Trojan Clicker W7 and JS Agent Die Viruses, and Build 7601 Message

First off, I’m learning as I’m going here, and appreciate any help!

On 1/20, I noticed my computer seemed to be using a lot of resources without a lot of programs running. I opened Win Task Manager and saw multiple copies of the same process running… I think it said chrome.exe, but not sure. I don’t use Google Chrome and I tried killing the processes, but they kept spawning faster than I could end them.

I ran MBAM at 10:22 and it found an IPH.Trojan.Clicker.W7 virus. I stopped the scan when that showed up and quarantined the files. At 10:40 I ran a full MBAM scan and it didn’t show any further infections.

After MBAM finished I ran Avast. First a boot scan, which found 17 infected files which I quarantined, then a full system scan, which showed everything clear.

When I rebooted my computer, I got a “Windows 7, Build 7601, This copy of Windows is not genuine” message in the lower right hand corner of my screen. I own a legitimate copy of Windows 7.

The next day, I ran MBAM and Avast scans over again as my system seemed slow upon boot and in opening programs. Nothing was found, but when I rebooted, I got the same “Build 7601” message.

On 1/23, whilst scanning again, Avast found the JS Agent Die Trojan, which it quarantined.

For the last few days, I’ve been running scans and researching the forums trying to figure out what is going on. MBAM and Avast haven’t found any additional infections, and I haven’t seen the Build 7601 message again upon reboot, but my system is running really slow. I have an old system that hasn’t been rebuilt, but it’s still running slowly even for that, and I’m concerned there is residual “bad stuff” the scans aren’t finding.

I read through your “Logs to assist in cleaning malware” sticky, and downloaded Farbar and ASWMBR. I ran the programs and those logs are attached. I’ve also attached the MBAM log from the first scan I did that found the Clicker W7 virus and a screen capture that shows all the stuff sitting in the Avast Virus Chest.

Again, thanks for your help.

Laurie

And the screen cap of the Avast Virus Chest.

Run AdwCleaner as instructed here and attach the log: http://www.bleepingcomputer.com/download/adwcleaner/

The malware removal guys are in bed now, so check back tomorrow. They are usually here after work hours, European time.

Downloaded and run. The log is attached. The program says “Pending. Please uncheck elements you don’t want to remove.” I reviewed the log and can’t see anything I want to keep (not that I’d know for sure), so do I hit “clean” now?

Thanks.

Hit clean …

Hit clean, system re-booted, new log attached.

Thanks.

I just got an MBAM pop-up window saying it was putting a Trojan.FakeMS in quarantine. That’s the first time I’ve seen that one.

Right after that happened, I got a pop-up message in Internet Explorer (see attached file). I don’t know what it means, so I clicked the red x (and not OK) to close the window.

Update: After the MBAM pop-up window saying it was blocking Trojan.FakeMS, I ran another MBAM scan to see if something got through. I’m attaching the log from that scan.

Thanks.

If the Build 7601 message is in the bottom right hand corner (right by the task bar), do the following:

In an elevated Command Prompt (right-click > Run as Admin)
Type “bcdedit /set testsigning off”

Take out the quotes, reboot.

Could you run a fresh FRST scan please and let me know the current problems?

Yes, the Build 7601 message is in the lower right hand corner. I started having problems on 1/20, and only got the message the first two days. Nothing since then. I ran the command you indicated above. The message I received at the command prompt was “The operation completed successfully.” I then rebooted and got nothing else, only that my computer is running very slowly.

I researched the Build 7601 message last week. It looks like you get it if your version of Windows is illegal (mine isn’t) or if a hacker has swiped your license?? Not sure. I found info that said to run the command “slmgr.vbs /dlv” which I did. I didn’t take a screen cap of that info, but I ran that command again today and am attaching the file. I don’t know what rearm count means or trusted time.

Thanks for your help.
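The two states discussed in the posts above, the activation data that “slmgr.vbs /dlv” prints (including the rearm count Laurie asks about) and the BCD “testsigning” flag that “bcdedit /set testsigning off” clears, can be read back in one place. This is an added example, not code from the thread; it assumes Windows 7 or later with Windows PowerShell, run from an elevated prompt.

```powershell
# Added example, not from the thread: report the activation state that
# "slmgr.vbs /dlv" shows and the BCD "testsigning" flag the helper cleared.
# Assumes Windows 7 or later, Windows PowerShell, and an elevated prompt
# (bcdedit cannot read the boot store without administrator rights).

# LicenseStatus values of the SoftwareLicensingProduct WMI class.
$statusNames = @{
    0 = 'Unlicensed'
    1 = 'Licensed'
    2 = 'Initial (out-of-box) grace period'
    3 = 'Additional grace period'
    4 = 'Non-genuine grace period'
    5 = 'Notification'
    6 = 'Extended grace period'
}

# Several product entries exist (one per edition); only the one with a
# product key installed describes this machine's actual Windows licence.
$product = Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
    Select-Object -First 1

$code = [int]$product.LicenseStatus
"Windows edition : $($product.Name)"
"License status  : $code ($($statusNames[$code]))"
"Grace remaining : $($product.GracePeriodRemaining) minutes"

# Rearm count: how many more times "slmgr /rearm" can reset the grace period.
# A low value on a licensed machine is normal, not a sign of tampering.
$service = Get-WmiObject -Class SoftwareLicensingService
"Rearm count     : $($service.RemainingWindowsReArmCount)"

# Test-signing state of the current boot entry. When the flag is set, bcdedit
# prints a "testsigning  Yes" line; after it is cleared the line is absent.
$bcd = bcdedit /enum '{current}'
$tsLine = $bcd | Where-Object { $_ -match '^testsigning\s' } | Select-Object -First 1
if ($tsLine) {
    "Test signing    : " + ($tsLine -replace '^testsigning\s+', '')
} else {
    "Test signing    : not set (off)"
}
```

A status of 1 (Licensed) with a non-zero rearm count is what a legitimately activated copy should show; status 5 (Notification) is the state behind the “not genuine” desktop message.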

I reran Farbar. Logs attached. The problems I’m having are that my computer is running extremely slow… even for an old build. It takes longer to boot, and longer for the programs to load, to the point I think they are hung up, then they finally appear, so I’m concerned that something has rooted in and the cleaners aren’t removing it and that viruses are going to keep getting in every few days like they are now. I haven’t noticed unexplained excess system usage or odd processes running in Task Manager like I did the first day.

Also, I can’t uninstall Mozilla. I haven’t used that browser in a long time, didn’t update it (my stupid), and can see a bunch of its files sitting in the Virus Chest. Anyway, Avast is telling me to install updates for Mozilla and Java. Should I do that?

Lastly, I’m concerned about the Build 7601 message I got originally and that somebody swiped my license and at some point I won’t be able to boot-up.

Thanks for your help.

No worries about the licence; sometimes adware/malware may break the chain, but your system is legit.

Could you let me know how the computer is behaving after this? I am removing Firefox.

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-2763884149-2680986346-4090123-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF DefaultSearchUrl: hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF SearchEngineOrder.1: Google
FF SelectedSearchEngine: Google
FF Homepage: hxxp://www.google.com/firefox
FF Keyword.URL: hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_296.dll ()
FF Plugin: @java.com/DTPlugin,version=1.6.0_39 -> C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_39 -> C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin HKU\S-1-5-21-2763884149-2680986346-4090123-1001: @hulu.com/Hulu Desktop -> C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\npHDPlg.dll (Hulu LLC)
FF Plugin HKU\S-1-5-21-2763884149-2680986346-4090123-1001: amazon.com/AmazonMP3DownloaderPlugin -> C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101721.dll No File
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} [2013-03-21]
FF HKLM-x32\...\Firefox\Extensions: [otis@digitalpersona.com] - C:\Program Files (x86)\DigitalPersona\Bin\FirefoxExt
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2011-04-28]
2015-01-24 02:10 - 2013-03-21 08:51 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
CustomCLSID: HKU\S-1-5-21-2763884149-2680986346-4090123-1001_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\dps.dll No File
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DpHost => ""="Service"
C:\Users\Laurie\AppData\Roaming\Mozilla
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Fix run, computer re-booted, log attached.

Is there any improvement in the speed?

Very sorry to barge in,

However, your aswMBR logs indicate that it has an issue with FRST, which is abnormal. The version of FRST you used (or currently are using), could you upload it to www.wikisend.com?

If you have a folder called FRST (Old), that is the one I need, if not, the one that you have is the one I need.

This will be going to the Virus Lab for Avast.

~Michael

Yes, so far things seem to have sped up. Thanks for your help. Thanks to everyone for their help… it is much appreciated!

What I would recommend is a disc defragment after the tools are removed.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa.
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done then run it again and select Update Java runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right click on the Unchecky_setup and choose to Run as Administrator.
Once open click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme :wink:

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

I saw that when it was scanning. It had issues with two files… the 32 bit FRST.exe and AutoHDR.exe. I just uploaded both the 32 and 64 bit Frst.exe files from my old folder at Wikisend.com. I’ve never used that site so I hope I did it right.

Essexboy, just so I understand, shall I run for 24 hours first to make sure all seems OK, then do Delfix, or should I run it right now?

Run it now and just monitor the system for the next day or so :slight_smile: