unwanted windows poping up

[Juliet]

Morning.

Let's try to remove the infections found by Eset first.


Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

start
CloseProcesses:
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe
uInternet Settings,ProxyServer = http=127.0.0.1:34484
uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net
Folder:
C:\Users\bob\AppData\Roaming\QY
C:\Users\bob\AppData\Roaming\XZQE
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
End

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.




~~~~~~~~~~~~~~~~~~~~~~~`

From here I want you to download and scan with Hitman Pro.
After you download and install please boot into safe mode to run the scan.

http://www.bleepingcomputer.com/tuto...-in-safe-mode/

HitmanPro

• Please download HitmanPro.
• Launch the program by double clicking on the icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).
• Click on the next button. You must agree with the terms of EULA.
• Check the box beside "No, I only want to perform a one-time scan to check this computer".
• Click on the next button.
• The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
• When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
• Click on the next button.
• Click on the "Export scan results to XML file".
• Save that file to your desktop and zip and attach it in your next reply.

Check proxy connections after running this fix.


IF the proxy has set itself back, also save these instructions in case the need to be reversed.

You feel comfortable in the registry?

Click Start > type regedit in the search field and press Enter.

Expand the HKEY_CURRENT_USER hive by clicking on the "+" sign next to it. Continue expanding "Software," "Microsoft," "Windows" and "CurrentVersion," then click on the "Internet Settings" subkey or folder.
View the contents of the Internet Settings folder on the right pane. Double-click on the "ProxyEnable" DWORD value to open the "Edit DWORD Value" window. Change "Value data" to "1" and press "OK" to confirm.
Double-click on the "ProxyServer" string value.
Reboot the machine.
Has it gone now?

[bobbym]

Hi
ok here are the 2 reports


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-10-2014
Ran by bob at 2014-10-19 14:01:36 Run:3
Running from C:\Users\bob\Desktop
Loaded Profiles: bob (Available profiles: bob)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe
uInternet Settings,ProxyServer = http=127.0.0.1:34484
uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net
Folder:
C:\Users\bob\AppData\Roaming\QY
C:\Users\bob\AppData\Roaming\XZQE
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
End
*****************

Processes closed successfully.
C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe => Moved successfully.
uInternet Settings,ProxyServer = http=127.0.0.1:34484 => Error: No automatic fix found for this entry.
uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net => Error: No automatic fix found for this entry.

========================= Folder: ========================

Directory Not Found
C:\Users\bob\AppData\Roaming\QY => Moved successfully.
C:\Users\bob\AppData\Roaming\XZQE => Moved successfully.

========= ipconfig /flushdns =========


========= End of CMD: =========


========= netsh winsock reset all =========


========= End of CMD: =========


========= netsh int ipv4 reset =========


========= End of CMD: =========


========= netsh int ipv6 reset =========


========= End of CMD: =========


========= bitsadmin /reset /allusers =========


========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog ====




<?xml version="1.0"?>

-<Log filesProcessed="20196" timeSpentInSecs="59" date="2014-10-19T14:14:57" version="3.7.9.225" scan="Normal" windows="6.1.1.7601.X64/2" computer="BOB-PC">


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ad.360yield.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ad.mlnadvertising.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.audience2media.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.creative-serving.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.pubmatic.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.stickyadstv.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.undertone.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.yahoo.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:adtech.de"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:adtechus.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:advertising.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:at.atwola.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:atdmt.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:bs.serving-sys.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:burstnet.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:casalemedia.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:collective-media.net"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:doubleclick.net"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:engine.phn.doublepimp.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:livejasmin.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:media6degrees.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:mediaplex.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:pd0.imp.revsci.net"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:questionmarket.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:revsci.net"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ru4.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:serving-sys.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:smartadserver.com"/>

</Item>


-<Item status="None" score="0.0" type="Cookie">

<File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:statse.webtrendslive.com"/>

</Item>


-<Item status="None" score="24.0" type="Suspicious">

<File path="C:\Users\bob\Desktop\FRST-OlderVersion\FRST64.exe" hash="9E08075333C377229E2763BC669558FC99F9BD3AB1FE14882E581D2F74E9A5BC"/>

</Item>


-<Item status="None" score="24.0" type="Suspicious">

<File path="C:\Users\bob\Desktop\FRST64.exe" hash="88DAA88F206F6E230A885CD4FD6F165D3042C459C6A7AAF3EFACB11C7577EE70"/>

</Item>


-<Item status="None" score="27.0" type="Suspicious">

<File path="C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe" hash="0FF64DCE66D4C4412C52B933133B7ED63E195286238437AD873E1AA29DD0BF2A"/>


-<Startup>

<Key path="HKLM\SYSTEM\CurrentControlSet\Services\Direct3dTextWin32\"/>

</Startup>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKLM\SOFTWARE\RST\"/>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKLM\SOFTWARE\SI-App\"/>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKLM\SOFTWARE\Upt\"/>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKLM\SOFTWARE\WinUpd\"/>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKLM\SOFTWARE\Wow6432Node\RST\"/>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKLM\SOFTWARE\Wow6432Node\SI-App\"/>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKLM\SOFTWARE\Wow6432Node\Upt\"/>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKLM\SOFTWARE\Wow6432Node\WinUpd\"/>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\"/>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\"/>

</Item>


-<Item status="None" score="0.0" type="PUP">

<File path="HKU\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com\"/>

</Item>


-<Item status="None" score="0.0" type="Repair">

<File path="HKU\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings"/>

</Item>

</Log>



in your regedit you specified to change the "Value data" to "1" as it was already a "1" I changed it to "0" like my other computer.
the next line
Double-click on the "ProxyServer" string value.
you gave no info as to what to do, I deleted the string value.

I did all the above in safe mode.

checking Proxy settings when the computer is run up normally are still reverting to "use proxy" and page is grayed out.

a quick check on the registry sees the edits reverted back as they were. I have just edited all four, the first two to "0" and the last two to blank.
I will post this then reboot to see if the registry is still reverting back.

[bobbym]

OK
so I have just rebooted. the registry entries for the proxy are all still there as before. they must have something hidden somewere else to put it all back.

[Juliet]

Hitman found this
C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe

Is this something you downloaded?

It also found FRST as suspicious...just look over that.

Also please download Windows Repair (all in one) from here


Install the program then go to step 4 and create a new system restore point and new registry backup.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:




NEXT
On the the Start Repairs tab => Click the Start



Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):


Click on box next to the Restart System when Finished. Then click on Start.

