Topic: svchost.exe process and a bunch of PUM (and other stuffs)

Reply #15 on: July 16, 2015, 11:25:30 PM

Curson

Hi Heantrad,

OK.
Additionally, please download TCPView, then execute it.
Locate the column "Local Port" and copy/paste the line that has the value 64178 (you can sort the column) in your next reply.

Regards.

Reply #16 on: July 17, 2015, 01:39:49 PM

Heantrad

Alright, sorry for replying a bit late, but I will do all that in a moment.
When AdwCleaner detected the Proxy for the first time, I had installed MalwareBytes, AdwCleaner, CCleaner and Microsoft Security Essentials only.
Also I use Dropbox, don't know if it uses a Proxy.

Reply #17 on: July 17, 2015, 02:05:20 PM

Heantrad

Alright, here you have the FRST logs.
Also, there was no 64178 value, don't know why, if you needed it for the svchost.exe process that RogueKiller detects, it hasn't appeared again so far, if it appears again, I'll run TCPView again.
« Last Edit: July 23, 2015, 04:08:48 PM by Heantrad »

Reply #18 on: July 18, 2015, 12:44:01 AM

Curson

Hi Heantrad,

Since the port 64178 was not listed, these lines are harmless.
However, we are going to delete them.

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards.

Reply #19 on: July 18, 2015, 10:44:41 AM

Heantrad

Done, here you have the fixlog.
By the way, when I did the fix, Google Chrome reset the fixed tabs and the most visited websites that I had, maybe it was related to that?
Also, AdwCleaner still detects the ProxyOverride <-loopback> CORRECTION: I defragmented the disk and, apart from creating a restore point that occupies 4 GB, it made the loopback thing disappear, so, that.

Oh and the svchost process has appeared again (and those four DNS registry keys are the only ones that appear now, two of them have disappeared):

RogueKiller V10.9.1.0 [Jul  9 2015] by Adlice Software
correo : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Sitio web : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Sistema Operativo : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Iniciado en : Modo Normal
Usuario : PAQUITO [Administrador]
Started from : C:\Users\PAQUITO\Desktop\Carpetas\Programas\RogueKiller.exe
Modo : Escanear -- Fecha : 07/19/2015 20:06:30

¤¤¤ Procesos : 1 ¤¤¤
[Proc.Svchost] svchost.exe(4052) --
  • -> Eliminado [TermThr]


¤¤¤ Registro : 4 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{18969D2B-6655-459E-970C-054BCF84438E} | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{18969D2B-6655-459E-970C-054BCF84438E} | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado

¤¤¤ Tareas : 0 ¤¤¤

¤¤¤ Archivos : 0 ¤¤¤

¤¤¤ Archivo de hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Cargado) ¤¤¤

¤¤¤ Navegadores Web : 0 ¤¤¤

¤¤¤ Chequeo MBR : ¤¤¤
+++++ PhysicalDrive0: ST380011A ATA Device +++++
--- User ---
[MBR] 56e60236016fbee647d48fdc4748b6cb
[BSP] f9290963082e6a88bf87140ae95018f6 : Windows XP MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD50 00AZRX-00A8L SCSI Disk Device +++++
--- User ---
[MBR] 2c2b02fc763bc7f60c91970e27545702
[BSP] 8618bcf435fd08ab414ac96125d49708 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 476929 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Función incorrecta. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] El dispositivo no está listo. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Solicitud no compatible. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] El dispositivo no está listo. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Solicitud no compatible. )

+++++ PhysicalDrive4: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] El dispositivo no está listo. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Solicitud no compatible. )

+++++ PhysicalDrive5: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] El dispositivo no está listo. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Solicitud no compatible. )

And finally, today when I turned on the PC after executing the fix yesterday, the Windows 10 free install thing appeared (it hadn't appeared for me before, don't know why)
« Last Edit: July 23, 2015, 04:09:32 PM by Heantrad »
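
An added example, not part of the thread and not RogueKiller's own code: a parser for the [PUM.Dns] lines in the report above that folds the control-set duplicates together and separates resolvers supplied by DHCP (DhcpNameServer) from ones configured on the host (NameServer). The fifth sample line, with its NameServer value and 203.0.113.53 address, is constructed for contrast; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Four findings copied from the report above, plus one CONSTRUCTED line
# (static NameServer, documentation-range address) added for contrast.
REPORT = r"""
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{18969D2B-6655-459E-970C-054BCF84438E} | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{18969D2B-6655-459E-970C-054BCF84438E} | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | NameServer : 203.0.113.53 ([CONSTRUCTED])  -> Encontrado
"""

LINE = re.compile(
    r"^\[PUM\.Dns\]\s+(?P<key>\S.*?)\s+\|\s+(?P<name>\w+)\s+:\s+"
    r"(?P<servers>[0-9. ]+?)\s+\(\[.*\]\)\s+->\s+(?P<status>.+)$"
)
IFACE = re.compile(r"\\Interfaces\\(\{[0-9A-Fa-f-]+\})$")


def triage(report):
    """Group PUM.Dns findings by (scope, value name, servers)."""
    groups = defaultdict(list)
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a PUM.Dns finding
        iface = IFACE.search(m["key"])
        # CurrentControlSet is a link to one ControlSetNNN, so keying on the
        # scope (global or adapter GUID) folds both paths into one setting.
        scope = iface.group(1) if iface else "global"
        groups[(scope, m["name"], tuple(m["servers"].split()))].append(m["key"])
    return dict(groups)


def source(value_name):
    # DhcpNameServer is written by the DHCP client from the lease;
    # NameServer is configured on the host (by hand, policy or software).
    return "dhcp-lease" if value_name.lower() == "dhcpnameserver" else "static"


def summary(report):
    """Sorted rows: (scope, source, servers, number of registry paths)."""
    return sorted((scope, source(name), servers, len(keys))
                  for (scope, name, servers), keys in triage(report).items())


if __name__ == "__main__":
    for row in summary(REPORT):
        print(row)
```

A DhcpNameServer value only shows that the addresses came from the DHCP lease, so the remaining check is whether they are the resolvers the router or ISP actually hands out.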

Reply #20 on: July 21, 2015, 04:03:56 PM

Curson

Hi Heantrad,

Could you please download the latest version of RogueKiller, do a scan and post the JSON report?

Regards.

Reply #21 on: July 21, 2015, 05:04:26 PM

Heantrad

I got one log without the svchost and another with the svchost, I'll attach both.
« Last Edit: July 23, 2015, 04:09:15 PM by Heantrad »

Reply #22 on: July 22, 2015, 04:20:10 PM

Curson

Hi Heantrad,

Your system is clean.

Regards.

Reply #23 on: July 22, 2015, 04:24:15 PM

Heantrad

Thanks a lot.
So, the svchost process is just a normal process that crashes for unknown reasons and restarts again?
However, if something more happens I will reply, thanks again for helping me with all this stuff.

Reply #24 on: July 22, 2015, 04:26:50 PM

Curson

Hi Heantrad,

You are welcome.
The fact RogueKiller detects the newly created svchost process is a bug we need to troubleshoot.

Regards.

Reply #25 on: July 22, 2015, 04:36:09 PM

Heantrad

Alright.
Also, something I forgot to ask and should have done from the beginning.
Does AZLyrics have a virus?

Reply #26 on: July 22, 2015, 05:18:02 PM

Curson

Hi Heantrad,

According to VirusTotal, AZLyrics was distributing malware in 2014.
There have been no detections since then, so it should be alright. However, I strongly advise you to run an adblocker program when browsing it.

Regards.

Reply #27 on: July 22, 2015, 05:52:58 PM

Heantrad

Alright, no more lyrics websites, once is enough to learn.
Thanks again.

Reply #28 on: July 22, 2015, 05:55:00 PM

Curson

Hi Heantrad,

You are very welcome. :)

Regards.

Reply #29 on: July 22, 2015, 08:25:45 PM

Heantrad

Also, should I make a reply on the false positives post about the DNS thing or it doesn't matter?