Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Sirefef.gen!C removed but still persisting


  • This topic is locked This topic is locked
35 replies to this topic

#1 Igloo_nachos

Igloo_nachos

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 22 May 2013 - 09:59 PM

Hi,  

 

This is a follow up from this initial thread:  http://www.bleepingcomputer.com/forums/t/495512/infected-with-sirefefgenc-chrome/

 

Here are the logs, any help would be greatly appreciated.

 

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16576
Run by xc8963 at 0:51:17 on 2013-05-23
Microsoft Windows 7 Starter   6.1.7601.1.1252.61.1033.18.1014.44 [GMT -2:00]
.
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\AsusService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Trend Micro\Titanium\TiMiniService.exe
C:\Program Files\Trend Micro\Titanium\TiResumeSrv.exe
C:\ExpressGateUtil\VAWinService.exe
C:\windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\ExpressGateUtil\VAWinAgent.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\windows\system32\SearchIndexer.exe
C:\Users\xc8963\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xc8963\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xc8963\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xc8963\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xc8963\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xc8963\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\xc8963\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://asus.msn.com
uDefault_Page_URL = hxxp://asus.msn.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - 
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - 
uRun: [Google Update] "c:\users\xc8963\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"  /MINIMIZED
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [LiveUpdate] AsusSender.exe c:\program files\asus\liveupdate\LiveUpdate.exe auto
mRun: [Eee Docking] c:\program files\asus\eee docking\Eee Docking.exe autorun
mRun: [VizorHtmlDialog.exe] "c:\program files\trend micro\titanium\uiframework\vizorhtmldialog.exe" "def" "eula" "c:\program files\trend micro\titanium\ui\installer.cmpt\resources\preinstall_01_welcome_trial.html" "DEF" "DEF" "DEF"
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\VizorShortCut.exe -ReFlush "none" "none"
mRun: [VAWinAgent] c:\expressgateutil\VAWinAgent.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [ASUSPRP] c:\program files\asus\aprp\APRP.EXE
mRun: [ASUSWebStorage] c:\program files\asus\asus webstorage\3.0.108.222\AsusWSPanel.exe /S
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
LSP: mswsock.dll
TCP: NameServer = 190.15.222.2 190.15.221.2 192.168.2.254
TCP: Interfaces\{00DB70AD-C214-4896-B367-72DF05075531} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{56DE429C-1B1F-4BDE-8141-C0E475EAB9B3} : DHCPNameServer = 190.15.222.2 190.15.221.2 192.168.2.254
TCP: Interfaces\{56DE429C-1B1F-4BDE-8141-C0E475EAB9B3}\5416379724F687D2236343341393 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{56DE429C-1B1F-4BDE-8141-C0E475EAB9B3}\746545D234134433 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{56DE429C-1B1F-4BDE-8141-C0E475EAB9B3}\74F6F676C656 : DHCPNameServer = 172.42.0.1
TCP: Interfaces\{56DE429C-1B1F-4BDE-8141-C0E475EAB9B3}\C41602C456368657A7160223 : DHCPNameServer = 10.0.0.2
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2011-5-6 11832]
R1 MpKsla00a7cf5;MpKsla00a7cf5;c:\programdata\microsoft\microsoft antimalware\definition updates\{018627ec-95b8-4a44-b49b-05137f6e9beb}\MpKsla00a7cf5.sys [2013-5-22 29904]
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-5-6 64080]
R2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [2011-5-6 224680]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2010-12-6 109960]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2010-12-6 68208]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-9-30 579944]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-9-30 194408]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-9-30 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-9-30 19304]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 100328]
S3 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-5-6 196320]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-3-2 183560]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2011-5-6 293928]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-5-6 33320]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-5-6 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2012-11-18 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2012-11-18 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2012-11-18 136808]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-11 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2011-2-11 27264]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 wsvd;wsvd;c:\windows\system32\drivers\wsvd.sys [2009-7-22 81704]
.
=============== Created Last 30 ================
.
2013-05-22 10:14:29 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-22 10:14:29 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-22 05:07:09 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{018627ec-95b8-4a44-b49b-05137f6e9beb}\MpKsla00a7cf5.sys
2013-05-21 23:21:53 724464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5f1cf7f0-f72b-4083-aff8-88b109db44a1}\gapaengine.dll
2013-05-21 23:17:41 7016152 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{018627ec-95b8-4a44-b49b-05137f6e9beb}\mpengine.dll
2013-05-21 23:17:02 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-20 21:37:37 7016152 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-05-20 21:21:29 -------- d--h--w- c:\programdata\Common Files
2013-05-20 21:21:29 -------- d-----w- c:\users\xc8963\appdata\local\MFAData
2013-05-20 21:21:29 -------- d-----w- c:\users\xc8963\appdata\local\Avg2013
2013-05-20 21:21:29 -------- d-----w- c:\programdata\MFAData
2013-05-20 21:08:42 -------- d-----w- c:\program files\Microsoft Security Client
2013-05-20 17:53:11 -------- d-----w- c:\program files\Mega Codec Pack
2013-05-15 01:18:41 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-05-15 01:18:41 1796096 ----a-w- c:\windows\system32\authui.dll
2013-05-15 01:18:41 101720 ----a-w- c:\windows\system32\consent.exe
2013-05-15 01:13:01 186368 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-15 01:13:00 40960 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-15 01:12:58 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-15 01:04:37 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 01:04:37 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-01 21:06:57 -------- d-----w- c:\programdata\Rosetta Stone
2013-05-01 21:06:46 -------- d-----w- C:\Program Files (x86)
2013-04-23 20:05:46 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
==================== Find3M  ====================
.
2013-05-21 03:13:11 338944 ----a-w- c:\windows\system32\drivers\AFD.SYS
2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-05 05:28:24 1767424 ----a-w- c:\windows\system32\wininet.dll
2013-04-05 05:26:26 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-04-05 05:26:21 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-04-05 05:26:21 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-04-05 04:29:45 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-04-05 03:38:25 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-03-19 05:04:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48:45 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49:16 69632 ----a-w- c:\windows\system32\smss.exe
.
============= FINISH:  0:54:09.67 ===============
 

