Win32/Small.CA virus - action center says I'm infected, but scans are clean


  • This topic is locked
13 replies to this topic

#1 cdp1276

cdp1276

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Portland, OR
  • Local time:07:59 PM

Posted 25 October 2013 - 10:26 AM

I just happened to notice that back in August my Windows Action Center told me that I had this virus - Win32/Small.CA.

I have McAfee Enterprise and have since run Malwarebytes and SpyHunter scans, which came back clean, and I'm not having any system issues. However, I wanted to ask the experts to make sure that I'm clean.

I am not sure if I have the virus or not.

I would be really grateful for any advice. Thanks very much in advance.

Here is my DDS log - I have also attached the attach.txt as requested.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16720
Run by cprosser at 10:57:42 on 2013-10-25
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.16319.11950 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\AirPrint\airprint.exe
C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\splwow64.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\SbHpAuthenticatorService.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\AIM\aim.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe
C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\coreshredder.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\HP\HP Officejet Pro 8600\bin\HPNetworkCommunicator.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\HP\HP Officejet Pro 8600\bin\HPNetworkCommunicator.exe
C:\Program Files (x86)\APC\PowerChute Personal Edition\apcsystray.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: File Sanitizer for HP ProtectTools: {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: HP ProtectTools Security Manager Extension: {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpOtsPluginIe8.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
uRun: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [HP Officejet Pro 8600 (NET)] "C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" -deviceID "CN19M1K1HF05KD:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun: [File Sanitizer] C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun: [Display] C:\Program Files (x86)\APC\PowerChute Personal Edition\DataCollectionLauncher.exe
mRun: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\cprosser\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\Windows\System32\RunDll32.exe
StartupFolder: C:\Users\cprosser\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~2.LNK - C:\Windows\System32\RunDll32.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\APCUPS~1.LNK - C:\Program Files (x86)\APC\PowerChute Personal Edition\Display.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\smartprintsetup.exe
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{D56BA07A-59FE-4399-8C14-B730051546B7} : DHCPNameServer = 209.18.47.61 209.18.47.62
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Notify: DeviceNP - DeviceNP.dll
SSODL: WebCheck - <orphaned>
LSA: Notification Packages =  DPPassFilter scecli
x64-mWinlogon: Userinit = C:\Windows\System32\userinit.exe,C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe,
x64-BHO: TubeSaver-1: {11111111-1111-1111-1111-110411151160} -
x64-BHO: HP ProtectTools Security Manager Extension: {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpOtsPluginIe8.dll
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe"
x64-Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Documents and Settings\cprosser\Application Data\Mozilla\Firefox\Profiles\bjxmnmvm.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_168.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 fltsrv;Acronis Storage Filter Management;C:\Windows\System32\drivers\fltsrv.sys [2012-1-14 137312]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2011-4-15 466944]
R0 SbAlg;SbAlg;C:\Windows\System32\drivers\SbAlg.sys [2009-6-4 60160]
R0 SbFsLock;SbFsLock;C:\Windows\System32\drivers\SbFsLock.sys [2010-8-2 15688]
R0 vididr;Acronis Virtual Disk;C:\Windows\System32\drivers\vididr.sys [2012-5-27 211552]
R0 vidsflt67;Acronis Disk Storage Filter (67);C:\Windows\System32\drivers\vsflt67.sys [2012-5-27 146528]
R1 RsvLock;RsvLock;C:\Windows\System32\drivers\RsvLock.sys [2010-8-2 58184]
R2 ac.sharedstore;ActivIdentity Shared Store Service;C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-6-3 277032]
R2 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2012-5-27 3459024]
R2 AirPrint;Apple AirPrint for Windows;C:\Program Files (x86)\AirPrint\airprint.exe -s --> C:\Program Files (x86)\AirPrint\airprint.exe -s [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-11-16 238080]
R2 APC Data Service;APC Data Service;C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe [2012-1-24 21880]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 86528]
R2 HpFkCryptService;Drive Encryption Service;C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2010-8-2 281192]
R2 HPFSService;File Sanitizer for HP ProtectTools;C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2010-5-6 298496]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-5-23 13336]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2012-8-23 13672]
R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [2009-4-29 19720]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2009-1-16 103744]
R2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe [2009-4-29 176872]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [2009-4-29 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2011-4-15 78992]
R2 syncagentsrv;Acronis Sync Agent Service;C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [2012-4-27 5914912]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-3-11 2320920]
R3 afcdp;afcdp;C:\Windows\System32\drivers\afcdp.sys [2012-5-27 367200]
R3 DEBridge;DEBridge;C:\Program Files\Hewlett-Packard\Drive Encryption\SbHpAuthenticatorService.exe [2010-8-2 704512]
R3 e1kexpress;Intel® Network Connections Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2013-10-1 497424]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2011-3-11 56344]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2011-4-15 120096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 HP ProtectTools Service;HP ProtectTools Service;C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-3-16 36864]
S3 DAMDrv;DAMDrv;C:\Windows\System32\drivers\DAMDrv64.sys [2010-3-8 40760]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;C:\Windows\SysWOW64\flcdlock.exe [2010-4-28 362040]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2011-4-15 76696]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-16 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-16 57856]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-5-20 1255736]
.
=============== Created Last 30 ================
.
2013-10-25 07:01:59    75888    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A4F5BAE4-7F18-4CCE-92C6-8D5BE67AF43D}\offreg.dll
2013-10-25 07:00:48    10280728    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A4F5BAE4-7F18-4CCE-92C6-8D5BE67AF43D}\mpengine.dll
2013-10-25 00:13:30    --------    d-----w-    C:\Program Files\Enigma Software Group
2013-10-25 00:12:59    --------    d-----w-    C:\Windows\86CA3695A4124BAE92B649A60C2AC663.TMP
2013-10-25 00:12:57    --------    d-----w-    C:\Program Files (x86)\Common Files\Wise Installation Wizard
2013-10-24 23:48:20    --------    d-----w-    C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-10-24 23:48:20    --------    d-----w-    C:\Program Files\iTunes
2013-10-24 23:48:20    --------    d-----w-    C:\Program Files\iPod
2013-10-24 23:48:20    --------    d-----w-    C:\Program Files (x86)\iTunes
2013-10-24 02:18:53    --------    d-----w-    C:\Users\cprosser\AppData\Roaming\Malwarebytes
2013-10-24 02:18:38    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-10-24 02:18:37    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2013-10-24 02:18:37    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-24 02:18:09    --------    d-----w-    C:\Users\cprosser\AppData\Local\Programs
2013-10-24 01:29:51    10280728    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-10-09 10:45:56    983488    ----a-w-    C:\Windows\System32\drivers\dxgkrnl.sys
2013-10-09 10:45:56    124112    ----a-w-    C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2013-10-09 10:45:56    102608    ----a-w-    C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2013-10-09 10:45:55    461312    ----a-w-    C:\Windows\System32\scavengeui.dll
2013-10-09 10:45:53    99840    ----a-w-    C:\Windows\System32\drivers\usbccgp.sys
2013-10-09 10:45:53    7808    ----a-w-    C:\Windows\System32\drivers\usbd.sys
2013-10-09 10:45:53    52736    ----a-w-    C:\Windows\System32\drivers\usbehci.sys
2013-10-09 10:45:53    343040    ----a-w-    C:\Windows\System32\drivers\usbhub.sys
2013-10-09 10:45:53    325120    ----a-w-    C:\Windows\System32\drivers\usbport.sys
2013-10-09 10:45:53    30720    ----a-w-    C:\Windows\System32\drivers\usbuhci.sys
2013-10-09 10:45:52    25600    ----a-w-    C:\Windows\System32\drivers\usbohci.sys
2013-10-01 21:12:08    89888    ----a-w-    C:\Windows\System32\NicInstK.dll
2013-10-01 21:12:08    73480    ----a-w-    C:\Windows\System32\e1kmsg.dll
2013-10-01 21:12:08    497424    ----a-w-    C:\Windows\System32\drivers\e1k62x64.sys
2013-09-26 18:00:39    208760    ----a-w-    C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2013-10-08 20:16:17    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-08 20:16:17    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-09-22 23:28:06    1767936    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-09-22 23:27:49    2876928    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-09-22 23:27:48    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-09-22 23:27:48    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-09-22 22:55:10    2241024    ----a-w-    C:\Windows\System32\wininet.dll
2013-09-22 22:54:51    3959296    ----a-w-    C:\Windows\System32\jscript9.dll
2013-09-22 22:54:50    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2013-09-22 22:54:50    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-09-21 03:38:39    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-09-21 03:30:24    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-09-21 02:48:36    89600    ----a-w-    C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-21 02:39:47    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-09-14 01:10:19    497152    ----a-w-    C:\Windows\System32\drivers\afd.sys
2013-09-08 02:30:37    1903552    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-09-08 02:27:14    327168    ----a-w-    C:\Windows\System32\mswsock.dll
2013-09-08 02:03:58    231424    ----a-w-    C:\Windows\SysWow64\mswsock.dll
2013-09-03 18:35:10    278800    ------w-    C:\Windows\System32\MpSigStub.exe
2013-08-29 02:17:48    5549504    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-08-29 02:16:35    1732032    ----a-w-    C:\Windows\System32\ntdll.dll
2013-08-29 02:16:28    243712    ----a-w-    C:\Windows\System32\wow64.dll
2013-08-29 02:16:14    859648    ----a-w-    C:\Windows\System32\tdh.dll
2013-08-29 02:13:28    878080    ----a-w-    C:\Windows\System32\advapi32.dll
2013-08-29 01:51:45    3969472    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51:45    3914176    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50:31    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-08-29 01:50:30    1292192    ----a-w-    C:\Windows\SysWow64\ntdll.dll
2013-08-29 01:50:16    619520    ----a-w-    C:\Windows\SysWow64\tdh.dll
2013-08-29 01:48:17    640512    ----a-w-    C:\Windows\SysWow64\advapi32.dll
2013-08-29 01:48:15    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2013-08-29 00:49:53    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-08-29 00:49:52    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-08-29 00:49:52    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-08-29 00:49:49    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-08-28 01:21:06    3155968    ----a-w-    C:\Windows\System32\win32k.sys
2013-08-05 02:25:45    155584    ----a-w-    C:\Windows\System32\drivers\ataport.sys
2013-08-02 02:14:57    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2013-08-02 02:13:34    424448    ----a-w-    C:\Windows\System32\KernelBase.dll
2013-08-02 01:50:42    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17    338432    ----a-w-    C:\Windows\System32\conhost.exe
2013-08-02 00:59:09    112640    ----a-w-    C:\Windows\System32\smss.exe
2013-08-02 00:43:05    6144    ---ha-w-    C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05    4608    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05    3584    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05    3072    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
.
============= FINISH: 10:58:20.46 ===============

#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:59 PM

Posted 27 October 2013 - 08:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your DDS log is clean. Let's check further.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Third party programs, if not up to date, can be the cause of infiltration of an infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#3 cdp1276

cdp1276
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Portland, OR
  • Local time:07:59 PM

Posted 27 October 2013 - 12:10 PM

Hi nasdaq, and thanks for responding to help. I'm glad I appear to be clean in the DDS files. I ran the first program, AdwCleaner.exe. This is what it reported; I didn't press Clean yet. I was concerned about a few of the programs and changes that it might make. I don't want to have an unusable computer or new problems that I don't have today. My concerns were with the Firefox user.js file, as I believe that contains customizations, so won't removing it break my Firefox?

My other concern is the MS software update utility. Isn't that an important part of the OS? Then lastly, what about all these registry key changes? Will I be negatively impacted if I let this clean and remove those?

 

# AdwCleaner v3.010 - Report created 27/10/2013 at 12:48:23
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Running from : C:\Temp\curt\install\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\END
File Found : C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default.old\user.js
File Found : C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default\user.js
Folder Found C:\Program Files (x86)\Common Files\Software Update Utility
Folder Found C:\Users\cprosser\AppData\LocalLow\boost_interprocess

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\AppDataLow\Software\Crossrider
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\installedbrowserextensions
Key Found : HKCU\Software\InstalledThirdPartyPrograms
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\installedbrowserextensions
Key Found : [x64] HKCU\Software\InstalledThirdPartyPrograms
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Found : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Found : HKLM\SOFTWARE\Classes\dnUpdate
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660466156660}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Found : HKLM\Software\PIP
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660466156660}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Found : [x64] HKLM\SOFTWARE\InstalledThirdPartyPrograms
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default\prefs.js ]

Line Found : user_pref("extensions.crossrider.bic", "14183ff255bcea080e903357ada49440");

[ File : C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default.old\prefs.js ]


*************************

AdwCleaner[R0].txt - [3967 octets] - [27/10/2013 12:48:23]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4027 octets] ##########

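Reading a report like the one above by eye is error-prone once it runs to dozens of registry keys. The following is an added example, not code from the thread or from AdwCleaner: a small Python parser for the AdwCleaner v3 report layout shown above. It splits the report into sections, records each "Found"/"Deleted" entry (including the [x64] view and the `Folder Found` lines that omit the colon), and then answers the questions the topic starter actually asked: which entries touch the Firefox profile (so they can be backed up before cleaning), which hives the registry entries live in, and which GUIDs recur across keys (the same CLSID appearing under both `Classes\CLSID` and `Ext\PreApproved` is the signature of a pre-approved browser extension). The sample report is a constructed excerpt in that layout, not a real scan.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the AdwCleaner v3 report layout from the thread (not a real scan).
SAMPLE_REPORT = r"""
# AdwCleaner v3.010 - Report created 27/10/2013 at 12:48:23
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\END
File Found : C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default\user.js
Folder Found C:\Program Files (x86)\Common Files\Software Update Utility

***** [ Registry ] *****

Key Found : HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Conduit
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

***** [ Browsers ] *****

-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default\prefs.js ]

Line Found : user_pref("extensions.crossrider.bic", "14183ff255bcea080e903357ada49440");

*************************
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
FILE_CTX_RE = re.compile(r"^\[ File : (.+?) \]$")
# "Kind Found : target"; AdwCleaner omits the colon for folders ("Folder Found C:\..."),
# and prefixes entries from the 64-bit registry view with "[x64] ".
ENTRY_RE = re.compile(r"^(File|Folder|Key|Value|Line) (Found|Deleted) ?:? ?(\[x64\] )?(.+)$")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
FIREFOX_PROFILE_MARK = "\\mozilla\\firefox\\profiles\\"


@dataclass
class Finding:
    section: str            # report section, e.g. "Registry"
    kind: str               # File / Folder / Key / Value / Line
    action: str             # Found (scan) or Deleted (clean)
    x64: bool               # entry came from the 64-bit registry view
    target: str             # path, key, or pref line
    context: Optional[str]  # for "Line" entries: the file the line lives in


def parse_report(text: str) -> List[Finding]:
    """Turn the report text into structured findings, tracking section and file context."""
    findings: List[Finding] = []
    section: Optional[str] = None
    context: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, context = m.group(1), None
            continue
        m = FILE_CTX_RE.match(line)
        if m:
            context = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            kind, action, x64, target = m.groups()
            findings.append(Finding(section, kind, action, x64 is not None, target.strip(), context))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count entries per (section, kind)."""
    return Counter((f.section, f.kind) for f in findings)


def registry_hives(findings: List[Finding]) -> Counter:
    """Count registry keys per hive (HKCU vs HKLM) to see whether the PUP is per-user or machine-wide."""
    return Counter(f.target.split("\\")[0].upper() for f in findings if f.kind == "Key")


def firefox_profile_items(findings: List[Finding]) -> List[Finding]:
    """Entries inside a Firefox profile: back these up before pressing Clean."""
    return [f for f in findings
            if FIREFOX_PROFILE_MARK in (f.target + " " + (f.context or "")).lower()]


def guid_occurrences(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each GUID to every key it appears in; repeats tie CLSIDs to their registration points."""
    out: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        for g in GUID_RE.findall(f.target):
            out[g.upper()].append(f.target)
    return dict(out)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("per section/kind:", dict(summarize(found)))
    print("hives:", dict(registry_hives(found)))
    print("back up before cleaning:", [f.target for f in firefox_profile_items(found)])
    for guid, keys in guid_occurrences(found).items():
        print(guid, "appears in", len(keys), "keys")
```

Run it on your own `C:\AdwCleaner\AdwCleaner[R0].txt` by reading the file into `parse_report`; everything the clean run will touch is then a structured list you can review before choosing Clean.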


#4 nasdaq

nasdaq

  • Malware Response Team

Posted 27 October 2013 - 01:01 PM

This tool is as safe as it can be.

The decision to run this tool is yours.
If on occasions you get some pop-ups then you should run it.
If not, then let it go.

You may have noticed that items can be de-quarantined if something important is removed.

#5 cdp1276

cdp1276
  • Topic Starter


Posted 27 October 2013 - 01:06 PM

So if I'm not getting pop-ups during my browser sessions from what you see in this log, am I infected with anything? I would like the peace of mind and clean this. Just wanted your advice if you see it planning to remove anything that might cause an issue with a program or my OS and I should uncheck that part of cleaning?


Edited by cdp1276, 27 October 2013 - 01:28 PM.


#6 nasdaq

nasdaq

  • Malware Response Team

Posted 27 October 2013 - 01:32 PM

What you can do is copy your user.js file to a temporary folder.

Do the Delete function in the ADWCleaner. If something goes wrong you can de-quarantine all that you will find in the quarantine function of the program.

Copy your saved copy of the user.js file to the Firefox folder.
Restart the computer normally.
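Firefox re-applies user.js on every start and copies its entries into prefs.js, which is why an adware pref planted there keeps coming back and why AdwCleaner removes the whole file. The back-up-then-restore advice above works, but a blind restore puts the adware pref back too. The following added example (not from the thread or from Mozilla) parses a saved user.js, separates prefs in the adware namespace named in the AdwCleaner report (`extensions.crossrider.`) from genuine customizations, and rebuilds a clean file to restore. The sample user.js is constructed; any further prefixes you add to `ADWARE_PREFIXES` are your own assumptions.

```python
import re
from typing import List, NamedTuple, Tuple


class Pref(NamedTuple):
    name: str
    raw_value: str  # value kept verbatim so the rewritten file round-trips exactly


# One Firefox pref line: user_pref("name", value);
USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# "extensions.crossrider." is the namespace flagged in the AdwCleaner report in this thread.
# Anything else you append here is an assumption about other adware families.
ADWARE_PREFIXES: Tuple[str, ...] = ("extensions.crossrider.",)

# Constructed sample user.js: two ordinary customizations plus the adware-planted pref.
SAMPLE_USER_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("network.cookie.cookieBehavior", 1);
user_pref("extensions.crossrider.bic", "14183ff255bcea080e903357ada49440");
"""


def parse_prefs(text: str) -> List[Pref]:
    """Extract user_pref entries; comments and blank lines are ignored."""
    prefs: List[Pref] = []
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if m:
            prefs.append(Pref(m.group(1), m.group(2)))
    return prefs


def triage(prefs: List[Pref], adware_prefixes: Tuple[str, ...] = ADWARE_PREFIXES):
    """Split prefs into (flagged, keep) by namespace prefix."""
    flagged: List[Pref] = []
    keep: List[Pref] = []
    for p in prefs:
        (flagged if p.name.startswith(adware_prefixes) else keep).append(p)
    return flagged, keep


def rebuild_user_js(keep: List[Pref]) -> str:
    """Write a user.js containing only the retained customizations, ready to restore."""
    return "".join(f'user_pref("{p.name}", {p.raw_value});\n' for p in keep)


if __name__ == "__main__":
    flagged, keep = triage(parse_prefs(SAMPLE_USER_JS))
    print("would be lost if restored blindly:", [p.name for p in keep])
    print("adware prefs dropped:", [p.name for p in flagged])
    print(rebuild_user_js(keep), end="")
```

Point `parse_prefs` at the backup you made of user.js (read the file into a string) and write the result of `rebuild_user_js` back into the profile folder instead of the original; Firefox will pick it up on the next start without the adware entry.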

#7 cdp1276

cdp1276
  • Topic Starter


Posted 27 October 2013 - 01:57 PM

OK, I ran the clean and rebooted. So far Firefox seems fine so I will delete the backup file I made of the user.js on my desktop. Should I run the AdwCleaner again or move to doing the Junkware Removal tool or do you think my system is clean now?

 

Here is the log:

 

# AdwCleaner v3.010 - Report created 27/10/2013 at 14:48:32
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Running from : C:\Temp\curt\install\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Common Files\Software Update Utility
Folder Deleted : C:\Users\cprosser\AppData\LocalLow\boost_interprocess
File Deleted : C:\END
File Deleted : C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default\user.js
File Deleted : C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default.old\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660466156660}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660466156660}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\installedbrowserextensions
Key Deleted : HKCU\Software\InstalledThirdPartyPrograms
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : [x64] HKLM\SOFTWARE\InstalledThirdPartyPrograms

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default\prefs.js ]

Line Deleted : user_pref("extensions.crossrider.bic", "14183ff255bcea080e903357ada49440");

[ File : C:\Users\cprosser\AppData\Roaming\Mozilla\Firefox\Profiles\37pbs1hr.default.old\prefs.js ]


*************************

AdwCleaner[R0].txt - [4155 octets] - [27/10/2013 12:48:23]
AdwCleaner[S0].txt - [3701 octets] - [27/10/2013 14:48:32]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3761 octets] ##########



#8 nasdaq

nasdaq

  • Malware Response Team

Posted 28 October 2013 - 07:19 AM

That was a good cleanup of the (PUP) Potentially Unwanted Program installed without your consent on your computer.

No need to run the JunkRemoval tool.

AdwCleaner has an uninstall function.
As for the JunkRemoval tool just delete it.

#9 cdp1276

cdp1276
  • Topic Starter


Posted 28 October 2013 - 07:26 AM

OK, so no need to run AdwCleaner again to make sure nothing was recreated and you feel I'm clean / safe now?



#10 nasdaq

nasdaq

  • Malware Response Team

Posted 28 October 2013 - 08:29 AM

No need to run the AdwCleaner for now.
This tool is updated often. If you want to keep it and run it later make sure you have the latest version.

We can never be 100% sure that it's all clean.
You can do this on-line scan when you will not need the computer for a few hours.

Please scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#11 cdp1276

cdp1276
  • Topic Starter


Posted 01 November 2013 - 10:39 PM

I finally got a chance to complete this. I will add that during this time I also removed my McAfee 8.7i install and replaced it with MSE. I did a full scan with MSE and it found nothing. Here is the log from the ESET, and at the end I did have it delete the quarantined files:

 

C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHPXAM50\cortica_rollover_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHPXAM50\getdeal_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHPXAM50\luck_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHPXAM50\revizer_p_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHPXAM50\similar_web_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBYP0SQV\arcadi2_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBYP0SQV\coupish_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBYP0SQV\dealply_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBYP0SQV\icm1_5_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBYP0SQV\icm_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBYP0SQV\superfish_pricora_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQRGWP5K\50onred_ads_only_no_fb_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQRGWP5K\arcadi3_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQRGWP5K\corticas_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQRGWP5K\cortica_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQRGWP5K\ibario_pops_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQRGWP5K\intext_adv_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQRGWP5K\jollywallet_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PQRGWP5K\superfish_no_search_no_coupons_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VGYG3YYJ\ads_only_5_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VGYG3YYJ\arcadi2_sourceID_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VGYG3YYJ\coupons_intext_ads_5_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VGYG3YYJ\intext_5_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VGYG3YYJ\revizer_ws_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VGYG3YYJ\widdit_m[1].js    JS/Toolbar.Crossrider.A application    cleaned by deleting - quarantined
C:\Users\cprosser\AppData\Local\Temp\FLBFs1qk.exe.part    Win32/Toolbar.SearchSuite application    cleaned by deleting - quarantined
 

Any next steps or do I look good?



#12 nasdaq

nasdaq

  • Malware Response Team

Posted 02 November 2013 - 07:19 AM

You are looking good.

You can delete the tools we used.
If you decide to keep them make sure you get the latest updates before running them.

#13 cdp1276

cdp1276
  • Topic Starter


Posted 02 November 2013 - 12:16 PM

Thanks nasdaq and really appreciate your help. I'm glad this wasn't as severe as I thought and was rather easy with your help to clean. I'm glad you view me as relatively clean and secure now.



#14 nasdaq

nasdaq

  • Malware Response Team

Posted 02 November 2013 - 12:18 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



