Fake AV Virus: Computer Won't Boot After Running Malwarebytes to Remove It

[monkeys37]

The other day I contracted one of those fake anti-virus viruses, "Internet Security - Designed to Protect".  After re-starting my computer in Safe Mode, I ran Malwarebytes, which found three results.  I removed them all and attempted to re-start.  At this point my computer will make it past the "Starting Windows" screen, but never to the log-on screen.  It hangs on a black screen with only a cursor indefinitely.  The only thing I seem to be able to do at that point is to turn the comp off and then on again, and then use startup-repair to run system restore.  At that point my computer will boot up normally, but once I'm back into Windows the virus takes over again.  I only have that one restore point sadly.  

 

 

 

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium 

Boot Device: \Device\HarddiskVolume1

Install Date: 9/13/2011 1:14:21 PM

System Uptime: 7/22/2013 9:21:14 PM (0 hours ago)

.

Motherboard: LENOVO |  | Base Board Product Name

Processor: Intel® Pentium® CPU B940 @ 2.00GHz | CPU1 | 1995/1333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 422 GiB total, 249.944 GiB free.

D: is FIXED (NTFS) - 29 GiB total, 26.883 GiB free.

E: is CDROM ()

F: is CDROM ()

G: is CDROM ()

H: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: Security Processor Loader Driver

Device ID: ROOT\LEGACY_SPLDR\0000

Manufacturer: 

Name: Security Processor Loader Driver

PNP Device ID: ROOT\LEGACY_SPLDR\0000

Service: spldr

.

==== System Restore Points ===================

.

RP205: 7/18/2013 - Scheduled Checkpoint

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Flash Player 10 Plugin

Adobe Flash Player 11 ActiveX 64-bit

Adobe Reader X (10.1.7)

Any Video Converter 3.5.5

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Applet

ASPCA Reminder by We-Care.com v4.0.19.1

Atheros Client Installation Program

Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver

Atomic Alarm Clock 5.85

Avidemux 2.5

Avidemux 2.6

BeerSmith 2

Boilsoft Video Joiner 6.55

Boilsoft Video Splitter 6.32

Bonjour

calibre

CCProxy 7.3

Conduit Engine

Conexant HD Audio

D3DX10

DAEMON Tools Lite

DealPly

Easy Thumbnails (Remove only)

Energy Management

FileZilla Client 3.6.0.2

foobar2000 v1.1.8

Free Alarm Clock 2.3.3

Free Download Manager 3.0

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

Haali Media Splitter

HandBrake 0.9.5

iLivid

Image Grabber II

Image Grabber II.NET

Intel® Control Center

Intel® Management Engine Components

Intel® Processor Graphics

Intel® Rapid Storage Technology

Internet Download Manager

iTunes

Java Auto Updater

Java 6 Update 22

Java 6 Update 35

JDownloader 0.9

Junk Mail filter update

Last.fm Scrobbler 2.1.35

Lenovo DirectShare

Lenovo EasyCamera

Lenovo EE Boot Optimizer

Lenovo Games Console

Lenovo OneKey Recovery

Lenovo Smile Dock

Lenovo YouCam

Magic ISO Maker v5.5 (build 0281)

MagicDisc 2.7.106

Malwarebytes Anti-Malware version 1.70.0.1100

McAfee Security Scan Plus

Media Player Classic - Home Cinema v1.5.2.3456 x64

Mesh Runtime

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Office 2010

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Mimo

Mozilla Firefox 20.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSVCRT_amd64

Music Alarm Clock

Oasis2Service 1.0

ooVoo

OpenOffice.org 3.3

Photo DVD Slideshow Pro 8.33

PhotoScape

Picasa 3

Power2Go

Project64 1.6

QuickTime

RapidShare Manager 2

RAR Password Cracker

Realtek USB 2.0 Reader Driver

Search-Results Toolbar

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Shopping4Causes Shopping Plugin

Sid Meier's Civilization III: Complete

SMPlayer 0.8.3

SoulSeek 157 NS 13e

Steam

Strongvault Online Backup

Synaptics Pointing Device Driver

Thumbnail me 2.1

Thumbnail me 3.0

TouchCopy 09

Ultra Video Splitter 5.1.0713

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

UserGuide

VeriFace

Video Thumbnails Maker by Scorp (remove only)

VLC media player 2.0.5

Westwood Shared Internet Components

WhiteSmoke Bar Toolbar

WhiteSmokeTranslator

Windows Driver Package - Lenovo (ACPIVPC) System  (12/02/2010 6.1.0.1)

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WinRAR 4.01 (64-bit)

XviD v1.3.0 CVS

Xvid Video Codec

.

==== Event Viewer Messages From Past Week ========

.

7/22/2013 9:22:17 PM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.

