MBAM detected backdoor.bot


This topic is locked
20 replies to this topic

#1 Ervin T


Posted 06 January 2016 - 01:17 PM

Hello,

MBAM detected backdoor.bot and I'm only able to access the internet by unchecking the proxy server box in the LAN settings, but it seems to always come back when restarting my computer. Please help me get rid of this. TIA.

OS: Windows 7

System: 64-bit OS

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-12-2015
Ran by Bob (administrator) on BOB-PC (05-01-2016 11:25:57)
Running from C:\Users\Bob\Downloads
Loaded Profiles: Bob (Available Profiles: Bob)
Platform: Windows 7 Home Premium (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avp.exe
(Digital Market Research Apps Pty Ltd) C:\Program Files (x86)\MR APP\MRAPP.Event.Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Spotify Ltd) C:\Users\Bob\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(Spotify Ltd) C:\Users\Bob\AppData\Roaming\Spotify\Spotify.exe
(Freecom) C:\Users\Bob\AppData\Local\Temp\Password 2.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(IOI) C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
() C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(ICBC OEM From Mingwah Technologies Co., Ltd) C:\Program Files (x86)\ICBCEbankTools\MingWah\MWREGICBC.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Digital Market Research Apps Pty Ltd) C:\Program Files (x86)\MR APP\MRAPP.Transfer.Service.exe
(Acer Group) C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft) C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUI.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avpui.exe
(Microsoft) C:\Program Files (x86)\MR APP\MRAPP.UI.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Spotify Ltd) C:\Users\Bob\AppData\Roaming\Spotify\Spotify.exe
(Spotify Ltd) C:\Users\Bob\AppData\Roaming\Spotify\Spotify.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM-x32\...\Run: [Gateway Photo Frame] => C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe [124416 2009-07-20] (IOI)
HKLM-x32\...\Run: [Hotkey Utility] => C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe [563744 2010-03-25] ()
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-08] (Adobe Systems Inc.)
HKLM-x32\...\Run: [BrMfcWnd] => C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ControlCenter3] => C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [MWREGICBC.exe] => C:\Program Files (x86)\ICBCEbankTools\MingWah\MWREGICBC.exe [42440 2011-02-27] (ICBC OEM From Mingwah Technologies Co., Ltd)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [143360 2012-09-06] (Brother Industries, Ltd.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3883856 2009-07-26] (Microsoft Corporation)
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\...\Run: [eMuleAutoStart] => C:\Program Files (x86)\easyMule\eMule.exe -AutoStart
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\...\Run: [Spotify Web Helper] => C:\Users\Bob\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2346096 2015-12-15] (Spotify Ltd)
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\...\Run: [Spotify] => C:\Users\Bob\AppData\Roaming\Spotify\Spotify.exe [8387696 2015-12-15] (Spotify Ltd)
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\...\MountPoints2: H - H:\autorun.exe
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\...\MountPoints2: {291b4bd8-3a10-11e0-86c6-00262d3138b4} - H:\autorun.exe
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\...\MountPoints2: {7124710b-4283-11e1-b5e4-00262d3138b4} - H:\autorun.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Password 2.lnk [2012-11-27]
ShortcutTarget: Password 2.lnk -> C:\Users\Bob\AppData\Local\Temp\Password 2.exe (Freecom)
Startup: C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DealFinder.lnk [2014-05-02]
ShortcutTarget: DealFinder.lnk -> C:\Program Files (x86)\AA\DealFinder\DealFinder\DealFinder.exe ()
Startup: C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - .lnk [2014-07-11]
ShortcutTarget: Monitor Ink Alerts - .lnk -> C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3050A J611 series.lnk [2016-01-05]
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 3050A J611 series.lnk -> C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-2896317678-674235471-4210084263-1001] => http=127.0.0.1:16110;https=127.0.0.1:16110
Hosts: 127.0.0.1    activate.adobe.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{1CBAB0AA-79D0-4329-8AF9-860295C7DEBB}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=sx2801&r=173609109107p0458v115k4561s29o
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=sx2801&r=173609109107p0458v115k4561s29o
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=sx2801&r=173609109107p0458v115k4561s29o
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKU\S-1-5-21-2896317678-674235471-4210084263-1001 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS397
SearchScopes: HKU\S-1-5-21-2896317678-674235471-4210084263-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2896317678-674235471-4210084263-1001 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS397
BHO: Virtual Keyboard Plugin -> {4A66AD60-A03D-4D01-86F0-5F0F7C0EF1AD} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x64\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO: Content Blocker Plugin -> {93BC2EA7-2F17-4729-948A-D2E03FFB2412} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x64\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO: Safe Money Plugin -> {AB379017-4C03-4E00-8EDF-E6D6AF7CCF82} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x64\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2013-05-08] (Adobe Systems Incorporated)
BHO-x32: Virtual Keyboard Plugin -> {4A66AD60-A03D-4D01-86F0-5F0F7C0EF1AD} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2009-02-06] (Zeon Corporation)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2010-07-27] (Microsoft Corporation)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: Content Blocker Plugin -> {93BC2EA7-2F17-4729-948A-D2E03FFB2412} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO-x32: Safe Money Plugin -> {AB379017-4C03-4E00-8EDF-E6D6AF7CCF82} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-05-08] (Adobe Systems Incorporated)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-10-10] (Skype Technologies S.A.)
BHO-x32: Bing Bar BHO -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll [2010-08-24] (Microsoft Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll [2010-08-24] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-2896317678-674235471-4210084263-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {0EB487C8-E9AC-43A6-8C4C-083999B0622F} hxxps://mybank.icbc.com.cn/icbc/newperbank/certInStall.dll
DPF: HKLM-x32 {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} hxxps://mybank.icbc.com.cn/icbc/newperbank/AxSafeControls.cab
DPF: HKLM-x32 {93E730CA-32AA-4C56-B5FB-65932E954CFE} hxxps://mybank.icbc.com.cn/icbc/newperbank/ICBC_IE_FULL_SCREEN.CAB
DPF: HKLM-x32 {B1FBC1AD-5644-4084-882A-0F8BA85E7506} hxxps://mybank.icbc.com.cn/icbc/ICBC_NetSign.dll
DPF: HKLM-x32 {E4BFF825-2E50-4BCC-8497-6EFDFB6C9B3D} hxxps://mybank.icbc.com.cn/icbc/newperbank/USBKEY.cab
DPF: HKLM-x32 {E6C2DD02-CD38-41A1-9B69-3D7E3B64AF9A} hxxps://mybank.icbc.com.cn/icbc/icbc_mwdv.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-10-10] (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-13] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\up2ais8b.default-1447349307808
FF Homepage: hxxps://www.yahoo.com/
about:preferences
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_267.dll [2015-12-29] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_267.dll [2015-12-29] ()
FF Plugin-x32: @kaspersky.com/content_blocker_663BE84DBCC949E88C7600F63CA7F098 -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\content_blocker@kaspersky.com [2015-07-20] ()
FF Plugin-x32: @kaspersky.com/online_banking_08806E753BE44495B44E90AA2513BDC5 -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\online_banking@kaspersky.com [2015-07-20] ()
FF Plugin-x32: @kaspersky.com/virtual_keyboard_07402848C2F6470194F131B0F3DE025E -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com [2015-07-20] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2012-07-30] (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\up2ais8b.default-1447349307808\user.js [2015-11-12]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll [2010-10-06] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll [2010-10-06] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Extension: Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\content_blocker@kaspersky.com [2015-07-20] [not signed]
FF Extension: Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\online_banking@kaspersky.com [2015-07-20] [not signed]
FF Extension: Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com [2015-07-20] [not signed]
FF Extension: Kaspersky URL Advisor - C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak [2015-12-23] [not signed]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2015-12-23] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [virtualKeyboard@kaspersky.ru] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\virtualKeyboard@kaspersky.ru => not found
FF HKLM-x32\...\Firefox\Extensions: [linkfilter@kaspersky.ru] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\linkfilter@kaspersky.ru => not found
FF HKLM-x32\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension
FF Extension: Search Helper Extension - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension [2012-03-16] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension
FF Extension: Default Manager - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension [2012-03-16] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [content_blocker_663BE84DBCC949E88C7600F63CA7F098@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\content_blocker@kaspersky.com
FF HKLM-x32\...\Firefox\Extensions: [virtual_keyboard_07402848C2F6470194F131B0F3DE025E@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com
FF HKLM-x32\...\Firefox\Extensions: [online_banking_08806E753BE44495B44E90AA2513BDC5@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\online_banking@kaspersky.com

Chrome:
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.85\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.85\pdf.dll => No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.85\gears.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll => No File
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Profile: C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Skype Click to Call) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-09-15]
CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - hxxps://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho
CHR HKLM-x32\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - hxxps://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2011-10-10]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVP15.0.2; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avp.exe [194000 2015-06-27] (Kaspersky Lab ZAO)
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]
R2 EventService; C:\Program Files (x86)\MR APP\MRAPP.Event.Service.exe [34304 2015-07-06] (Digital Market Research Apps Pty Ltd) [File not signed]
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2010-09-23] (Macrovision Europe Ltd.) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
R2 TransferService; C:\Program Files (x86)\MR APP\MRAPP.Transfer.Service.exe [32256 2015-07-06] (Digital Market Research Apps Pty Ltd) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 cm_km_w; C:\Windows\System32\DRIVERS\cm_km_w.sys [247016 2015-06-27] (Kaspersky Lab UK Ltd)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 ISODrive; C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [104152 2006-11-25] (EZB Systems, Inc.)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [478392 2015-06-27] (Kaspersky Lab ZAO)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [64368 2015-06-27] (Kaspersky Lab ZAO)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [159960 2015-06-27] (Kaspersky Lab ZAO)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [225976 2015-06-27] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [831672 2015-10-09] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [39280 2015-06-27] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [40304 2015-06-27] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [39280 2015-06-27] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [24944 2015-06-27] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [65208 2015-06-27] (Kaspersky Lab ZAO)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [85360 2015-06-27] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [190648 2015-10-09] (Kaspersky Lab ZAO)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-01-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-05 11:26 - 2016-01-05 11:26 - 03735552 _____ C:\Users\Bob\Downloads\RogueKiller.exe.part
2016-01-05 11:26 - 2016-01-05 11:26 - 00000000 _____ C:\Users\Bob\Downloads\RogueKiller.exe
2016-01-05 11:25 - 2016-01-05 11:26 - 00026638 _____ C:\Users\Bob\Downloads\FRST.txt
2016-01-05 11:25 - 2016-01-05 11:25 - 00000000 ____D C:\FRST
2016-01-05 11:24 - 2016-01-05 11:25 - 02370560 _____ (Farbar) C:\Users\Bob\Downloads\FRST64.exe
2016-01-04 16:35 - 2016-01-05 11:21 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-01-04 16:35 - 2016-01-04 16:35 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-01-04 16:35 - 2016-01-04 16:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-01-04 16:35 - 2016-01-04 16:35 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-01-04 16:35 - 2016-01-04 16:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-01-04 16:35 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-01-04 16:35 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-01-04 16:35 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-01-04 16:34 - 2016-01-04 16:35 - 22908888 _____ (Malwarebytes ) C:\Users\Bob\Downloads\mbam-setup-2.2.0.1024.exe
2016-01-04 11:34 - 2016-01-04 12:05 - 00000000 ____D C:\Users\Bob\Documents\Herbal extract
2016-01-04 10:29 - 2016-01-04 10:30 - 00889416 _____ (Microsoft Corporation) C:\Users\Bob\Downloads\dotNetFx40_Full_setup.exe
2016-01-04 10:07 - 2016-01-04 10:07 - 00879096 _____ (Microsoft Corporation) C:\Users\Bob\Downloads\NetFxRepairTool.exe
2015-12-23 09:01 - 2015-12-23 10:12 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-12-09 13:55 - 2015-12-09 13:55 - 00298288 _____ C:\Windows\Minidump\120915-19671-01.dmp
2015-12-07 13:13 - 2015-12-07 13:13 - 00000000 ____D C:\Users\Bob\Documents\VPower

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-05 11:25 - 2007-07-11 17:48 - 00000000 ____D C:\Windows
2016-01-05 11:07 - 2012-01-05 20:38 - 00000000 ____D C:\Users\Bob\AppData\Roaming\Spotify
2016-01-05 11:01 - 2012-03-16 13:16 - 00000252 _____ C:\Windows\Tasks\HP Photo Creations Messager.job
2016-01-05 10:58 - 2012-10-20 00:07 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-01-05 10:50 - 2010-10-11 07:08 - 00000000 ____D C:\Users\Bob\AppData\Local\CrashDumps
2016-01-05 10:44 - 2013-01-15 21:14 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2016-01-05 10:43 - 2010-10-26 21:59 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-01-05 10:37 - 2009-07-13 20:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-05 10:37 - 2009-07-13 20:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-05 10:35 - 2010-10-26 21:58 - 00000000 ____D C:\Users\Bob\AppData\Roaming\Skype
2016-01-05 10:19 - 2012-01-05 20:39 - 00000000 ____D C:\Users\Bob\AppData\Local\Spotify
2016-01-05 10:19 - 2010-09-17 15:20 - 00000000 ____D C:\Users\Bob\Tracing
2016-01-05 10:18 - 2010-10-26 21:59 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-01-05 10:17 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-05 09:49 - 2013-05-09 14:37 - 00000000 ____D C:\Users\Bob\Documents\Sea Hawk
2016-01-05 08:46 - 2010-12-22 08:13 - 00000000 ____D C:\Users\Bob\Documents\K-BEST
2016-01-04 10:42 - 2010-10-01 16:21 - 00767774 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-01-04 10:41 - 2009-07-13 21:13 - 00767774 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-04 10:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2015-12-30 14:05 - 2010-12-20 08:05 - 00000000 ____D C:\Users\Bob\Documents\PT Indo
2015-12-30 08:59 - 2013-02-26 16:44 - 00000000 ____D C:\Users\Bob\Documents\CODY
2015-12-29 10:26 - 2011-05-22 20:57 - 00000000 ____D C:\Users\Bob\Documents\United Pharm
2015-12-29 10:05 - 2012-10-20 00:07 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-29 10:05 - 2012-10-20 00:07 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-29 10:05 - 2012-10-20 00:07 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-12-24 11:11 - 2012-04-24 14:30 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-12-23 09:59 - 2015-03-31 13:35 - 00000000 ____D C:\Users\Bob\Documents\RICHARD YEH
2015-12-16 13:44 - 2010-10-26 21:59 - 00002190 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-12-16 13:28 - 2010-09-17 16:23 - 00000000 ____D C:\ProgramData\FLEXnet
2015-12-15 10:34 - 2011-07-18 20:32 - 00000000 ____D C:\Users\Bob\Documents\WIL
2015-12-15 10:32 - 2012-10-26 06:41 - 00000000 ____D C:\Users\Bob\Documents\Yeh
2015-12-09 13:55 - 2011-04-01 14:52 - 538349120 _____ C:\Windows\MEMORY.DMP
2015-12-09 13:55 - 2011-04-01 14:52 - 00000000 ____D C:\Windows\Minidump
2015-12-09 09:25 - 2011-04-15 16:28 - 00000000 ____D C:\Users\Bob\Documents\Optimum

==================== Files in the root of some directories =======

2012-02-11 22:03 - 2013-10-16 11:13 - 0007619 _____ () C:\Users\Bob\AppData\Local\resmon.resmoncfg
2008-02-05 13:28 - 2008-02-05 13:28 - 0000051 _____ () C:\Users\Bob\AppData\Local\setup.txt
2012-03-16 13:14 - 2012-03-16 13:14 - 0000057 _____ () C:\ProgramData\Ament.ini

Files to move or delete:
====================
C:\Windows\SysWOW64\ntshrui.dll


Some files in TEMP:
====================
C:\Users\Bob\AppData\Local\Temp\COMAP.EXE
C:\Users\Bob\AppData\Local\Temp\contentDATs.exe
C:\Users\Bob\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe
C:\Users\Bob\AppData\Local\Temp\GLF46B4.EXE
C:\Users\Bob\AppData\Local\Temp\GoogleChromeInstaller.exe
C:\Users\Bob\AppData\Local\Temp\ICBC_MW_USHIELD2_INSTALL.EXE
C:\Users\Bob\AppData\Local\Temp\o1vw_vca.dll
C:\Users\Bob\AppData\Local\Temp\ose00001.exe
C:\Users\Bob\AppData\Local\Temp\Password .exe
C:\Users\Bob\AppData\Local\Temp\Password 2.exe
C:\Users\Bob\AppData\Local\Temp\Password.exe
C:\Users\Bob\AppData\Local\Temp\Patch.exe
C:\Users\Bob\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Bob\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Bob\AppData\Local\Temp\_is64F3.exe
C:\Users\Bob\AppData\Local\Temp\_isF86B.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-10 23:06

==================== End of FRST.txt ============================


#2 nasdaq
Malware Response Team, 39,543 posts, Montreal, QC, Canada

Posted 07 January 2016 - 09:30 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

My research revealed that this proxy is used by Digital Market Research Apps Pty Ltd.

If you wish to remove it let me know and I will provide you with a fix.

#3 Ervin T (Topic Starter)
Members, 102 posts

Posted 07 January 2016 - 10:25 AM

Yes, Please help. Thank you

#4 nasdaq
Malware Response Team, 39,543 posts, Montreal, QC, Canada

Posted 08 January 2016 - 08:30 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.
 
start

CreateRestorePoint:
CloseProcesses:
RemoveProxy:

(Digital Market Research Apps Pty Ltd) C:\Program Files (x86)\MR APP\MRAPP.Event.Service.exe
(Digital Market Research Apps Pty Ltd) C:\Program Files (x86)\MR APP\MRAPP.Transfer.Service.exe
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-2896317678-674235471-4210084263-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF user.js: detected! => C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\up2ais8b.default-1447349307808\user.js [2015-11-12]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll [2010-10-06] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll [2010-10-06] (Coupons, Inc.)
FF HKLM-x32\...\Firefox\Extensions: [virtualKeyboard@kaspersky.ru] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\virtualKeyboard@kaspersky.ru => not found
FF HKLM-x32\...\Firefox\Extensions: [linkfilter@kaspersky.ru] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\FFExt\linkfilter@kaspersky.ru => not found
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.85\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.85\pdf.dll => No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.85\gears.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll => No File
R2 EventService; C:\Program Files (x86)\MR APP\MRAPP.Event.Service.exe [34304 2015-07-06] (Digital Market Research Apps Pty Ltd) [File not signed]
R2 TransferService; C:\Program Files (x86)\MR APP\MRAPP.Transfer.Service.exe [32256 2015-07-06] (Digital Market Research Apps Pty Ltd) [File not signed]
C:\Program Files (x86)\MR APP

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===

Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===


How is the computer running now?

Edited by nasdaq, 08 January 2016 - 08:32 AM.


#5 Ervin T (Topic Starter)
Members, 102 posts

Posted 10 January 2016 - 03:29 AM

I'm out of town but will be back on Monday and will let you know. Thank you.

#6 Ervin T (Topic Starter)
Members, 102 posts

Posted 11 January 2016 - 12:46 PM

Will post logs shortly. Thank you.

#7 Ervin T (Topic Starter)
Members, 102 posts

Posted 11 January 2016 - 12:57 PM

When I pressed "More Reply Options" to add an attachment, the proxy error came up and I had to uncheck the proxy box under Internet settings. I'm not sure why that happened when I had already completed the fix with FRST. Here are the requested logs.


#8 nasdaq
Malware Response Team, 39,543 posts, Montreal, QC, Canada

Posted 12 January 2016 - 09:27 AM

Did you install this program?
My concern is that it's located in a temporary folder.
Should you use a tool to empty your temporary folders, the application will be removed.
 

(Freecom) C:\Users\Bob\AppData\Local\Temp\Password 2.exe
ShortcutTarget: Password 2.lnk -> C:\Users\Bob\AppData\Local\Temp\Password 2.exe (Freecom)
C:\Users\Bob\AppData\Local\Temp\Password .exe
C:\Users\Bob\AppData\Local\Temp\Password 2.exe

===


I now strongly suspect that the proxy is set by the DealFinder application.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
RemoveProxy:


ProxyEnable: [S-1-5-21-2896317678-674235471-4210084263-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-2896317678-674235471-4210084263-1001] => http=127.0.0.1:16110;https=127.0.0.1:16110;
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\pdf.dll => No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\gears.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll => No File
C:\Users\Bob\AppData\Local\Temp\COMAP.EXE
C:\Users\Bob\AppData\Local\Temp\contentDATs.exe
C:\Users\Bob\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Bob\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe
C:\Users\Bob\AppData\Local\Temp\GLF46B4.EXE
C:\Users\Bob\AppData\Local\Temp\GoogleChromeInstaller.exe
C:\Users\Bob\AppData\Local\Temp\ICBC_MW_USHIELD2_INSTALL.EXE
C:\Users\Bob\AppData\Local\Temp\o1vw_vca.dll
C:\Users\Bob\AppData\Local\Temp\ose00001.exe
C:\Users\Bob\AppData\Local\Temp\Patch.exe
C:\Users\Bob\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Bob\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Bob\AppData\Local\Temp\_is64F3.exe
C:\Users\Bob\AppData\Local\Temp\_isF86B.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Keep me posted.

Edited by nasdaq, 12 January 2016 - 10:47 AM.
Fixlist.txt edited.


#9 Ervin T (Topic Starter)
Members, 102 posts

Posted 12 January 2016 - 09:46 AM

DealFinder is a paid program. As for the password file, it shows it's from Microsoft when searching on Google. Is it safe to remove?

#10 nasdaq
Malware Response Team, 39,543 posts, Montreal, QC, Canada

Posted 12 January 2016 - 10:51 AM

I have edited my fixlist.
Dealfinder will no longer be removed.

Please run the fix and see if the proxy problem is solved.

If not then I will give you a fix to remove the password programs.

#11 Ervin T (Topic Starter)
Members, 102 posts

Posted 12 January 2016 - 12:56 PM

Here is the requested log. I will continue to check on the proxy issue today and will keep you posted. Thank you.


#12 Ervin T (Topic Starter)
Members, 102 posts

Posted 12 January 2016 - 03:27 PM

No changes to the proxy setting so far.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:31-12-2015
Ran by Bob (2016-01-12 09:44:57) Run:2
Running from C:\Users\Bob\Downloads
Loaded Profiles: Bob (Available Profiles: Bob)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
RemoveProxy:


ProxyEnable: [S-1-5-21-2896317678-674235471-4210084263-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-2896317678-674235471-4210084263-1001] => http=127.0.0.1:16110;https=127.0.0.1:16110;
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\pdf.dll => No File
CHR Plugin: (Google Gears 0.5.33.0) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\gears.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll => No File
C:\Users\Bob\AppData\Local\Temp\COMAP.EXE
C:\Users\Bob\AppData\Local\Temp\contentDATs.exe
C:\Users\Bob\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Bob\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe
C:\Users\Bob\AppData\Local\Temp\GLF46B4.EXE
C:\Users\Bob\AppData\Local\Temp\GoogleChromeInstaller.exe
C:\Users\Bob\AppData\Local\Temp\ICBC_MW_USHIELD2_INSTALL.EXE
C:\Users\Bob\AppData\Local\Temp\o1vw_vca.dll
C:\Users\Bob\AppData\Local\Temp\ose00001.exe
C:\Users\Bob\AppData\Local\Temp\Patch.exe
C:\Users\Bob\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Bob\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Bob\AppData\Local\Temp\_is64F3.exe
C:\Users\Bob\AppData\Local\Temp\_isF86B.exe

End
*****************

Restore point was successfully created.
Processes closed successfully.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  ipconfig /release =========


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::e5f6:84cb:1d0f:1004%14
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.domain.actdsltmp:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:5cf2:8c15:2c6e:db2:3f57:fef0
   Link-local IPv6 Address . . . . . : fe80::2c6e:db2:3f57:fef0%12
   Default Gateway . . . . . . . . . : ::

========= End of CMD: =========


=========  ipconfig /renew =========


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : domain.actdsltmp
   Link-local IPv6 Address . . . . . : fe80::e5f6:84cb:1d0f:1004%14
   IPv4 Address. . . . . . . . . . . : 192.168.1.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Tunnel adapter isatap.domain.actdsltmp:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:5cf2:8c15:3cd7:25c:3f57:fef0
   Link-local IPv6 Address . . . . . : fe80::3cd7:25c:3f57:fef0%12
   Default Gateway . . . . . . . . . : ::

========= End of CMD: =========


========= RemoveProxy: =========

HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

HKU\S-1-5-21-2896317678-674235471-4210084263-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-21-2896317678-674235471-4210084263-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value not found.
C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\gcswf32.dll => not found.
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\pdf.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.106\gears.dll => not found.
C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll => not found.
C:\Users\Bob\AppData\Local\Temp\COMAP.EXE => moved successfully
C:\Users\Bob\AppData\Local\Temp\contentDATs.exe => moved successfully
C:\Users\Bob\AppData\Local\Temp\dllnt_dump.dll => moved successfully
C:\Users\Bob\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe => moved successfully
C:\Users\Bob\AppData\Local\Temp\GLF46B4.EXE => moved successfully
C:\Users\Bob\AppData\Local\Temp\GoogleChromeInstaller.exe => moved successfully
C:\Users\Bob\AppData\Local\Temp\ICBC_MW_USHIELD2_INSTALL.EXE => moved successfully
C:\Users\Bob\AppData\Local\Temp\o1vw_vca.dll => moved successfully
C:\Users\Bob\AppData\Local\Temp\ose00001.exe => moved successfully
C:\Users\Bob\AppData\Local\Temp\Patch.exe => moved successfully
C:\Users\Bob\AppData\Local\Temp\SecurityScan_Release.exe => moved successfully
C:\Users\Bob\AppData\Local\Temp\SkypeSetup.exe => moved successfully
C:\Users\Bob\AppData\Local\Temp\_is64F3.exe => moved successfully
C:\Users\Bob\AppData\Local\Temp\_isF86B.exe => moved successfully
EmptyTemp: => 11.6 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 09:47:23 ====


Edited by Ervin T, 12 January 2016 - 04:41 PM.
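
The fixlog above shows what FRST's RemoveProxy actually touches (ProxyEnable, ProxyServer, and the binary DefaultConnectionSettings / SavedLegacySettings blobs under Connections, plus NlaSvc's ManualProxies) and yet the poster reports the proxy returning. When a proxy of the form http=127.0.0.1:16110 reappears after a reboot, two facts matter: some process is listening on that local port, and some autostart is rewriting the WinINET values at logon. The following PowerShell script is an added example, not part of this thread and not FRST's or Malwarebytes' code. It dumps the proxy state for every loaded user hive, decodes the Connections blobs (the layout is undocumented but well known: DWORD version, DWORD change counter, DWORD flags, then three length-prefixed ANSI strings), finds the process and service behind the port, checks its Authenticode status the way FRST's "[File not signed]" does, and lists the Run keys that could re-apply the setting. The port number is a parameter and defaults to the 16110 seen in the log; it is assumed that the same port is in use when you run it. It targets Windows 7 era Windows PowerShell (netstat instead of Get-NetTCPConnection, Get-WmiObject instead of Get-CimInstance).

```powershell
# Added example: triage a WinINET proxy that keeps coming back after RemoveProxy.
# Not from the thread or from FRST. Run from an elevated Windows PowerShell
# prompt; the suspect port defaults to the 127.0.0.1:16110 seen in the FRST log.
param([int]$SuspectPort = 16110)

$inetKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Decode-ConnectionSettings {
    # DefaultConnectionSettings / SavedLegacySettings layout (undocumented by
    # Microsoft, stable since IE5): DWORD version, DWORD change counter, DWORD
    # flags (1 direct, 2 manual proxy, 4 auto-config URL, 8 auto-detect), then
    # three length-prefixed ANSI strings: proxy server, bypass list, PAC URL.
    param([byte[]]$Blob)
    if ($null -eq $Blob -or $Blob.Length -lt 12) { return $null }
    $flags  = [BitConverter]::ToUInt32($Blob, 8)
    $pos    = 12
    $fields = @('', '', '')
    for ($i = 0; $i -lt 3 -and $pos + 4 -le $Blob.Length; $i++) {
        $len = [BitConverter]::ToInt32($Blob, $pos); $pos += 4
        if ($len -lt 0 -or $pos + $len -gt $Blob.Length) { break }
        $fields[$i] = [Text.Encoding]::ASCII.GetString($Blob, $pos, $len)
        $pos += $len
    }
    New-Object PSObject -Property @{
        ChangeCounter = [BitConverter]::ToUInt32($Blob, 4)  # increments on every rewrite
        ManualProxy   = [bool]($flags -band 2)
        AutoConfig    = [bool]($flags -band 4)
        AutoDetect    = [bool]($flags -band 8)
        ProxyServer   = $fields[0]
        BypassList    = $fields[1]
        AutoConfigUrl = $fields[2]
    }
}

# 1. Proxy values in every loaded user hive (the setting is per user, so HKCU
#    alone misses other accounts). HKEY_USERS has no default drive; map one.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userHives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+\d$' }
foreach ($hive in $userHives) {
    $base = "HKU:\$($hive.PSChildName)\$inetKey"
    if (-not (Test-Path $base)) { continue }
    $p = Get-ItemProperty $base
    "[{0}] ProxyEnable={1} ProxyServer={2}" -f $hive.PSChildName, $p.ProxyEnable, $p.ProxyServer
    $conn = Get-ItemProperty "$base\Connections" -ErrorAction SilentlyContinue
    foreach ($name in 'DefaultConnectionSettings', 'SavedLegacySettings') {
        if ($conn -and $conn.$name) {
            "  ${name}:"
            Decode-ConnectionSettings $conn.$name | Format-List | Out-String
        }
    }
}

# 2. Whatever listens on 127.0.0.1:<port> is the local process every browser
#    request is being routed through. Windows 7 lacks Get-NetTCPConnection, so
#    parse netstat; -o gives the owning PID.
$pattern = "TCP\s+\S+:$SuspectPort\s+\S+\s+LISTENING\s+(\d+)"
foreach ($m in (netstat -ano | Select-String -Pattern $pattern)) {
    $procId = [int]$m.Matches[0].Groups[1].Value
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path) {
        "Listener on port ${SuspectPort}: PID $procId $($proc.Path)"
        # FRST flagged the MR APP services as [File not signed]; same check here.
        "  Authenticode: " + (Get-AuthenticodeSignature $proc.Path).Status
    } else {
        "Listener on port ${SuspectPort}: PID $procId (path unavailable; run elevated)"
    }
    # A service hosting the PID tells you what to disable or uninstall, not just kill.
    Get-WmiObject Win32_Service -Filter "ProcessId=$procId" |
        ForEach-Object { "  Service: $($_.Name) -> $($_.PathName) (start: $($_.StartMode))" }
}

# 3. Autostarts that could re-apply the proxy at logon: machine Run keys in both
#    registry views plus the Run key of every loaded user hive.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += $userHives | ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$k : $($_.Name) = $($_.Value)" }
}
```

Save it as Find-LocalProxy.ps1 and run `powershell -ExecutionPolicy Bypass -File .\Find-LocalProxy.ps1 -SuspectPort 16110` from an elevated prompt, once before the reboot and once after. If ChangeCounter has gone up and ManualProxy is back to True, something that runs at startup rewrote the blob, and the PID and service reported under the port are the first place to look; if nothing listens on the port after the fix but the value still returns, the writer is an autostart that no longer has a working helper, and the Run key listing narrows it down. The https= entry in the log means TLS connections were tunnelled through the same local process; if sites loaded without certificate warnings while it was active, it is also worth reviewing the Trusted Root store for a certificate you did not install.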


#13 nasdaq
Malware Response Team, 39,543 posts, Montreal, QC, Canada

Posted 13 January 2016 - 08:46 AM

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit
2. Unzip the contents to a folder in a convenient location.
3. Open the folder where the contents were unzipped and run mbar.exe
4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6. Wait while the system shuts down and the cleanup process is performed.
7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
   • Internet access
   • Windows Update
   • Windows Firewall
9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10. Verify that your system is now functioning normally.

If you have any problems running either one, come back and let me know.
===

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====

Please post the logs and let me know if the problem persists.

#14 Ervin T (Topic Starter)
Members, 102 posts

Posted 13 January 2016 - 02:31 PM

No cleanup required on Malwarebytes Anti Rootkit. Unable to post the contents of Combofix as I received an error from here saying that I don't have authorization for this action.

 

 


#15 nasdaq
Malware Response Team, 39,543 posts, Montreal, QC, Canada

Posted 14 January 2016 - 09:23 AM

ComboFix removed the DealFinder program.

Is the problem with the proxy resolved?


If that did not solve your proxy problems, you can restore it.
==


If you did not remove ComboFix or its folders, then the file may still be quarantined.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:
 

DeQuarantine::
c:\program files (x86)\AA\DealFinder\DealFinder\DealFinder.exe
Quit::


Save this as CFScript.txt, in the same location as ComboFix.exe

Drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at DeQuarantine_log.txt which I will require in your next reply.

Enable your Anti virus and malware programs.


===

If the problem persists:


You will need to temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Click Options; the following options are available to you.
Select only the check boxes for the options in bold.
 

Running Processes
Installed Programs
Startup Information
FireFox look
Chrome Look
Recently created
Auto Clean


Do a Quick Scan
HijackThis log
Uninstall list
Shortcut Fix
Do a Deep Scan
Installer List
IE Default
Silent Runner
System Restore Info
Symlink Check
Reset Chrome
System Specs
Recently created
Empty Temp
Auto Clean



Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.
Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.

Make sure you Enable your AV Program.

===

Keep me posted.



