Attempted redirect to 78.192.70.254 whenever I click on a .exe file [S


#16
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
To be honest this is one strange case. I found one Proxy entry in your firewall list.

C:\STUFF\NewsProxy-124\NewsProxy.exe

I'll remove the application and that entry from the firewall. Let's try this...

Step 1

NOTE: This fix is custom made for this system only and for current system state! Don't try to run it on another system!

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Files
    C:\STUFF\NewsProxy-124\NewsProxy.exe
    ipconfig /flushdns /c

    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\STUFF\NewsProxy-124\NewsProxy.exe"=-

    :Commands
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Let's install the free Avast for this step (if you already have it installed, skip the download and installation steps):

http://www.avast.com...ivirus-download

Once you have it installed and it has updated, right click on it and select Open Avast! User Interface then click on Scan Computer, then on
Boot-Time Scan then Schedule Now. Reboot and let it run a scan. It will take many hours (like overnight) and unfortunately you may need to check back with it once in a while to see if it needs an input from you.

Please report whether it found something and whether it removed it.

Step 3

Please don't forget to include these items in your reply:

  • OTL fix log
It would be helpful if you could post each log in a separate post.


#17
martin1981
    Member
  • Topic Starter
  • 20 posts
Good morning,

Newsproxy is a very old utility that works with Usenet's Forte Agent. It's harmless.
I hadn't used it for ages and it was not currently an exception in the firewall.
I removed it just in case, but when I switched on this morning, the attempted redirects started straight away.
I have attached a jpg file to show the frequency of the attacks.
4.26.226.126 is the connection to Peerblock
65.55.200.139 is the connection to Microsoft

As for reinstalling Avast which I ditched a while back in favour of Microsoft's own anti malware and anti virus ... Well, I did explain in my original post of last September:
I have done full scans with Malwarebytes, Avast, DrWeb, Superantispyware, TDSSKiller, M/soft malicious software removal tool, Rootkit Buster, Rootkit Revealer, as well as scans with Trend Online and Eset.
All they did was find a few false positives. Their logs show nothing significant.
I installed Unhookexec.inf.
The file associations are correct.
HijackThis log shows nothing unusual.
The Hosts file is short, with localhost 127.0.0.1
I do not use proxies.
The firewall is working and set correctly.
I have cleaned with CCleaner, Winaso and TuneUp.
I have not installed any fake antivirus, I am the only one using my PC.
I do not have any HideMyIP type utilities installed.
I do not use P2P things like Emule etc.
I use Firefox, but I think this is irrelevant since the attempt happens whenever I click on an application.
I had a look at 78.192.70.254 (weeks AFTER the redirect attempts started) - it's an Apache server in France, it asks for a password to log into.
I have read and followed the advice given in a number of forums.


This is why, in desperation I came to this forum after having already tried all I could find.

Attached Thumbnails

  • 1.jpg


#18
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hi martin1981,

I'll ask my coworkers here at G2G for some help with this problem. Please stay tuned. I'll reply as soon as I get new info.

#19
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hi martin1981,

I tried Peerblock on my system and I think that there is something wrong with your IP list/version of Peerblock.

Can you please try to uninstall Peerblock. Remove all folders related to Peerblock in Program Files. Download and install the latest version of Peerblock and see if you still have the IP blocking problem.

If you still have the problem, then:

We are going to run System File Checker, to make sure all of your protected files are not corrupt. The scan will automatically replace any corrupt files that it finds.

Click Start
Select Run
At the prompt type sfc /scannow Please note that there is a single space between sfc and /scannow.

Typing this will start the program, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens, please make sure that you can view protected files:
  • My Computer
  • Tools
  • Folder Options
  • View
  • "Uncheck" Hide protected operating system files.
Then rerun the scan. If it still asks you to put in your Windows XP CD, and you do not have the CD (if you bought it preinstalled), post back for more tips; otherwise insert the Windows CD.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files:
  • My Computer
  • Tools
  • Folder Options
  • View
  • "Check" Hide protected operating system files.


#20
martin1981
    Member
  • Topic Starter
  • 20 posts
Good morning,
Many thanks for your assistance.

I was away the past 2 days.
I'll now resume the malware hunt.

#21
martin1981
    Member
  • Topic Starter
  • 20 posts
Hi again,

I wonder if Peerblock seeming to work better on your system is down to the fact that you don't have a resident malware which Peerblock would stop.
The fact is, every time I start my PC or start a .exe file, I do not want unsolicited redirects to 78.192.70.254, which is a server in Paris, and I added this IP to the Peerblock block list.

Anyway, I completely uninstalled Peerblock.
Restarted the PC, started TCPview to see what was going on, clicked on a .exe file (tdsskiller.exe) and straight away saw a whole list of free redirects to 78.192.70.254

Went to Peerblock's website, downloaded and installed current version.
Free redirects to 78.192.70.254 straight away.
As I already said, I don't want the content of my PC to be redirected to that French server and I inserted the nasty IP in Peerblock blocklist.
Subsequent attempted redirects were instantly blocked.
Please see attached jpg 1.jpg

----------------------------------

Did sfc /scannow as instructed.
Window opened and the scan started
Took 1/2 hour or so, nothing was reported.

As it is the second Wednesday of the month, it is time for the Microsoft update.
I validated automatic updates in the security center.
Impossible to update because of the persistent attempted redirects.
Please see attached jpg 2.jpg

I did the updates via Internet Explorer tools/update.
Fewer attempted redirects, went OK, all updates installed.
I have always done the updating regularly and in time since I had the PC, and the attempted redirects started nearly a year ago.
I also use the Update Checker from filehippo.com so that other applications are also updated.

The problem is not Peerblock blocking the attempted redirects -which I am grateful it does.
The problem is that there is something nasty in my PC, which tries to redirect what I do to 78.192.70.254

There must be other users affected by this malware, but perhaps they aren't aware it's happening.

Attached Thumbnails

  • 1.jpg
  • 2.jpg


#22
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
The problem is that the logs don't show us any type of malware. So we must try anything (even basic stuff) and try to figure this out.

Please click on Start and then to Run
Type in msconfig and press Enter
Now click on Startups
Then uncheck everything and press Apply button.
Restart your system now
IMPORTANT! In the case of a laptop, make sure you do NOT disable any keyboard or touchpad entries.

If the system boots and there were no IP requests, then there is a chance we found the problem
Try going back into msconfig and check one item and reboot
Keep doing that till you have found the problem or all are finally checked.


If this fails then:

Please click on Start and then to Run
Type in msconfig and press Enter
Now click on Services
Click on the Hide All Microsoft Services
Then uncheck everything and press Apply button.
Restart your system now

If the system boots and there were no IP requests, then there is a chance we found the problem
Try going back into msconfig and check one item and reboot
Keep doing that till you have found the problem or all are finally checked.


Post back with the results

#23
martin1981
    Member
  • Topic Starter
  • 20 posts
Good morning,

Thanks for your assistance.
I have done the startups routine before. Easy since I only have antivirus, antimalware and Peerblock on startup. None of them is the malware source.

I'll have a go at the services during the week-end.
It won't be fun.

Best regards
Martin

#24
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
OK. Please let me know how it went. My coworkers pointed out a few steps we can try to figure this out and we'll do them after this. I'll prepare them for you while you run my last instructions.

#25
martin1981
    Member
  • Topic Starter
  • 20 posts
Good morning,

It didn't go well at all.
I have very few non-Microsoft services in msconfig, but aaargghh....
I spent a long time struggling to reinstall and get working my sound and video, which got somehow messed up in the process.
The malware is not to be blamed for this.
NVidia would not reinstall to start with, then I had a message on the screen "no video card detected". Looked in a Nvidia forum where the advice was to reinstall Windows (no way!)...
Got everything finally back to work by Sunday night, but the 78.192.70.254 nonsense is still here.

What I cannot understand is that the attempted redirects start on boot as soon as the internet connection is made. (nothing to do with my ISP as nothing happens to my laptop when connected to the same router)
The Ntbootlog shows nothing out of the ordinary.
Even with nothing at all in the startup, it still tries to go to 78.192.70.254 as TCPview shows me.

I did a search of all .dll files and scanned the lot with Malwarebytes (latest update of yesterday): nothing, same with .xml files: nothing.
Did a scan with ZHPDiag: it only reported a few remnants of adware -which I removed- in the registry.

There is of course the option of low level formatting the hard drive and reinstalling everything. However, I would prefer to cure the problem in case it happens again in the future.


#26
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
This sure is one strange case. I have one step that might shed some light on your case.

Download Process Monitor http://live.sysinter...com/Procmon.exe

Save it to your desktop. Run Process Monitor.

On the toolbar make sure that you select "Show Registry Activity", "Show Network Activity", "Show Processes and Thread Activity" (Last

Start an exe process then as soon as it starts (or you get the notice of the attempt to go to 78.192.70.254), File, then uncheck Capture Events. Once it stops:

See if you can find where it is calling 78.192.70.254 and scroll so that the call to 78.192.70.254 is about 20 lines down from the top.

Now click at the top of the page and then go down to the bottom of the page, hold down the shift key and click on the last line. That should highlight a full page of events.

File, Save, check Highlighted Events then OK. It should save the file to logfile.pml which should be on your desktop. Close Process Monitor. Zip up the logfile.pml and attach it to a Reply. (You can also rename it to logfile.txt and attach it)

#27
martin1981
    Member
  • Topic Starter
  • 20 posts
Many thanks

Zipped logfiles attached.
I did a .pml save and a .csv save, just in case.

I turned off Peerblock so that it would not show dozens of blocked attempts.
It does however show the actual redirects to 78.192.70.254 (which procmon calls 78-192-70-254)
I used Microsoft's Filemon to "bait" the malware.
The actual redirects are at
05.13.403...
05.19.309...
05.22.153...
05.28.168...
05.31.450...
05.40.215...
Each time it shows a TCPReconnect

I sincerely hope you and your colleagues can make some sense out of this tenacious problem.


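One way to triage the Process Monitor export discussed in the two posts above, as an added example that is not part of the thread: it parses a CSV save of the log and groups the TCP events aimed at 78.192.70.254 by the process and PID that issued them, which is the one fact the helpers need from the log. The sample rows are constructed; the column layout assumed is Procmon's default CSV export, and the dashed host spelling matches what the poster reported seeing.

```python
"""Summarise a Process Monitor CSV export: which processes talked to one host.

Added example, not from the original thread. It assumes the log was saved
from Procmon as CSV (File > Save, "Comma-Separated Values") with the default
columns and that the remote address appears on the right of "->" in Path.
"""
import csv
import io
from collections import Counter

SUSPECT_IP = "78.192.70.254"
# Procmon resolves addresses; the poster saw the host rendered as
# "78-192-70-254", so match the dotted and the dashed spelling.
SUSPECT_HOSTS = (SUSPECT_IP, SUSPECT_IP.replace(".", "-"))

# Constructed sample of a Procmon CSV export. Process names, PIDs, local
# ports and timestamps are invented for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"05:13:40.3001234","tdsskiller.exe","1820","Process Start","","SUCCESS","Parent PID: 1204"
"05:13:40.4032211","svchost.exe","1048","TCP Reconnect","mypc:1043 -> 78-192-70-254:80","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"05:13:40.4099871","svchost.exe","1048","TCP Reconnect","mypc:1043 -> 78-192-70-254:80","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"05:13:41.1200000","tdsskiller.exe","1820","TCP Connect","mypc:1044 -> 65.55.200.139:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"05:19:30.9000000","explorer.exe","1204","TCP Reconnect","mypc:1050 -> 78-192-70-254:80","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"05:19:31.0000000","explorer.exe","1204","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"""


def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def remote_host(path):
    """Extract the remote host from a Procmon network Path, or None.

    Network rows look like "local:port -> remote:port"; the port is split off
    from the right so a dotted IPv4 address keeps all its dots.
    """
    if "->" not in path:
        return None
    remote = path.split("->", 1)[1].strip()
    host, _sep, _port = remote.rpartition(":")
    return host or remote


def is_suspect_host(host, suspects=SUSPECT_HOSTS):
    """True for the bare address or a reverse-DNS name that starts with it."""
    if host is None:
        return False
    return any(host == s or host.startswith(s + ".") for s in suspects)


def summarise_suspect_connections(rows, suspects=SUSPECT_HOSTS):
    """Group network events aimed at the suspect host by (process, PID).

    Each entry records how many events there were, which operations
    (TCP Connect, TCP Reconnect, ...) and when the first one occurred.
    """
    summary = {}
    for row in rows:
        op = row["Operation"]
        if not (op.startswith("TCP") or op.startswith("UDP")):
            continue
        if not is_suspect_host(remote_host(row["Path"]), suspects):
            continue
        key = (row["Process Name"], row["PID"])
        entry = summary.setdefault(
            key, {"count": 0, "operations": Counter(), "first_seen": row["Time of Day"]}
        )
        entry["count"] += 1
        entry["operations"][op] += 1
    return summary


def main():
    rows = parse_procmon_csv(SAMPLE_CSV)
    for (name, pid), info in summarise_suspect_connections(rows).items():
        ops = ", ".join(f"{o} x{n}" for o, n in sorted(info["operations"].items()))
        print(f"{name} (PID {pid}): {info['count']} event(s) to {SUSPECT_IP}, "
              f"first at {info['first_seen']}: {ops}")


if __name__ == "__main__":
    main()
```

Replace SAMPLE_CSV with the contents of a real export to run it on a captured log; the process reported first is the one to inspect in the log around that timestamp.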

#28
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
We'll try to analyse this log and get back to you as soon as possible. In the meantime, please do these two steps for me.

Step 1

Please start Notepad
Copy and paste these lines in Notepad

netsh int ip reset reset.txt
netsh winsock reset
netsh advfirewall reset

Save file as repair.bat on your desktop
Double click to run it
Restart your system to finish this step

Step 2

Let's try to reset router to its default configuration.

Write down configuration information such as IP addresses, security keys, opened ports and services, etc., that you modified.

Reset can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

After this test your PC for redirection and come back with results.

#29
martin1981
    Member
  • Topic Starter
  • 20 posts
Did the repair.bat
Log below

Reset the router as instructed, retyped the various things for connection, rebooted.
Exact same attempted redirection as soon as the connection was made
Screendump attached "malware.pdf" (wouldn't let me upload as .docx file)


Reset.txt log:




#30
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
OK. Let's dig a little deeper into the connection settings on your system.

Step 1

Please start Notepad
Copy and paste these lines in Notepad

reg  query  "HKLM\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"  /s >>  \junk.txt
reg  query  "HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"  /s >>  \junk.txt
reg  query  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer  /s  >>  \junk.txt
reg  query  HKLM\SECURITY\Policy  /s >> \junk.txt
reg  query  HKCR\exefile  /s  >>  \junk.txt

Save file as connection.bat on your desktop
Double click to run it
Attach or Zip and Attach the file C:\junk.txt

Step 2

Download ShellExView.

shexview_setup.exe

Once you get it installed, run it and look in the third or fourth column from the RIGHT. It should say MICROSOFT.
Click once or twice on MICROSOFT so that items with NO are at the top.
Select all of the NO items and then click on the red LED-looking icon in the upper left. This should disable all of the non-Microsoft additions to Explorer.
Reboot and see if you still get the 78.192.70.254 connections.