~~~~~~~~~~~~~~~~~~~~~~~

Please download MiniToolBox http://www.bleepingcomputer.com/download/minitoolbox/
save it to your desktop and run it.

Checkmark the following check-boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

[Juliet]

Also, since your reading and editing wont work, let's give this a try

goto the Google Chrome icon, right click and open it with "Run as Administrator."
3 horizontal lines. Click with left button, down to settings, then go to Advanced Settings towards the bottom to CHANGE PROXY SETTINGS. This brings up the same Setting Box as in Internet Explorer.

A. If you have Internet Explorer, go to your icon for Internet Explorer on the Start Menu. Click on your right right mouse button and on the drop down menu, open it with "Run as Administrator."

B,. When you do this, then a box opens and it asks if you want this program to make changes to your computer. Click Yes. Then it opens Explorer.

C. Go up to the menu (If you don't see one, then click on gray bar just under the dark blue Internet Explorer Bar with your right mouse and check menu). On the Menu bar, go to Tools and then at the drop down menu, click on Internet Options.

D. Then select the tab, Connections, then LAN settings and REMOVE THE CHECK from USE PROXY SERVER and now CHECK AUTOMATICALLY DETECT SETTINGS. CLICK OK in LAN Setting Box and then OK in the final window. NOW IT WILL STAY since it now recognizes you as the Administrator.