7/22/2013 9:22:17 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

7/22/2013 9:22:17 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

7/22/2013 9:22:16 PM, Error: Microsoft-Windows-DNS-Client [1012]  - There was an error while attempting to read the local hosts file.

7/22/2013 9:22:15 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

7/22/2013 9:22:10 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

7/22/2013 9:21:54 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  BPntDrv discache spldr Wanarpv6

7/22/2013 9:21:54 PM, Error: Service Control Manager [7003]  - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

7/22/2013 9:21:54 PM, Error: Service Control Manager [7003]  - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

7/22/2013 9:21:54 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.

7/22/2013 9:19:43 PM, Error: Service Control Manager [7024]  - The HomeGroup Listener service terminated with service-specific error %%-2147023143.

7/22/2013 9:19:02 PM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.

7/17/2013 9:07:34 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.

7/17/2013 9:07:34 PM, Error: Service Control Manager [7000]  - The Windows Live ID Sign-in Assistant service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.

7/17/2013 11:27:42 PM, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

7/15/2013 9:12:17 PM, Error: Tcpip [4199]  - The system detected an address conflict for IP address 10.0.0.3 with the system having network hardware address 00-26-C6-12-4F-82. Network operations on this system may be disrupted as a result.

.

==== End Of File =========================== 

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK

Internet Explorer: 9.0.8112.16448  BrowserJavaVersion: 1.6.0_35

Run by Drew at 21:27:54 on 2013-07-22

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4040.3086 [GMT -4:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\Explorer.EXE

C:\windows\system32\ctfmon.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

\\?\C:\windows\system32\wbem\WMIADAP.EXE

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uURLSearchHooks: {ba14329e-9550-4989-b3f2-9732e92d17cc} - <orphaned>

uURLSearchHooks: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - <orphaned>

uURLSearchHooks: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dll

uURLSearchHooks: FCToolbarURLSearchHook Class: {510d1394-0c87-5494-3d87-139eeea50884} - C:\Program Files (x86)\Shopping4Causes Shopping Plugin\Helper.dll

uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>

mURLSearchHooks: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dll

mWinlogon: Userinit = userinit.exe,

BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll

BHO: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dll

BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll

BHO: Search-Results Toolbar: {377e5d4d-77e5-476a-8716-7e70a9272da0} - C:\Program Files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\searchresultsDx.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Shopping4Causes Shopping Plugin: {9892FCDD-7DEB-3584-ED05-DAE051C1E4E8} - C:\Program Files (x86)\Shopping4Causes Shopping Plugin\Toolbar.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll

BHO: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: WhiteSmoke Bar Toolbar: {167D9323-F7CC-48F5-948A-6F012831A69F} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dll

TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll

TB: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dll

TB: Search-Results Toolbar: {377e5d4d-77e5-476a-8716-7e70a9272da0} - C:\Program Files (x86)\Search Results Toolbar\Datamngr\SRTOOL~1\searchresultsDx.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [Free Download Manager] C:\PROGRA~2\FREEDO~1\fdm.exe -autorun

uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"  /MINIMIZED

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [skinClock] C:\Program Files (x86)\Atomic Alarm Clock\AtomicAlarmClock.exe

uRun: [FreeAC] C:\Program Files (x86)\FreeAlarmClock\FreeAlarmClock.exe -autorun

uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe

uRun: [jdiNQqhyasYS.exe] C:\ProgramData\jdiNQqhyasYS.exe

uRun: [iDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot

uRun: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent

uRun: [drivermgr] C:\Users\Drew\AppData\Roaming\devicemgrpro.exe

uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

uRun: [WhiteSmoke] rundll32.exe C:\Users\Drew\AppData\Local\WhiteSmoke\ogitvtna.dll,DSCSeek

uRun: [internet Security] C:\Users\Drew\AppData\Roaming\midefender.exe

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [331BigDog] C:\Program Files (x86)\USB Camera\VM331_STI.EXE

mRun: [updateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"

mRun: [YouCam Mirage] "C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe"

mRun: [YouCam Tray] "C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe" /s

mRun: [VeriFaceManager] C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe

mRun: [updatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Music Alarm Clock] C:\PROGRA~2\MUSICA~1\mac.exe

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [sMessaging] C:\Users\Drew\AppData\Local\Strongvault Online Backup\SMessaging.exe

mRun: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE

StartupFolder: C:\Users\Drew\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-Explorer: HideSCAHealth = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: Add to Google Photos Screensa&ver - C:\windows\System32\GPhotos.scr/200

IE: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm

IE: Download all with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - C:\Program Files (x86)\Free Download Manager\dllink.htm

IE: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

LSP: mswsock.dll

TCP: NameServer = 10.0.0.1

TCP: Interfaces\{6FD77A59-A8F7-489A-BF1E-785539B41571} : DHCPNameServer = 10.0.0.1

