infected files in boot scan not found on bootup

I ran a boot scan on my sister’s computer, which has had some irritating problems of late, including adware popups whenever a new URL is accessed. The boot scan found two files that it could neither remove nor repair, so I told it to “ignore”, wrote down the files, and reran the scan on bootup. However, the files don’t seem to exist. Could they be hidden?
windows\system32\drivers\blds.exe infected with Win32:sefnit-HT [TRO]
windows\system32\drivers\Bleservicectrl.exe infected with win32:sirefef-PL (this wasn’t a trojan, but I forgot to write down what it was: 4 letters, beginning with R, if that’s any help).

A flash scan of Malwarebytes finds one error, which it cannot remove, even though it says it successfully removed it.
Registry Data Items Detected: 1
HKCR\CLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32| (Hijack.SHELL32) → Bad: (\?\globalroot\Device\HarddiskVolume1\DOCUME~1\sherrie\LOCALS~1\Temp\snkbwtx\sbcvpeq\wow.dll) Good: (SHELL32.dll) → No action taken.

And I still get popup ads everywhere.

I’m not sure what to do at this point.
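The Malwarebytes line above is a COM in-process server hijack: the default value of a CLSID’s InProcServer32 key, which should name SHELL32.dll, instead points at a DLL in the user’s Temp folder through a \\?\globalroot device path. The following PowerShell is an added, read-only audit for that pattern; it is not code from the thread or from any of the tools mentioned in it. The function names (Get-SuspiciousInProcServer, Test-ServerFileOnDisk), the pattern list and the allow-list are assumptions made for this illustration.

```powershell
# Added example (not from the thread): audit CLSID\...\InProcServer32 values
# for DLLs served from a Temp directory, a RECYCLER folder, or a
# \\?\globalroot device path. Reports only; changes nothing.

function Test-ServerFileOnDisk {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    # Device paths cannot be checked with File.Exists; report "unknown" as $null.
    if ($expanded -match '^\\{1,2}\?\\globalroot\\') { return $null }
    # Bare names such as "SHELL32.dll" resolve from System32.
    if (-not [System.IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path $env:SystemRoot "System32\$expanded"
    }
    # File.Exists ignores the Hidden/System attributes, so a merely hidden DLL still reports $true.
    return [System.IO.File]::Exists($expanded)
}

function Get-SuspiciousInProcServer {
    [CmdletBinding()]
    param(
        # Regex fragments (assumption: tune to your environment).
        [string[]]$SuspiciousPattern = @(
            '\\Temp\\',               # loaded from any Temp directory
            '\\\?\\globalroot\\',     # \\?\globalroot\Device\HarddiskVolumeN\... paths
            '\\RECYCLER\\'            # recycle-bin folders used as a drop location
        )
    )
    $regex = $SuspiciousPattern -join '|'

    # HKCR is a merged view: HKCU\Software\Classes wins over HKLM\Software\Classes
    # for the same CLSID, which is how a per-user entry can replace SHELL32.
    $roots = @(
        @{ Hive = 'HKCU';         Path = 'HKCU:\Software\Classes\CLSID' },
        @{ Hive = 'HKLM';         Path = 'HKLM:\Software\Classes\CLSID' },
        @{ Hive = 'HKLM (WOW64)'; Path = 'HKLM:\Software\Classes\Wow6432Node\CLSID' }
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root.Path)) { continue }
        Get-ChildItem -LiteralPath $root.Path -ErrorAction SilentlyContinue | ForEach-Object {
            $inproc = "$($root.Path)\$($_.PSChildName)\InProcServer32"
            if (-not (Test-Path -LiteralPath $inproc)) { return }   # next CLSID
            $server = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
            if (-not $server) { return }
            if ($server -match $regex) {
                [pscustomobject]@{
                    Hive       = $root.Hive
                    Clsid      = $_.PSChildName
                    Server     = $server
                    FileOnDisk = Test-ServerFileOnDisk -Path $server
                }
            }
        }
    }
}

# Usage:
Get-SuspiciousInProcServer | Format-Table -AutoSize
```

A hit with FileOnDisk = $false is what the original poster saw: the registration survives even after the DLL has been removed, so the hijack keeps reappearing in scans until the key itself is repaired. Note that this check runs in user mode; a kernel-mode rootkit can hide files from it, which is why the thread moves on to boot-time and anti-rootkit tools (aswMBR, ComboFix) rather than trusting Explorer or a plain file search.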

Follow the instructions and attach the logs (do not copy and paste): http://forum.avast.com/index.php?topic=53253.0

Run in the order listed:
AdwCleaner / Malwarebytes / OTL / aswMBR

When done, the removal experts will be notified and will help you.
When finished, all tools used will be removed.

Okay, I ran the scans and here are the results.

Edited to add: When the system reboots, I get the following message on startup: “MindSpark Toolbar Platform SearchScope Monitor has encountered a problem and needs to close. We are sorry for the inconvenience.”
I’ve searched for MindSpark in Add/Remove Programs and in a search of the entire system, including hidden files. Nothing, but a search of the registry shows it’s one of the toolbars on the browser. I know nothing of this program and whether it’s safe.

Looking through the logs briefly, it looks like you have a virus called 0Access (ZA, ZeroAccess etc). I would suggest not doing anything unless instructed by a qualified person…

Edit: I’ve notified Essexboy. It’s 11:15AM his time so he might help during lunch

You have an enormous amount of crap in your browsers… :wink:

Not my browsers, my sister’s. No matter what I tell her, she wants all that stuff. You should see the crap she gets in her email, and she signs up for all of it.

She should not do something like that. ;D

Now you can see what happens. The brother of a friend meant to download garbage and now the laptop is completely unusable.

Maybe she is lonely… likes to get mail ;D

Then I can recommend Outlook.com for mail, since it has a very nice auto-cleanup function… e.g. all ad mails older than 10 days are auto-deleted (can be adjusted).

Hi there it is badly infected…

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-50482452-473883480-1633469887-1005\..\SearchScopes\{06AC4086-5DB5-AC5C-0D5E-176C65E4619F}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3298580&CUI=UN21843310762661075&UM=2
IE - HKU\S-1-5-21-50482452-473883480-1633469887-1005\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www1.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=C2AF001F3CC11832&affID=121232&tsp=4985
IE - HKU\S-1-5-21-50482452-473883480-1633469887-1005\..\SearchScopes\{3C68018D-1284-450A-A75F-AE0FA6E77F28}: "URL" = http://websearch.ask.com/custom/java/redirect?client=ie&tb=ORJ&o=100000030&src=crm&q={searchTerms}&locale=&apn_ptnrs=TV&apn_dtid=OSJ000
IE - HKU\S-1-5-21-50482452-473883480-1633469887-1005\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://www.searchya.com/?q={searchTerms}&f=4&a=SearchooD&cd=2XzuyEtN2Y1L1QzutDtDtC0FtA0C0CtCtCzztAtBzy0EtA0CtN0D0Tzu0CyDyEyEtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1O1L1I1PtF1F1C1N1V0F1L1C1P1O1F2V&cr=957155967&ir=
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://www.searchya.com/?q={searchTerms}&f=4&a=SearchooD&cd=2XzuyEtN2Y1L1QzutDtDtC0FtA0C0CtCtCzztAtBzy0EtA0CtN0D0Tzu0CyDyEyEtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1O1L1I1PtF1F1C1N1V0F1L1C1P1O1F2V&cr=957155967&ir=
FF - prefs.js..CT3279141.browser.search.defaultthis.engineName: "true"
FF - prefs.js..CT3289663.browser.search.defaultthis.engineName: "true"
FF - prefs.js..CT3298580.browser.search.defaultthis.engineName: "true"
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultthis.engineName: "InternetHelper3.1 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3289663&CUI=UN24047443842237616&UM=2&SearchSource=3&q={searchTerms}&sspv=TB_CER"
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-tyc9"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-tyc9"
FF - prefs.js..extensions.enabledAddons: %7B635abd67-4fe9-1b23-4f01-e679fa7484c1%7D:3.1.0.20130818030116
FF - prefs.js..keyword.URL: "http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?st=kwd&ptb=E21F0073-44EB-415B-9E41-2CD66250777C&n=77ee622c&ind=2012111404&id=XPxdm333YYus&ptnrS=XPxdm333YYus&si=telestreamer-2-v1&searchfor="
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\64ffxtbr@TelevisionFanatic.com: C:\Program Files\TelevisionFanatic\bar\1.bin [2013/10/09 18:20:09 | 000,000,000 | ---D | M]
[2013/08/17 09:17:19 | 000,000,000 | ---D | M] (TopArcadeHits) -- C:\Documents and Settings\sherrie\Application Data\Mozilla\Firefox\Profiles\s3o7vdx0.default\extensions\{0113D088-8ED1-468C-B225-585A9C53B5E3}
[2013/09/24 16:32:12 | 000,000,000 | ---D | M] (MixiDJ V44) -- C:\Documents and Settings\sherrie\Application Data\Mozilla\Firefox\Profiles\s3o7vdx0.default\extensions\{90a1b331-c2b4-4933-9f63-ba7b84d60d58}
[2012/11/14 08:50:54 | 000,000,000 | ---D | M] (TelevisionFanatic) -- C:\Documents and Settings\sherrie\Application Data\Mozilla\Firefox\Profiles\s3o7vdx0.default\extensions\64ffxtbr@TelevisionFanatic.com
[2013/06/24 06:07:53 | 000,000,000 | ---D | M] (WebCake) -- C:\Documents and Settings\sherrie\Application Data\Mozilla\Firefox\Profiles\s3o7vdx0.default\extensions\plugin@getwebcake.com
[2013/02/08 18:53:16 | 000,002,333 | ---- | M] () -- C:\Documents and Settings\sherrie\Application Data\Mozilla\Firefox\Profiles\s3o7vdx0.default\searchplugins\askcom.xml
[2013/06/28 15:49:38 | 000,001,043 | ---- | M] () -- C:\Documents and Settings\sherrie\Application Data\Mozilla\Firefox\Profiles\s3o7vdx0.default\searchplugins\conduit.xml
[2013/06/27 19:56:34 | 000,002,409 | ---- | M] () -- C:\Documents and Settings\sherrie\Application Data\Mozilla\Firefox\Profiles\s3o7vdx0.default\searchplugins\SearchYa!.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (no name) - {878B8524-AED5-4870-9A96-A515440DAC75} - No CLSID value found.
O3 - HKU\S-1-5-21-50482452-473883480-1633469887-1005\..\Toolbar\WebBrowser: (TelevisionFanatic) - {C98D5B61-B0EA-4D48-9839-1079D352D880} - C:\Program Files\TelevisionFanatic\bar\1.bin\64bar.dll File not found
O4 - HKLM..\Run: [TelevisionFanatic Search Scope Monitor] C:\Program Files\TelevisionFanatic\bar\1.bin\64SrchMn.exe (MindSpark)
[2013/10/11 18:00:00 | 000,000,258 | ---- | M] () -- C:\WINDOWS\tasks\TrustedInstaller Update.job
[2013/10/11 17:45:29 | 000,000,398 | ---- | M] () -- C:\WINDOWS\tasks\ProgramUpdateCheck.job
[2013/10/11 17:45:17 | 000,000,258 | ---- | M] () -- C:\WINDOWS\tasks\TrustedInstaller Update 2.job

:Files
C:\Documents and Settings\sherrie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
C:\WINDOWS\tasks\At*.job
C:\RECYCLER\S-1-5-18\$7b5384bab1f14f80cda8a4886996ec03

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
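The IE SearchScopes keys and Firefox prefs.js entries in the fix above are the classic footprint of a search hijacker: every scope or default-search pref has been pointed at a third-party search host. The following PowerShell is an added, read-only inventory of those settings; it is not code from the thread or from OTL. The function names, the default allow-list of hosts and the profile-discovery logic are assumptions made for this illustration.

```powershell
# Added example (not from the thread or OTL): list IE SearchScopes and Firefox
# search-related prefs and flag entries whose host is not on an allow-list.

function Get-UrlHost {
    param([string]$Url)
    # Extract the host from scheme://host[:port]/... without relying on [uri] parsing
    # (search URLs contain {searchTerms} placeholders).
    if ($Url -match '^[a-z][a-z0-9+.-]*://([^/?#:]+)') { return $Matches[1].ToLowerInvariant() }
    return $null
}

function Get-IESearchScope {
    param([string[]]$AllowedHost = @('www.bing.com', 'www.google.com'))  # assumption: adjust to policy
    $roots = @(
        @{ Hive = 'HKCU'; Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes' },
        @{ Hive = 'HKLM'; Path = 'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes' }
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root.Path)) { continue }
        Get-ChildItem -LiteralPath $root.Path -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            $scopeHost = Get-UrlHost $p.URL
            [pscustomobject]@{
                Hive        = $root.Hive
                Scope       = $_.PSChildName
                DisplayName = $p.DisplayName
                Host        = $scopeHost
                Url         = $p.URL
                Flagged     = ($null -ne $scopeHost) -and ($AllowedHost -notcontains $scopeHost)
            }
        }
    }
}

function Get-FirefoxSearchPref {
    param(
        [string]$PrefsFile,   # a specific prefs.js; if omitted, every profile under APPDATA is read
        [string[]]$AllowedHost = @('www.bing.com', 'www.google.com')
    )
    $files = if ($PrefsFile) { @($PrefsFile) } else {
        Get-ChildItem -Path (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles') -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName }
    }
    foreach ($file in $files) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        # prefs.js lines look like: user_pref("browser.search.defaulturl", "http://...");
        foreach ($line in Get-Content -LiteralPath $file) {
            if ($line -match '^user_pref\("([^"]*(?:browser\.search|keyword\.URL)[^"]*)",\s*"((?:[^"\\]|\\.)*)"\);') {
                $prefHost = Get-UrlHost $Matches[2]
                [pscustomobject]@{
                    File    = $file
                    Pref    = $Matches[1]
                    Value   = $Matches[2]
                    Host    = $prefHost
                    Flagged = ($null -ne $prefHost) -and ($AllowedHost -notcontains $prefHost)
                }
            }
        }
    }
}

# Usage:
Get-IESearchScope      | Where-Object Flagged | Format-Table -AutoSize
Get-FirefoxSearchPref  | Where-Object Flagged | Format-Table -AutoSize
```

Running the inventory before and after a fix like the one above gives a before/after record of exactly which scopes and prefs were redirected, which is more reliable than reading the browser’s own settings dialog, since a toolbar can re-register a scope the moment the browser starts.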

Essex is here! He’ll help you out with your sister’s computer. Thanks Essex for responding. Was I correct about ZA? (PM on that answer)

Note: Follow Essex’s directions; what I asked you to do was the preliminary analysis. He is much more advanced than I am when it comes to viruses.

Yes it is a variant on the normal ZA

OTL has been running for about 40 minutes, maybe more. The OTL window went blank, mouse works but hover shows hourglass. What is the normal time it should take, and is the blank window normal? I’m sending this from my own computer, not the one I’m working on, since I didn’t think I should be running any other programs while OTL is in progress.

No icons left on the desktop, btw, nor the taskbar, but Rocketdock (which I forgot to close) is still showing. It looks like it tried to reboot and stopped.

You may need to uninstall Malwarebytes… it sometimes blocks the OTL run.

Truly, the computer is a mess. I did a hard shutdown and then powered up a minute later, reran OTL, and it ran fine. Rebooted when needed, and then turned off Avast and Malwarebytes and all other unnecessary programs. Ran Combofix, but it warned me that Microsoft Security Essentials was running. One of the reasons I installed Avast on her computer was that MSE wouldn’t run, so I uninstalled it using Revo Uninstaller Pro, reinstalled it, and again had to uninstall it because it wouldn’t install properly. I can’t find it listed under processes, can’t find it in services, or anywhere else when I run msconfig. So, I stopped Combofix, rebooted the machine, and again used Revo to uninstall. It wouldn’t uninstall, and even in safe mode as Administrator I can’t delete the subdirectories; in fact, I can’t even get into them. I’ll probably just edit the registry using instructions I found here: http://support.microsoft.com/kb/2483120.

If MSE was removed, you should have ignored the warning and let Combofix run… it sometimes (often) gives this warning, also when you have disabled your AV.

Anyway, Essexboy will be back and continue helping you tomorrow…

I’m not sure it was removed. Revo usually deletes every file and registry entry, but it was unable to do so. Also, I can’t turn the Microsoft firewall on, and don’t currently have a firewall running, except for the default firewall at the DSL modem. At any rate, I’m not going to try removing the MSClient directory until I hear from essexboy.

Thank you all for your help with this.

Combofix is taking the data from Security Centre; in this case please proceed with Combofix and accept the warning.

I ran Combofix. During the run, it requested permission to download a Microsoft console program, without which it could not fix any errors. I clicked OK, it downloaded and installed, and then Combofix continued to run. When it completed, it said it would reboot and not to reboot manually. Again, the computer is hanging. No reboot after quite a while. Occasional momentary disk activity. So… what do I do now? Power it down? No way to reboot anyway, and no way to get to the log. All security programs were disabled before I ran Combofix.

Force a restart…
When you have turned it on again, wait 10 minutes and do a normal restart.

I had to power down the computer after 3 hours. Waited a bit, then powered up, at which time Combofix created its log, attached. I then attempted a restart. No go. Would not restart, would not shut down completely, and again I had to power down, though when I tried to start the browser, it said the application wasn’t starting because Windows was shutting down. Again powered up, and copied the log onto a flash drive. The computer found new hardware, including the disk drive. While I’m typing this, that computer is updating Avast and Malwarebytes.

Okay, now avast is asking for a restart, and it just succeeded. I waited a few minutes, and it shut down properly.