
proxy server hijack


38 replies to this topic

#1 Fksociety


Posted 03 January 2017 - 08:54 AM

Hi,

 

Firstly, I installed one malicious software from a website (MY MISTAKE); after that my laptop started running some software by itself.

It started installing and running the software in the background. And then I uninstalled some unknown software which was not installed by me.

And then after cleaning, opening every browser showed a hijacker website like yeadb,cc (bla bla). After running Malwarebytes, I got almost 7000 threats identified and deleted them in Malwarebytes. But after opening Chrome the error "There is no internet connection" is coming (see the attached screenshot SS.png). I think there is still a proxy server hijacker virus in my laptop. Please help me to fix this.





#2 nasdaq

  • Malware Response Team

Posted 05 January 2017 - 09:22 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===


Please post the logs for my review.

Wait for further instructions.

#3 Fksociety

  • Topic Starter

Posted 05 January 2017 - 09:42 AM

Thanks for your response.

 

FRST file: FRST.txt (attached)

Addition file: Addition.txt (attached)



#4 nasdaq

  • Malware Response Team

Posted 06 January 2017 - 09:10 AM


ATTENTION: System Restore is disabled
Turn your System Restore ON - Windows Help
https://support.microsoft.com/en-us/help/17228/windows-protect-my-pc-from-viruses
---

Remove this program (in bold) via the Control Panel > Programs > Programs and Features.
Youtube Downloader HD v. 2.9.9.25 (HKLM-x32\...\Youtube Downloader HD_is1) (Version: - YoutubeDownloaderHD.com)
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  -> No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: No Name -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\kannanyaso\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-05]
CHR Extension: (Chrome Media Router) - C:\Users\kannanyaso\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-05]
CHR HKU\S-1-5-21-2474219217-2653382505-2039235548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2474219217-2653382505-2039235548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2474219217-2653382505-2039235548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ckiffeoeeefajohcpadlcdnkiahkmdfp] - <no Path/update_url>
CHR HKU\S-1-5-21-2474219217-2653382505-2039235548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2474219217-2653382505-2039235548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2474219217-2653382505-2039235548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [gccplojjfpdbeidicabkegekmcplafee] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2474219217-2653382505-2039235548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hkdmihdclhhoghpojiifklmegjnjkdlh] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2474219217-2653382505-2039235548-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ikdlehiegikpggplngbmpdgnidekfmjn] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ckiffeoeeefajohcpadlcdnkiahkmdfp] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gccplojjfpdbeidicabkegekmcplafee] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hkdmihdclhhoghpojiifklmegjnjkdlh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ikdlehiegikpggplngbmpdgnidekfmjn] - hxxps://clients2.google.com/service/update2/crx
S3 ewusbmbb; \SystemRoot\system32\DRIVERS\ewusbwwan.sys [X]
S3 ew_hwusbdev; \SystemRoot\system32\DRIVERS\ew_hwusbdev.sys [X]
S3 huawei_enumerator; \SystemRoot\System32\drivers\ew_jubusenum.sys [X]
S3 hwdatacard; \SystemRoot\system32\DRIVERS\ewusbmdm.sys [X]
S3 massfilter; system32\drivers\massfilter.sys [X]
S2 MBAMChameleon; \SystemRoot\system32\drivers\MBAMChameleon.sys [X]
S3 MBAMFarflt; \??\C:\Windows\system32\drivers\farflt.sys [X]
S3 MBAMProtection; \??\C:\Windows\system32\drivers\mbam.sys [X]
S3 MBAMWebProtection; \??\C:\Windows\system32\drivers\mwac.sys [X]
S3 ZTEusbmdm6k; \SystemRoot\system32\DRIVERS\ZTEusbmdm6k.sys [X]
S3 ZTEusbnet; \SystemRoot\system32\DRIVERS\ZTEusbnet.sys [X]
S3 ZTEusbnmea; \SystemRoot\system32\DRIVERS\ZTEusbnmea.sys [X]
S3 ZTEusbser6k; \SystemRoot\system32\DRIVERS\ZTEusbser6k.sys [X]
S3 ZTEusbvoice; \SystemRoot\system32\DRIVERS\ZTEusbvoice.sys [X]
Task: {53EDEBA0-AB32-437B-A50B-0EF316FB8E5F} - System32\Tasks\WinVDA => slp.exe
Task: {EB4AFC33-0F25-4405-9244-3139252D963F} - System32\Tasks\WinDriver => slp.exe
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2832\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2831\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2830\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2829\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2828\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2826\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2825\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2823\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2822\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2821\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2820\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2819\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2818\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2817\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2815\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2812\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2810\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2809\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2808\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2807\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2806\C\Users\kannanyaso\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://yeabd66.cc/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2651\C\Users\kannanyaso\Desktop\chrome - Shortcut.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://9o0gle.com/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2650\C\Users\kannanyaso\Desktop\chrome - Shortcut.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://9o0gle.com/
ShortcutWithArgument: C:\Users\kannanyaso\AppData\Local\Microsoft\Windows\FileHistory\Data\2648\C\Users\kannanyaso\Desktop\chrome - Shortcut.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\KANNAN~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://9o0gle.com/
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon which is located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

If the problem persists after a restart of the computer then we still have work to do.

SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
  • :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TcpIP\Parameters\Search List /sub
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===



p.s.
These programs should be updated.
Will take care of them when all is well.

Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.286 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Java 7 Update 79 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417079FF}) (Version: 7.0.790 - Oracle)
===


Please post the Fixlog.txt and the SystemLook.txt files, and let me know what problem persists with this computer.
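The fixlist above removes two persistence patterns that are easy to miss by eye: Chrome desktop shortcuts whose arguments side-load an unpacked extension and force a start URL, and extension registrations with no Web Store update_url. The Python triage script below is an added example (not code from the thread or from the Farbar tool) that scans FRST-style lines for exactly those patterns; its sample lines are constructed and only mirror the log's shape.

```python
"""Triage helper for FRST-style log lines.

Added example, not part of the thread above and not code from the Farbar
tool. It flags the two patterns the fixlist above removes: Chrome shortcuts
whose arguments side-load an extension or force a start URL, and Chrome
extensions registered in the registry with no Web Store update_url.
The sample lines are constructed; only their shape mirrors the FRST log.
"""
import re
from dataclasses import dataclass
from typing import List

# Shape of the two FRST line types handled here.
SHORTCUT_RE = re.compile(
    r"^ShortcutWithArgument: (?P<lnk>.+?\.lnk) -> (?P<target>.+?\.exe)"
    r"(?: \([^)]*\))? -> (?P<args>.*)$"
)
EXTENSION_RE = re.compile(
    r"^CHR .*\\Chrome\\Extension: \[(?P<id>[a-p]{32})\] - (?P<src>.*)$"
)
LOAD_EXT_RE = re.compile(r'--load-extension="?(?P<path>[^"\s]+)"?')
URL_RE = re.compile(r"\bhxxps?://\S+", re.IGNORECASE)  # FRST defangs http as hxxp
STORE_UPDATE_HOST = "clients2.google.com/service/update2/crx"


@dataclass
class Finding:
    kind: str    # short machine-readable label
    detail: str  # path, URL or extension id the finding is about
    line: str    # the original log line


def triage_line(line: str) -> List[Finding]:
    """Return zero or more findings for one FRST log line."""
    line = line.rstrip()
    findings: List[Finding] = []

    m = SHORTCUT_RE.match(line)
    if m:
        args = m.group("args").strip()
        # A shortcut that passes --load-extension side-loads an unpacked
        # extension every time the browser is launched from that icon.
        ext = LOAD_EXT_RE.search(args)
        if ext:
            findings.append(Finding("shortcut-sideloads-extension", ext.group("path"), line))
        # A bare URL in the shortcut arguments forces that page open on start.
        for url in URL_RE.findall(args):
            findings.append(Finding("shortcut-forces-start-url", url, line))
        return findings

    m = EXTENSION_RE.match(line)
    if m:
        src = m.group("src").strip()
        # Store-hosted extensions update from clients2.google.com; anything else
        # (no update_url, or a third-party URL) was installed outside the store.
        if STORE_UPDATE_HOST not in src:
            findings.append(Finding("extension-not-store-hosted", f"{m.group('id')} <- {src}", line))
    return findings


def triage(lines):
    """Run triage_line over an iterable of log lines."""
    results: List[Finding] = []
    for line in lines:
        results.extend(triage_line(line))
    return results


def sideloaded_extension_dirs(findings):
    """Distinct unpacked-extension directories referenced by flagged shortcuts."""
    return sorted({f.detail for f in findings if f.kind == "shortcut-sideloads-extension"})


# Constructed sample: a clean store extension, an extension with no update_url,
# a hijacked Chrome shortcut, a benign shortcut and an unrelated service line.
SAMPLE_LINES = [
    r"CHR HKLM-x32\...\Chrome\Extension: [abcdefghijklmnopabcdefghijklmnop] - hxxps://clients2.google.com/service/update2/crx",
    r"CHR HKLM-x32\...\Chrome\Extension: [ponmlkjihgfedcbaponmlkjihgfedcba] - <no Path/update_url>",
    r'ShortcutWithArgument: C:\Users\user\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --load-extension="C:\Users\USER~1\AppData\Local\ponmlkjihgfedcbaponmlkjihgfedcba" hxxp://start-page.example/',
    r"ShortcutWithArgument: C:\Users\user\Desktop\Notepad.lnk -> C:\Windows\notepad.exe (Microsoft Corporation) -> C:\notes.txt",
    r"S3 massfilter; system32\drivers\massfilter.sys [X]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:32} {f.detail}")
    print("side-loaded extension dirs:", sideloaded_extension_dirs(triage(SAMPLE_LINES)))
```

Feed it a real FRST.txt line by line to get the same findings; the directory list it returns is what you would add to the fixlist for deletion once the shortcuts are replaced.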


#5 Fksociety

  • Topic Starter

Posted 06 January 2017 - 09:47 AM

Fixlog: Fixlog.txt (attached)

SystemLook log: SystemLook.txt (attached)



#6 nasdaq

  • Malware Response Team

Posted 11 January 2017 - 08:20 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
resetieproxy;

Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#7 Fksociety

  • Topic Starter

Posted 11 January 2017 - 09:34 AM

Attached: zoek-results.log

 

Still my problem exists after the run!

 



#8 nasdaq

  • Malware Response Team

Posted 11 January 2017 - 10:44 AM

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#9 Fksociety

  • Topic Starter

Posted 11 January 2017 - 12:01 PM

RogueKiller V12.9.2.0 (x64) [Jan  9 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : kannanyaso [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/11/2017 21:24:29 (Duration : 00:43:23)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 11 ¤¤¤
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468} -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2474219217-2653382505-2039235548-1001\Software\csastats -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2474219217-2653382505-2039235548-1001\Software\ProductSetup -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2474219217-2653382505-2039235548-1001\Software\csastats -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2474219217-2653382505-2039235548-1001\Software\ProductSetup -> Found
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | bdx :  [x] -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2474219217-2653382505-2039235548-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2474219217-2653382505-2039235548-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path|VT.Unknown] %WINDIR%\Tasks\{3D7FF45F-98F9-06BF-C6D3-613EE174144D}.job -- C:\Users\KANNAN~1\AppData\Local\3D7FF4~1\Sync.exe (/Check) -> Found

¤¤¤ Files : 10 ¤¤¤
[File.Forged|VT.Unknown][File] C:\Windows\System32\drivers\EsgScanner.sys -> Found
[PUP.Gen1][Folder] C:\Users\kannanyaso\AppData\Roaming\Easeware -> Found
[Tr.Gen0][File] C:\Users\kannanyaso\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\kannanyaso\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\kannanyaso\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\kannanyaso\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\kannanyaso\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\kannanyaso\AppData\Roaming\uTorrent\updates\3.4.8_42449\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\kannanyaso\AppData\Roaming\uTorrent\updates\3.4.8_42576\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\kannanyaso\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.Proxy][Firefox:Config] dhkpy82g.default : user_pref("network.proxy.http", "127.0.0.1"); -> Found
[PUM.Proxy][Firefox:Config] dhkpy82g.default : user_pref("network.proxy.http_port", 8080); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BPVT-22JJ5T0 +++++
--- User ---
[MBR] cd8a8fead3f220082f1606a23e602f18
[BSP] 9f9f1a61b41a27603082e309ddb58b9b : Linux|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18432 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 37750784 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 37955584 | Size: 106184 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 255422462 | Size: 180526 MB
User = LL1 ... OK
User = LL2 ... OK

 

 

Above are the contents of the scan, and I didn't delete only the RED items; I've deleted every threat after the scan. Is it okay?



#10 nasdaq

  • Malware Response Team

Posted 11 January 2017 - 01:52 PM


Run the RogueKiller tool and delete these entries.

[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468} -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2474219217-2653382505-2039235548-1001\Software\csastats -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2474219217-2653382505-2039235548-1001\Software\ProductSetup -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2474219217-2653382505-2039235548-1001\Software\csastats -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2474219217-2653382505-2039235548-1001\Software\ProductSetup -> Found
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | bdx : [x] -> Found
[Suspicious.Path|VT.Unknown] %WINDIR%\Tasks\{3D7FF45F-98F9-06BF-C6D3-613EE174144D}.job -- C:\Users\KANNAN~1\AppData\Local\3D7FF4~1\Sync.exe (/Check) -> Found
[File.Forged|VT.Unknown][File] C:\Windows\System32\drivers\EsgScanner.sys -> Found
[PUP.Gen1][Folder] C:\Users\kannanyaso\AppData\Roaming\Easeware -> Found


Restart the computer normally.

How is it now?

p.s.
[PUM.Proxy][Firefox:Config] dhkpy82g.default : user_pref("network.proxy.http", "127.0.0.1"); -> Found
[PUM.Proxy][Firefox:Config] dhkpy82g.default : user_pref("network.proxy.http_port", 8080); -> Found


These I believe are from this VPN
HKLM-x32\...\Run: [PD-Proxy] => I:\download\PD-Proxy_VPN\PD-Proxy_2.2.0\PD-Launcher.exe

FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.ftp", ""
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.ftp_port", 0
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.socks", ""
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.socks_port", 0
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.ssl", ""
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.ssl_port", 0
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> ftp", "127.0.0.1"
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> ftp_port", 8080
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> http", "127.0.0.1"
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> http_port", 8080
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> no_proxies_on", ""
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> share_proxy_settings", true
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> socks", "127.0.0.1"
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> socks_port", 8080
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> ssl", "127.0.0.1"
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> ssl_port", 8080
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> type", 1

Are you still using it?
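The two PUM.Proxy lines above describe a manual Firefox proxy at 127.0.0.1:8080, which only works while a local client such as the VPN launcher is listening on that port; once that client is gone, every request fails and the browser reports no connection. The Python audit below is an added example (not code from the thread, RogueKiller or FRST) that parses prefs.js user_pref lines, reports the proxy configuration with that loopback caveat, and returns a cleaned prefs text; its sample prefs are constructed to mirror the findings above.

```python
"""Audit and neutralise manual-proxy settings in a Firefox prefs.js / user.js.

Added example, not from the thread and not RogueKiller or FRST code. A manual
proxy (network.proxy.type = 1) pointing at 127.0.0.1:8080 keeps working only
while some local client (here, the VPN launcher) is listening on that port;
once it is gone, every request fails with a "no internet" style error.
The sample prefs text below is constructed to mirror the findings above.
"""
import re
from typing import Any, Dict, List

PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+?)\);\s*$')
PROXY_TYPE_NAMES = {0: "direct", 1: "manual", 2: "PAC script", 4: "auto-detect (WPAD)", 5: "system"}
PROTOCOLS = ("http", "ssl", "ftp", "socks")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_prefs(text: str) -> Dict[str, Any]:
    """Parse user_pref lines into a dict; strings, booleans and integers are typed."""
    prefs: Dict[str, Any] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        raw = m.group("value").strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value: Any = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[m.group("name")] = value
    return prefs


def audit_proxy(prefs: Dict[str, Any]) -> List[str]:
    """Describe any non-default proxy configuration; an empty list means nothing to report."""
    findings: List[str] = []
    # An absent pref means Firefox's default: 5, use the operating system's proxy settings.
    ptype = prefs.get("network.proxy.type", 5)
    if ptype == 1:
        for proto in PROTOCOLS:
            host = prefs.get(f"network.proxy.{proto}", "")
            port = prefs.get(f"network.proxy.{proto}_port", 0)
            if host:
                note = f"manual {proto} proxy {host}:{port}"
                if host in LOOPBACK:
                    note += " (loopback: works only while a local proxy/VPN client listens there)"
                findings.append(note)
    elif ptype == 2:
        findings.append(f"PAC script {prefs.get('network.proxy.autoconfig_url', '')!r}")
    elif ptype not in PROXY_TYPE_NAMES:
        findings.append(f"unknown network.proxy.type {ptype!r}")
    return findings


def neutralize_proxy(text: str) -> str:
    """Return the prefs text with every network.proxy.* line removed.

    With the lines gone Firefox falls back to its defaults (type 5, no hosts),
    which is what the proxy-reset steps in the thread achieve by other means.
    """
    kept = [ln for ln in text.splitlines()
            if not ln.lstrip().startswith('user_pref("network.proxy.')]
    return "\n".join(kept) + "\n"


# Constructed sample modelled on the two PUM.Proxy lines in the RogueKiller report.
SAMPLE_PREFS = """\
// Mozilla User Preferences (constructed sample)
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("browser.startup.homepage", "about:home");
"""

if __name__ == "__main__":
    for note in audit_proxy(parse_prefs(SAMPLE_PREFS)):
        print("finding:", note)
    print("after neutralising:", audit_proxy(parse_prefs(neutralize_proxy(SAMPLE_PREFS))))
```

Run it against the prefs.js of the affected profile with Firefox closed; writing the cleaned text back is equivalent to the reset the helper asks for, and leaves unrelated prefs untouched.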

#11 Fksociety

  • Topic Starter

Posted 12 January 2017 - 01:12 AM

I've already deleted those entries on my first scan. And I rescanned in RogueKiller. After the scan there are no entries which you have said to delete. Only

 

[PUM.Proxy][Firefox:Config] dhkpy82g.default : user_pref("network.proxy.http", "127.0.0.1"); -> Found
[PUM.Proxy][Firefox:Config] dhkpy82g.default : user_pref("network.proxy.http_port", 8080); -> Found

 

these threats showed and I didn't delete these; I left them as they are. After restarting the laptop, Chrome worked for a minute and showed the "NO INTERNET CONNECTION" error after the minute.

 

 

 

p.s.
[PUM.Proxy][Firefox:Config] dhkpy82g.default : user_pref("network.proxy.http", "127.0.0.1"); -> Found
[PUM.Proxy][Firefox:Config] dhkpy82g.default : user_pref("network.proxy.http_port", 8080); -> Found


These I believe are from this VPN
HKLM-x32\...\Run: [PD-Proxy] => I:\download\PD-Proxy_VPN\PD-Proxy_2.2.0\PD-Launcher.exe

FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.ftp", ""
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.ftp_port", 0
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.socks", ""
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.socks_port", 0
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.ssl", ""
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> backup.ssl_port", 0
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> ftp", "127.0.0.1"
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> ftp_port", 8080
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> http", "127.0.0.1"
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> http_port", 8080
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> no_proxies_on", ""
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> share_proxy_settings", true
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> socks", "127.0.0.1"
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> socks_port", 8080
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> ssl", "127.0.0.1"
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> ssl_port", 8080
FF NetworkProxy: Mozilla\Firefox\Profiles\dhkpy82g.default -> type", 1

Are you still using it?

 

I don't understand this part?

 

P.S: I can't connect to the internet in all my browsers like Chrome, Opera and IE. But I'm using the internet via FF using a FoxyProxy addon. This addon helps me to connect to the internet. Without that addon I can't connect to the internet in FF either.



#12 nasdaq

  • Malware Response Team

Posted 12 January 2017 - 09:45 AM

Lets just do this for now.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.

Re-install Chrome and the Bookmarks.

Is Chrome running OK now?

#13 Fksociety

  • Topic Starter

Posted 12 January 2017 - 10:16 AM

Reinstalled like you said; still my problem exists.

 

THERE IS NO INTERNET CONNECTION -error in chrome.

 

P.s: I already reinstalled Chrome before; all my saved bookmarks were deleted previously. So there is no bookmark now to back up!


Edited by Fksociety, 12 January 2017 - 10:17 AM.


#14 nasdaq

  • Malware Response Team

Posted 12 January 2017 - 10:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

Reboot:


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Is Chrome OK now?

#15 Fksociety

  • Topic Starter

Posted 12 January 2017 - 10:29 AM

Does this reply belong to this post? Just to make sure, because you're introducing yourself once again. I hope this reply is not for another post.


Edited by Fksociety, 12 January 2017 - 10:29 AM.