TCP: Interfaces\{6FD77A59-A8F7-489A-BF1E-785539B41571}\14175716F416B6D27657563747 : DHCPNameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{6FD77A59-A8F7-489A-BF1E-785539B41571}\C49626271627970275962756C656373702143636563737 : DHCPNameServer = 8.8.4.4 8.8.8.8

TCP: Interfaces\{6FD77A59-A8F7-489A-BF1E-785539B41571}\E6F6274786261697D27657563747 : DHCPNameServer = 208.67.222.222 208.67.220.220 208.67.220.222

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

AppInit_DLLs= C:\PROGRA~3\Wincert\WIN32C~1.DLL c:\progra~3\browse~1\261095~1.52\{c16c1~1\browse~1.dll

SSODL: WebCheck - <orphaned>

SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-BHO: DataMngr: {C1ED9DA0-AFD0-4b90-AC6A-D3874F591014} - C:\Program Files (x86)\Search Results Toolbar\Datamngr\x64\BrowserConnection.dll

x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-Run: [igfxTray] C:\windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\windows\System32\igfxpers.exe

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe

x64-Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe

x64-Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe

x64-Run: [robrob] rundll32.exe "C:\Users\Drew\AppData\Local\Temp\robrob.dll",CompileShader

x64-Run: [bretfv] rundll32.exe "C:\Users\Drew\AppData\Local\Temp\bretfv.dll",DAE

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Drew\AppData\Roaming\Mozilla\Firefox\Profiles\qsouyu6a.default-1358905436809\

FF - prefs.js: browser.search.selectedEngine - Search Results

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - plugin: C:\windows\SysWOW64\npdeployJava1.dll

FF - plugin: C:\windows\SysWOW64\npmproxy.dll

FF - ExtSQL: !HIDDEN! 2012-03-29 23:15; {821E6AC5-7A16-11E1-826D-B8AC6F996F26}; C:\Users\Drew\AppData\Local\{821E6AC5-7A16-11E1-826D-B8AC6F996F26}

FF - ExtSQL: !HIDDEN! 2013-02-09 12:16; {1FD91A9C-410C-4090-BBCC-55D3450EF433}; C:\Program Files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension

.

============= SERVICES / DRIVERS ===============

.

R0 fbfmon;fbfmon;C:\windows\System32\drivers\fbfmon.sys [2011-7-14 57952]

R0 LHDmgr;LHDmgr;C:\windows\System32\drivers\LhdX64.sys [2011-7-14 39008]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\System32\drivers\dtsoftbus01.sys [2012-6-30 283200]

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\windows\System32\drivers\AcpiVpc.sys [2010-10-25 29792]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2011-7-14 76912]

R3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-4-25 52736]

S1 BPntDrv;BPntDrv;C:\windows\System32\drivers\BPntDrv.sys [2011-7-14 13408]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-7-14 13336]

S2 IDMWFP;IDMWFP;C:\windows\System32\drivers\idmwfp.sys [2011-9-15 145008]

S2 Oasis2Service;Oasis2Service;C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [2010-12-22 46080]

S2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-14 2656280]

S3 clwvd;CyberLink WebCam Virtual Driver;C:\windows\System32\drivers\clwvd.sys [2011-1-28 31088]

S3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2011-7-14 317440]

S3 mbamchameleon;mbamchameleon;C:\windows\System32\drivers\mbamchameleon.sys [2013-7-17 36680]

S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\rtsuvstor.sys [2011-7-14 299520]

S3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]

S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 vm331avs;Digital Camera 1;C:\windows\System32\drivers\vm331avs.sys [2011-7-14 228224]

S3 vmuvcflt;Vimicro USB Camera Filter;C:\windows\System32\drivers\vmuvcflt.sys [2011-7-14 8320]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-9-17 1255736]

S3 wsvd;wsvd;C:\windows\System32\drivers\wsvd.sys [2009-7-21 121840]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2013-07-22 23:18:39 -------- d-----w- C:\Program Files (x86)\ESET

2013-07-18 01:08:18 36680 ----a-w- C:\windows\System32\drivers\mbamchameleon.sys

2013-07-16 01:47:01 840704 ----a-w- C:\Users\Drew\AppData\Roaming\midefender.exe

2013-07-16 01:47:00 121344 ----a-w- C:\Users\Drew\icq.exe

.

==================== Find3M  ====================

.

.

============= FINISH: 21:30:21.59 ===============

 

 

 

This is the malwarebytes log: 

 

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.07.17.09

 

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Drew :: DREW-PC [administrator]

 

7/22/2013 9:22:41 PM

MBAM-log-2013-07-22 (22-01-10).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 427093

Time elapsed: 38 minute(s), 23 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014} (PUP.Datamngr) -> No action taken.

