Infected from fake installer


9 replies to this topic

#1 WardenRo

  • Members
  • 13 posts

Posted 18 February 2014 - 02:28 AM

Hello everyone. I am using Microsoft Windows 7.

 

Thursday February 13th I got infected by a fake installer. At the end something popped up in the bottom right taskbar about 30 days until encryption expiration.

 

Anyway, I knew at that point that something was wrong so tried to disinfect but I can't seem to do it properly. In the weekend I kept having "iexplore.exe" processes pop up (although I'm using exclusively Firefox) and they kept restarting. Now I saw some "twunk_32.exe" (or something like that) processes linked to "twain.dll".

 

TDSS found a rootkit initially, then I removed the original "twunk" processes with Malwarebytes. The said processes reappeared after I left the computer over night to scan with Norton Internet Security.

 

I also have some encrypted folders in C:\, "Documents and Settings" for example, with a small lock icon and I cannot open them.

 

Any idea how I can solve this?




#2 boopme

  • Global Moderator
  • 73,329 posts
  • Location:NJ USA

Posted 18 February 2014 - 02:23 PM

Hello, what did TDSS remove?

The Twunk is part of a Digital image application you installed.

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
ADW Cleaner

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
    <-insert any special instructions here for what to uncheck OR remove this line if there are none->
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Last run ESET.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

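A defender-side check for two of the MiniToolBox sections requested above (FF proxy settings and hosts content), added here as an example that is not part of the thread or of MiniToolBox itself: it splits a Result.txt-style report into its sections, flags a Firefox HTTP proxy that points off the machine, and flags hosts-file redirects of certificate-revocation or update hosts. Firefox only honours a manual proxy when network.proxy.type is 1, so a proxy value left behind with type 0 is reported as configured but not active. The sample report, the 10.9.8.7 proxy address and the watch-list prefixes are constructed for this example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout MiniToolBox writes to Result.txt
# (not the thread's own log; proxy address and hostnames are made up).
SAMPLE_RESULT = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.http", "10.9.8.7"
"network.proxy.http_port", 8080
"network.proxy.type", 1

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
127.0.0.1 localhost
127.0.0.1 crl.verisign.net
127.0.0.1 ads.example.invalid

========================= IP Configuration: ================================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?):\s*=+\s*$")   # "===== Name: ====="
PREF_RE = re.compile(r'^"([^"]+)",\s*(.+?)\s*$')     # '"pref.name", value'

# Hostname prefixes whose redirection to loopback blocks revocation checks or updates.
WATCH_PREFIXES = ("crl.", "ocsp.", "update.", "windowsupdate.")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-blank report lines under the '===== Name: =====' heading above them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def firefox_proxy_prefs(lines: List[str]) -> Dict[str, str]:
    """Parse the '"pref", value' lines into a dict, unquoting string values."""
    prefs: Dict[str, str] = {}
    for line in lines:
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip('"')
    return prefs


def hosts_overrides(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts lines, skipping comments and localhost."""
    pairs: List[Tuple[str, str]] = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names if n.lower() != "localhost")
    return pairs


def findings(text: str) -> List[str]:
    """Flag an off-box Firefox proxy and hosts-file overrides of watched hostnames."""
    out: List[str] = []
    sections = split_sections(text)
    prefs = firefox_proxy_prefs(sections.get("FF Proxy Settings", []))
    host = prefs.get("network.proxy.http")
    if host:
        try:
            is_local = ipaddress.ip_address(host).is_loopback
        except ValueError:
            is_local = host.lower() == "localhost"
        # network.proxy.type 1 = manual proxy in use; 0 = direct connection,
        # i.e. the value is present but Firefox is not routing through it.
        active = prefs.get("network.proxy.type") == "1"
        if not is_local:
            port = prefs.get("network.proxy.http_port", "?")
            state = "ACTIVE" if active else "configured but not active"
            out.append(f"Firefox HTTP proxy {host}:{port} ({state})")
    for ip, name in hosts_overrides(sections.get("Hosts content", [])):
        if name.startswith(WATCH_PREFIXES) or ".verisign." in name:
            out.append(f"hosts file redirects {name} -> {ip}")
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_RESULT):
        print(finding)
```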

#3 WardenRo

  • Topic Starter
  • Members
  • 13 posts

Posted 18 February 2014 - 04:39 PM

Thank you very much for the assistance. I think FF was forced to run through a proxy :( . Time to change all my passwords...

 

I don't remember what rootkit TDSSKiller removed, but Norton just contained "wincrt.exe" earlier, this file was also cleaned previously during my attempts to fix the issue.

 

The "twunk_32.exe" process was removed as Malwarebytes removed a virus, so it wasn't something I was using :).

 

I ran ESET previously but will do so again now. Meanwhile, here are the other three logs:

 

MiniToolBox by Farbar  Version: 23-01-2014
Ran by Radu (administrator) on 18-02-2014 at 23:18:44
Running from "D:\Browser downloads"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.http", "172.22.7.20"
"network.proxy.http_port", 80
"network.proxy.socks_remote_dns", true
"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
#         Any other entries you had go here (new line no # no space);  
127.0.0.1 localhost
127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net

========================= IP Configuration: ================================

Atheros AR9285 Wireless Network Adapter = Wireless Network Connection (Connected)
JMicron PCI Express Gigabit Ethernet Adapter = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Radu-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Mixed
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 22-25-D3-CF-22-80
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : energydot.ro
   Description . . . . . . . . . . . : JMicron PCI Express Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : E0-CB-4E-4A-69-E0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter
   Physical Address. . . . . . . . . : 00-25-D3-CF-22-80
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e83b:bbda:6bd1:9dd5%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, February 18, 2014 9:13:00 AM
   Lease Expires . . . . . . . . . . : Wednesday, February 19, 2014 7:03:37 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 184559059
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-0A-24-1F-00-25-D3-CF-22-80
   DNS Servers . . . . . . . . . . . : 193.231.252.1
                                       213.154.124.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{296218E3-E164-46E4-B472-67C92F3E640D}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{EA694DF2-3308-4B44-88DC-36EB4D9F0BA5}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:2491:3cb3:43e5:7cab(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2491:3cb3:43e5:7cab%14(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.energydot.ro:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Reusable ISATAP Interface {5B79F98A-15E0-440E-970F-7FFF7AF83A51}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  193.231.252.1

Name:    google.com
Addresses:  2a00:1450:400d:804::1009
      173.194.39.165
      173.194.39.166
      173.194.39.167
      173.194.39.168
      173.194.39.169
      173.194.39.174
      173.194.39.160
      173.194.39.161
      173.194.39.162
      173.194.39.163
      173.194.39.164


Pinging google.com [173.194.39.166] with 32 bytes of data:
Reply from 173.194.39.166: bytes=32 time=34ms TTL=53
Reply from 173.194.39.166: bytes=32 time=34ms TTL=53

Ping statistics for 173.194.39.166:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 34ms, Maximum = 34ms, Average = 34ms
Server:  dns2.rcs-rds.ro
Address:  193.231.252.1

Name:    yahoo.com
Addresses:  98.138.253.109
      98.139.183.24
      206.190.36.45


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=137ms TTL=50
Reply from 98.139.183.24: bytes=32 time=137ms TTL=50

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 137ms, Maximum = 137ms, Average = 137ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 16...22 25 d3 cf 22 80 ......Microsoft Virtual WiFi Miniport Adapter
 13...e0 cb 4e 4a 69 e0 ......JMicron PCI Express Gigabit Ethernet Adapter
 10...00 25 d3 cf 22 80 ......Atheros AR9285 Wireless Network Adapter
  1...........................Software Loopback Interface 1
 23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.102     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.102    281
    192.168.1.102  255.255.255.255         On-link     192.168.1.102    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.102    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.102    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.102    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 14     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 14     58 2001::/32                On-link
 14    306 2001:0:9d38:6abd:2491:3cb3:43e5:7cab/128
                                    On-link
 10    281 fe80::/64                On-link
 14    306 fe80::/64                On-link
 14    306 fe80::2491:3cb3:43e5:7cab/128
                                    On-link
 10    281 fe80::e83b:bbda:6bd1:9dd5/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    306 ff00::/8                 On-link
 10    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/18/2014 09:04:33 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (02/16/2014 09:26:23 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (02/16/2014 09:24:26 PM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000041d
Fault offset: 0x74bd4f0d
Faulting process id: 0x1bf4
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/16/2014 09:18:01 PM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000041d
Fault offset: 0x74bd4f0d
Faulting process id: 0x16d0
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/16/2014 09:17:44 PM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000041d
Fault offset: 0x74bd4f0d
Faulting process id: 0x1fd4
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/15/2014 05:44:53 PM) (Source: Application Hang) (User: )
Description: The program winamp.exe version 5.5.7.2830 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: ecc

Start Time: 01cf2a64b5bfa0cd

Termination Time: 16

Application Path: C:\Program Files (x86)\Winamp\winamp.exe

Report Id: 1ae588ab-9658-11e3-8e00-e0cb4e4a69e0

Error: (02/15/2014 05:03:11 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (02/15/2014 01:58:52 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (02/15/2014 01:35:42 AM) (Source: Application Error) (User: )
Description: Faulting application name: CS6ServiceManager.exe, version: 3.0.0.389, time stamp: 0x4f5a20ec
Faulting module name: ntdll.dll, version: 6.1.7601.18229, time stamp: 0x51fb1072
Exception code: 0xc0000374
Fault offset: 0x000ce753
Faulting process id: 0xfac
Faulting application start time: 0xCS6ServiceManager.exe0
Faulting application path: CS6ServiceManager.exe1
Faulting module path: CS6ServiceManager.exe2
Report Id: CS6ServiceManager.exe3

Error: (02/06/2014 08:04:41 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 75318


System errors:
=============
Error: (02/18/2014 09:19:48 AM) (Source: Service Control Manager) (User: )
Description: The Windows Modules Installer service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (02/18/2014 09:11:58 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (02/18/2014 01:50:01 AM) (Source: BugCheck) (User: )
Description: 0x00000116 (0xfffffa800bfc3010, 0xfffff88004db4408, 0x0000000000000000, 0x0000000000000002)C:\Windows\MEMORY.DMP021814-32027-01

Error: (02/18/2014 01:49:54 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 1:48:24 AM on ?2/?18/?2014 was unexpected.

Error: (02/17/2014 08:42:30 PM) (Source: ACPI) (User: )
Description: ACPI: ACPI BIOS is attempting to write to an illegal PCI Operation Region (0x4), Please contact your system vendor for technical assistance.

Error: (02/17/2014 08:42:30 PM) (Source: ACPI) (User: )
Description: ACPI: ACPI BIOS is attempting to write to an illegal PCI Operation Region (0x4), Please contact your system vendor for technical assistance.

Error: (02/16/2014 11:48:10 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (02/15/2014 05:13:12 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 4 on XP, Server 2003, Vista, Windows 7, Server 2008, Server 2008 R2 for x64 (KB2901110).

Error: (02/15/2014 05:13:08 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (02/15/2014 02:18:08 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2013-12-24 02:17:28.623
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-12-24 02:17:28.514
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-12-24 02:13:35.509
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-12-24 02:13:35.400
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-12-24 02:11:36.917
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-12-24 02:11:36.792
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-12-24 01:43:53.262
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-12-24 01:43:53.169
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-12-24 01:39:03.039
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-12-24 01:39:02.898
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


=========================== Installed Programs ============================

µTorrent (Version: 3.3.2.30416)
Ableton Live 9 Suite (Version: 9.0.0.0)
Ace Poker Drills (Version: 1.0)
Acrobat.com (Version: 2.0.0)
Acrobat.com (Version: 2.0.0.0)
ActiveState ActivePython 2.7.2.5 (32-bit) (Version: 2.7.5)
Addictive Drums
Adobe After Effects CS5.5 (Version: 10.5)
Adobe AIR (Version: 2.5.1.17730)
Adobe Community Help (Version: 3.4.980)
Adobe Flash Player 11 Plugin (Version: 11.7.700.257)
Adobe Flash Player 12 ActiveX (Version: 12.0.0.44)
Adobe Photoshop CS6 (Version: 13.0)
Adobe Premiere Pro CS5.5 (Version: 5.5)
Adobe Reader XI (11.0.05) (Version: 11.0.05)
Adobe Shockwave Player 11.5 (Version: 11.5.6.606)
Adobe Story (Version: 1.0.571)
Apple Application Support (Version: 2.3.6)
Apple Mobile Device Support (Version: 7.0.0.117)
Apple Software Update (Version: 2.1.3.127)
Arturia Minimoog V v1.0
ATI Catalyst Install Manager (Version: 3.0.820.0)
ATK Package (Version: 1.0.0001)
Audacity 1.3.11 (Unicode)
Audacity 2.0.3 (Version: 2.0.3)
Bonjour (Version: 3.0.0.10)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Core Implementation (Version: 2009.1118.1260.23275)
Catalyst Control Center Graphics Full Existing (Version: 2009.1118.1260.23275)
Catalyst Control Center Graphics Full New (Version: 2009.1118.1260.23275)
Catalyst Control Center Graphics Light (Version: 2009.1118.1260.23275)
Catalyst Control Center Graphics Previews Common (Version: 2009.1118.1260.23275)
Catalyst Control Center Graphics Previews Vista (Version: 2009.1118.1260.23275)
Catalyst Control Center InstallProxy (Version: 2011.0309.2206.39672)
Catalyst Control Center Localization All (Version: 2009.1118.1260.23275)
CCC Help Chinese Standard (Version: 2009.1118.1259.23275)
CCC Help Chinese Traditional (Version: 2009.1118.1259.23275)
CCC Help Czech (Version: 2009.1118.1259.23275)
CCC Help Danish (Version: 2009.1118.1259.23275)
CCC Help Dutch (Version: 2009.1118.1259.23275)
CCC Help English (Version: 2009.1118.1259.23275)
CCC Help Finnish (Version: 2009.1118.1259.23275)
CCC Help French (Version: 2009.1118.1259.23275)
CCC Help German (Version: 2009.1118.1259.23275)
CCC Help Greek (Version: 2009.1118.1259.23275)
CCC Help Hungarian (Version: 2009.1118.1259.23275)
CCC Help Italian (Version: 2009.1118.1259.23275)
CCC Help Japanese (Version: 2009.1118.1259.23275)
CCC Help Korean (Version: 2009.1118.1259.23275)
CCC Help Norwegian (Version: 2009.1118.1259.23275)
CCC Help Polish (Version: 2009.1118.1259.23275)
CCC Help Portuguese (Version: 2009.1118.1259.23275)
CCC Help Russian (Version: 2009.1118.1259.23275)
CCC Help Spanish (Version: 2009.1118.1259.23275)
CCC Help Swedish (Version: 2009.1118.1259.23275)
CCC Help Thai (Version: 2009.1118.1259.23275)
CCC Help Turkish (Version: 2009.1118.1259.23275)
ccc-core-static (Version: 2009.1118.1260.23275)
ccc-utility64 (Version: 2009.1118.1260.23275)
Conexant HD Audio (Version: 4.98.18.65)
CyberLink PowerDirector (Version: 8.0.1930)
DreamStation DXi2
Dropbox (Version: 2.0.22)
eLicenser Control
ETDWare PS/2-x64 7.0.5.9_WHQL
Fast Boot (Version: 1.0.4)
FFmpeg v0.6.2 for Audacity
Final Draft (Version: 8.0.1.89)
Final Effects Complete 6.0.0 64Bit (Version: 6.00.0000)
Free Video to iPhone Converter version 3.3.4.920
Full Tilt Poker.Eu (Version: 4.65.0.WIN.FullTilt.EU)
get_iplayer 4.6 (Version: 4.6)
Guitar Pro 5.2
iCloud (Version: 3.0.2.163)
ImTOO DVD Ripper Ultimate 6 (Version: 6.0.12.1105)
Intel® Management Engine Components (Version: 6.0.0.1179)
iPhone Backup Extractor (Version: 4.0.9.0)
iTunes (Version: 11.1.3.8)
iZotope Ozone 4 (Version: 4.00)
iZotope Vinyl (Version: 1.61)
JMicron Ethernet Adapter NDIS Driver (Version: 6.0.11.10)
JMicron Flash Media Controller Driver (Version: 1.0.33.2)
Leak Buster X NL (Version: 1.0)
Live 8.1
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.4518.1014)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Professional Plus 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86_x64 (Version: 80.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_ATL_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86 (Version: 1.00.0000)
MobileMe Control Panel (Version: 3.1.8.0)
MODEM Mobile Connection (Version: 1.0.0.1)
Mozilla Firefox 27.0.1 (x86 en-US) (Version: 27.0.1)
Mozilla Maintenance Service (Version: 27.0.1)
Native Instruments Massive (Version: 1.3.0.2050)
Native Instruments Service Center (Version: 2.2.6.676)
Norton Internet Security (Version: 21.1.0.18)
PDF Settings CS6 (Version: 11.0)
PokerStars.eu
PokerStove version 1.24
PokerTracker 4 (remove only)
PostgreSQL 9.0  (Version: 9.0)
Prophet-V2 2.5.1 (Version: 2.5.1)
PxMergeModule (Version: 1.00.0000)
QuickTime (Version: 7.74.80.86)
Radio Downloader (Version: 0.20.0.0)
Radmin Viewer 3.4 (Version: 3.40.0000)
Rapoo T6 Mouse Driver V1.1
Ray-Ban Virtual Mirror
Scrivener (Version: 102)
Skype™ 6.11 (Version: 6.11.102)
SMPlayer 0.8.6.0 (Version: 0.8.6.0)
SONAR X1 Producer (Version: 18.0)
SpeedFan (remove only)
SPL Analog Code Transient Designer VST RTAS v1.1
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
USB 2.0 UVC 1.3M WebCam
VCDS Release 11.11.0 (Version: 11.11.0)
Vegas Movie Studio HD Platinum 10.0 (Version: 10.0.179)
Waves Mercury Bundle (Version: 5.0)
WIDCOMM Bluetooth Software (Version: 6.2.0.9600)
Winamp (Version: 5.572 )
Winamp Detector Plug-in (Version: 1.0.0.1)
Windows Driver Package - Ross-Tech USB Driver Package (08/16/2011 2.08.14) (Version: 08/16/2011 2.08.14)
Windows XP Mode (Version: 1.3.7600.16423)
WinRAR archiver
Wireless Console 3 (Version: 3.0.14)
Yahoo! Messenger

========================= Memory info: ===================================

Percentage of memory in use: 66%
Total physical RAM: 3948.55 MB
Available physical RAM: 1341.45 MB
Total Pagefile: 7895.28 MB
Available Pagefile: 4199.86 MB
Total Virtual: 4095.88 MB
Available Virtual: 3974.68 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:146.39 GB) (Free:25.28 GB) NTFS
2 Drive d: () (Fixed) (Total:319.28 GB) (Free:38.01 GB) NTFS

========================= Users: ========================================

User accounts for \\RADU-PC

Administrator            Guest                    postgres                 
Radu                     


**** End of log ****
 

# AdwCleaner v3.019 - Report created 18/02/2014 at 23:24:26
# Updated 17/02/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Radu - RADU-PC
# Running from : D:\Browser downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Radu\AppData\Roaming\Mozilla\Firefox\Profiles\x3ttg6iy.default\StumbleUpon

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\FLEXnet

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7601.17514


-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\Radu\AppData\Roaming\Mozilla\Firefox\Profiles\x3ttg6iy.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [4559 octets] - [15/02/2014 02:16:05]
AdwCleaner[R1].txt - [985 octets] - [16/02/2014 21:18:39]
AdwCleaner[R2].txt - [1121 octets] - [18/02/2014 23:23:47]
AdwCleaner[S0].txt - [4535 octets] - [15/02/2014 02:17:52]
AdwCleaner[S1].txt - [1008 octets] - [18/02/2014 23:24:26]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1068 octets] ##########
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.1 (02.04.2014:1)
OS: Windows 7 Professional x64
Ran by Radu on Tue 02/18/2014 at 23:27:27.85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] "hkey_current_user\software\classes\typelib\{006ad7b2-968a-11de-88c9-5bde55d89593}"



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Radu\AppData\Roaming\mozilla\firefox\profiles\x3ttg6iy.default\minidumps [159 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/18/2014 at 23:36:06.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#4 boopme

Posted 18 February 2014 - 08:20 PM

OK, there are a couple of steps to do, but we need to wait for the ESET results.


BTW
wincrt.exe
Command: C:\Windows\System32\wincrt.exe

Description:

Trojan that displays fake security warnings on your computer. This Trojan is part of the Smitfraud family of malware. You should use the guide below to remove this infection and other malware typically installed with it.

Edited by boopme, 18 February 2014 - 08:20 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 WardenRo

Posted 19 February 2014 - 02:07 PM

Thanks again for the update.

 

Right now I'm running ESET, it takes quite a while, but it already found 4 files infected, three of which are "Win32/Kryptik.BVGS.trojan" and "Win32/Kryptik.BVJM.trojan".

 

I will post the export from ESET when it finishes.

 

Just to confirm - should I NOT clean using ESET at the end of the scan?



#6 boopme

Posted 19 February 2014 - 02:34 PM

You can clean these; they are bad.

#7 WardenRo

Posted 19 February 2014 - 03:31 PM

Ok, thanks for confirming.

 

ESET finished:

 

C:\Program Files\Windows XP Mode\Security\Manager\temp\tmp1C27.exe    multiple threats    deleted - quarantined
C:\Users\Radu\AppData\Roaming\Adobe\acupx217.dll    a variant of Win32/Kryptik.BVGS trojan    cleaned by deleting - quarantined
C:\Users\Radu\AppData\Roaming\wincrt\m_bin\mservices.exe    a variant of Win32/Kryptik.BVJM trojan    cleaned by deleting - quarantined
C:\Windows\pss\EPUHelp.exe.Startup    a variant of Win32/Kryptik.BVGS trojan    cleaned by deleting - quarantined
 

What should I do now?



#8 boopme

Posted 19 February 2014 - 04:30 PM

Do you still have the lock Icon on some folders?

If so, look at Remove the Lock Icon from a Folder



#9 WardenRo

Posted 19 February 2014 - 05:23 PM

Yes, I still have the lock on some folders, luckily on some folders that I don't think I'm using.

 

I tried to add the appropriate access to my username but I receive an "Access Denied" message. The problem is that even the SYSTEM account doesn't have access to the said folders.

 

EDIT: Actually, it seems to only affect the "C:\Documents and Settings" folder, which is not used in Windows 7 :)

 

Would it be safe to say that now the infection is completely removed?


Edited by WardenRo, 19 February 2014 - 05:26 PM.
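An added check, not part of the thread and not from either poster: on Windows 7 the "C:\Documents and Settings" entry is not a real folder but a compatibility junction to C:\Users, shipped with an explicit deny for Everyone on "List folder / read data". That stock deny is why opening it fails even as SYSTEM and why Explorer draws the lock overlay on it, so it is not by itself evidence that the infection touched it. The PowerShell below (assumed to be run from an elevated prompt; the $Path parameter and its default are my assumptions) tells that case apart from a folder whose permissions were really changed: it reports whether the path is a reparse point, shows the junction target via dir /al, and lists only the explicit (non-inherited) ACEs that icacls prints.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Distinguishes the Windows 7 "Documents and Settings" junction (expected to be
# locked) from a folder whose ACL was actually modified.
param(
    [string]$Path = 'C:\Documents and Settings'   # assumed default; pass any folder
)

# -Force is needed because the junction is hidden+system.
$item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

# Junctions and symlinks carry the ReparsePoint attribute.
$isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)

"Path:          $($item.FullName)"
"Attributes:    $($item.Attributes)"
"Reparse point: $isReparse"

if ($isReparse) {
    # 'dir /al' lists the junctions in the parent directory together with their
    # targets, e.g. "Documents and Settings [C:\Users]".
    cmd /c "dir /al `"$($item.Parent.FullName)`"" |
        Select-String -SimpleMatch $item.Name |
        ForEach-Object { "Junction:      $($_.Line.Trim())" }
}

# icacls marks inherited ACEs with (I); anything without that flag was set
# explicitly on this object. A stock Windows 7 junction shows an
# "Everyone:(DENY)(S,RD)" entry here, which is normal. On an ordinary data
# folder, explicit DENY entries or a missing SYSTEM/Administrators entry are
# what to look at.
"Explicit ACEs (icacls, non-inherited only):"
icacls $item.FullName |
    Where-Object { $_ -match ':\(' -and $_ -notmatch '\(I\)' } |
    ForEach-Object { "  " + $_.Trim() }
```

Run it once against the locked path and once against a folder you know is healthy; if the locked path reports a reparse point with a C:\Users target and its only explicit deny is the Everyone (S,RD) entry, it is the operating system's own junction. A real data folder that shows explicit DENY entries, or no SYSTEM and Administrators entries at all, is the case where taking ownership and resetting permissions (what the linked "Remove the Lock Icon from a Folder" guide walks through) applies.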


#10 boopme

Posted 19 February 2014 - 08:32 PM

Hello, as these Kryptik are password stealing Trojans and contain backdoor functionality that allows unauthorized access and control of an affected computer, we should still get a deeper look to be sure.

Please follow this Preparation Guide, do steps 6,7 and 8 and post in a new topic.
Let me know if all went well.