[bobbym]

Hi
well have run repair and MiniToolBox

results

MiniToolBox by Farbar Version: 21-07-2014
Ran by bob (administrator) on 19-10-2014 at 19:33:27
Running from "C:\Users\bob\Downloads"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:30403

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Generic Marvell Yukon 88E8056 based Ethernet Controller = Local Area Connection 2 (Connected)
Intel(R) 82566DM Gigabit Network Connection = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : bob-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dlink.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . : dlink.com
Description . . . . . . . . . . . : Generic Marvell Yukon 88E8056 based Ethernet Controller
Physical Address. . . . . . . . . : 00-01-29-23-35-16
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c088:257:4060:5f84%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, October 19, 2014 7:20:15 PM
Lease Expires . . . . . . . . . . : Monday, October 20, 2014 7:20:15 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 301990185
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-72-F3-F7-00-01-29-22-D3-6E
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82566DM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-01-29-22-D3-6E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.dlink.com:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : dlink.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{3C5DAC5B-C32C-4CE0-AE74-B6CCD5F04F22}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:2d:3477:3f57:fefa(Preferred)
Link-local IPv6 Address . . . . . : fe80::2d:3477:3f57:fefa%14(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 192.168.1.1

Name: google.com.dlink.com
Address: 92.242.132.16


Pinging google.com [74.125.230.103] with 32 bytes of data:
Reply from 74.125.230.103: bytes=32 time=28ms TTL=56
Reply from 74.125.230.103: bytes=32 time=27ms TTL=56

Ping statistics for 74.125.230.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 28ms, Average = 27ms
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com.dlink.com
Address: 92.242.132.16


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=185ms TTL=50
Reply from 206.190.36.45: bytes=32 time=180ms TTL=50

Ping statistics for 206.190.36.45:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 180ms, Maximum = 185ms, Average = 182ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
12...00 01 29 23 35 16 ......Generic Marvell Yukon 88E8056 based Ethernet Controller
10...00 01 29 22 d3 6e ......Intel(R) 82566DM Gigabit Network Connection
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.5 276
192.168.1.5 255.255.255.255 On-link 192.168.1.5 276
192.168.1.255 255.255.255.255 On-link 192.168.1.5 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.5 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.5 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 58 ::/0 On-link
1 306 ::1/128 On-link
14 58 2001::/32 On-link
14 306 2001:0:5ef5:79fd:2d:3477:3f57:fefa/128
On-link
12 276 fe80::/64 On-link
14 306 fe80::/64 On-link
14 306 fe80::2d:3477:3f57:fefa/128
On-link
12 276 fe80::c088:257:4060:5f84/128
On-link
1 306 ff00::/8 On-link
14 306 ff00::/8 On-link
12 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown


System errors:
=============
Error: (10/19/2014 07:22:52 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (10/19/2014 07:22:46 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (10/19/2014 07:22:15 PM) (Source: Service Control Manager) (User: )

Error: (10/19/2014 07:20:46 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (10/19/2014 07:20:46 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (10/19/2014 07:18:03 PM) (Source: Service Control Manager) (User: )
Description: The Windows Modules Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (10/19/2014 07:00:23 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (10/19/2014 07:00:16 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (10/19/2014 06:59:46 PM) (Source: Service Control Manager) (User: )

Error: (10/19/2014 06:58:19 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053


Microsoft Office Sessions:
=========================
Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 07:22:16 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (10/19/2014 06:59:46 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown


CodeIntegrity Errors:
===================================
Date: 2014-10-17 23:03:37.584
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-10-17 23:03:37.459
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.



=========================== Installed Programs ============================
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Avira (HKLM-x32\...\{9bd9b85e-7792-483b-a318-cc51ff0877ed}) (Version: 1.1.22.50000 - Avira Operations GmbH & Co. KG)
Avira (x32 Version: 1.1.22.50000 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.306 - Avira)
CCleaner (HKLM\...\CCleaner) (Version: 4.18 - Piriform)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (Version: 2.3.188.0 - Microsoft Corporation) Hidden
Microsoft Office 2000 Disc 2 (HKLM-x32\...\{00040409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft Office 2000 Professional (HKLM-x32\...\{00010409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Mozilla Firefox 33.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 33.0 (x86 en-US)) (Version: 33.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.10.0 - Tweaking.com)
Tweaking.com - Windows Repair (All in One) (HKLM-x32\...\Tweaking.com - Windows Repair (All in One)) (Version: 2.9.2 - Tweaking.com)
Winmail Opener 1.6 (HKLM-x32\...\Winmail Opener) (Version: 1.6 - Eolsoft)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 26%
Total physical RAM: 4086.18 MB
Available physical RAM: 3015.2 MB
Total Pagefile: 8170.54 MB
Available Pagefile: 6757.97 MB
Total Virtual: 4095.88 MB
Available Virtual: 3980.67 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:29.72 GB) (Free:2.93 GB) NTFS
3 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.04 GB) NTFS
4 Drive e: (New Volume) (Fixed) (Total:26.37 GB) (Free:24.94 GB) NTFS
5 Drive f: (New Volume) (Fixed) (Total:29.55 GB) (Free:29.43 GB) NTFS
7 Drive h: () (Fixed) (Total:298.09 GB) (Free:295.59 GB) NTFS