 



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:31 PM

Posted 22 May 2013 - 10:14 PM


Hello Igloo_nachos

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Igloo_nachos

Igloo_nachos
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 23 May 2013 - 03:27 PM

Hola Gringo,

 

Thanks for the quick reply.  I ran both, here are the logs:

 

# AdwCleaner v2.301 - Logfile created 05/23/2013 at 18:05:02
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Starter Service Pack 1 (32 bits)
# User : xc8963 - KRILL
# Boot Mode : Normal
# Running from : C:\Users\xc8963\Desktop\AdwCleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\Users\Public\Desktop\eBay.lnk
 
***** [Registry] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v10.0.9200.16576
 
[OK] Registry is clean.
 
-\\ Google Chrome v27.0.1453.93
 
File : C:\Users\xc8963\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [312 octets] - [23/05/2013 18:03:59]
AdwCleaner[S2].txt - [1230 octets] - [23/05/2013 18:05:02]
 
########## EOF - C:\AdwCleaner[S2].txt - [1290 octets] ##########
 
And here is JRT:
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Starter x86
Ran by xc8963 on Thu 23/05/2013 at 18:10:10.57
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\windows\system32\shoA518.tmp
 
 
 
~~~ Folders
 
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{01E1FF2A-A8F6-4543-888A-2DE27DE6E00E}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{05213FEE-8DAA-46BC-9830-987BDFBE76B1}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{06C881DE-62CA-44AD-881E-36899F7AEA84}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{0765DC65-DE35-4611-B8ED-E215178A7A43}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{07B61D7B-ADA5-4494-B4DF-263A8785CDD2}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{0B568F0B-F20A-4CC2-83FF-584CB40BD594}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{0C726F21-C32F-4913-B24C-4D7C988BCC1F}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{0E14846E-A11F-4D1B-BE13-7D8B929F4C81}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{0E976C63-3FB4-4973-AF93-2C10BAD9CDB1}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{107FDD07-07EE-4D1A-A3C7-6EFFE9363103}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{10F4DC0E-5665-4AAD-AA2E-647F6D6586CE}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{12B55EB3-EF6A-4381-8B63-68C79A1458B7}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{13E5EF81-8557-4E2B-B95C-2A0FF3A4D36D}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{152B6ACE-80E9-43AD-8A1B-F5AC87353E14}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{161FA65A-932A-4A61-98A9-BE1C5C52C9F2}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{167A367E-078B-4D1B-AD62-E463AF59D80F}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{1807DE0F-977C-4698-823F-A338AA9E12EB}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{188FD5E1-F8D2-4F66-802A-D59C5909AA16}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{1A059B7B-3DAA-452C-8E17-B935D2E2A0C9}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{1A618829-5AD8-4EF5-B2A6-11777B909483}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{1AC3A5ED-5A4A-46B5-A43C-77BB72964B43}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{1B44325D-A736-4906-BDCC-CA4DFBDE3CEE}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{1BD27049-ACD7-46FA-A26B-B6662EF0AF38}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{1C3DCB6B-7915-4D12-9DD9-59253DA36CEE}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{1D599D1E-05D9-4403-B477-6ADBFE4C5B17}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{1FA8CE76-317C-4BCC-AF23-28F9C3A61401}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{23774260-978C-4680-8440-78C5AD60C412}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{274413F5-BA19-4A51-85C4-91BA48C5ADF9}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{2A7ED0BF-DA2A-4BDC-932A-1B6D0909890B}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{2ABD630C-0829-45DD-BE4F-4975B2CF2B68}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{2B149548-2E23-4C11-9A06-DB62182FF343}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{2B377730-681C-4D11-ABA0-EA3287BD0387}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{2C332B50-3006-4B49-B26F-8E2DD4DE5E2A}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{2E2B178D-DFBC-4BE0-8CE4-2181E5320B77}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{325F39C2-D77D-41E9-ADB8-D97FBEB1ED0F}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{32625550-BEF3-4FAA-B6D2-03533C6E8973}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{32B86726-CD5A-44AC-9A3F-DDDDF815DF8A}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{331268E2-CAED-428C-AA29-192CEA196745}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{3551896E-F030-455A-A60E-5216B373A322}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{3794C591-384D-4534-8439-4CEE66B989A2}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{3845182C-B14E-4C99-A085-8E191B98C1CE}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{3969F675-4597-4BDB-B8E1-26209AFE7ED6}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{39751FBE-E45E-4363-9EDC-F1E6C6967C2C}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{39C2F910-962F-4769-BF0D-B86295A8FF5C}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{3B0E150E-323C-45FF-9B77-75F2FE28C16B}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{3D25191D-BAD1-4F6F-B08D-88E16C79FD69}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{3FD9403E-E743-445E-89AF-B4BA363C2A1C}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{40B3BFFB-7E3A-46FD-A668-7F63F752AEFE}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{42D41EE0-C9DD-424D-A307-660A2BEC7F14}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{46F75F89-6009-4645-A5EF-F8ED2CF90E25}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{475A7F38-D7EE-49E4-B1ED-E50A502E9F2F}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{483A86AE-E9B8-4888-8691-58B7F44B30EF}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{48619327-9E37-4D7C-A719-F5A7D4434C3D}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{48FBA2C2-84FC-4218-A51D-5713EDA22E00}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{4C8FD570-FBF8-4DAE-A644-8C0D85EA1DF4}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{4EA1AB97-75C2-478E-8A88-319CB9214B98}