[Solved] I need help interpreting a Malwarebytes detection

Asus mobo / M5a97 r2.0
August 31, 2014 at 15:20:48
Specs: Windows 7 64 bit, AMD FX 6300 \ GSKILL 1600 DDR3
I am running Win 7 64 bit. I have PIA (Private Internet Access) VPN installed. Before I installed PIA, I tried Privoxy and a few other freeware proxies. I uninstalled those before installing PIA. So right now I'm not sure if there are still remnants of those other proxies on my machine. I did a scan with Malwarebytes and it detects 4 instances of Proxyserver. I'm not sure if this is my PIA proxy or something else. This is what the detection looked like:
http://tinypic.com/m/ifn9s3/4

I chose the Quarantine option and applied actions.

Malwarebytes then cleans and shows that the machine is clean. Pic below:
http://tinypic.com/m/ifo5eh/4

But even if I don't reboot, and scan again, it is back to showing the same thing in Malwarebytes:
http://tinypic.com/m/ifn9s3/4

Is it possible this is my legit PIA VPN re-installing itself? I've also heard that malware can control some VPNs. I'm on this tack because my LAN settings keep switching back to 'Use a proxy server for your LAN', despite me unchecking that option when I completely close out of PIA. I'm doing all of this to diagnose why an online game install is failing - apparently due to this option being checked.

So I need to first interpret the results of the Malwarebytes scan, to know what it is detecting.
Thanks

#1
August 31, 2014 at 15:49:05
Let's do it a different way, not sure at this stage how many steps it will take.

Run both of these, in this order.

Step 1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
How to download from Softpedia
http://i.imgur.com/BWELEfV.gif
http://i.imgur.com/4luY3rU.gif
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 2: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
How to download from Softpedia
http://i.imgur.com/qO92huz.gif
http://i.imgur.com/qzTUYkX.gif
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#2
August 31, 2014 at 16:43:30
Thanks for responding Johnw. Thanks for the thorough instructions.

I downloaded, installed and ran both programs as per instructions.

Here is the AdwCleaner logfile:
# AdwCleaner v3.308 - Report created 31/08/2014 at 16:18:50
# Updated 20/08/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Tim - ASUSHOME
# Running from : D:\Tims Libraries\AdwCleaner\adwcleaner_3.308.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\GreenTree Applications
[!] Folder Deleted : C:\Program Files (x86)\MSR

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17239


-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\y4ez3csm.default\prefs.js ]


-\\ Google Chrome v37.0.2062.102

[ File : C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [4572 octets] - [07/08/2014 13:56:11]
AdwCleaner[R1].txt - [1374 octets] - [07/08/2014 14:03:12]
AdwCleaner[R2].txt - [1496 octets] - [07/08/2014 14:09:01]
AdwCleaner[R3].txt - [1566 octets] - [07/08/2014 14:14:15]
AdwCleaner[R4].txt - [1792 octets] - [31/08/2014 16:16:20]
AdwCleaner[S0].txt - [4249 octets] - [07/08/2014 14:00:49]
AdwCleaner[S1].txt - [1100 octets] - [07/08/2014 14:05:05]
AdwCleaner[S2].txt - [1643 octets] - [07/08/2014 14:15:22]
AdwCleaner[S3].txt - [1729 octets] - [31/08/2014 16:18:50]

########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1789 octets] ##########


And here is the JRT logfile:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Ultimate x64
Ran by Tim on Sun 08/31/2014 at 16:32:34.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{02DD8284-A49F-43E5-9D84-CF19DC9AD21D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{27DE7D30-BCCD-44D1-ADCB-A74A4259EBEF}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3A0EFC4E-F167-4D0E-9C24-FC5519237993}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{65DEE40A-3E93-4CAE-9F98-B8E06DCEE2BF}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65DEE40A-3E93-4CAE-9F98-B8E06DCEE2BF}

~~~ Files

Successfully deleted: [File] "C:\Windows\syswow64\wscm32.dll"
Successfully deleted: [File] "C:\Windows\syswow64\wscm64.dll"

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\ytd video downloader"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader"

~~~ FireFox

Emptied folder: C:\Users\Tim\AppData\Roaming\mozilla\firefox\profiles\y4ez3csm.default\minidumps [5 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 08/31/2014 at 16:39:01.72
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks for looking at them.
Tim



#3
August 31, 2014 at 16:48:18
Thanks Tim.

Update & Run Malwarebytes' Anti-Malware ( MBAM ) Free Version again please. Use Quick scan ( now called Threat Scan )
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box to Scan for rootkits.
http://i.imgur.com/dZgt1g2.gif
Copy and Paste the contents of the log, in your reply please.



#4
August 31, 2014 at 18:09:34

Johnw,
Is there any way to post an image directly into the forum post here? It would be simpler.

I will update and run Malwarebytes again as per your instructions , but first I have some other dots to connect here...

Back when I installed the PIA VPN client, I had difficulty configuring the proxy, so their support had me run Portchecker to see if it was working. And I believe it was Portchecker that installed Privoxy.exe as part of its working app. However, I can't remember for sure.

Well, in the AdwCleaner scan you had me run, it detected under the Folders tab something called MSR in path C:\Program Files (x86)\MSR. This item was also detected earlier in Malwarebytes, but I gave it an exception as I thought, after looking into it, that it was related to Microsoft's Genuine Authentication Check. It appears I was wrong though. MSR shows up in Windows 7 Programs and Features as installed item: System Update kb77600 and the publisher as MSR. See pic here:
http://tinypic.com/m/ifo80l/4

So after I ran the AdwCleaner scan you wanted, then cleaned and rebooted, the text file I posted shows entry: [!] Folder Deleted : C:\Program Files (x86)\MSR
I rescanned with AdwCleaner and it detected the same item again under Folders. Pic here:
http://tinypic.com/m/ifo7l4/4

I chose clean, rebooted and it still detects it.

I don't know why I didn't do this first, but I went to C:\Program Files (x86)\MSR and there was subfolder Privoxy with contents, see pic:
http://tinypic.com/m/ifo80o/4

This is when I remembered the connection of Privoxy to Portchecker noted above. So I uninstalled Portchecker, thinking it might be re-installing Privoxy. Then I attempted to uninstall Privoxy from the MSR>Privoxy folder using the uninstaller. It appears to uninstall, see pic here:
http://tinypic.com/m/ifo83k/4

But when I reboot it is back to being installed - showing both in the MSR folder and in Programs and Features:
http://tinypic.com/m/ifo80o/4
http://tinypic.com/m/ifo80l/4

The same thing happens if I use the AdwCleaner Clean option. It says it is removing the folder, but upon reboot it has re-installed itself.

I'm baffled by this and I believe this is the problem that keeps changing my LAN settings and causing problems with other online installations, even though I have completely closed out and shut down the PIA VPN client and had re-assurances from PIA that Privoxy is not a part of their Windows VPN client. I have no idea what is causing it to re-install.

I will however do as you advised and rescan with Malwarebytes and post the results back here.



#5
August 31, 2014 at 18:32:40
Ok Johnw,

I rescanned with Malwarebytes Threat Scan including Rootkits, and it detects the same 4 Registry values related to Privoxy. This was the result:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/31/2014
Scan Time: 6:13:52 PM
Logfile: Malwarebytes Scan_1_8_31_2014.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.08.31.07
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Tim

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 306680
Time Elapsed: 6 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 4
PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:8118;https=127.0.0.1:8118, , [5445caff5e1d3204c457e60c0bf7a957]
PUM.Bad.Proxy, HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:8118;https=127.0.0.1:8118, , [9009c6037ffc1224d348985aa062e020]
PUM.Bad.Proxy, HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:8118;https=127.0.0.1:8118, , [6f2a854476058fa78596c72bd0328e72]
PUM.Bad.Proxy, HKU\S-1-5-21-3284267918-3161681062-1870621831-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:8118;https=127.0.0.1:8118, , [d7c2626765164fe764b77181cf3301ff]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

I chose the Quarantine option, rebooted, rescanned and got the same result.

Thanks for looking at this Johnw.

#6
August 31, 2014 at 18:40:18
✔ Best Answer
Ok, we will get there, go through these & see if they help.

How to Check Hosts Files, DNS and Proxy Settings for Normal Internet Access after Malware Infection
http://www.dotfab.com/resources/how...

Infection has enabled proxy
http://www.bleepingcomputer.com/vir...
Start > Control Panel > Internet Options > Connections > LAN settings, untick > Use a proxy server for your LAN. Click OK twice.
Or,
Start > Run, Copy & Paste inetcpl.cpl in the Run box and press Enter.
Restore the Run command to Windows 7 and Vista Start menu
http://www.winhelponline.com/articl...



#7
August 31, 2014 at 18:46:30
"Is there any way to post an image directly into the forum post here? It would be simpler"
Used to be down under > Post Reply!

I use this.

Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru
How to use for images.
http://i.imgur.com/mWxzNlv.gif
http://i.imgur.com/ODCCcPf.gif
http://i.imgur.com/zalhLtW.gif
How to use for files.
http://i.imgur.com/FhtnM6c.gif
http://i.imgur.com/Wg3nZ4G.gif
http://i.imgur.com/txFkgpT.gif


#8
August 31, 2014 at 21:19:52
Alright Johnw, I think we've got it.

I went into Malwarebytes and cleared all exclusions. In the exclusions were all the rest of the Privoxy files - apparently I must have excluded them in troubleshooting the PIA VPN problems. It's gotten so convoluted I've lost track. At any rate I used the iExplorer.exe tool you linked me to (RKill) first, then re-scanned with Malwarebytes. It showed all the items that were previously excluded. Here is the logfile:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/31/2014
Scan Time: 7:38:39 PM
Logfile: Malwarebytes Scan_2_8_31_2014.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.01.01
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Tim

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 306231
Time Elapsed: 5 min, 50 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.SystemUpdater.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\System Update kb77600, , [6b2eb71268130036899d0ec89e64c937],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 8
PUP.Optional.SystemUpdater.A, C:\Windows\Microsoft\System Update kb77600, , [6b2eb71268130036899d0ec89e64c937],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\developer-manual, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\faq, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\images, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\templates, , [2f6a4683c0bb1b1be17e3b9bcb377789],

Files: 67
PUP.Optional.SystemUpdater.A, C:\Windows\Microsoft\System Update kb77600\ConfigurationData.dll, , [6b2eb71268130036899d0ec89e64c937],
PUP.Optional.SystemUpdater.A, C:\Windows\Microsoft\System Update kb77600\Installer.dll, , [6b2eb71268130036899d0ec89e64c937],
PUP.Optional.SystemUpdater.A, C:\Windows\Microsoft\System Update kb77600\InstallerLibrary.dll, , [6b2eb71268130036899d0ec89e64c937],
PUP.Optional.SystemUpdater.A, C:\Windows\Microsoft\System Update kb77600\win32.reg, , [6b2eb71268130036899d0ec89e64c937],
PUP.Optional.SystemUpdater.A, C:\Windows\Microsoft\System Update kb77600\WindowsUpdater.exe, , [6b2eb71268130036899d0ec89e64c937],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\AUTHORS.txt, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\config.txt, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\default.action, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\default.filter, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\LICENSE.txt, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\match-all.action, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\mgwz.dll, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\privoxy.exe, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\privoxy.log, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\privoxy_uninstall.exe, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\README.txt, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\trust.txt, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\user.action, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\user.action_empty, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\user.filter, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\user.filter_old, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\p_doc.css, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\developer-manual\coding.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\developer-manual\cvs.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\developer-manual\documentation.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\developer-manual\index.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\developer-manual\introduction.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\developer-manual\newrelease.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\developer-manual\testing.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\developer-manual\webserver-update.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\faq\configuration.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\faq\contact.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\faq\copyright.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\faq\general.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\faq\index.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\faq\installation.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\faq\misc.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\faq\trouble.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\images\files-in-use.jpg, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\images\proxy_setup.jpg, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\actions-file.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\appendix.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\config.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\configuration.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\contact.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\copyright.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\files-in-use.jpg, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\filter-file.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\index.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\installation.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\introduction.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\proxy2.jpg, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\proxy_setup.jpg, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\p_doc.css, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\quickstart.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\seealso.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\startup.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\templates.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\doc\user-manual\whatsnew.html, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\templates\cgi-style.css, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\templates\connect-failed, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\templates\mod-local-help, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\templates\mod-support-and-service, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\templates\mod-title, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\templates\mod-unstable-warning, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\templates\no-such-domain, , [2f6a4683c0bb1b1be17e3b9bcb377789],
PUP.Optional.Privoxy.A, C:\Program Files (x86)\MSR\Privoxy\templates\url-info-osd.xml, , [2f6a4683c0bb1b1be17e3b9bcb377789],

Physical Sectors: 0
(No malicious items detected)


(end)

Yah a lot!

I chose to Quarantine all, then rebooted. Upon rescan it showed me as being clean! No more items detected.
http://tinypic.com/m/ifoarp/4

And here is the clean logfile confirming that:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/31/2014
Scan Time: 9:02:12 PM
Logfile: Malwarebytes Scan_3_8_31_2014.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.01.01
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Tim

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 306245
Time Elapsed: 5 min, 59 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

I've rebooted and rescanned a couple times and it shows clean. Also, now the LAN settings I choose are holding without the proxy taking control of them. Thankfully! So now it is on to diagnosing the next part of the problem involving the installation of the online game, but for that I'll be working with tech support.

Thanks for all your help Johnw!

And thanks for the link to the image uploader,
cheers
Tim


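An added check script (not from the thread, nor from Malwarebytes or PIA) that does on the command line what Tim worked out by hand above: it reads the ProxyServer value from every loaded user hive (the S-1-5-18/19/20 system accounts as well as the logged-on user's S-1-5-21 SID, which is why the PUM.Bad.Proxy entries came up four times), checks whether anything is still listening on the proxy port, and looks for the service that kept re-applying the setting. The proxy string 127.0.0.1:8118, the service name "System Update kb77600" and the folder under C:\Windows\Microsoft come from the Malwarebytes logs in this thread; it assumes an elevated PowerShell 3 or later.

```powershell
# Added example: audit per-hive proxy settings and the persistence seen in the logs above.
# Values below are taken from the Malwarebytes log lines posted in this thread.
$SuspectProxy   = '127.0.0.1:8118'          # Privoxy's listener, from the PUM.Bad.Proxy entries
$SuspectService = 'System Update kb77600'   # from the PUP.Optional.SystemUpdater.A entry
$SuspectFolder  = 'C:\Windows\Microsoft\System Update kb77600'

# 1. Walk every loaded hive under HKEY_USERS. Malwarebytes flagged the value in four hives,
#    so checking only the current user (HKCU) would have missed three of them.
function Get-ProxyPerHive {
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Hive        = $sid
                    ProxyEnable = $p.ProxyEnable
                    ProxyServer = $p.ProxyServer
                    Suspect     = [bool]($p.ProxyServer -and $p.ProxyServer -like "*$SuspectProxy*")
                }
            }
        }
}

Write-Host "== ProxyServer per hive =="
$hives = Get-ProxyPerHive
$hives | Format-Table -AutoSize

# 2. A live listener on the port means the proxy process is actually running;
#    a ProxyServer value with nothing listening is what breaks installers (connections are refused).
Write-Host "== Listeners on port 8118 =="
netstat -ano -p tcp | Select-String ':8118\s'

# 3. The persistence: a service (and its folder) that re-created the Privoxy install and the
#    proxy value after every cleanup. Check both the service table and the folder it ran from.
Write-Host "== Suspect service / folder =="
Get-WmiObject Win32_Service |
    Where-Object { $_.Name -eq $SuspectService -or $_.PathName -like "*$SuspectService*" } |
    Select-Object Name, State, StartMode, PathName
Test-Path $SuspectFolder

# 4. Only after the service is gone (quarantined, as in the thread) is clearing the value
#    worthwhile; otherwise it just comes back, as Tim saw. Uncomment to apply.
# foreach ($h in ($hives | Where-Object Suspect)) {
#     $key = "Registry::HKEY_USERS\$($h.Hive)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
#     Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
#     Set-ItemProperty    -Path $key -Name ProxyEnable -Value 0
# }
```

Re-run step 1 after a reboot: if the Suspect column turns true again, something is still re-applying the value and the service hunt in step 3 is where to look.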
#9
August 31, 2014 at 21:25:05
Run these again Tim, to cleanup the dregs.

AdwCleaner & Junkware Removal Tool.



#10
August 31, 2014 at 21:56:36
OK Johnw, I ran them and they came up clean.

AdwCleaner detected the MSR folder, but it was just the remaining folder - the Privoxy folder and all items were successfully quarantined by Malwarebytes. So AdwCleaner now also removed the MSR folder.
AdwCleaner logfile:
# AdwCleaner v3.308 - Report created 31/08/2014 at 21:39:40
# Updated 20/08/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Tim - ASUSHOME
# Running from : D:\Tims Libraries\AdwCleaner\adwcleaner_3.308.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\MSR

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17239


-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\y4ez3csm.default\prefs.js ]


-\\ Google Chrome v37.0.2062.102

[ File : C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}

*************************

AdwCleaner[R0].txt - [4572 octets] - [07/08/2014 13:56:11]
AdwCleaner[R10].txt - [2214 octets] - [31/08/2014 17:36:12]
AdwCleaner[R11].txt - [2126 octets] - [31/08/2014 21:38:00]
AdwCleaner[R1].txt - [1374 octets] - [07/08/2014 14:03:12]
AdwCleaner[R2].txt - [1496 octets] - [07/08/2014 14:09:01]
AdwCleaner[R3].txt - [1566 octets] - [07/08/2014 14:14:15]
AdwCleaner[R4].txt - [1792 octets] - [31/08/2014 16:16:20]
AdwCleaner[R5].txt - [1732 octets] - [31/08/2014 16:46:00]
AdwCleaner[R6].txt - [1792 octets] - [31/08/2014 16:47:40]
AdwCleaner[R7].txt - [1912 octets] - [31/08/2014 17:09:21]
AdwCleaner[R8].txt - [1972 octets] - [31/08/2014 17:11:57]
AdwCleaner[R9].txt - [1884 octets] - [31/08/2014 17:15:58]
AdwCleaner[S0].txt - [4249 octets] - [07/08/2014 14:00:49]
AdwCleaner[S1].txt - [1100 octets] - [07/08/2014 14:05:05]
AdwCleaner[S2].txt - [1643 octets] - [07/08/2014 14:15:22]
AdwCleaner[S3].txt - [1869 octets] - [31/08/2014 16:18:50]
AdwCleaner[S4].txt - [1865 octets] - [31/08/2014 16:58:00]
AdwCleaner[S5].txt - [2045 octets] - [31/08/2014 17:12:57]
AdwCleaner[S6].txt - [1951 octets] - [31/08/2014 17:17:03]
AdwCleaner[S7].txt - [2286 octets] - [31/08/2014 17:37:12]
AdwCleaner[S8].txt - [2263 octets] - [31/08/2014 21:39:40]

########## EOF - C:\AdwCleaner\AdwCleaner[S8].txt - [2323 octets] ##########


And the clean JRT logfile:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Ultimate x64
Ran by Tim on Sun 08/31/2014 at 21:42:53.16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 08/31/2014 at 21:49:24.68
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thanks again Johnw.

#11
August 31, 2014 at 22:09:48
Here is info on how users get problems, Tim.

From your log.
Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic )
http://dottech.org/23420/cnet-crapw...

As you can see from your logs, you had a lot of stuff installed, that you did not know had been installed.
A lot of programs, now give you the choice to install toolbars & other during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install, you have to read after each click.
I use Softpedia, down the bottom of the page, they make you aware what Ad-supported programs the author of the program has included.
Sample pages
http://www.softpedia.com/get/CD-DVD...
http://www.softpedia.com/get/Multim...
Users are advised to pay attention while installing this ad-supported application:
· Offers to change the homepage for web browsers installed in the system
· Offers to change the default search engine for web browsers installed in the system
· Offers to install StartNow Toolbar that the program does not require to fully function
SS ( screenshots ) of above
http://i.imgur.com/CSBplyA.gif
http://i.imgur.com/3eWWoXm.gif

Use Unchecky to help prevent these third party installs. Nothing is perfect, the baddies are always ahead of the goodies.
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://unchecky.com/
How to download from Softpedia
http://i.imgur.com/iZ3Fzmc.gif
http://i.imgur.com/NNgm1rF.gif
A reliable application that aims to protect your computer against third-party components often offered during software installations.



#12
August 31, 2014 at 22:13:01
A final tool to install & run.

RunTFC
http://www.geekstogo.com/forum/file...
http://www.bleepingcomputer.com/dow...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Download it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7/8, right-click on the file and choose Run As Administrator.)
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

