
Antivirus Security Pro + zeroaccess rootkit symptoms found (rkill, FRST)


  • This topic is locked
24 replies to this topic

#1 Black Monday


Posted 12 November 2013 - 07:27 PM

As the good mama's boy I am, I am trying to rid my mother's computer of a particularly malicious infection.

 

After a good number of hours spent, I have managed to rid the system of the Antivirus Security Pro malware, taking away all the annoying popups et al. Malwarebytes was used to try to clean out all there was.

 

Unfortunately some problems persist, and an infection is still preventing downloads from the web (and consequently, e.g., upgrades to windows security essentials).

 

Rkill identifies the problem as "zeroaccess rootkit symptoms found".

 

Googling this took me to the following entry at this forum. I have run Farbar Recovery Scan Tool including Drivers MD5 as instructed, and it did pick up on quite a few things. The question is how to write a proper fixlist.

 

I am extremely grateful for any help I can get in this regard. All I can really offer in return is to pay it back or forward in terms of Microsoft Excel help, as that is an area of expertise.

 

Anyway, here is the log from Farbar (also attached, as I felt I had received mixed messages about the custom on this forum):

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-11-2013 01
Ran by SYSTEM on MININT-5BPMVLA on 13-11-2013 00:42:37
Running from G:\Sikkerhet
Windows 7 Starter (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [8555040 2010-04-06] (Realtek Semiconductor)
HKLM\...\Run: [ETDWare] - C:\Program Files\Elantech\ETDCtrl.exe [1891720 2010-03-25] (ELAN Microelectronics Corp.)
HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-11] (Oracle Corporation)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\hpwuschd2.exe [54576 2009-11-18] (Hewlett-Packard)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [AS2014] - C:\ProgramData\d97Xd97X\d97Xd97X.exe
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\ProgramData\d97Xd97X\d97Xd97X.exe -sm,
HKU\jubajuba\...\Run: [msnmsgr] - "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
HKU\jubajuba\...\Run: [Google Update] - [x]
 
========================== Services (Whitelisted) =================
 
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [280288 2013-10-23] (Microsoft Corporation)
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2c568ee7-5781-4788-e48d-a2ef386e3c9f}\   \...\???\{2c568ee7-5781-4788-e48d-a2ef386e3c9f}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
S3 btwampfl; C:\Windows\System32\drivers\btwampfl.sys [286248 2010-03-05] (Broadcom Corporation.)
S3 cmusbser; C:\Windows\System32\DRIVERS\cmusbser.sys [87040 2006-12-13] (Cmotech Co.,Ltd)
S3 ETD; C:\Windows\System32\DRIVERS\ETD.sys [109056 2010-03-31] (ELAN Microelectronics Corp.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
S3 rtport; C:\windows\system32\drivers\rtport.sys [15656 2010-11-19] (Windows ® 2003 DDK 3790 provider)
S1 SABI; C:\windows\system32\Drivers\SABI.sys [10752 2009-05-27] (SAMSUNG ELECTRONICS)
S1 lfajgqoc; \??\C:\windows\system32\drivers\lfajgqoc.sys [x]
 
========================== Drivers MD5 =======================
 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-11-13 00:42 - 2013-11-13 00:42 - 00000000 ____D C:\FRST
2013-11-12 15:22 - 2013-11-12 15:27 - 00003892 _____ C:\Users\jubajuba\Desktop\Rkill.txt
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\x86
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\NisDrv
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\nb-no
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\mpfilter
2013-11-12 14:46 - 2013-10-23 08:01 - 00185664 _____ (Microsoft Corporation) C:\Windows\System32\config\EppManifest.dll
2013-11-12 14:46 - 2013-10-23 05:55 - 00008864 _____ (Microsoft Corporation) C:\Windows\System32\config\setupres.dll
2013-11-12 14:35 - 2013-11-12 14:36 - 00000000 ____D C:\Windows\TempE0580CA0-9BFF-7EDF-486A-0932C0CD364A-Signatures
2013-11-12 12:26 - 2013-11-12 12:26 - 00000000 ____D C:\Users\jubajuba\AppData\Roaming\Malwarebytes
2013-11-12 12:25 - 2013-11-12 12:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-04 01:39 - 2013-11-04 01:39 - 00000000 ____D C:\Users\jubajuba\AppData\Local\Macromedia
2013-10-31 04:50 - 2013-10-31 04:50 - 00000000 ____D C:\Program Files\Google
2013-10-23 07:21 - 2013-10-23 07:21 - 00045728 _____ (Microsoft Corporation) C:\Windows\System32\config\setupres.dll.mui
2013-10-23 07:21 - 2013-10-23 07:21 - 00039072 _____ (Microsoft Corporation) C:\Windows\System32\config\MpEvMsg.dll.mui
2013-10-23 07:21 - 2013-10-23 07:21 - 00009376 _____ (Microsoft Corporation) C:\Windows\System32\config\shellext.dll.mui
2013-10-23 07:10 - 2013-10-23 07:10 - 00094368 _____ (Microsoft Corporation) C:\Windows\System32\config\MsMpRes.dll.mui
2013-10-23 07:07 - 2013-10-23 07:07 - 00051360 _____ (Microsoft Corporation) C:\Windows\System32\config\MpAsDesc.dll.mui
2013-10-23 05:55 - 2013-10-23 05:55 - 00016544 _____ (Microsoft Corporation) C:\Windows\System32\config\msseooberes.dll.mui
 
==================== One Month Modified Files and Folders =======
 
2013-11-13 00:42 - 2013-11-13 00:42 - 00000000 ____D C:\FRST
2013-11-12 15:27 - 2013-11-12 15:22 - 00003892 _____ C:\Users\jubajuba\Desktop\Rkill.txt
2013-11-12 15:24 - 2010-08-10 14:56 - 02095740 _____ C:\Windows\WindowsUpdate.log
2013-11-12 15:07 - 2011-07-02 12:46 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-12 15:05 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-11-12 14:51 - 2009-07-13 20:34 - 00010272 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-12 14:51 - 2009-07-13 20:34 - 00010272 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\x86
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\NisDrv
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\nb-no
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\mpfilter
2013-11-12 14:46 - 2013-04-17 23:15 - 00001912 _____ C:\Windows\epplauncher.mif
2013-11-12 14:46 - 2013-04-17 23:11 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-11-12 14:43 - 2009-07-13 20:39 - 00081213 _____ C:\Windows\setupact.log
2013-11-12 14:36 - 2013-11-12 14:35 - 00000000 ____D C:\Windows\TempE0580CA0-9BFF-7EDF-486A-0932C0CD364A-Signatures
2013-11-12 14:34 - 2011-02-25 15:37 - 00000000 ____D C:\Program Files\Windows Live
2013-11-12 14:15 - 2011-06-27 09:46 - 00000000 ____D C:\Users\jubajuba\Tracing
2013-11-12 14:06 - 2011-02-27 00:34 - 00241060 _____ C:\Windows\PFRO.log
2013-11-12 14:06 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2013-11-12 12:26 - 2013-11-12 12:26 - 00000000 ____D C:\Users\jubajuba\AppData\Roaming\Malwarebytes
2013-11-12 12:25 - 2013-11-12 12:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-04 01:39 - 2013-11-04 01:39 - 00000000 ____D C:\Users\jubajuba\AppData\Local\Macromedia
2013-10-31 04:50 - 2013-10-31 04:50 - 00000000 ____D C:\Program Files\Google
2013-10-31 04:50 - 2011-04-21 14:03 - 00000000 ____D C:\Users\jubajuba\AppData\Local\Google
2013-10-31 04:16 - 2013-05-29 13:53 - 00000000 ____D C:\Users\jubajuba\AppData\Local\CrashDumps
2013-10-23 08:01 - 2013-11-12 14:46 - 00185664 _____ (Microsoft Corporation) C:\Windows\System32\config\EppManifest.dll
2013-10-23 07:21 - 2013-10-23 07:21 - 00045728 _____ (Microsoft Corporation) C:\Windows\System32\config\setupres.dll.mui
2013-10-23 07:21 - 2013-10-23 07:21 - 00039072 _____ (Microsoft Corporation) C:\Windows\System32\config\MpEvMsg.dll.mui
2013-10-23 07:21 - 2013-10-23 07:21 - 00009376 _____ (Microsoft Corporation) C:\Windows\System32\config\shellext.dll.mui
2013-10-23 07:10 - 2013-10-23 07:10 - 00094368 _____ (Microsoft Corporation) C:\Windows\System32\config\MsMpRes.dll.mui
2013-10-23 07:07 - 2013-10-23 07:07 - 00051360 _____ (Microsoft Corporation) C:\Windows\System32\config\MpAsDesc.dll.mui
2013-10-23 05:55 - 2013-11-12 14:46 - 00008864 _____ (Microsoft Corporation) C:\Windows\System32\config\setupres.dll
2013-10-23 05:55 - 2013-10-23 05:55 - 00016544 _____ (Microsoft Corporation) C:\Windows\System32\config\msseooberes.dll.mui
2013-10-22 10:41 - 2011-04-18 12:52 - 00000000 ____D C:\Users\jubajuba\AppData\Local\CMO_V2_D-50
2013-10-22 03:05 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-10-16 13:20 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-10-14 10:49 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\twain_32
 
Files to move or delete:
====================
ZeroAccess:
C:\Users\jubajuba\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install
 
 
Some content of TEMP:
====================
C:\Users\jubajuba\AppData\Local\Temp\APNStub.exe
C:\Users\jubajuba\AppData\Local\Temp\dsHostCheckerSetup.exe
C:\Users\jubajuba\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\jubajuba\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\jubajuba\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
 
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\Backup => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
8
Restore point made on: 2013-10-05 03:03:57
Restore point made on: 2013-10-08 10:00:47
Restore point made on: 2013-10-10 14:36:33
Restore point made on: 2013-10-14 11:02:21
Restore point made on: 2013-10-15 13:54:51
Restore point made on: 2013-10-19 02:36:33
Restore point made on: 2013-10-26 02:46:09
Restore point made on: 2013-10-30 11:31:05
 
==================== Memory info =========================== 
 
Percentage of memory in use: 39%
Total physical RAM: 1013.3 MB
Available physical RAM: 612.51 MB
Total Pagefile: 1013.3 MB
Available Pagefile: 618.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.85 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:85 GB) (Free:51.4 GB) NTFS
Drive d: () (Fixed) (Total:127.79 GB) (Free:127.56 GB) NTFS
Drive f: (RECOVERY) (Fixed) (Total:20 GB) (Free:6.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (A-DATA UFD) (Removable) (Total:1.88 GB) (Free:1.74 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 233 GB) (Disk ID: AD76995E)
Partition 1: (Not Active) - (Size=20 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=85 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=128 GB) - (Type=OF Extended)
 
========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 04DD5721)
Partition 1: (Active) - (Size=2 GB) - (Type=06)
 
 
LastRegBack: 2013-10-22 03:53
 
==================== End Of Log ============================

Attached Files

  • Attached File  FRST.txt   27.72KB   3 downloads




#2 gringo_pr (Malware Response Team)
Posted 12 November 2013 - 09:31 PM


Hello Black Monday

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or an important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

 
HKLM\...\Run: [AS2014] - C:\ProgramData\d97Xd97X\d97Xd97X.exe
HKU\jubajuba\...\Run: [Google Update] - [x] 
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2c568ee7-5781-4788-e48d-a2ef386e3c9f}\ \...\???\{2c568ee7-5781-4788-e48d-a2ef386e3c9f}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S1 lfajgqoc; \??\C:\windows\system32\drivers\lfajgqoc.sys [x] 
C:\Users\jubajuba\AppData\Local\Google\Desktop\Install 
C:\Program Files\Google\Desktop\Install
C:\Users\jubajuba\AppData\Local\Temp\APNStub.exe 
C:\Users\jubajuba\AppData\Local\Temp\dsHostCheckerSetup.exe 
C:\Users\jubajuba\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe 
C:\Users\jubajuba\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe 
C:\Users\jubajuba\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe 
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.



Run FRST again like we did before, but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Black Monday

Black Monday
  • Topic Starter

  • Members
  • 11 posts
  • Local time:07:03 PM

Posted 13 November 2013 - 10:52 AM

Many thanks for the fast reply, Gringo!

 

I ran the procedure as planned and got the log below. Upon restart, I quickly checked and found out that the machine still cannot download anything. That is to say, Firefox (and probably other browsers) can download the file, but it immediately disappears upon download completion (and antivirus software cannot update).

 

Microsoft Security Essentials starting upon restart by default quickly identified three pieces of malware:

Rogue:Win32/Winwebsec - Serious - 13 nov 2013

Rogue:Win32/Winwebsec - Serious - 31 oct 2013

Trojan:Win32/Sirefef!cfg - Serious - 31 oct 2013

 

So far they are quarantined, but I have not clicked to remove all and restart as the program suggests, in order to follow your rules above.

 

Below is the FRST scan log. Thanks again for the help!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-11-2013 01
Ran by SYSTEM on MININT-5CLE41O on 13-11-2013 16:03:00
Running from G:\Sikkerhet
Windows 7 Starter (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [8555040 2010-04-06] (Realtek Semiconductor)
HKLM\...\Run: [ETDWare] - C:\Program Files\Elantech\ETDCtrl.exe [1891720 2010-03-25] (ELAN Microelectronics Corp.)
HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-11] (Oracle Corporation)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\hpwuschd2.exe [54576 2009-11-18] (Hewlett-Packard)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\ProgramData\d97Xd97X\d97Xd97X.exe -sm,
HKU\jubajuba\...\Run: [msnmsgr] - "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
HKU\jubajuba\...\Run: [Google Update] - [x]

========================== Services (Whitelisted) =================

S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [280288 2013-10-23] (Microsoft Corporation)
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2c568ee7-5781-4788-e48d-a2ef386e3c9f}\   \...\???\{2c568ee7-5781-4788-e48d-a2ef386e3c9f}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 btwampfl; C:\Windows\System32\drivers\btwampfl.sys [286248 2010-03-05] (Broadcom Corporation.)
S3 cmusbser; C:\Windows\System32\DRIVERS\cmusbser.sys [87040 2006-12-13] (Cmotech Co.,Ltd)
S3 ETD; C:\Windows\System32\DRIVERS\ETD.sys [109056 2010-03-31] (ELAN Microelectronics Corp.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
S3 rtport; C:\windows\system32\drivers\rtport.sys [15656 2010-11-19] (Windows ® 2003 DDK 3790 provider)
S1 SABI; C:\windows\system32\Drivers\SABI.sys [10752 2009-05-27] (SAMSUNG ELECTRONICS)

========================== Drivers MD5 =======================

C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpahci.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys F81BB7E487EDCEAB630A7EE66CF23913
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\djsvs.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdagp.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdk8.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys D320BF87125326F996D4904FE24300FC
C:\Windows\system32\DRIVERS\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys 46387FB17B086D16DEA267D5BE23A2F2
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\bxvbdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60x.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bcmwl6.sys 9E209171C51B1D750F53777253B80E81
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\BrSerIb.sys 08C7E41FF10F56E83B4F10B5E8B1E8B6
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\BrUsbSIb.sys 2132A117160F2A96A13C044AE9BCED91
C:\Windows\system32\drivers\BthEnum.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bthpan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BTHport.sys 1153DE2E4F5941E10C399CB5592F78A1
C:\Windows\System32\Drivers\BTHUSB.sys C81E9413A25A439F436B1D4B6A0CF9E9
C:\Windows\System32\drivers\btwampfl.sys 7061FE1715E5ADED120FE4C608609357
C:\Windows\System32\drivers\btwaudio.sys A95B2FB3CA7B555B5CB306153F48CED8
C:\Windows\System32\DRIVERS\btwavdt.sys 1F9CD885F1C548BE93962CCABDB632E4
C:\Windows\System32\DRIVERS\btwl2cap.sys DE53089F0678CB5F0AFEB867ACB0FB05
C:\Windows\System32\DRIVERS\btwrchid.sys A2D6C7B7B62A6C42DCB01204A6BD6FC2
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cmusbser.sys 631155CE46B7DA2AAC47EEDF7EE42EBE
C:\Windows\System32\Drivers\cng.sys 42F158036BD4C2FF3122BF142E60E6FD
C:\Windows\System32\DRIVERS\compbatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\disk.sys ==> MD5 is legit
C:\Windows\System32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys 71BC35067CABC02C9453AEAA42B2E43E
C:\Windows\system32\DRIVERS\evbdx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ETD.sys DF4F000CFC05DEC947D928A8F3ADCD7A
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\fssfltr.sys 491E9D9A26A745F6AE7D570849F4BD87
C:\Windows\System32\Drivers\Fs_Rec.sys 7DAE5EBCC80E45D3253F4923DC424D05
C:\Windows\System32\DRIVERS\fvevol.sys E306A24D9694C724FA2491278BF50FDB
C:\Windows\system32\DRIVERS\gagp30kx.sys ==> MD5 is legit
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\system32\drivers\HdAudio.sys A5EF29D5315111C80A5C1ABAD14C8972
C:\Windows\system32\drivers\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidbth.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\system32\drivers\i8042prt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\iaStor.sys D483687EACE0C065EE772481A96E05F5
C:\Windows\system32\drivers\iaStorV.sys 5CD5F9A5444E6CDCB0AC89BD62D8B76E
C:\Windows\System32\DRIVERS\igdkmd32.sys D0074897C6BC132F3980EA4654BF7FB9
C:\Windows\system32\DRIVERS\iirsp.sys ==> MD5 is legit
C:\Windows\System32\drivers\RTKVHDA.sys F4427E5DF32CDE359B2E2E5512D18001
C:\Windows\system32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdclass.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys B7895B4182C0D16F6EFADEB8081E8D36
C:\Windows\System32\Drivers\ksecpkg.sys 5FE1ABF1AF591A3458C9CF24ED9A4D35
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\megasas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\MpFilter.sys E77DC03DD3C8E5A388BF9EED2A28F3D1
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys 21F4B24ACFC79A483515BD986DD9043F
C:\Windows\System32\DRIVERS\mrxsmb.sys 5D16C921E3671636C0EBA3BBAAC5FD25
C:\Windows\System32\DRIVERS\mrxsmb10.sys 6D17A4791ACA19328C685D256349FEFC
C:\Windows\System32\DRIVERS\mrxsmb20.sys B81F204D146000BE76651A50670A5E9E
C:\Windows\System32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\system32\drivers\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys 8C9C922D71F1CD4DEF73F186416B7896
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\NisDrvWFP.sys 32FF06EC6D946EF791D98D6C838A3090
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys 5E43D2B0EE64123D4880DFA6626DEFDE
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvraid.sys B3E25EE28883877076E0E1FF877D02E0
C:\Windows\system32\drivers\nvstor.sys 4380E59A170D88C4F1022EFF6719A8A4
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys 3F34A1B4C5F6475F320C275E63AFCE9B
C:\Windows\system32\DRIVERS\parvdm.sys ==> MD5 is legit
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql2300.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpvideominiport.sys 65375DF758CA1872AB7EBBBA457FD5E6
C:\Windows\System32\Drivers\RDPWD.sys F031683E6D1FEA157ABB2FF260B51E61
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rfcomm.sys CB928D9E6DAF51879DD6BA8D02F01321
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Rt86win7.sys 7DFD48E24479B68B258D8770121155A0
C:\windows\system32\drivers\rtport.sys 41CE6B172542A9A227E34A45881E1D2A
C:\windows\system32\Drivers\SABI.sys 6E5FBB7CBAEC47038B945D5E9B144A64
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisagp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys E4C2764065D66EA1D2D3EBC28FE99C46
C:\Windows\System32\DRIVERS\srv2.sys 03F0545BD8D4C77FA0AE1CEEDFCC71AB
C:\Windows\System32\DRIVERS\srvnet.sys BE6BD660CAA6F291AE06A718A4FA8ABC
C:\Windows\system32\DRIVERS\stexstor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serscan.sys EDB05BD63148796F23EA78506404A538
C:\Windows\system32\drivers\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpip.sys CA59F7C570AF70BC174F477CFE2D9EE3
C:\Windows\System32\DRIVERS\tcpip.sys CA59F7C570AF70BC174F477CFE2D9EE3
C:\Windows\System32\drivers\tcpipreg.sys 3EEBD3BD93DA46A26E89893C7AB2FF3B
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys 2C2C5AFE7EE4F620D69C23C0617651A8
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\system32\drivers\termdd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tssecsrv.sys B37B08F2E5EEB1A37E448E09BACE1101
C:\Windows\System32\drivers\tsusbflt.sys 9CE253214ACAA5A7D323327D2055EFAA
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\umbus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\umpass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbccgp.sys BD9C55D7023C5DE374507ACC7A14E2AC
C:\Windows\system32\drivers\usbcir.sys 2352AB5F9F8F097BF9D41D5A4718A041
C:\Windows\system32\drivers\usbehci.sys F92DE757E4B7CE9C07C5E65423F3AE3B
C:\Windows\System32\DRIVERS\usbhub.sys 8DC94AEC6A7E644A06135AE7506DC2E9
C:\Windows\system32\drivers\usbohci.sys E185D44FAC515A18D9DEDDC23C2CDF44
C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbscan.sys FC6B21DB4B5B398AB93DBE59CBF11036
C:\Windows\System32\DRIVERS\USBSTOR.SYS F991AB9CC6B908DB552166768176896A
C:\Windows\system32\drivers\usbuhci.sys 68DF884CF41CDADA664BEB01DAF67E3D
C:\Windows\System32\Drivers\usbvideo.sys DE014425522610BEDCA3821BB8C0F1D5
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaagp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\viac7.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwifibus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwififlt.sys 7090D3436EEB4E7DA3373090A23448F7
C:\Windows\system32\DRIVERS\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys 25944D2CC49E0A6C581D02A74B7D6645
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WinUsb.sys A67E5F9A400F3BD1BE3D80613B45F708
C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WSDPrint.sys 553F6CCD7C58EB98D4A8FBDAF283D7A9
C:\Windows\System32\drivers\WudfPf.sys 06E6F32C8D0A3F66D956F57B43A2E070
C:\Windows\System32\DRIVERS\WUDFRd.sys 867C301E8B790040AE9CF6486E8041DF
C:\Windows\System32\DRIVERS\yk62x86.sys 49D10B542DACFBB0E2EBF3E59F83EF21

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-13 06:55 - 2013-11-13 06:55 - 00000000 ____D C:\Users\jubajuba\AppData\Local\Samsung
2013-11-13 00:42 - 2013-11-13 00:42 - 00000000 ____D C:\FRST
2013-11-12 15:22 - 2013-11-12 15:27 - 00003892 _____ C:\Users\jubajuba\Desktop\Rkill.txt
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\x86
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\NisDrv
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\nb-no
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\mpfilter
2013-11-12 14:46 - 2013-10-23 08:01 - 00185664 _____ (Microsoft Corporation) C:\Windows\System32\config\EppManifest.dll
2013-11-12 14:46 - 2013-10-23 05:55 - 00008864 _____ (Microsoft Corporation) C:\Windows\System32\config\setupres.dll
2013-11-12 14:35 - 2013-11-12 14:36 - 00000000 ____D C:\Windows\TempE0580CA0-9BFF-7EDF-486A-0932C0CD364A-Signatures
2013-11-12 12:26 - 2013-11-12 12:26 - 00000000 ____D C:\Users\jubajuba\AppData\Roaming\Malwarebytes
2013-11-12 12:25 - 2013-11-12 12:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-04 01:39 - 2013-11-04 01:39 - 00000000 ____D C:\Users\jubajuba\AppData\Local\Macromedia
2013-10-31 04:50 - 2013-10-31 04:50 - 00000000 ____D C:\Program Files\Google
2013-10-23 07:21 - 2013-10-23 07:21 - 00045728 _____ (Microsoft Corporation) C:\Windows\System32\config\setupres.dll.mui
2013-10-23 07:21 - 2013-10-23 07:21 - 00039072 _____ (Microsoft Corporation) C:\Windows\System32\config\MpEvMsg.dll.mui
2013-10-23 07:21 - 2013-10-23 07:21 - 00009376 _____ (Microsoft Corporation) C:\Windows\System32\config\shellext.dll.mui
2013-10-23 07:10 - 2013-10-23 07:10 - 00094368 _____ (Microsoft Corporation) C:\Windows\System32\config\MsMpRes.dll.mui
2013-10-23 07:07 - 2013-10-23 07:07 - 00051360 _____ (Microsoft Corporation) C:\Windows\System32\config\MpAsDesc.dll.mui
2013-10-23 05:55 - 2013-10-23 05:55 - 00016544 _____ (Microsoft Corporation) C:\Windows\System32\config\msseooberes.dll.mui

==================== One Month Modified Files and Folders =======

2013-11-13 06:59 - 2009-07-13 20:34 - 00010272 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-13 06:59 - 2009-07-13 20:34 - 00010272 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-13 06:55 - 2013-11-13 06:55 - 00000000 ____D C:\Users\jubajuba\AppData\Local\Samsung
2013-11-13 06:54 - 2011-07-02 12:46 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-13 06:52 - 2009-07-13 20:39 - 00081269 _____ C:\Windows\setupact.log
2013-11-13 00:42 - 2013-11-13 00:42 - 00000000 ____D C:\FRST
2013-11-12 15:27 - 2013-11-12 15:22 - 00003892 _____ C:\Users\jubajuba\Desktop\Rkill.txt
2013-11-12 15:24 - 2010-08-10 14:56 - 02095740 _____ C:\Windows\WindowsUpdate.log
2013-11-12 15:05 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\x86
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\NisDrv
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\nb-no
2013-11-12 14:46 - 2013-11-12 14:46 - 00000000 ____D C:\Windows\System32\config\mpfilter
2013-11-12 14:46 - 2013-04-17 23:15 - 00001912 _____ C:\Windows\epplauncher.mif
2013-11-12 14:46 - 2013-04-17 23:11 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-11-12 14:36 - 2013-11-12 14:35 - 00000000 ____D C:\Windows\TempE0580CA0-9BFF-7EDF-486A-0932C0CD364A-Signatures
2013-11-12 14:34 - 2011-02-25 15:37 - 00000000 ____D C:\Program Files\Windows Live
2013-11-12 14:15 - 2011-06-27 09:46 - 00000000 ____D C:\Users\jubajuba\Tracing
2013-11-12 14:06 - 2011-02-27 00:34 - 00241060 _____ C:\Windows\PFRO.log
2013-11-12 14:06 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2013-11-12 12:26 - 2013-11-12 12:26 - 00000000 ____D C:\Users\jubajuba\AppData\Roaming\Malwarebytes
2013-11-12 12:25 - 2013-11-12 12:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-11-04 01:39 - 2013-11-04 01:39 - 00000000 ____D C:\Users\jubajuba\AppData\Local\Macromedia
2013-10-31 04:50 - 2013-10-31 04:50 - 00000000 ____D C:\Program Files\Google
2013-10-31 04:50 - 2011-04-21 14:03 - 00000000 ____D C:\Users\jubajuba\AppData\Local\Google
2013-10-31 04:16 - 2013-05-29 13:53 - 00000000 ____D C:\Users\jubajuba\AppData\Local\CrashDumps
2013-10-23 08:01 - 2013-11-12 14:46 - 00185664 _____ (Microsoft Corporation) C:\Windows\System32\config\EppManifest.dll
2013-10-23 07:21 - 2013-10-23 07:21 - 00045728 _____ (Microsoft Corporation) C:\Windows\System32\config\setupres.dll.mui
2013-10-23 07:21 - 2013-10-23 07:21 - 00039072 _____ (Microsoft Corporation) C:\Windows\System32\config\MpEvMsg.dll.mui
2013-10-23 07:21 - 2013-10-23 07:21 - 00009376 _____ (Microsoft Corporation) C:\Windows\System32\config\shellext.dll.mui
2013-10-23 07:10 - 2013-10-23 07:10 - 00094368 _____ (Microsoft Corporation) C:\Windows\System32\config\MsMpRes.dll.mui
2013-10-23 07:07 - 2013-10-23 07:07 - 00051360 _____ (Microsoft Corporation) C:\Windows\System32\config\MpAsDesc.dll.mui
2013-10-23 05:55 - 2013-11-12 14:46 - 00008864 _____ (Microsoft Corporation) C:\Windows\System32\config\setupres.dll
2013-10-23 05:55 - 2013-10-23 05:55 - 00016544 _____ (Microsoft Corporation) C:\Windows\System32\config\msseooberes.dll.mui
2013-10-22 10:41 - 2011-04-18 12:52 - 00000000 ____D C:\Users\jubajuba\AppData\Local\CMO_V2_D-50
2013-10-22 03:05 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-10-16 13:20 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-10-14 10:49 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\twain_32

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\Backup => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

8
Restore point made on: 2013-10-05 03:03:57
Restore point made on: 2013-10-08 10:00:47
Restore point made on: 2013-10-10 14:36:33
Restore point made on: 2013-10-14 11:02:21
Restore point made on: 2013-10-15 13:54:51
Restore point made on: 2013-10-19 02:36:33
Restore point made on: 2013-10-26 02:46:09
Restore point made on: 2013-10-30 11:31:05

==================== Memory info ===========================

Percentage of memory in use: 40%
Total physical RAM: 1013.3 MB
Available physical RAM: 606.04 MB
Total Pagefile: 1013.3 MB
Available Pagefile: 609.35 MB
Total Virtual: 2047.88 MB
Available Virtual: 1954.21 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:85 GB) (Free:51.4 GB) NTFS
Drive d: () (Fixed) (Total:127.79 GB) (Free:127.56 GB) NTFS
Drive f: (RECOVERY) (Fixed) (Total:20 GB) (Free:6.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (A-DATA UFD) (Removable) (Total:1.88 GB) (Free:1.74 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: AD76995E)
Partition 1: (Not Active) - (Size=20 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=85 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=128 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 04DD5721)
Partition 1: (Active) - (Size=2 GB) - (Type=06)


LastRegBack: 2013-10-22 03:53

==================== End Of Log ============================

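The FRST log above is long, and the entries the helper actually acts on are spread over several sections: the extra executable hanging off the Winlogon Userinit value, the service and the Windows Defender path marked ATTENTION (ZeroAccess), and the drivers whose MD5 FRST did not recognise. Below is an added triage helper that parses this log format and pulls those out; it is not part of this thread and not FRST's own code. The SAMPLE_LOG is constructed from a handful of lines copied from the log above, and the check for a "clean" Userinit assumes Windows is installed on C:. Note the caveat in unverified_driver_hashes: a hash FRST does not whitelist is not evidence of infection by itself, which is why only the ATTENTION lines and the Userinit extra go into the fix.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) text logs.

Added example for the forum thread; not part of FRST. It parses the
'==== Section ====' layout of an FRST log and reports the entries a
helper would look at first.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the thread's FRST log (trimmed).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\ProgramData\d97Xd97X\d97Xd97X.exe -sm,
HKU\jubajuba\...\Run: [Google Update] - [x]

========================== Services (Whitelisted) =================

S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2c568ee7-5781-4788-e48d-a2ef386e3c9f}\   \...\???\{2c568ee7-5781-4788-e48d-a2ef386e3c9f}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

========================== Drivers MD5 =======================

C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys F81BB7E487EDCEAB630A7EE66CF23913
C:\Windows\System32\Drivers\Ntfs.sys 5E43D2B0EE64123D4880DFA6626DEFDE

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+\s*$")        # "==== Name ====" headers
USERINIT_RE = re.compile(r"\[Userinit\]\s*(.+)$")       # Winlogon Userinit value
DRIVER_HASH_RE = re.compile(r"^(.+?\.sys)\s+([0-9A-Fa-f]{32})\s*$")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the section header above them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group(1):                      # a real header, not a bare "====" rule
                current = m.group(1)
                sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def attention_lines(sections: Dict[str, List[str]]) -> List[str]:
    """Lines FRST itself flagged with ATTENTION, wherever they appear."""
    return [l for lines in sections.values() for l in lines if "ATTENTION" in l]


def userinit_extra_entries(value: str) -> List[str]:
    """Every comma-separated Userinit entry that is not userinit.exe itself.

    Winlogon launches each entry in this value at logon, so a clean system
    carries only C:\\Windows\\system32\\userinit.exe here (that is what the
    FRST fix in the thread restores). Assumes Windows lives on C:.
    """
    extras: List[str] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        exe = entry.split()[0].lower()          # drop arguments such as "-sm"
        if exe == "c:\\windows\\system32\\userinit.exe":
            continue
        extras.append(entry)
    return extras


def find_userinit_value(sections: Dict[str, List[str]]) -> str:
    for line in sections.get("Registry (Whitelisted)", []):
        m = USERINIT_RE.search(line)
        if m:
            return m.group(1).strip()
    return ""


def unverified_driver_hashes(sections: Dict[str, List[str]]) -> Dict[str, str]:
    """Drivers whose MD5 FRST did not recognise, as path -> MD5.

    Caveat: "not whitelisted" is not "malicious". OEM and third-party
    drivers and freshly updated Microsoft files land here too; compare the
    hash with the vendor's copy before treating the file as suspect.
    """
    out: Dict[str, str] = {}
    for line in sections.get("Drivers MD5", []):
        if line.endswith("MD5 is legit"):
            continue
        m = DRIVER_HASH_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).upper()
    return out


def triage(text: str) -> dict:
    """Run all checks over one FRST log and return the findings."""
    sections = parse_sections(text)
    return {
        "attention": attention_lines(sections),
        "userinit_extra": userinit_extra_entries(find_userinit_value(sections)),
        "unverified_drivers": unverified_driver_hashes(sections),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

Run against the sample, it reports the two ATTENTION lines, the d97Xd97X.exe entry riding on Userinit, and the two drivers (afd.sys, Ntfs.sys) whose hashes FRST did not whitelist; the last group is a "go verify" list, not a removal list.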


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:03 PM

Posted 13 November 2013 - 02:31 PM

Hello Black Monday



I need you to download this script I have made for you --> Attached File: fixlist.txt (603 bytes)

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo

#5 Black Monday
  • Topic Starter
  • Members
  • 11 posts

Posted 13 November 2013 - 02:42 PM

OK, done.

 

Here is the log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 10-11-2013 01
Ran by SYSTEM at 2013-11-13 20:39:55 Run:2
Running from G:\Sikkerhet
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\ProgramData\d97Xd97X\d97Xd97X.exe -sm,
HKU\jubajuba\...\Run: [Google Update] - [x]
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{2c568ee7-5781-4788-e48d-a2ef386e3c9f}\   \...\???\{2c568ee7-5781-4788-e48d-a2ef386e3c9f}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s


















*****************

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
HKU\jubajuba\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update => Value not found.
*etadpug => Unable to delete service
*etadpug => Service should be removed with FRST outside recovery mode.
Error: DeleteJunctionsInDirectory: C:\Program Files\Windows Defender => entry should be fixed outside recovery mode.
Error: DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client => entry should be fixed outside recovery mode.
Error: DeleteJunctionsIndirectory: C:\Windows\system64 => entry should be fixed outside recovery mode.

=========  Dir /b /a:l "C:\Program Files" /s =========

C:\Program Files\Microsoft Security Client\Backup
C:\Program Files\Microsoft Security Client\Drivers
C:\Program Files\Microsoft Security Client\en-us
C:\Program Files\Microsoft Security Client\nb-no
C:\Program Files\Windows Defender\MpAsDesc.dll
C:\Program Files\Windows Defender\MpClient.dll
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Windows Defender\MpCommu.dll
C:\Program Files\Windows Defender\MpEvMsg.dll
C:\Program Files\Windows Defender\MpOAV.dll
C:\Program Files\Windows Defender\MpRTP.dll
C:\Program Files\Windows Defender\MpSvc.dll
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpCom.dll
C:\Program Files\Windows Defender\MsMpLics.dll
C:\Program Files\Windows Defender\MsMpRes.dll
C:\Program Files\Windows Defender\nb-NO

========= End of CMD: =========


==== End of Fixlog ====
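For a defender reading a fixlog like this one, here is an added example in Python (not code from the thread, from FRST or from the Malware Response Team) that parses a constructed, abridged copy of the log above: it flags the extra Userinit entry, lists which fixlist actions FRST deferred because it ran from the Recovery Environment, and groups the Dir /b /a:l reparse-point listing by product folder.

```python
"""Triage helpers for an FRST fixlog like the one posted above.

Added example for this thread, not code from the thread, from FRST or from the
Malware Response Team.  It reads a constructed, abridged copy of the fixlog,
flags the extra Userinit entry, separates applied from deferred fixlist actions
and groups the "Dir /b /a:l" reparse-point listing by security-product folder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # genuine value, compared case-insensitively

# Constructed sample: an abridged copy of the fixlog posted in the thread.
SAMPLE_FIXLOG = r"""Boot Mode: Recovery

Content of fixlist:
*****************
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\ProgramData\d97Xd97X\d97Xd97X.exe -sm,
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
cmd: Dir /b /a:l "C:\Program Files" /s
*****************

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
*etadpug => Unable to delete service
*etadpug => Service should be removed with FRST outside recovery mode.
Error: DeleteJunctionsInDirectory: C:\Program Files\Windows Defender => entry should be fixed outside recovery mode.

=========  Dir /b /a:l "C:\Program Files" /s =========
C:\Program Files\Microsoft Security Client\Backup
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Windows Defender\MSASCui.exe
========= End of CMD: =========
"""

RESULT_RE = re.compile(r"^(?:Error: )?(?P<target>.+?) => (?P<result>.+)$")
USERINIT_RE = re.compile(r"\[Userinit\]\s*(?P<value>.+)$")


@dataclass
class FixlogSummary:
    boot_mode: str = ""
    userinit_value: str | None = None
    applied: list[str] = field(default_factory=list)   # fixed, or already absent
    failed: list[str] = field(default_factory=list)    # FRST reported an error
    deferred: list[str] = field(default_factory=list)  # must be rerun outside Recovery
    link_dirs: dict[str, list[str]] = field(default_factory=dict)  # product folder -> reparse points


def userinit_extras(value: str) -> list[str]:
    """Every comma-separated Userinit entry that is not the genuine userinit.exe.
    The trailing comma Windows tolerates yields an empty entry and is ignored;
    anything else (here a ProgramData executable) is a logon hijack."""
    entries = (e.strip() for e in value.split(","))
    return [e for e in entries if e and e.lower() != EXPECTED_USERINIT]


def parse_fixlog(text: str) -> FixlogSummary:
    """Walk the fixlog section by section: header, fixlist, results, Dir output."""
    summary, section, star_rows = FixlogSummary(), "header", 0
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Boot Mode:"):
            summary.boot_mode = line.split(":", 1)[1].strip()
        elif line.startswith("*****"):
            # the fixlist body sits between two rows of asterisks; results follow the second
            star_rows += 1
            section = "fixlist" if star_rows == 1 else "results"
        elif line.startswith("=========") and "Dir /b /a:l" in line:
            section = "dir"
        elif line.startswith("========= End of CMD"):
            section = "done"
        elif section == "fixlist":
            m = USERINIT_RE.search(line)
            if m:
                summary.userinit_value = m.group("value")
        elif section == "results":
            m = RESULT_RE.match(line)
            if not m:
                continue
            target, result = m.group("target"), m.group("result").lower()
            if "outside recovery mode" in result:
                summary.deferred.append(target)
            elif "successfully" in result or "not found" in result:
                summary.applied.append(target)
            else:
                summary.failed.append(target)
        elif section == "dir" and line[1:3] == ":\\":
            # key on drive + "Program Files" + product folder
            product_dir = "\\".join(line.split("\\")[:3])
            summary.link_dirs.setdefault(product_dir, []).append(line)
    return summary


def needs_rerun_outside_recovery(summary: FixlogSummary) -> bool:
    """True when FRST ran from the Recovery Environment and left entries undone."""
    return summary.boot_mode.lower() == "recovery" and bool(summary.deferred)
```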



#6 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 13 November 2013 - 08:36 PM

Hello


Please rerun the fix in normal mode and not in recovery


Gringo

#7 Black Monday
  • Topic Starter
  • Members
  • 11 posts

Posted 14 November 2013 - 03:53 PM

Hi again, Gringo and thanks for your continued help.

 

I attempted to run FRST in normal mode, but it crashed during fix. I also tried to run rkill first (maybe I shouldn't have, sorry), and though it did stop a lot of mad processes FRST still crashed during fix.

 

Any suggestions?



#8 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 14 November 2013 - 08:24 PM

Hello Black Monday

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit
2. Unzip the contents to a folder in a convenient location.
3. Open the folder where the contents were unzipped and run mbar.exe
4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6. Wait while the system shuts down and the cleanup process is performed.
7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
    • Internet access
    • Windows Update
    • Windows Firewall
9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10. Verify that your system is now functioning normally.


--RogueKiller--

Download & SAVE to your Desktop: RogueKiller for 32bit or RogueKiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop.
  • Exit/Close RogueKiller.
Send me the reports made from MBAR and RogueKiller and also let me know how the computer is doing at this time.

Gringo

When you are complete please send me both reports.

Gringo

#9 Black Monday
  • Topic Starter
  • Members
  • 11 posts

Posted 16 November 2013 - 06:48 PM

Thanks again, Gringo.

 

I did as you asked:

 

Ran MB anti rootkit. Updated. Scanned. It found one piece of malware. Cleaned it out, restarted. Ran it again: Nothing this time.

 

Checked the functionality: Firewall seems to be working again. Was possible to download from the internet again. Updated with Windows updater and restarted the system.

 

Turned off all the programs in task manager (not all processes). Ran RogueKiller. It found two items it wanted to delete. Deleted them and ran the report.

Now I'm not sure where I find the report from MB Anti Rootkit. As for RogueKiller: Both reports it created on my desktop began with RKreport[0]. One called RKreport[0]_D_11172013_003522 the other RKreport[0]_S_11172013_003318. Pasting the report from the former as this was the one that popped up in notepad when I ran the report, and thus the one you seemed to want (see below). How sure can I be that the system now is functioning well? Perhaps time to run Windows Security Essentials?

 

Here is the report mentioned:

 

RogueKiller V8.7.8 [Nov 14 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : jubajuba [Admin rights]
Mode : Remove -- Date : 11/17/2013 00:35:22
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG HM250HI +++++
--- User ---
[MBR] d77792da6b83652a85088b2d4ace58b4
[BSP] 539b3ceb8f1504a553d1c07fa7dd62ba : KIWI Image system MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 20480 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 41945088 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 42149888 | Size: 87040 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 220407808 | Size: 130853 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_11172013_003522.txt >>
RKreport[0]_S_11172013_003318.txt

 

Thanks again!



#10 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 16 November 2013 - 06:57 PM



Hello Black Monday

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

#11 Black Monday
  • Topic Starter
  • Members
  • 11 posts

Posted 16 November 2013 - 07:35 PM

Thanks for the quick reply.

 

Ran both programs, and reports are below.

 

System seems to be running fine, except I believe Microsoft Security Essentials got screwed up from MB anti rootkit or thereabouts. I get a message at startup each time with the message box heading: "Microsoft Security Client" and text: "An error has occurred in the program during initialization. If this problem continues, please contact your system administrator. Error code: 0x80073b01". I guess uninstalling MSE and giving it a clean install should do the trick?

 

Logs as follows:

 

# AdwCleaner v3.012 - Report created 17/11/2013 at 01:10:12
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Starter Service Pack 1 (32 bits)
# Username : jubajuba - JUBAJUBA-PC
# Running from : C:\Users\jubajuba\Desktop\Anti\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask
File Deleted : C:\Users\jubajuba\AppData\Roaming\Mozilla\Firefox\Profiles\qyatt302.default\searchplugins\Askcom.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [1]
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16736


-\\ Mozilla Firefox v25.0 (nb-NO)

[ File : C:\Users\jubajuba\AppData\Roaming\Mozilla\Firefox\Profiles\qyatt302.default\prefs.js ]

Line Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Line Deleted : user_pref("browser.search.order.1", "Ask.com");

-\\ Google Chrome v

[ File : C:\Users\jubajuba\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2350 octets] - [17/11/2013 01:04:51]
AdwCleaner[S0].txt - [2307 octets] - [17/11/2013 01:10:12]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2367 octets] ##########
 

Second log (JRT):

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Starter x86
Ran by jubajuba on 17.11.2013 at  1:14:28,19
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AB14007C-6D58-4BB6-A414-78634027053B}



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 17.11.2013 at  1:19:36,49
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#12 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 18 November 2013 - 12:39 PM


Hello Black Monday

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#13 Black Monday
  • Topic Starter
  • Members
  • 11 posts

Posted 18 November 2013 - 06:47 PM

Done. Seems the error log is in Norwegian, so let me know if you need help understanding the meaning.

 

System seems to be running fine, except for the aforementioned error message probably related to Microsoft Security Essentials, mentioned before.

 

Here is the log:

 

ComboFix 13-11-18.01 - jubajuba 18.11.2013  23:56:42.1.2 - x86
Microsoft Windows 7 Starter   6.1.7601.1.1252.47.1044.18.1013.452 [GMT 1:00]
Kjører fra: c:\users\jubajuba\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Opprettet nytt gjenopprettingspunkt
.
.
(((((((((((((((((((((((((((((((((((((((   Andre slettinger   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\PFRO.log
.
.
(((((((((((((((((((((((((((   Filer Opprettet Fra 2013-10-18 til 2013-11-18  )))))))))))))))))))))))))))))))))
.
.
2013-11-18 23:08 . 2013-11-18 23:10    --------    d-----w-    c:\users\jubajuba\AppData\Local\temp
2013-11-18 23:08 . 2013-11-18 23:08    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-11-18 22:45 . 2013-11-08 01:15    7772552    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B333FF5D-7BD6-4168-B51A-8767E4394A8F}\mpengine.dll
2013-11-17 00:28 . 2013-11-17 00:28    6429    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2013-11-17 00:28 . 2013-11-17 00:28    63115    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2013-11-17 00:28 . 2013-11-17 00:28    4599    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2013-11-17 00:28 . 2013-11-17 00:28    9310    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2013-11-17 00:28 . 2013-11-17 00:28    8646    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2013-11-17 00:28 . 2013-11-17 00:28    5927    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2013-11-17 00:28 . 2013-11-17 00:28    8613    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2013-11-17 00:28 . 2013-11-17 00:28    1651    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2013-11-17 00:27 . 2013-11-17 00:27    6910    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2013-11-17 00:27 . 2013-11-17 00:27    8288    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2013-11-17 00:27 . 2013-11-17 00:27    6208    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2013-11-17 00:27 . 2013-11-17 00:27    18541    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2013-11-17 00:27 . 2013-11-17 00:27    51852    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2013-11-17 00:27 . 2013-11-17 00:27    20719    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2013-11-17 00:27 . 2013-11-17 00:27    23327    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2013-11-17 00:27 . 2013-11-17 00:27    8782    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2013-11-17 00:27 . 2013-11-17 00:27    7271    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2013-11-17 00:14 . 2013-11-17 00:14    --------    d-----w-    c:\windows\ERUNT
2013-11-17 00:04 . 2013-11-17 00:10    --------    d-----w-    C:\AdwCleaner
2013-11-16 22:40 . 2013-11-16 22:40    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2013-11-16 22:40 . 2013-10-26 01:54    272496    ----a-w-    c:\program files\Mozilla Firefox\browser\components\browsercomps.dll
2013-11-16 22:40 . 2013-10-26 01:53    108144    ----a-w-    c:\program files\Mozilla Firefox\webapprt-stub.exe
2013-11-16 22:40 . 2013-10-26 01:53    170960    ----a-w-    c:\program files\Mozilla Firefox\webapp-uninstaller.exe
2013-11-16 22:40 . 2013-10-26 01:53    28272    ----a-w-    c:\program files\Mozilla Firefox\plugin-hang-ui.exe
2013-11-16 22:40 . 2013-10-26 01:53    130672    ----a-w-    c:\program files\Mozilla Firefox\mozglue.dll
2013-11-16 22:40 . 2013-10-26 01:53    194552    ----a-w-    c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2013-11-16 22:40 . 2013-10-26 01:53    119408    ----a-w-    c:\program files\Mozilla Firefox\maintenanceservice.exe
2013-11-16 22:40 . 2013-10-26 01:53    3459696    ----a-w-    c:\program files\Mozilla Firefox\gkmedias.dll
2013-11-16 22:40 . 2010-03-18 16:15    770384    ----a-w-    c:\program files\Mozilla Firefox\msvcr100.dll
2013-11-16 22:40 . 2010-03-18 16:15    421200    ----a-w-    c:\program files\Mozilla Firefox\msvcp100.dll
2013-11-16 22:40 . 2013-10-26 01:53    75376    ----a-w-    c:\program files\Mozilla Firefox\breakpadinjector.dll
2013-11-16 22:05 . 2013-10-04 01:58    152576    ----a-w-    c:\windows\system32\SmartcardCredentialProvider.dll
2013-11-16 22:05 . 2013-10-04 01:56    168960    ----a-w-    c:\windows\system32\credui.dll
2013-11-16 22:05 . 2013-10-04 01:56    1796096    ----a-w-    c:\windows\system32\authui.dll
2013-11-16 20:42 . 2013-11-16 21:57    105176    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-16 20:41 . 2013-11-16 21:56    75992    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-11-16 20:32 . 2013-10-15 23:20    7796464    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-13 15:29 . 2013-11-13 15:30    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-11-13 15:29 . 2013-04-04 13:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-11-13 14:55 . 2013-11-13 14:55    --------    d-----w-    c:\users\jubajuba\AppData\Local\Samsung
2013-11-13 08:42 . 2013-11-13 08:42    --------    d-----w-    C:\FRST
2013-11-12 22:35 . 2013-11-12 22:36    --------    d-----w-    c:\windows\TempE0580CA0-9BFF-7EDF-486A-0932C0CD364A-Signatures
2013-11-12 20:26 . 2013-11-12 20:26    --------    d-----w-    c:\users\jubajuba\AppData\Roaming\Malwarebytes
2013-11-12 20:25 . 2013-11-12 20:25    --------    d-----w-    c:\programdata\Malwarebytes
2013-11-12 20:25 . 2013-11-12 20:25    --------    d-----w-    c:\users\jubajuba\AppData\Local\Programs
2013-11-04 09:39 . 2013-11-04 09:39    --------    d-----w-    c:\users\jubajuba\AppData\Local\Macromedia
2013-10-31 12:50 . 2013-10-31 12:50    --------    d-----w-    c:\program files\Google
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-15 18:36 . 2013-10-15 18:36    163504    ----a-w-    c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2013-10-08 17:52 . 2013-10-07 12:36    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-08 17:52 . 2011-07-02 22:08    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-27 08:53 . 2013-09-27 08:53    214696    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-09-27 08:53 . 2013-09-27 08:53    104768    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2013-09-14 00:48 . 2013-10-10 19:19    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-09-08 02:07 . 2013-10-10 19:19    1294272    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:03 . 2013-10-10 19:19    231424    ----a-w-    c:\windows\system32\mswsock.dll
2013-08-29 01:51 . 2013-10-10 19:19    3969472    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-08-29 01:51 . 2013-10-10 19:19    3914176    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-08-29 01:50 . 2013-10-10 19:19    1289096    ----a-w-    c:\windows\system32\ntdll.dll
2013-08-29 01:50 . 2013-10-10 19:19    619520    ----a-w-    c:\windows\system32\tdh.dll
2013-08-29 01:48 . 2013-10-10 19:19    640512    ----a-w-    c:\windows\system32\advapi32.dll
2013-08-28 01:04 . 2013-10-10 19:18    2348544    ----a-w-    c:\windows\system32\win32k.sys
2013-08-28 00:57 . 2013-10-10 19:18    434688    ----a-w-    c:\windows\system32\scavengeui.dll
.
.
((((((((((((((((((((((((((((((((   Oppstartspunkter I Registeret   )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke  
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-04-07 8555040]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2010-03-25 1891720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-18 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-18 150552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-4-7 828704]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [2009-07-14 265088]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [2009-07-13 11904]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-03-06 286248]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-02 33320]
R3 cmusbser;Cmotech USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-09-27 104768]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-10-23 280288]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-04-01 109056]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-07-08 322336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc
HPService    REG_MULTI_SZ       HPSLPSVC
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)
.
2013-11-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-07 17:52]
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.nydalen.oslovo.no/
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send bilde til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send side til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 193.213.112.4 130.67.15.198 10.0.0.138
FF - ProfilePath - c:\users\jubajuba\AppData\Roaming\Mozilla\Firefox\Profiles\qyatt302.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - ExtSQL: 2013-11-17 00:52; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\jubajuba\AppData\Roaming\Mozilla\Firefox\Profiles\qyatt302.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: !HIDDEN! 2013-06-09 20:51; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - TOMME PEKERE FJERNET - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LÅSTE REGISTERNØKLER ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-11-19  00:15:21
ComboFix-quarantined-files.txt  2013-11-18 23:15
.
Pre-Run: 60,146,208,768 bytes free
Post-Run: 64,161,914,880 bytes free
.
- - End Of File - - AFDF0E594A97174626DAB66AEB524E42
2E5DEBB2116B3417023E0D6562D7ED07
 



#14 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 November 2013 - 08:34 PM


Hello Black Monday

Go ahead and uninstall MSE and reinstall it, and let me know if it starts working.


At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[image: CFScriptB-4.gif]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --> [donate button] <-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 Black Monday
  • Topic Starter
  • Members
  • 11 posts

Posted 19 November 2013 - 06:45 PM

Thanks again!

OK, done. MSE seems to be working well after I reinstalled. Ran ComboFix in the way you mentioned, and here is the log:


ComboFix 13-11-19.01 - jubajuba 20.11.2013   0:18.2.2 - x86
Microsoft Windows 7 Starter   6.1.7601.1.1252.47.1044.18.1013.434 [GMT 1:00]
Running from: c:\users\jubajuba\Desktop\ComboFix.exe
Command switches used :: c:\users\jubajuba\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((   Files Created From 2013-10-19 to 2013-11-19  )))))))))))))))))))))))))))))))))
.
.
2013-11-19 23:30 . 2013-11-19 23:30    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-11-19 22:45 . 2013-11-19 22:45    62576    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{71EE4626-3E4D-47AA-9043-D698064CC429}\offreg.dll
2013-11-19 22:45 . 2013-11-19 22:45    40392    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{71EE4626-3E4D-47AA-9043-D698064CC429}\MpKsl3fa3f185.sys
2013-11-19 22:32 . 2013-10-17 10:14    719224    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A4CACBC4-80D9-420C-8944-45ECA29A8665}\gapaengine.dll
2013-11-19 22:31 . 2013-11-18 00:28    7772552    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{71EE4626-3E4D-47AA-9043-D698064CC429}\mpengine.dll
2013-11-19 22:27 . 2013-11-19 22:28    --------    d-----w-    c:\program files\Microsoft Security Client
2013-11-19 22:06 . 2013-11-19 22:06    --------    d-----w-    c:\programdata\Oracle
2013-11-19 22:03 . 2013-11-19 22:03    --------    d-----w-    c:\program files\Common Files\Java
2013-11-19 22:03 . 2013-10-08 06:50    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-11-19 21:27 . 2013-11-19 21:27    646144    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2013-11-18 23:15 . 2013-11-19 23:30    --------    d-----w-    c:\users\jubajuba\AppData\Local\temp
2013-11-17 00:14 . 2013-11-17 00:14    --------    d-----w-    c:\windows\ERUNT
2013-11-17 00:04 . 2013-11-17 00:10    --------    d-----w-    C:\AdwCleaner
2013-11-16 22:40 . 2013-11-19 21:51    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2013-11-16 22:05 . 2013-10-04 01:58    152576    ----a-w-    c:\windows\system32\SmartcardCredentialProvider.dll
2013-11-16 22:05 . 2013-10-04 01:56    168960    ----a-w-    c:\windows\system32\credui.dll
2013-11-16 22:05 . 2013-10-04 01:56    1796096    ----a-w-    c:\windows\system32\authui.dll
2013-11-16 20:42 . 2013-11-16 21:57    105176    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-16 20:41 . 2013-11-16 21:56    75992    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-11-13 15:29 . 2013-11-13 15:30    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-11-13 15:29 . 2013-04-04 13:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-11-13 14:55 . 2013-11-13 14:55    --------    d-----w-    c:\users\jubajuba\AppData\Local\Samsung
2013-11-13 08:42 . 2013-11-13 08:42    --------    d-----w-    C:\FRST
2013-11-12 22:35 . 2013-11-12 22:36    --------    d-----w-    c:\windows\TempE0580CA0-9BFF-7EDF-486A-0932C0CD364A-Signatures
2013-11-12 20:26 . 2013-11-12 20:26    --------    d-----w-    c:\users\jubajuba\AppData\Roaming\Malwarebytes
2013-11-12 20:25 . 2013-11-12 20:25    --------    d-----w-    c:\programdata\Malwarebytes
2013-11-12 20:25 . 2013-11-12 20:25    --------    d-----w-    c:\users\jubajuba\AppData\Local\Programs
2013-11-04 09:39 . 2013-11-04 09:39    --------    d-----w-    c:\users\jubajuba\AppData\Local\Macromedia
2013-10-31 12:50 . 2013-10-31 12:50    --------    d-----w-    c:\program files\Google
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-19 10:21 . 2011-03-01 09:09    230048    ------w-    c:\windows\system32\MpSigStub.exe
2013-10-15 18:36 . 2013-10-15 18:36    163504    ----a-w-    c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2013-10-08 17:52 . 2013-10-07 12:36    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-08 17:52 . 2011-07-02 22:08    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-27 08:53 . 2013-09-27 08:53    214696    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-09-27 08:53 . 2013-09-27 08:53    104768    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2013-09-14 00:48 . 2013-10-10 19:19    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-09-08 02:07 . 2013-10-10 19:19    1294272    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:03 . 2013-10-10 19:19    231424    ----a-w-    c:\windows\system32\mswsock.dll
2013-08-29 01:51 . 2013-10-10 19:19    3969472    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-08-29 01:51 . 2013-10-10 19:19    3914176    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-08-29 01:50 . 2013-10-10 19:19    1289096    ----a-w-    c:\windows\system32\ntdll.dll
2013-08-29 01:50 . 2013-10-10 19:19    619520    ----a-w-    c:\windows\system32\tdh.dll
2013-08-29 01:48 . 2013-10-10 19:19    640512    ----a-w-    c:\windows\system32\advapi32.dll
2013-08-28 01:04 . 2013-10-10 19:18    2348544    ----a-w-    c:\windows\system32\win32k.sys
2013-08-28 00:57 . 2013-10-10 19:18    434688    ----a-w-    c:\windows\system32\scavengeui.dll
.
.
((((((((((((((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-04-07 8555040]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2010-03-25 1891720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-18 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-18 150552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-4-7 828704]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [2009-07-14 265088]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [2009-07-13 11904]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-03-06 286248]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-02 33320]
R3 cmusbser;Cmotech USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2013-11-19 108032]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-09-27 104768]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-10-23 280288]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
S1 MpKsl3fa3f185;MpKsl3fa3f185;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{71EE4626-3E4D-47AA-9043-D698064CC429}\MpKsl3fa3f185.sys [2013-11-19 40392]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-04-01 109056]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-07-08 322336]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPFILTER
*NewlyCreated* - MPKSL3FA3F185
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc
HPService    REG_MULTI_SZ       HPSLPSVC
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-07 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nydalen.oslovo.no/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send Image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send Page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 193.213.112.4 130.67.15.198 10.0.0.138
FF - ProfilePath - c:\users\jubajuba\AppData\Roaming\Mozilla\Firefox\Profiles\qyatt302.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - ExtSQL: 2013-11-17 00:52; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\jubajuba\AppData\Roaming\Mozilla\Firefox\Profiles\qyatt302.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: !HIDDEN! 2013-06-09 20:51; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Dlls Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(232)
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
.
Completion time: 2013-11-20  00:35:29
ComboFix-quarantined-files.txt  2013-11-19 23:35
ComboFix2.txt  2013-11-18 23:15
.
Pre-Run: 64,197,537,792 bytes free
Post-Run: 64,144,101,376 bytes free
.
- - End Of File - - AF9BF4149727E76A11BCBE2B39249E70
2E5DEBB2116B3417023E0D6562D7ED07
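The log above still shows several values that rogue AV like Antivirus Security Pro and the ZeroAccess/Sirefef family commonly tamper with: UAC with PromptOnSecureDesktop and EnableVirtualization set to 0, and both Security Center override flags set to 1 so the "no antivirus" and "firewall off" warnings are silenced. The same families are known to stop or delete the firewall, Security Center and update services, which is one way downloads and definition updates end up blocked. The following PowerShell check is an added example for verifying the cleanup; it is not from the thread, and it is not output of ComboFix, FRST or rkill. It assumes an elevated prompt on Windows 7 or later; the Windows 7 default values and the service list are the editor's assumptions, not something the thread states.

```powershell
# Added example, not part of the thread and not produced by ComboFix, FRST or rkill.
# Re-checks, after cleanup, the registry values and services that appear in the
# ComboFix log above. Assumes an elevated prompt on Windows 7 or later; the
# defaults and the service list are the editor's assumptions.

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wsc    = 'HKLM:\SOFTWARE\Microsoft\Security Center'

# Registry path, value name, Windows 7 default, and what a changed value means.
# In the log above PromptOnSecureDesktop and EnableVirtualization are 0 and both
# override flags are 1, so all four would be reported as MODIFIED.
$expected = @(
    @{ Path=$policy; Name='EnableLUA';                  Default=1; Why='0 turns UAC off' },
    @{ Path=$policy; Name='ConsentPromptBehaviorAdmin'; Default=5; Why='0 elevates admins silently' },
    @{ Path=$policy; Name='PromptOnSecureDesktop';      Default=1; Why='0 lets another process drive the UAC prompt' },
    @{ Path=$policy; Name='EnableVirtualization';       Default=1; Why='0 disables file/registry virtualization' },
    @{ Path=$wsc;    Name='AntiVirusOverride';          Default=0; Why='1 hides the "no antivirus" warning' },
    @{ Path=$wsc;    Name='FirewallOverride';           Default=0; Why='1 hides the "firewall off" warning' }
)

function Test-RegistryDefaults {
    foreach ($e in $expected) {
        # Read one value; a missing value means the OS default applies.
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        if ($null -eq $actual) {
            $state = 'absent (default applies)'
        } elseif ($actual -eq $e.Default) {
            $state = 'OK'
        } else {
            $state = 'MODIFIED: {0} (default {1}) - {2}' -f $actual, $e.Default, $e.Why
        }
        '{0,-28} {1}' -f $e.Name, $state
    }
}

# Services these families commonly stop or remove (editor's list). WinDefend is
# left out because installing MSE disables it by design, which is why the log
# reports Windows Defender as Disabled.
$services = 'wscsvc', 'MpsSvc', 'BFE', 'MsMpSvc', 'wuauserv', 'BITS', 'iphlpsvc'

function Test-SecurityServices {
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # A deleted service key, not merely a stopped service, means cleanup is incomplete.
            "$name : MISSING (service key deleted)"
        } elseif ($svc.Status -ne 'Running') {
            # Get-WmiObject rather than Get-CimInstance so this also runs on Windows 7 / PowerShell 2.0.
            $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
            "$name : $($svc.Status), start type $mode"
        } else {
            "$name : Running"
        }
    }
}

Test-RegistryDefaults
Test-SecurityServices
```

Any line reported as MODIFIED or MISSING should be restored to its default (for the override flags, deleting the value is enough) and the machine rescanned, because a service key that is still missing after a cleanup pass usually means a component of the infection has not been found yet.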
 





