

Strange entry in LAN proxy settings, too


  • This topic is locked
26 replies to this topic

#1 castor1

castor1

  • Members
  • 16 posts
  • OFFLINE

Posted 26 January 2016 - 06:40 PM

Hello, I'm Pablo from Argentina.

Weeks ago I noticed my browser went slower and showed strange behavior.

A black "D.O.S. type" window appeared, named dnslookup, for just a second, then closed, and then my browser (Chrome) ended instantly.

I started to connect the dots and I remembered that Google Instant/Google Maps don't work anymore (the last one said: server error). I couldn't do an image search either.

 

Then I started to run CCleaner, Spybot, AVG, but the problem still persisted.

 

So, like the user in this post ( http://www.bleepingcomputer.com/forums/t/600543/strange-entry-in-lan-proxy-settings-that-i-cannot-delete/ ) I also noticed that in my LAN settings I had (Use Automatic Configuration Script) activated and, below it, this ( http://ɴ.net/proxy.pac ) also activated.

 

I could deactivate both two times, but after a while the same happens again; the problem still persists.

 


 

I'm going to do a search at the registry, to try to delete any entries I could find.

If any of you knows the solution to this, please, let me know.

Thanks in advance.

Pablo.




 


#2 castor1

castor1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE

Posted 26 January 2016 - 07:46 PM

I only found this: http://xn--koa.net/proxy.pac (and deleted it, of course)


Edited by castor1, 26 January 2016 - 07:48 PM.


#3 castor1

castor1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE

Posted 27 January 2016 - 05:07 PM

I'm going to try this.

 

Ernesto Graterol: Hey, I don't know if you found a solution to your problem. I had the same problem, and today the fix was:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
and edit the DefaultConnectionSettings and SavedLegacySettings and delete the direction, and done.

 

(https://www.facebook.com/Malwarebytes/posts/10153861019588044)
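A check for the two values the quoted fix edits by hand, added here as an example that is not part of this thread, of Malwarebytes' post, or of any tool mentioned in it. It decodes a `DefaultConnectionSettings` / `SavedLegacySettings` binary value (the layout assumed here, version, change counter, flag bits, then three DWORD-length-prefixed strings for proxy server, bypass list and PAC URL, is the community-documented one and is an assumption of this example, not something the thread states), reports an enabled "automatic configuration script", expands a punycode host to what the user sees in the dialog (the `xn--koa.net` from post #2 displays as `ɴ.net`), and rebuilds the value with the PAC entry removed, which is what deleting the address in the quoted fix amounts to. All function names are the example's own, and the sample blobs are constructed inline.

```python
import struct
import sys
from urllib.parse import urlsplit

# Flag bits in the DWORD at offset 8 of the settings blob. The whole layout
# (version, counter, flags, three length-prefixed strings, zero padding) is the
# community-documented one and is an assumption of this example.
FLAG_DIRECT = 0x01        # always set
FLAG_MANUAL_PROXY = 0x02  # "Use a proxy server for your LAN"
FLAG_AUTO_CONFIG = 0x04   # "Use automatic configuration script" (PAC URL)
FLAG_AUTO_DETECT = 0x08   # "Automatically detect settings" (WPAD)


def _read_lpstr(blob, offset):
    """Read one DWORD-length-prefixed byte string starting at offset."""
    (length,) = struct.unpack_from("<I", blob, offset)
    offset += 4
    return blob[offset:offset + length].decode("latin-1"), offset + length


def parse_connection_settings(blob):
    """Decode a DefaultConnectionSettings-style blob into its fields."""
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    proxy, offset = _read_lpstr(blob, 12)
    bypass, offset = _read_lpstr(blob, offset)
    pac_url, offset = _read_lpstr(blob, offset)
    return {
        "version": version,
        "counter": counter,
        "manual_proxy": bool(flags & FLAG_MANUAL_PROXY),
        "auto_config": bool(flags & FLAG_AUTO_CONFIG),
        "auto_detect": bool(flags & FLAG_AUTO_DETECT),
        "proxy_server": proxy,
        "bypass_list": bypass,
        "pac_url": pac_url,
    }


def build_connection_settings(flags, proxy="", bypass="", pac_url="",
                              version=0x46, counter=1):
    """Encode the same layout; used to construct sample input and the cleaned value."""
    out = struct.pack("<III", version, counter, flags)
    for text in (proxy, bypass, pac_url):
        data = text.encode("latin-1")
        out += struct.pack("<I", len(data)) + data
    return out + bytes(32)  # trailing zero padding as in real values


def idn_to_unicode(host):
    """Expand punycode labels (xn--...) to the Unicode form the dialog shows."""
    return host.encode("ascii").decode("idna")


def assess(blob):
    """Return human-readable findings for one settings blob (empty list = clean)."""
    s = parse_connection_settings(blob)
    findings = []
    if s["manual_proxy"] and s["proxy_server"]:
        findings.append("manual proxy set: %s" % s["proxy_server"])
    if s["auto_config"]:
        host = urlsplit(s["pac_url"]).hostname or ""
        note = "auto-config script enabled: %s" % s["pac_url"]
        if any(label.startswith("xn--") for label in host.split(".")):
            note += " (punycode host %s displays as %s)" % (host, idn_to_unicode(host))
        findings.append(note)
    return findings


def strip_auto_config(blob):
    """Rebuild the value with the PAC URL removed and auto-config turned off,
    keeping any manual proxy / auto-detect setting and bumping the change counter."""
    s = parse_connection_settings(blob)
    flags = FLAG_DIRECT
    if s["manual_proxy"]:
        flags |= FLAG_MANUAL_PROXY
    if s["auto_detect"]:
        flags |= FLAG_AUTO_DETECT
    return build_connection_settings(flags, s["proxy_server"], s["bypass_list"], "",
                                     s["version"], s["counter"] + 1)


def read_live_blobs():
    """On Windows, read both values named in the quoted fix from HKCU; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in ("DefaultConnectionSettings", "SavedLegacySettings"):
            try:
                out[name] = bytes(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass
    return out


if __name__ == "__main__":
    # Constructed sample: the PAC URL from post #2 with auto-config enabled.
    sample = build_connection_settings(FLAG_DIRECT | FLAG_AUTO_CONFIG,
                                       pac_url="http://xn--koa.net/proxy.pac")
    for name, blob in (read_live_blobs() or {"sample": sample}).items():
        print(name, assess(blob) or "clean")
```

Run on the affected machine it reads both registry values; anywhere else it assesses the constructed sample. Note that, as the opening post describes, a setting that keeps coming back points to something re-writing it, so clearing the value only confirms the symptom; the persistence mechanism still has to be found.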



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,173 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:19 AM

Posted 28 January 2016 - 09:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

If you still need help:

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===


Wait for further instructions.

#5 castor1

castor1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE

Posted 28 January 2016 - 08:17 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-01-2016
Ran by Usuario (administrator) on PC-DESKTOP (28-01-2016 22:02:04)
Running from C:\Descargas
Loaded Profiles: Usuario (Available Profiles: Usuario)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: Español (España, internacional)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe
(Schneider Electric) C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Schneider Electric) C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Schneider Electric) C:\Program Files (x86)\APC\PowerChute Personal Edition\apcsystray.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13213840 2012-10-26] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1804432 2015-11-10] (NVIDIA Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-16] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [3874216 2016-01-08] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Display] => C:\Program Files (x86)\APC\PowerChute Personal Edition\DataCollectionLauncher.exe [284024 2012-01-24] (Schneider Electric)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirnx.exe [179624 2016-01-12] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-738111190-3401682069-2959590613-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8591272 2015-11-16] (Piriform Ltd)
HKU\S-1-5-21-738111190-3401682069-2959590613-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-738111190-3401682069-2959590613-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\APC UPS Status.lnk [2014-12-09]
ShortcutTarget: APC UPS Status.lnk -> C:\Program Files (x86)\APC\PowerChute Personal Edition\Display.exe (Schneider Electric)
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 200.42.4.204 200.49.130.44
Tcpip\..\Interfaces\{3B1AEFE1-D1AE-4568-B0AE-5D18852F447A}: [DhcpNameServer] 200.42.4.204 200.49.130.44
 
Internet Explorer:
==================
HKU\S-1-5-21-738111190-3401682069-2959590613-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com.ar/
SearchScopes: HKLM -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-738111190-3401682069-2959590613-1000 -> DefaultScope {C31D1D69-A079-4897-89C7-928515687D2B} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_46&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutC0CyC0FyCyDtAyBtBtCyCzztBtAtD0EtN0D0Tzu0StCyEtCtAtN1L2XzutAtFtCyEtFtDtFtCtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyCtCtCtByBtA0FyCtGyEzyyDtAtG0F0AtByDtGtByBzzzytGyEyByBtCyD0AtCyDtB0DtAzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEtC0D0EyByE0DtGyDyB0AzytGyE0B0DyCtGzyzyzzzytGtAzyyDyD0AyCyCzytDyC0A0C2QtN0A0LzuyE%26cr%3D2097177588%26a%3Dwncy_gmmedply_15_46%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\S-1-5-21-738111190-3401682069-2959590613-1000 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-738111190-3401682069-2959590613-1000 -> {C31D1D69-A079-4897-89C7-928515687D2B} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_46&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutC0CyC0FyCyDtAyBtBtCyCzztBtAtD0EtN0D0Tzu0StCyEtCtAtN1L2XzutAtFtCyEtFtDtFtCtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyCtCtCtByBtA0FyCtGyEzyyDtAtG0F0AtByDtGtByBzzzytGyEyByBtCyD0AtCyDtB0DtAzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyEtC0D0EyByE0DtGyDyB0AzytGyE0B0DyCtGzyzyzzzytGtAzyyDyD0AyCyCzytDyC0A0C2QtN0A0LzuyE%26cr%3D2097177588%26a%3Dwncy_gmmedply_15_46%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-11-03] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-11-03] (Oracle Corporation)
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_235.dll [2015-12-09] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-09] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-11-03] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-11-03] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-11-05] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-11-05] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-09-26] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com.ar/
CHR StartupUrls: Default -> "hxxp://www.google.com.ar/"
CHR Profile: C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Angry Birds) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2015-04-17]
CHR Extension: (YouTube) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Striker Manager) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\chmachfiimeggafocgeldapnchdnoiib [2015-04-17]
CHR Extension: (Empty New Tab Page) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpjamkmjmigaoobjbekmfgabipmfilij [2016-01-28]
CHR Extension: (GGOAL - Multiplayer Game) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\gchpchgegkdmbbhdikfmplpllehnfnmk [2015-04-17]
CHR Extension: (MagicScroll eBook Reader) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgnmgfdoiplfmhgghbmlphanpfmjble [2014-03-04]
CHR Extension: (WGT Baseball: MLB) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpbjopfokekaencoephlgdbnljhcflhm [2015-05-19]
CHR Extension: (Call of Atlantis) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpgkbfhlaaoamhakcfhcoonfgcaihnen [2015-04-17]
CHR Extension: (The Weather Channel for Chrome) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\iflpcokdamgefbghpdipcibmhlkdopop [2015-04-17]
CHR Extension: (Cuevana Stream) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfdckejfnkaemompfjhecfmhjgnchmjg [2015-04-17]
CHR Extension: (Google Maps) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2015-09-17]
CHR Extension: (Hit The Jackpot 2) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpgfdedckkjdpmlapnndjncoogclaegk [2015-04-17]
CHR Extension: (Plants vs Zombies) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmcegpfdgcoclcdfkjahiimlikdpnina [2015-04-17]
CHR Extension: (WGT Golf Game) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpedbpkelbhcbkdaglillalioeeekbpb [2015-04-17]
CHR Extension: (Curling) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhalnajmigjnpjpdbpkpgfhekbjmolhp [2016-01-12]
CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\Usuario\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-22]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMD FUEL Service; C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe [344064 2015-07-15] (Advanced Micro Devices, Inc.) [File not signed]
R2 APC Data Service; C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe [21880 2012-01-24] (Schneider Electric)
R2 APC UPS Service; C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe [705912 2012-01-24] (Schneider Electric)
S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [627544 2016-01-08] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagent.exe [3906568 2016-01-08] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1048488 2016-01-12] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe [583936 2016-01-08] (AVG Technologies CZ, s.r.o.)
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2011-03-04] (Hewlett-Packard Company) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [3921880 2013-10-15] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1042272 2013-09-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171416 2013-09-13] (Safer-Networking Ltd.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5448976 2015-04-17] (TeamViewer GmbH)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AODDriver4.3; C:\Program Files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
S3 Apowersoft_AudioDevice; C:\Windows\System32\drivers\Apowersoft_AudioDevice.sys [31920 2013-06-02] (Wondershare)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [184240 2015-11-06] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [315312 2015-12-04] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [298416 2015-08-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [284080 2015-10-21] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [398256 2015-08-14] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [258480 2015-12-04] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [42416 2015-12-04] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [302000 2015-10-08] (AVG Technologies CZ, s.r.o.)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 motandroidusb; System32\Drivers\motoandroid.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 motport; system32\DRIVERS\motport.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-28 20:26 - 2016-01-28 22:02 - 00000000 ____D C:\FRST
2016-01-26 22:16 - 2016-01-26 22:25 - 00000000 ___SD C:\ComboFix
2016-01-26 22:16 - 2016-01-26 22:16 - 00001547 _____ C:\Users\Usuario\Desktop\JRT.txt
2016-01-26 22:16 - 2011-06-26 03:45 - 00256000 _____ C:\Windows\PEV.exe
2016-01-26 22:16 - 2010-11-07 14:20 - 00208896 _____ C:\Windows\MBR.exe
2016-01-26 22:16 - 2009-04-20 01:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-01-26 22:16 - 2000-08-30 21:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-01-26 22:16 - 2000-08-30 21:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-01-26 22:16 - 2000-08-30 21:00 - 00098816 _____ C:\Windows\sed.exe
2016-01-26 22:16 - 2000-08-30 21:00 - 00080412 _____ C:\Windows\grep.exe
2016-01-26 22:16 - 2000-08-30 21:00 - 00068096 _____ C:\Windows\zip.exe
2016-01-26 22:13 - 2016-01-26 22:13 - 00000000 ____D C:\Windows\erdnt
2016-01-06 13:59 - 2016-01-06 13:59 - 00000862 _____ C:\Users\Public\Desktop\AVG.lnk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-28 22:02 - 2013-11-19 17:34 - 00000000 ____D C:\Temp
2016-01-28 21:59 - 2013-11-19 17:37 - 00000000 ____D C:\Descargas
2016-01-28 21:54 - 2009-07-14 01:45 - 00026768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-28 21:54 - 2009-07-14 01:45 - 00026768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-28 21:45 - 2015-11-13 10:39 - 00000000 ____D C:\ProgramData\NVIDIA
2016-01-28 21:45 - 2013-11-19 17:41 - 00000000 ____D C:\ProgramData\MFAData
2016-01-28 21:45 - 2009-07-14 02:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-28 21:44 - 2014-01-05 03:46 - 00000000 ____D C:\AdwCleaner
2016-01-28 18:00 - 2015-12-27 22:01 - 00000380 _____ C:\Windows\Tasks\WinRAR Update.job
2016-01-27 20:06 - 2014-12-31 04:59 - 00021201 _____ C:\Windows\SysWOW64\PCPELog.txt
2016-01-27 18:23 - 2013-11-19 18:00 - 00000000 ____D C:\Users\Usuario\AppData\Roaming\uTorrent
2016-01-27 18:23 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\inf
2016-01-26 22:35 - 2013-11-19 20:42 - 00001209 _____ C:\Users\Usuario\AppData\Roaming\Microsoft\Windows\Start Menu\GOM Player.lnk
2016-01-26 22:35 - 2013-11-19 20:42 - 00001185 _____ C:\Users\Public\Desktop\GOM Player.lnk
2016-01-26 22:24 - 2013-11-19 15:23 - 00000000 ____D C:\Users\Usuario
2016-01-26 05:00 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\system32\NDF
2016-01-22 14:52 - 2014-03-26 16:22 - 00000000 ____D C:\Users\Usuario\Desktop\My Shared Folder
2016-01-21 02:50 - 2015-12-03 08:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2016-01-21 02:49 - 2013-11-19 17:50 - 00000000 ___HD C:\$AVG
2016-01-17 18:35 - 2015-05-25 13:01 - 00000000 ____D C:\Program Files (x86)\Motorola Mobility
2016-01-17 18:35 - 2013-11-19 18:34 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-01-14 21:09 - 2015-12-27 18:59 - 00000000 ____D C:\Comics
2016-01-06 13:59 - 2015-12-03 08:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen
2016-01-06 11:32 - 2015-03-08 13:06 - 00000521 _____ C:\Users\Usuario\Desktop\aMule.lnk
2016-01-06 11:20 - 2009-07-14 02:08 - 00032630 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-01-03 04:16 - 2015-12-21 10:21 - 00002214 _____ C:\Users\Usuario\Desktop\x11.txt
2015-12-29 16:47 - 2013-11-19 18:03 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
 
==================== Files in the root of some directories =======
 
2015-04-02 14:51 - 2015-08-06 02:18 - 0001099 _____ () C:\Users\Usuario\AppData\Roaming\burnaware.ini
2013-12-22 18:12 - 2013-12-22 18:32 - 0000166 _____ () C:\Users\Usuario\AppData\Roaming\PLGComp.ini
2015-11-14 10:30 - 2015-11-14 10:30 - 0000041 _____ () C:\Users\Usuario\AppData\Roaming\WB.CFG
2013-11-27 02:45 - 2016-01-27 00:31 - 0031744 _____ () C:\Users\Usuario\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-12-22 18:13 - 2013-12-22 18:13 - 0002185 _____ () C:\Users\Usuario\AppData\Local\recently-used.xbel
2014-10-11 03:04 - 2014-10-11 03:04 - 0000020 _____ () C:\ProgramData\bc.ini
 
Files to move or delete:
====================
C:\Users\Usuario\en_res.dll
C:\Users\Usuario\es_res.dll
C:\Users\Usuario\fr_res.dll
C:\Users\Usuario\grm_res.dll
C:\Users\Usuario\it_res.dll
C:\Users\Usuario\jp_res.dll
C:\Users\Usuario\mfc80u.dll
C:\Users\Usuario\msvcr80.dll
C:\Users\Usuario\PCPE Setup.exe
C:\Users\Usuario\pt_res.dll
C:\Users\Usuario\ru_res.dll
C:\Users\Usuario\zh_res.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-01-19 03:12
 
==================== End of FRST.txt ============================




#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,173 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:19 AM

Posted 29 January 2016 - 08:32 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below into the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-738111190-3401682069-2959590613-1000\...\Run: [AdobeBridge] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-738111190-3401682069-2959590613-1000 -> DefaultScope {C31D1D69-A079-4897-89C7-928515687D2B} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_46&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutC0CyC0FyCyDtAyBtBtCyCzztBtAtD0EtN0D0Tzu0StCyEtCtAtN1L2XzutAtFtCyEtFtDtFtCtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyCtCtCtByBtA0FyCtGyEzyyDtAtG0F0AtByDtGtByBzzzytGyEyByBtCyD0AtCyDtB0Dt... (long line)
SearchScopes: HKU\S-1-5-21-738111190-3401682069-2959590613-1000 -> {C31D1D69-A079-4897-89C7-928515687D2B} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_46&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutC0CyC0FyCyDtAyBtBtCyCzztBtAtD0EtN0D0Tzu0StCyEtCtAtN1L2XzutAtFtCyEtFtDtFtCtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyCtCtCtByBtA0FyCtGyEzyyDtAtG0F0AtByDtGtByBzzzytGyEyByBtCyD0AtCyDtB0DtAzy2QtN1M1F1B... (long line)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 motandroidusb; System32\Drivers\motoandroid.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 motport; system32\DRIVERS\motport.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-738111190-3401682069-2959590613-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\wdigest.dll => No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Control Panel > Programs and Features applet.
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)

===

Please post the logs and let me know if the problem persists.

#7 castor1

castor1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE

Posted 29 January 2016 - 09:50 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:27-01-2016
Ran by Usuario (2016-01-29 11:40:53) Run:1
Running from C:\Descargas
Loaded Profiles: Usuario (Available Profiles: Usuario)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
 
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-738111190-3401682069-2959590613-1000\...\Run: [AdobeBridge] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-738111190-3401682069-2959590613-1000 -> DefaultScope {C31D1D69-A079-4897-89C7-928515687D2B} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_46&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutC0CyC0FyCyDtAyBtBtCyCzztBtAtD0EtN0D0Tzu0StCyEtCtAtN1L2XzutAtFtCyEtFtDtFtCtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyCtCtCtByBtA0FyCtGyEzyyDtAtG0F0AtByDtGtByBzzzytGyEyByBtCyD0AtCyDtB0Dt... (long line)
SearchScopes: HKU\S-1-5-21-738111190-3401682069-2959590613-1000 -> {C31D1D69-A079-4897-89C7-928515687D2B} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_46&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutC0CyC0FyCyDtAyBtBtCyCzztBtAtD0EtN0D0Tzu0StCyEtCtAtN1L2XzutAtFtCyEtFtDtFtCtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyCtCtCtByBtA0FyCtGyEzyyDtAtG0F0AtByDtGtByBzzzytGyEyByBtCyD0AtCyDtB0DtAzy2QtN1M1F1B... (long line)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 motandroidusb; System32\Drivers\motoandroid.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 motport; system32\DRIVERS\motport.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-738111190-3401682069-2959590613-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\wdigest.dll => No File <==== ATTENTION
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
HKU\S-1-5-21-738111190-3401682069-2959590613-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKU\S-1-5-21-738111190-3401682069-2959590613-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-738111190-3401682069-2959590613-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C31D1D69-A079-4897-89C7-928515687D2B}" => key removed successfully
HKCR\CLSID\{C31D1D69-A079-4897-89C7-928515687D2B} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
catchme => service removed successfully
motandroidusb => service removed successfully
motmodem => service removed successfully
motport => service removed successfully
VGPU => service removed successfully
"HKU\S-1-5-21-738111190-3401682069-2959590613-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}" => key removed successfully
EmptyTemp: => 368.6 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 11:41:42 ====


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,173 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:19 AM

Posted 29 January 2016 - 11:36 AM

Did you run the Malwarebytes tool?

Is the problem persisting?

#9 castor1

castor1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE

Posted 29 January 2016 - 11:40 AM

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Fecha del análisis: 29/01/2016
Hora del análisis: 12:40 p.m.
Archivo de registro: lo que habia.txt
Administrador: Sí
 
Versión: 2.2.0.1024
Base de datos de malwares: v2016.01.29.04
Base de datos de rootkits: v2016.01.20.01
Licencia: Prueba
Protección contra el malware: Activado
Protección contra sitios web maliciosos: Activado
Autoprotección: Desactivado
 
SO: Windows 7 Service Pack 1
CPU: x64
Sistema de archivos: NTFS
Usuario: Usuario
 
Tipo de análisis: Análisis de amenazas
Resultado: Completado
Objetos analizados: 377341
Tiempo transcurrido: 38 min, 35 seg
 
Memoria: Activado
Inicio: Activado
Sistema de archivos: Activado
Archivo: Activado
Rootkits: Activado
Heurística: Activado
PUP: Activado
PUM: Activado
 
Procesos: 0
(No hay elementos maliciosos detectados)
 
Módulos: 0
(No hay elementos maliciosos detectados)
 
Claves del registro: 2
PUP.Optional.MultiPlug, HKU\S-1-5-21-738111190-3401682069-2959590613-1000_Classes\TYPELIB\{157B1AA6-3E5C-404A-9118-C1D91F537040}, , [284076c91d7c1a1c9a93be4871932cd4], 
PUP.Optional.MultiPlug, HKU\S-1-5-21-738111190-3401682069-2959590613-1000_Classes\INTERFACE\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}, , [284076c91d7c1a1c9a93be4871932cd4], 
 
Valores del registro: 1
Hijack.AutoConfigURL, HKU\S-1-5-21-738111190-3401682069-2959590613-1000\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/proxy.pac, , [8fd9c37c7d1c3204ed8c934c52b0ed13]
 
Datos del registro: 0
(No hay elementos maliciosos detectados)
 
Carpetas: 2
PUP.Optional.ShoppingSuggestion, C:\Program Files (x86)\Shopping Suggestion, , [0e5ae45bfa9f0a2c4670d21a0af95fa1], 
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}, , [0f59f54aadec8fa71526a407639f22de], 
 
Archivos: 7
PUP.Optional.ShoppingSuggestion, C:\Program Files (x86)\Shopping Suggestion\Shopping Suggestion.dll, , [ca9ec8777e1b72c4faf3e2564db436ca], 
PUP.Optional.APNToolBar, C:\Users\Usuario\Downloads\SFInstaller_ASG_aresgalaxy_11015365_.exe, , [1e4ab48b9ffa0333bd6388ab699803fd], 
PUP.Optional.RKN, C:\Users\Usuario\Downloads\CoolDATToFLVConverterSetup.exe, , [5513a59ac2d7f44253ef90d716eb8c74], 
PUP.Optional.ShoppingSuggestion, C:\Program Files (x86)\Shopping Suggestion\Microsoft.mshtml.dll, , [0e5ae45bfa9f0a2c4670d21a0af95fa1], 
PUP.Optional.ShoppingSuggestion, C:\Program Files (x86)\Shopping Suggestion\Interop.SHDocVw.dll, , [0e5ae45bfa9f0a2c4670d21a0af95fa1], 
PUP.Optional.ShoppingSuggestion, C:\Program Files (x86)\Shopping Suggestion\{D394D188-BAC7-4e03-8FAF-389A4D7EC6F4}.xpi, , [0e5ae45bfa9f0a2c4670d21a0af95fa1], 
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a, , [0f59f54aadec8fa71526a407639f22de], 
 
Sectores físicos: 0
(No hay elementos maliciosos detectados)
 
 
(end)


#10 castor1

castor1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE

Posted 29 January 2016 - 11:43 AM

Did you run the Malwarebytes tool?

Is the problem persisting?

 

Thank you very much for your guidance.

I'm going to check the next hours if it's ok and then I will post the results.

Now, I'm going to update Java.



#11 castor1

castor1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE

Posted 29 January 2016 - 04:05 PM

The address http://ɴ.net/proxy.pac continues.

It didn't work.

Thanks for everything.



#12 castor1

castor1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE

Posted 29 January 2016 - 04:36 PM

Running CCleaner, at C:/Users/User/Appdata/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5 I see there's a file named counters.dat that I cannot delete, and also inside Content.IE5, once I deleted everything, two folders regenerate automatically (6H9TBOM3 and GTBI1MVK); both folders have the file clients[1].txt inside. This file deletes itself and regenerates over and over. Inside the .txt there's a number one.

 

I never use the IE browser. Today I opened it to update Java to the latest version like the message said.


Edited by castor1, 29 January 2016 - 04:47 PM.


#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,173 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:19 AM

Posted 30 January 2016 - 07:57 AM


Did you run the MBAM tool and clean everything?
The proxy.pac should have been removed.

Valores del registro: 1
Hijack.AutoConfigURL, HKU\S-1-5-21-738111190-3401682069-2959590613-1000\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://xn--koa.net/proxy.pac, , [8fd9c37c7d1c3204ed8c934c52b0ed13]

Restart the computer normally after cleaning everything with MBAM.

If the problem persists, continue.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64-bit, download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings /sub
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===


Post the SystemLook.txt file for my review.
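The check nasdaq asks for above (look at the Internet Settings key for a lingering AutoConfigURL) can be scripted. The block below is an added example written for this thread; it is not part of SystemLook, Malwarebytes or any BleepingComputer tool. It assumes you have a `.reg`-style export of the key (the constructed `SAMPLE_REG_EXPORT` stands in for one), reports every value that steers WinINet/IE/Chrome proxy selection, and decodes punycode (`xn--`) hostnames. That decoding is why the first post shows `http://ɴ.net/proxy.pac` while the Malwarebytes log shows `http://xn--koa.net/proxy.pac`: the browser displays the Unicode form, the registry stores the ASCII form, and both are the same look-alike host.

```python
"""Audit Windows proxy auto-configuration (PAC) settings for hijacks.

Added example for this thread (not a BleepingComputer or SystemLook tool):
parses a .reg-style export of the Internet Settings key, reports every
value that steers proxy selection, and decodes punycode ("xn--") hostnames
so a look-alike domain such as xn--koa.net is shown as the Unicode name
(U+0274 "small capital N" + ".net") that the browser displays.
"""
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the hijacked value from the Malwarebytes log
# in this thread (HKCU\...\Internet Settings|AutoConfigURL).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"MigrateProxy"=dword:00000001
"AutoConfigURL"="http://xn--koa.net/proxy.pac"
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def _decode_value(raw):
    """Turn a .reg right-hand side into a Python value (strings and dwords only)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) blobs and other types are kept verbatim


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from a .reg-format export."""
    settings, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            settings.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            settings[current][value_match.group("name")] = _decode_value(value_match.group("raw"))
    return settings


def decode_idn_host(host):
    """Decode each xn-- label of a hostname; return (unicode_host, used_punycode)."""
    labels, used_punycode = [], False
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
            used_punycode = True
        else:
            labels.append(label)
    return ".".join(labels), used_punycode


def audit_proxy_settings(settings):
    """List proxy-steering values: PAC URLs (with IDN decoding) and enabled static proxies."""
    findings = []
    for key, values in settings.items():
        pac_url = values.get("AutoConfigURL")
        if pac_url:
            host = urlsplit(pac_url).hostname or ""
            unicode_host, used_punycode = decode_idn_host(host)
            if used_punycode:
                note = "PAC host is punycode; the browser shows it as %r" % unicode_host
            else:
                note = "PAC script configured; confirm it is expected"
            findings.append({
                "key": key, "value": "AutoConfigURL", "setting": pac_url,
                "host": unicode_host, "punycode": used_punycode, "note": note,
            })
        if values.get("ProxyEnable") and values.get("ProxyServer"):
            findings.append({
                "key": key, "value": "ProxyServer", "setting": values["ProxyServer"],
                "host": values["ProxyServer"], "punycode": False,
                "note": "static proxy enabled; confirm it is expected",
            })
    return findings


if __name__ == "__main__":
    for f in audit_proxy_settings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("%s\\%s = %s -> %s" % (f["key"], f["value"], f["setting"], f["note"]))
```

On a live machine the input would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" out.reg`; the same key under `HKLM\Software\Policies\...` (the one SystemLook is asked to dump with `/sub`) can be exported and fed through the same parser. Any `AutoConfigURL` the user did not set, and any punycode host in it, is the value to clear before checking whether it comes back, as it did earlier in this thread.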

#14 castor1

castor1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE

Posted 30 January 2016 - 08:21 AM

Yes, I did all the reboots in time.

After I ran Spybot, deleted everything, and rebooted again, the problem stopped (for now).

Thank you very much.



#15 castor1

castor1
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE

Posted 30 January 2016 - 08:24 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 10:24 on 30/01/2016 by Usuario
Administrator - Elevation successful
 
========== reg ==========
 
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
(No values found)
 
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
(No values found)
 
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"IE5_UA_Backup_Flag"="5.0"
"User Agent"="Mozilla/4.0 (compatible; MSIE; Win32)"
"EmailName"="IEUser@"
"PrivDiscUiShown"= 0x0000000001 (1)
"EnableHttp1_1"= 0x0000000001 (1)
"WarnOnIntranet"= 0x0000000001 (1)
"MimeExclusionListForCache"="multipart/mixed multipart/x-mixed-replace multipart/x-byteranges "
"AutoConfigProxy"="wininet.dll"
"UseSchannelDirectly"=01 00 00 00  (REG_BINARY)
"WarnOnPost"=01 00 00 00  (REG_BINARY)
"UrlEncoding"= 0x0000000000 (0)
"SecureProtocols"= 0x0000000a80 (2688)
"PrivacyAdvanced"= 0x0000000000 (0)
"ZonesSecurityUpgrade"=3a 99 6d 13 c3 e5 ce 01  (REG_BINARY)
"DisableCachingOfSSLPages"= 0x0000000000 (0)
"WarnonZoneCrossing"= 0x0000000000 (0)
"CertificateRevocation"= 0x0000000001 (1)
"EnableNegotiate"= 0x0000000001 (1)
"MigrateProxy"= 0x0000000001 (1)
"ProxyEnable"= 0x0000000000 (0)
"ProxyHttp1.1"= 0x0000000001 (1)
"EnablePunycode"= 0x0000000001 (1)
"DisableIDNPrompt"= 0x0000000000 (0)
"ShowPunycode"= 0x0000000000 (0)
"WarnOnPostRedirect"= 0x0000000001 (1)
"WarnonBadCertRecving"= 0x0000000001 (1)
"EnableAutodial"= 0x0000000000 (0)
"NoNetAutodial"= 0x0000000000 (0)
"EnableSPDY3_0"= 0x0000000000 (0)
"BackgroundConnections"= 0x0000000001 (1)
"CreateUriCacheSize"= 0x0000000050 (80)
"CoInternetCombineIUriCacheSize"= 0x0000000050 (80)
"SecurityIdIUriCacheSize"= 0x000000001e (30)
"SpecialFoldersCacheSize"= 0x0000000008 (8)
"SyncMode5"= 0x0000000004 (4)
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Activities]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CACHE]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WebSocket]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
 
 
-= EOF =-