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{50948E09-55F9-4274-8907-66E698EB4DB4}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{50B8FDFD-710E-4DDA-81AC-B332E97C94DB}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{5206640C-76BB-48F8-A045-10147BFA4866}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{523F8ABE-2F13-48A1-89D7-F41ABAE1ACB4}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{545D1B7E-319B-4D6E-A8E2-AE72112F1FC0}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{54760537-D192-49C6-822B-D4EFA7C2EACA}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{547E9DDE-CBB0-44C1-81D3-C9D7337E494E}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{565EEABA-4168-4014-B062-067623ACB706}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{57C10BBA-32E3-4B67-A800-2C21D7DC80FA}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{57D6F582-ED86-4E15-A5E6-0EC84A00CFA0}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{58EED63B-75A5-4B4D-913E-57BA60D139EF}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{59414B8A-C5FD-47D2-92FA-47EB2A996656}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{59E3FB09-6F05-468F-881E-402CE4EF28CC}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{5AAC7265-1A2C-4CF0-886F-F02A63E20B4C}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{5C2B5EED-269D-4F7C-99AC-6BC1CA33EC60}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{5C8968D1-740C-4124-86B2-26547180FC6A}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{5EF9EE1F-5630-42EB-A98B-5FF2AB5C4AFE}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{5F0B5C0B-E74E-4CAD-B7AC-C18FC156BC66}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{5F8E0A98-C21A-4BDE-B0FE-911861DAFAF1}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{60BFF2F6-7159-4720-9FB1-03C6F92B9CA1}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{60E68640-F2E0-4108-8E4B-F322DC3B5392}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{615CBCC6-C892-411B-B189-C2FAAEB7AE11}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{629A5B83-1354-4EAB-979C-1D20F6C75B5D}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{62C499AC-A74F-4109-903D-5AFC5EBFDA71}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{63026779-9DAC-4C7F-8BDA-332795F120C6}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{651BB44A-CE05-4A5C-B474-4E56CFC08659}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{65595AB7-6FB2-495C-90A8-01BA15EE1F98}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{68BC1AC1-719E-442B-9728-116FE4D0FF70}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{6B00CD8A-FBD2-472B-A263-A943119B6BAC}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{6CA51120-B78E-4DC8-999D-CD4E72A58EE5}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{6F47394F-B521-45A0-B225-51BAE20C6A9D}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{70E95140-B60D-46A6-8C4F-ED303BD8EFCD}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{71B2C1C5-E071-43A4-81E4-2678AC2B1C9D}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{733B406A-1D15-4711-BFAF-0AFA83509D49}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{739928CF-8BBF-4A25-8AFA-FFD3906EA186}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{73D1DDDD-92EF-4183-85D0-EFC3A427F37C}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{767B75F4-3A52-4E03-A1A9-FAABC965A616}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{78CB88A7-3843-44C7-849E-AA15FB5B70FF}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{792C2071-6CCD-49F8-A41B-C7496F563A22}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{7B1C19F1-1990-4576-B7EE-3934534DFCCA}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{7B5007B7-46B0-4F21-9BA2-D01E547F3D2D}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{7E1F219D-687E-415E-81B3-C32DF9809885}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{807B3755-6C51-4AB5-8447-67CDAF7387D7}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{80D241A7-9812-4D10-BB14-F7F046024112}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{86AB54F3-ACE9-4765-AF4A-8980FDF1419F}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{881D5C29-281A-4286-A9BD-439B471BA48B}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{883041BD-B415-439A-B81C-8EF12F1B556C}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{8A51324E-0535-4ECC-B533-1F2E4111AA10}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{8E7780CC-6787-45EA-B03A-62A7AEFAD4EE}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{8F236083-E05F-48E7-BC55-9B8E709ED425}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{91A70958-2DA8-4ABC-B1B9-55DB8D7E1492}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{92B1A30A-33C5-4C53-AF70-66AD59CD4C7A}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{94181DF0-01A9-40A7-803E-466FEFA7D41E}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{974200F4-C26B-42CA-BDD0-AAFD22E5A610}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{98B576F7-BD00-44DE-82D3-826BBCE00F88}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{98D6E4D8-5917-41D6-81E4-843C74EB5C93}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{99009A95-75E0-4B0C-BB3F-BDEE6E507051}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{993621A4-563A-44C8-B8B9-70547BDFE0C4}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{9A09C90D-219B-4086-95D8-944A5489DD8E}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{9C27E50B-858B-43E1-BEF6-D7A89A2E9CB1}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{9CA24732-024E-4139-BD48-90E0C5BC4F90}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{9CE4F42B-823E-4FF1-BF91-E7FC28FC3A0F}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{9FF7B294-C083-4047-A85E-15DDCED9925A}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{A1776AB8-B53D-461F-878F-970B30F8CA37}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{A2F0985C-ECAF-4BC0-87C6-35BED702A024}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{A41D3A6C-0F5A-40FC-8A88-94316C5BF9C2}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{A57D0205-448B-427B-90B6-E1F7EF77FBD0}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{A5BFEC68-956C-4630-B12B-A63A53D36D70}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{A94FDBE3-6C23-4838-BADD-911A90CD958B}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{AAA27424-586E-429D-B94A-81F7E007F7B3}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{AEECFDF7-6796-4C27-96CA-8E7BD958B439}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{AF8BE0A2-DDDE-42CA-AEC3-71ADD6BE9F1F}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{AFBBEFCB-C047-4C30-9084-80BC85BDC649}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{B01DABFC-F1A6-4549-A11D-610AF9ACA63F}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{B0FB26E6-8817-472A-B7A8-6979E769B32C}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{B1DF8D5A-18BC-45DB-BA9C-C4F6E8578960}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{B5C03FF6-12FE-4419-A731-9D5B039FB728}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{B67232D6-7848-497B-8C74-EE1B54F0E618}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{B6B8E13B-B2D5-4FF9-9B57-9A60ADBCB14A}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{B702366A-FA8B-4ABC-9B6B-8B011EDE3BF9}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{B71CB868-6EFF-4065-A004-7E2CCF46679C}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{B9E91E87-1148-42D6-8931-47D7BE9C8BB2}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{BB88DEA9-1701-48CA-9DCC-897263E55DB2}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{BC34B178-061B-4DAB-A7B2-C2D1F5545977}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{BEC7F705-3DC7-4251-80CD-C30342EBF801}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{BFB03A43-D5D7-4B6C-8E4B-DB22AB363CCF}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{BFBB64A1-139A-49A0-9DA3-B1383E7E936A}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{BFFEE854-273F-4730-BE0B-4D0CC7794B1C}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{C125FB46-4F53-4EF2-8DD4-44FF1B9BC089}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{C2675BB0-ADD8-4580-A385-C690641AD22F}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{C290340F-F287-42D0-B36E-65F4B1C42D1E}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{C4AC95D1-ABBF-473E-93D2-44B96BF7CD18}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{C5638333-9CAA-45B3-B2BB-4E0F75B98A0B}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{C93F17ED-380F-4FA3-B92B-7F6520930220}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{C9D67BFD-CAFF-406D-AB37-844F13F92DD6}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{CB286C83-6D69-4B7A-938C-81621431F160}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{CEE5DDBC-DA66-46BD-9459-58991E5AA840}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{D141535B-7A42-448C-949A-FC477D16E074}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{D19460E5-96AC-4D1F-9F18-1B88FD924076}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{D642DCF5-CF2A-4EED-9D41-EE6043A2BABB}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{D7FF5282-CB9D-42FC-BBDF-0EC4BB86BD1E}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{DA9DC296-922E-466E-9678-07FD8FEC2559}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{DB752857-A0EA-4E5D-964F-F3C84503C1ED}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{DBCA5629-AC06-4B6A-8AA9-4393F2E7D3BE}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{DC814FD6-1668-497E-9585-9B92972F847D}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{DC8F4273-1DD8-435A-A9A3-090E38B71A0C}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{DF7B71FD-0801-406B-9C91-05FF7389C191}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{E0E32B72-EA48-49AB-9F7A-C22983D655D1}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{E199A772-8B59-4791-BD9A-BC59EF290A34}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{E46E19A8-1251-4AF7-8440-929CF1E05925}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{E489777C-572B-45D3-821E-B14D3E201644}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{E66F4476-90AA-43AF-82BF-3564E5BC2881}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{E79A6FA9-20B0-4828-A785-A5CE4CF57198}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{E8558D59-7E2D-4DC1-8465-6CFE3634F038}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{EB615390-BF0A-478E-9BD8-A752EE48C831}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{EC27FC21-666F-4084-9598-399BF83DCFEC}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{EF0C675A-DE88-43E2-BD46-7AE0208FDE78}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{F1F4CDE2-3CC2-48FF-A98A-B1FABD855151}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{F204AF0B-A8B2-4AE3-A0A0-1271D6BF447F}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{F42C86A0-3F0E-4AB2-8CC6-23B1FE9F2640}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{F5FF8086-4E55-4059-B644-CD985B89F721}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{F65254A4-53E0-4B98-8114-203058BF69E7}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{F671063E-2476-4EDC-8E5D-905C89B64456}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{F7D44B26-A14B-464C-9A9D-DDA0C1BF4A4A}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{F8420B6E-6EF0-4966-B71D-BBA8DF7C0B26}
Successfully deleted: [Empty Folder] C:\Users\xc8963\appdata\local\{FE0632C8-6FDD-4041-8E71-8019DBF45539}
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 23/05/2013 at 18:14:35.76
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Computer is running fine in terms of speed as it has the whole time, the virus doesn't seem to have affected this at all however I am still getting errors when I try to go to websites such as Facebook, Gmail etc which is:
 
The server's security certificate is revoked!
You attempted to reach www.facebook.com, but the certificate that the server presented has been revoked by its issuer. This means that the security credentials the server presented absolutely should not be trusted. You may be communicating with an attacker.

 

The virus is still affecting things such as operating Microsoft Security Essentials saying I don't have the required permissions and I tried to open up Windows Firewall with Advanced Security and it gave me this error:

 

There was an error opening the Windows Firewall with Advanced Security snap in.  The Windows Firewall with Advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer that you are managing. Error code 0x6D9

 

I hope that information helps,  thanks!



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:31 PM

Posted 23 May 2013 - 05:54 PM


Hello Igloo_nachos

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Igloo_nachos

Igloo_nachos
