Thread: Chrome riddled with adware and persistent extensions

  1. #1
    Junior Member | Join Date: Apr 2014 | Posts: 1

    Hi, guys... My girlfriend handed me her friend's laptop so I could try and see what's wrong with it. I ran MBAM and AdwCleaner; both of them found thousands of items, and I applied the fixes offered by both programs.

    Most of the adware seems to be gone now, but at least two occurrences still persist in Chrome: when I check the extensions tab, I get ShopDrop and UTubeNoAdsa, as in the following screen capture:

    I still don't know what ShopDrop does exactly, but even if I remove it, it'll be back next time I start Chrome. As for the other one, I can't remove it at all due to that weird "Installed by enterprise policy", and it's the one giving me more trouble. Thanks to that extension, every website I access, even this forum, is filled with ads everywhere.

    Hope you guys can help me...

    As instructed, I've already backed up my registry using ERUNT and produced the DDS and aswMBR logs. Additionally, as I've seen from another thread with someone suffering from the same ShopDrop problem, I'll also attach the OTL log.

    Thanks in advance for the help!

    DDS log:

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.51.2
    Run by Usuário at 14:06:27 on 2014-04-12
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.55.1046.18.3494.1164 [GMT -3:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\PROGRA~1\GbPlugin\GbpSv.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Dell Wireless\Ath_CoexAgent.exe
    C:\Program Files\Dell Wireless\Bluetooth Suite\adminservice.exe
    C:\Windows\system32\FsUsbExService.Exe
    C:\Program Files\Scpad\scpVista.exe
    C:\Program Files\ShowMyPCService\tvnserver.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Samsung\Kies\Kies.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\Samsung\Kies\KiesAirMessage.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Users\Usuário\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Users\Usuário\AppData\Roaming\uTorrent\uTorrent.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com
    uSearch Bar = Preserve
    uDefault_Page_URL = hxxp://www.google.com
    mSearch Page = hxxp://www.google.com
    mDefault_Page_URL = hxxp://www.google.com
    mDefault_Search_URL = hxxp://www.google.com
    BHO: ssh2 Class: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - c:\program files\scpad\scpsssh2.dll
    BHO: ShopDrop: {423B6CB1-FB03-614B-B696-E70E2EC50D50} - c:\programdata\shopdrop\VmfcmlpIFR.dll
    BHO: GreatSoavee4U: {6390ECC8-0EA0-08F4-2661-3EB8A0E346F9} - c:\programdata\greatsoavee4u\tvd54iHVQ.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
    BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: GbIehObj Class: {C41A1C0E-EA6C-11D4-B1B8-444553540000} - c:\program files\gbplugin\gbieh.dll
    BHO: GbIehObj Class: {C41A1C0E-EA6C-11D4-B1B8-444553540007} - c:\program files\gbplugin\gbiehabn.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [Facebook Update] "c:\users\usuário\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
    uRun: [KiesPreload] c:\program files\samsung\kies\Kies.exe /preload
    uRun: [KiesAirMessage] c:\program files\samsung\kies\KiesAirMessage.exe -startup
    uRun: [] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Google Update] "c:\users\usuário\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
    uRun: [uTorrent] "c:\users\usuário\appdata\roaming\utorrent\uTorrent.exe" /MINIMIZED
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exe
    mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - c:\program files\dell wireless\bluetooth suite\IEPlugIn.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} - hxxps://cpne.bradesco.com.br/certifexp.cab
    DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{3AFA1C98-903D-4407-80F6-99066A6DECE5} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{3AFA1C98-903D-4407-80F6-99066A6DECE5}\351634166716C63616E64756 : DHCPNameServer = 192.168.70.5 192.168.0.3
    TCP: Interfaces\{3AFA1C98-903D-4407-80F6-99066A6DECE5}\74353402659435944514E44554 : DHCPNameServer = 201.17.0.65 201.17.0.95 201.6.4.116
    TCP: Interfaces\{3AFA1C98-903D-4407-80F6-99066A6DECE5}\746545D263433343 : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{3AFA1C98-903D-4407-80F6-99066A6DECE5}\84F44554C404659647F6279616 : DHCPNameServer = 8.8.8.8 8.8.4.4
    TCP: Interfaces\{3AFA1C98-903D-4407-80F6-99066A6DECE5}\C4F6274684F64756C6F52314 : DHCPNameServer = 192.168.1.254
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Notify: GbPluginAbn - c:\program files\gbplugin\gbiehAbn.dll
    Notify: GbPluginBb - c:\program files\gbplugin\gbieh.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs= c:\progra~1\suptab\SEARCH~1.DLL
    SSODL: WebCheck - <orphaned>
    SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - c:\program files\scpad\scpLIB.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: GbPluginObj Class - {E37CB5F0-51F5-4395-A808-5FA49E399F83} - c:\program files\gbplugin\gbieh.dll
    SEH: GbPluginObj Class - {E37CB5F0-51F5-4395-A808-5FA49E399007} - c:\program files\gbplugin\gbiehabn.dll
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-10-15 49944]
    R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-10-15 180760]
    R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [2012-7-3 46392]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-10-15 776976]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2013-10-15 411552]
    R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2012-9-4 50296]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-10-15 67824]
    R2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;c:\program files\dell wireless\Ath_CoexAgent.exe [2012-2-14 135168]
    R2 AtherosSvc;AtherosSvc;c:\program files\dell wireless\bluetooth suite\AdminService.exe [2011-3-31 72864]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-4-6 50344]
