TechSpot

Windows 7 laptop infected with sirefef.y Trojan

Solved
By David Summers
Aug 21, 2012
  1. I don't know how long my machine has been infected, but it had been behaving strangely in the days, maybe weeks, prior to an actual diagnosis of the sirefef.y Trojan - i.e. playing strange music at times when I was online, and video camera malfunction. When I discovered that my Windows Security Essentials wouldn't function, I downloaded the current version and got it running. It wasn't long, however, before I fell into a loop whereby the computer would find the virus and then force restart after about a minute... which was never long enough to clean the virus. Initially it was the sirefef.w Trojan, but it appears that Security Essentials caught and cleaned that one... Now it's the y version, and I have had no success trying to isolate it and close it out in Task Manager prior to the forced restart. Additionally, I have downloaded Malwarebytes' Anti-Malware, GMER and DDS, and have started the scanning process multiple times with all three individually, as well as Microsoft Security Essentials - but none are able to finish the process before the virus does its thing - even in safe mode. Even DDS, which isn't supposed to take longer than 3 minutes, has no time to complete its processes.



    Any assistance would be appreciated.



    Below is the log generated by the Farbar recovery scan tool:



    Scan result of Farbar Recovery Scan Tool Version: 15-08-2012

    Ran by SYSTEM at 21-08-2012 06:52:00

    Running from E:\

    Windows 7 Home Premium (X64) OS Language: English(US)

    The current controlset is ControlSet001



    ========================== Registry (Whitelisted) =============



    HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [368640 2010-01-17] (Alps Electric Co., Ltd.)

    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-28] (IDT, Inc.)

    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2009-06-30] (Intel Corporation)

    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [385560 2009-06-30] (Intel Corporation)

    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365080 2009-06-30] (Intel Corporation)

    HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)

    HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)

    HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)

    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)

    HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807600 2009-11-13] ()

    HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-12-29] (CyberLink Corp.)

    HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)

    HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()

    HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)

    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)

    HKLM-x32\...\Run: [] [x]

    HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-24] (Ask)

    HKU\David Summers\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-09-18] (Google Inc.)

    HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)

    HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)

    HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-07] (Dell)

    HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe [165184 2011-01-13] (Softthinks)

    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

    Tcpip\..\Interfaces\{B087D8A2-424B-440D-80FC-E3B3A46D696C}: [NameServer]66.174.92.14 69.78.235.35

    Startup: C:\Users\David Summers\Start Menu\Programs\Startup\Dell Dock.lnk

    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

    Startup: C:\Users\David Summers\Start Menu\Programs\Startup\Dropbox.lnk

    ShortcutTarget: Dropbox.lnk -> (No File)

    Startup: C:\Users\David Summers\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk

    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk

    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)



    ==================== Services (Whitelisted) ======



    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)

    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

    2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-28] (IDT, Inc.)



    ========================== Drivers (Whitelisted) =============



    3 PTUMWBus; C:\Windows\System32\Drivers\PTUMWBus.sys [70928 2010-07-20] (DEVGURU Co., LTD.)

    3 PTUMWCDF; C:\Windows\System32\Drivers\PTUMWCDF.sys [24976 2010-07-20] (DEVGURU Co., LTD.)

    3 PTUMWCSP; C:\Windows\System32\Drivers\PTUMWCSP.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))

    3 PTUMWFLT; C:\Windows\System32\Drivers\PTUMWFLT.sys [12688 2010-07-20] (DEVGURU Co., LTD.)

    3 PTUMWMdm; C:\Windows\System32\Drivers\PTUMWMdm.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))

    3 PTUMWNET; C:\Windows\System32\Drivers\PTUMWNET.sys [143888 2010-07-20] (DEVGURU Co., LTD.)

    3 PTUMWNSP; C:\Windows\System32\Drivers\PTUMWNSP.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))

    3 PTUMWVsp; C:\Windows\System32\Drivers\PTUMWVsp.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))

    3 SMSIVZAM5X64; \??\C:\PROGRA~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [43032 2009-05-25] (Smith Micro Inc.)



    ========================== NetSvcs (Whitelisted) ===========





    ============ One Month Created Files and Folders ==============



    2012-08-17 12:38 - 2012-08-17 12:38 - 00000000 ____D C:\Users\David Summers\Application Data\Malwarebytes

    2012-08-17 12:38 - 2012-08-17 12:38 - 00000000 ____D C:\Users\David Summers\AppData\Roaming\Malwarebytes

    2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

    2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk

    2012-08-17 12:35 - 2012-08-17 12:35 - 00000000 ____D C:\Users\All Users\Malwarebytes

    2012-08-17 12:35 - 2012-08-17 12:35 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes

    2012-08-17 12:35 - 2012-08-17 12:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

    2012-08-17 12:35 - 2012-07-03 15:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

    2012-08-17 12:32 - 2012-08-17 12:07 - 00607260 ____R (Swearware) C:\Users\David Summers\Desktop\dds.com

    2012-08-17 12:32 - 2012-08-17 12:07 - 00302592 ____A C:\Users\David Summers\Desktop\4klg889o.exe

    2012-08-17 12:31 - 2012-08-17 12:05 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\David Summers\Desktop\mbam-setup-1.62.0.1300.exe

    2012-08-16 09:36 - 2012-08-21 08:17 - 00019074 ____A C:\Users\David Summers\Desktop\yorkyt.exe.log

    2012-08-16 09:36 - 2012-08-16 09:23 - 01415784 ____A C:\Users\David Summers\Desktop\yorkyt.exe

    2012-08-16 09:32 - 2012-08-16 09:26 - 74900016 ____A (Microsoft Corporation) C:\Users\David Summers\Desktop\msert.exe

    2012-08-16 08:40 - 2012-08-16 08:40 - 00005176 ____A C:\Windows\System32\PerfStringBackup.TMP

    2012-08-15 17:02 - 2012-08-15 17:03 - 00000000 ____D C:\FRST

    2012-08-13 12:36 - 2012-08-13 12:36 - 00006704 ____N C:\bootsqm.dat

    2012-08-13 12:34 - 2012-08-13 12:34 - 00000000 __SHD C:\found.000

    2012-08-12 20:37 - 2012-08-12 20:37 - 00001945 ____A C:\Windows\epplauncher.mif

    2012-08-12 04:16 - 2012-08-12 20:37 - 00000000 ____D C:\Program Files\Microsoft Security Client

    2012-08-12 04:16 - 2012-08-12 04:16 - 00743856 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

    2012-08-12 04:16 - 2012-08-12 04:16 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

    2012-08-12 04:07 - 2012-08-12 04:07 - 00000000 ____D C:\Users\David Summers\Desktop\Court

    2012-08-09 22:43 - 2012-08-09 22:44 - 00000000 ____D C:\Users\David Summers\My Documents\Dell WebCam Central

    2012-08-09 22:43 - 2012-08-09 22:44 - 00000000 ____D C:\Users\David Summers\Documents\Dell WebCam Central

    2012-08-09 22:43 - 2012-08-09 22:43 - 00000000 ____D C:\Users\David Summers\Application Data\Creative

    2012-08-09 22:43 - 2012-08-09 22:43 - 00000000 ____D C:\Users\David Summers\AppData\Roaming\Creative

    2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk

    2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\All Users\Desktop\Skype.lnk



    ============ 3 Months Modified Files ========================



    2012-08-21 08:28 - 2009-07-13 23:51 - 00072444 ____A C:\Windows\setupact.log

    2012-08-21 08:26 - 2011-05-25 08:22 - 00000418 ____A C:\Windows\Tasks\Free File Viewer Update Checker.job

    2012-08-21 08:26 - 2010-09-18 18:26 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

    2012-08-21 08:26 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

    2012-08-21 08:17 - 2012-08-16 09:36 - 00019074 ____A C:\Users\David Summers\Desktop\yorkyt.exe.log

    2012-08-17 12:50 - 2010-09-18 18:26 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

    2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

    2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk

    2012-08-17 12:07 - 2012-08-17 12:32 - 00607260 ____R (Swearware) C:\Users\David Summers\Desktop\dds.com

    2012-08-17 12:07 - 2012-08-17 12:32 - 00302592 ____A C:\Users\David Summers\Desktop\4klg889o.exe

    2012-08-17 12:05 - 2012-08-17 12:31 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\David Summers\Desktop\mbam-setup-1.62.0.1300.exe

    2012-08-16 09:26 - 2012-08-16 09:32 - 74900016 ____A (Microsoft Corporation) C:\Users\David Summers\Desktop\msert.exe

    2012-08-16 09:23 - 2012-08-16 09:36 - 01415784 ____A C:\Users\David Summers\Desktop\yorkyt.exe

    2012-08-16 08:40 - 2012-08-16 08:40 - 00005176 ____A C:\Windows\System32\PerfStringBackup.TMP

    2012-08-15 19:08 - 2012-07-03 07:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

    2012-08-15 10:05 - 2009-07-14 00:08 - 00032630 ____A C:\Windows\Tasks\SCHEDLGU.TXT

    2012-08-13 18:23 - 2009-07-14 00:10 - 01292325 ____A C:\Windows\WindowsUpdate.log

    2012-08-13 12:36 - 2012-08-13 12:36 - 00006704 ____N C:\bootsqm.dat

    2012-08-12 20:37 - 2012-08-12 20:37 - 00001945 ____A C:\Windows\epplauncher.mif

    2012-08-12 04:16 - 2012-08-12 04:16 - 00743856 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

    2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk

    2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\All Users\Desktop\Skype.lnk

    2012-08-03 12:08 - 2012-07-03 07:45 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

    2012-08-03 12:08 - 2012-07-03 07:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

    2012-07-11 07:27 - 2009-07-13 23:45 - 00414656 ____A C:\Windows\System32\FNTCACHE.DAT

    2012-07-11 07:19 - 2012-07-11 07:19 - 00004608 ____A C:\Users\David Summers\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    2012-07-11 07:19 - 2012-07-11 07:19 - 00004608 ____A C:\Users\David Summers\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    2012-07-11 07:19 - 2012-07-11 07:19 - 00004608 ____A C:\Users\David Summers\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    2012-07-03 15:46 - 2012-08-17 12:35 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

    2012-06-29 10:52 - 2012-06-26 07:52 - 00017435 ____H C:\Users\David Summers\Desktop\~WRL0004.tmp

    2012-06-11 22:02 - 2012-07-11 07:21 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    2012-06-02 17:19 - 2012-06-18 18:26 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

    2012-06-02 17:19 - 2012-06-18 18:26 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

    2012-06-02 17:19 - 2012-06-18 18:26 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

    2012-06-02 17:19 - 2012-06-18 18:25 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

    2012-06-02 17:19 - 2012-06-18 18:25 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

    2012-06-02 17:19 - 2012-06-18 18:25 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

    2012-06-02 17:15 - 2012-06-18 18:26 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

    2012-06-02 17:15 - 2012-06-18 18:25 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

    2012-06-02 17:15 - 2012-06-18 18:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe



    ZeroAccess:

    C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}

    C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\@

    C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\L

    C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\n

    C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U

    C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U\00000001.@

    C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U\800000cb.@



    ZeroAccess:

    C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}

    C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\@

    C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\L

    C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U



    ========================= Known DLLs (Whitelisted) ============





    ========================= Bamital & volsnap Check ============



    C:\Windows\System32\winlogon.exe => MD5 is legit

    C:\Windows\System32\wininit.exe => MD5 is legit

    C:\Windows\SysWOW64\wininit.exe => MD5 is legit

    C:\Windows\explorer.exe => MD5 is legit

    C:\Windows\SysWOW64\explorer.exe => MD5 is legit

    C:\Windows\System32\svchost.exe => MD5 is legit

    C:\Windows\SysWOW64\svchost.exe => MD5 is legit

    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

    C:\Windows\System32\User32.dll => MD5 is legit

    C:\Windows\SysWOW64\User32.dll => MD5 is legit

    C:\Windows\System32\userinit.exe => MD5 is legit

    C:\Windows\SysWOW64\userinit.exe => MD5 is legit

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit



    ==================== EXE ASSOCIATION =====================



    HKLM\...\.exe: exefile => OK

    HKLM\...\exefile\DefaultIcon: %1 => OK

    HKLM\...\exefile\open\command: "%1" %* => OK



    ========================= Memory info ======================



    Percentage of memory in use: 14%

    Total physical RAM: 4056.36 MB

    Available physical RAM: 3474.73 MB

    Total Pagefile: 4054.51 MB

    Available Pagefile: 3470.74 MB

    Total Virtual: 8192 MB

    Available Virtual: 8191.9 MB



    ======================= Partitions =========================



    1 Drive c: (OS) (Fixed) (Total:451.07 GB) (Free:365.89 GB) NTFS

    2 Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.14 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    3 Drive e: () (Removable) (Total:7.45 GB) (Free:0.53 GB) FAT32

    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS



    Disk ### Status Size Free Dyn Gpt

    -------- ------------- ------- ------- --- ---

    Disk 0 Online 465 GB 0 B

    Disk 1 No Media 0 B 0 B

    Disk 2 Online 7629 MB 0 B



    Partitions of Disk 0:

    ===============



    Partition ### Type Size Offset

    ------------- ---------------- ------- -------

    Partition 1 OEM 39 MB 31 KB

    Partition 2 Primary 14 GB 40 MB

    Partition 3 Primary 451 GB 14 GB



    ==================================================================================



    Disk: 0

    Partition 1

    Type : DE

    Hidden: Yes

    Active: No



    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 5 FAT Partition 39 MB Healthy Hidden



    ==================================================================================



    Disk: 0

    Partition 2

    Type : 07

    Hidden: No

    Active: Yes



    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 1 D RECOVERY NTFS Partition 14 GB Healthy



    ==================================================================================



    Disk: 0

    Partition 3

    Type : 07

    Hidden: No

    Active: No



    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 2 C OS NTFS Partition 451 GB Healthy



    ==================================================================================



    Partitions of Disk 2:

    ===============



    Partition ### Type Size Offset

    ------------- ---------------- ------- -------

    Partition 1 Primary 7629 MB 16 KB



    ==================================================================================



    Disk: 2

    Partition 1

    Type : 0B

    Hidden: No

    Active: No



    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 4 E FAT32 Removable 7629 MB Healthy



    ==================================================================================



    Last Boot: 2012-08-09 10:17



    ======================= End Of Log ==========================
  2. Jay Pfoutz, Malware Helper

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
  3. David Summers, Topic Starter

    Wow... The scan took about 15 minutes... Was expecting a longer log:

    Farbar Recovery Scan Tool Version: 15-08-2012

    Ran by SYSTEM at 2012-08-22 05:50:34

    Running from E:\



    ================== Search: "services.exe" ===================



    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

    [2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB



    C:\Windows\System32\services.exe

    [2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06



    ====== End Of Search ======
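The Search.txt above shows the point of the hash check: the live services.exe and the WinSxS copy have the same size and the same timestamps but different MD5s, so only the hash gives the file away. As an added example (not part of the thread and not FRST's own code), the Python below parses that two-line FRST search layout and flags any copy outside WinSxS whose hash differs from the component-store reference; the log text is embedded as constructed input using the values from the post.

```python
"""Compare the MD5 of a live system binary against its WinSxS reference copy,
using the two-line "path / details" layout of an FRST Search.txt log."""
import re
from collections import defaultdict

# Constructed input: the Search.txt posted above, with surrounding whitespace trimmed.
SEARCH_TXT = """\
Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-22 05:50:34
Running from E:\\

================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\\Windows\\System32\\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# Detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_search(text):
    """Return one dict per file found: path, created, modified, size, attrs, company, md5."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        # A path line is immediately followed by its detail line.
        if PATH_RE.match(line):
            m = DETAIL_RE.match(lines[i + 1])
            if m:
                e = m.groupdict()
                e["path"] = line
                e["size"] = int(e["size"])
                e["md5"] = e["md5"].upper()
                entries.append(e)
    return entries


def is_winsxs(path):
    """True for copies living in the component store (the reference copies)."""
    return "\\winsxs\\" in path.lower()


def check_against_winsxs(entries):
    """Group entries by file name and compare each live copy with the WinSxS copies.

    Returns one finding per live (non-WinSxS) copy. Matching size and timestamps
    are recorded separately because a binary patched in place typically keeps both,
    as the services.exe in this thread does; they are not evidence of integrity.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for group in by_name.values():
        refs = [e for e in group if is_winsxs(e["path"])]
        ref_md5s = {r["md5"] for r in refs}
        for e in (x for x in group if not is_winsxs(x["path"])):
            finding = {
                "path": e["path"],
                "md5": e["md5"],
                "reference_md5s": sorted(ref_md5s),
                "hash_matches_reference": e["md5"] in ref_md5s,
                "size_and_times_match": any(
                    e["size"] == r["size"]
                    and e["created"] == r["created"]
                    and e["modified"] == r["modified"]
                    for r in refs
                ),
            }
            if not ref_md5s:
                finding["status"] = "no WinSxS reference copy found"
            elif finding["hash_matches_reference"]:
                finding["status"] = "OK"
            else:
                finding["status"] = "MISMATCH: differs from component store copy"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in check_against_winsxs(parse_search(SEARCH_TXT)):
        print(f["status"], f["path"], f["md5"], "refs:", f["reference_md5s"],
              "size/times match:", f["size_and_times_match"])
```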
  4. Jay Pfoutz, Malware Helper

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
  5. David Summers, Topic Starter

    This is the log:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012

    Ran by SYSTEM at 2012-08-22 12:31:22 Run:1

    Running from E:\



    ==============================================



    C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b} moved successfully.

    C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b} moved successfully.

    C:\Windows\System32\services.exe moved successfully.

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe



    ==== End of Fixlog ====


    I restarted the machine, and it hasn't shut itself down after two minutes (very good thing), but after about five minutes a 'Windows Activation' notice popped up indicating that an unauthorized change was made to Windows, with an option to fix it online. Additionally, after a few more minutes, a Microsoft Security Essentials notice popped up indicating Windows did not pass genuine validation. I haven't done anything with either notice.
  6. Jay Pfoutz, Malware Helper

    Good, they might be fake notices, or something bad may have happened internally. But, we'll get it checked out.

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  7. David Summers, Topic Starter

    A curious thing is happening... I have disabled real time scanning on Microsoft Security Essentials and restarted my machine, but about 20 minutes after starting the (renamed) Combofix program, I get a message saying that it has detected that MSE is still doing real time scanning. I have started Combofix twice now, the second time in safe mode, but I'm still getting this message. Should I ignore it? It's telling me to proceed at my own risk. Should I attempt to remove MSE entirely? Could it be the virus mimicking MSE? Please advise.
  8. David Summers, Topic Starter

    Ok... I labeled the application iexplore.exe and it worked... Took a while though, like over an hour for the whole process.

    ComboFix 12-08-22.03 - David Summers 08/23/2012 14:01:01.1.2 - x64

    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4056.2683 [GMT -7:00]

    Running from: c:\users\David Summers\Desktop\ComboFix.exe

    AV: Microsoft Security Essentials *Disabled/Outdated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

    SP: Microsoft Security Essentials *Disabled/Outdated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{06468FFD-FF7E-4300-A2F6-D30163763D39}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{08A0F5D3-3C8B-4C73-B759-E5E483C0FC96}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{11670815-9E53-4326-94DF-1AB35FB0CF85}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{373C2F0C-871E-45E4-B8A3-DB69228064BC}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{3A4A6636-4D55-41A3-AD1D-038F07A9E702}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{444520C4-3F4C-4016-965D-D2412BD42078}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4BC1D76A-A112-492F-A1A5-73BAA816645E}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{5043551E-73BA-4A96-B78D-055711F07332}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{52351992-4E81-4D92-913D-D67C728A37BD}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{58793BA1-662B-40C7-806D-C2141C91D82F}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6BE57805-C0B6-4A5F-9E53-0CCBC2E5D0FA}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6C33CA68-2296-458C-8427-AAC887996B10}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6EEEAB47-4FB1-48FE-BEDA-E4661FC7790F}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{88458FEC-4B08-4DB1-A316-454DA43A9CD9}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8FC5F7A1-A504-48F5-B9D5-F8C3A134E252}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B6EA1FF6-7228-439D-A76D-5E25077E8662}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C686F443-355D-45AE-9CA3-4E22A975FEED}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D4AC299C-1A30-45ED-A1AD-B835AFFA242B}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D791E24F-9BB0-49DA-9347-60BD94566200}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E148D1E2-204C-46F0-93C4-D2F704ECD159}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E7BB829D-D88E-41C6-A05F-6043144B8321}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{EE04AF75-7FB0-4176-ACEC-8439092A31DD}.xps

    c:\users\David Summers\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F31CF414-D436-49F4-B419-C774A3EDD29D}.xps

    .

    .

    ((((((((((((((((((((((((( Files Created from 2012-07-23 to 2012-08-23 )))))))))))))))))))))))))))))))

    .

    .

    2012-08-23 21:16 . 2012-08-23 21:16 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2520E821-4AE8-466C-A993-E70942E669C2}\offreg.dll

    2012-08-17 17:38 . 2012-08-17 17:38 -------- d-----w- c:\users\David Summers\AppData\Roaming\Malwarebytes

    2012-08-17 17:35 . 2012-08-17 17:35 -------- d-----w- c:\programdata\Malwarebytes

    2012-08-17 17:35 . 2012-08-17 17:35 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

    2012-08-17 17:35 . 2012-07-03 20:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

    2012-08-16 13:40 . 2012-08-23 13:31 5176 ----a-w- c:\windows\system32\PerfStringBackup.TMP

    2012-08-15 22:02 . 2012-08-15 22:03 -------- d-----w- C:\FRST

    2012-08-13 17:34 . 2012-08-13 17:34 -------- d-----w- C:\found.000

    2012-08-12 09:16 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2520E821-4AE8-466C-A993-E70942E669C2}\mpengine.dll

    2012-08-12 09:16 . 2012-08-13 01:37 -------- d-----w- c:\program files\Microsoft Security Client

    2012-08-12 09:16 . 2012-08-12 09:16 -------- d-----w- c:\program files (x86)\Microsoft Security Client

    2012-08-10 03:43 . 2012-08-10 03:43 -------- d-----w- c:\users\David Summers\AppData\Roaming\Creative

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2012-08-03 17:08 . 2012-07-03 12:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

    2012-08-03 17:08 . 2012-07-03 12:45 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

    2012-06-12 03:02 . 2012-07-11 12:21 3147264 ----a-w- c:\windows\system32\win32k.sys

    2012-06-02 22:19 . 2012-06-18 23:25 38424 ----a-w- c:\windows\system32\wups.dll

    2012-06-02 22:19 . 2012-06-18 23:26 2428952 ----a-w- c:\windows\system32\wuaueng.dll

    2012-06-02 22:19 . 2012-06-18 23:26 57880 ----a-w- c:\windows\system32\wuauclt.exe

    2012-06-02 22:19 . 2012-06-18 23:26 44056 ----a-w- c:\windows\system32\wups2.dll

    2012-06-02 22:19 . 2012-06-18 23:25 186752 ----a-w- c:\windows\system32\wuwebv.dll

    2012-06-02 22:19 . 2012-06-18 23:25 701976 ----a-w- c:\windows\system32\wuapi.dll

    2012-06-02 22:15 . 2012-06-18 23:26 2622464 ----a-w- c:\windows\system32\wucltux.dll

    2012-06-02 22:15 . 2012-06-18 23:25 36864 ----a-w- c:\windows\system32\wuapp.exe

    2012-06-02 22:15 . 2012-06-18 23:25 99840 ----a-w- c:\windows\system32\wudriver.dll

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]

    .

    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

    .

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

    2011-08-24 05:20 1515688 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]

    .

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    .

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

    2011-12-05 19:17 94208 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

    2011-12-05 19:17 94208 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

    2011-12-05 19:17 94208 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-18 39408]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

    "Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]

    "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]

    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]

    "Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]

    "DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

    "ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-08-24 887976]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

    "c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-08 559616]

    "Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2011-01-13 165184]

    .

    c:\users\David Summers\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]

    Dropbox.lnk - c:\users\David Summers\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]

    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]

    .

    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "ConsentPromptBehaviorAdmin"= 5 (0x5)

    "ConsentPromptBehaviorUser"= 3 (0x3)

    "EnableUIADesktopToggle"= 0 (0x0)

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

    @=""

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

    @="Service"

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

    @="Driver"

    .

    R2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-18 136176]

    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]

    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]

    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-18 136176]

    R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-10-07 327704]

    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]

    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]

    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

    R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [2010-07-20 70928]

    R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [2010-07-20 24976]

    R3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\DRIVERS\PTUMWCSP.sys [2010-07-20 173328]

    R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [2010-07-20 12688]

    R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [2010-07-20 173328]

    R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [2010-07-20 143888]

    R3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\DRIVERS\PTUMWNSP.sys [2010-07-20 173328]

    R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [2010-07-20 173328]

    R3 SMSIVZAM5X64;SMSIVZAM5X64 NDIS Protocol Driver;c:\progra~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [2009-05-25 43032]

    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-19 1255736]

    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]

    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

    S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-14 249648]

    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]

    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]

    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-05-08 215552]

    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-05-20 393728]

    .

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2012-08-23 c:\windows\Tasks\Adobe Flash Player Updater.job

    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-03 17:08]

    .

    2012-08-23 c:\windows\Tasks\Free File Viewer Update Checker.job

    - c:\program files (x86)\FreeFileViewer\FFVCheckForUpdates.exe [2011-05-25 23:50]

    .

    2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-18 23:26]

    .

    2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-18 23:26]

    .

    .

    --------- X64 Entries -----------

    .

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

    2011-12-05 19:17 97792 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

    2011-12-05 19:17 97792 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

    2011-12-05 19:17 97792 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

    2011-12-05 19:17 97792 ----a-w- c:\users\David Summers\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-01-18 368640]

    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]

    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-30 165912]

    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-30 385560]

    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-30 365080]

    "Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]

    "QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-07-02 3180624]

    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]

    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

    "LoadAppInit_DLLs"=0x0

    .

    ------- Supplementary Scan -------

    .

    uLocal Page = c:\windows\system32\blank.htm

    uStart Page = https://www.google.com/

    mLocal Page = c:\windows\SysWOW64\blank.htm

    IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000

    IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105

    TCP: Interfaces\{B087D8A2-424B-440D-80FC-E3B3A46D696C}: NameServer = 66.174.92.14 69.78.235.35

    .

    - - - - ORPHANS REMOVED - - - -

    .

    Toolbar-Locked - (no file)

    Toolbar-Locked - (no file)

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

    .

    .

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

    @Denied: (2) (LocalSystem)

    "{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,

    89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b

    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,

    d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54

    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,

    27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b

    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

    "{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,

    ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3

    "{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,

    aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83

    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,

    b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb

    "{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,

    d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b

    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

    .

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

    @Denied: (2) (LocalSystem)

    "Timestamp"=hex:bf,67,51,f1,23,41,cd,01

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

    "Enabled"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

    @Denied: (A 2) (Everyone)

    @="Shockwave Flash Object"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

    "ThreadingModel"="Apartment"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

    @="0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

    @="ShockwaveFlash.ShockwaveFlash.11"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

    @="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

    @="ShockwaveFlash.ShockwaveFlash"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

    @Denied: (A 2) (Everyone)

    @="Macromedia Flash Factory Object"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

    "ThreadingModel"="Apartment"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

    @="FlashFactory.FlashFactory.1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

    @="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

    @="FlashFactory.FlashFactory"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker4"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

    @Denied: (A) (Everyone)

    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

    @Denied: (A) (Everyone)

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

    "Key"="ActionsPane3"

    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

    @Denied: (A) (Users)

    @Denied: (A) (Everyone)

    @Allowed: (B 1 2 3 4 5) (S-1-5-20)

    "BlindDial"=dword:00000000

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

    @Denied: (Full) (Everyone)

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

    c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

    c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

    c:\program files (x86)\Dell DataSafe Local Backup\Toaster.exe

    c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe

    .

    **************************************************************************

    .

    Completion time: 2012-08-23 14:41:08 - machine was rebooted

    ComboFix-quarantined-files.txt 2012-08-23 21:41

    .

    Pre-Run: 394,632,609,792 bytes free

    Post-Run: 395,337,818,112 bytes free

    .

    - - End Of File - - ABCC5CD33E2A550A50BDA2CB09348530
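The ComboFix log above prints every autostart in a handful of fixed line shapes (`"Name"="path" [date size]` under a Run key, `Name.lnk - path [date size]` under a Startup folder, `R2 name;description;path [date size]` for services and drivers, and `name - (no file)` for orphans). As an added example (written for this thread, not ComboFix's own code and not posted by anyone in it), the script below parses those shapes and lists the entries a malware helper would read first; the user name and the excerpt it runs on are constructed from lines of the same format, and the path heuristics only say "look here", not "infected".

```python
"""Triage the 'Reg Loading Points' part of a ComboFix log (added example).

Flags: programs started from user-writable folders, kernel drivers loaded from
outside the Windows tree, and orphaned entries ComboFix reports as "(no file)".
A flagged entry is something to look at, not proof of infection: the Dropbox
entry in the sample is a legitimate autostart living in a user profile.
"""
import re
from dataclasses import dataclass
from typing import Optional

# [HKEY_LOCAL_MACHINE\SOFTWARE\...\Run]
KEY_LINE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# "Name"="c:\path\prog.exe" [YYYY-MM-DD size]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>[\d-]+) (?P<size>\d+)\]$')
# Something.lnk - c:\path\prog.exe [YYYY-M-D size]   (Startup folder items)
STARTUP_LINE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$')
# R2 Name;Description;c:\path\svc.exe [YYYY-MM-DD size]   (services and drivers)
SERVICE_LINE = re.compile(r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$')
# Lines ComboFix lists under "ORPHANS REMOVED"
ORPHAN_LINE = re.compile(r'^(?P<name>.+?) - \(no file\)$')

# Directories an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = ('\\users\\', '\\programdata\\', '\\temp\\', '\\recycler\\')


@dataclass
class Entry:
    kind: str                # 'run', 'startup', 'service' or 'orphan'
    location: Optional[str]  # registry key or Startup folder the entry came from
    name: str
    path: Optional[str]
    date: Optional[str]
    size: int


def parse_loading_points(text: str):
    """Return the autostart, service and orphan entries found in a log excerpt."""
    entries, location = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = KEY_LINE.match(line)
        if m:
            location = m.group('key')
            continue
        if line.endswith('\\') and ':' in line:  # Startup folder header
            location = line
            continue
        for kind, rx in (('run', RUN_LINE), ('startup', STARTUP_LINE), ('service', SERVICE_LINE)):
            m = rx.match(line)
            if m:
                where = 'services' if kind == 'service' else location
                entries.append(Entry(kind, where, m.group('name'), m.group('path'),
                                     m.group('date'), int(m.group('size'))))
                break
        else:
            m = ORPHAN_LINE.match(line)
            if m:
                entries.append(Entry('orphan', location, m.group('name'), None, None, 0))
    return entries


def review_reasons(entry: Entry):
    """Reasons a helper would want a second look at this entry (empty if none)."""
    if entry.kind == 'orphan':
        return ['registry points at a file that no longer exists']
    reasons, p = [], entry.path.lower()
    if any(d in p for d in USER_WRITABLE):
        reasons.append('started from a user-writable directory')
    if entry.kind == 'service' and p.endswith('.sys') and '\\windows\\' not in p:
        reasons.append('kernel driver loaded from outside the Windows directory')
    return reasons


def triage(text: str):
    """(entry, reasons) for every entry that has at least one reason."""
    return [(e, review_reasons(e)) for e in parse_loading_points(text) if review_reasons(e)]


# Constructed excerpt in the shape of the ComboFix log (user name replaced by 'alice').
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
.
c:\users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
R2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
R3 SMSIVZAM5X64;SMSIVZAM5X64 NDIS Protocol Driver;c:\progra~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [2009-05-25 43032]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-05-20 393728]
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
"""

if __name__ == '__main__':
    for e, why in triage(SAMPLE_LOG):
        print(f'{e.kind:8} {e.name}: {e.path or "-"}  <- {"; ".join(why)}')
```

Run against a full log, the Ask toolbar entries above would not be flagged by path alone (they sit under Program Files), which is exactly why the helper's next step is AdwCleaner's signature-based scan rather than a path heuristic.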
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Sometimes it won't disable it completely. And sometimes ComboFix is a little too sensitive, because it depends on the WMI console to tell it about antivirus settings.

    ComboFix Script

    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  10. David Summers

    David Summers Newcomer, in training Topic Starter Posts: 16

    One note before the logs: My computer has apparently lost the code associated with my copy of Windows 7 (which happened after the initial fixlist), and I keep getting messages saying it is ‘not genuine’ – should I look up the number and re-enter it, or will this be restored at the end of this whole process?

    Below is the ADWCleaner log. The Combofix log which was generated with the new instructions is over 12 times as long as the original one I posted. Posting limitations will require this new one to be posted in probably 5-6 postings. Is this how I need to handle it?







    # AdwCleaner v1.801 - Logfile created 08/24/2012 at 09:22:54

    # Updated 14/08/2012 by Xplode

    # Operating system : Windows 7 Home Premium (64 bits)

    # User : David Summers - DAVIDSUMMERS

    # Boot Mode : Normal

    # Running from : C:\Users\David Summers\Desktop\adwcleaner.exe

    # Option [Search]





    ***** [Services] *****





    ***** [Files / Folders] *****



    Folder Found : C:\Users\David Summers\AppData\LocalLow\AskToolbar

    Folder Found : C:\Program Files (x86)\Ask.com

    Folder Found : C:\Program Files (x86)\Free Offers from Freeze.com

    Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}



    ***** [Registry] *****



    Key Found : HKCU\Software\APN

    Key Found : HKCU\Software\AppDataLow\Software\AskToolbar

    Key Found : HKCU\Software\Ask.com

    Key Found : HKCU\Software\Conduit

    Key Found : HKLM\SOFTWARE\APN

    Key Found : HKLM\SOFTWARE\AskToolbar

    Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

    Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd

    Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1

    Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

    Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

    Key Found : HKLM\SOFTWARE\Conduit

    Key Found : HKLM\SOFTWARE\Freeze.com

    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

    Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

    [x64] Key Found : HKCU\Software\APN

    [x64] Key Found : HKCU\Software\AppDataLow\Software\AskToolbar

    [x64] Key Found : HKCU\Software\Ask.com

    [x64] Key Found : HKCU\Software\Conduit

    [x64] Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

    [x64] Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd

    [x64] Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1

    [x64] Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF

    [x64] Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

    [x64] Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar

    [x64] Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF



    ***** [Registre - GUID] *****



    Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}

    Key Found : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

    Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}

    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}

    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

    Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

    [x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

    [x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

    [x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

    [x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

    [x64] Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

    [x64] Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

    [x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

    [x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}

    [x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

    [x64] Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

    [x64] Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]



    ***** [Internet Browsers] *****



    -\\ Internet Explorer v9.0.8112.16421



    [OK] Registry is clean.



    *************************



    AdwCleaner[R1].txt - [5329 octets] - [24/08/2012 09:22:54]



    ########## EOF - C:\AdwCleaner[R1].txt - [5457 octets] ##########
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Remove the Adware.

    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.


    MGADiag
    1. Please download MGADiag and save it to your desktop.
    2. Double click the MGADiag icon on your desktop.
    3. Push Continue
    4. Push Save
    5. Go to Start -> Run and type in "Notepad"
    6. Go to Edit -> Paste in notepad.
    7. x out all of the numbers and letters in the line beginning with "Windows Product Key:"
    8. Copy and paste that log here.
  12. David Summers

    David Summers Newcomer, in training Topic Starter Posts: 16

    Adware Log:



    # AdwCleaner v1.801 - Logfile created 08/24/2012 at 11:54:09

    # Updated 14/08/2012 by Xplode

    # Operating system : Windows 7 Home Premium (64 bits)

    # User : David Summers - DAVIDSUMMERS

    # Boot Mode : Normal

    # Running from : C:\Users\David Summers\Desktop\adwcleaner.exe

    # Option [Delete]





    ***** [Services] *****





    ***** [Files / Folders] *****



    Folder Deleted : C:\Users\David Summers\AppData\LocalLow\AskToolbar
    Folder Deleted : C:\Program Files (x86)\Ask.com
    Folder Deleted : C:\Program Files (x86)\Free Offers from Freeze.com
    Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

    ***** [Registry] *****

    Key Deleted : HKCU\Software\APN
    Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
    Key Deleted : HKCU\Software\Ask.com
    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\APN
    Key Deleted : HKLM\SOFTWARE\AskToolbar
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
    Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
    Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
    Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
    Key Deleted : HKLM\SOFTWARE\Conduit
    Key Deleted : HKLM\SOFTWARE\Freeze.com
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
    Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
    [x64] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

    ***** [Registre - GUID] *****

    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
    [x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
    [x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
    [x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    *************************
    AdwCleaner[R1].txt - [5414 octets] - [24/08/2012 09:22:54]
    AdwCleaner[S1].txt - [3834 octets] - [24/08/2012 11:54:09]
    ########## EOF - C:\AdwCleaner[S1].txt - [3962 octets] ##########
  13. David Summers

    David Summers Newcomer, in training Topic Starter Posts: 16

    MGADiag Log:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 50
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-QCPVQ-KHRB8-RMV82
    Windows Product Key Hash: +Rj3N34NLM2JqoBO/OzgzTZXgbY=
    Windows Product ID: 00359-OEM-8992687-00095
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7600.2.00010300.0.0.003
    ID: {FA7EE1E1-2507-4583-9DA0-4AF02DD324AA}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7600.win7_gdr.120503-2030
    TTS Error: T:20120822123426837-
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{FA7EE1E1-2507-4583-9DA0-4AF02DD324AA}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010300.0.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-RMV82</PKey><PID>00359-OEM-8992687-00095</PID><PIDType>2</PIDType><SID>S-1-5-21-537569146-1648169935-3628921157</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1545 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A14</Version><SMBIOSVersion major="2" minor="4"/><Date>20091207000000.000000+000</Date></BIOS><HWID>84BB3607018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>WN09 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

    Spsys.log Content:

    Licensing Data-->
    Software licensing service version: 6.1.7600.16385
    Error: product key not found.

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:20:2012 07:49
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:

    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEA6GEutr4q2jOcC3YOKB9UbeJFwCBGyg==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
    ACPI Table Name   OEMID Value   OEMTableID Value
    APIC              DELL          WN09
    FACP              DELL          WN09
    HPET              DELL          WN09
    MCFG              DELL          WN09
    SLIC              DELL          WN09
    SSDT              PmRef         CpuPm
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Do you have the product key? Couldn't remember if you said that or not.

    Remove the Adware.
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.
  15. David Summers

    David Summers Newcomer, in training Topic Starter Posts: 16

    I am still looking for my product key, but I can still function with it for the time being.
    Also... for purposes of clarification, do you want me to try to post the second ComboFix log? It is running 111 pages in Word. I've made about 5 attempts to post it, but I haven't found the largest acceptable size to break it up into. 18 pages translates roughly into 50,000 characters, but even with 16-17 pages I'm getting error messages.

    This is the latest log generated by AdwCleaner:

    # AdwCleaner v1.801 - Logfile created 08/25/2012 at 10:53:19
    # Updated 14/08/2012 by Xplode
    # Operating system : Windows 7 Home Premium (64 bits)
    # User : David Summers - DAVIDSUMMERS
    # Boot Mode : Normal
    # Running from : C:\Users\David Summers\Desktop\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****

    ***** [Registry] *****

    ***** [Registre - GUID] *****

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    *************************
    AdwCleaner[R1].txt - [5414 octets] - [24/08/2012 09:22:54]
    AdwCleaner[S1].txt - [3955 octets] - [24/08/2012 11:54:09]
    AdwCleaner[S2].txt - [676 octets] - [25/08/2012 10:53:19]
    ########## EOF - C:\AdwCleaner[S2].txt - [803 octets] ##########
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Oops. I read so fast sometimes and try to answer all the questions I can. My apologies, just now saw this:

    If it is too difficult for you to post here, then the log can be uploaded to www.mediafire.com, which is a free cloud service that provides storage for documents, photos, etc. Please use that service to upload it, and then click on the Share button after it finishes uploading and it will provide a download link. Post that in your next reply, please.
  17. David Summers

    David Summers Newcomer, in training Topic Starter Posts: 16

  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  19. David Summers

    David Summers Newcomer, in training Topic Starter Posts: 16

  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Looks good (surprisingly)...

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  21. David Summers

    David Summers Newcomer, in training Topic Starter Posts: 16

    Here is the ESET log:

    C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan deleted - quarantined
    C:\FRST\Quarantine\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\n Win64/Sirefef.W trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U\800000cb.@ Win64/Sirefef.AH trojan cleaned by deleting - quarantined
    C:\Users\David Summers\Documents\cqze.exe Win32/Adware.WinAntiVirus.AD application cleaned by deleting - quarantined
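    The two logs that matter most in this thread, the AdwCleaner removal log (posts 12 and 15) and the ESET export just above, are plain text with a regular line shape, so they are easy to triage mechanically. The parser below is an added example written for this page; it is not code from the thread, from AdwCleaner or from ESET. It assumes the line layouts shown here: AdwCleaner's `***** [Section] *****` headers with `Key/Value/File/Folder <verb> : <target>` lines (optionally prefixed `[x64]`), and ESET's `<path> <Family/Name> <category> <action>` lines. The sample inputs are constructed from those shapes, with a placeholder user folder; the detection names and GUIDs are taken from the thread. For the ESET side it separates hits inside another tool's Quarantine folder from live files, which is the distinction a reader of the log above needs: three of its four hits are FRST quarantine copies, and only the fourth says anything about the live system.

```python
"""Parse the two removal-tool log formats posted in this thread: AdwCleaner
logs and ESET Online Scanner result lists. Sample inputs are constructed from
the line shapes seen in the thread; user folder names are placeholders."""
import re
from collections import Counter, namedtuple

# Constructed sample in the AdwCleaner v1.8 log layout (not a real log).
SAMPLE_ADWCLEANER = r"""# AdwCleaner v1.801 - Logfile created 08/25/2012 at 10:53:19
# Option [Delete]

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Ask.com

***** [Registry] *****

Key Deleted : HKCU\Software\APN
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

***** [Internet Browsers] *****

[OK] Registry is clean.
"""

# Constructed sample in the ESET export layout, adapted from the thread's lines.
SAMPLE_ESET = r"""C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan deleted - quarantined
C:\FRST\Quarantine\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\n Win64/Sirefef.W trojan cleaned by deleting - quarantined
C:\Users\Example User\Documents\cqze.exe Win32/Adware.WinAntiVirus.AD application cleaned by deleting - quarantined
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
ACTION_RE = re.compile(
    r"^(?P<x64>\[x64\] )?(?P<kind>Key|Value|File|Folder) (?P<verb>\w+) : (?P<target>.+)$")
VALUE_NAME_RE = re.compile(r"^(?P<key>.+) \[(?P<value>[^\]]*)\]$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Path, then a "Family/Name" detection token (Windows paths never contain "/"),
# then the object category (trojan, application, ...) and the action taken.
ESET_RE = re.compile(r"^(?P<path>.+?) (?P<detection>\w+/\S+) (?P<category>\w+) (?P<action>.+)$")

AdwAction = namedtuple("AdwAction", "section x64 kind verb target value_name")
EsetHit = namedtuple("EsetHit", "path detection category action in_quarantine")


def parse_adwcleaner(text):
    """Return every Key/Value/File/Folder action in an AdwCleaner log, tagged
    with the ***** [Section] ***** it appeared under."""
    actions, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ACTION_RE.match(line)
        if not m:
            continue  # header comments, "[OK] Registry is clean.", blank lines
        target, value_name = m.group("target"), None
        if m.group("kind") == "Value":  # "HKLM\...\Run [ApnUpdater]" -> key + value name
            vm = VALUE_NAME_RE.match(target)
            if vm:
                target, value_name = vm.group("key"), vm.group("value")
        actions.append(AdwAction(section, bool(m.group("x64")), m.group("kind"),
                                 m.group("verb"), target, value_name))
    return actions


def summarize_adwcleaner(actions):
    """Count actions per (section, kind) and collect the CLSID/MSI GUIDs touched;
    those GUIDs are the handles to look up when attributing the adware family."""
    counts = Counter((a.section, a.kind) for a in actions)
    guids = sorted({g.upper() for a in actions for g in GUID_RE.findall(a.target)})
    return counts, guids


def parse_eset(text):
    """Parse ESET export lines and mark hits that sit inside another tool's
    Quarantine folder (already-neutralised copies, not active infection)."""
    hits = []
    for raw in text.splitlines():
        m = ESET_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        hits.append(EsetHit(path, m.group("detection"), m.group("category"),
                            m.group("action"), "\\quarantine\\" in path.lower()))
    return hits


def live_hits(hits):
    """Only detections outside a quarantine folder say anything about whether
    the machine is still infected."""
    return [h for h in hits if not h.in_quarantine]


if __name__ == "__main__":
    acts = parse_adwcleaner(SAMPLE_ADWCLEANER)
    counts, guids = summarize_adwcleaner(acts)
    for (section, kind), n in sorted(counts.items()):
        print(f"{section:18} {kind:7} {n}")
    print("GUIDs touched:", ", ".join(guids))
    for h in parse_eset(SAMPLE_ESET):
        flag = "quarantined copy" if h.in_quarantine else "LIVE"
        print(f"{flag:16} {h.detection:28} {h.path}")
```

    Run it as a script to get a per-section count of what AdwCleaner removed, the list of GUIDs it touched, and the ESET hits with quarantine copies marked; feed it a real log by reading the file into the parse functions instead of the constructed samples. The quarantine check is deliberately a path test on `\Quarantine\`, because a second scanner re-detecting files that FRST or ComboFix already moved aside is expected and should not be read as the infection surviving.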
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  23. David Summers

    David Summers Newcomer, in training Topic Starter Posts: 16

    You guys are awesome.

    The only continuing problems I'm having are: 1.) My webcam is still unresponsive. 2.) The product code got deleted early on, so I'm getting messages that my version of Windows is not 'genuine' but it still functions. I'm going to see if I can find my original paperwork. I looked around on the Microsoft site, but I didn't see any indication that they can walk you through an 'override' if you can't find your legitimately purchased code... and I'm certainly not paying for another.

    Neither of these problems is going to keep me from using my laptop - like the virus was doing - so I'm good to go, unless you know of a way we can tackle the issues I've listed.

    Thanks a ton!
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Now, how is your webcam unresponsive... just not working? Will not move at a clear picture? Need more info on that please.

    For the product key, please use the Magical Jelly Bean Keyfinder and see if it will find your product key. You should write it down if this utility finds it.
  25. David Summers

    David Summers Newcomer, in training Topic Starter Posts: 16

    The webcam tells me "Please plug in a supported device" and shows me no image... makes me wonder if the driver software was compromised, as the camera is built into my laptop, and I've made no changes to it. The magical jelly bean turned up nothing. I'm going to look for my documentation around the house.