 

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Internet Security (Trojan.FakeAV.sig) -> Data: C:\Users\Drew\AppData\Roaming\midefender.exe -> No action taken.

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 1

C:\Users\Drew\AppData\Roaming\midefender.exe (Trojan.FakeAV.sig) -> No action taken.

 

(end)

 

 

[MrCharlie]

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

[monkeys37]

Thank you.  

 

 

RogueKiller V8.6.3 _x64_ [Jul 17 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.adlice.com/forum/

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://tigzyrk.blogspot.com/

 

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Safe mode with network support

User : Drew [Admin rights]

Mode : Scan -- Date : 07/22/2013 22:16:47

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 19 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : jdiNQqhyasYS.exe (C:\ProgramData\jdiNQqhyasYS.exe [x]) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : drivermgr (C:\Users\Drew\AppData\Roaming\devicemgrpro.exe [x]) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : WhiteSmoke (rundll32.exe C:\Users\Drew\AppData\Local\WhiteSmoke\ogitvtna.dll,DSCSeek [x][-][x]) -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : Internet Security (C:\Users\Drew\AppData\Roaming\midefender.exe [-]) -> FOUND

[RUN][sUSP PATH] HKLM\[...]\Run : robrob (rundll32.exe "C:\Users\Drew\AppData\Local\Temp\robrob.dll",CompileShader [x][x][x]) -> FOUND

[RUN][sUSP PATH] HKLM\[...]\Run : bretfv (rundll32.exe "C:\Users\Drew\AppData\Local\Temp\bretfv.dll",DAE [x][-]) -> FOUND

[RUN][Rans.Gendarm] HKUS\S-1-5-19\[...]\Run : Update (rundll32.exe "C:\Users\Drew\AppData\Roaming\avidemux\avidemux\buhjtfc.dll",DllRegisterServer) -> FOUND

[RUN][Rans.Gendarm] HKUS\S-1-5-20\[...]\Run : Update (rundll32.exe "C:\Users\Drew\AppData\Roaming\avidemux\avidemux\buhjtfc.dll",DllRegisterServer) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3894102901-2258743077-2371195175-1000\[...]\Run : jdiNQqhyasYS.exe (C:\ProgramData\jdiNQqhyasYS.exe [x]) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3894102901-2258743077-2371195175-1000\[...]\Run : drivermgr (C:\Users\Drew\AppData\Roaming\devicemgrpro.exe [x]) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3894102901-2258743077-2371195175-1000\[...]\Run : WhiteSmoke (rundll32.exe C:\Users\Drew\AppData\Local\WhiteSmoke\ogitvtna.dll,DSCSeek [x][-][x]) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3894102901-2258743077-2371195175-1000\[...]\Run : Internet Security (C:\Users\Drew\AppData\Roaming\midefender.exe [-]) -> FOUND

[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : SMessaging (C:\Users\Drew\AppData\Local\Strongvault Online Backup\SMessaging.exe [x][x][x]) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\Users\Drew\AppData\Local\{3eb85c4f-2d37-0150-c36e-ff57b7fdfc90}\n. [x]) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-21-3894102901-2258743077-2371195175-1000\$3eb85c4f2d370150c36eff57b7fdfc90\n. [x]) -> FOUND

[bROK VAL] HKCR\[...]\command :  () -> MISSING

[APPINIT][sUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (C:\PROGRA~3\Wincert\WIN64C~1.DLL C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll  [-][7][7]) -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][File] Desktop.ini : C:\Windows\assembly\GAC_32\Desktop.ini [-] --> FOUND

[ZeroAccess][File] Desktop.ini : C:\Windows\assembly\GAC_64\Desktop.ini [-] --> FOUND

[ZeroAccess][File] consrv.dll : C:\Windows\System32\consrv.dll [-] --> FOUND

 

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection : Rans.Gendarm|ZeroAccess ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

 

 

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: HITACHI HTS547550A9E384 +++++

--- User ---

[MBR] a31396f0e59089b2c0e1882dec192c57

[bSP] e5b6437cd56db50836de9f6db89337fa : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 200 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 411648 | Size: 431938 Mo

2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 885020672 | Size: 29692 Mo

3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 945829888 | Size: 15109 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[0]_S_07222013_221647.txt >>

RKreport[0]_D_06222013_171532.txt;RKreport[0]_S_06222013_171422.txt

[MrCharlie]

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan also.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

We have to use FRST to deal with this infection, normal or safe mode is OK......

Please download Farbar Recovery Scan Tool and save it to a folder. (64bit version)

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

[monkeys37]

That sure sucks. I'll be reinstalling once I can get another copy of windows. Thank you for your help.

[MrCharlie]

OK......

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[monkeys37]

Thanks again, though the link you just posted opens a blank page in my phone.

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!