Solved Windows 7 laptop infected with sirefef.y Trojan


David Summers

I don't know how long my machine has been infected, but it had been behaving strangely in the days, maybe weeks, prior to an actual diagnosis of the sirefef.y Trojan, i.e. playing strange music at times when I was online, and video camera malfunction. When I discovered that my Windows Security Essentials wouldn't function, I downloaded the current version and got it running. It wasn't long, however, before I fell into a loop whereby the computer would find the virus and then force restart after about a minute... which was never long enough to clean the virus. Initially it was the sirefef.w Trojan, but it appears that Security Essentials caught and cleaned that one... Now it's the y version, and I have had no success trying to isolate it and close it out in Task Manager prior to the forced restart. Additionally, I have downloaded Malwarebytes' Anti-Malware, GMER and DDS, and have started the scanning process multiple times with all three individually, as well as Microsoft Security Essentials, but none are able to finish the process before the virus does its thing, even in safe mode. Even DDS, which isn't supposed to take longer than 3 minutes, has no time to complete its processes.



Any assistance would be appreciated.



Below is the log generated by the Farbar recovery scan tool:



Scan result of Farbar Recovery Scan Tool Version: 15-08-2012

Ran by SYSTEM at 21-08-2012 06:52:00

Running from E:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001



========================== Registry (Whitelisted) =============



HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [368640 2010-01-17] (Alps Electric Co., Ltd.)

HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-28] (IDT, Inc.)

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2009-06-30] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [385560 2009-06-30] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365080 2009-06-30] (Intel Corporation)

HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)

HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)

HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807600 2009-11-13] ()

HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-12-29] (CyberLink Corp.)

HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)

HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()

HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)

HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-24] (Ask)

HKU\David Summers\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-09-18] (Google Inc.)

HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)

HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)

HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-07] (Dell)

HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe [165184 2011-01-13] (Softthinks)

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\..\Interfaces\{B087D8A2-424B-440D-80FC-E3B3A46D696C}: [NameServer]66.174.92.14 69.78.235.35

Startup: C:\Users\David Summers\Start Menu\Programs\Startup\Dell Dock.lnk

ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\David Summers\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

Startup: C:\Users\David Summers\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)



==================== Services (Whitelisted) ======



2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-28] (IDT, Inc.)



========================== Drivers (Whitelisted) =============



3 PTUMWBus; C:\Windows\System32\Drivers\PTUMWBus.sys [70928 2010-07-20] (DEVGURU Co., LTD.)

3 PTUMWCDF; C:\Windows\System32\Drivers\PTUMWCDF.sys [24976 2010-07-20] (DEVGURU Co., LTD.)

3 PTUMWCSP; C:\Windows\System32\Drivers\PTUMWCSP.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))

3 PTUMWFLT; C:\Windows\System32\Drivers\PTUMWFLT.sys [12688 2010-07-20] (DEVGURU Co., LTD.)

3 PTUMWMdm; C:\Windows\System32\Drivers\PTUMWMdm.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))

3 PTUMWNET; C:\Windows\System32\Drivers\PTUMWNET.sys [143888 2010-07-20] (DEVGURU Co., LTD.)

3 PTUMWNSP; C:\Windows\System32\Drivers\PTUMWNSP.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))

3 PTUMWVsp; C:\Windows\System32\Drivers\PTUMWVsp.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))

3 SMSIVZAM5X64; \??\C:\PROGRA~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [43032 2009-05-25] (Smith Micro Inc.)



========================== NetSvcs (Whitelisted) ===========





============ One Month Created Files and Folders ==============



2012-08-17 12:38 - 2012-08-17 12:38 - 00000000 ____D C:\Users\David Summers\Application Data\Malwarebytes

2012-08-17 12:38 - 2012-08-17 12:38 - 00000000 ____D C:\Users\David Summers\AppData\Roaming\Malwarebytes

2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-17 12:35 - 2012-08-17 12:35 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-08-17 12:35 - 2012-08-17 12:35 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes

2012-08-17 12:35 - 2012-08-17 12:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-17 12:35 - 2012-07-03 15:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-17 12:32 - 2012-08-17 12:07 - 00607260 ____R (Swearware) C:\Users\David Summers\Desktop\dds.com

2012-08-17 12:32 - 2012-08-17 12:07 - 00302592 ____A C:\Users\David Summers\Desktop\4klg889o.exe

2012-08-17 12:31 - 2012-08-17 12:05 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\David Summers\Desktop\mbam-setup-1.62.0.1300.exe

2012-08-16 09:36 - 2012-08-21 08:17 - 00019074 ____A C:\Users\David Summers\Desktop\yorkyt.exe.log

2012-08-16 09:36 - 2012-08-16 09:23 - 01415784 ____A C:\Users\David Summers\Desktop\yorkyt.exe

2012-08-16 09:32 - 2012-08-16 09:26 - 74900016 ____A (Microsoft Corporation) C:\Users\David Summers\Desktop\msert.exe

2012-08-16 08:40 - 2012-08-16 08:40 - 00005176 ____A C:\Windows\System32\PerfStringBackup.TMP

2012-08-15 17:02 - 2012-08-15 17:03 - 00000000 ____D C:\FRST

2012-08-13 12:36 - 2012-08-13 12:36 - 00006704 ____N C:\bootsqm.dat

2012-08-13 12:34 - 2012-08-13 12:34 - 00000000 __SHD C:\found.000

2012-08-12 20:37 - 2012-08-12 20:37 - 00001945 ____A C:\Windows\epplauncher.mif

2012-08-12 04:16 - 2012-08-12 20:37 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-08-12 04:16 - 2012-08-12 04:16 - 00743856 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-08-12 04:16 - 2012-08-12 04:16 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

2012-08-12 04:07 - 2012-08-12 04:07 - 00000000 ____D C:\Users\David Summers\Desktop\Court

2012-08-09 22:43 - 2012-08-09 22:44 - 00000000 ____D C:\Users\David Summers\My Documents\Dell WebCam Central

2012-08-09 22:43 - 2012-08-09 22:44 - 00000000 ____D C:\Users\David Summers\Documents\Dell WebCam Central

2012-08-09 22:43 - 2012-08-09 22:43 - 00000000 ____D C:\Users\David Summers\Application Data\Creative

2012-08-09 22:43 - 2012-08-09 22:43 - 00000000 ____D C:\Users\David Summers\AppData\Roaming\Creative

2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk

2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\All Users\Desktop\Skype.lnk



============ 3 Months Modified Files ========================



2012-08-21 08:28 - 2009-07-13 23:51 - 00072444 ____A C:\Windows\setupact.log

2012-08-21 08:26 - 2011-05-25 08:22 - 00000418 ____A C:\Windows\Tasks\Free File Viewer Update Checker.job

2012-08-21 08:26 - 2010-09-18 18:26 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-08-21 08:26 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-21 08:17 - 2012-08-16 09:36 - 00019074 ____A C:\Users\David Summers\Desktop\yorkyt.exe.log

2012-08-17 12:50 - 2010-09-18 18:26 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-17 12:07 - 2012-08-17 12:32 - 00607260 ____R (Swearware) C:\Users\David Summers\Desktop\dds.com

2012-08-17 12:07 - 2012-08-17 12:32 - 00302592 ____A C:\Users\David Summers\Desktop\4klg889o.exe

2012-08-17 12:05 - 2012-08-17 12:31 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\David Summers\Desktop\mbam-setup-1.62.0.1300.exe

2012-08-16 09:26 - 2012-08-16 09:32 - 74900016 ____A (Microsoft Corporation) C:\Users\David Summers\Desktop\msert.exe

2012-08-16 09:23 - 2012-08-16 09:36 - 01415784 ____A C:\Users\David Summers\Desktop\yorkyt.exe

2012-08-16 08:40 - 2012-08-16 08:40 - 00005176 ____A C:\Windows\System32\PerfStringBackup.TMP

2012-08-15 19:08 - 2012-07-03 07:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-15 10:05 - 2009-07-14 00:08 - 00032630 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-08-13 18:23 - 2009-07-14 00:10 - 01292325 ____A C:\Windows\WindowsUpdate.log

2012-08-13 12:36 - 2012-08-13 12:36 - 00006704 ____N C:\bootsqm.dat

2012-08-12 20:37 - 2012-08-12 20:37 - 00001945 ____A C:\Windows\epplauncher.mif

2012-08-12 04:16 - 2012-08-12 04:16 - 00743856 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk

2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\All Users\Desktop\Skype.lnk

2012-08-03 12:08 - 2012-07-03 07:45 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-08-03 12:08 - 2012-07-03 07:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-07-11 07:27 - 2009-07-13 23:45 - 00414656 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-11 07:19 - 2012-07-11 07:19 - 00004608 ____A C:\Users\David Summers\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-07-11 07:19 - 2012-07-11 07:19 - 00004608 ____A C:\Users\David Summers\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-07-11 07:19 - 2012-07-11 07:19 - 00004608 ____A C:\Users\David Summers\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-07-03 15:46 - 2012-08-17 12:35 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-06-29 10:52 - 2012-06-26 07:52 - 00017435 ____H C:\Users\David Summers\Desktop\~WRL0004.tmp

2012-06-11 22:02 - 2012-07-11 07:21 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-02 17:19 - 2012-06-18 18:26 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 17:19 - 2012-06-18 18:26 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 17:19 - 2012-06-18 18:26 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 17:19 - 2012-06-18 18:25 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 17:19 - 2012-06-18 18:25 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 17:19 - 2012-06-18 18:25 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 17:15 - 2012-06-18 18:26 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 17:15 - 2012-06-18 18:25 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 17:15 - 2012-06-18 18:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe



ZeroAccess:

C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}

C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\@

C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\L

C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\n

C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U

C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U\00000001.@

C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U\800000cb.@



ZeroAccess:

C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}

C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\@

C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\L

C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U



========================= Known DLLs (Whitelisted) ============





========================= Bamital & volsnap Check ============



C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit



==================== EXE ASSOCIATION =====================



HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK



========================= Memory info ======================



Percentage of memory in use: 14%

Total physical RAM: 4056.36 MB

Available physical RAM: 3474.73 MB

Total Pagefile: 4054.51 MB

Available Pagefile: 3470.74 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB



======================= Partitions =========================



1 Drive c: (OS) (Fixed) (Total:451.07 GB) (Free:365.89 GB) NTFS

2 Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.14 GB) NTFS ==>[System with boot components (obtained from reading drive)]

3 Drive e: () (Removable) (Total:7.45 GB) (Free:0.53 GB) FAT32

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS



Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 465 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 Online 7629 MB 0 B



Partitions of Disk 0:

===============



Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 14 GB 40 MB

Partition 3 Primary 451 GB 14 GB



==================================================================================



Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No



Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 FAT Partition 39 MB Healthy Hidden



==================================================================================



Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes



Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 D RECOVERY NTFS Partition 14 GB Healthy



==================================================================================



Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No



Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 451 GB Healthy



==================================================================================



Partitions of Disk 2:

===============



Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7629 MB 16 KB



==================================================================================



Disk: 2

Partition 1

Type : 0B

Hidden: No

Active: No



Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 E FAT32 Removable 7629 MB Healthy



==================================================================================



Last Boot: 2012-08-09 10:17



======================= End Of Log ==========================
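The two "ZeroAccess:" blocks in the log above show the on-disk layout this family leaves behind: a {GUID}-named folder under C:\Windows\Installer and another under the user's AppData\Local, each holding entries named `@`, `L`, `n` and `U`. The following is an added example, not part of the original thread or of FRST, that encodes that layout as a check and runs it over a constructed directory tree (a temp folder standing in for C:\, built from the GUID in the log, plus a benign Installer cache folder that must not be flagged). The marker set and the benign-folder assumption are mine.

```python
"""Detector for the ZeroAccess directory layout reported in the FRST log above.

Added example, not part of the original thread. It looks for what the log's
"ZeroAccess:" section shows: a {GUID}-named folder under Windows\Installer or a
user's AppData\Local that holds entries named '@', 'L', 'n' and 'U'. The
directory tree it scans is constructed below (a temp folder, not a real
C:\ drive) so the script runs offline; the GUID is the one from the log.
"""
import os
import re
import tempfile

# 8-4-4-4-12 hex GUID in braces, the form both Windows\Installer and ZeroAccess use.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Entries present in both infected folders of the posted log. A legitimate
# Windows\Installer GUID folder holds cached MSI resources (icons, .exe stubs),
# not bare '@' and 'U' entries, so these two are treated as the decisive markers
# (assumption based on the posted layout, not a vendor-published indicator).
ZA_MARKERS = {"@", "U"}

SAMPLE_GUID = "{54bc881e-81a5-ad53-5a23-689e4d4f580b}"  # from the FRST log


def is_zeroaccess_dir(path):
    """True when `path` is a GUID-named directory containing the marker entries."""
    if not os.path.isdir(path) or not GUID_DIR.match(os.path.basename(path)):
        return False
    return ZA_MARKERS <= set(os.listdir(path))


def scan(root):
    """Walk `root` and return the suspicious GUID directories, sorted."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if is_zeroaccess_dir(full):
                hits.append(full)
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: the two infected folders from the log plus a
    benign Installer cache folder that must not be flagged."""
    for parts in (("Windows", "Installer"),
                  ("Users", "David Summers", "AppData", "Local")):
        folder = os.path.join(root, *parts, SAMPLE_GUID)
        os.makedirs(os.path.join(folder, "U"))            # 'U' is a subfolder
        # The Installer copy in the log also had 'n'; the AppData one did not.
        entries = ("@", "L", "n") if parts[0] == "Windows" else ("@", "L")
        for entry in entries:                              # the rest are files
            with open(os.path.join(folder, entry), "wb") as fh:
                fh.write(b"\x00" * 16)
    benign = os.path.join(root, "Windows", "Installer",
                          "{11111111-2222-3333-4444-555555555555}")
    os.makedirs(benign)
    open(os.path.join(benign, "ARPPRODUCTICON.exe"), "wb").close()
    return benign


def demo():
    """Build the sample tree, scan it, return root-relative hits and the benign check."""
    with tempfile.TemporaryDirectory() as root:
        benign = build_sample_tree(root)
        hits = [os.path.relpath(h, root).replace(os.sep, "/") for h in scan(root)]
        benign_flagged = is_zeroaccess_dir(benign)
    return {"hits": hits, "benign_flagged": benign_flagged}


if __name__ == "__main__":
    for hit in demo()["hits"]:
        print("ZeroAccess layout:", hit)
```

On a live machine the point of the benign folder is important: C:\Windows\Installer is full of legitimate {GUID} directories, so matching on the GUID name alone produces false positives; the `@`/`U` entries are what distinguish the infected ones in this log.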
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Additional FRST Scan

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)



When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.
 
Wow... The scan took about 15 minutes... Was expecting a longer log.

Farbar Recovery Scan Tool Version: 15-08-2012

Ran by SYSTEM at 2012-08-22 05:50:34

Running from E:\



================== Search: "services.exe" ===================



C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB



C:\Windows\System32\services.exe

[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06



====== End Of Search ======
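The search result above is the evidence the helper was after: the component-store copy of services.exe in WinSxS and the live copy in System32 have identical size and identical timestamps but different MD5s, which is what an in-place patch of a system binary looks like. The script below is an added example, not part of the thread or of FRST, that parses a Search.txt in the format shown and flags exactly that condition; its only input is the posted search output, embedded verbatim as sample data. The parsing regexes are mine and cover the line shape shown here, nothing more.

```python
"""Check a FRST Search.txt for a live system binary whose hash disagrees with
the component-store copy.

Added example, not part of the original thread. The FRST "Bamital & volsnap
Check" and the Search.txt above already flag this file; this script shows the
comparison explicitly so it can be run over any Search.txt. SEARCH_TXT is the
posted search output, embedded verbatim as sample input.
"""
import re

SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# Detail line as FRST prints it: [created] - [modified] - size attrs (company) MD5
DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_LINE = re.compile(r"^[A-Za-z]:\\")
LIVE_DIR = re.compile(r"\\(system32|syswow64)\\[^\\]+$", re.I)


def parse_search(text):
    """Return one record per hit: a path line immediately followed by its detail line."""
    lines = [ln.strip() for ln in text.splitlines()]
    records = []
    for i in range(len(lines) - 1):
        if PATH_LINE.match(lines[i]):
            m = DETAIL.match(lines[i + 1])
            if m:
                rec = m.groupdict()
                rec["path"] = lines[i]
                rec["size"] = int(rec["size"])
                rec["md5"] = rec["md5"].upper()
                records.append(rec)
    return records


def find_tampered(records):
    """Flag live System32/SysWOW64 files whose MD5 differs from every same-size
    WinSxS copy of the same name.

    Same size and same timestamps with a different hash is the in-place patch
    pattern; the timestamps alone prove nothing, as the posted log shows both
    copies sharing them. If any same-size WinSxS copy matches the live hash the
    file is treated as a legitimate (possibly older) version and not flagged."""
    refs = [r for r in records if "\\winsxs\\" in r["path"].lower()]
    findings = []
    for live in records:
        if not LIVE_DIR.search(live["path"]):
            continue
        name = live["path"].rsplit("\\", 1)[-1].lower()
        same = [r for r in refs
                if r["path"].rsplit("\\", 1)[-1].lower() == name
                and r["size"] == live["size"]]
        if same and all(r["md5"] != live["md5"] for r in same):
            findings.append({
                "live": live["path"],
                "live_md5": live["md5"],
                "reference": same[0]["path"],
                "reference_md5": same[0]["md5"],
            })
    return findings


if __name__ == "__main__":
    for f in find_tampered(parse_search(SEARCH_TXT)):
        print("TAMPERED:", f["live"], f["live_md5"])
        print("  restore from:", f["reference"], f["reference_md5"])
```

Note the limits of this check: it only says the live copy differs from the WinSxS copy. Which of the two is good still has to come from somewhere independent (a clean machine, the install media, or a vendor-published hash); here the FRST check and the user's symptoms point at the System32 copy.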
 
FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}
C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
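The fixlist above does two things: it moves the two ZeroAccess folders out of the way and replaces the patched services.exe with the copy from the WinSxS component store. What follows is an added example, not the thread's fixlist and not FRST's code, showing the replacement step with the checks a responder wants before trusting it: the reference copy must hash to a known-good value obtained independently, it must not be byte-identical to the tampered file, the tampered file is quarantined rather than deleted so it can be analysed, and the result is re-hashed after the copy. The file tree and file contents are constructed stand-ins for the real C:\Windows so the script runs offline; the "known-good" hash is computed from the clean bytes here and stands in for a value taken from a clean machine. MD5 is used only because that is what FRST reports.

```python
"""Replace a tampered system binary with its component-store copy, with checks.

Added example, not the thread's FRST fixlist. It does what the 'Replace:'
directive above does (copy the WinSxS services.exe over the System32 one) and
adds the checks a responder wants before trusting the copy. The file tree and
contents are constructed stand-ins for the real C:\Windows so the script runs
offline; the known-good hash is computed from the clean bytes here, standing
in for a value taken from a clean machine.
"""
import hashlib
import os
import shutil
import tempfile


def md5_of(path):
    """Hex MD5 of a file, uppercase to match FRST output."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def restore_from_reference(live, reference, quarantine_dir, expected_md5):
    """Quarantine `live`, copy `reference` over it, verify. Returns the hashes.

    Raises ValueError without touching anything when the reference is not
    trustworthy; a bare file copy with no such check would happily put a
    second infected copy into place."""
    live_md5 = md5_of(live)
    ref_md5 = md5_of(reference)
    if ref_md5 != expected_md5.upper():
        raise ValueError("reference %s hashes to %s, expected %s"
                         % (reference, ref_md5, expected_md5))
    if ref_md5 == live_md5:
        raise ValueError("live file already matches the reference; nothing to do")
    os.makedirs(quarantine_dir, exist_ok=True)
    # Keep the sample under a hash-tagged, non-executable name so it cannot be
    # run by accident and can be submitted for analysis.
    quarantined = os.path.join(quarantine_dir,
                               os.path.basename(live) + "." + live_md5[:8] + ".bin")
    shutil.move(live, quarantined)
    shutil.copy2(reference, live)          # copy2 keeps the reference's timestamps
    if md5_of(live) != ref_md5:
        raise RuntimeError("post-copy verification failed for %s" % live)
    return {"quarantined": quarantined, "old_md5": live_md5, "new_md5": ref_md5}


def demo():
    """Constructed stand-in for the fix above: a tampered System32 copy, a clean
    WinSxS copy, a second WinSxS copy that is itself bad, one good run and one
    refused run. All bytes here are made up; they are not real PE images."""
    clean = b"MZ" + b"\x90" * 62 + b"services.exe clean image (constructed)"
    tampered = bytearray(clean)
    tampered[40:48] = b"\xcc" * 8                # same size, patched in place
    expected_md5 = hashlib.md5(clean).hexdigest().upper()   # 'known good', out of band
    with tempfile.TemporaryDirectory() as root:
        live = os.path.join(root, "Windows", "System32", "services.exe")
        ref = os.path.join(root, "Windows", "winsxs", "amd64_servicecontroller", "services.exe")
        bad_ref = os.path.join(root, "Windows", "winsxs", "x86_servicecontroller", "services.exe")
        for path, data in ((live, bytes(tampered)), (ref, clean), (bad_ref, bytes(tampered))):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as fh:
                fh.write(data)
        quarantine = os.path.join(root, "quarantine")
        result = restore_from_reference(live, ref, quarantine, expected_md5)
        result["live_md5_after"] = md5_of(live)
        result["quarantined_md5"] = md5_of(result["quarantined"])
        result["expected_md5"] = expected_md5
        # A reference that does not hash to the known-good value must be refused.
        try:
            restore_from_reference(live, bad_ref, quarantine, expected_md5)
            result["refused_bad_reference"] = False
        except ValueError:
            result["refused_bad_reference"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The refusal path is the part worth keeping in mind: ZeroAccess patches services.exe in place, so a WinSxS copy is only a safe source if its hash is confirmed against something the infected machine did not produce.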
 
This is the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012

Ran by SYSTEM at 2012-08-22 12:31:22 Run:1

Running from E:\



==============================================



C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b} moved successfully.

C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b} moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe



==== End of Fixlog ====


I restarted the machine, and it hasn't shut itself down after two minutes (very good thing) but after about five minutes, a 'Windows Activation' notice popped up indicating that an unauthorized change was made to Windows, and an option to fix it online. Additionally, after a few more minutes, a Microsoft Security Essentials notice popped up indicating Windows did not pass genuine validation. I haven't done anything with either notice.
 
Good, they might be fake notices, or something bad may have happened internally. But, we'll get it checked out.

ComboFix

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
A curious thing is happening... I have disabled real time scanning on Microsoft Security Essentials and restarted my machine, but about 20 minutes after starting the (renamed) Combofix program, I get a message saying that it has detected that MSE is still doing real time scanning. I have started Combofix twice now, the second time in safe mode, but I'm still getting this message. Should I ignore it? It's telling me to proceed at my own risk. Should I attempt to remove MSE entirely? Could it be the virus mimicking MSE? Please advise.
 
Ok... I renamed the application to iexplore.exe and it worked... Took a while though, like over an hour for the whole process.

ComboFix 12-08-22.03 - David Summers 08/23/2012 14:01:01.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4056.2683 [GMT -7:00]

Running from: c:\users\David Summers\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Outdated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Outdated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{06468FFD-FF7E-4300-A2F6-D30163763D39}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{08A0F5D3-3C8B-4C73-B759-E5E483C0FC96}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{11670815-9E53-4326-94DF-1AB35FB0CF85}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{373C2F0C-871E-45E4-B8A3-DB69228064BC}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{3A4A6636-4D55-41A3-AD1D-038F07A9E702}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{444520C4-3F4C-4016-965D-D2412BD42078}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4BC1D76A-A112-492F-A1A5-73BAA816645E}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{5043551E-73BA-4A96-B78D-055711F07332}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{52351992-4E81-4D92-913D-D67C728A37BD}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{58793BA1-662B-40C7-806D-C2141C91D82F}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6BE57805-C0B6-4A5F-9E53-0CCBC2E5D0FA}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6C33CA68-2296-458C-8427-AAC887996B10}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6EEEAB47-4FB1-48FE-BEDA-E4661FC7790F}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{88458FEC-4B08-4DB1-A316-454DA43A9CD9}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8FC5F7A1-A504-48F5-B9D5-F8C3A134E252}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B6EA1FF6-7228-439D-A76D-5E25077E8662}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C686F443-355D-45AE-9CA3-4E22A975FEED}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D4AC299C-1A30-45ED-A1AD-B835AFFA242B}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D791E24F-9BB0-49DA-9347-60BD94566200}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E148D1E2-204C-46F0-93C4-D2F704ECD159}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E7BB829D-D88E-41C6-A05F-6043144B8321}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{EE04AF75-7FB0-4176-ACEC-8439092A31DD}.xps

c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F31CF414-D436-49F4-B419-C774A3EDD29D}.xps

.

.

((((((((((((((((((((((((( Files Created from 2012-07-23 to 2012-08-23 )))))))))))))))))))))))))))))))

.

.

2012-08-23 21:16 . 2012-08-23 21:16 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2520E821-4AE8-466C-A993-E70942E669C2}\offreg.dll

2012-08-17 17:38 . 2012-08-17 17:38 -------- d-----w- c:\users\David Summers\AppData\Roaming\Malwarebytes

2012-08-17 17:35 . 2012-08-17 17:35 -------- d-----w- c:\programdata\Malwarebytes

2012-08-17 17:35 . 2012-08-17 17:35 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-08-17 17:35 . 2012-07-03 20:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-16 13:40 . 2012-08-23 13:31 5176 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2012-08-15 22:02 . 2012-08-15 22:03 -------- d-----w- C:\FRST

2012-08-13 17:34 . 2012-08-13 17:34 -------- d-----w- C:\found.000

2012-08-12 09:16 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2520E821-4AE8-466C-A993-E70942E669C2}\mpengine.dll

2012-08-12 09:16 . 2012-08-13 01:37 -------- d-----w- c:\program files\Microsoft Security Client

2012-08-12 09:16 . 2012-08-12 09:16 -------- d-----w- c:\program files (x86)\Microsoft Security Client

2012-08-10 03:43 . 2012-08-10 03:43 -------- d-----w- c:\users\David Summers\AppData\Roaming\Creative

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-03 17:08 . 2012-07-03 12:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-03 17:08 . 2012-07-03 12:45 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-12 03:02 . 2012-07-11 12:21 3147264 ----a-w- c:\windows\system32\win32k.sys

2012-06-02 22:19 . 2012-06-18 23:25 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-18 23:26 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-18 23:26 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-18 23:26 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-18 23:25 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 22:19 . 2012-06-18 23:25 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-18 23:26 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-18 23:25 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 22:15 . 2012-06-18 23:25 99840 ----a-w- c:\windows\system32\wudriver.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2011-08-24 05:20 1515688 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-18 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]

"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]

"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]

"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]

"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-08-24 887976]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-08 559616]

"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2011-01-13 165184]

.

c:\users\David Summers\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]

Dropbox.lnk - c:\users\David Summers\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-18 136176]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-18 136176]

R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-10-07 327704]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [2010-07-20 70928]

R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [2010-07-20 24976]

R3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\DRIVERS\PTUMWCSP.sys [2010-07-20 173328]

R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [2010-07-20 12688]

R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [2010-07-20 173328]

R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [2010-07-20 143888]

R3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\DRIVERS\PTUMWNSP.sys [2010-07-20 173328]

R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [2010-07-20 173328]

R3 SMSIVZAM5X64;SMSIVZAM5X64 NDIS Protocol Driver;c:\progra~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [2009-05-25 43032]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-19 1255736]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-14 249648]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-05-08 215552]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-05-20 393728]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-23 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-03 17:08]

.

2012-08-23 c:\windows\Tasks\Free File Viewer Update Checker.job

- c:\program files (x86)\FreeFileViewer\FFVCheckForUpdates.exe [2011-05-25 23:50]

.

2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-18 23:26]

.

2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-18 23:26]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-01-18 368640]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-30 165912]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-30 385560]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-30 365080]

"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]

"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-07-02 3180624]

"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = https://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105

TCP: Interfaces\{B087D8A2-424B-440D-80FC-E3B3A46D696C}: NameServer = 66.174.92.14 69.78.235.35

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Toolbar-Locked - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,

89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b

"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,

d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,

27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,

ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3

"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,

aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83

"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,

b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb

"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,

d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:bf,67,51,f1,23,41,cd,01

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

c:\program files (x86)\Dell DataSafe Local Backup\Toaster.exe

c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe

.

**************************************************************************

.

Completion time: 2012-08-23 14:41:08 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-23 21:41

.

Pre-Run: 394,632,609,792 bytes free

Post-Run: 395,337,818,112 bytes free

.

- - End Of File - - ABCC5CD33E2A550A50BDA2CB09348530
 
Sometimes it won't disable it completely. And sometimes ComboFix is a little too sensitive, because it depends on the WMI console to tell it about antivirus settings.

ComboFix Script

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
 
One note before the logs: My computer has apparently lost the code associated with my copy of Windows 7 (which happened after the initial fixlist), and I keep getting messages saying it is ‘not genuine’ – should I look up the number and re-enter it, or will this be restored at the end of this whole process?

Below is the AdwCleaner log. The ComboFix log which was generated with the new instructions is over 12 times as long as the original one I posted. Posting limitations will require this new one to be posted in probably 5-6 postings. Is this how I need to handle it?

# AdwCleaner v1.801 - Logfile created 08/24/2012 at 09:22:54

# Updated 14/08/2012 by Xplode

# Operating system : Windows 7 Home Premium (64 bits)

# User : David Summers - DAVIDSUMMERS

# Boot Mode : Normal

# Running from : C:\Users\David Summers\Desktop\adwcleaner.exe

# Option [Search]





***** [Services] *****





***** [Files / Folders] *****



Folder Found : C:\Users\David Summers\AppData\LocalLow\AskToolbar

Folder Found : C:\Program Files (x86)\Ask.com

Folder Found : C:\Program Files (x86)\Free Offers from Freeze.com

Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}



***** [Registry] *****



Key Found : HKCU\Software\APN

Key Found : HKCU\Software\AppDataLow\Software\AskToolbar

Key Found : HKCU\Software\Ask.com

Key Found : HKCU\Software\Conduit

Key Found : HKLM\SOFTWARE\APN

Key Found : HKLM\SOFTWARE\AskToolbar

Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd

Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1

Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Found : HKLM\SOFTWARE\Conduit

Key Found : HKLM\SOFTWARE\Freeze.com

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

[x64] Key Found : HKCU\Software\APN

[x64] Key Found : HKCU\Software\AppDataLow\Software\AskToolbar

[x64] Key Found : HKCU\Software\Ask.com

[x64] Key Found : HKCU\Software\Conduit

[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

[x64] Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd

[x64] Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1

[x64] Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

[x64] Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

[x64] Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar

[x64] Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF



***** [Registre - GUID] *****



Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

[x64] Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

[x64] Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}

[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

[x64] Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

[x64] Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]



***** [Internet Browsers] *****



-\\ Internet Explorer v9.0.8112.16421



[OK] Registry is clean.



*************************



AdwCleaner[R1].txt - [5329 octets] - [24/08/2012 09:22:54]



########## EOF - C:\AdwCleaner[R1].txt - [5457 octets] ##########
 
Remove the Adware.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
Please post the log.


MGADiag
  1. Please download MGADiag and save it to your desktop.
  2. Double click the MGADiag icon on your desktop.
  3. Push Continue
  4. Push Save
  5. Go to Start -> Run and type in "Notepad"
  6. Go to Edit -> Paste in notepad.
  7. x out all of the numbers and letters in the line beginning with "Windows Product Key:"
  8. Copy and paste that log here.
 
Adware Log:



# AdwCleaner v1.801 - Logfile created 08/24/2012 at 11:54:09

# Updated 14/08/2012 by Xplode

# Operating system : Windows 7 Home Premium (64 bits)

# User : David Summers - DAVIDSUMMERS

# Boot Mode : Normal

# Running from : C:\Users\David Summers\Desktop\adwcleaner.exe

# Option [Delete]





***** [Services] *****





***** [Files / Folders] *****



Folder Deleted : C:\Users\David Summers\AppData\LocalLow\AskToolbar

Folder Deleted : C:\Program Files (x86)\Ask.com

Folder Deleted : C:\Program Files (x86)\Free Offers from Freeze.com

Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}



***** [Registry] *****



Key Deleted : HKCU\Software\APN

Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar

Key Deleted : HKCU\Software\Ask.com

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKLM\SOFTWARE\APN

Key Deleted : HKLM\SOFTWARE\AskToolbar

Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd

Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1

Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Deleted : HKLM\SOFTWARE\Conduit

Key Deleted : HKLM\SOFTWARE\Freeze.com

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

[x64] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF



***** [Registre - GUID] *****



Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}



***** [Internet Browsers] *****



-\\ Internet Explorer v9.0.8112.16421



[OK] Registry is clean.



*************************



AdwCleaner[R1].txt - [5414 octets] - [24/08/2012 09:22:54]

AdwCleaner[S1].txt - [3834 octets] - [24/08/2012 11:54:09]



########## EOF - C:\AdwCleaner[S1].txt - [3962 octets] ##########
 
MGADiag Log:



Diagnostic Report (1.9.0027.0):

-----------------------------------------

Windows Validation Data-->



Validation Code: 50

Cached Online Validation Code: N/A, hr = 0xc004f012

Windows Product Key: *****-*****-QCPVQ-KHRB8-RMV82

Windows Product Key Hash: +Rj3N34NLM2JqoBO/OzgzTZXgbY=

Windows Product ID: 00359-OEM-8992687-00095

Windows Product ID Type: 2

Windows License Type: OEM SLP

Windows OS version: 6.1.7600.2.00010300.0.0.003

ID: {FA7EE1E1-2507-4583-9DA0-4AF02DD324AA}(3)

Is Admin: Yes

TestCab: 0x0

LegitcheckControl ActiveX: N/A, hr = 0x80070002

Signed By: N/A, hr = 0x80070002

Product Name: Windows 7 Home Premium

Architecture: 0x00000009

Build lab: 7600.win7_gdr.120503-2030

TTS Error: T:20120822123426837-

Validation Diagnostic:

Resolution Status: N/A



Vista WgaER Data-->

ThreatID(s): N/A, hr = 0x80070002

Version: N/A, hr = 0x80070002



Windows XP Notifications Data-->

Cached Result: N/A, hr = 0x80070002

File Exists: No

Version: N/A, hr = 0x80070002

WgaTray.exe Signed By: N/A, hr = 0x80070002

WgaLogon.dll Signed By: N/A, hr = 0x80070002



OGA Notifications Data-->

Cached Result: N/A, hr = 0x80070002

Version: N/A, hr = 0x80070002

OGAExec.exe Signed By: N/A, hr = 0x80070002

OGAAddin.dll Signed By: N/A, hr = 0x80070002



OGA Data-->

Office Status: 109 N/A

OGA Version: N/A, 0x80070002

Signed By: N/A, hr = 0x80070002

Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3



Browser Data-->

Proxy settings: N/A

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)

Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Download signed ActiveX controls: Prompt

Download unsigned ActiveX controls: Disabled

Run ActiveX controls and plug-ins: Allowed

Initialize and script ActiveX controls not marked as safe: Disabled

Allow scripting of Internet Explorer Webbrowser control: Disabled

Active scripting: Allowed

Script ActiveX controls marked as safe for scripting: Allowed



File Scan Data-->



Other data-->

Office Details: <GenuineResults><MachineData><UGUID>{FA7EE1E1-2507-4583-9DA0-4AF02DD324AA}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010300.0.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-RMV82</PKey><PID>00359-OEM-8992687-00095</PID><PIDType>2</PIDType><SID>S-1-5-21-537569146-1648169935-3628921157</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1545 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A14</Version><SMBIOSVersion major="2" minor="4"/><Date>20091207000000.000000+000</Date></BIOS><HWID>84BB3607018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>WN09 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>



Spsys.log Content:



Licensing Data-->

Software licensing service version: 6.1.7600.16385

Error: product key not found.



Windows Activation Technologies-->

HrOffline: 0x00000000

HrOnline: 0x00000000

HealthStatus: 0x0000000000000000

Event Time Stamp: 6:20:2012 07:49

ActiveX: Registered, Version: 7.1.7600.16395

Admin Service: Registered, Version: 7.1.7600.16395

HealthStatus Bitmask Output:





HWID Data-->

HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEA6GEutr4q2jOcC3YOKB9UbeJFwCBGyg==



OEM Activation 1.0 Data-->

N/A



OEM Activation 2.0 Data-->

BIOS valid for OA 2.0: yes

Windows marker version: 0x20001

OEMID and OEMTableID Consistent: yes

BIOS Information:

ACPI Table Name   OEMID Value   OEMTableID Value
APIC              DELL          WN09
FACP              DELL          WN09
HPET              DELL          WN09
MCFG              DELL          WN09
SLIC              DELL          WN09
SSDT              PmRef         CpuPm
 
Licensing Data-->

Software licensing service version: 6.1.7600.16385

Error: product key not found.
Do you have the product key? Couldn't remember if you said that or not.

Remove the Adware.
  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
Please post the log.
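As an added example (not part of the thread, and not code from MGADiag or any tool mentioned here), a small Python helper that splits an MGADiag report like the one posted above into sections and applies the reasoning behind the product-key question: an OEM SLP licence relies on the SLIC ACPI table in BIOS plus the OEM key held by the software licensing service, so "product key not found" next to a valid SLIC table points to the key itself having been removed. The SAMPLE_REPORT excerpt is constructed from lines of the report above.

```python
# Added triage helper for MGADiag output; not part of the thread or of MGADiag.
SAMPLE_REPORT = """\
Windows Validation Data-->
Validation Code: 50
Windows License Type: OEM SLP
Licensing Data-->
Error: product key not found.
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
ACPI Table Name OEMID Value OEMTableID Value
SLIC DELL WN09
"""  # constructed excerpt of the report lines the checks below use


def parse_mgadiag(text):
    """Split a report into {section: {key: value}}.  Section headers end
    in '-->', most lines are 'Key: Value', and three-column ACPI rows
    (e.g. 'SLIC DELL WN09') are stored under an 'ACPI <table>' key."""
    sections, current = {}, "(preamble)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("-->"):
            current = line[:-3].strip()
            sections.setdefault(current, {})
            continue
        bucket = sections.setdefault(current, {})
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            bucket[key.strip()] = value.strip()
        elif len(cols := line.split()) == 3:
            bucket["ACPI " + cols[0]] = " ".join(cols[1:])
    return sections


def triage(sections):
    """Mirror the thread's reading of the report: an OEM SLP licence needs
    the SLIC ACPI table in BIOS plus the OEM key in the licensing service;
    'product key not found' with a valid SLIC means the key itself is gone."""
    val = sections.get("Windows Validation Data", {})
    lic = sections.get("Licensing Data", {})
    oa2 = sections.get("OEM Activation 2.0 Data", {})
    f = {
        "license_type": val.get("Windows License Type", "unknown"),
        "slic_present": "ACPI SLIC" in oa2,
        "bios_valid_for_oa2": oa2.get("BIOS valid for OA 2.0", "").lower() == "yes",
        "key_missing": lic.get("Error", "").lower().startswith("product key not found"),
    }
    f["oem_key_lost"] = (f["license_type"] == "OEM SLP" and f["slic_present"]
                         and f["bios_valid_for_oa2"] and f["key_missing"])
    return f
```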
 
I am still looking for my product key, but I can still function with it for the time being.
Also... for purposes of clarification, do you want me to try to post the second ComboFix log? It is running 111 pages in Word. I've made about 5 attempts to post it, but I haven't found the largest acceptable size to break it up into. 18 pages translates roughly into 50,000 characters, but even with 16-17 pages I'm getting error messages.

This is the latest log generated by AdwCleaner:

# AdwCleaner v1.801 - Logfile created 08/25/2012 at 10:53:19
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : David Summers - DAVIDSUMMERS
# Boot Mode : Normal
# Running from : C:\Users\David Summers\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Registre - GUID] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [5414 octets] - [24/08/2012 09:22:54]
AdwCleaner[S1].txt - [3955 octets] - [24/08/2012 11:54:09]
AdwCleaner[S2].txt - [676 octets] - [25/08/2012 10:53:19]
########## EOF - C:\AdwCleaner[S2].txt - [803 octets] ##########
 
Oops. I read so fast sometimes and try to answer all the questions I can. My apologies, just now saw this:

Below is the ADWCleaner log. The Combofix log which was generated with the new instructions is over 12 times as long as the original one I posted. Posting limitations will require this new one to be posted in probably 5-6 postings. Is this how I need to handle it?
If it is too difficult for you to post here, then the log can be uploaded to www.mediafire.com, which is a free cloud service that provides storage for documents, photos, etc. Please use that service to upload it, and then click on the Share button after it finishes upload and it will provide a download link. Post that in your next reply, please.
 
Looks good (surprisingly)...

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
Here is the ESET log:

C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan deleted - quarantined
C:\FRST\Quarantine\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\n Win64/Sirefef.W trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U\800000cb.@ Win64/Sirefef.AH trojan cleaned by deleting - quarantined
C:\Users\David Summers\Documents\cqze.exe Win32/Adware.WinAntiVirus.AD application cleaned by deleting - quarantined
 
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
You guys are awesome.

The only continuing problems I'm having are: 1.) My webcam is still unresponsive. 2.) The product code got deleted early on, so I'm getting messages that my version of Windows is not 'genuine' but it still functions. I'm going to see if I can find my original paperwork. I looked around on the Microsoft site, but I didn't see any indication that they can walk you through an 'override' if you can't find your legitimately purchased code... and I'm certainly not paying for another.

Neither of these problems are going to keep me from using my laptop - like the virus was doing - so I'm good to go, unless you know of a way we can tackle the issues I've listed.

Thanks a ton!
 
Now, how is your webcam unresponsive... just not working? Will not move at a clear picture? Need more info on that please.

For the product key, please use the Magical Jelly Bean Keyfinder and see if it will find your product key. You should write it down, if this utility found it.
 
The webcam tells me "Please plug in a supported device" and shows me no image... makes me wonder if the driver software was compromised, as the camera is built into my laptop, and I've made no changes to it. The magical jelly bean turned up nothing. I'm going to look for my documentation around the house.
 