My son's computer (64-bit Win7) has a persistent adware infection (bogus new tabs open up upon clicking links in Chrome, FF, & IE). I ran Malwarebytes and AdwCleaner, and they nab a bunch of bogus plugins, scheduled tasks, etc.
But they get regenerated soon thereafter.
AdwCleaner detects a "cwmf service" that does not show up in the Services applet in Win7's Computer Management UI, but fails to remove it. A search of the Registry for "cmw" shows that there are two drivers installed, cmwf.sys and cmwr.sys, with driver files of those names appearing in c:\windows\system32\drivers. The registry entries are in the following keys:
The same set of keys appears in HKLM\System\ControlSet002 and HKLM\System\CurrentControlSet.
The Safeboot keys seem to guarantee that I won't be able to remove the drivers even when booting in safe mode.
I tried removing the Safeboot\Minimal keys -- but no matter what I do with Registry permissions, I get "Error while deleting key".
I tried doing a System Restore to a system restore point prior to the creation date on the driver files (1/7/15, about 9 pm North American EST), but System Restore hung in the "Preparing to restore your system" phase.
I did Google searches for "cmwf.sys" and "cmwr.sys" and found only a single blog post about a similar infection involving those drivers, unfortunately in French -- at http://forum.malekal.com/infection-boxore-cmwf-cmwr-sys-t50445.html
My French is good enough to determine that the solution suggested was to use Farbar FRST to remove the drivers and related registry entries -- but it's not good enough to make sure I get all the details right. And I'm not sure whether FRST will be able to bypass whatever is protecting the registry keys that cause the drivers to load in safe mode.
Is this something new?
I need help with this one...
Many thanks in advance.
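The triage steps described in the post (finding the service keys for the two drivers in each ControlSet, checking the SafeBoot entries that make them load in safe mode, and looking at the driver files themselves) can be collected in one pass. The script below is an added example and is not code from the original post or from any of the tools it mentions; it assumes the service and file names "cmwf" and "cmwr" from the post and the standard Win7 registry locations, and it only reads, it does not delete anything. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script (not from the original post). Assumes the service/driver
# names "cmwf" and "cmwr" and the files cmwf.sys / cmwr.sys described in the post.
$names = @('cmwf', 'cmwr')
$hives = @('HKLM:\SYSTEM\CurrentControlSet',
           'HKLM:\SYSTEM\ControlSet001',
           'HKLM:\SYSTEM\ControlSet002')

foreach ($n in $names) {
    "=== $n ==="
    foreach ($h in $hives) {
        # Service entry: Type 1 = kernel driver, Start 0 = boot, 1 = system.
        $svc = Join-Path $h "Services\$n"
        if (Test-Path $svc) {
            $p = Get-ItemProperty $svc
            "{0}: Type={1} Start={2} ImagePath={3}" -f $svc, $p.Type, $p.Start, $p.ImagePath
            # Owner and ACL of the key. If Administrators already have FullControl
            # here and deletion still fails, the block is not a permissions problem.
            $acl = Get-Acl $svc
            "  Owner: $($acl.Owner)"
            $acl.Access | ForEach-Object {
                "  {0}: {1} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.RegistryRights
            }
        }
        # SafeBoot\Minimal and SafeBoot\Network: a subkey named after the service
        # with default value "Driver" makes the driver load in safe mode too.
        foreach ($mode in 'Minimal', 'Network') {
            $sb = Join-Path $h "Control\SafeBoot\$mode\$n"
            if (Test-Path $sb) {
                "  SafeBoot\$mode entry present, value: {0}" -f (Get-ItemProperty $sb).'(default)'
                $sbAcl = Get-Acl $sb
                "  SafeBoot\$mode key owner: $($sbAcl.Owner)"
            }
        }
    }
    # The driver file on disk: creation time (to pick a restore point before it),
    # Authenticode status, and a hash to search for or submit.
    $file = Join-Path $env:SystemRoot "System32\drivers\$n.sys"
    if (Test-Path $file) {
        $f = Get-Item $file
        "  File: {0} created {1} size {2}" -f $f.FullName, $f.CreationTime, $f.Length
        $sig = Get-AuthenticodeSignature $file
        "  Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject
        # Get-FileHash exists from PowerShell 4.0; Win7 ships with 2.0, so this line
        # needs the Windows Management Framework update or can be dropped.
        "  SHA256: {0}" -f (Get-FileHash -Algorithm SHA256 $file).Hash
    }
}

# Kernel drivers never appear in the Services applet or in Get-Service; the native
# service control tool lists them (note the mandatory space after "type=").
sc.exe query type= driver | Select-String -Pattern 'SERVICE_NAME: cmw'
```

The ACL output is the useful part: if the Administrators group already has FullControl on the Services and SafeBoot keys and "Error while deleting key" still appears, the running driver is what is refusing the deletion (a loaded kernel driver can register to veto registry operations on its own keys), and no amount of permission editing on the live system will help. That is the case where an offline approach (a recovery environment or a tool such as FRST run from the Recovery Environment, where the driver is not loaded) is the usual next step.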