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 24 May 2013 - 09:58 PM

Hi Gringo,
 
All went well.  I have run CF and now am not getting the errors from Google Chrome also I do not have random .exe's running.
 
How certain is it that the virus has been nuked?
 
 
Here is the combofix log:



ComboFix 13-05-24.01 - xc8963 24/05/2013  22:33:32.1.4 - x86
Microsoft Windows 7 Starter   6.1.7601.1.1252.61.1033.18.1014.325 [GMT -2:00]
Running from: c:\users\xc8963\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\windows\$NtUninstallKB39680$\1438109367\@
c:\windows\$NtUninstallKB39680$\1438109367\Desktop.ini
c:\windows\$NtUninstallKB39680$\1438109367\L\00000004.@
c:\windows\$NtUninstallKB39680$\1438109367\L\201d3dde
c:\windows\$NtUninstallKB39680$\1438109367\L\6715e287
c:\windows\$NtUninstallKB39680$\1438109367\L\76603ac3
c:\windows\$NtUninstallKB39680$\1438109367\L\xadqgnnk
c:\windows\$NtUninstallKB39680$\1438109367\U\00000004.@
c:\windows\$NtUninstallKB39680$\1438109367\U\00000008.@
c:\windows\$NtUninstallKB39680$\1438109367\U\000000cb.@
c:\windows\$NtUninstallKB39680$\1438109367\U\80000000.@
c:\windows\$NtUninstallKB39680$\1438109367\U\80000032.@
c:\windows\$NtUninstallKB39680$\4117925214
c:\windows\system32\SETE90E.tmp
c:\windows\system32\SETEC31.tmp
c:\windows\system32\SETEEE2.tmp
c:\windows\system32\SETF40A.tmp
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected 
Restored copy from - The cat found it :) 
.
(((((((((((((((((((((((((   Files Created from 2013-04-25 to 2013-05-25  )))))))))))))))))))))))))))))))
.
.
2013-05-25 00:55 . 2013-05-25 02:45 -------- d-----w- c:\users\xc8963\AppData\Local\temp
2013-05-25 00:55 . 2013-05-25 00:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-25 00:29 . 2013-05-21 03:13 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-05-23 21:16 . 2013-05-23 21:16 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2013-05-23 20:10 . 2013-05-23 20:10 -------- d-----w- c:\windows\ERUNT
2013-05-23 20:09 . 2013-05-23 20:09 -------- d-----w- C:\JRT
2013-05-22 10:14 . 2013-05-22 10:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-22 10:14 . 2013-05-22 10:14 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 23:21 . 2013-05-21 23:17 724464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5F1CF7F0-F72B-4083-AFF8-88B109DB44A1}\gapaengine.dll
2013-05-21 23:17 . 2013-05-14 03:49 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{018627EC-95B8-4A44-B49B-05137F6E9BEB}\mpengine.dll
2013-05-21 23:17 . 2013-05-02 15:28 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-20 21:37 . 2013-05-14 03:49 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-20 21:21 . 2013-05-20 21:27 -------- d-----w- c:\programdata\MFAData
2013-05-20 21:21 . 2013-05-20 21:21 -------- d--h--w- c:\programdata\Common Files
2013-05-20 21:21 . 2013-05-20 21:21 -------- d-----w- c:\users\xc8963\AppData\Local\MFAData
2013-05-20 21:21 . 2013-05-20 21:21 -------- d-----w- c:\users\xc8963\AppData\Local\Avg2013
2013-05-20 21:08 . 2013-05-20 21:09 -------- d-----w- c:\program files\Microsoft Security Client
2013-05-20 17:53 . 2013-05-20 17:53 -------- d-----w- c:\program files\Mega Codec Pack
2013-05-15 01:18 . 2013-02-27 05:05 101720 ----a-w- c:\windows\system32\consent.exe
2013-05-15 01:18 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\system32\authui.dll
2013-05-15 01:18 . 2013-02-27 04:49 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-05-15 01:13 . 2013-03-19 04:53 186368 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-15 01:13 . 2013-03-19 03:33 40960 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-15 01:12 . 2013-04-10 03:14 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-15 01:04 . 2013-04-10 05:18 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 01:04 . 2013-04-10 05:18 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-01 21:06 . 2013-05-01 21:06 -------- d-----w- c:\programdata\Rosetta Stone
2013-05-01 21:06 . 2013-05-01 21:06 -------- d-----w- C:\Program Files (x86)
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-13 16:16 . 2010-06-24 18:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-13 04:45 . 2013-05-15 01:18 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 01:18 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45 . 2013-04-23 20:05 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-03-22 05:06 . 2013-03-22 05:06 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-03-22 05:06 . 2013-03-22 05:06 185344 ----a-w- c:\windows\system32\elshyph.dll
2013-03-22 05:06 . 2013-03-22 05:06 158720 ----a-w- c:\windows\system32\msls31.dll
2013-03-22 05:06 . 2013-03-22 05:06 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-03-22 05:06 . 2013-03-22 05:06 138752 ----a-w- c:\windows\system32\wextract.exe
2013-03-22 05:06 . 2013-03-22 05:06 523264 ----a-w- c:\windows\system32\vbscript.dll
2013-03-22 05:06 . 2013-03-22 05:06 137216 ----a-w- c:\windows\system32\ieUnatt.exe
2013-03-22 05:06 . 2013-03-22 05:06 12800 ----a-w- c:\windows\system32\mshta.exe
2013-03-22 05:06 . 2013-03-22 05:06 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-03-22 05:06 . 2013-03-22 05:06 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-03-22 05:06 . 2013-03-22 05:06 38400 ----a-w- c:\windows\system32\imgutil.dll
2013-03-22 05:06 . 2013-03-22 05:06 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-03-22 05:06 . 2013-03-22 05:06 61952 ----a-w- c:\windows\system32\tdc.ocx
2013-03-22 05:06 . 2013-03-22 05:06 361984 ----a-w- c:\windows\system32\html.iec
2013-03-22 05:06 . 2013-03-22 05:06 719360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-03-22 05:06 . 2013-03-22 05:06 23040 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-22 05:06 . 2013-03-22 05:06 1441280 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-19 05:04 . 2013-04-09 19:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-09 19:13 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48 . 2013-04-09 19:13 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49 . 2013-04-09 19:13 69632 ----a-w- c:\windows\system32\smss.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2013-05-20 17:53 224256 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}"
[HKEY_CLASSES_ROOT\CLSID\{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{618A47A2-528B-4D9A-AFC8-97D3233511E2}"
