
hijack.autoconfigURL



Hi,

 

I ran Malwarebytes free multiple times and always cleaned the occurrences. However, "hijack.autoconfigURL" keeps popping up again. Malwarebytes finds it, cleans it, and later it reappears.

Attached FRST and Additions as per instructions.

 

Please help.

 

PS.

I found a topic with a very similar problem:

https://forums.malwarebytes.org/index.php?/topic/177480-hijackautoconfigurl/?hl=autoconfigurl

FRST.txt

Addition.txt


Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....
 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...
 

 

Next,

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under the Non-Malware Protection sub tab, change PUP and PUM entries to Treat detections as Malware.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…



Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,
 
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.



Next,

 

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator”; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs, also give an update on any remaining issues or concerns...

 

Thank you,

 

Kevin...
 

Fixlist.txt


Hi Kevin. Frustrated here (not desperate yet...)

 

 

 

posting logs below.

A quick summary:

 

Apologies: ran FRST in Portuguese -- only noticed it after the log was completed. I think it can mostly be understood; a few translations just before the log :)
then:

. started Malwarebytes. Detected hijack autoconfigURL again. Sigh.
. adwcleaner: came clean
. jrt: removed stuff.
. check on registry shows hijack autoconfigURL reappeared! Left it there to see if remaining check would take care of it.
. Microsoft® Windows® Malicious Software Removal Tool (KB890830) x64: came clean
   registry still had it though. So I went ahead and (out of curiosity or stupidity...) edited it from "http://stop-block.org/..." to "nonono"

 

Thank you for your attention!

 

 

to the logs:

FRST: ------------------------------------------------------------------------------------------------------------------------------

não encontrado == not found
removido (a) com sucesso == removed successfully
VBoxAswDrv => serviço Não pode ser removido == service could not be deleted (stopped/removed?)

 

Resultado da Correção pela Farbar Recovery Scan Tool (x64) Versão:07-02-2016
Executado por amigo (2016-02-11 06:52:20) Run:1
Executando a partir de C:\Users\amigo\Desktop
Perfis Carregados: amigo (Perfis Disponíveis: amigo & carlos & Marisa & outr & a)
Modo da Inicialização: Normal
==============================================

fixlist Conteúdo:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-818743734-4024278451-580313599-1000\...\MountPoints2: {520511f3-e796-11e1-82f0-1c7508e29205} - E:\AutoRun.exe
HKU\S-1-5-21-818743734-4024278451-580313599-1000\...\MountPoints2: {52051201-e796-11e1-82f0-1c7508e29205} - E:\AutoRun.exe
HKU\S-1-5-21-818743734-4024278451-580313599-1000\...\MountPoints2: {52051231-e796-11e1-82f0-1c7508e29205} - E:\AutoRun.exe
HKU\S-1-5-21-818743734-4024278451-580313599-1000\...\MountPoints2: {62c4af24-c316-11e3-b46b-1c7508e29205} - E:\AutoRun.exe
GroupPolicy: Restrição - Chrome <======= ATENÇÃO
CHR HKLM\SOFTWARE\Policies\Google: Restrição <======= ATENÇÃO
AutoConfigURL: [s-1-5-21-818743734-4024278451-580313599-1000] => hxxp://stop-block.org/wpad.dat?c2a59fa55a1ba96080f10660090a54b45951430
S3 cpuz134; \??\C:\Users\amigo\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]
C:\Users\amigo\AppData\Local\Temp\jre-8u60-windows-au.exe
C:\Users\amigo\AppData\Local\Temp\sqlite3.exe
AlternateDataStreams: C:\ProgramData\Temp:4D066AD2
AlternateDataStreams: C:\ProgramData\Temp:5D7E5A8F
AlternateDataStreams: C:\ProgramData\Temp:798A3728
AlternateDataStreams: C:\ProgramData\Temp:93EB7685
AlternateDataStreams: C:\ProgramData\Temp:CDFF58FE
AlternateDataStreams: C:\ProgramData\Temp:E1F04E8D
AlternateDataStreams: C:\ProgramData\Temp:E3C56885
AlternateDataStreams: C:\Users\Todos os Usuários\Temp:4D066AD2
AlternateDataStreams: C:\Users\Todos os Usuários\Temp:5D7E5A8F
AlternateDataStreams: C:\Users\Todos os Usuários\Temp:798A3728
AlternateDataStreams: C:\Users\Todos os Usuários\Temp:93EB7685
AlternateDataStreams: C:\Users\Todos os Usuários\Temp:CDFF58FE
AlternateDataStreams: C:\Users\Todos os Usuários\Temp:E1F04E8D
AlternateDataStreams: C:\Users\Todos os Usuários\Temp:E3C56885
EmptyTemp:
end



*****************

Ponto de Restauração criado com sucesso.
Processos fechados com sucesso.
"HKU\S-1-5-21-818743734-4024278451-580313599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{520511f3-e796-11e1-82f0-1c7508e29205}" => chave removido (a) com sucesso.
HKCR\CLSID\{520511f3-e796-11e1-82f0-1c7508e29205} => chave não encontrado (a).
"HKU\S-1-5-21-818743734-4024278451-580313599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52051201-e796-11e1-82f0-1c7508e29205}" => chave removido (a) com sucesso.
HKCR\CLSID\{52051201-e796-11e1-82f0-1c7508e29205} => chave não encontrado (a).
"HKU\S-1-5-21-818743734-4024278451-580313599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{52051231-e796-11e1-82f0-1c7508e29205}" => chave removido (a) com sucesso.
HKCR\CLSID\{52051231-e796-11e1-82f0-1c7508e29205} => chave não encontrado (a).
"HKU\S-1-5-21-818743734-4024278451-580313599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{62c4af24-c316-11e3-b46b-1c7508e29205}" => chave removido (a) com sucesso.
HKCR\CLSID\{62c4af24-c316-11e3-b46b-1c7508e29205} => chave não encontrado (a).
C:\Windows\system32\GroupPolicy\Machine => movido com sucesso
C:\Windows\system32\GroupPolicy\GPT.ini => movido com sucesso
"HKLM\SOFTWARE\Policies\Google" => chave removido (a) com sucesso.
HKU\S-1-5-21-818743734-4024278451-580313599-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => valor removido (a) com sucesso.
cpuz134 => serviço removido (a) com sucesso.
VBoxAswDrv => serviço Não pode ser removido
C:\Users\amigo\AppData\Local\Temp\jre-8u60-windows-au.exe => movido com sucesso
C:\Users\amigo\AppData\Local\Temp\sqlite3.exe => movido com sucesso
C:\ProgramData\Temp => ":4D066AD2" ADS removido (a) com sucesso..
C:\ProgramData\Temp => ":5D7E5A8F" ADS removido (a) com sucesso..
C:\ProgramData\Temp => ":798A3728" ADS removido (a) com sucesso..
C:\ProgramData\Temp => ":93EB7685" ADS removido (a) com sucesso..
C:\ProgramData\Temp => ":CDFF58FE" ADS removido (a) com sucesso..
C:\ProgramData\Temp => ":E1F04E8D" ADS removido (a) com sucesso..
C:\ProgramData\Temp => ":E3C56885" ADS removido (a) com sucesso..
"C:\Users\Todos os Usuários\Temp" => ":4D066AD2" ADS não encontrado (a).
"C:\Users\Todos os Usuários\Temp" => ":5D7E5A8F" ADS não encontrado (a).
"C:\Users\Todos os Usuários\Temp" => ":798A3728" ADS não encontrado (a).
"C:\Users\Todos os Usuários\Temp" => ":93EB7685" ADS não encontrado (a).
"C:\Users\Todos os Usuários\Temp" => ":CDFF58FE" ADS não encontrado (a).
"C:\Users\Todos os Usuários\Temp" => ":E1F04E8D" ADS não encontrado (a).
"C:\Users\Todos os Usuários\Temp" => ":E3C56885" ADS não encontrado (a).
EmptyTemp: => 682.3 MB de dados temporários Removidos.


O sistema precisou ser reiniciado.

==== Fim de Fixlog 06:54:49 ====

 

 

Malwarebytes Anti-Malware.---------------------------------------------------------------------------------------------------------

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/02/2016
Scan Time: 07:19
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.11.01
Rootkit Database: v2016.02.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: amigo

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 508245
Time Elapsed: 27 min, 41 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Hijack.AutoConfigURL.PrxySvrRST, HKU\S-1-5-21-818743734-4024278451-580313599-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://stop-block.org/wpad.dat?c2a59fa55a1ba96080f10660090a54b45951430, Quarantined, [a5c880df8217d46201f1c5900afafc04]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

AdwCleaner --------------------------------------------------------------------------------------------------------------------------------------

# AdwCleaner v5.033 - Logfile created 11/02/2016 at 07:53:21
# Updated 07/02/2016 by Xplode
# Database : 2016-02-07.2 [server]
# Operating system : Windows 7 Home Basic Service Pack 1 (x64)
# Username : amigo - ELEW
# Running from : C:\Users\amigo\Desktop\adwcleaner_5.033.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[s5].txt - [582 bytes] ##########

 

 

JRT-------------------------------------------------------------------------------------------------------------------------------------------

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 7 Home Basic x64
Ran by amigo (Administrator) on 11/02/2016 at 8:03:15,21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 39

Successfully deleted: C:\Users\amigo\AppData\Local\{07AA7C36-C432-4436-9AF2-5C9EC440486C} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{0BA5EE93-7F32-411B-AF80-587BC9C30C69} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{0F78BF07-6A29-43C9-A0FA-3749AE540ABD} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{1A19EC88-D631-4337-8376-ABFEB467FE06} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{2168E050-6157-4CDA-9C88-5C6C19086464} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{24F74DE3-ED5D-4DF0-AD6F-60390F56094F} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{2A506023-6179-4BA5-BBF5-299CBEE8711B} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{40E2ACC6-8126-4072-9711-E165E6828E0E} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{45E40511-4A4E-4253-AF51-399E86BE5D93} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{467BC5EC-32C7-4B21-A520-5D215237B93A} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{47DF079B-9A5B-4B95-92AE-6100A623CFE1} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{4815E52D-D950-4DCD-B8CD-1E99A2107E41} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{5ECF6B28-0ACE-4EEC-91DD-DD45B073F314} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{679B28DE-3C5E-485B-8CD1-53C0293533ED} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{6C803B56-0041-4314-AFBA-F44730B78509} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{731D7EEE-30FD-48F0-ABA7-99CC01D0A927} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{7D817777-9970-413B-B6DC-F12D10DF885E} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{80B10D59-8975-45BA-999A-8312FAB5B702} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{822FCA04-13C8-46DF-B57B-DA1211C76AF3} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{83041BF4-B5C2-4221-9060-B8B0167437CA} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{8D01225C-17C8-4D90-8F36-8820F106CDA4} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{93D9006E-A45D-4BAD-9DC2-8FCB8D22BE32} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{9B78A8D2-2B8D-4B52-B9E7-2610CEDBFD62} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{9DD4BE3A-0DF7-402A-9FBA-D04C35606B48} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{B47B588B-D21F-461D-A462-9E0800855A64} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{BF86DD4F-609D-4DC6-9D69-4CB2797D9AF8} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{C41C7128-CECA-4ED1-A4C8-11F4A7BB6144} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{D2FE456E-4E5A-4B91-A070-DC2AC13813A0} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{D39B962F-B8BF-4BF8-8FF2-095D1B07A4B4} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{DDF7936F-0276-4C35-8C98-84A60346A9A5} (Empty Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\{E3B10400-1F1A-4028-9C48-B6F2ADEF83FC} (Empty Folder)
Successfully deleted: C:\Windows\system32\Tasks\update-S-1-5-21-818743734-4024278451-580313599-1000 (Task)
Successfully deleted: C:\Windows\system32\Tasks\update-sys (Task)
Successfully deleted: C:\Windows\Tasks\update-S-1-5-21-818743734-4024278451-580313599-1000.job (Task)
Successfully deleted: C:\Windows\Tasks\update-sys.job (Task)
Successfully deleted: C:\Users\amigo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7NEWUOZ1 (Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JEG0NVCO (Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNQJJZJC (Folder)
Successfully deleted: C:\Users\amigo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UW0X0L61 (Folder)



Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11/02/2016 at 8:07:59,48
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Microsoft's "Malicious Software Removal Tool" -----------------------------------------------------------------------------------------------

 

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.33, February 2016 (build 5.33.12300.0)
Started On Thu Feb 11 08:15:08 2016

Engine: 1.1.12400.0
Signatures: 1.213.4702.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Feb 11 08:36:18 2016


Return code: 0 (0x0)

 

---

 

Problem remains. See summary at top of this post.


Yes, frustration seems to come with the type of malware you have on your system... Run the following:

 

Scan with ZOEK

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)

*.exe Mirror http://smeenk.247fixes.com/Tools/zoek.exe

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here or here

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console will appear, it may take a minute or two.
  • In the main box please paste in the following script:



createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns >>"%temp%\log.txt";b


  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)


Please include its content in your next reply. Don't forget to re-enable security software! 
Next,
 
Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report"; in the next window select "Export txt". The log will open as a text file; post that log... Also save it to your Desktop for reference.
  • Close the program > Don't Fix anything!

 

Let me see those logs in your reply,

 

Kevin...


So far so good: in the registry, I keep on checking the value of autoconfigURL. Recall that instead of deleting the entry (as Malwarebytes does), I switched the value to "nonono". A few hours went by and it has not changed yet.

 

 

I am using mostly Opera as web browser. Noticed ZOEK empties cache from browsers except Opera, so I'll go ahead and clean it manually.

 

Takes a (couple of) while(s) to run the exe's. --- got too much (useless) stuff lying around..

 

logs:

 

zoek ---------------------------------------------------------------------------------------

 

Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by amigo on 11/02/2016 at 10:26:23,55.
Microsoft Windows 7 Home Basic 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\amigo\Desktop\zoek.exe [scan all users] [script inserted]

==== System Restore Info ======================

11/02/2016 10:30:33 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Malwarebytes' Anti-Malware deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\Users\amigo\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\carlos\AppData\Roaming\Windows Live Writer deleted successfully
C:\Users\a\AppData\Local\VirtualStore deleted successfully
C:\Users\amigo\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\amigo\AppData\Local\EmieSiteList deleted successfully
C:\Users\amigo\AppData\Local\EmieUserList deleted successfully
C:\Users\carlos\AppData\Local\VirtualStore deleted successfully
C:\Users\outr\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Batch Command(s) Run By Tool======================


Configuração de IP do Windows

Liberação do Cache do DNS Resolver bem-sucedida.

==== Deleting Files \ Folders ======================

C:\PROGRA~2\CodeBlocks_Fortran_v0.7rc2_Win32 deleted
C:\PROGRA~2\Skillbrains deleted
C:\PROGRA~2\DF2F24CA-1455026937-E011-9FD6-1C7508E29205 deleted
C:\acpegath.XML deleted
C:\IbmEgath.XML deleted
C:\installing.exe deleted
C:\UNWISE.EXE deleted
C:\LOGFILE.txt deleted
C:\found.000 deleted
C:\PROGRA~3\OberonGameConsole deleted
C:\Users\amigo\AppData\Local\updater.log deleted
C:\Users\amigo\AppData\Local\Skillbrains deleted
C:\Users\amigo\Downloads\ReimageRepair.exe deleted
"C:\Users\amigo\AppData\Roaming\el" deleted
"C:\Users\amigo\AppData\Roaming\ele" deleted
"C:\Users\amigo\AppData\Roaming\id" deleted
"C:\Users\amigo\AppData\Roaming\iv" deleted
"C:\Users\amigo\AppData\Roaming\lg" deleted

==== Orphaned Tasks deleted from Registry ======================

avast Emergency Update deleted
clear.fiMovieService.exe_2204040761 deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [15/01/2016 14:08]

==== Firefox Extensions ======================

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\amigo\AppData\Roaming\Mozilla\Firefox\Profiles\uawkznjy.default
2645990C521342DCD08963D2DF6CD0D2 - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll - RealPlayer HTML5VideoShim Plug-In (32-bit)
10737B44923217BC0E67D26A9FC1F0AA - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll - RealNetworks Chrome Background Extension Plug-In (32-bit)
684F2DF31062413E094280891DCB6EE1 - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1219160.dll - Shockwave for Director / Shockwave for Director
863AF0003392FEBC2667A8A790DED955 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll - Shockwave Flash


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[29/11/2015 18:55]
jfmjfhklogoienhpfnppmbcbjfjnkonk - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx[08/06/2012 10:45]


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}] not found

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
HKCU\SearchScopes "DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LEW deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\amigo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

No FireFox Cache found

==== Empty Chrome Cache ======================

C:\Users\amigo\AppData\Local\Opera Software\Opera Stable\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=2127 folders=283 65220118 bytes)

==== Empty Temp Folders ======================

C:\Users\a\AppData\Local\Temp emptied successfully
C:\Users\amigo\AppData\Local\Temp will be emptied at reboot
C:\Users\carlos\AppData\Local\Temp emptied successfully
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Marisa\AppData\Local\Temp emptied successfully
C:\Users\outr\AppData\Local\Temp emptied successfully
C:\Users\USURIO~1\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\amigo\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on 11/02/2016 at 11:27:41,10 ======================

 

roguekiller-----------------------------------------------------------------------------------------

 

 

RogueKiller V11.0.11.0 [Feb 8 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : amigo [Administrator]
Started from : C:\Users\amigo\Desktop\RogueKiller.exe
Mode : Scan -- Date : 02/11/2016 12:22:14

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-818743734-4024278451-580313599-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer.msn.com-> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-818743734-4024278451-580313599-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer.msn.com-> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUP][FIREFX:Addon] uawkznjy.default : FirefixTab [deskCutv2@gmail.com] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD6400BPVT-22HXZT1 +++++
--- User ---
[MBR] 83a64ba8d456d71fb0f915414978fb64
[bSP] bcda1d304084279e0e4f37687d29a0ee : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31459328 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31664128 | Size: 595018 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 


Kevin,

 

so I cleaned the cache in OPERA (along with passwords, etc..) and also removed and reinstalled the connect-to-the-internet software (pen-modem). The files in the pen-drive should be clean so I figured it would not harm to reinstall.

 

Meantime, rebooted the laptop.

 

Just checked the registry again and it went back to the hijacked form.

HKU\...\autoconfigURL\http://stop-block.org/wpad.dat?c2a59fa55a1ba96080f10660090a54b45951430

 

big sigh...

 

I am considering looking for security patches to win7 (after a bad experience I stopped doing that). Just don´t know if it is useful while the system is somehow compromised.

 

Carlos


OK, first, thank you for the continuous help.

A couple of notes:

1. When it started a couple of days ago, and before coming to the forum, one of the first things I noticed was a change in the screen saver. Back then I just switched it back to black-screen, and it stayed so.

2. Back then somebody in a forum mentioned the hosts file windows/system32/drivers/etc/hosts. Sure enough there was some junk there that I commented out.

#127.0.0.1 down.baidu2016.com
#
#127.0.0.1 123.sogou.com
#
#127.0.0.1 www.czzsyzgm.com
#
#127.0.0.1 www.czzsyzxl.com

The rest of the file is commented out too, so that's that.

I realize this is most likely useless info, but it goes in for completeness.

Logs: all attached, FRST also pasted below

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-02-2016
Ran by amigo (administrator) on ELEW (11-02-2016 19:56:05)
Running from C:\Users\amigo\Desktop
Loaded Profiles: amigo (Available Profiles: amigo & carlos & Marisa & outr & a)
Platform: Windows 7 Home Basic Service Pack 1 (X64) Language: Português (Brasil)
Internet Explorer Version 11 (Default browser: "C:\Program Files (x86)\Opera\Opera.exe" "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(CyberLink) C:\Program Files (x86)\Acer\clear.fi\MVP\Kernel\DMR\DMREngine.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
() C:\ProgramData\DatacardService\HWDeviceService64.exe
(Opera Software) C:\Program Files (x86)\Opera\opera.exe
(Microsoft Corporation) C:\Windows\winsxs\amd64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7601.18917_none_cd438498869c9ff6\notepad.exe
(Microsoft Corporation) C:\Windows\winsxs\amd64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7601.18917_none_cd438498869c9ff6\notepad.exe
(Farbar) C:\Users\amigo\Desktop\EnglishFRST64.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7021880 2015-12-25] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-19\...\RunOnce: [isMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [isMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-21-818743734-4024278451-580313599-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8619224 2016-01-15] (Piriform Ltd)
HKU\S-1-5-21-818743734-4024278451-580313599-1000\...\Run: [HW_OPENEYE_OUC_VIVO INTERNET] => C:\Program Files (x86)\VIVO INTERNET\UpdateDog\ouc.exe [110592 2009-07-27] (Huawei Technologies Co., Ltd.)
HKU\S-1-5-21-818743734-4024278451-580313599-1000\...\MountPoints2: {95d2556f-d0d1-11e5-a2ef-1c7508e29205} - E:\AutoRun.exe
HKU\S-1-5-21-818743734-4024278451-580313599-1000\...\MountPoints2: {95d25584-d0d1-11e5-a2ef-1c7508e29205} - E:\AutoRun.exe
HKU\S-1-5-21-818743734-4024278451-580313599-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [KSS] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe [919296 2015-06-03] (Kaspersky Lab ZAO)
HKU\S-1-5-18\...\RunOnce: [isMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-12-25] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

AutoConfigURL: [s-1-5-21-818743734-4024278451-580313599-1000] => dont://stop-block.org/wpad.dat?c2a59fa55a1ba96080f10660090a54b45951430
Tcpip\Parameters: [DhcpNameServer] 4.2.2.2 8.8.8.8
Tcpip\..\Interfaces\{A844B53F-F60B-4408-9C98-299AC50C40E7}: [DhcpNameServer] 4.2.2.2 8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-818743734-4024278451-580313599-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-818743734-4024278451-580313599-1000 -> DefaultScope {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-818743734-4024278451-580313599-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-11-29] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2015-10-31] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-11-29] (AVAST Software)
BHO-x32: Auxiliar de Conexão do Windows Live ID -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-10-31] (Oracle Corporation)
IE Session Restore: HKU\S-1-5-21-818743734-4024278451-580313599-1000 -> is enabled.
DPF: HKLM-x32 {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u24-windows-i586.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

FireFox:
========
FF ProfilePath: C:\Users\amigo\AppData\Roaming\Mozilla\Firefox\Profiles\uawkznjy.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_226.dll [2015-10-31] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-31] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1219160.dll [2015-07-23] (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-10-31] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-10-31] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=15.0.4.53 -> c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll [2012-06-08] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprjplug;version=15.0.4.53 -> c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll [2012-06-08] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpchromebrowserrecordext;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2012-06-08] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprphtml5videoshim;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2012-06-08] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=15.0.4.53 -> c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll [2012-06-08] (RealPlayer)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-01-15]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-11-29]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2011-10-26]

Opera:
=======
OPR Extension: (Adblock Plus) - C:\Users\amigo\AppData\Roaming\Opera Software\Opera Stable\Extensions\oidhhegpmlfpoeialbgcdocjalghfpkp [2014-01-01]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [226440 2015-12-25] (AVAST Software)
S3 becldr3Service; C:\Program Files (x86)\BCL Technologies\easyConverter SDK 3\Common\becldr.exe [176128 2011-04-19] () [File not signed]
R2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-14] ()
S2 kss; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe [919296 2015-06-03] (Kaspersky Lab ZAO)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [257344 2010-11-11] (NTI Corporation)
R2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2259224 2016-01-03] (IBM Corp.)
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1042304 2016-02-09] (Enigma Software Group USA, LLC.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 AvastVBoxSvc; "C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-12-25] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [97648 2015-12-25] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-12-25] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-12-25] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1065208 2016-01-20] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [464256 2016-01-20] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [155304 2015-12-25] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [273784 2015-12-25] (AVAST Software)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2016-02-09] (Enigma Software Group USA, LLC.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-02-09] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 ONDAusbmdm6k; C:\Windows\System32\DRIVERS\ONDAusbmdm6k.sys [150656 2008-04-23] (ONDA Incorporated)
S3 ONDAusbnmea; C:\Windows\System32\DRIVERS\ONDAusbnmea.sys [150656 2008-04-23] (ONDA Incorporated)
S3 ONDAusbser6k; C:\Windows\System32\DRIVERS\ONDAusbser6k.sys [150656 2008-04-23] (ONDA Incorporated)
R1 RapportCerberus_1507079; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_1507079.sys [961880 2015-12-15] (IBM Corp.)
R1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [503320 2016-01-03] (IBM Corp.)
R0 RapportHades64; C:\Windows\System32\Drivers\RapportHades64.sys [141304 2016-01-03] (IBM Corp.)
S3 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [396152 2016-01-03] (IBM Corp.)
R1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [496408 2016-01-03] (IBM Corp.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-02-11] ()
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-11 16:57 - 2016-02-11 16:57 - 00001019 _____ C:\Users\Public\Desktop\Kaspersky Security Scan.lnk
2016-02-11 16:57 - 2016-02-11 16:57 - 00000000 ____D C:\Users\Todos os Usuários\Kaspersky Lab
2016-02-11 16:57 - 2016-02-11 16:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Security Scan
2016-02-11 16:57 - 2016-02-11 16:57 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2016-02-11 16:57 - 2016-02-11 16:57 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab
2016-02-11 16:34 - 2016-02-11 16:34 - 00000000 ____D C:\Users\amigo\Desktop\kaspersky
2016-02-11 13:25 - 2016-02-11 13:25 - 00001204 _____ C:\Users\Public\Desktop\Segurança Online.lnk
2016-02-11 13:25 - 2016-02-11 13:25 - 00001186 _____ C:\Users\Public\Desktop\Kantoo English.lnk
2016-02-11 13:25 - 2016-02-11 13:25 - 00001031 _____ C:\Users\Public\Desktop\VIVO INTERNET.lnk
2016-02-11 13:25 - 2016-02-11 13:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VIVO INTERNET
2016-02-11 13:25 - 2011-12-16 09:38 - 00422400 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ewusbwwan.sys
2016-02-11 13:25 - 2011-12-02 14:23 - 00223744 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_juwwanecm.sys
2016-02-11 13:25 - 2011-09-09 11:51 - 00098304 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_jucdcacm.sys
2016-02-11 13:25 - 2011-09-09 11:51 - 00087040 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_jubusenum.sys
2016-02-11 13:25 - 2011-09-09 11:51 - 00072192 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_jucdcecm.sys
2016-02-11 13:25 - 2011-09-09 11:51 - 00028672 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_juextctrl.sys
2016-02-11 13:25 - 2011-08-16 17:17 - 00223232 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ewusbmdm.sys
2016-02-11 13:25 - 2010-10-08 16:59 - 00032768 _____ (Huawei Tech. Co., Ltd.) C:\Windows\system32\Drivers\ewdcsc.sys
2016-02-11 13:25 - 2010-09-26 18:09 - 00022016 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_hwupgrade.sys
2016-02-11 13:25 - 2010-08-06 07:43 - 01001472 _____ (DiBcom SA) C:\Windows\system32\Drivers\mod7700.sys
2016-02-11 13:25 - 2010-07-27 09:52 - 00117248 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_hwusbdev.sys
2016-02-11 13:25 - 2010-03-20 12:06 - 00013952 _____ (Huawei Technologies Co., Ltd.) C:\Windows\system32\Drivers\ew_usbenumfilter.sys
2016-02-11 13:24 - 2016-02-11 13:25 - 00000000 ____D C:\Program Files (x86)\VIVO INTERNET
2016-02-11 12:24 - 2016-02-11 12:24 - 00003408 _____ C:\Users\amigo\Desktop\RogueKillerLog.txt
2016-02-11 11:59 - 2016-02-11 12:45 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-02-11 11:59 - 2016-02-11 12:24 - 00000000 ____D C:\Users\Todos os Usuários\RogueKiller
2016-02-11 11:59 - 2016-02-11 12:24 - 00000000 ____D C:\ProgramData\RogueKiller
2016-02-11 11:37 - 2016-02-11 11:42 - 20943432 _____ C:\Users\amigo\Desktop\RogueKiller.exe
2016-02-11 11:20 - 2016-02-11 10:25 - 00024064 _____ C:\Windows\zoek-delete.exe
2016-02-11 10:25 - 2016-02-11 11:10 - 00000000 ____D C:\zoek_backup
2016-02-11 10:22 - 2016-02-11 10:22 - 01309184 _____ C:\Users\amigo\Desktop\zoek.exe
2016-02-11 08:12 - 2016-02-11 08:14 - 54329568 _____ (Microsoft Corporation) C:\Users\amigo\Desktop\Windows-KB890830-x64-V5.33.exe
2016-02-11 08:07 - 2016-02-11 08:07 - 00004817 _____ C:\Users\amigo\Desktop\JRT.txt
2016-02-11 07:59 - 2016-02-11 07:59 - 01609032 _____ (Malwarebytes) C:\Users\amigo\Desktop\JRT.exe
2016-02-11 07:49 - 2016-02-11 07:49 - 00001309 _____ C:\Users\amigo\Desktop\malwarebytesLog.txt
2016-02-11 07:13 - 2016-02-11 07:15 - 00001311 _____ C:\Users\amigo\Desktop\malwarebytesOldLog.txt
2016-02-11 07:10 - 2016-02-11 07:52 - 00000801 _____ C:\Users\amigo\Desktop\myActivityLog.txt
2016-02-11 06:52 - 2016-02-11 06:54 - 00005213 _____ C:\Users\amigo\Desktop\Fixlog.txt
2016-02-10 22:10 - 2016-02-10 22:11 - 00044754 _____ C:\Users\amigo\Desktop\Addition.txt
2016-02-10 22:09 - 2016-02-11 19:56 - 00014139 _____ C:\Users\amigo\Desktop\FRST.txt
2016-02-10 22:09 - 2016-02-11 19:56 - 00000000 ____D C:\FRST
2016-02-10 22:05 - 2016-02-11 19:30 - 02370560 _____ (Farbar) C:\Users\amigo\Desktop\EnglishFRST64.exe
2016-02-10 13:06 - 2016-02-10 13:09 - 00204730 _____ C:\TDSSKiller.3.1.0.9_10.02.2016_13.06.11_log.txt
2016-02-10 13:04 - 2016-02-10 13:05 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\amigo\Desktop\tdsskiller.exe
2016-02-09 19:05 - 2016-02-09 19:06 - 06828320 _____ (Piriform Ltd) C:\Users\amigo\Desktop\ccsetup_514.exe
2016-02-09 17:12 - 2016-02-10 08:32 - 00000000 ____D C:\Users\amigo\Desktop\quarentena
2016-02-09 16:48 - 2016-02-09 16:48 - 00003318 _____ C:\Windows\System32\Tasks\SpyHunter4Startup
2016-02-09 16:48 - 2016-02-09 16:48 - 00001051 _____ C:\Users\amigo\Desktop\SpyHunter.lnk
2016-02-09 16:48 - 2016-02-09 16:48 - 00000000 ____D C:\Users\amigo\AppData\Roaming\Enigma Software Group
2016-02-09 16:48 - 2016-02-09 16:48 - 00000000 _____ C:\autoexec.bat
2016-02-09 16:47 - 2016-02-09 16:47 - 00000000 ____D C:\sh4ldr
2016-02-09 16:39 - 2016-02-09 16:39 - 00022704 _____ C:\Windows\system32\Drivers\EsgScanner.sys
2016-02-09 16:36 - 2016-02-09 16:36 - 00000000 ____D C:\Program Files\Enigma Software Group
2016-02-09 15:16 - 2016-02-09 16:35 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\amigo\Desktop\SpyHunter-Installer.exe
2016-02-09 14:03 - 2016-02-11 07:53 - 00000000 ____D C:\AdwCleaner
2016-02-09 13:53 - 2016-02-11 06:56 - 00000008 __RSH C:\Users\Todos os Usuários\ntuser.pol
2016-02-09 13:53 - 2016-02-11 06:56 - 00000008 __RSH C:\ProgramData\ntuser.pol
2016-02-09 13:41 - 2016-02-09 14:54 - 01508352 _____ C:\Users\amigo\Desktop\adwcleaner_5.033.exe
2016-01-25 22:27 - 2016-01-25 22:27 - 18075592 _____ C:\Users\amigo\Desktop\PDFXVwer.zip
2016-01-25 22:27 - 2016-01-25 22:27 - 00000000 ____D C:\Users\amigo\Desktop\PDFXVwer
2016-01-22 22:01 - 2016-01-22 22:01 - 00009316 _____ C:\Users\amigo\Desktop\Por que o preço dos imóveis vai cair _ Financês _ Gazeta do Povo.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-11 19:28 - 2015-10-31 15:06 - 00000902 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-02-11 19:28 - 2015-07-04 21:47 - 01727156 _____ C:\Windows\ntbtlog.txt
2016-02-11 13:29 - 2011-04-01 03:32 - 00669202 _____ C:\Windows\system32\prfh0416.dat
2016-02-11 13:29 - 2011-04-01 03:32 - 00140084 _____ C:\Windows\system32\prfc0416.dat
2016-02-11 13:29 - 2009-07-14 03:13 - 01545960 _____ C:\Windows\system32\PerfStringBackup.INI
2016-02-11 13:29 - 2009-07-14 01:20 - 00000000 ____D C:\Windows\inf
2016-02-11 13:25 - 2012-08-17 17:48 - 00000000 ____D C:\Users\Todos os Usuários\DatacardService
2016-02-11 13:25 - 2012-08-17 17:48 - 00000000 ____D C:\ProgramData\DatacardService
2016-02-11 13:17 - 2009-07-14 02:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-11 13:17 - 2009-07-14 02:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-11 13:13 - 2011-07-09 15:10 - 00000000 ____D C:\Users\Todos os Usuários\clear.fi
2016-02-11 13:13 - 2011-07-09 15:10 - 00000000 ____D C:\ProgramData\clear.fi
2016-02-11 13:10 - 2009-07-14 03:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-11 09:10 - 2015-06-29 15:33 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-02-11 08:15 - 2011-07-11 19:21 - 146614896 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-02-11 06:53 - 2011-07-20 12:43 - 00000000 ____D C:\Users\amigo\AppData\LocalLow\Temp
2016-02-11 06:53 - 2009-07-14 01:20 - 00000000 ____D C:\Windows\system32\GroupPolicy
2016-02-10 08:35 - 2015-07-04 18:49 - 00000000 ____D C:\Windows\pss
2016-02-10 07:07 - 2015-07-04 21:05 - 00000000 ____D C:\Users\amigo\Desktop\manutencao
2016-02-09 16:48 - 2011-07-09 11:29 - 00000000 ____D C:\Users\amigo
2016-02-09 16:35 - 2014-07-05 16:05 - 00001124 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\paint.net.lnk
2016-02-09 16:35 - 2011-03-31 22:55 - 00001450 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk
2016-02-09 16:35 - 2011-03-31 22:55 - 00001366 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Photo Gallery.lnk
2016-02-09 16:35 - 2011-03-31 22:55 - 00001297 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Movie Maker.lnk
2016-02-09 16:35 - 2011-03-31 22:54 - 00002482 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Messenger.lnk
2016-02-09 16:35 - 2009-07-14 02:57 - 00001511 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-02-09 16:35 - 2009-07-14 02:57 - 00001340 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
2016-02-09 16:35 - 2009-07-14 02:57 - 00001292 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
2016-02-09 16:35 - 2009-07-14 02:57 - 00001234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
2016-02-09 16:35 - 2009-07-14 02:54 - 00001198 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
2016-02-09 16:34 - 2014-01-27 17:03 - 00001125 _____ C:\Users\Public\Desktop\PDF2Word Converter (bioPDF).lnk
2016-02-09 16:34 - 2013-10-28 00:09 - 00000986 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera 18.lnk
2016-02-09 16:34 - 2013-07-18 00:36 - 00001053 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-02-09 16:34 - 2013-01-24 18:37 - 00002429 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2016-02-09 16:34 - 2011-11-12 16:32 - 00001751 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eraser.lnk
2016-02-09 16:34 - 2011-07-09 12:47 - 00001833 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2016-02-09 16:34 - 2011-03-31 23:03 - 00002161 _____ C:\Users\Public\Desktop\clear.fi.lnk
2016-02-09 16:34 - 2011-03-08 06:54 - 00002727 _____ C:\Users\Public\Desktop\clear.fi Tutorial.lnk
2016-02-09 16:34 - 2011-03-08 06:50 - 00002149 _____ C:\Users\Public\Desktop\Acer GameZone Console.lnk
2016-02-09 16:34 - 2011-03-08 06:39 - 00002002 _____ C:\Users\Public\Desktop\Dolby Setting.lnk
2016-02-09 16:34 - 2009-07-14 03:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-02-09 16:33 - 2015-04-29 10:45 - 00001740 _____ C:\Users\amigo\Desktop\IRPF2015 - Declaração de Ajuste Anual, Final de Espólio e Saída Definitiva do País.lnk
2016-02-09 16:33 - 2013-12-29 23:30 - 00000973 _____ C:\Users\amigo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-02-09 16:33 - 2009-07-14 03:01 - 00001218 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
2016-02-09 16:33 - 2009-07-14 02:49 - 00001246 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
2016-02-09 15:19 - 2015-06-29 15:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-02-09 15:19 - 2015-06-29 15:32 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-02-09 14:02 - 2009-07-14 00:34 - 00000505 _____ C:\Windows\win.ini
2016-02-08 19:25 - 2012-10-01 13:31 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-01-23 11:18 - 2015-04-18 17:39 - 00000000 ____D C:\Users\amigo\Desktop\financeiro
2016-01-20 19:25 - 2011-07-10 00:12 - 01065208 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2016-01-20 19:25 - 2011-07-10 00:12 - 00464256 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2016-01-19 19:31 - 2013-10-27 16:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Proteção de Terminal Trusteer
2016-01-15 14:11 - 2009-07-14 01:20 - 00000000 ____D C:\Windows\ModemLogs

==================== Files in the root of some directories =======

2013-07-27 22:39 - 2013-07-27 22:39 - 0007605 _____ () C:\Users\amigo\AppData\Local\Resmon.ResmonCfg
2014-05-26 22:43 - 2014-05-26 22:43 - 0000455 _____ () C:\Users\amigo\AppData\Local\UserProducts.xml
2011-03-31 23:00 - 2011-03-31 23:04 - 0016108 _____ () C:\ProgramData\ArcadeDeluxe5.log
2015-03-30 22:39 - 2015-03-30 22:39 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2011-03-08 06:43 - 2010-03-02 21:59 - 0131984 _____ () C:\ProgramData\FullRemove.exe

Some files in TEMP:
====================
C:\Users\amigo\AppData\Local\Temp\dllnt_dump.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-02-08 00:40

==================== End of FRST.txt ============================

Addition.txt

Shortcut.txt

FRST.txt

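The AutoConfigURL value quoted in the previous post and the hosts-file entries commented out above are the two settings worth re-checking after every cleanup and reboot, since the value kept coming back. The following PowerShell script is an added example, not code from this thread or from any of the tools it mentions; it assumes an elevated PowerShell prompt on Windows 7 or later and reads only the per-user Internet Settings key of each loaded user hive and the hosts file. The function names Get-AutoConfigUrlAudit and Get-HostsFileAudit are the example's own.

```powershell
# Added example, not code from the forum thread or from any tool mentioned in it.
# Audits the two settings discussed above: the per-user AutoConfigURL
# (proxy auto-config / WPAD hijack) and the active entries in the hosts file.
# Assumes Windows 7 or later, run from an elevated PowerShell prompt so that
# every loaded user hive under HKEY_USERS is readable.

function Get-AutoConfigUrlAudit {
    # Loaded interactive user hives only (skips S-1-5-18/19/20 service
    # accounts and the *_Classes subkeys).
    $userHives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

    foreach ($hive in $userHives) {
        $inetKey = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $props   = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
        $pac     = if ($props) { $props.AutoConfigURL } else { $null }

        New-Object PSObject -Property @{
            Sid           = $hive.PSChildName
            AutoConfigURL = $pac
            # A PAC URL is only expected on a domain-managed machine; on a home
            # PC any value here deserves a look.
            Suspicious    = -not [string]::IsNullOrEmpty($pac)
        }
    }
}

function Get-HostsFileAudit {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # Keep only lines that are neither blank nor comments; a default Windows 7
    # hosts file yields nothing here, so every row returned is worth reading.
    Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object {
            # Strip a trailing comment, then split "address hostname [hostname...]".
            $fields = ($_ -replace '#.*$', '').Trim() -split '\s+'
            $names  = if ($fields.Length -gt 1) { $fields[1..($fields.Length - 1)] -join ' ' } else { '' }
            New-Object PSObject -Property @{
                Address   = $fields[0]
                Hostnames = $names
                # Loopback / null-route entries for update or security domains
                # are the classic sign of tampering.
                Sinkholed = ($fields[0] -eq '127.0.0.1' -or $fields[0] -eq '0.0.0.0')
            }
        }
}

Get-AutoConfigUrlAudit | Format-Table Sid, Suspicious, AutoConfigURL -AutoSize
Get-HostsFileAudit     | Format-Table Address, Sinkholed, Hostnames -AutoSize
```

Run it once after each cleanup and again after the next reboot. If AutoConfigURL is set again while the hosts file stays clean, something is re-writing that value at logon or on a schedule, which points at the Run keys, services and scheduled tasks that the FRST Registry, Services and Tasks sections enumerate rather than at the value itself.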

Double-click RogueKiller.exe to run again. (Vista/7/8/10 right-click and select Run as Administrator)

When "initializing/pre-scan" completes, press the Scan button; this may take a few minutes to complete.

When the scan completes open the Web browsers tab and locate the following detections:


[PUP][FIREFX:Addon] uawkznjy.default : FirefixTab [deskCutv2@gmail.com] -> Found

Make sure those entries are Checkmarked (ticked) also ensure that all other entries are not Checkmarked


Hit the Delete button, when complete select "Report" in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference.


Next,


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Next,


Please download SystemLook from the following link below and save it to your Desktop. Use the correct version 32bit or 64bit.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe     <<-   64 bit….

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe   <<-  32 bit
 

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :regfind
    *deskcut*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Let me see those logs....

 

Kevin...

Fixlist.txt


Hi Kevin,

Thanks again - I realize you are in the odd situation of cleaning someone else's nasty mess without actual to the system or its history. So, anyway,

A couple of notes from the fixlist:

1. The E: drive is the modem pen-drive that I use to connect to the internet. I presume autorun is to install drivers etc. There is a recurrent ouc.exe that shows in FRST.txt - part of the package.

2. Cygwin is a unix emulator that I installed way back when I got this laptop and needed unix-like capabilities - I was too scared to wipe out Windows and simply install Linux on it. cygwin.bat is a starter batch file.

3. On RogueKiller: when I run it there are 2 more entries FIREFX@... on web browser (indicated CLEAN) with value AVAST and the second OASIS SPACE. Now Oasis space was something I cleaned up before initially talking to you. I am not running Firefox lately, but I suppose I should clean those too?

That said, to the logs:

 

 

 

RogueKiller.exe-----------------------------------------------------------------

 

 

RogueKiller V11.0.11.0 [Feb 8 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : amigo [Administrator]
Started from : C:\Users\amigo\Desktop\RogueKiller.exe
Mode : Delete -- Date : 02/11/2016 22:19:02

¤¤¤ Processes : 2 ¤¤¤
[suspicious.Path] ouc.exe(3644) -- C:\Users\amigo\AppData\Roaming\VIVO INTERNET\ouc.exe[-] -> Killed [TermProc]
[suspicious.Path] (SVC) RapportCerberus_1507079 -- \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_1507079.sys[7] ->

ERROR [41c]

¤¤¤ Registry : 5 ¤¤¤
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RapportCerberus_1507079 (\??\C:\ProgramData\Trusteer\Rapport\store\exts

\RapportCerberus\baseline\RapportCerberus64_1507079.sys) -> Not selected
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RapportCerberus_1507079 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus

\baseline\RapportCerberus64_1507079.sys) -> Not selected
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RapportCerberus_1507079 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus

\baseline\RapportCerberus64_1507079.sys) -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-818743734-4024278451-580313599-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer.msn.com

-> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-818743734-4024278451-580313599-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer.msn.com

-> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUP][FIREFX:Addon] uawkznjy.default : FirefixTab [deskCutv2@gmail.com] -> Deleted

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD6400BPVT-22HXZT1 +++++
--- User ---
[MBR] 83a64ba8d456d71fb0f915414978fb64
[bSP] bcda1d304084279e0e4f37687d29a0ee : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31459328 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31664128 | Size: 595018 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HUAWEI SD Storage USB Device +++++
Error reading User MBR! ([15] O dispositivo não está pronto. ) translates to "device not ready"
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Não há suporte para o pedido. ) translates to "no support for the request"

FRST -------------------------------------------------------------------------------------------------

 

Fix result of Farbar Recovery Scan Tool (x64) Version:07-02-2016
Ran by amigo (2016-02-11 22:56:04) Run:2
Running from C:\Users\amigo\Desktop
Loaded Profiles: amigo (Available Profiles: amigo & carlos & Marisa & outr & a)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-818743734-4024278451-580313599-1000\...\MountPoints2: {95d2556f-d0d1-11e5-a2ef-1c7508e29205} - E:\AutoRun.exe
HKU\S-1-5-21-818743734-4024278451-580313599-1000\...\MountPoints2: {95d25584-d0d1-11e5-a2ef-1c7508e29205} - E:\AutoRun.exe
AutoConfigURL: [s-1-5-21-818743734-4024278451-580313599-1000] => dont://stop-block.org/wpad.dat?c2a59fa55a1ba96080f10660090a54b45951430
BHO-x32: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
File: C:\cygwin\Cygwin.bat
Hosts:
EmptyTemp:
end



*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-818743734-4024278451-580313599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{95d2556f-d0d1-11e5-a2ef-1c7508e29205}" => key removed successfully
HKCR\CLSID\{95d2556f-d0d1-11e5-a2ef-1c7508e29205} => key not found.
"HKU\S-1-5-21-818743734-4024278451-580313599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{95d25584-d0d1-11e5-a2ef-1c7508e29205}" => key removed successfully
HKCR\CLSID\{95d25584-d0d1-11e5-a2ef-1c7508e29205} => key not found.
HKU\S-1-5-21-818743734-4024278451-580313599-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}" => key removed successfully
HKCR\Wow6432Node\CLSID\{3049C3E9-B461-4BC5-8870-4C09146192CA} => key not found.

========================= File: C:\cygwin\Cygwin.bat ========================

File not signed
MD5: 7D1844587162237957143B353679EFF6
Creation and modification date: 2011-08-09 09:55 - 2011-08-09 09:55
Size: 0000057
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:

====== End of File: ======

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 26.3 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 22:57:57 ====

 

 

SystemLook.exe -------------------------------------------------------------------------------------------

 

SystemLook 30.07.11 by jpshortstuff
Log created at 23:14 on 11/02/2016 by amigo
Administrator - Elevation successful

========== regfind ==========

Searching for "*deskcut*"
No data found.

-= EOF =-

RogueKillerLog2.txt

Fixlog.txt

SystemLook.txt

Link to post
Share on other sites

Yes the E:\ drive entries listed for removal (mount points) were only registry remnants of previous actions, mount points can be exploited by malware, hence I list for removal... 

 

In roguekiller you see the browser entry I list for removal "[PUP][FIREFX:Addon] uawkznjy.default : FirefixTab [deskCutv2@gmail.com] -> Deleted"

 

deskCut shows in that entry; I know deskcut is a nasty malware that will hijack browsers and cause big problems, usually Malwarebytes does remove that infection. I assume what we see is a remnant from a previous infection maybe?

 

Read here: https://forums.malwarebytes.org/index.php?/topic/170746-removal-instructions-for-deskcut/ that was the reason for the registry search...

 

Next,

 

I want you to run Malwarebytes again, then RogueKiller....

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…


 

Next,

 

Run RogueKiller again (no fixes, just scan)

 

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report", in the next window select "Export txt". The log will open as a text file; post that log... Also save to your Desktop for reference.
  • Close the program > Don't Fix anything!


 

Post those logs, let me know if any remaining issues or concerns...

 

Thank you,

 

Kevin.....

Link to post
Share on other sites

Hi Kevin,

 

learned a new (for me) acronym yesterday. PITA. goes along just fine with this laptop...

 

quick comments: I am looking around to see what I can find (nothing useful really). What I am hoping to find now is what triggers for the hijack in the registry. Though now I don't know if there is anything else performed other than that. Will test resident wireless card to see if that also gets activated.  For completeness, I am also not running much stuff. Mostly googling or the favorite 2/3 web sites. Only OPERA with plugins disallowed (granted older version) for now.

 

summary 

I had just rebooted before running Malwarebytes. autoconfigURL was active.

run Malwarebytes: it detected and removed the entry autoconfigURL.

reboot, let the computer idle for a while (internet on, OPERA up but idle. )

after about an hour came back and autoconfigURL was back up...

ran ROGUEKILLER (even though autoconfigURL was on, I don't think it caught it).

 

logs

 

Malwarebytes -----------------------------------------------------------------------------------------------------------------------

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/02/2016
Scan Time: 11:13
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.12.02
Rootkit Database: v2016.02.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: amigo

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 509359
Time Elapsed: 28 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Hijack.AutoConfigURL.PrxySvrRST, HKU\S-1-5-21-818743734-4024278451-580313599-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL, http://stop-block.org/wpad.dat?c2a59fa55a1ba96080f10660090a54b45951430, Quarantined, [32a0d08f0099e35336ec4512f90b837d]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

 

RogueKiller ---------------------------------------------------------------------------------------------------------

 

 

RogueKiller V11.0.11.0 [Feb 8 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : amigo [Administrator]
Started from : C:\Users\amigo\Desktop\RogueKiller.exe
Mode : Scan -- Date : 02/12/2016 13:10:23

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-818743734-4024278451-580313599-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer.msn.com-> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-818743734-4024278451-580313599-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://acer.msn.com-> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{31EE25DB-FC35-4493-9EA1-45759A0D1B9A} | NameServer : 200.204.135.203 200.204.135.200 ([X][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{31EE25DB-FC35-4493-9EA1-45759A0D1B9A} | NameServer : 200.204.135.203 200.204.135.200 ([X][-]) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD6400BPVT-22HXZT1 +++++
--- User ---
[MBR] 83a64ba8d456d71fb0f915414978fb64
[bSP] bcda1d304084279e0e4f37687d29a0ee : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31459328 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31664128 | Size: 595018 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: HUAWEI SD Storage USB Device +++++
Error reading User MBR! ([15] O dispositivo não está pronto. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Não há suporte para o pedido. )
 

malwarebytesLog4.txt

RogueKillerLog4.txt

Link to post
Share on other sites

Yes I agree, a proper PITA... Obviously we are missing whatever replaces the Hijacker after removal, you mention the wireless card, I assume you are referring to DNS settings? There is a disparity with DNS settings...

 

These are entries from RogueKiller.

 

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{31EE25DB-FC35-4493-9EA1-45759A0D1B9A} | NameServer : 200.204.135.203 200.204.135.200 ([X][-]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{31EE25DB-FC35-4493-9EA1-45759A0D1B9A} | NameServer : 200.204.135.203 200.204.135.200 ([X][-]) -> Found

 

The ip addresses above go here:

 

IP Information for 200.204.135.200
Quick Stats
IP Location     Brazil Sao Paulo Vivo S.a.
ASN     AS27699 TELEF (registered Aug 25, 2003)
Resolve Host    200-204-135-200.dial-up.telesp.net.br
Whois Server    whois.lacnic.net
IP Address    200.204.135.200

Is that entry known to you and trusted?

The other IP entries we see in FRST logs differ and show as follows:

IP Information for 4.2.2.2
Quick Stats
IP Location     United States Broomfield Level 3 Communications Inc.
ASN     AS3356 LEVEL3 - Level 3 Communications, Inc. (registered Mar 10, 2000)
Resolve Host    b.resolvers.Level3.net
Whois Server    whois.arin.net
IP Address    4.2.2.2
Reverse IP    29 websites use this address.

Is that known to you and trusted?

Link to post
Share on other sites

in short, first IP (200.204.135.203) should be very much clean. Second IP (4.2.2.2) means little to me, however I'd guess it is also clean (see below at the end).

 

more verbose:

some things I am looking at. I'll try to be concise and clear (hopefully, yet I am rusty in English and in the never-really-good-just-curiosity/need-driven computer tech side). That said:

 

1. You might have guessed already: I keep using regedit to check the autoconfigURL. If the registry is clean (autoconfigURL not set), then great for a few more minutes.., otherwise I manually delete it.

 

2. last I tried: Use CCleaner, and disable all programs set to come up at startup other than AVAST. 

  Shutdown, then start. Keep it idle. After 10 mins, regedit came clean. Went out, came back about 1 hour later: regedit showed autoconfigURL set again.  Arghhh.

 

"wireless card". there are 2 ways I can connect to the internet:

 

a. This (ACER brand) laptop's builtin wireless capability - that's what I am calling wireless card. However I don't have a steady provider for that, so I use mostly (there is a free provider during summer, but not that convenient.  Looking back, I may have used this while I was running FRST, don't know - maybe run again to check). Ugh, messy looking item..

 

b. (most used) this pen-drive looking modem. It takes a chip which connects to a cell-phone/'broadband" provider called VIVO, here in Brazil.


When I run ipconfig /all in the MSDOS prompt, I get:

(b) actually using

PPP VIVO INTERNET adaptor

blah-blah

DNS servers: 200.204.135.203 and 200.204.135.200

googling gives me "http://www.speedguide.net/ip/200.204.135.203" which tells me it is related/owned to/by VIVO, so I guess I trust it. Same for the other.

 

(a) builtin card:  (not being used at the moment)

Wireless connection adaptor. Atheros ...

blah-blah

DNS servers: 4.2.2.2 and 8.8.8.8

have no clue for what those are. Google did not say anything recognizable either. Hmm. speedguide (above) says 8.8.8.8 is google related and 4.2.2.2 is Level 3 comm (as you pointed). speedguide says it is not blacklisted in databases checked.

 

I'll try now to shutdown / boot-up with the built-in wireless set to off. See if it remains so and if autoconfigURL still gets set again.  I'll let you know if I get something that has a chance to be useful..

Link to post
Share on other sites

Thanks for the update, obviously we are still missing whatever is replacing the Hijacker... I want you to run your system in "Clean Boot" mode, basically clean boot is all non-system services disabled. Run malwarebytes to remove the hijacker then re-boot and see if the issue returns. When I say disable all non-system services, important non-system services such as security and internet will have to be left active...

 

The full instructions are at the following link: https://support.microsoft.com/en-gb/kb/929135 scroll to the section related to Windows 7.....

 

One other point, the dongle you use for the internet connection, is it possible to reset that device and uninstall and reinstall software..

Link to post
Share on other sites

ok, I am done for today - after some serious struggles...

 

dongle: in short, I don't know. I think I tried to write something to it in the past but could not do it. Doesn't mean it can't be done..

 

before reading your reply, I had the computer clean for two hours (no internet). As soon as I connected it the autoconfigURL got set...

 

With autoconfigURL set (hijacked) I tried to clean boot following the instructions. But.... msconfig was freezing on me. Then I thought of rebooting into safe mode with networking. Done.    I am pretty sure it was still hijacked then, yet... I ran MalwareBytes (in safe mode, administrator mode (required?) and it found NO issue. Checked registry and it was clean (!?"!).  I'll try to reproduce it tomorrow.   

 

Then I ran msconfig and found out it did not freeze in this mode. Then rebooted and things did not work properly anymore. Got back and forth with safe mode and eventually seems to be working. Weird things: Complained about error analysing eraser.exe (downloaded a long time ago) saying "error analysing c:\windows\microsoft.net\framework64\v2.0.50727\config\machine

Seriously? eraser or framework? ..

 

then I ran ccleaner and lots of complaints about codeblock (ok, removed) other stuff, and interestingly 4 lines with

 

Problem                 DATA                    Registry Key

Invalid firewall rule {C1DB843F-EBED-4170-924A-9F8879FEFEC0} - C:\Users\amigo\AppData\Local\Temp\7zSC486.tmp\SymNRT.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule {F4B77FDF-F42B-43F3-B608-26E3DEC005B6} - C:\Users\amigo\AppData\Local\Temp\7zSC486.tmp\SymNRT.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule {C1DB843F-EBED-4170-924A-9F8879FEFEC0} - C:\Users\amigo\AppData\Local\Temp\7zSC486.tmp\SymNRT.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule {F4B77FDF-F42B-43F3-B608-26E3DEC005B6} - C:\Users\amigo\AppData\Local\Temp\7zSC486.tmp\SymNRT.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

 

I checked SymNRT and it seems Norton related. I think this laptop came with Norton pre-installed, but I never used/activated it, so mildly suspicious. Anyway ...Temp doesn't have it anymore.

 

I'll do some cleaning tomorrow and get back to you.  Thank you, Carlos

Link to post
Share on other sites

Hi Kevin,

 

status update: no difference .. :-)

kidding, not exactly. 

I think I can tell you with certainty that the change in the registry happens only if I connect the dongle AND establish a connection to the internet with it.  

I spent a few hours connected using the builtin wireless with the local signal provider and even after 5 hours there was no hijack in the registry. If I just connect/mount the dongle, without actually connecting to the internet nothing happens either (meaning, the software for establishing the connection gets up and running, but I don't hit the "connect" button.).  Then if I switch from the local signal to the "cell-phone" signal then, it takes a little while (minutes) and autoconfigURL shows up in the registry.           

Having said that,  I worry that I am only following the registry - unaware if there are other bad things that I can't see.  I guess no extra surprises in MalwareBytes report is a good sign?

 

Anyways, don't know if it is useful info or not. 

Other curiosities.

 

1 After finding the hijack in the registry, I booted into safe-mode, confirmed hijack was still there. Then ran MalwareBytes. It did not warn of the problem nor proposed to delete it. However after it finished the registry was clean again.

 

2. A couple of directories in C:\  ("program files", "documents and settings", and those dirs full of numbers in the name) became locked (that mini-lock-icon).  I am guessing it's not malware, but related to windows instabilities I introduced over the years. ?

 

 I'll try and fix these directory permissions, unless you tell me that I should not for some malware related issue.

 

Thank you,

Carlos

Link to post
Share on other sites
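Added example (not code from the thread, from Malwarebytes or from any of the tools used above): a Windows PowerShell 5.1 check for the two findings discussed in this thread, the AutoConfigURL (PAC) value that keeps being deleted by hand with regedit and the per-interface NameServer entries RogueKiller reported as PUM.Dns, followed by a WMI watcher that timestamps every change to AutoConfigURL so the reappearance can be correlated with connecting the dongle. The DNS allowlist, the log file name and the event source name are constructed assumptions for this example.

```powershell
# Constructed allowlist: the resolvers the thread identified as the ISP's (VIVO) and public resolvers.
$TrustedDns = @('200.204.135.203', '200.204.135.200', '4.2.2.2', '8.8.8.8')

$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$InterfaceRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-ProxyHijackFindings {
    $findings = @()
    $props = Get-ItemProperty -Path $InternetSettings -ErrorAction SilentlyContinue

    # 1. Any AutoConfigURL is suspect on a home PC that uses no PAC file: a remote PAC
    #    script decides which proxy every browser request goes through.
    if ($props -and $props.PSObject.Properties['AutoConfigURL']) {
        $url = $props.AutoConfigURL
        if (-not [string]::IsNullOrWhiteSpace($url)) {
            $findings += [pscustomobject]@{
                Type = 'AutoConfigURL'; Where = "$InternetSettings\AutoConfigURL"
                Value = $url; Reason = 'PAC file configured (same value Malwarebytes flags as Hijack.AutoConfigURL)'
            }
        }
    }

    # 2. A static proxy is the same hijack through a different value.
    if ($props -and $props.ProxyEnable -eq 1) {
        $findings += [pscustomobject]@{
            Type = 'ProxyServer'; Where = "$InternetSettings\ProxyServer"
            Value = $props.ProxyServer; Reason = 'ProxyEnable=1 with an explicit proxy'
        }
    }

    # 3. Per-interface NameServer values (what RogueKiller lists as PUM.Dns),
    #    compared against the allowlist instead of being trusted blindly.
    Get-ChildItem -Path $InterfaceRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $ns = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).NameServer
        if ($ns) {
            foreach ($server in ($ns -split '[ ,]+' | Where-Object { $_ })) {
                if ($TrustedDns -notcontains $server) {
                    $findings += [pscustomobject]@{
                        Type = 'NameServer'; Where = $_.PSChildName
                        Value = $server; Reason = 'DNS server not in the allowlist'
                    }
                }
            }
        }
    }
    return $findings
}

function Remove-AutoConfigUrl {
    # Same remediation FRST and Malwarebytes applied in the logs above: delete the value.
    Remove-ItemProperty -Path $InternetSettings -Name 'AutoConfigURL' -ErrorAction SilentlyContinue
}

# One-shot check.
Get-ProxyHijackFindings | Format-Table -AutoSize

# Watch the value for the current user's hive. RegistryValueChangeEvent needs HKEY_USERS\<SID>
# and WQL needs backslashes doubled; the action runs in its own runspace, so paths are literal.
$sid     = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
$keyPath = "$sid\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
$query   = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_USERS' AND KeyPath='$keyPath' AND ValueName='AutoConfigURL'"
Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier 'AutoConfigUrlWatch' -Action {
    $now = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $url = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
                -ErrorAction SilentlyContinue).AutoConfigURL
    # Constructed log file name; each line gives the time the value was (re)written and its new content.
    Add-Content -Path "$env:USERPROFILE\Desktop\autoconfig-watch.log" -Value "$now AutoConfigURL -> '$url'"
} | Out-Null
Write-Host 'Watching AutoConfigURL; stop with: Unregister-Event -SourceIdentifier AutoConfigUrlWatch'
```

Leave the session open while connecting and disconnecting the dongle; the timestamps in the log line up against the connection times the same way the manual regedit checks in this thread did.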

Hiya Carlos,

 

Can you zip up the folders you mention and attach to your reply, or maybe worthwhile upload files from those folders to VirusTotal to have them checked out

 

Regarding the dongle, is it possible to get a different dongle and sim card to try, maybe a family member or friend have one... Your description definitely points the finger directly at the dongle....

 

Cheers,

 

Kevin

Link to post
Share on other sites

Howdy,

 

moderately optimistic.

 

In parts. Couldn't access the directories. Playing around, got to msdos prompt. "dir \a" says "C:\Documents and Settings" is a JUNCTION. The actual line reads

14/07/2009 03:08 <JUNCTION>  Documents and Settings [C:\Users]

 

I can "CD Documents and Settings". Once inside, if I do "dir" I get "file not found". However there is a C:\Users directory and dir inside of it lists the user accounts.  

 

Clearly this is above my understanding. I just never noticed it before. I guess better leave it alone.

 

As for the dongle. Can't get a hold of another one easily. But I did uninstall all the related software, went to Program Files, deleted what was left from it, then got an install package from the manufacturer and reinstalled. Knock on wood - so far it has not produced the autoconfigURL entry in the registry.

 

I'll keep on looking for a couple of days see if something pops up, then get back to you.

 

For now, Thanks!

Carlos

Link to post
Share on other sites

Hiya Carlos,

 

Thanks for the update, yes I agree on the dongle and its related software, definitely appears to be where the issue emanated from......

 

Run one more scan for me, this will show if any bad junctions as well as other information....

 

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.

 

Let me see the log....

 

Cheers,

 

Kevin..

Link to post
Share on other sites

Kevin,

 

looking good so far -- autoconfigURL has not been set after the dongle update.  Though I'll feel more confident after a couple of days.  Hopefully I'll let you know that all is fine.

 

and thank you for the junctions test.

Carlos

 

Log for RKill:

 

Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/14/2016 06:56:43 PM in x64 mode.
Windows Version: Windows 7 Home Basic Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 02/14/2016 07:00:19 PM
Execution time: 0 hours(s), 3 minute(s), and 35 seconds(s)

Link to post
Share on other sites

This topic is now closed to further replies.