    R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2013-4-29 233472]
    R2 GbpSv;Gbp Service;c:\progra~1\gbplugin\GbpSv.exe [2013-10-27 452136]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2012-2-14 13336]
    R2 scpVista;scpVista;c:\program files\scpad\scpVista.exe [2013-5-27 360640]
    R2 tvnserver;TightVNC Server;c:\program files\showmypcservice\tvnserver.exe [2010-7-8 815704]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\intel\intel(r) management engine components\uns\UNS.exe [2012-2-14 2656280]
    R3 aswStm;aswStm;c:\windows\system32\drivers\aswstm.sys [2014-1-2 67264]
    R3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\drivers\btath_flt.sys [2011-3-31 34976]
    R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [2011-3-31 259232]
    R3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\drivers\btath_bus.sys [2011-3-31 24736]
    R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\drivers\btath_hcrp.sys [2011-3-31 175776]
    R3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\drivers\btath_lwflt.sys [2011-3-31 49312]
    R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\drivers\btath_rcp.sys [2011-3-31 141088]
    R3 BtFilter;BtFilter;c:\windows\system32\drivers\btfilter.sys [2011-3-31 243360]
    R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2013-4-29 37344]
    R3 IntcDAud;Áudio do vídeo Intel(R);c:\windows\system32\drivers\IntcDAud.sys [2012-2-14 269824]
    R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2012-2-14 41088]
    R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\GbpNdisrd.sys [2012-7-4 31088]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2012-2-14 391272]
    S2 892cc6a3;Performance Optimizer;c:\windows\system32\rundll32.exe [2009-7-13 44544]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
    S3 AndNetDiag;LGE AndroidNet USB Serial Port;c:\windows\system32\drivers\lgandnetdiag.sys [2011-9-6 23040]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-4-29 83864]
    S3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [2009-9-21 46192]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
    S3 Ndisrd;GAS Tecnologia Service;c:\windows\system32\drivers\GbpNdisrd.sys [2012-7-4 31088]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-2-26 15872]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2014-4-11 27192]
    S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-4-29 181912]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-2-26 52224]
    S3 WatAdminSvc;Serviço de Tecnologias de Ativaçăo do Windows;c:\windows\system32\wat\WatAdminSvc.exe [2012-2-14 1343400]
    .
    =============== Created Last 30 ================
    .
    2014-04-12 17:06:28 -------- d-----w- c:\users\usußrio\appdata\local\Microsoft
    2014-04-12 15:23:13 -------- d-----w- C:\_OTL
    2014-04-12 04:53:21 -------- d-----w- C:\AdwCleaner
    2014-04-12 00:29:43 7969936 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e3c19dff-9f9f-4a9a-91ae-86e09ff6c2d5}\mpengine.dll
    2014-04-12 00:28:15 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-04-12 00:27:30 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-04-12 00:27:30 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-04-12 00:27:30 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-04-12 00:27:30 -------- d-----w- c:\programdata\Malwarebytes
    2014-04-12 00:27:30 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
    2014-04-12 00:20:36 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2014-04-12 00:20:36 -------- d-----w- c:\programdata\VS Revo Group
    2014-04-12 00:20:33 -------- d-----w- c:\program files\VS Revo Group
    2014-04-12 00:14:51 -------- d-----w- c:\users\usuário\appdata\roaming\uTorrent
    2014-04-07 00:50:30 43152 ----a-w- c:\windows\avastSS.scr
    2014-03-31 20:37:16 -------- d-----w- c:\windows\system32\MRT
    2014-03-31 17:50:54 -------- d-----w- c:\program files\Uninstaller
    2014-03-31 17:47:28 -------- d-----w- c:\program files\High-QualityB
    2014-03-16 19:37:57 -------- d-----w- c:\programdata\DigiSaver
    .
    ==================== Find3M ====================
    .
    2014-04-12 15:29:50 31088 ----a-w- c:\windows\system32\drivers\GbpNdisrd.sys
    2014-04-07 00:50:31 81768 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2014-04-07 00:50:31 776976 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2014-04-07 00:50:31 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2014-04-07 00:50:31 67264 ----a-w- c:\windows\system32\drivers\aswstm.sys
    2014-04-07 00:50:31 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
    2014-04-07 00:50:31 180760 ----a-w- c:\windows\system32\drivers\aswVmm.sys
    2014-03-16 19:38:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-03-16 19:38:14 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2014-02-12 00:42:33 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2014-01-19 07:32:23 231584 ------w- c:\windows\system32\MpSigStub.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.1.7601
    .
    CreateFile("\\.\PHYSICALDRIVE0"): O arquivo já está sendo usado por outro processo.
    device: opened successfully
    user: error reading MBR
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
    c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Rapid Storage Technology driver
    1 ntkrnlpa!IofCallDriver[0x82E3A55A] -> \Device\Harddisk0\DR0[0x8814D298]
    3 CLASSPNP[0x8C98C59E] -> ntkrnlpa!IofCallDriver[0x82E3A55A] -> [0x865F6318]
    5 ACPI[0x83EC53D4] -> ntkrnlpa!IofCallDriver[0x82E3A55A] -> \Device\Ide\IAAStorageDevice-1[0x86637028]
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    user != kernel MBR !!!
    .
    ============= FINISH: 14:07:31,64 ===============

  2. #2
    Emeritus | Join Date: Nov 2005 | Location: @localhost | Posts: 6,066

    See this link.
    How Can I Reduce My Risk?
