Possible Systemwin.exe Virus Installing through IE Proxy

Dear Forum,

I believe I have the SystemWin.exe virus on my computer.

I've tried both MWB & Zemana to get rid of it but upon restart MWB is finding the following:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/12/2016
Scan Time: 14:27
Logfile: Results1.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.12.10.04
Rootkit Database: v2016.11.20.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User:

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320698
Time Elapsed: 2 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\systemwin.exe, 14728, , [c5e79e471f7b9d99c5087cd539c745bb]

Modules: 1
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\mgwz.dll, , [c5e79e471f7b9d99c5087cd539c745bb],

Registry Keys: 1
PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SystemWin, , [c5e79e471f7b9d99c5087cd539c745bb],

Registry Values: 5
PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSTEMWIN|ImagePath, "C:\Program Files (x86)\SystemWin\systemwin.exe" --service, , [7d2ffaebc8d285b1fdc1c38ef907fb05]
PUM.Optional.ProxyHijacker, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, , [d7d51cc921790d29a9289dc0808321df]
PUM.Optional.ProxyHijacker, HKU\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, , [c7e5bc29019971c5bb164f0e7e85ee12]
PUM.Optional.ProxyHijacker, HKU\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, , [406c2db87b1f0333f4dd5a03ba496997]
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-2581644591-4208433480-3486313852-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, , [822aa63feab0c274eae7c895db289c64]

Registry Data: 0
(No malicious items detected)

Folders: 7
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\developer-manual, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\faq, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\images, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates, , [c5e79e471f7b9d99c5087cd539c745bb],

Files: 90
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\systemwin.exe, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\AUTHORS.txt, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\config.txt, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\default.action, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\default.filter, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\LICENSE.txt, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\match-all.action, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\mgwz.dll, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\privoxy.log, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\README.txt, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\sourceid.conf, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\systemwin.log, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\trust.txt, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\user.action, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\user.filter, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\p_doc.css, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\developer-manual\coding.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\developer-manual\cvs.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\developer-manual\documentation.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\developer-manual\index.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\developer-manual\introduction.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\developer-manual\newrelease.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\developer-manual\testing.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\developer-manual\webserver-update.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\faq\configuration.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\faq\contact.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\faq\copyright.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\faq\general.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\faq\index.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\faq\installation.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\faq\misc.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\faq\trouble.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\images\files-in-use.jpg, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\images\proxy_setup.jpg, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\actions-file.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\appendix.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\config.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\configuration.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\contact.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\copyright.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\files-in-use.jpg, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\filter-file.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\index.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\installation.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\introduction.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\proxy2.jpg, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\proxy_setup.jpg, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\p_doc.css, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\quickstart.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\seealso.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\startup.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\templates.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\doc\user-manual\whatsnew.html, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\edit-actions-list-section, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\blocked, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\cgi-error-404, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\cgi-error-bad-param, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\cgi-error-disabled, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\cgi-error-file, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\cgi-error-file-read-only, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\cgi-error-modified, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\cgi-error-parse, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\cgi-style.css, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\connect-failed, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\connection-timeout, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\default, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\edit-actions-add-url-form, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\edit-actions-for-url, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\edit-actions-for-url-filter, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\edit-actions-list, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\edit-actions-list-button, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\edit-actions-list-url, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\edit-actions-remove-url-form, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\edit-actions-url-form, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\forwarding-failed, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\mod-local-help, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\mod-support-and-service, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\mod-title, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\mod-unstable-warning, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\no-server-data, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\no-such-domain, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\show-request, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\show-status, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\show-status-file, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\show-url-info, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\show-version, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\toggle, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\toggle-mini, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\untrusted, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\templates\url-info-osd.xml, , [c5e79e471f7b9d99c5087cd539c745bb],

Physical Sectors: 0
(No malicious items detected)


I've tried to delete the SystemWin folder from Program Files, but every time I restart it re-downloads the files, which MWB is picking up as a virus. This has something to do with IE and the proxy settings within IE. I'm not sure if that's how it's getting in each time, but this little bug is driving me up the wall.

I would appreciate any guidance to help me through this bug bash.

Kind Regards,

James

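The log above shows the pattern worth recognising in a scan like this: the detection name and the file list (privoxy.log, the user-manual and templates directories) indicate a Privoxy build installed under the SystemWin name and registered as a service, while every loaded user hive, including SYSTEM (S-1-5-18) and the LOCAL SERVICE and NETWORK SERVICE accounts, carries ProxyServer = 127.0.0.1:8118 so that browser traffic is routed through it. The following Python script is an added example, not part of this thread and not Malwarebytes' own tooling: it parses the MBAM 2.x log layout visible above (a "Section: count" header followed by "detection, target, data, , [digest]" lines), then correlates the loopback ProxyServer entries with the service ImagePath and the flagged binary. The embedded sample log is a constructed, trimmed copy of the one posted; the section and field layout it assumes is the one shown in the post.

```python
"""Triage helper for a Malwarebytes Anti-Malware 2.x scan log (added example).

Parses detection lines and reports which registry hives point at a loopback
proxy, which binary the flagged service launches, and whether that binary
was itself flagged in the Processes/Files sections.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the log format quoted in the thread.
SAMPLE_LOG = r"""
Processes: 1
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\systemwin.exe, 14728, , [c5e79e471f7b9d99c5087cd539c745bb]

Registry Keys: 1
PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SystemWin, , [c5e79e471f7b9d99c5087cd539c745bb],

Registry Values: 3
PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSTEMWIN|ImagePath, "C:\Program Files (x86)\SystemWin\systemwin.exe" --service, , [7d2ffaebc8d285b1fdc1c38ef907fb05]
PUM.Optional.ProxyHijacker, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, , [d7d51cc921790d29a9289dc0808321df]
PUM.Optional.ProxyHijacker, HKU\S-1-5-21-2581644591-4208433480-3486313852-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, , [822aa63feab0c274eae7c895db289c64]

Registry Data: 0
(No malicious items detected)

Files: 2
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\systemwin.exe, , [c5e79e471f7b9d99c5087cd539c745bb],
PUP.Optional.Privoxy, C:\Program Files (x86)\SystemWin\config.txt, , [c5e79e471f7b9d99c5087cd539c745bb],
"""

# "Registry Values: 5" style section headers.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<count>\d+)$")
# "PUP.Optional.Privoxy, <target>, <data>, , [<32 hex>]" with an optional trailing comma.
ITEM_RE = re.compile(
    r"^(?P<detection>[A-Z]{3}\.[\w.]+), (?P<body>.*), \[(?P<digest>[0-9a-f]{32})\],?$"
)

# Well-known SIDs whose hives were hit; anything else is a regular account.
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
LOOPBACK_PREFIXES = ("127.0.0.1:", "localhost:", "[::1]:")


@dataclass
class Finding:
    section: str
    detection: str
    target: str     # path, registry key, or "key|value name"
    data: str       # PID, registry value data, or empty
    digest: str


def parse_log(text):
    """Return one Finding per detection line, tagged with its section."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):      # blank or "(No malicious items detected)"
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        item = ITEM_RE.match(line)
        if item and section:
            # body is "target, data, " so the last split element is always empty
            parts = item.group("body").split(", ")
            findings.append(Finding(section, item.group("detection"),
                                    parts[0], ", ".join(parts[1:-1]), item.group("digest")))
    return findings


def describe_sid(sid):
    return WELL_KNOWN_SIDS.get(sid, "user account RID " + sid.rsplit("-", 1)[-1])


def proxy_hijack_report(findings):
    """Correlate loopback ProxyServer values with the flagged service binary."""
    hijacked, service_exe = {}, None
    for f in findings:
        if f.section != "Registry Values":
            continue
        if f.target.upper().endswith("|PROXYSERVER") and f.data.lower().startswith(LOOPBACK_PREFIXES):
            m = re.match(r"HKU\\(S-1-5-[\d-]+)\\", f.target, re.I)
            hijacked[m.group(1) if m else f.target] = f.data
        elif f.target.upper().endswith("|IMAGEPATH"):
            m = re.match(r'"?(?P<exe>[^"]+?\.exe)', f.data, re.I)   # strip quotes and arguments
            service_exe = m.group("exe") if m else None
    flagged = {f.target.lower() for f in findings if f.section in ("Processes", "Files")}
    return {
        "hijacked_hives": {sid: describe_sid(sid) for sid in hijacked},
        "proxy_ports": sorted({v.rsplit(":", 1)[-1] for v in hijacked.values()}),
        "service_binary": service_exe,
        "service_binary_flagged": service_exe is not None and service_exe.lower() in flagged,
    }


if __name__ == "__main__":
    for key, value in proxy_hijack_report(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a full Results.txt by reading the file into parse_log instead of SAMPLE_LOG. A report with loopback proxy entries in several hives plus a service whose ImagePath matches a flagged binary is the state the original post describes, and it is why removing the folder alone does not help: the service registration and the per-hive proxy values are the items that also have to go, which is what the FRST fix in the replies below takes care of.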

Hello and welcome!


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of the Windows Security Warning - Open File.)
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please upload it to your reply.

 


Let me know if this fixed it.

fixlist.txt


Since there are no more problems, we can declare this PC clean.

Now we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non-infected restore point while deleting the old ones.


Step 1. - Creation of system restore point and tools removal.


Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings

  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt). I don't need it for review.


Tool deletes old system restore points and creates a fresh system restore point after cleaning.


Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.


Security tips - highly recommended reading:


Maintenance tips:


Additional software that I personally use and install on all my clients' devices:

  • Malwarebytes' Anti-Malware(paid version highly recommended) - to scan your system from time to time in search for malware.
  • Malwarebytes' Anti-Exploit - to prevent exploitation of the most commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent installing additional foistware bundled into legitimate installations.
  • uBlock - to surf the web without annoying ads!
  • Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they’re all up-to-date.

My help is free for everybody.


If you're happy with the help provided and/or wish to show your appreciation, please consider a donation.
Thank you!

Stay safe,
TwinHeadedEagle :)
