
http://ɴ.net/server.pac


  • This topic is locked
15 replies to this topic

#1 ethan_hines


Posted 15 August 2016 - 02:39 AM

Greetings all,

 

I have a problem. I have Windows 10 version 1439.10 (Insider edition). I have had the worst trouble continuously changing the proxy server from http://ɴ.net/server.pac to null. I enabled the administrator account and I continuously have to change the settings back. I have tried using both the registry and administrative tools such as the policy editor to prevent changing of the proxy settings, to no avail. Is there no way, even as administrator, to prevent this invasion? PS. I have tried all known malware apps, i.e. Malwarebytes / built-in Windows Defender etc. ... can anyone help?




 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:59 AM

Posted 15 August 2016 - 09:40 AM

Hello

  •   Welcome to Bleeping Computer.
  •   My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  •   Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  •   If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  •   Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  •   In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  •   Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  •   I will be analyzing your log. I will get back to you with instructions.

 

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

 


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 ethan_hines


Posted 15 August 2016 - 02:05 PM

Here are the results:


Attached Files



#4 fireman4it


Posted 15 August 2016 - 02:35 PM

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

2.

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will start to update its database...please wait until complete.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a report (AdwCleaner[SX].txt) will open in Notepad (where the largest value of X represents the most recent report).
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • Copies of all logfiles are saved to C:\AdwCleaner.

 




#5 ethan_hines


Posted 16 August 2016 - 04:56 PM

Here are the results of the fix:

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-08-2016 01
Ran by ethan (15-08-2016 19:48:15) Run:1
Running from C:\Users\ethan\Downloads
Loaded Profiles: ethan & Administrator (Available Profiles: ethan & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
(Splashtop Inc.) C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
(Hola Networks Ltd.) C:\Program Files\Hola\app\hola_updater.exe
(Hola Networks Ltd.) C:\Program Files\Hola\app\hola_svc.exe
C:\Program Files\Hola
C:\Program Files (x86)\Splashtop
HKLM\...\Run: [hola] => C:\Program Files\Hola\app\hola.exe [2162864 2016-08-10] (Hola Networks Ltd.) <===== ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Restriction - ProxySettings)
AutoConfigURL: [HKLM-x32] => hxxp://xn--koa.net/server.pac
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 24.200.243.189 24.200.241.37
Tcpip\..\Interfaces\{36679ebc-2aa7-4e09-8cf4-34ae5682d699}: [DhcpNameServer] 8.8.8.8
Tcpip\..\Interfaces\{3730e752-f4af-42c7-9a1d-151d4797a65e}: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{51863385-e051-4c17-84ca-ef76dedd8b9d}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{6c0e132e-67de-404a-bdea-a1e94ff988db}: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{c565c758-4af0-40a9-926a-b197d80be29d}: [NameServer] 208.67.222.222,208.67.220.220
Tcpip\..\Interfaces\{c565c758-4af0-40a9-926a-b197d80be29d}: [DhcpNameServer] 192.168.0.1 24.200.243.189 24.200.241.37
Tcpip\..\Interfaces\{e84ff6b1-61ba-4349-a3b4-3a1ecf5a0440}: [DhcpNameServer] 172.20.10.1
ManualProxies: 0hxxp://xn--koa.net/server.pac
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-3336898020-3463846991-3472710618-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ca.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset
SearchScopes: HKU\S-1-5-21-3336898020-3463846991-3472710618-1001 -> {1E3DA68F-7C99-4920-9F56-657B354DFA70} URL = hxxps://ca.search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
FF Session Restore: -> is enabled.
FF NetworkProxy: "type", 0
FF Extension: New XKit - C:\Users\ethan\AppData\Roaming\Mozilla\Firefox\Profiles\fpqzwzsk.default\Extensions\@new-xkit.xpi [2016-08-08]
FF Extension: Hola Better Internet - C:\Users\ethan\AppData\Roaming\Mozilla\Firefox\Profiles\fpqzwzsk.default\Extensions\jid1-4P0kohSJxU1qGg@jetpack [2016-08-02]
FF HKLM-x32\...\Firefox\Extensions: [fiddlerhook@fiddler2.com] - C:\Program Files (x86)\Fiddler2\FiddlerHook
FF Extension: FiddlerHook - C:\Program Files (x86)\Fiddler2\FiddlerHook [2015-12-25] [not signed]
CHR StartupUrls: Default -> "hxxp://websearch.pu-results.info/?pid=320&r=2013/03/02&hid=4263669307&lg=EN&cc=CA"
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=orcl_default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Session Restore: Default -> is enabled.
CHR Extension: (ProxFlow) - C:\Users\ethan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aakchaleigkohafkfjfjbblobjifikek [2016-08-13]
R2 hola_svc; C:\Program Files\Hola\app\hola_svc.exe [5618864 2016-08-10] (Hola Networks Ltd.) <==== ATTENTION
R2 hola_updater; C:\Program Files\Hola\app\hola_updater.exe [5491328 2016-04-12] (Hola Networks Ltd.) <==== ATTENTION
R3 sthid; C:\Windows\System32\drivers\sthid.sys [21216 2015-03-04] (Splashtop Inc.)
016-08-15 03:30 - 2016-08-15 03:30 - 00000801 _____ C:\Users\Administrator\Downloads\server.pac
2016-07-16 10:15 - 2016-07-21 20:24 - 00000000 ____D C:\WINDOWS\OCR
2016-07-16 10:14 - 2016-07-21 09:58 - 00000000 ____D C:\WINDOWS\SysWOW64\winrm
2016-07-16 10:14 - 2016-07-21 09:58 - 00000000 ____D C:\WINDOWS\SysWOW64\WCN
2016-07-16 10:14 - 2016-07-21 09:58 - 00000000 ____D C:\WINDOWS\SysWOW64\slmgr
2016-07-16 10:14 - 2016-07-21 09:58 - 00000000 ____D C:\WINDOWS\SysWOW64\Printing_Admin_Scripts
2016-07-16 10:14 - 2016-07-21 09:58 - 00000000 ____D C:\WINDOWS\system32\winrm
2016-07-16 10:14 - 2016-07-21 09:57 - 00000000 ____D C:\WINDOWS\system32\WCN
2016-07-16 10:14 - 2016-07-21 09:57 - 00000000 ____D C:\WINDOWS\system32\slmgr
2016-07-16 10:14 - 2016-07-21 09:57 - 00000000 ____D C:\WINDOWS\system32\Printing_Admin_Scripts
2016-07-16 10:14 - 2016-07-16 10:14 - 00000000 ____D C:\WINDOWS\SysWOW64\sysprep
2016-07-16 10:14 - 2016-07-16 10:14 - 00000000 ____D C:\WINDOWS\SysWOW64\0409
2016-07-16 10:14 - 2016-07-16 10:14 - 00000000 ____D C:\WINDOWS\system32\0409
2016-07-16 10:14 - 2016-07-16 10:14 - 00000000 ____D C:\WINDOWS\SKB
2016-07-16 10:14 - 2016-07-16 10:14 - 00000000 ____D C:\WINDOWS\DigitalLocker
2016-07-16 08:40 - 2016-07-16 08:40 - 00000000 _SHDL C:\Users\Default User
2016-07-16 08:40 - 2016-07-16 08:40 - 00000000 _SHDL C:\Users\All Users
2016-08-11 15:51 - 2015-06-24 10:13 - 00000000 ____D C:\Users\ethan\Documents\ihelper
2016-08-11 15:51 - 2015-06-02 14:54 - 00000000 ____D C:\Users\ethan\AppData\Local\pangu
2016-08-11 14:20 - 2015-07-15 18:55 - 00000000 ____D C:\ProgramData\ProductData
2016-08-10 19:29 - 2015-04-24 21:21 - 00000000 ____D C:\Users\ethan\AppData\Local\Packages
C:\Program Files\Hola\app\hola.exe
Task: {1FB2FFB3-D76E-422D-BBEF-226326448403} - \Microsoft\XblGameSave\XblGameSaveTask\Logon -> No File <==== ATTENTION
AlternateDataStreams: C:\Users\ethan\Documents\smart-meter-flyer-DEC-25-2010.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\ethan\Documents\soapsc2012edition-121017073743-phpapp02.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\ethan\Documents\unstoppablestamina-7secretsthatpornstars-120625213915-phpapp01.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\Public\DRM:??? ????? [48]
HOSTS:
Emptytemp:
IE trusted site: HKU\S-1-5-21-3336898020-3463846991-3472710618-1001\...\hola.org -> hxxp://hola.org
*****************
 
[2668] C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe => process closed successfully.
[2420] C:\Program Files\Hola\app\hola_updater.exe => process closed successfully.
[2484] C:\Program Files\Hola\app\hola_svc.exe => process closed successfully.
C:\Program Files\Hola => moved successfully
C:\Program Files (x86)\Splashtop => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\hola => value removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\system32\GroupPolicy\User => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{36679ebc-2aa7-4e09-8cf4-34ae5682d699}\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3730e752-f4af-42c7-9a1d-151d4797a65e}\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{51863385-e051-4c17-84ca-ef76dedd8b9d}\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6c0e132e-67de-404a-bdea-a1e94ff988db}\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c565c758-4af0-40a9-926a-b197d80be29d}\\NameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c565c758-4af0-40a9-926a-b197d80be29d}\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e84ff6b1-61ba-4349-a3b4-3a1ecf5a0440}\\DhcpNameServer => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Local Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Local Page => value restored successfully
HKU\S-1-5-21-3336898020-3463846991-3472710618-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
"HKU\S-1-5-21-3336898020-3463846991-3472710618-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1E3DA68F-7C99-4920-9F56-657B354DFA70}" => key removed successfully
HKCR\CLSID\{1E3DA68F-7C99-4920-9F56-657B354DFA70} => key not found. 
FF Session Restore: -> removed successfully
Firefox Proxy settings were reset.
C:\Users\ethan\AppData\Roaming\Mozilla\Firefox\Profiles\fpqzwzsk.default\Extensions\@new-xkit.xpi => moved successfully
C:\Users\ethan\AppData\Roaming\Mozilla\Firefox\Profiles\fpqzwzsk.default\Extensions\jid1-4P0kohSJxU1qGg@jetpack => moved successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\fiddlerhook@fiddler2.com => value removed successfully
C:\Program Files (x86)\Fiddler2\FiddlerHook => moved successfully
Chrome StartupUrls => removed successfully
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSearchKeyword => removed successfully
Chrome DefaultSuggestURL => removed successfully
Chrome Session Restore: => not found.
C:\Users\ethan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aakchaleigkohafkfjfjbblobjifikek => moved successfully
hola_svc => service removed successfully
hola_updater => service removed successfully
sthid => Unable to stop service.
sthid => service removed successfully
016-08-15 03:30 - 2016-08-15 03:30 - 00000801 _____ C:\Users\Administrator\Downloads\server.pac => Error: No automatic fix found for this entry.
C:\WINDOWS\OCR => moved successfully
C:\WINDOWS\SysWOW64\winrm => moved successfully
C:\WINDOWS\SysWOW64\WCN => moved successfully
C:\WINDOWS\SysWOW64\slmgr => moved successfully
C:\WINDOWS\SysWOW64\Printing_Admin_Scripts => moved successfully
C:\WINDOWS\system32\winrm => moved successfully
C:\WINDOWS\system32\WCN => moved successfully
C:\WINDOWS\system32\slmgr => moved successfully
C:\WINDOWS\system32\Printing_Admin_Scripts => moved successfully
C:\WINDOWS\SysWOW64\sysprep => moved successfully
C:\WINDOWS\SysWOW64\0409 => moved successfully
C:\WINDOWS\system32\0409 => moved successfully
C:\WINDOWS\SKB => moved successfully
C:\WINDOWS\DigitalLocker => moved successfully
Symbolic link found: "C:\Users\Default User" => "C:\Users\Default"
"C:\Users\Default User" => Symbolic link removed successfully
C:\Users\Default User => moved successfully
Symbolic link found: "C:\Users\All Users" => "C:\ProgramData"
"C:\Users\All Users" => Symbolic link removed successfully
C:\Users\All Users => moved successfully
C:\Users\ethan\Documents\ihelper => moved successfully
C:\Users\ethan\AppData\Local\pangu => moved successfully
C:\ProgramData\ProductData => moved successfully
 
"C:\Users\ethan\AppData\Local\Packages" folder move:
 
Could not move "C:\Users\ethan\AppData\Local\Packages" => Scheduled to move on reboot.
 
"C:\Program Files\Hola\app\hola.exe" => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1FB2FFB3-D76E-422D-BBEF-226326448403}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FB2FFB3-D76E-422D-BBEF-226326448403}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\XblGameSave\XblGameSaveTask\Logon" => key removed successfully
C:\Users\ethan\Documents\smart-meter-flyer-DEC-25-2010.pdf => ":$CmdZnID" ADS removed successfully.
C:\Users\ethan\Documents\soapsc2012edition-121017073743-phpapp02.pdf => ":$CmdZnID" ADS removed successfully.
C:\Users\ethan\Documents\unstoppablestamina-7secretsthatpornstars-120625213915-phpapp01.pdf => ":$CmdZnID" ADS removed successfully.
"C:\Users\Public\DRM" => ":??? ?????" ADS not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
"HKU\S-1-5-21-3336898020-3463846991-3472710618-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org" => key removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 585688 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9549314 B
Java, Flash, Steam htmlcache => 108378090 B
Windows/system/drivers => 110082866 B
Edge => 5627189 B
Chrome => 449897125 B
Firefox => 11888268 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 354368 B
ethan => 157899028 B
Administrator => 4658541 B
 
RecycleBin => 0 B
EmptyTemp: => 819.1 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 15-08-2016 21:09:13)
 
C:\Users\ethan\AppData\Local\Packages => Is moved successfully
 
==== End of Fixlog 21:09:13 ====


#6 ethan_hines


Posted 16 August 2016 - 05:00 PM

Also please note that since running this program my Start Menu/Notification Area are unusable. I can right-click on the Start Menu button but that's it.

EDIT: I have had this problem with the Start Menu/Notification Area not working before, but it went away after a while. FIXED

EDIT2: And the proxy is still getting changed; see attached image.

Attached Files


Edited by ethan_hines, 16 August 2016 - 07:32 PM.


#7 ethan_hines


Posted 16 August 2016 - 05:54 PM

And here are the results of AdwCleaner:

# AdwCleaner v6.000 - Logfile created 16/08/2016 at 18:25:45
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-16.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : ethan - WIN-MN2OE5SBDGE
# Running from : C:\Users\ethan\Downloads\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\ethan\AppData\Local\YSearchUtil
[-] Folder deleted: C:\Users\ethan\AppData\Roaming\Hola
[-] Folder deleted: C:\Users\ethan\AppData\Roaming\tencent
[#] Folder deleted on reboot: C:\Users\ethan\AppData\Roaming\Tencent
[-] Folder deleted: C:\ProgramData\VideoDownloaderUltimateWinApp
[#] Folder deleted on reboot: C:\ProgramData\Application Data\VideoDownloaderUltimateWinApp
[-] Folder deleted: C:\Users\ethan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fakeocdnmmmnokabaiflppclocckihoj
[-] Folder deleted: C:\Users\ethan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmpojjilddefgnhiicjcmhbkjgbbclob
 
 
***** [ Files ] *****
 
[!] File not deleted: 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key deleted: [x64] HKLM\SOFTWARE\Hola
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hola
[-] Key deleted: HKU\.DEFAULT\Software\Hola
[-] Key deleted: HKU\S-1-5-21-3336898020-3463846991-3472710618-1001\Software\Hola
[-] Key deleted: HKU\S-1-5-21-3336898020-3463846991-3472710618-1001\Software\IM
[-] Key deleted: HKU\S-1-5-21-3336898020-3463846991-3472710618-1001\Software\Link64
[-] Key deleted: HKU\S-1-5-21-3336898020-3463846991-3472710618-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\VideoDownloaderUltimateWinApp
[#] Key deleted on reboot: HKU\S-1-5-18\Software\Hola
[#] Key deleted on reboot: HKCU\Software\Hola
[#] Key deleted on reboot: HKCU\Software\IM
[#] Key deleted on reboot: HKCU\Software\Link64
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\VideoDownloaderUltimateWinApp
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [hola]
[-] Key deleted: HKLM\SOFTWARE\Classes\f
[#] Value deleted on reboot: HKLM\SOFTWARE\Google\Chrome\Extensions\npdicihegicnhaangkdmcgbjceoemeoo []
 
 
***** [ Web browsers ] *****
 
[!] [dmpojjilddefgnhiicjcmhbkjgbbclob] [extensionSecure Preferences ] not deleted: 
[!] [fakeocdnmmmnokabaiflppclocckihoj] [extensionSecure Preferences ] not deleted: 
[!] [npdicihegicnhaangkdmcgbjceoemeoo] [extensionSecure Preferences ] not deleted: 
[!] [npdicihegicnhaangkdmcgbjceoemeoo] [extensionSecure Preferences ] not deleted: 
[-] [aol.com] [Search Provider] Deleted: aol.com
[-] [ask.com] [Search Provider] Deleted: ask.com
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [3636 Bytes] - [16/08/2016 18:25:45]
C:\AdwCleaner\AdwCleaner[S0].txt - [4062 Bytes] - [16/08/2016 17:59:27]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [3782 Bytes] ##########


#8 fireman4it


Posted 17 August 2016 - 07:26 AM

Please run FRST and post the new FRST.txt.



#9 fireman4it


Posted 17 August 2016 - 07:54 AM

Please run MBAM then follow the directions in step 2.

1.
Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
  • Click on Update Now to download the current database definitions, then click the Scan Now >> button.
  • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  • You will be prompted to update Malwarebytes...click on the Update Now button.
  • The THREAT SCAN will automatically begin.
  • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
  • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
  • After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)

  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)

  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd


2.
Now restart your machine and do the following.
If you think you can get the autoconfig entry to load on demand or quickly, then you could monitor it in real time using Process Monitor from Microsoft.
https://technet.microsoft.com/en-us/sysinternals/bb896645

This program will save very large files quickly as it monitors everything going on with the system.

Extract the files from the zip into their own folder. Then run Procmon.exe with admin rights by right-clicking it and choosing "Run as administrator".
With it running, try to get the autoconfig change to happen if you can. Then click on File > Save and save the Process Monitor log file to some location you can find. Then zip that file up and, if it's 30 MB or less, send it to me in a PM.

[Screenshots: AutoProxyURLMalware001.PNG, AutoProxyURLMalware002.PNG]

You should see something similar to this. It may not be the same .exe, but it should show which one it is. I would try surfing the net and see if you can get it to happen. I think I know what's causing it but I want to confirm it.


Edited by fireman4it, 17 August 2016 - 08:08 AM.



#10 ethan_hines


Posted 19 August 2016 - 01:02 PM

I ran Malwarebytes anti-malware. There was only one potential unwanted program:

PUP.Optional.OpenCandy, C:\Users\ethan\AppData\Roaming\uTorrent\updates\3.4.3_40097.exe, , [0e8453f937631521e9d989dfc83a4fb1]


I removed it and I also tried "capturing" the change in real time, but it doesn't seem to happen at regular intervals, i.e. as soon as Chrome is launched.


I filtered for Path is: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL so that if any process tried to tamper with it, it would show, but eventually procmon advised me it ran out of memory to capture more events and I gave up.


Hypothetically speaking, if I go into the "Administrator" account and remove the Auto Proxy Configuration information, is there no way I can lock down that particular Registry Key? Or at the very least have some software advise me that that Key has been changed (other than procmon)? I mean, if I have to format my PC I will, but I want to make 100% sure that this "virus" cannot usurp my Administrator account and change things at a high level of security.
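One way to get told when that value changes without sitting on Process Monitor, as an added example that is not from the thread or either participant: a PowerShell script that reads the AutoConfigURL value from the HKLM path the poster filtered on (and, as an assumption, the per-user HKCU copy) and subscribes to WMI registry change events for it. The log file location, the source identifier and the function name are assumptions; it assumes Windows PowerShell 5.1 run as administrator.

```powershell
# Added example, not from the thread: report the current AutoConfigURL proxy
# setting and log whenever the machine-wide value changes.
# Assumes Windows PowerShell 5.1 (Register-WmiEvent) started as administrator.
$KeyPath   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'  # path from the thread's procmon filter
$ValueName = 'AutoConfigURL'
$LogFile   = Join-Path $env:TEMP 'AutoConfigURL-changes.log'   # assumed location, change as needed

function Get-AutoConfigUrl {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $item = Get-ItemProperty -Path "${Hive}:\$KeyPath" -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }     # value absent = no PAC script configured
    return $item.$ValueName
}

# 1. Baseline: HKLM is the key named in the thread; HKCU holds the per-user proxy settings.
foreach ($hive in 'HKLM', 'HKCU') {
    $url = Get-AutoConfigUrl -Hive $hive
    if ($url) { Write-Warning "$hive $ValueName is set to: $url" }
    else      { Write-Output  "$hive $ValueName is not set" }
}

# 2. Subscribe to change events for the HKLM value. WMI's RegistryValueChangeEvent
#    (namespace root\default) covers HKLM and HKU but not HKCU, and WQL string
#    literals need their backslashes doubled.
$wqlPath = $KeyPath.Replace('\', '\\')
$query   = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
           "AND KeyPath='$wqlPath' AND ValueName='$ValueName'"

Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier 'AutoConfigUrlWatch' `
    -MessageData @{ KeyPath = $KeyPath; ValueName = $ValueName; LogFile = $LogFile } -Action {
        $d    = $Event.MessageData
        $cur  = (Get-ItemProperty -Path "HKLM:\$($d.KeyPath)" -Name $d.ValueName -ErrorAction SilentlyContinue).$($d.ValueName)
        $line = "{0} {1} changed, now: {2}" -f (Get-Date -Format 's'), $d.ValueName, $(if ($cur) { $cur } else { '<removed>' })
        Add-Content -Path $d.LogFile -Value $line   # persists even if the console is closed
        Write-Host $line
    } | Out-Null

Write-Output "Watching HKLM\$KeyPath\$ValueName; changes are appended to $LogFile"
# Stop watching with: Unregister-Event -SourceIdentifier 'AutoConfigUrlWatch'
# This detects a change; it does not prevent one. Anything running with admin
# rights can still rewrite the value, so the fix is still to find and remove
# whatever is writing it (here, a scheduled task and the binary it launched).
```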



#11 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 19 August 2016 - 01:06 PM

Please run FRST again and post the log. If you reformat, it would take care of the problem, if you can do that.




#12 ethan_hines
  • Topic Starter
  • Members
  • 8 posts

Posted 19 August 2016 - 06:54 PM

Well, I think I have traced it down to a VERY sneaky Trojan which replaced my ISUSPM.exe in C:\Program Files (x86)\Common Files\InstallShield\updateservices\ISUSPM.exe and set up a scheduled task to run at 6pm every day.....nice huh? Well...it's gone now. I thank you for your time and dedication to this nefarious unrelenting battle.



#13 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 19 August 2016 - 09:16 PM

Quoting ethan_hines: "Well...it's gone now. I thank you for your time and dedication to this nefarious unrelenting battle."

What do you mean it's gone now?




#14 ethan_hines
  • Topic Starter
  • Members
  • 8 posts

Posted 19 August 2016 - 09:29 PM

I mean my proxy settings are staying correct. No more manipulation.

#15 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 22 August 2016 - 07:23 AM

That file was the file I suspected had been infected.


It Appears That Your PC Is Now Clean!

***



Clean up:

***



Right-click  AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.


***



Clean up with delfix:
  • Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process.

***



Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.

***



Here are some preventive tips to reduce the potential for spyware infection in the future:

Step 1: Browse more securely.

Step 2: Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows Update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in the left-hand task pane).

Step 3: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important channel to spread their wares.

Step 4: Use only one anti-virus software and keep it up to date.

Step 5: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

Step 6: Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

Step 7: Use strong passwords!

Step 8: Email attachments
Do not open any unknown email attachments that you received without asking for them!


Extra note:
Keep your browser, Java, PDF reader and Adobe Flash up to date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date, because older versions may contain security leaks.






