
Author Topic: USED INFECTED USB  (Read 10666 times)


    hassaan123 (Topic Starter; Experience: Experienced; OS: Windows 8)
    USED INFECTED USB
    « on: August 13, 2013, 01:33:07 PM »
    Hello,
             I used a USB at work and later found out that it was infected. It had the autorun and shortcut viruses etc. I won't be using it again, but ever since, my PC stops randomly at times and it's much slower now. Actually a lot slower. The logs are pasted.

    ADW LOG

    # AdwCleaner v2.306 - Logfile created 08/14/2013 at 00:19:27
    # Updated 19/07/2013 by Xplode
    # Operating system : Windows 8 Single Language  (64 bits)
    # User : hassaan - MYPC
    # Boot Mode : Normal
    # Running from : C:\Users\hassaan\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****


    ***** [Registry] *****

    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v10.0.9200.16384

    [OK] Registry is clean.

    -\\ Mozilla Firefox v22.0 (en-US)

    File : C:\Users\hassaan\AppData\Roaming\Mozilla\Firefox\Profiles\x3jt7h3g.default\prefs.js

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [1345 octets] - [14/08/2013 00:19:27]

    ########## EOF - C:\AdwCleaner[S1].txt - [1405 octets] ##########





    MBAM LOG
    Malwarebytes Anti-Malware (Trial) 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.08.13.05

    Windows 8 x64 NTFS
    Internet Explorer 10.0.9200.16384
    hassaan :: MYPC [administrator]

    Protection: Disabled

    8/14/2013 12:23:04 AM
    mbam-log-2013-08-14 (00-23-04).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 213082
    Time elapsed: 2 minute(s), 49 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\hassaan\LOCALS~1\Temp\ccavnhopi.exe -> Delete on reboot.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)




    Security checkup log

     Results of screen317's Security Check version 0.99.72 
       x64 (UAC is enabled) 
     Internet Explorer 10 
    ``````````````Antivirus/Firewall Check:``````````````
     Windows Security Center service is not running! This report may not be accurate!
     Windows Firewall Enabled! 
    Windows Defender   
     WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.75.0.1300 
     Adobe Flash Player    11.7.700.224 
     Mozilla Firefox 22.0 Firefox out of Date! 
    ````````Process Check: objlist.exe by Laurent```````` 
     Malwarebytes' Anti-Malware mbamscheduler.exe   
    `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:  %
    ````````````````````End of Log``````````````````````




    SuperDave (Malware Removal Specialist; Genius; Experience: Expert; OS: Windows 10)
    Re: USED INFECTED USB
    « Reply #1 on: August 13, 2013, 05:11:40 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Download Panda USB and AutoRun Vaccine and save it to your desktop.

    * Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
    * Open that folder and double-click on USBVaccine.exe to start the program.
    * Click Run
    * Click the button to Vaccinate computer.
    * Insert your USB flash drive.
    * When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
    * Exit Panda USB and AutoRun Vaccine when done.

    Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
    ******************************************
    Please download Junkware Removal Tool to your desktop.

    Warning! Once the scan is complete JRT will shut down your browser with NO warning.

    Shut down your protection software now to avoid potential conflicts.

    •Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    •Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

    •The tool will open and start scanning your system.

    •Please be patient as this can take a while to complete depending on your system's specifications.

    •On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

    •Copy and Paste the JRT.txt log into your next message.
    *********************************************
    Download Combofix from any of the links below, and save it to your DESKTOP
    If your version of Windows defaults to you download folder you will need to copy it to your desktop.

    Link 1
    Link 2
    Link 3

    To prevent your anti-virus application interfering with  ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
    • Close any open windows and double click ComboFix.exe to run it.

      You will see the following image:


    Click I Agree to start the program.

    ComboFix will then extract the necessary files and you will see this:



    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

    It will allow you to boot up into a special recovery/repair  mode that will allow us to more easily help you should your computer  have a problem after an attempted removal of malware.

    If you did not have it installed, you will see the prompt below. Choose YES.



    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

    Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

    Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
    Windows 8 and Windows 10 dual boot with two SSD's
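The checks behind the vaccination step above, as an added example that is not part of the thread or of Panda's tool. Two caveats a practitioner would add: Windows 7 with the 2011 AutoRun update and Windows 8 already ignore autorun.inf on USB storage, so the vaccine mainly protects older machines the stick is plugged into; and the "shortcut virus" the first post describes does not need AutoRun at all, it hides the real folders (Hidden+System) and drops .lnk files of the same names that launch the payload when the user double-clicks them. The script below assumes Windows PowerShell 3 or later run as Administrator, and that the stick is mounted at the letter passed as -Drive (E: is a placeholder). It only reports and un-hides; it deletes nothing.

```powershell
# Added example, not part of the thread or of Panda's tool: confirm AutoRun is
# off and triage a USB stick for the shortcut-worm pattern from the first post.
# Assumptions: Windows PowerShell 3+, run as Administrator, stick mounted at
# -Drive (E: is a placeholder). Report and un-hide only; nothing is deleted.
param([string]$Drive = 'E:')

# --- 1. AutoRun policy -------------------------------------------------------
# NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun for all
# of them. NoAutorun=1 (present in the ComboFix log in this thread) stops
# autorun.inf from adding commands to the AutoPlay dialog.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $mask = '(not set)'
    if ($pol -and $pol.PSObject.Properties['NoDriveTypeAutoRun']) {
        $mask = '0x{0:X2}' -f [int]$pol.NoDriveTypeAutoRun
    }
    $noAutorun = '(not set)'
    if ($pol -and $pol.PSObject.Properties['NoAutorun']) { $noAutorun = $pol.NoAutorun }
    '{0}: NoDriveTypeAutoRun={1} NoAutorun={2}' -f $hive, $mask, $noAutorun
}

# --- 2. The stick itself -----------------------------------------------------
$root = "$Drive\"
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $Drive is not present" }

# autorun.inf at the root: as a file it is the classic infection vector; as a
# folder it is the vaccine Panda's tool creates.
$ar = Get-Item -LiteralPath (Join-Path $root 'autorun.inf') -Force -ErrorAction SilentlyContinue
if ($ar -and $ar.PSIsContainer) {
    'autorun.inf is a folder (vaccinated)'
} elseif ($ar) {
    'autorun.inf is a FILE: inspect its contents'
    Get-Content -LiteralPath $ar.FullName
} else {
    'no autorun.inf at the root'
}

# The shortcut worm hides the real files/folders and drops .lnk files with the
# same names whose target launches the payload through a script host or shell.
# WScript.Shell.CreateShortcut reads an existing .lnk without running it.
$wsh = New-Object -ComObject WScript.Shell
$launchers = '(?i)\\(cmd|wscript|cscript|rundll32|powershell|mshta)\.exe'
Get-ChildItem -LiteralPath $root -Filter *.lnk -Force | ForEach-Object {
    $lnk = $wsh.CreateShortcut($_.FullName)
    [pscustomobject]@{
        Link       = $_.Name
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        Suspicious = [bool]("$($lnk.TargetPath) $($lnk.Arguments)" -match $launchers)
    }
} | Format-Table -AutoSize -Wrap

# Hidden+System entries at the root of a plain data stick are abnormal. Report
# them and strip Hidden/System/ReadOnly (same effect as attrib -h -s -r).
$hs    = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$clear = [int]($hs -bor [IO.FileAttributes]::ReadOnly)
Get-ChildItem -LiteralPath $root -Force | Where-Object { ($_.Attributes -band $hs) -eq $hs } | ForEach-Object {
    "Hidden+System: $($_.FullName)"
    $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $clear))
}
```

Run it as `.\usb-triage.ps1 -Drive F:` after backing the stick up. Any .lnk reported as Suspicious, and any file the worm dropped alongside the hidden folders (typically a .vbs, .js or .exe), is what the AV scan or a format needs to remove; the un-hidden folders are the user's real data.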

      hassaan123 (Topic Starter; Experience: Experienced; OS: Windows 8)
      Re: USED INFECTED USB
      « Reply #2 on: August 14, 2013, 12:03:44 AM »
      The USB is still not working fine even after running that tool. It has the shortcut virus.




      Secondly, when my PC boots up, this pops up every time.





      JRT LOG

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Junkware Removal Tool (JRT) by Thisisu
      Version: 5.4.5 (08.13.2013:1)
      OS: Windows 8 Single Language x64
      Ran by hassaan on Wed 08/14/2013 at 10:35:37.89
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




      ~~~ Services



      ~~~ Registry Values

      Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

          Value Name          Type                             Value Data                     
      ========================================================================================
          Pokki    REG_EXPAND_SZ    C:\Windows\system32\rundll32.exe "%LOCALAPPDATA%\Pokki\Engine\LaunchDeskband.dll",RunLaunchDeskband




      ~~~ Registry Keys

      Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\torch
      Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\torch
      Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{FB9AE199-EC6A-42D6-AA95-96BCF13E1391}
      Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{FB9AE199-EC6A-42D6-AA95-96BCF13E1391}



      ~~~ Files



      ~~~ Folders

      Successfully deleted: [Folder] "C:\Users\hassaan\appdata\local\torch"



      ~~~ FireFox

      Emptied folder: C:\Users\hassaan\AppData\Roaming\mozilla\firefox\profiles\x3jt7h3g.default\minidumps [1 files]



      ~~~ Event Viewer Logs were cleared





      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Scan was completed on Wed 08/14/2013 at 10:41:01.33
      End of JRT log
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


      COMBOFIX LOG

      ComboFix 13-08-13.03 - hassaan 08/14/2013  10:50:49.1.4 - x64
      Microsoft Windows 8 Single Language  6.2.9200.0.1252.1.2057.18.3992.2686 [GMT 5:00]
      Running from: c:\users\hassaan\Desktop\ComboFix.exe
      AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
      SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
       * Created a new restore point
      .
      .
      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      c:\users\hassaan\AppData\Roaming\IHelper
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\info\Contacts_0.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\info\Contacts_1.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\info\Contacts_2.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\info\Contacts_3.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\info\Contacts_4.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\info\Contacts_5.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\info\Contacts_6.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\info\Contacts_7.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\ArtworkDB
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\Books.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\DCIM_APPLE.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\iTunesCDB
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\iTunesCDB.unzip
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\MediaLibrary.sqlitedb-shm
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\MediaLibrary.sqlitedb-wal
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\MediaLibrary.sqlitedb
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\Photos.sqlite
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\Purchases.plist
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\system\Recordings.db
      c:\users\hassaan\AppData\Roaming\IHelper\06a33effacfd719f9dd32e8c5a529c55ea333bc9\user\IMG_1508.JPG
      .
      .
      (((((((((((((((((((((((((   Files Created from 2013-07-14 to 2013-08-14  )))))))))))))))))))))))))))))))
      .
      .
      2013-08-14 05:55 . 2013-08-14 05:55   --------   d-----w-   c:\users\Default\AppData\Local\temp
      2013-08-14 05:35 . 2013-08-14 05:35   --------   d-----w-   c:\windows\ERUNT
      2013-08-14 05:32 . 2013-08-14 05:32   --------   d-----w-   c:\programdata\Panda Security
      2013-08-14 05:32 . 2013-08-14 05:32   --------   d-----w-   c:\program files (x86)\Panda USB Vaccine
      2013-08-13 18:42 . 2013-08-05 11:14   78161360   ----a-w-   c:\windows\system32\MRT.exe
      2013-08-13 18:39 . 2013-08-13 18:39   --------   d-----w-   c:\program files\CCleaner
      2013-08-13 18:17 . 2013-08-13 18:17   --------   d-----w-   c:\users\hassaan\AppData\Roaming\Malwarebytes
      2013-08-13 18:17 . 2013-08-13 18:17   --------   d-----w-   c:\programdata\Malwarebytes
      2013-08-13 18:17 . 2013-08-13 18:17   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
      2013-08-13 18:17 . 2013-04-04 09:50   25928   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2013-08-13 18:17 . 2013-08-13 18:17   --------   d-----w-   c:\users\hassaan\AppData\Local\Programs
      2013-08-13 18:12 . 2013-08-13 18:29   --------   d-----w-   C:\MSI
      2013-07-25 04:33 . 2013-07-25 04:33   --------   d-----w-   c:\users\hassaan\AppData\Roaming\IDT
      2013-07-19 07:26 . 2013-07-19 15:11   --------   d-----w-   c:\program files (x86)\Kepard
      2013-07-18 07:59 . 2013-07-18 07:59   --------   d-----w-   c:\users\hassaan\AppData\Local\Google
      2013-07-18 05:52 . 2013-08-14 05:29   --------   d-----w-   c:\programdata\TorchCrashHandler
      .
      .
      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2013-08-10 15:14 . 2013-07-05 04:07   17536   ----a-w-   c:\programdata\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
      2013-07-04 14:28 . 2012-07-26 08:13   22240   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
      2013-06-27 09:57 . 2013-06-28 04:31   172920   ----a-w-   c:\windows\system32\drivers\idmwfp.sys
      .
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
      @="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
      [HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
      2012-10-01 15:38   1720976   ----a-w-   c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
      .
      [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
      @="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
      [HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
      2012-10-01 15:38   1720976   ----a-w-   c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
      .
      [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
      @="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
      [HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
      2012-10-01 15:38   1720976   ----a-w-   c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
      .
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-06-21 19875432]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
      "BtTray"="c:\program files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe" [2012-08-02 363520]
      "HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-07-09 580512]
      "HP CoolSense"="c:\program files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe" [2011-08-26 1342008]
      "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
      "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-15 152392]
      .
      c:\users\hassaan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
      Send to OneNote.lnk - c:\program files\Microsoft Office\Office15\ONENOTEM.EXE /tsr [2012-10-1 185992]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "ConsentPromptBehaviorAdmin"= 5 (0x5)
      "EnableUIADesktopToggle"= 0 (0x0)
      "EnableCursorSuppression"= 1 (0x1)
      "ConsentPromptBehaviorUser"= 3 (0x3)
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
      "NoAutorun"= 1 (0x1)
      .
      R1 jjehnhuz;jjehnhuz;c:\windows\system32\drivers\jjehnhuz.sys;c:\windows\SYSNATIVE\drivers\jjehnhuz.sys

      R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

      R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe

      R2 TorchCrashHandler;Torch Crash Handler;c:\users\hassaan\AppData\Local\Torch\Update\TorchCrashHandler.exe;c:\users\hassaan\AppData\Local\Torch\Update\TorchCrashHandler.exe

      R3 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys;c:\windows\SYSNATIVE\DRIVERS\idmwfp.sys

      R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

      R3 SmbDrv;SmbDrv;c:\windows\System32\drivers\Smb_driver_AMDASF.sys;c:\windows\SYSNATIVE\drivers\Smb_driver_AMDASF.sys

      R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\System32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys

      R3 WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys;c:\windows\SYSNATIVE\DRIVERS\WUDFRd.sys

      S0 iaStorA;iaStorA;c:\windows\System32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys

      S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

      S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe

      S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

      S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe

      S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe

      S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

      S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

      S3 BtAudioBusSrv;IVT Bluetooth Audio Bus Service;c:\windows\System32\Drivers\BtAudioBus.sys;c:\windows\SYSNATIVE\Drivers\BtAudioBus.sys

      S3 BthL2caScoIfSrv;Bluetooth Profile Interface Driver Service;c:\windows\System32\Drivers\BtL2caScoIf.sys;c:\windows\SYSNATIVE\Drivers\BtL2caScoIf.sys

      S3 BthLEEnum;Bluetooth Low Energy Driver;c:\windows\system32\DRIVERS\BthLEEnum.sys;c:\windows\SYSNATIVE\DRIVERS\BthLEEnum.sys

      S3 btUrbFilterDrv;IVT URB Bluetooth Filter Driver Service;c:\windows\System32\Drivers\IvtUrbBtFlt.sys;c:\windows\SYSNATIVE\Drivers\IvtUrbBtFlt.sys

      S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys

      S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys

      S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys

      S3 RSBASTOR;Realtek PCIE CardReader Driver - BA;c:\windows\system32\DRIVERS\RtsBaStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsBaStor.sys

      S3 rtbth;RTBTH Bluetooth Device Driver;c:\windows\System32\drivers\rtbth.sys;c:\windows\SYSNATIVE\drivers\rtbth.sys

      S3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x64.sys;c:\windows\SYSNATIVE\DRIVERS\Rt630x64.sys

      S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys

      S3 WirelessButtonDriver;HP Wireless Button Driver Service;c:\windows\System32\drivers\WirelessButtonDriver64.sys;c:\windows\SYSNATIVE\drivers\WirelessButtonDriver64.sys

      .
      .
      [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
      apphost   REG_MULTI_SZ      apphostsvc
      iissvcs   REG_MULTI_SZ      w3svc was
      .
      .
      --------- X64 Entries -----------
      .
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
      @="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
      [HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
      2012-10-01 15:37   2322576   ----a-w-   c:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
      @="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
      [HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
      2012-10-01 15:37   2322576   ----a-w-   c:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
      @="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
      [HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
      2012-10-01 15:37   2322576   ----a-w-   c:\progra~1\MICROS~1\Office15\GROOVEEX.DLL
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
      @="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
      [HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
      2012-11-15 23:07   23496   ----a-w-   c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-07-28 170304]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-07-28 398656]
      "Persistence"="c:\windows\system32\igfxpers.exe" [2012-07-28 440640]
      "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-07-21 1425408]
      .
      ------- Supplementary Scan -------
      .
      uLocal Page = c:\windows\system32\blank.htm
      mLocal Page = c:\windows\SysWOW64\blank.htm
      IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
      IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office15\EXCEL.EXE/3000
      IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office15\ONBttnIE.dll/105
      TCP: DhcpNameServer = 192.168.1.1
      TCP: Interfaces\{88DDEC8B-1690-4023-B4CA-06BF673A694C}: NameServer = 8.8.8.8 8.8.4.4
      Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
      FF - ProfilePath - c:\users\hassaan\AppData\Roaming\Mozilla\Firefox\Profiles\x3jt7h3g.default\
      FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.pk/
      FF - ExtSQL: 2013-07-04 19:45; [email protected]; c:\users\hassaan\AppData\Roaming\IDM\idmmzcc5
      FF - ExtSQL: 2013-07-04 19:49; {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}; c:\users\hassaan\AppData\Roaming\Mozilla\Firefox\Profiles\x3jt7h3g.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi
      FF - ExtSQL: 2013-07-24 12:32; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\hassaan\AppData\Roaming\Mozilla\Firefox\Profiles\x3jt7h3g.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
      .
      - - - - ORPHANS REMOVED - - - -
      .
      Wow6432Node-HKCU-Run-Pokki - %LOCALAPPDATA%\Pokki\Engine\LaunchDeskband.dll
      Wow6432Node-HKLM-Run-Kepard - c:\program files (x86)\Kepard\Kepard.exe
      HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
      AddRemove-{B8019B54-F9BE-490A-9619-6D06F18F129F} - c:\program files (x86)\InstallShield Installation Information\{B8019B54-F9BE-490A-9619-6D06F18F129F}\setup.exe
      AddRemove-Torch - c:\users\hassaan\AppData\Local\Torch\uninstall.exe
      .
      .
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
      @Denied: (Full) (Everyone)
      @SACL=(02 0000)
      .
      Completion time: 2013-08-14  10:57:11
      ComboFix-quarantined-files.txt  2013-08-14 05:57
      .
      Pre-Run: 408,208,388,096 bytes free
      Post-Run: 408,196,120,576 bytes free
      .
      - - End Of File - - 93A3003D755C09217C0222148781706A
      D41D8CD98F00B204E9800998ECF8427E
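The persistence points the three logs above flagged, re-checked by hand, as an added example that is not part of the thread or of any of the tools used in it. MBAM reported a Load value under HKCU\...\Windows NT\CurrentVersion\Windows pointing at an executable in the user's Temp folder (anything named there is started by every new logon shell), JRT flagged a Run entry that has rundll32 load a DLL from %LOCALAPPDATA%, and ComboFix listed a running boot-level driver with a random name (jjehnhuz.sys). The script assumes Windows PowerShell 3 or later run as Administrator; -Driver is the file name to verify. It reports and changes nothing.

```powershell
# Added example, not part of the thread: re-check the auto-start locations the
# MBAM, JRT and ComboFix logs flagged, and verify a kernel driver's signature.
# Assumptions: Windows PowerShell 3+, run as Administrator; -Driver names the
# .sys file to check (jjehnhuz.sys is the one from the log). Report only.
param([string]$Driver = 'jjehnhuz.sys')

# Auto-start values pointing into a temp folder or per-user AppData are the
# pattern in the logs (ccavnhopi.exe in Temp, a DLL loaded by rundll32 from
# %LOCALAPPDATA%). Legitimate machine-wide auto-starts rarely look like that.
$suspect = '(?i)\\Temp\\|LOCALS~1|\\AppData\\(Local|Roaming)\\|%LOCALAPPDATA%|%TEMP%|%APPDATA%'

$sites = @(
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # Load / Run values (MBAM hit)
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$findings = foreach ($key in $sites) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                       # provider metadata
        # Under ...\Windows NT\CurrentVersion\Windows only Load and Run start programs.
        if ($key.EndsWith('\Windows') -and $p.Name -notin @('Load', 'Run')) { continue }
        $value = [string]$p.Value
        if ($value -eq '') { continue }
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Value      = $value
            Suspicious = [bool]($value -match $suspect)
        }
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap

# A randomly named R1 driver deserves a look, but do not delete on the name
# alone: some anti-rootkit scanners load randomly named drivers of their own.
# Check the signer, the hash and the service that owns it first.
$path = Join-Path $env:SystemRoot "System32\drivers\$Driver"
if (Test-Path -LiteralPath $path) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $sha256 = [BitConverter]::ToString(
        [Security.Cryptography.SHA256]::Create().ComputeHash([IO.File]::ReadAllBytes($path))) -replace '-', ''
    $svc = Get-CimInstance Win32_SystemDriver -Filter "PathName LIKE '%$Driver'"
    [pscustomobject]@{
        Driver   = $Driver
        SigState = $sig.Status          # Valid / NotSigned / HashMismatch / ...
        Signer   = $signer
        SHA256   = $sha256
        Service  = ($svc | ForEach-Object { '{0} (start={1}, state={2})' -f $_.Name, $_.StartMode, $_.State }) -join '; '
    }
} else {
    "$Driver is not on disk; the service entry may be stale or the file already removed."
}
```

An unsigned, randomly named driver whose owning service is also randomly named and set to start at boot is what you would send to the helper (or a multi-engine scanner) by hash before removing it; a driver whose signer is a known security vendor is usually the scanner's own.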

      SuperDave (Malware Removal Specialist; Genius; Experience: Expert; OS: Windows 10)
      Re: USED INFECTED USB
      « Reply #3 on: August 14, 2013, 04:14:51 PM »
      You need to scan your USB stick or re-format it. Use your AV to scan it and also scan it with this scanner.

      Please download and run Microsoft Safety Scanner. This will take about 20 minutes to run and will produce a log if your computer was infected. Please post the log. This scanner only has a shelf life of 10 days, so you will need to download a new one if you want to run a scan after the trial period has expired.
      ***************************************
      • Download RogueKiller on the desktop
      • Close all the running programs
      • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
      • Otherwise just double-click on RogueKiller.exe
      • Pre-scan will start. Let it finish.
      • Click on SCAN button.
      • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
      • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

        hassaan123 (Topic Starter; Experience: Experienced; OS: Windows 8)
        Re: USED INFECTED USB
        « Reply #4 on: August 22, 2013, 01:49:58 PM »
        Microsoft Safety Scanner didn't find anything.


        RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
        mail : tigzyRK<at>gmail<dot>com
        Feedback : http://www.adlice.com/forum/
        Website : http://www.adlice.com/softwares/roguekiller/
        Blog : http://tigzyrk.blogspot.com/

        Operating System : Windows 8 (6.2.9200 ) 64 bits version
        Started in : Normal mode
        User : hassaan [Admin rights]
        Mode : Scan -- Date : 08/23/2013 00:48:26
        | ARK || FAK || MBR |

        ¤¤¤ Bad processes : 4 ¤¤¤
        [SUSP PATH] pokki.exe -- C:\Users\hassaan\AppData\Local\Pokki\Engine\pokki.exe [7] -> KILLED [TermProc]
        [SUSP PATH] pokki.exe -- C:\Users\hassaan\AppData\Local\Pokki\Engine\pokki.exe [7] -> KILLED [TermThr]
        [SUSP PATH] pokki.exe -- C:\Users\hassaan\AppData\Local\Pokki\Engine\pokki.exe [7] -> KILLED [TermThr]
        [SUSP PATH] pokki.exe -- C:\Users\hassaan\AppData\Local\Pokki\Engine\pokki.exe [7] -> KILLED [TermThr]

        ¤¤¤ Registry Entries : 6 ¤¤¤
        [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=172.25.10.3:80;ftp=172.25.10.3:80) -> FOUND
        [PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
        [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
        [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
        [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
        [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

        ¤¤¤ Scheduled tasks : 0 ¤¤¤

        ¤¤¤ Startup Entries : 0 ¤¤¤

        ¤¤¤ Web browsers : 3 ¤¤¤
        [FF][PROXY] x3jt7h3g.default : user_pref("network.proxy.hxxp", "172.25.10.3"); -> FOUND
        [FF][PROXY] x3jt7h3g.default : user_pref("network.proxy.hxxp_port", 80); -> FOUND
        [FF][PROXY] x3jt7h3g.default : user_pref("network.proxy.type", 1); -> FOUND

        ¤¤¤ Particular Files / Folders: ¤¤¤

        ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

        ¤¤¤ External Hives: ¤¤¤

        ¤¤¤ Infection :  ¤¤¤

        ¤¤¤ HOSTS File: ¤¤¤
        --> %SystemRoot%\System32\drivers\etc\hosts


        127.0.0.1       localhost


        ¤¤¤ MBR Check: ¤¤¤

        +++++ PhysicalDrive0: ST500LT012-9WS142 +++++
        --- User ---
        [MBR] c7b320d253a5b015cb7191dc83c18baf
        [BSP] a331926d80c1088d7089ee702371a9a3 : Empty MBR Code
        Partition table:
        0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 476940 Mo
        User = LL1 ... OK!
        User = LL2 ... OK!

        Finished : << RKreport[0]_S_08232013_004826.txt >>
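The proxy entries RogueKiller found above, inspected and cleared by hand, as an added example that is not part of the thread or of RogueKiller. The log's "hxxp" is the tool's defanged spelling of "http": the IE hit is the per-user WinINET proxy (ProxyEnable=1, ProxyServer pointing at 172.25.10.3:80) and the Firefox hit is the same address in network.proxy.* in prefs.js with network.proxy.type=1 (manual proxy). One caveat before deleting: 172.25.10.3 is an RFC 1918 private address, and the stick was used at work, so this could be a legitimate corporate proxy rather than a hijack; confirm with whoever runs that network. The script assumes Windows PowerShell 3 or later run as the affected user, and that Firefox is closed before -Reset (Firefox rewrites prefs.js on exit and would put the values back).

```powershell
# Added example, not part of the thread: list, and with -Reset clear, the
# WinINET (IE and most Windows programs) proxy and the network.proxy.* prefs
# in every Firefox profile. Assumptions: Windows PowerShell 3+, run as the
# affected user, Firefox closed before -Reset. Without -Reset it only reports.
param([switch]$Reset)

$proxyPref = '^user_pref\("network\.proxy\.'

# --- WinINET (per user) ------------------------------------------------------
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$cur  = Get-ItemProperty -Path $inet
'WinINET: ProxyEnable={0} ProxyServer="{1}" AutoConfigURL="{2}"' -f $cur.ProxyEnable, $cur.ProxyServer, $cur.AutoConfigURL
# Services such as Windows Update use the separate WinHTTP proxy, which the
# IE check in the log does not cover.
netsh winhttp show proxy

if ($Reset) {
    Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0 -Type DWord
    foreach ($n in 'ProxyServer', 'AutoConfigURL', 'ProxyOverride') {
        Remove-ItemProperty -Path $inet -Name $n -ErrorAction SilentlyContinue
    }
    'WinINET proxy cleared (restart Internet Explorer to pick it up).'
}

# --- Firefox -----------------------------------------------------------------
# network.proxy.type 1 = manual proxy (what the log shows). With the prefs
# removed Firefox falls back to its default, which follows the system (WinINET)
# settings, which is why both are cleared together.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path $profiles -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $prefs = Join-Path $_.FullName 'prefs.js'
    if (-not (Test-Path -LiteralPath $prefs)) { return }
    $lines = @(Get-Content -LiteralPath $prefs)
    $hits  = @($lines | Where-Object { $_ -match $proxyPref })
    'Firefox profile {0}: {1} proxy pref(s)' -f $_.Name, $hits.Count
    $hits
    if ($Reset -and $hits.Count -gt 0) {
        Copy-Item -LiteralPath $prefs -Destination ($prefs + '.bak') -Force
        $lines | Where-Object { $_ -notmatch $proxyPref } | Set-Content -LiteralPath $prefs -Encoding UTF8
        'Removed; original saved as prefs.js.bak'
    }
}
```

RogueKiller's Delete does the same removal; the point of running this first is to see whether the proxy was the only thing rewriting traffic and to keep a copy of prefs.js in case the setting turns out to be wanted.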





        SuperDave (Malware Removal Specialist; Genius; Experience: Expert; OS: Windows 10)
        Re: USED INFECTED USB
        « Reply #5 on: August 22, 2013, 04:28:49 PM »
        Please run RogueKiller again and delete those items.

        Please download aswMBR.exe ( 511KB ) to your desktop.

        Double click the aswMBR.exe to run it



        Click the "Scan" button to start scan

        Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives



        On completion of the scan click save log, save it to your desktop and post in your next reply