[HKEY_CLASSES_ROOT\CLSID\{618A47A2-528B-4D9A-AFC8-97D3233511E2}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2013-05-01 802136]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-04-19 18678376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2010-04-13 548744]
"LiveUpdate"="AsusSender.exe" [2011-03-11 34728]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2011-01-06 414384]
"VizorHtmlDialog.exe"="c:\program files\Trend Micro\Titanium\UIFramework\VizorHtmlDialog.exe" [2010-10-08 1123664]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2010-10-12 112632]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\VizorShortCut.exe" [2010-10-20 218448]
"VAWinAgent"="c:\expressgateutil\VAWinAgent.exe" [2011-03-24 45448]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-08-24 9722472]
"ASUSPRP"="c:\program files\ASUS\APRP\APRP.EXE" [2011-05-06 2018032]
"ASUSWebStorage"="c:\program files\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe" [2011-07-29 737104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-19 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-19 174360]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-19 150808]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1425208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AsusVibeLauncher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AsusVibeLauncher.lnk
backup=c:\windows\pss\AsusVibeLauncher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapsHook]
2011-03-11 01:06 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotkeyMon]
2011-03-11 01:06 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotkeyService]
2011-03-11 01:06 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesAirMessage]
2012-11-01 16:16 577536 ----a-w- c:\program files\Samsung\Kies\KiesAirMessage.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPreload]
2012-11-12 14:45 968120 ----a-w- c:\program files\Samsung\Kies\Kies.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2012-11-12 14:45 309688 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 09:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperHybridEngine]
2011-03-11 01:06 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2013-05-01 19:04 802136 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 NisSrv;NisSrv;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [x]
S1 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
S2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 TiMiniService;TiMiniService;c:\program files\Trend Micro\Titanium\TiMiniService.exe [x]
S2 VideAceWindowsService;VideAceWindowsService;c:\expressgateutil\VAWinService.exe [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-22 10:14]
.
2013-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2908918139-2372157502-4132180202-1000Core.job
- c:\users\xc8963\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-15 02:21]
.
2013-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2908918139-2372157502-4132180202-1000UA.job
- c:\users\xc8963\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-15 02:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://asus.msn.com
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 190.15.222.2 190.15.221.2 192.168.2.254
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2960)
c:\progra~1\ASUS\ASUSWE~1\30108~1.222\ASUSWS~1.DLL
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
c:\program files\ASUS\ASUS WebStorage\3.0.108.222\LogicNP.EZNamespaceExtensions.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Trend Micro\Titanium\TiResumeSrv.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\InstantOn\InsOnWMI.exe
.
**************************************************************************
.
Completion time: 2013-05-25  00:50:57 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-25 02:50
.
Pre-Run: 32,953,454,592 bytes free
Post-Run: 33,180,192,768 bytes free
.
- - End Of File - - B5AD6405522D30D06B1BE5131D569045


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:31 PM

Posted 24 May 2013 - 10:12 PM



Hello Igloo_nachos


:multiple Anti Virus programs:
  • It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:


    AV: Microsoft Security Essentials
    AV: Trend Micro Titanium



    Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

    Please remove all but one of them.

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

 ClearJavaCache:: 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Igloo_nachos

Igloo_nachos
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 25 May 2013 - 07:19 PM

Hey Gringo,

 

So while running Combofix it told me that I am infected with Rootkit.ZeroAccess!  and it has inserted itself into the tcp/ip stack, sorry I forgot to mention it but it also told me that the first time I ran it.

 

I also can not access Microsoft Security Essentials so I can't turn it off, I removed my other virus scanner, I can't uninstall MSE.

 

Thanks for your help

 

Here is the log:

 

ComboFix 13-05-24.01 - xc8963 25/05/2013  21:11:44.2.4 - x86
Microsoft Windows 7 Starter   6.1.7601.1.1252.61.1033.18.1014.452 [GMT -2:00]
Running from: c:\users\xc8963\Desktop\ComboFix.exe
Command switches used :: c:\users\xc8963\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB39680$
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-25 to 2013-05-25  )))))))))))))))))))))))))))))))
.
.
2013-05-25 23:24 . 2013-05-25 23:24 -------- d-----w- c:\users\xc8963\AppData\Local\temp
2013-05-25 23:24 . 2013-05-25 23:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-25 00:29 . 2013-05-21 03:13 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-05-23 21:16 . 2013-05-23 21:16 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2013-05-23 20:10 . 2013-05-23 20:10 -------- d-----w- c:\windows\ERUNT
2013-05-23 20:09 . 2013-05-23 20:09 -------- d-----w- C:\JRT
2013-05-22 10:14 . 2013-05-22 10:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-22 10:14 . 2013-05-22 10:14 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-21 23:21 . 2013-05-21 23:17 724464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5F1CF7F0-F72B-4083-AFF8-88B109DB44A1}\gapaengine.dll
2013-05-21 23:17 . 2013-05-14 03:49 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{018627EC-95B8-4A44-B49B-05137F6E9BEB}\mpengine.dll
2013-05-21 23:17 . 2013-05-02 15:28 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-20 21:37 . 2013-05-14 03:49 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-20 21:21 . 2013-05-20 21:27 -------- d-----w- c:\programdata\MFAData