========================= Users: ========================================

User accounts for \\BOB-PC

Administrator bob Guest

========================= Minidump Files ==================================

No minidump file found


**** End of log ****



have carried out IE but still not staying in Auto still grayed out.

still getting the unwanted windows.

[bobbym]

Hi
just checked the registry, there is no sign of the entries there but the proxy address is still being put into the "use proxy" window.

[Juliet]

Also, since your reading and editing wont work, let's give this a try

goto the Google Chrome icon, right click and open it with "Run as Administrator."
3 horizontal lines. Click with left button, down to settings, then go to Advanced Settings towards the bottom to CHANGE PROXY SETTINGS. This brings up the same Setting Box as in Internet Explorer.

A. If you have Internet Explorer, go to your icon for Internet Explorer on the Start Menu. Click on your right right mouse button and on the drop down menu, open it with "Run as Administrator."

B,. When you do this, then a box opens and it asks if you want this program to make changes to your computer. Click Yes. Then it opens Explorer.

C. Go up to the menu (If you don't see one, then click on gray bar just under the dark blue Internet Explorer Bar with your right mouse and check menu). On the Menu bar, go to Tools and then at the drop down menu, click on Internet Options.

D. Then select the tab, Connections, then LAN settings and REMOVE THE CHECK from USE PROXY SERVER and now CHECK AUTOMATICALLY DETECT SETTINGS. CLICK OK in LAN Setting Box and then OK in the final window. NOW IT WILL STAY since it now recognizes you as the Administrator.

Try the above?

It's rather awkward that while in safe mode the settings stay as expected. When booting into normal mode the settings are reversed back.
Like, an item in your startups list should be removed?, Antivirus disabled while changing the setting?

I'm running out of ideas, or closely. Will ask other malware techs to step in an offer suggestions.

A couple of things we can do

The below is for a Linksys router but most follow the same instructions.
http://kb.linksys.com/Linksys/GetArt...80&converted=0


Connect through a Cable or DSL modem?

Turn the modem off. Wait 3 to 5 minutes and turn it back. Wait for all lights to stop blinking and check setting again.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

1. rkill.exe
2. rkill.com
3. rkill.scr
4. rkill.pif
5. WiNlOgOn.exe
6. uSeRiNiT.exe

This will produce a log. Please post this in your next reply.

[bobbym]

Hi
Good morning

the first Rkill.EXE worked fine

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/20/2014 09:36:24 AM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe (PID: 1744) [UP-HEUR]
* C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe (PID: 1252) [UP-HEUR]

2 proccesses terminated!

Active Proxy Server Detected

* Proxy Disabled.
* ProxyOverride value deleted.
* ProxyServer value deleted.
* AutoConfigURL value deleted.
* Proxy settings were backed up to Registry file.

Checking Registry for malware related settings:

* No issues found in the Registry.

Backup Registry file created at:
C:\Users\bob\Desktop\rkill\rkill-10-20-2014-09-36-34.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

* Reparse Point/Junctions Found (Most likely legitimate)!

* C:\Windows\AppPatch\spbin => C:\PROGRA~2\SearchProtect\SearchProtect\bin [Dir]

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/

Program finished at: 10/20/2014 09:38:05 AM
Execution time: 0 hours(s), 1 minute(s), and 41 seconds(s)

I will run Rogue Killer again If It finds anything I will post it as well