaned some registry entries, but after restarting the machine the proxy problem persists.

 

I've seen the solution in this forum with the FRST fixlist.txt, so I'm sending my files to analyse.

 

thanks a lot for any solution!

 

eml

 

Attached Files




 


#2 nasdaq

  • Malware Response Team

Posted 14 December 2015 - 11:45 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below into a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\VESWinlogon-x32: VESWinlogon.dll [X]
HKU\S-1-5-21-3986011960-3368532007-501841507-1001\...\Policies\Explorer: []
ShortcutTarget: 7249907A.lnk -> C:\Users\Emanuel\AppData\Local\Temp\nvvscv.exe (No File)
GroupPolicyUsers\S-1-5-21-3986011960-3368532007-501841507-1003\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Restriction - ProxySettings)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @veetle.com/vbp;version=0.9.17 -> C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll [No File]
FF Plugin HKU\S-1-5-21-3986011960-3368532007-501841507-1001: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [No File]
FF HKU\S-1-5-21-3986011960-3368532007-501841507-1001\...\Firefox\Extensions: [acewebextension@acestream.org] - C:\Users\Emanuel\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension.xpi => not found
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Emanuel\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Extension: (No Name) - C:\Users\Emanuel\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mdebcffgnijbblbinknkbefciofebcda [2012-11-30]
CHR Extension: (AVG Secure Search) - C:\Users\Emanuel\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2012-11-29]
CHR HKLM-x32\...\Chrome\Extension: [mdebcffgnijbblbinknkbefciofebcda] - <no Path/update_url>
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
S2 NMSAccess; "C:\Program Files (x86)\Blaze Media Pro\NMSAccess32.exe"  [X]
S3 appliandMP; system32\DRIVERS\appliand.sys [X]
S3 BEHRINGER_2902; System32\Drivers\BUSB2902.sys [X]
S3 BUSB_AUDIO_WDM; system32\drivers\busbwdm.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{74F5CC00-49A9-11CF-A2F9-444553540000}\InprocServer32 -> C:\Program Files\Autodesk\AutoCAD LT 2013\en-US\acadltficn.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {04AD4AE8-CDC0-435A-96F1-A5EE3F677C37} - System32\Tasks\{B2E0D573-4E12-4532-A882-959BE119848C} => pcalua.exe -a C:\Users\Emanuel\AppData\Local\Temp\jre-8u60-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1
Task: {18D18C58-E398-42CA-BEA5-266A3E0830FD} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: {87932EEC-B930-4896-8E5D-647CE046A548} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {8B0A5396-01C4-4BC1-B66C-6A3F573E538F} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {99437DBB-309D-4FF7-8912-BE9A72514D3C} - System32\Tasks\KMSpico Updater => Wscript.exe //nologo //E:jscript //B "C:\Program Files (x86)\KMSpico Updater\updater.ini"
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\KMSpico Updater.job => Wscript.exe N/nologo /E:jscript /B C:\Program Files (x86)\KMSpico Updater\updater.ini
AlternateDataStreams: C:\ProgramData\Microsoft:l9044YCNIdP7QN8OeZJZgCs
AlternateDataStreams: C:\ProgramData\Microsoft:zXilQYKRstzBXKmWnAMqbQ
AlternateDataStreams: C:\ProgramData\TEMP:A1EDB939
AlternateDataStreams: C:\Users\Emanuel\AppData\Local\Temporary Internet Files:peLsKpUUmC4cDgfi25s3Urcqlb
FirewallRules: [{4081DFBF-C6E7-406B-8DD0-4BA740713AFF}] => (Allow) C:\Users\Emanuel\AppData\Local\Temp\wmpscnfg.exe
FirewallRules: [{8C1F51AE-6A02-4EEF-A458-C02911975A6C}] => (Allow) C:\Users\Emanuel\AppData\Local\Temp\wmpscnfg.exe
C:\Windows\AutoKMS
C:\Program Files (x86)\KMSpico Updater
C:\Users\Emanuel\AppData\Local\Temp\wmpscnfg.exe
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

How is the computer running now?

#3 eml


Posted 14 December 2015 - 01:33 PM

Hi there,

 

First of all, thanks for your reply nasdaq.

 

After following your suggestion, the proxy problem no longer appears after the reboot.

 

Here is the fixlog file:

Fix result of Farbar Recovery Scan Tool (x64) Version:12-12-2015 01
Ran by Emanuel (2015-12-14 17:45:20) Run:1
Running from C:\Users\Emanuel\Downloads
Loaded Profiles: Emanuel (Available Profiles: Emanuel & Sara)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\VESWinlogon-x32: VESWinlogon.dll [X]
HKU\S-1-5-21-3986011960-3368532007-501841507-1001\...\Policies\Explorer: []
ShortcutTarget: 7249907A.lnk -> C:\Users\Emanuel\AppData\Local\Temp\nvvscv.exe (No File)
GroupPolicyUsers\S-1-5-21-3986011960-3368532007-501841507-1003\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Restriction - ProxySettings)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @veetle.com/vbp;version=0.9.17 -> C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll [No File]
FF Plugin HKU\S-1-5-21-3986011960-3368532007-501841507-1001: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [No File]
FF HKU\S-1-5-21-3986011960-3368532007-501841507-1001\...\Firefox\Extensions: [acewebextension@acestream.org] - C:\Users\Emanuel\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension.xpi => not found
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Emanuel\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Extension: (No Name) - C:\Users\Emanuel\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mdebcffgnijbblbinknkbefciofebcda [2012-11-30]
CHR Extension: (AVG Secure Search) - C:\Users\Emanuel\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2012-11-29]
CHR HKLM-x32\...\Chrome\Extension: [mdebcffgnijbblbinknkbefciofebcda] - <no Path/update_url>
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
S2 NMSAccess; "C:\Program Files (x86)\Blaze Media Pro\NMSAccess32.exe"  [X]
S3 appliandMP; system32\DRIVERS\appliand.sys [X]
S3 BEHRINGER_2902; System32\Drivers\BUSB2902.sys [X]
S3 BUSB_AUDIO_WDM; system32\drivers\busbwdm.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{74F5CC00-49A9-11CF-A2F9-444553540000}\InprocServer32 -> C:\Program Files\Autodesk\AutoCAD LT 2013\en-US\acadltficn.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Emanuel\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {04AD4AE8-CDC0-435A-96F1-A5EE3F677C37} - System32\Tasks\{B2E0D573-4E12-4532-A882-959BE119848C} => pcalua.exe -a C:\Users\Emanuel\AppData\Local\Temp\jre-8u60-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1
Task: {18D18C58-E398-42CA-BEA5-266A3E0830FD} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: {87932EEC-B930-4896-8E5D-647CE046A548} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {8B0A5396-01C4-4BC1-B66C-6A3F573E538F} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {99437DBB-309D-4FF7-8912-BE9A72514D3C} - System32\Tasks\KMSpico Updater => Wscript.exe //nologo //E:jscript //B "C:\Program Files (x86)\KMSpico Updater\updater.ini"
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\KMSpico Updater.job => Wscript.exe N/nologo /E:jscript /B C:\Program Files (x86)\KMSpico Updater\updater.ini
AlternateDataStreams: C:\ProgramData\Microsoft:l9044YCNIdP7QN8OeZJZgCs
AlternateDataStreams: C:\ProgramData\Microsoft:zXilQYKRstzBXKmWnAMqbQ
AlternateDataStreams: C:\ProgramData\TEMP:A1EDB939
AlternateDataStreams: C:\Users\Emanuel\AppData\Local\Temporary Internet Files:peLsKpUUmC4cDgfi25s3Urcqlb
FirewallRules: [{4081DFBF-C6E7-406B-8DD0-4BA740713AFF}] => (Allow) C:\Users\Emanuel\AppData\Local\Temp\wmpscnfg.exe
FirewallRules: [{8C1F51AE-6A02-4EEF-A458-C02911975A6C}] => (Allow) C:\Users\Emanuel\AppData\Local\Temp\wmpscnfg.exe
C:\Windows\AutoKMS
C:\Program Files (x86)\KMSpico Updater
C:\Users\Emanuel\AppData\Local\Temp\wmpscnfg.exe
End
*****************

Restore point was successfully created.
Processes closed successfully.

========= RemoveProxy: =========

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3986011960-3368532007-501841507-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\VESWinlogon" => key removed successfully
HKU\S-1-5-21-3986011960-3368532007-501841507-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ => value removed successfully
C:\Users\Emanuel\AppData\Local\Temp\nvvscv.exe => not found.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-3986011960-3368532007-501841507-1003\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value not found.
"HKCR\PROTOCOLS\Handler\linkscanner" => key removed successfully
HKCR\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@veetle.com/vbp;version=0.9.17" => key removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001\Software\MozillaPlugins\wacom.com/WacomTabletPlugin" => key removed successfully
C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll => not found.
HKU\S-1-5-21-3986011960-3368532007-501841507-1001\Software\Mozilla\Firefox\Extensions\\acewebextension@acestream.org => value removed successfully
C:\Users\Emanuel\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => not found.
C:\Users\Emanuel\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mdebcffgnijbblbinknkbefciofebcda => moved successfully
C:\Users\Emanuel\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mdebcffgnijbblbinknkbefciofebcda" => key removed successfully
ACDaemon => service removed successfully
NMSAccess => service removed successfully
appliandMP => service removed successfully
BEHRINGER_2902 => service removed successfully
BUSB_AUDIO_WDM => service removed successfully
Synth3dVsc => service removed successfully
tsusbhub => service removed successfully
VGPU => service removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => key removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => key removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{74F5CC00-49A9-11CF-A2F9-444553540000}" => key removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => key removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => key removed successfully
"HKU\S-1-5-21-3986011960-3368532007-501841507-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{04AD4AE8-CDC0-435A-96F1-A5EE3F677C37}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{04AD4AE8-CDC0-435A-96F1-A5EE3F677C37}" => key removed successfully
C:\Windows\System32\Tasks\{B2E0D573-4E12-4532-A882-959BE119848C} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{B2E0D573-4E12-4532-A882-959BE119848C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{18D18C58-E398-42CA-BEA5-266A3E0830FD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{18D18C58-E398-42CA-BEA5-266A3E0830FD}" => key removed successfully
C:\Windows\System32\Tasks\AutoKMS => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{87932EEC-B930-4896-8E5D-647CE046A548}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87932EEC-B930-4896-8E5D-647CE046A548}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8B0A5396-01C4-4BC1-B66C-6A3F573E538F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8B0A5396-01C4-4BC1-B66C-6A3F573E538F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTask" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{99437DBB-309D-4FF7-8912-BE9A72514D3C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{99437DBB-309D-4FF7-8912-BE9A72514D3C}" => key removed successfully
C:\Windows\System32\Tasks\KMSpico Updater => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KMSpico Updater" => key removed successfully
C:\Windows\Tasks\AutoKMS.job => moved successfully
C:\Windows\Tasks\KMSpico Updater.job => moved successfully
C:\ProgramData\Microsoft => ":l9044YCNIdP7QN8OeZJZgCs" ADS removed successfully.
C:\ProgramData\Microsoft => ":zXilQYKRstzBXKmWnAMqbQ" ADS removed successfully.
C:\ProgramData\TEMP => ":A1EDB939" ADS removed successfully.
"C:\Users\Emanuel\AppData\Local\Temporary Internet Files" => ":peLsKpUUmC4cDgfi25s3Urcqlb" ADS not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4081DFBF-C6E7-406B-8DD0-4BA740713AFF} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8C1F51AE-6A02-4EEF-A458-C02911975A6C} => value removed successfully
C:\Windows\AutoKMS => moved successfully
C:\Program Files (x86)\KMSpico Updater => moved successfully
"C:\Users\Emanuel\AppData\Local\Temp\wmpscnfg.exe" => not found.
EmptyTemp: => 7.1 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 17:54:31 ====

and the AdwCleaner log:

 

 

# AdwCleaner v5.025 - Logfile created 14/12/2015 at 18:22:24

# Updated 13/12/2015 by Xplode
# Database : 2015-12-13.2 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Emanuel - MOITA_SONY
# Running from : C:\Users\Emanuel\Downloads\adwcleaner_5.025.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
Folder Found : C:\_acestream_cache_
Folder Found : C:\Users\Emanuel\AppData\LocalLow\.acestream
Folder Found : C:\Users\Emanuel\AppData\Roaming\acestream
Folder Found : C:\Users\Emanuel\AppData\Roaming\.acestream
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\SOFTWARE\Clients\Media\AceStream
Key Found : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acelive
Key Found : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acemedia
Key Found : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acestream
Key Found : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tslive
Key Found : HKCU\SOFTWARE\Classes\.acelive
Key Found : HKCU\SOFTWARE\Classes\.acemedia
Key Found : HKCU\SOFTWARE\Classes\.acestream
Key Found : HKCU\SOFTWARE\Classes\.tslive
Key Found : HKCU\SOFTWARE\Classes\acestream
Key Found : HKCU\SOFTWARE\Classes\AceStream.file
Key Found : HKCU\SOFTWARE\Classes\Applications\ace_player.exe
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayCDAudioOnArrival
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayDVDAudioOnArrival
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayDVDMovieOnArrival
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayMusicFilesOnArrival
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlaySVCDMovieOnArrival
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayVCDMovieOnArrival
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayVideoFilesOnArrival
Key Found : HKCU\Software\Classes\ACEStream.CDAudio
Key Found : HKCU\Software\Classes\ACEStream.DVDMovie
Key Found : HKCU\Software\Classes\ACEStream.OPENFolder
Key Found : HKCU\Software\Classes\ACEStream.SVCDMovie
Key Found : HKCU\Software\Classes\ACEStream.VCDMovie
Key Found : HKCU\Software\Classes\AudioCD\shell\PlayWithACEStream
Key Found : HKCU\Software\Classes\DVD\shell\PlayWithACEStream
Key Found : HKLM\SOFTWARE\Classes\CLSID\{79690976-ED6E-403C-BBBA-F8928B5EDE17}
Key Found : HKCU\Software\AceStream
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
 
***** [ Web browsers ] *****
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [3031 bytes] ##########
 

 

thanks a lot

 

emanuel
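The Fixlog above shows which registry values FRST's RemoveProxy directive cleared. The following PowerShell script is an added example (not code from the thread, from FRST or from Zoek) that audits those same locations on a machine, decodes the binary DefaultConnectionSettings and SavedLegacySettings blobs, flags a PAC URL that points back at the local machine, and, because a setting that keeps coming back after a reset implies something is re-applying it, identifies the process listening on the PAC port. It assumes Windows 7 or later with PowerShell 3+, run as Administrator so every user hive is readable; the PAC URL, the regex of "suspicious" address ranges and the WinINet blob field names are this example's own choices.

```powershell
# Added example, not code from the thread or from FRST/Zoek. Audits the registry
# locations FRST's RemoveProxy cleared in the Fixlog above, decodes the binary
# connection-settings blobs, flags a PAC URL pointing back at this machine, and
# names the process listening on the PAC port. Assumes Windows 7+, PowerShell 3+, admin.

$PacUrl  = 'http://127.0.0.1:8080/proxy.pac'   # URL from this thread; adjust as needed
$PacPort = ([uri]$PacUrl).Port

function Test-SuspiciousPacUrl {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return $false }
    # A PAC served from loopback or a non-routable address on a home PC is the
    # hallmark of the hijack discussed in this thread (assumed heuristic).
    return [bool]($Url -match '^(https?://)?(127\.|localhost|0\.0\.0\.0|169\.254\.|10\.|192\.168\.)')
}

function ConvertFrom-ConnectionSettings {
    # Decodes the WinINet per-connection blob: version, change counter, flags, then
    # three length-prefixed ASCII strings (proxy server, bypass list, autoconfig URL).
    param([byte[]]$Blob)
    if ($null -eq $Blob -or $Blob.Length -lt 12) { return $null }
    $flags  = [BitConverter]::ToUInt32($Blob, 8)
    $pos    = 12
    $fields = @()
    for ($i = 0; $i -lt 3; $i++) {
        $text = ''
        if ($pos + 4 -le $Blob.Length) {
            $len = [BitConverter]::ToUInt32($Blob, $pos); $pos += 4
            if ($len -gt 0 -and $pos + $len -le $Blob.Length) {
                $text = [Text.Encoding]::ASCII.GetString($Blob, $pos, $len)
            }
            $pos += $len
        }
        $fields += $text
    }
    [pscustomobject]@{
        ManualProxy   = [bool]($flags -band 0x2)   # PROXY_TYPE_PROXY
        UseAutoConfig = [bool]($flags -band 0x4)   # PROXY_TYPE_AUTO_PROXY_URL
        ProxyServer   = $fields[0]
        BypassList    = $fields[1]
        AutoConfigUrl = $fields[2]
    }
}

# Machine hives, the default profile and every loaded user profile (HKU\S-1-5-21-...).
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$roots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node', 'HKU:\.DEFAULT\Software')
$roots += Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software" }

$findings = @(foreach ($root in $roots) {
    $isKey = "$root\Microsoft\Windows\CurrentVersion\Internet Settings"
    $is = Get-ItemProperty -Path $isKey -ErrorAction SilentlyContinue
    if ($is -and ($is.AutoConfigURL -or $is.ProxyEnable)) {
        [pscustomobject]@{ Location = $isKey; Setting = 'AutoConfigURL/ProxyServer'
            Value = "$($is.AutoConfigURL) $($is.ProxyServer)".Trim()
            Suspicious = Test-SuspiciousPacUrl $is.AutoConfigURL }
    }
    $conn = Get-ItemProperty -Path "$isKey\Connections" -ErrorAction SilentlyContinue
    foreach ($name in 'DefaultConnectionSettings', 'SavedLegacySettings') {
        $d = ConvertFrom-ConnectionSettings $conn.$name
        if ($d -and ($d.UseAutoConfig -or $d.ManualProxy)) {
            [pscustomobject]@{ Location = "$isKey\Connections"; Setting = $name
                Value = "$($d.ProxyServer) $($d.AutoConfigUrl)".Trim()
                Suspicious = Test-SuspiciousPacUrl $d.AutoConfigUrl }
        }
    }
})

# ProxySettingsPerUser = 0 (the value FRST flagged) forces one machine-wide proxy on
# every account, so a per-user reset never sticks.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($pol -and $null -ne $pol.ProxySettingsPerUser -and $pol.ProxySettingsPerUser -eq 0) {
    $findings += [pscustomobject]@{ Location = 'HKLM policy'; Setting = 'ProxySettingsPerUser'
        Value = 0; Suspicious = $true }
}

# Whatever answers on the PAC port is the component that keeps re-applying the proxy.
$ownerPid = $null
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $ownerPid = Get-NetTCPConnection -LocalPort $PacPort -State Listen -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty OwningProcess
} else {
    # Windows 7 lacks Get-NetTCPConnection; parse netstat instead.
    $line = netstat -ano -p tcp | Where-Object { $_ -match ":$PacPort\s+\S+\s+LISTENING\s+\d+" } |
        Select-Object -First 1
    if ($line -and $line -match 'LISTENING\s+(\d+)\s*$') { $ownerPid = [int]$Matches[1] }
}
if ($ownerPid) {
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{ Location = "TCP listener :$PacPort"; Setting = 'OwningProcess'
        Value = "$ownerPid $($proc.Name) $($proc.Path)"; Suspicious = $true }
}
$findings | Format-Table -AutoSize
```

A listener row with a binary under a user-writable path (Temp, AppData) is the lead to follow before resetting the proxy again, since resetting alone is what this thread shows failing.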



#4 nasdaq


Posted 14 December 2015 - 01:42 PM

Make sure to remove everything that the AdwCleaner found.

Glad we could help.


If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#5 nasdaq


Posted 19 December 2015 - 09:15 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#6 nasdaq


Posted 21 December 2015 - 02:04 PM

This topic has been re-opened at the request of the person who originally posted.

#7 eml


Posted 21 December 2015 - 02:28 PM

thanks nasdaq

 

Here is the file for your analysis.

Since my last post I used AdwCleaner again, cleaned everything, and ran the fixlist in Farbar again.

 

I reset the proxy settings and the internet settings in regedit in safe mode, but nothing: the problem is still present.

 

 

 

Attached Files

  • Attached file: FRST.txt (44.85KB)


#8 nasdaq


Posted 22 December 2015 - 08:43 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here.

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
process;
ipconfig /flushdns;
resetieproxy;
chrdefaults;
emptyCHRcache;
reset chrome;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.

Make sure you Enable your AV Program.

Let me know if the problem persists.

#9 eml


Posted 22 December 2015 - 10:57 AM

Hello again.

 

OK, I did it all, but after the reboot the problem is still there.

 

 

I put http://127.0.0.1:8080/proxy.pac in the browser address bar and it returned a file "proxi.pac". I opened it with Notepad. I attached it also.

 

I know that this machine belonged to another person years ago and had some illegal software, but I already uninstalled it all.

Any suggestion?

Attached Files



#10 eml


Posted 22 December 2015 - 11:22 AM

I only noticed this issue because when I open a browser and do a search on Google, the search returns a "fake" Google webpage.

 

I noticed because the Google logo is the older version.

Attached file: proxyproblem3.jpg (81.4KB)

 

and in the lower left corner it appears to redirect to a certain webpage, www.googleapis.com

Attached file: proxyproblem2.jpg (75.94KB)

 

and the same webpage with the proxy disabled

Attached file: proxyproblem4.jpg (79.14KB)

 

 

 



#11 nasdaq


Posted 22 December 2015 - 11:55 AM


On the image on page 9 select Detectar....

Remove the .pac entry in the box.

Make sure you click the apply button.

Restart the computer normally.

How is the computer running now?

#12 eml


Posted 22 December 2015 - 12:22 PM

done

 

... but after the restart it changes again to the same situation.

 

damn

 

thanks for your patience anyway



#13 nasdaq


Posted 23 December 2015 - 08:16 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below into a new file.


start

Folder: C:\Users\Emanuel\AppData\Roaming\InstallShield

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===


Let's also look in the Registry.

Please run the Farbar Recovery Scan Tool. Enter proxy.pac in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

#14 eml


Posted 23 December 2015 - 08:51 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:20-12-2015
Ran by Emanuel (2015-12-23 13:35:15) Run:4
Running from C:\Users\Emanuel\Downloads
Loaded Profiles: Emanuel (Available Profiles: Emanuel & Sara)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

Folder: C:\Users\Emanuel\AppData\Roaming\InstallShield

End
*****************


========================= Folder: C:\Users\Emanuel\AppData\Roaming\InstallShield ========================

2010-04-13 16:48 - 2010-04-13 16:48 - 0000000 ____D () C:\Users\Emanuel\AppData\Roaming\InstallShield\ISEngine12.0

====== End of Folder: ======


==== End of Fixlog 13:35:15 ====
Farbar Recovery Scan Tool (x64) Version:20-12-2015
Ran by Emanuel (2015-12-23 13:49:45)
Running from C:\Users\Emanuel\Downloads
Boot Mode: Normal

================== Search Registry: "proxy.pac" ===========


====== End of Search ======


#15 nasdaq


Posted 23 December 2015 - 11:43 AM

Please open your Task Manager: hit these keys simultaneously (CTRL+ALT+DEL).
Select the Services tab.

Right-click on the services in bold. Select "Stop Service".

S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 updatesvc.exe; C:\Program Files (x86)\Common Files\InstallShield\Update\updatesvc.exe [346624 2015-12-07] (InstallShield®) [File not signed]

Close the windows.

Restart the computer normally.

Is the problem persisting?