2013-05-20 21:21 . 2013-05-20 21:21 -------- d--h--w- c:\programdata\Common Files
2013-05-20 21:21 . 2013-05-20 21:21 -------- d-----w- c:\users\xc8963\AppData\Local\MFAData
2013-05-20 21:21 . 2013-05-20 21:21 -------- d-----w- c:\users\xc8963\AppData\Local\Avg2013
2013-05-20 21:08 . 2013-05-20 21:09 -------- d-----w- c:\program files\Microsoft Security Client
2013-05-20 17:53 . 2013-05-20 17:53 224256 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
2013-05-20 17:53 . 2013-05-20 17:53 -------- d-----w- c:\program files\Mega Codec Pack
2013-05-15 01:18 . 2013-02-27 05:05 101720 ----a-w- c:\windows\system32\consent.exe
2013-05-15 01:18 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\system32\authui.dll
2013-05-15 01:18 . 2013-02-27 04:49 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-05-15 01:13 . 2013-03-19 04:53 186368 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-15 01:13 . 2013-03-19 03:33 40960 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-15 01:12 . 2013-04-10 03:14 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-15 01:04 . 2013-04-10 05:18 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 01:04 . 2013-04-10 05:18 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-01 21:06 . 2013-05-01 21:06 -------- d-----w- c:\programdata\Rosetta Stone
2013-05-01 21:06 . 2013-05-01 21:06 -------- d-----w- C:\Program Files (x86)
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-13 16:16 . 2010-06-24 18:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-13 04:45 . 2013-05-15 01:18 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 01:18 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45 . 2013-04-23 20:05 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-03-22 05:06 . 2013-03-22 05:06 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-03-22 05:06 . 2013-03-22 05:06 185344 ----a-w- c:\windows\system32\elshyph.dll
2013-03-22 05:06 . 2013-03-22 05:06 158720 ----a-w- c:\windows\system32\msls31.dll
2013-03-22 05:06 . 2013-03-22 05:06 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-03-22 05:06 . 2013-03-22 05:06 138752 ----a-w- c:\windows\system32\wextract.exe
2013-03-22 05:06 . 2013-03-22 05:06 523264 ----a-w- c:\windows\system32\vbscript.dll
2013-03-22 05:06 . 2013-03-22 05:06 137216 ----a-w- c:\windows\system32\ieUnatt.exe
2013-03-22 05:06 . 2013-03-22 05:06 12800 ----a-w- c:\windows\system32\mshta.exe
2013-03-22 05:06 . 2013-03-22 05:06 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-03-22 05:06 . 2013-03-22 05:06 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-03-22 05:06 . 2013-03-22 05:06 38400 ----a-w- c:\windows\system32\imgutil.dll
2013-03-22 05:06 . 2013-03-22 05:06 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-03-22 05:06 . 2013-03-22 05:06 61952 ----a-w- c:\windows\system32\tdc.ocx
2013-03-22 05:06 . 2013-03-22 05:06 361984 ----a-w- c:\windows\system32\html.iec
2013-03-22 05:06 . 2013-03-22 05:06 719360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-03-22 05:06 . 2013-03-22 05:06 23040 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-22 05:06 . 2013-03-22 05:06 1441280 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-19 05:04 . 2013-04-09 19:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-09 19:13 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48 . 2013-04-09 19:13 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49 . 2013-04-09 19:13 69632 ----a-w- c:\windows\system32\smss.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2013-05-20 17:53 224256 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}"
[HKEY_CLASSES_ROOT\CLSID\{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{618A47A2-528B-4D9A-AFC8-97D3233511E2}"
[HKEY_CLASSES_ROOT\CLSID\{618A47A2-528B-4D9A-AFC8-97D3233511E2}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2013-05-01 802136]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-04-19 18678376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2010-04-13 548744]
"LiveUpdate"="AsusSender.exe" [2011-03-11 34728]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2011-01-06 414384]
"VAWinAgent"="c:\expressgateutil\VAWinAgent.exe" [2011-03-24 45448]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-08-24 9722472]
"ASUSPRP"="c:\program files\ASUS\APRP\APRP.EXE" [2011-05-06 2018032]
"ASUSWebStorage"="c:\program files\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe" [2011-07-29 737104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-19 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-19 174360]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-19 150808]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1425208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AsusVibeLauncher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AsusVibeLauncher.lnk
backup=c:\windows\pss\AsusVibeLauncher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapsHook]
2011-03-11 01:06 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotkeyMon]
2011-03-11 01:06 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotkeyService]
2011-03-11 01:06 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesAirMessage]
2012-11-01 16:16 577536 ----a-w- c:\program files\Samsung\Kies\KiesAirMessage.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPreload]
2012-11-12 14:45 968120 ----a-w- c:\program files\Samsung\Kies\Kies.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2012-11-12 14:45 309688 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 09:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperHybridEngine]
2011-03-11 01:06 34728 ----a-w- c:\windows\System32\AsusSender.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2013-05-01 19:04 802136 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 NisSrv;NisSrv;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [x]
S2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 VideAceWindowsService;VideAceWindowsService;c:\expressgateutil\VAWinService.exe [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-22 10:14]
.
2013-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2908918139-2372157502-4132180202-1000Core.job
- c:\users\xc8963\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-15 02:21]
.
2013-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2908918139-2372157502-4132180202-1000UA.job
