Malwarebytes gives popup on blocking http://wpad.browsersecurity.info


This topic is locked
7 replies to this topic

#1 Zachariah (Members, 18 posts)

Posted 02 August 2016 - 01:38 AM

My computer, running Windows 7, started giving trouble with the internet connection: "The proxy server not responding. The device or resource (web proxy) is not set up to accept connections on port "8080"." The issue gets fixed in Google Chrome when I run a full scan in Malwarebytes (other anti-virus/anti-malware tools like MS Security Essentials or 360 Total Security couldn't help).

But whenever I am connected to the internet, Malwarebytes keeps giving a pop-up: "Malicious website blocked - wpad.browsersecurity.info". When I disabled the online protection of Malwarebytes, the proxy error appeared again, and I could see the following entries in the registry:

Key -> HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\Internet Settings\Wpad\<key value>\
Value Name -> WpadDetectedUrl

Key -> HKEY_USERS\S-1-5-21-2008440364-1844915008-329570366-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\software\microsoft\windows\CurrentVersion\Internet Settings\Wpad\<key value>\
Value Name -> WpadDetectedUrl

If I delete the WpadDetectedUrl value, the browser gets connected to the internet via the router.
But I can see (in Task Manager) that many instances of iexplorer/chrome are being created, and each time Malwarebytes (when enabled) gives a pop-up saying "Malicious website blocked - wpad.browsersecurity.info".

I tried many anti-malware tools like RogueKiller, ComboFix, FRS, SUPERAntiSpyware etc., but nothing could help detect/remove that malware.
No similar software is found in Control Panel / browser extensions.

I am running the trial version of Malwarebytes, where the real-time protection ends after a few days, and then obviously the WPAD proxy settings will be changed again. As long as Malwarebytes blocks access to http://wpad.browsersecurity.info, my browser gets connected to the proxy/router.
Please help me to remove this malware, as this is becoming a blocking issue for me. Also advise me whether it is necessary to purchase the Pro version of Malwarebytes. Microsoft Security Essentials or 360 Total Security real-time protection cannot block these malicious websites. As long as this malware exists on my computer, it will try to connect to http://wpad.browsersecurity.info, and if access is not blocked, the WPAD proxy settings will be changed and the internet connection will be stopped.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-07-2016
Ran by moncy (administrator) on MONCY-PC (01-08-2016 22:53:38)
Running from E:\sheba\2. downloads\MALWRES\Anti-Malwares\FRST
Loaded Profiles: moncy (Available Profiles: moncy & Classic .NET AppPool & WeSites & DefaultAppPool)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files\360\Total Security\safemon\QHActiveDefense.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Google Inc) C:\Program Files\Google\Google Input Tools\GoogleInputService.exe
() C:\ProgramData\DatacardService\HWDeviceService.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe
() C:\ProgramData\MobileBrServ\mbbService.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files\360\Total Security\safemon\QHWatchdog.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Google Inc.) C:\Program Files\Google\Google Input Tools\GoogleInputHandler.exe
(Huawei Technologies Co., Ltd.) C:\ProgramData\DatacardService\DCSHelper.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe
(Primax Electronics Ltd.) C:\Windows\System32\ico.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
() C:\Windows\System32\FSRremoS.EXE
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApntEx.exe
(hxxp://tortoisesvn.net) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Hidfind.exe
(hxxp://tortoisesvn.net) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Dropbox, Inc.) C:\Users\moncy\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
() C:\Program Files\RogueKiller\RogueKiller.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3540 series\Bin\HPNetworkCommunicatorCom.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files\360\Total Security\safemon\QHSafeTray.exe
(ES-Computing) C:\Program Files\EditPlus 3\editplus.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1697064 2010-02-18] (Synaptics Incorporated)
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [251248 2010-06-09] (Alps Electric Co., Ltd.)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [986872 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [Mouse Suite 98 Daemon] => C:\Windows\system32\ICO.EXE [57344 2004-07-14] (Primax Electronics Ltd.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [QHSafeTray] => C:\Program Files\360\Total Security\safemon\QHSafeTray.exe [1838504 2016-07-11] (QIHU 360 SOFTWARE CO. LIMITED)
HKU\S-1-5-21-2008440364-1844915008-329570366-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6602152 2015-11-16] (Piriform Ltd)
HKU\S-1-5-21-2008440364-1844915008-329570366-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6825888 2016-07-20] (SUPERAntiSpyware)
HKU\S-1-5-21-2008440364-1844915008-329570366-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [878592 2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [1TortoiseNormal] -> {C5994560-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [2TortoiseModified] -> {C5994561-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [3TortoiseConflict] -> {C5994562-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [4TortoiseLocked] -> {C5994563-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [5TortoiseReadOnly] -> {C5994564-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [6TortoiseDeleted] -> {C5994565-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [7TortoiseAdded] -> {C5994566-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [8TortoiseIgnored] -> {C5994567-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [9TortoiseUnversioned] -> {C5994568-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\moncy\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\moncy\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\moncy\AppData\Roaming\Dropbox\bin\DropboxExt.34.dll [2016-07-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [SmartFTP Drop] -> {EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD} => C:\Program Files\SmartFTP Client\ShellTools.dll [2015-09-14] (SmartSoft Ltd.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2012-08-10]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\moncy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2016-07-25]
ShortcutTarget: Dropbox.lnk -> C:\Users\moncy\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\moncy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3540 series (Network).lnk [2016-08-01]
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 3540 series (Network).lnk -> C:\Program Files\HP\HP Deskjet 3540 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
Tcpip\..\Interfaces\{17767F5A-5DD8-4D45-8A03-E57C69016103}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{4E8F7494-8813-432B-AB2B-EF8FA8E4FD1F}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{C242324F-E53C-491A-BA7F-0E012435AFE6}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{F6A0DB1B-7F63-436A-BCC8-A7BC86EE8B16}: [DhcpNameServer] 10.0.0.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2008440364-1844915008-329570366-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-2008440364-1844915008-329570366-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-12-19] (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-06] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-06] (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2013-10-08] (Adblock Plus)
Toolbar: HKU\S-1-5-21-2008440364-1844915008-329570366-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\moncy\AppData\Roaming\Mozilla\Firefox\Profiles\je0r4ssa.default-1469813790698
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-25] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2012-10-31] ()
FF Plugin: @itstructures.com/ffactivex -> C:\Program Files\Firefox ActiveX Plugin\npffax.dll [2011-12-28] ()
FF Plugin: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-06] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-06] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2012-12-19] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [WebProtection@360safe.com] - C:\Program Files\360\Total Security\safemon\webprotection_firefox
FF Extension: 360 Internet Protection - C:\Program Files\360\Total Security\safemon\webprotection_firefox [2016-07-28]
 
Chrome: 
=======
CHR Profile: C:\Users\moncy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\moncy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-01-26]
CHR Extension: (Google Docs) - C:\Users\moncy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-01-26]
CHR Extension: (Google Sheets) - C:\Users\moncy\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-01-26]
CHR Extension: (Google Docs Offline) - C:\Users\moncy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-21]
CHR Extension: (360 Internet Protection) - C:\Users\moncy\AppData\Local\Google\Chrome\User Data\Default\Extensions\glcimepnljoholdmjchkloafkggfoijh [2016-07-29]
CHR Extension: (Furniture Guru) - C:\Users\moncy\AppData\Local\Google\Chrome\User Data\Default\Extensions\lopcjmbilgeapfldddijpgpahphngjdk [2016-07-07]
CHR Extension: (Chrome Web Store Payments) - C:\Users\moncy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR HKLM\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [glcimepnljoholdmjchkloafkggfoijh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pgoackgjjkpbkjoomkklkofbhpkbeboc] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pgoackgjjkpbkjoomkklkofbhpkbeboc] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-23] (SUPERAntiSpyware.com)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [279000 2014-01-29] (Intel Corporation)
S3 fussvc; C:\Program Files\Windows Kits\8.1\App Certification Kit\fussvc.exe [140800 2014-02-19] (Microsoft Corporation) [File not signed]
R2 GoogleInputService; C:\Program Files\Google\Google Input Tools\GoogleInputService.exe [164888 2015-01-26] (Google Inc)
R2 HWDeviceService.exe; C:\ProgramData\DatacardService\HWDeviceService.exe [264704 2010-11-16] () [File not signed]
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [13824 2009-07-14] (Microsoft Corporation)
R2 IpOverUsbSvc; C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe [22744 2014-10-15] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.334\McCHSvc.exe [239880 2016-05-31] (McAfee, Inc.)
S3 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
R2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [239184 2014-02-15] ()
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2016-01-29] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
S4 msvsmon90; C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [3201024 2008-07-29] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [292816 2016-01-29] (Microsoft Corporation)
R2 QHActiveDefense; C:\Program Files\360\Total Security\safemon\QHActiveDefense.exe [913832 2016-07-11] (QIHU 360 SOFTWARE CO. LIMITED)
S4 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [272024 2007-05-14] ()
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [797352 2016-08-01] (Enigma Software Group USA, LLC.)
S3 Te.Service; C:\Program Files\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [91136 2013-08-21] (Microsoft Corporation) [File not signed]
S4 UDisk Monitor; C:\Program Files\ZTE High Speed Data MODEM\bin\MonServiceUDisk.exe [262144 2009-01-09] () [File not signed]
S3 VsEtwService120; C:\Program Files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [73360 2014-07-23] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker.sys [135400 2016-07-11] (360.cn)
R3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [66128 2016-07-11] (360.cn)
R1 360Box; C:\Windows\System32\DRIVERS\360Box.sys [212712 2016-07-11] (360.cn)
R1 360Camera; C:\Windows\System32\Drivers\360Camera.sys [34888 2016-07-11] (360.cn)
R1 360SelfProtection; C:\Windows\System32\drivers\360SelfProtection.sys [189160 2016-07-11] (360安全中心)
R1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV.sys [177232 2016-07-11] (360.cn)
S3 BTWAMPFL; C:\Windows\System32\DRIVERS\btwampfl.sys [302120 2011-02-08] (Broadcom Corporation.)
R1 EfiMon; C:\Windows\System32\Drivers\Efimon.sys [23248 2016-07-11] (360.cn)
R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [16432 2016-08-01] (Enigma Software Group USA, LLC.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [19984 2016-08-01] ()
R0 HookPort; C:\Windows\System32\Drivers\Hookport.sys [72936 2016-07-11] (360安全中心)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-08-01] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [253704 2015-11-13] (Microsoft Corporation)
S3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16384 2003-01-10] (Primax Electronics Ltd.)
S3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [9216 2003-02-11] (Primax Electronics Ltd.)
R1 qutmdserv; C:\Windows\System32\DRIVERS\qutmdrv.sys [313448 2016-07-11] (360.cn)
R1 qutmipc; C:\Windows\system32\drivers\qutmipc.sys [64872 2016-07-11] (360.cn)
S3 rimvndis; C:\Windows\System32\Drivers\rimvndis6.sys [14336 2014-06-23] (Research in Motion Limited)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-08-01] ()
S3 ztemtusbser; C:\Windows\System32\DRIVERS\CT_ZTEMT_U_USBSER.sys [104576 2008-12-31] (ZTEMT Incorporated)
S3 catchme; \??\C:\Users\moncy\AppData\Local\Temp\catchme.sys [X]
S1 ehrrdmzs; \??\C:\Windows\system32\drivers\ehrrdmzs.sys [X]
S1 ejvmqxuy; \??\C:\Windows\system32\drivers\ejvmqxuy.sys [X]
S1 ijnittge; \??\C:\Windows\system32\drivers\ijnittge.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-01 14:30 - 2016-08-01 14:30 - 00001200 _____ C:\Users\moncy\Desktop\SpyHunter.lnk
2016-08-01 14:30 - 2016-08-01 14:30 - 00000000 ____D C:\Users\moncy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2016-08-01 14:30 - 2016-08-01 14:30 - 00000000 ____D C:\Users\moncy\AppData\Roaming\Enigma Software Group
2016-08-01 14:30 - 2016-08-01 14:30 - 00000000 ____D C:\sh4ldr
2016-08-01 14:29 - 2016-08-01 14:29 - 00019984 _____ C:\Windows\system32\Drivers\EsgScanner.sys
2016-08-01 14:29 - 2016-08-01 14:29 - 00000000 ____D C:\Program Files\Enigma Software Group
2016-08-01 13:15 - 2016-08-01 13:15 - 00000000 ____D C:\SUPERDelete
2016-08-01 12:34 - 2016-08-01 20:34 - 00000510 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 63bc5948-df28-4b98-b7f8-6722d0722994.job
2016-08-01 12:34 - 2016-08-01 13:57 - 00000510 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task bd8212b5-3fb4-4ea1-be13-a3ec3679f271.job
2016-08-01 12:34 - 2016-08-01 12:34 - 00000000 ____D C:\Users\moncy\AppData\Roaming\SUPERAntiSpyware.com
2016-08-01 12:33 - 2016-08-01 12:34 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-08-01 12:33 - 2016-08-01 12:33 - 00001921 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2016-08-01 12:33 - 2016-08-01 12:33 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-08-01 12:33 - 2016-08-01 12:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-08-01 12:11 - 2016-08-01 12:12 - 00226426 _____ C:\TDSSKiller.3.1.0.9_01.08.2016_12.11.37_log.txt
2016-08-01 11:52 - 2016-07-31 23:43 - 00388608 _____ (Trend Micro Inc.) C:\Users\moncy\Desktop\HijackThis.exe
2016-08-01 10:21 - 2016-08-01 10:21 - 00000925 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-08-01 10:21 - 2016-08-01 10:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-08-01 10:21 - 2016-08-01 10:21 - 00000000 ____D C:\Program Files\CCleaner
2016-08-01 07:13 - 2016-08-01 07:13 - 00027729 _____ C:\ComboFix.txt
2016-08-01 07:00 - 2016-08-01 00:11 - 05659746 ____R (Swearware) C:\Users\moncy\Desktop\ComboFix.exe
2016-08-01 00:41 - 2011-06-26 12:15 - 00256000 _____ C:\Windows\PEV.exe
2016-08-01 00:41 - 2010-11-07 22:50 - 00208896 _____ C:\Windows\MBR.exe
2016-08-01 00:41 - 2009-04-20 10:26 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-08-01 00:41 - 2000-08-31 05:30 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-08-01 00:41 - 2000-08-31 05:30 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-08-01 00:41 - 2000-08-31 05:30 - 00098816 _____ C:\Windows\sed.exe
2016-08-01 00:41 - 2000-08-31 05:30 - 00080412 _____ C:\Windows\grep.exe
2016-08-01 00:41 - 2000-08-31 05:30 - 00068096 _____ C:\Windows\zip.exe
2016-08-01 00:34 - 2016-08-01 07:13 - 00000000 ____D C:\Qoobox
2016-08-01 00:34 - 2016-08-01 06:48 - 00000000 ____D C:\Windows\erdnt
2016-07-31 23:46 - 2016-08-01 22:53 - 00000000 ____D C:\FRST
2016-07-30 17:36 - 2016-07-30 17:36 - 00001210 _____ C:\Users\moncy\Desktop\JRT.txt
2016-07-30 17:27 - 2016-07-30 17:29 - 00444690 _____ C:\TDSSKiller.3.1.0.9_30.07.2016_17.27.48_log.txt
2016-07-30 13:41 - 2016-07-30 14:47 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-07-30 13:32 - 2016-07-30 14:47 - 00000000 ____D C:\Users\moncy\Desktop\mbar
2016-07-30 12:05 - 2016-07-30 12:05 - 00002173 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-07-30 12:05 - 2016-07-30 12:05 - 00002161 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-07-30 11:17 - 2016-08-01 17:01 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-07-30 11:15 - 2016-07-30 11:15 - 00000961 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2016-07-30 11:15 - 2016-07-30 11:15 - 00000000 ____D C:\ProgramData\RogueKiller
2016-07-30 11:15 - 2016-07-30 11:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2016-07-30 11:15 - 2016-07-30 11:15 - 00000000 ____D C:\Program Files\RogueKiller
2016-07-30 00:19 - 2016-07-30 10:09 - 00063522 ____H C:\Users\moncy\Desktop\~WRL2396.tmp
2016-07-29 23:06 - 2016-07-29 23:06 - 00000000 ____D C:\Users\moncy\Desktop\Old Firefox Data
2016-07-29 21:55 - 2016-07-29 21:55 - 00435488 _____ C:\Windows\system32\FNTCACHE.DAT
2016-07-29 21:07 - 2016-07-29 21:07 - 00115240 _____ C:\Users\moncy\AppData\Local\GDIPFONTCACHEV1.DAT
2016-07-29 09:51 - 2016-06-11 10:18 - 00346320 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-07-29 09:51 - 2016-06-11 00:39 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-07-29 09:51 - 2016-06-11 00:39 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-07-29 09:51 - 2016-06-11 00:24 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-07-29 09:51 - 2016-06-11 00:23 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-07-29 09:51 - 2016-06-11 00:23 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-07-29 09:51 - 2016-06-11 00:23 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-07-29 09:51 - 2016-06-11 00:22 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-07-29 09:51 - 2016-06-11 00:17 - 02287104 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-07-29 09:51 - 2016-06-11 00:16 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-07-29 09:51 - 2016-06-11 00:15 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-07-29 09:51 - 2016-06-11 00:12 - 20348928 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-07-29 09:51 - 2016-06-11 00:12 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-07-29 09:51 - 2016-06-11 00:11 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-07-29 09:51 - 2016-06-11 00:11 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-07-29 09:51 - 2016-06-11 00:11 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-07-29 09:51 - 2016-06-11 00:11 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-07-29 09:51 - 2016-06-11 00:05 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-07-29 09:51 - 2016-06-11 00:02 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-07-29 09:51 - 2016-06-10 23:57 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-07-29 09:51 - 2016-06-10 23:56 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-07-29 09:51 - 2016-06-10 23:54 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-07-29 09:51 - 2016-06-10 23:53 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-07-29 09:51 - 2016-06-10 23:51 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-07-29 09:51 - 2016-06-10 23:49 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-07-29 09:51 - 2016-06-10 23:44 - 04608000 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-07-29 09:51 - 2016-06-10 23:42 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-07-29 09:51 - 2016-06-10 23:40 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-07-29 09:51 - 2016-06-10 23:40 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-07-29 09:51 - 2016-06-10 23:39 - 02055680 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-07-29 09:51 - 2016-06-10 23:15 - 02392576 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-07-29 09:51 - 2016-06-10 23:12 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-07-29 09:51 - 2016-06-10 23:11 - 01315840 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-07-29 09:47 - 2016-06-14 20:27 - 02398208 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-07-29 09:12 - 2016-05-18 21:40 - 00306688 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-07-29 00:56 - 2016-08-01 20:50 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-07-29 00:56 - 2016-07-30 13:33 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-07-29 00:56 - 2016-07-29 00:56 - 00001020 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-07-29 00:56 - 2016-07-29 00:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-07-29 00:56 - 2016-07-29 00:56 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-07-29 00:56 - 2016-07-29 00:56 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-07-29 00:56 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-07-29 00:56 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-07-28 23:57 - 2016-08-01 22:50 - 00000000 ____D C:\$360Section
2016-07-28 21:19 - 2016-07-29 21:51 - 00000000 ____D C:\Windows\Tasks\360Disabled
2016-07-28 21:00 - 2016-08-01 22:50 - 00000000 ____D C:\ProgramData\360Quarant
2016-07-28 20:56 - 2016-08-01 20:25 - 00000000 ____D C:\Users\moncy\AppData\LocalLow\360WD
2016-07-28 20:56 - 2016-08-01 10:00 - 00000000 ____D C:\Users\moncy\AppData\Roaming\360safe
2016-07-28 20:56 - 2016-07-29 12:57 - 00000000 _RSHD C:\360SANDBOX
2016-07-28 20:56 - 2016-07-29 01:08 - 00000000 ____D C:\ProgramData\360safe
2016-07-28 20:56 - 2016-07-28 20:59 - 00000000 ____D C:\ProgramData\360TotalSecurity
2016-07-28 20:56 - 2016-07-28 20:58 - 00001067 _____ C:\Users\Public\Desktop\360 Total Security.lnk
2016-07-28 20:56 - 2016-07-28 20:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center
2016-07-28 20:56 - 2016-07-28 20:56 - 00000000 ____D C:\Users\moncy\AppData\Roaming\360TotalSecurity
2016-07-28 20:56 - 2016-07-11 15:20 - 00212712 _____ (360.cn) C:\Windows\system32\Drivers\360Box.sys
2016-07-28 20:56 - 2016-07-11 15:20 - 00189160 _____ (360安全中心) C:\Windows\system32\Drivers\360SelfProtection.sys
2016-07-28 20:56 - 2016-07-11 15:20 - 00135400 _____ (360.cn) C:\Windows\system32\Drivers\360AntiHacker.sys
2016-07-28 20:56 - 2016-07-11 15:20 - 00064872 _____ (360.cn) C:\Windows\system32\Drivers\qutmipc.sys
2016-07-28 20:56 - 2016-07-11 15:20 - 00034888 _____ (360.cn) C:\Windows\system32\Drivers\360Camera.sys
2016-07-28 20:55 - 2016-07-28 20:55 - 00000000 ____D C:\Program Files\Common Files\AV
2016-07-28 20:55 - 2016-07-11 15:20 - 00313448 _____ (360.cn) C:\Windows\system32\Drivers\qutmdrv.sys
2016-07-28 20:55 - 2016-07-11 15:20 - 00177232 _____ (360.cn) C:\Windows\system32\Drivers\BAPIDRV.SYS
2016-07-28 20:55 - 2016-07-11 15:20 - 00072936 _____ (360安全中心) C:\Windows\system32\Drivers\hookport.sys
2016-07-28 20:55 - 2016-07-11 15:20 - 00066128 _____ (360.cn) C:\Windows\system32\Drivers\360AvFlt.sys
2016-07-28 20:55 - 2016-07-11 15:20 - 00023248 _____ (360.cn) C:\Windows\system32\Drivers\efimon.sys
2016-07-28 20:54 - 2016-07-28 20:54 - 00000000 ____D C:\Program Files\360
2016-07-28 20:50 - 2016-07-28 20:50 - 00001773 _____ C:\Users\moncy\Desktop\Recuva.lnk
2016-07-28 11:53 - 2016-07-29 09:32 - 00000000 ____D C:\Program Files\Recuva
2016-07-28 11:53 - 2016-07-28 11:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Recuva
2016-07-27 23:10 - 2016-07-27 23:10 - 00000000 ____D C:\com.google.input_tools.t13n.ime.malayalam
2016-07-27 18:17 - 2016-07-27 18:17 - 00000000 ____D C:\$Windows.~WS
2016-07-26 19:12 - 2016-07-27 23:01 - 00000000 ____D C:\Windows10Upgrade
2016-07-26 19:12 - 2016-07-26 19:12 - 00000000 ____D C:\$GetCurrent
2016-07-26 12:27 - 2016-07-26 12:27 - 00000000 ____D C:\ProgramData\BDLogging
2016-07-26 12:26 - 2016-07-27 23:01 - 00000000 ____D C:\Users\moncy\AppData\LocalLow\IObit
2016-07-25 11:31 - 2016-06-10 23:39 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-07-25 11:31 - 2016-06-10 23:28 - 13806080 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-07-25 10:51 - 2016-07-27 23:01 - 00000000 ____D C:\Users\moncy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-07-15 11:05 - 2016-07-30 14:40 - 00000000 ____D C:\Windows\rescache
2016-07-08 09:17 - 2016-07-29 09:32 - 00000000 ____D C:\Users\moncy\Desktop\MONCY
2016-07-07 11:29 - 2016-07-07 11:29 - 00007605 _____ C:\Users\moncy\AppData\Local\Resmon.ResmonCfg
2016-07-05 15:13 - 2016-07-05 15:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
2016-07-04 12:08 - 2016-07-04 12:08 - 00000000 ____D C:\Windows\Tasks\ImCleanDisabled
2016-07-04 12:08 - 2016-07-04 12:08 - 00000000 ____D C:\Program Files\Common Files\IObit
2016-07-04 12:07 - 2016-07-27 22:59 - 00000000 ____D C:\Users\moncy\AppData\Roaming\IObit
2016-07-04 12:07 - 2016-07-27 22:59 - 00000000 ____D C:\ProgramData\IObit
2016-07-04 12:07 - 2016-07-27 13:57 - 00000000 ____D C:\Program Files\IObit
2016-07-03 22:21 - 2016-07-28 08:50 - 00000000 ____D C:\Windows\pss
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-01 22:49 - 2016-01-28 13:43 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-08-01 22:43 - 2012-08-11 12:56 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-01 21:13 - 2012-08-12 13:22 - 00000000 ____D C:\Users\moncy\AppData\Roaming\vlc
2016-08-01 21:05 - 2012-08-10 10:00 - 00920764 _____ C:\Windows\system32\PerfStringBackup.INI
2016-08-01 21:05 - 2009-07-14 08:07 - 00000000 ____D C:\Windows\inf
2016-08-01 17:00 - 2009-07-14 10:04 - 00026192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-01 17:00 - 2009-07-14 10:04 - 00026192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-01 16:55 - 2012-12-21 11:09 - 00000000 ____D C:\Users\moncy\AppData\Local\TSVNCache
2016-08-01 16:55 - 2012-08-11 12:56 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-01 16:53 - 2009-07-14 08:07 - 00000000 ____D C:\Windows\system32\inetsrv
2016-08-01 16:51 - 2009-07-14 10:23 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-01 13:57 - 2009-07-14 10:23 - 00032608 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-08-01 12:00 - 2012-12-21 11:53 - 00000000 ___RD C:\Users\moncy\Dropbox
2016-08-01 11:47 - 2016-01-26 17:10 - 00000000 ____D C:\AdwCleaner
2016-08-01 10:23 - 2012-08-10 23:13 - 00000000 ____D C:\Windows\Panther
2016-08-01 10:23 - 2009-07-14 08:07 - 00000000 ____D C:\Windows\ModemLogs
2016-08-01 07:11 - 2009-07-14 07:34 - 00000215 _____ C:\Windows\system.ini
2016-08-01 00:58 - 2009-07-14 07:33 - 20971520 _____ C:\Windows\system32\config\SYSTEM.bak
2016-08-01 00:58 - 2009-07-14 07:33 - 146800640 _____ C:\Windows\system32\config\SOFTWARE.bak
2016-08-01 00:58 - 2009-07-14 07:33 - 04194304 _____ C:\Windows\system32\config\DEFAULT.bak
2016-08-01 00:58 - 2009-07-14 07:33 - 00262144 _____ C:\Windows\system32\config\SECURITY.bak
2016-08-01 00:58 - 2009-07-14 07:33 - 00262144 _____ C:\Windows\system32\config\SAM.bak
2016-07-30 12:05 - 2012-08-11 12:55 - 00000000 ____D C:\Program Files\Google
2016-07-30 10:56 - 2016-01-25 10:50 - 00000008 __RSH C:\Users\moncy\ntuser.pol
2016-07-30 10:56 - 2014-01-30 09:41 - 00000008 __RSH C:\ProgramData\ntuser.pol
2016-07-30 10:56 - 2012-08-10 09:59 - 00000000 ____D C:\Users\moncy
2016-07-30 10:53 - 2009-07-14 08:07 - 00000000 ____D C:\Windows\system32\NDF
2016-07-30 09:53 - 2012-10-10 14:52 - 00000000 ____D C:\Users\moncy\AppData\Roaming\TeamViewer
2016-07-29 21:49 - 2015-07-17 14:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HxD Hex Editor
2016-07-29 09:05 - 2012-10-03 18:01 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
2016-07-29 09:05 - 2012-10-03 18:01 - 00001944 _____ C:\Users\Public\Desktop\Adobe Reader 9.lnk
2016-07-29 07:30 - 2014-09-23 09:04 - 00000000 ____D C:\Users\moncy\AppData\Local\136
2016-07-29 00:48 - 2012-08-12 13:20 - 00000000 ____D C:\Program Files\MSXML 4.0
2016-07-29 00:31 - 2015-09-04 10:05 - 00000000 ____D C:\Users\moncy\AppData\Roaming\BitTorrent
2016-07-29 00:31 - 2015-07-17 14:45 - 00000000 ____D C:\Program Files\HxD
2016-07-29 00:31 - 2012-12-21 10:06 - 00000000 ____D C:\Program Files\TortoiseSVN
2016-07-29 00:31 - 2012-12-07 17:51 - 00000000 ____D C:\Program Files\Audacity
2016-07-29 00:31 - 2012-08-13 10:05 - 00000000 ____D C:\Users\moncy\AppData\Roaming\Skype
2016-07-28 23:57 - 2012-10-30 17:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DGPDev
2016-07-28 20:34 - 2012-08-10 16:43 - 00000000 ____D C:\Users\moncy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink DVD Suite
2016-07-28 15:01 - 2015-01-21 17:59 - 00000000 ____D C:\Users\moncy\Documents\Visual Studio 2013
2016-07-28 14:37 - 2012-08-30 09:26 - 141983760 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-07-28 07:42 - 2012-08-23 10:24 - 00000000 ____D C:\Users\moncy\AppData\Local\ElevatedDiagnostics
2016-07-28 06:09 - 2013-07-27 09:00 - 00000000 ____D C:\Windows\system32\MRT
2016-07-28 00:55 - 2012-08-10 16:14 - 00406184 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-07-27 23:01 - 2016-05-13 20:02 - 00000000 ____D C:\Users\TestWebPool
2016-07-27 23:01 - 2016-05-13 14:39 - 00000000 ____D C:\Users\DefaultAppPool
2016-07-27 23:01 - 2016-05-12 13:53 - 00000000 ____D C:\Users\Classic .NET AppPool
2016-07-27 23:01 - 2015-04-06 08:10 - 00000000 ___SD C:\Windows\system32\GWX
2016-07-27 23:01 - 2014-12-12 11:50 - 00000000 ____D C:\Windows\system32\appraiser
2016-07-27 23:01 - 2012-08-12 13:33 - 00000000 ____D C:\Program Files\Microsoft CAPICOM 2.1.0.2
2016-07-27 23:01 - 2012-08-11 09:42 - 00000000 ____D C:\Users\moncy\AppData\Roaming\EditPlus 3
2016-07-27 23:01 - 2009-07-14 13:20 - 00000000 ____D C:\Program Files\Windows Journal
2016-07-27 23:01 - 2009-07-14 08:07 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-07-27 23:00 - 2009-07-14 08:07 - 00000000 ____D C:\Windows\registration
2016-07-27 22:59 - 2013-01-31 14:07 - 00000000 ____D C:\Users\moncy\AppData\Local\Mozilla
2016-07-27 13:57 - 2012-10-12 15:46 - 00000000 ____D C:\Users\moncy\AppData\Roaming\Apple Computer
2016-07-26 11:53 - 2012-08-11 09:38 - 00000600 _____ C:\Users\moncy\AppData\Roaming\winscp.rnd
2016-07-25 12:00 - 2012-09-20 09:38 - 00000028 _____ C:\Windows\ODBC.INI
2016-07-25 12:00 - 2012-09-20 09:28 - 00000000 ____D C:\Program Files\Microsoft Visual Studio 9.0
2016-07-25 11:55 - 2012-08-20 12:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2016-07-25 11:55 - 2012-08-20 12:25 - 00000000 ____D C:\Program Files\HP
2016-07-25 11:54 - 2012-10-30 10:11 - 00000000 ____D C:\Users\moncy\AppData\Local\MagicSoftware
2016-07-25 11:54 - 2012-08-20 12:24 - 00000000 ____D C:\Users\moncy\AppData\Local\HP
2016-07-25 11:51 - 2012-11-09 12:42 - 00000000 ___RD C:\Users\moncy\Documents\Scanned Documents
2016-07-25 10:51 - 2012-12-21 11:09 - 00000000 ____D C:\Users\moncy\AppData\Roaming\Dropbox
2016-07-25 10:49 - 2016-01-28 13:43 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2016-07-25 10:49 - 2016-01-28 13:43 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2016-07-25 10:40 - 2016-01-28 13:43 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2016-07-25 10:40 - 2014-05-05 16:31 - 00000000 ___SD C:\Windows\system32\CompatTel
2016-07-25 10:38 - 2012-08-11 12:55 - 00000000 ____D C:\Windows\system32\Macromed
2016-07-25 10:33 - 2015-06-17 10:01 - 00000000 ____D C:\Users\moncy\AppData\Local\Dropbox
2016-07-25 10:33 - 2012-08-10 16:51 - 00000000 ____D C:\Program Files\Microsoft Visual Studio 8
2016-07-25 10:33 - 2012-08-10 16:51 - 00000000 ____D C:\Program Files\Microsoft Office
2016-07-25 10:33 - 2012-08-10 16:31 - 00000000 ____D C:\ProgramData\CyberLink
2016-07-25 10:25 - 2016-05-20 15:10 - 00000000 ____D C:\Users\moncy\AppData\LocalLow\BitTorrent
2016-07-21 19:21 - 2012-09-17 09:23 - 00139264 ___SH C:\Users\moncy\Documents\Thumbs.db
2016-07-12 23:11 - 2012-08-10 16:31 - 00000000 ____D C:\Users\moncy\AppData\Roaming\CyberLink
2016-07-07 23:31 - 2013-09-12 23:57 - 00000000 ____D C:\Users\moncy\AppData\Local\Paint.NET
2016-07-05 15:13 - 2016-04-05 13:44 - 00002005 _____ C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2016-07-05 15:13 - 2016-01-28 13:43 - 00000000 ____D C:\Program Files\McAfee Security Scan
2016-07-04 15:01 - 2013-05-08 17:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ffdshow
 
==================== Files in the root of some directories =======
 
2013-03-28 12:36 - 2013-03-28 12:36 - 0034606 _____ () C:\Program Files\CMS Setup Log.txt
2012-08-11 09:38 - 2016-07-26 11:53 - 0000600 _____ () C:\Users\moncy\AppData\Roaming\winscp.rnd
2013-09-09 21:07 - 2013-09-09 21:07 - 0004096 ____H () C:\Users\moncy\AppData\Local\keyfile3.drm
2012-12-10 21:42 - 2016-04-01 21:45 - 0001038 _____ () C:\Users\moncy\AppData\Local\MediaCopeLogTemp.txt
2013-04-20 12:56 - 2013-04-20 12:56 - 0000600 _____ () C:\Users\moncy\AppData\Local\PUTTY.RND
2016-07-07 11:29 - 2016-07-07 11:29 - 0007605 _____ () C:\Users\moncy\AppData\Local\Resmon.ResmonCfg
2013-11-23 18:25 - 2013-11-23 18:25 - 0000057 _____ () C:\ProgramData\Ament.ini
 
Some files in TEMP:
====================
C:\Users\moncy\AppData\Local\Temp\dllnt_dump.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-07-30 14:32
 
==================== End of FRST.txt ============================

 


 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,954 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:08 PM

Posted 03 August 2016 - 09:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2008440364-1844915008-329570366-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-2008440364-1844915008-329570366-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\moncy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR HKLM\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [glcimepnljoholdmjchkloafkggfoijh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [pgoackgjjkpbkjoomkklkofbhpkbeboc] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2008440364-1844915008-329570366-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pgoackgjjkpbkjoomkklkofbhpkbeboc] - hxxps://clients2.google.com/service/update2/crx
S3 catchme; \??\C:\Users\moncy\AppData\Local\Temp\catchme.sys [X]
S1 ehrrdmzs; \??\C:\Windows\system32\drivers\ehrrdmzs.sys [X]
S1 ejvmqxuy; \??\C:\Windows\system32\drivers\ejvmqxuy.sys [X]
S1 ijnittge; \??\C:\Windows\system32\drivers\ijnittge.sys [X]
Task: {F6774306-58E8-410D-9678-A5CE98DB2411} - \{6B719E4F-5C96-4327-85DA-4B724526BF50} -> No File <==== ATTENTION
RemoveProxy:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader via the Control Panel > Programs > Programs and Features.
Adobe Reader 9.5.3 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.3 - Adobe Systems Incorporated)

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features applet.
Java 8 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)

Please post the logs and let me know if the problem persists.

#3 Zachariah

Zachariah
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 03 August 2016 - 12:46 PM

Thank you nasdaq.

 

I followed all the steps you had written. Please have a look at fixlog.txt

 

Even after the reboot, the same problem exists. To reproduce the proxy error, I disabled Malwarebytes; the browser started accessing wpad.browsersecurity.info/wpad.dat and accordingly the browser settings blocked the internet connection. I have attached proxyerror.png (in IE) for your reference. The registry values for the wpad keys also got changed, adding the value "WpadDetectedUrl"="http://wpad.browsersecurity.info/wpad.dat".

 

As an alternative temporary solution to access the internet, I unchecked the 'Auto detect settings' selection in Internet Options, allowing access by bypassing the WPAD check for a proxy.

But this is not a permanent solution, because other processes like svchost still access wpad.dat even though 'Auto detect settings' is disabled. I can see the same pop-up from svchost when Malwarebytes is enabled and 'Auto detect settings' is disabled.

 

When I select 'Auto Detect settings' while keeping Malwarebytes protection on, Malwarebytes again starts giving pop-ups about blocking the malicious website wpad.browsersecurity.info for Chrome. Chrome allows the connection, but in IE the connection is still blocked.

 

I did a complete scan with Malwarebytes and Kaspersky; neither of them could find any issue.


Edited by Zachariah, 03 August 2016 - 12:59 PM.


#4 Zachariah

Zachariah
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 04 August 2016 - 05:45 AM

Hello nasdaq,

I was able to find the solution to the issue.

Here are the steps I followed:

  1. When 'Automatically Detect Settings' is enabled, the browser searches for wpad.dat locally; if it is not found, it finds the location of the wpad.dat configuration, which has the proxy information, either from the registry or using DHCP/DNS.
  2. The browser attaches HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TcpIP\Parameters\Search List as the suffix to wpad.
  3. On my computer the above value of 'Search List' was 'browsersecurity.info', so the browser and other processes appended the suffix 'browsersecurity.info' to 'wpad' to get the address 'wpad.browsersecurity.info/wpad.dat'.

Recommended change:

  • Search for TcpIP\Parameters\Search List in the registry and validate the domain name suffixes.

Thank you for your support once again.
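The check Zachariah describes above, written out as an added PowerShell audit script (this is example code, not something posted in the thread): it reads the suffix sources the Windows resolver uses (the SearchList, Domain and DhcpDomain values under Tcpip\Parameters and its per-interface subkeys), shows the wpad.<suffix> host name each one would produce, flags any suffix not on an expected list, and lists any WpadDetectedUrl values already cached in user hives. The expected-suffix list is a placeholder you must replace with your own domains; reading other users' hives under HKEY_USERS needs an elevated prompt.

```powershell
# Added example (not from the thread): audit the DNS suffix sources Windows
# uses to build "wpad.<suffix>" lookups and list any WpadDetectedUrl values
# already cached for users. Uses New-Object instead of [pscustomobject] so it
# also runs on the Windows PowerShell 2.0 that ships with Windows 7.

# ASSUMPTION / placeholder: replace with the suffixes your network really uses.
$ExpectedSuffixes = @('corp.example.com', 'example.com')

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-WpadSuffixCandidates {
    # Gather every suffix source the resolver can draw on: the global
    # SearchList and Domain values, plus per-interface SearchList/Domain/
    # DhcpDomain values (DHCP-supplied suffixes land in the interface keys).
    $sources = @()
    $params = Get-ItemProperty -Path $TcpipParams -ErrorAction SilentlyContinue
    foreach ($name in 'SearchList', 'Domain') {
        if ($params.$name) {
            $sources += New-Object PSObject -Property @{ Source = "Parameters\$name"; Value = $params.$name }
        }
    }
    Get-ChildItem "$TcpipParams\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object {
        $iface = Get-ItemProperty -Path $_.PSPath
        foreach ($name in 'SearchList', 'Domain', 'DhcpDomain') {
            if ($iface.$name) {
                $sources += New-Object PSObject -Property @{ Source = "Interfaces\$($_.PSChildName)\$name"; Value = $iface.$name }
            }
        }
    }
    # SearchList is a comma-separated string; emit one row per suffix with the
    # WPAD host name it would produce and whether it is on the expected list.
    foreach ($src in $sources) {
        foreach ($suffix in ($src.Value -split '[,\s]+' | Where-Object { $_ })) {
            New-Object PSObject -Property @{
                Source   = $src.Source
                Suffix   = $suffix
                WpadHost = "wpad.$suffix"
                Expected = ($ExpectedSuffixes -contains $suffix.ToLower())
            }
        }
    }
}

function Get-WpadDetectedUrls {
    # Walk HKCU and every loaded hive under HKEY_USERS for
    # ...\Internet Settings\Wpad\<subkey>\WpadDetectedUrl (the value the
    # thread found pointing at wpad.browsersecurity.info). Hives that cannot
    # be read from a non-elevated prompt are skipped silently.
    $relative = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'
    $hives = @('HKCU:') + @(Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)" })
    foreach ($hive in $hives) {
        $wpadKey = "$hive\$relative"
        if (-not (Test-Path $wpadKey)) { continue }
        Get-ChildItem $wpadKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if ($props.PSObject.Properties['WpadDetectedUrl']) {
                New-Object PSObject -Property @{ Key = $_.Name; WpadDetectedUrl = $props.WpadDetectedUrl }
            }
        }
    }
}

$candidates = @(Get-WpadSuffixCandidates)

Write-Host '== DNS suffixes and the WPAD host name each one would produce =='
$candidates | Format-Table Source, Suffix, WpadHost, Expected -AutoSize

Write-Host '== Suffixes NOT on the expected list (review and correct in the registry) =='
$candidates | Where-Object { -not $_.Expected } | Format-Table Source, Suffix, WpadHost -AutoSize

Write-Host '== WpadDetectedUrl values cached in user hives =='
Get-WpadDetectedUrls | Format-Table Key, WpadDetectedUrl -AutoSize
```

A suffix you do not recognise in the first table is exactly the condition described in step 3 above; correct the registry value and clear any cached WpadDetectedUrl entries pointing at it, then re-run the script to confirm both tables are clean.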

 



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,954 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:08 PM

Posted 04 August 2016 - 09:36 AM

Are you saying that all is well?

If so I appreciate the information.

#6 Zachariah

Zachariah
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 04 August 2016 - 11:20 AM

Yes nasdaq, as of now I think everything is working fine; I have not yet seen any pop-up or warning from any of the anti-malware programs.

 

People who are worried about similar kinds of issues may find these steps helpful, so I posted the information.



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,954 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:08 PM

Posted 05 August 2016 - 07:55 AM

Thank you.

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,954 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:08 PM

Posted 11 August 2016 - 08:06 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



