defferentia.ru and disorderstatus.ru help :D

Greetings!

It appears my laptop was also infected because I keep getting alerts from avast :frowning:

I already read the other posts and installed and ran FRST.EXE. But I am not sure what to do next. Please help me…

Here’s what the generated fixlog had:

Fix result of Farbar Recovery Scan Tool (x86) Version:31-08-2015
Ran by Hanceely (2015-09-04 18:58:16) Run:1
Running from C:\Users\Hanceely\Desktop
Loaded Profiles: Hanceely (Available Profiles: Hanceely)
Boot Mode: Normal

==============================================

fixlist content:


Start

RemoveProxy:
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:62761;https=127.0.0.1:62761
Tcpip\Parameters: [DhcpNameServer] 122.255.99.228 122.255.99.236

CreateRestorePoint:
CMD: bitsadmin /util /setieproxy localsystem NO_PROXY RESET

CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {DC2EF05D-8CDB-47E1-9131-08DDEE8E7B11} - System32\Tasks\LinkBuilder-S-2151721119 => c:\programdata\trusted publisher\systemssupport\LinkBuilder.exe <==== ATTENTION
Task: {FA4BDF02-3C78-4CD7-B0C5-2B107F229995} - \GPUP → No File <==== ATTENTION
Task: C:\Windows\Tasks\LinkBuilder-S-2151721119.job => c:\programdata\trusted publisher\systemssupport\LinkBuilder.exeT/schedule /profile c:\programdata\trusted publisher\systemssupport\2151721119.ini <==== ATTENTION
SearchScopes: HKLM → DefaultScope value is missing
SearchScopes: HKLM-x32 → DefaultScope value is missing
CHR HKLM.…\Chrome\Extension: [aaaaaiabcopkplhgaedhbloeejhhankf] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx [2015-01-31]
CHR HKLM-x32.…\Chrome\Extension: [aaaaaiabcopkplhgaedhbloeejhhankf] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx [2015-01-31]

Hosts:
c:\programdata\trusted publisher
C:\ProgramData\AskPartnerNetwork
C:\ProgramData\msvhzuru.exe

EmptyTemp:
End


========= RemoveProxy: =========

HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-3687242877-1089386031-4052543201-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer => value removed successfully.
HKU\S-1-5-21-3687242877-1089386031-4052543201-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-3687242877-1089386031-4052543201-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.

========= End of RemoveProxy: =========

HKU.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable => value removed successfully.
HKU.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer => value not found.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer => value removed successfully.
Restore point was successfully created.

========= bitsadmin /util /setieproxy localsystem NO_PROXY RESET =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Internet proxy settings for account localsystem set to NO_PROXY.
(connection = default)

========= End of CMD: =========

Processes closed successfully.
HKLM\SOFTWARE\Policies\Google => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{DC2EF05D-8CDB-47E1-9131-08DDEE8E7B11} => key not found.
C:\Windows\System32\Tasks\LinkBuilder-S-2151721119 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LinkBuilder-S-2151721119 => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{FA4BDF02-3C78-4CD7-B0C5-2B107F229995} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GPUP => key not found.
C:\Windows\Tasks\LinkBuilder-S-2151721119.job => not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope => value restored successfully
\DefaultScope => value not found.
HKLM\SOFTWARE\Google\Chrome\Extensions\aaaaaiabcopkplhgaedhbloeejhhankf => key not found.
“C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx” => not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
“c:\programdata\trusted publisher” => File/Folder not found.
“C:\ProgramData\AskPartnerNetwork” => File/Folder not found.
“C:\ProgramData\msvhzuru.exe” => File/Folder not found.
EmptyTemp: => 9.6 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 19:10:16 ====
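An added Python example, not from this thread or from FRST itself, that parses result lines in the format of the Fixlog above and separates the items FRST actually removed or restored from those it reported as not found; the sample lines are constructed from the posted log. A fixlog dominated by "not found" results is the tell that the fixlist was not written against this machine's own scan.

```python
import re

# Constructed sample in the format of the FRST Fixlog posted in this thread (a subset of
# its result lines, with straight quotes where the forum rendering shows curly ones).
SAMPLE_FIXLOG = r"""
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer => value not found.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer => value removed successfully.
Restore point was successfully created.
HKLM\SOFTWARE\Policies\Google => key not found.
C:\Windows\Tasks\LinkBuilder-S-2151721119.job => not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
"C:\ProgramData\msvhzuru.exe" => File/Folder not found.
EmptyTemp: => 9.6 GB temporary data Removed.
"""

# One result line is "<target> => <outcome>", sometimes with a trailing period.
RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+?)\.?$")


def classify(outcome):
    """'acted': the artifact existed and FRST handled it; 'absent': nothing was there."""
    low = outcome.lower()
    if "not found" in low:
        return "absent"
    if "successfully" in low or "removed" in low:
        return "acted"
    return "other"


def parse_fixlog(text):
    """Return (target, outcome, status) for every result line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            target = m.group("target").strip('"\u201c\u201d')  # drop straight/curly quotes
            entries.append((target, m.group("outcome"), classify(m.group("outcome"))))
    return entries


def summarize(entries):
    """Status counts plus the targets the fixlist named but this machine did not have.
    Many 'absent' results mean the fixlist was not written against this machine's scan."""
    counts = {"acted": 0, "absent": 0, "other": 0}
    absent = [t for t, _o, s in entries if s == "absent"]
    for _t, _o, status in entries:
        counts[status] += 1
    return counts, absent
```

Run `summarize(parse_fixlog(open("Fixlog.txt", encoding="utf-8").read()))` on a real Fixlog to get the same breakdown for the whole file.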

Where did you get the fixlist from?

I will need the original FRST logs.

I got it from here: https://forum.avast.com/index.php?topic=175918.0

Start

RemoveProxy:
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:62761;https=127.0.0.1:62761
Tcpip\Parameters: [DhcpNameServer] 122.255.99.228 122.255.99.236

CreateRestorePoint:
CMD: bitsadmin /util /setieproxy localsystem NO_PROXY RESET

CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {DC2EF05D-8CDB-47E1-9131-08DDEE8E7B11} - System32\Tasks\LinkBuilder-S-2151721119 => c:\programdata\trusted publisher\systemssupport\LinkBuilder.exe <==== ATTENTION
Task: {FA4BDF02-3C78-4CD7-B0C5-2B107F229995} - \GPUP → No File <==== ATTENTION
Task: C:\Windows\Tasks\LinkBuilder-S-2151721119.job => c:\programdata\trusted publisher\systemssupport\LinkBuilder.exeT/schedule /profile c:\programdata\trusted publisher\systemssupport\2151721119.ini <==== ATTENTION
SearchScopes: HKLM → DefaultScope value is missing
SearchScopes: HKLM-x32 → DefaultScope value is missing
CHR HKLM.…\Chrome\Extension: [aaaaaiabcopkplhgaedhbloeejhhankf] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx [2015-01-31]
CHR HKLM-x32.…\Chrome\Extension: [aaaaaiabcopkplhgaedhbloeejhhankf] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx [2015-01-31]

Hosts:
c:\programdata\trusted publisher
C:\ProgramData\AskPartnerNetwork
C:\ProgramData\msvhzuru.exe

EmptyTemp:
End

Did you see this?

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Could you attach your two FRST logs, and I will look at them.

First one:

Start

RemoveProxy:
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:62761;https=127.0.0.1:62761
Tcpip\Parameters: [DhcpNameServer] 122.255.99.228 122.255.99.236

CreateRestorePoint:
CMD: bitsadmin /util /setieproxy localsystem NO_PROXY RESET

CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {DC2EF05D-8CDB-47E1-9131-08DDEE8E7B11} - System32\Tasks\LinkBuilder-S-2151721119 => c:\programdata\trusted publisher\systemssupport\LinkBuilder.exe <==== ATTENTION
Task: {FA4BDF02-3C78-4CD7-B0C5-2B107F229995} - \GPUP → No File <==== ATTENTION
Task: C:\Windows\Tasks\LinkBuilder-S-2151721119.job => c:\programdata\trusted publisher\systemssupport\LinkBuilder.exeT/schedule /profile c:\programdata\trusted publisher\systemssupport\2151721119.ini <==== ATTENTION
SearchScopes: HKLM → DefaultScope value is missing
SearchScopes: HKLM-x32 → DefaultScope value is missing
CHR HKLM.…\Chrome\Extension: [aaaaaiabcopkplhgaedhbloeejhhankf] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx [2015-01-31]
CHR HKLM-x32.…\Chrome\Extension: [aaaaaiabcopkplhgaedhbloeejhhankf] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx [2015-01-31]

Hosts:
c:\programdata\trusted publisher
C:\ProgramData\AskPartnerNetwork
C:\ProgramData\msvhzuru.exe

EmptyTemp:
End

Second one:

Fix result of Farbar Recovery Scan Tool (x86) Version:31-08-2015
Ran by Hanceely (2015-09-04 18:58:16) Run:1
Running from C:\Users\Hanceely\Desktop
Loaded Profiles: Hanceely (Available Profiles: Hanceely)
Boot Mode: Normal

==============================================

fixlist content:


Start

RemoveProxy:
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:62761;https=127.0.0.1:62761
Tcpip\Parameters: [DhcpNameServer] 122.255.99.228 122.255.99.236

CreateRestorePoint:
CMD: bitsadmin /util /setieproxy localsystem NO_PROXY RESET

CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {DC2EF05D-8CDB-47E1-9131-08DDEE8E7B11} - System32\Tasks\LinkBuilder-S-2151721119 => c:\programdata\trusted publisher\systemssupport\LinkBuilder.exe <==== ATTENTION
Task: {FA4BDF02-3C78-4CD7-B0C5-2B107F229995} - \GPUP → No File <==== ATTENTION
Task: C:\Windows\Tasks\LinkBuilder-S-2151721119.job => c:\programdata\trusted publisher\systemssupport\LinkBuilder.exeT/schedule /profile c:\programdata\trusted publisher\systemssupport\2151721119.ini <==== ATTENTION
SearchScopes: HKLM → DefaultScope value is missing
SearchScopes: HKLM-x32 → DefaultScope value is missing
CHR HKLM.…\Chrome\Extension: [aaaaaiabcopkplhgaedhbloeejhhankf] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx [2015-01-31]
CHR HKLM-x32.…\Chrome\Extension: [aaaaaiabcopkplhgaedhbloeejhhankf] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx [2015-01-31]

Hosts:
c:\programdata\trusted publisher
C:\ProgramData\AskPartnerNetwork
C:\ProgramData\msvhzuru.exe

EmptyTemp:
End


========= RemoveProxy: =========

HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-3687242877-1089386031-4052543201-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer => value removed successfully.
HKU\S-1-5-21-3687242877-1089386031-4052543201-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-3687242877-1089386031-4052543201-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.

========= End of RemoveProxy: =========

HKU.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable => value removed successfully.
HKU.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer => value not found.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer => value removed successfully.
Restore point was successfully created.

========= bitsadmin /util /setieproxy localsystem NO_PROXY RESET =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Internet proxy settings for account localsystem set to NO_PROXY.
(connection = default)

========= End of CMD: =========

Processes closed successfully.
HKLM\SOFTWARE\Policies\Google => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{DC2EF05D-8CDB-47E1-9131-08DDEE8E7B11} => key not found.
C:\Windows\System32\Tasks\LinkBuilder-S-2151721119 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LinkBuilder-S-2151721119 => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{FA4BDF02-3C78-4CD7-B0C5-2B107F229995} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GPUP => key not found.
C:\Windows\Tasks\LinkBuilder-S-2151721119.job => not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope => value restored successfully
\DefaultScope => value not found.
HKLM\SOFTWARE\Google\Chrome\Extensions\aaaaaiabcopkplhgaedhbloeejhhankf => key not found.
“C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx” => not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
“c:\programdata\trusted publisher” => File/Folder not found.
“C:\ProgramData\AskPartnerNetwork” => File/Folder not found.
“C:\ProgramData\msvhzuru.exe” => File/Folder not found.
EmptyTemp: => 9.6 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 19:10:16 ====

OK, we have a communication problem here :slight_smile:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

- Right-click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
- Select additions at the bottom.
- Press the Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.