- c:\users\xc8963\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-15 02:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://asus.msn.com
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 190.15.222.2 190.15.221.2 192.168.2.254
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-05-25  21:28:48
ComboFix-quarantined-files.txt  2013-05-25 23:28
ComboFix2.txt  2013-05-25 02:50
.
Pre-Run: 37,930,266,624 bytes free
Post-Run: 37,920,522,240 bytes free
.
- - End Of File - - B5BE23882B1FA2A9CF55EBF24B041A91


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:31 PM

Posted 25 May 2013 - 08:50 PM




Hello Igloo_nachos

Malwarebytes Anti-Rootkit

1.Download Malwarebytes Anti-Rootkit
2.Unzip the contents to a folder in a convenient location.
3.Open the folder where the contents were unzipped and run mbar.exe
4.Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5.Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6.Wait while the system shuts down and the cleanup process is performed.
7.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8.If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
  • •Internet access
    •Windows Update
    •Windows Firewall
9.If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10.Verify that your system is now functioning normally.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
When you are complete please send me both reports

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Igloo_nachos

Igloo_nachos
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 26 May 2013 - 08:29 PM

Hi Gringo,

 

Malware rootkit found nothing and thus didn't produce a report.

 

Internet access, firewall and update is all working fine.  After running both I still can't access MSE, still throwing the same error:

 

Windows cannot access the specified device, path or file.  You may not have the appropriate permissions to access the item.

 

aswMBR report:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-26 22:06:43
-----------------------------
22:06:43.816    OS Version: Windows 6.1.7601 Service Pack 1
22:06:43.816    Number of processors: 4 586 0x1C0A
22:06:43.819    ComputerName: KRILL  UserName: 
22:06:45.946    Initialize success
22:10:35.423    AVAST engine defs: 13052601
22:11:14.504    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
22:11:14.511    Disk 0 Vendor: Hitachi_ ES2O Size: 305245MB BusType: 3
22:11:14.656    Disk 0 MBR read successfully
22:11:14.667    Disk 0 MBR scan
22:11:15.082    Disk 0 Windows 7 default MBR code
22:11:15.103    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       102400 MB offset 2048
22:11:15.334    Disk 0 Partition 2 00     1B   Hidd FAT32 MSDOS5.0    15360 MB offset 209717248
22:11:15.589    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       187467 MB offset 241174528
22:11:15.651    Disk 0 Partition 4 00     EF      EFI FAT                16 MB offset 625106944
22:11:15.724    Disk 0 scanning sectors +625139712
22:11:16.145    Disk 0 scanning C:\windows\system32\drivers
22:11:43.239    Service scanning
22:12:47.836    Modules scanning
22:13:09.942    Disk 0 trace - called modules:
22:13:09.962    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys 
22:13:09.964    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f62030]
22:13:09.965    3 CLASSPNP.SYS[86b8059e] -> nt!IofCallDriver -> [0x844357d0]
22:13:09.967    5 ACPI.sys[864993d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8442e028]
22:13:10.709    AVAST engine scan C:\windows
22:13:18.886    AVAST engine scan C:\windows\system32
22:19:17.096    AVAST engine scan C:\windows\system32\drivers
22:19:41.880    AVAST engine scan C:\Users\xc8963
22:25:31.775    AVAST engine scan C:\ProgramData
22:25:44.830    File: C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll  **INFECTED** Win32:Dropper-gen [Drp]
22:26:29.820    Scan finished successfully
22:30:48.312    Disk 0 MBR has been saved successfully to "C:\Users\xc8963\Desktop\MBR.dat"
22:30:48.355    The log file has been saved successfully to "C:\Users\xc8963\Desktop\aswMBR.txt"
22:30:53.807    Verifying
22:31:03.834    Disk 0 Windows 601 MBR fixed successfully
23:25:06.873    Verifying
23:25:16.896    Disk 0 Windows 601 MBR fixed successfully
23:25:32.217    Disk 0 MBR has been saved successfully to "C:\Users\xc8963\Desktop\MBR.dat"
23:25:32.234    The log file has been saved successfully to "C:\Users\xc8963\Desktop\aswMBR1.txt"
 
 

Thanks again



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:31 PM

Posted 26 May 2013 - 08:49 PM

did you run the fix damage tool included with MBAR?
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Igloo_nachos

Igloo_nachos
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 26 May 2013 - 09:01 PM

I thought I might also mention that I have been closing the following processes each time I boot incase they were messing with my system and after a reboot they are still there.  I realise maybe they might not have been getting detected because of this since they are still popping up:

 

hkcmd.exe  -  hkcmd module

igfxpers.exe - persistence module

igfxsrvc.exe - igfxsrvc module

igfxtray.exe - igfxTray module

 

Cheers



Yes I did and it added this to the log:

 

23:25:06.873    Verifying
23:25:16.896    Disk 0 Windows 601 MBR fixed successfully


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:31 PM

Posted 26 May 2013 - 09:19 PM

did it help with MSE?
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Igloo_nachos

Igloo_nachos
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 26 May 2013 - 09:35 PM

No it's unaffected, I can't uninstall it or open it



#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:31 PM

Posted 26 May 2013 - 10:07 PM

I would like you to go here - http://support.microsoft.com/kb/2438651 and click on the run now check under uninstall and see if MSE is listed


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 Igloo_nachos

Igloo_nachos
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 AM

Posted 28 May 2013 - 04:29 PM

Hi Gringo,

 

No it's not listed.  Sorry for the delay but as I can't download anything I need to use someone elses device to download and then transfer onto my computer.  When I download files it says 'virus scan failed' and I can not access the file.

 

It's asking me for a product code?


Edited by Igloo_nachos, 28 May 2013 - 04:30 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users