Author Topic: Post clean up second opinion  (Read 7500 times)


Offline 4on4off

  • Full Member
  • ***
  • Posts: 54
Post clean up second opinion
« on: September 11, 2012, 11:01:35 PM »
Hello,

A laptop with a fresh install was put into the hands of a teenager and returned to me within 10 days with an occasional bsod issue.

I ran MWB, found and removed 63 funmood.pup related items.
I ran SAS, found and removed several items related to babylon toolbar, dealcabby and playbryte.
I ran ESET, found and removed 8 items associated with the above.
I ran TDSSkiller, found nothing.
I ran aswMBR, detected items related to playbryte, used Revo to uninstall that and dealcabby.
I reran aswMBR and it did not detect the above but detected some volume information restore items, turned off system restore and rebooted to clear restore points.
I reran aswMBR and it detected nothing but did have the following listed in yellow:
 Service MpKsl6c47b8ef c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43CE331C-A64D-44ED-97BC-C3170F1C6BB9}\MpKsl6c47b8ef.sys **LOCKED** 32
I ran MWB again and it detected nothing.

I think, outside of an ac adapter error at boot, I have it cleaned up but would appreciate an expert opinion.

Here is the Security check log:

 Results of screen317's Security Check version 0.99.50 
 Windows XP Service Pack 3 x86   
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````[/u]
 Windows Firewall Enabled! 
 Microsoft Security Essentials   
`````````Anti-malware/Other Utilities Check:`````````[/u]
 SUPERAntiSpyware     
 Malwarebytes Anti-Malware version 1.65.0.1400 
 CCleaner     
 Java 7 Update 7 
 Adobe Reader X (10.1.4)
````````Process Check: objlist.exe by Laurent````````[/u] 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````[/u]
 Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````[/u]


Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.7.2
Run by ME at 16:40:27 on 2012-09-11
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.452 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzutDtDtC0EyE0CtA0Bzy0D0B0DyE0BtAtBtN0D0Tzu0CtByDtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1964784783
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.7.2.0\bh\BabylonToolbar.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1346446056722
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1346448561406
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{2F8F61AD-3B33-4E11-BB3E-64F221B3491A} : DhcpNameServer = 192.168.2.1
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 MpKsl6c47b8ef;MpKsl6c47b8ef;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{43ce331c-a64d-44ed-97bc-c3170f1c6bb9}\MpKsl6c47b8ef.sys [2012-9-11 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-9-11 116648]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-9-11 116648]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-11 23:02:09   29904   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{43ce331c-a64d-44ed-97bc-c3170f1c6bb9}\MpKsl6c47b8ef.sys
2012-09-11 21:50:14   --------   d-----w-   c:\windows\pss
2012-09-11 21:43:32   --------   d-----w-   c:\program files\CCleaner
2012-09-11 21:08:55   --------   d-----w-   c:\program files\VS Revo Group
2012-09-11 19:28:03   --------   d-----w-   c:\documents and settings\me\application data\SUPERAntiSpyware.com
2012-09-11 19:27:42   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-09-11 19:27:42   --------   d-----w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-09-11 15:07:50   --------   d-----w-   c:\documents and settings\me\application data\Malwarebytes
2012-09-11 15:07:26   --------   d-----w-   c:\documents and settings\all users\application data\Malwarebytes
2012-09-11 15:07:23   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-09-11 15:07:23   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-09-11 15:07:14   7022536   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{43ce331c-a64d-44ed-97bc-c3170f1c6bb9}\mpengine.dll
2012-09-10 04:56:07   7022536   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-09-10 04:51:11   --------   d-----w-   c:\documents and settings\me\application data\Funmoods
2012-09-10 04:51:10   --------   d-----w-   c:\documents and settings\me\application data\BabylonToolbar
2012-09-10 04:35:58   --------   d-----w-   c:\program files\Funmoods
2012-09-10 04:35:58   --------   d-----w-   c:\documents and settings\me\local settings\application data\Wajam
2012-09-10 04:26:23   --------   d-----w-   c:\program files\BabylonToolbar
2012-09-10 04:26:02   --------   d-----w-   c:\documents and settings\me\local settings\application data\dealcabby
2012-09-10 04:25:59   --------   d-----w-   c:\documents and settings\me\application data\Babylon
2012-09-10 04:25:59   --------   d-----w-   c:\documents and settings\all users\application data\Babylon
2012-09-04 23:37:56   --------   d-----w-   c:\documents and settings\me\local settings\application data\Google
2012-09-04 23:37:31   --------   d-----w-   c:\documents and settings\me\local settings\application data\Deployment
2012-09-04 23:18:43   17136   ----a-w-   c:\windows\system32\mucltui.dll.mui
2012-09-04 23:18:42   275696   ----a-w-   c:\windows\system32\mucltui.dll
2012-08-31 23:50:50   --------   d-----w-   c:\windows\system32\Adobe
2012-08-31 23:48:58   237072   ------w-   c:\windows\system32\MpSigStub.exe
2012-08-31 23:45:04   --------   d-----w-   c:\program files\Microsoft Security Client
2012-08-31 22:59:57   --------   d-----w-   c:\windows\SxsCaPendDel
2012-08-31 22:42:06   --------   d-----w-   c:\windows\system32\XPSViewer
2012-08-31 22:41:47   89088   ----a-w-   c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-08-31 22:41:37   89088   -c----w-   c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-08-31 22:41:37   597504   -c----w-   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-08-31 22:41:37   597504   ------w-   c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-08-31 22:41:37   575488   -c----w-   c:\windows\system32\dllcache\xpsshhdr.dll
2012-08-31 22:41:37   575488   ------w-   c:\windows\system32\xpsshhdr.dll
2012-08-31 22:41:37   117760   ------w-   c:\windows\system32\prntvpt.dll
2012-08-31 22:41:36   1676288   -c----w-   c:\windows\system32\dllcache\xpssvcs.dll
2012-08-31 22:41:36   1676288   ------w-   c:\windows\system32\xpssvcs.dll
2012-08-31 22:41:36   --------   d-----w-   C:\3816b72c9ecaa6cb1a
2012-08-31 22:38:04   --------   d-----w-   c:\documents and settings\me\local settings\application data\Sun
2012-08-31 22:30:21   73416   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-31 22:30:21   696520   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-08-31 22:27:53   821736   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-08-31 22:27:53   746984   ----a-w-   c:\windows\system32\deployJava1.dll
2012-08-31 22:27:53   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2012-08-31 22:27:49   93672   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2012-08-31 21:50:33   --------   d-----w-   c:\windows\Downloaded Installations
2012-08-31 21:41:24   --------   d-----w-   c:\documents and settings\me\local settings\application data\ATI
2012-08-31 21:40:11   216800   ----a-w-   c:\windows\system32\drivers\SynTP.sys
2012-08-31 21:40:11   147456   ----a-w-   c:\windows\system32\SynTPAPI.dll
2012-08-31 21:40:11   110592   ----a-w-   c:\windows\system32\SynTPCo4.dll
2012-08-31 21:40:10   196608   ----a-w-   c:\windows\system32\SynCtrl.dll
2012-08-31 21:40:10   163840   ----a-w-   c:\windows\system32\SynCOM.dll
2012-08-31 21:40:10   --------   d-----w-   c:\program files\Synaptics
2012-08-31 21:36:12   --------   d-----w-   c:\program files\ATI Technologies
2012-08-31 21:34:47   36864   ----a-w-   c:\windows\system32\drivers\AmdK8.sys
2012-08-31 21:34:46   --------   d-----w-   c:\program files\AMD
2012-08-31 21:33:57   --------   d-----w-   c:\windows\system32\ReinstallBackups
2012-08-31 21:33:43   729088   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2012-08-31 21:33:43   69715   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2012-08-31 21:33:43   5632   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2012-08-31 21:33:43   266240   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2012-08-31 21:33:43   192512   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2012-08-31 21:33:43   188548   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2012-08-31 21:33:42   311428   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2012-08-31 21:20:10   --------   d-sh--w-   c:\documents and settings\me\PrivacIE
2012-08-31 21:10:50   --------   d-sh--w-   c:\documents and settings\me\IETldCache
2012-08-31 21:06:16   521728   -c----w-   c:\windows\system32\dllcache\jsdbgui.dll
2012-08-31 21:05:52   6144   -c----w-   c:\windows\system32\dllcache\iecompat.dll
2012-08-31 21:05:37   --------   d-----w-   c:\windows\ie8updates
2012-08-31 21:05:33   743424   -c----w-   c:\windows\system32\dllcache\iedvtool.dll
2012-08-31 21:05:33   629760   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
2012-08-31 21:05:33   55296   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
2012-08-31 21:05:33   247808   -c----w-   c:\windows\system32\dllcache\ieproxy.dll
2012-08-31 21:05:33   2000384   -c----w-   c:\windows\system32\dllcache\iertutil.dll
2012-08-31 21:05:33   12800   -c----w-   c:\windows\system32\dllcache\xpshims.dll
2012-08-31 21:05:33   11111424   -c----w-   c:\windows\system32\dllcache\ieframe.dll
2012-08-31 21:04:38   --------   dc-h--w-   c:\windows\ie8
2012-08-31 20:51:37   456320   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
2012-08-31 20:50:48   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
2012-08-31 20:50:48   272128   ------w-   c:\windows\system32\drivers\bthport.sys
2012-08-31 20:48:19   2148352   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2012-08-31 20:48:18   2192640   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
2012-08-31 20:48:18   2026496   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
2012-08-31 20:47:34   --------   d-sh--w-   c:\documents and settings\me\UserData
2012-08-31 20:46:37   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
2012-08-31 20:46:08   3072   -c----w-   c:\windows\system32\dllcache\iacenc.dll
2012-08-31 20:46:08   3072   ------w-   c:\windows\system32\iacenc.dll
2012-08-31 20:44:20   26144   ----a-w-   c:\windows\system32\spupdsvc.exe
2012-08-31 20:44:20   --------   d-----w-   c:\windows\system32\PreInstall
2012-08-31 20:44:19   --------   d--h--w-   c:\windows\$hf_mig$
2012-08-31 20:39:51   6272   -c--a-w-   c:\windows\system32\dllcache\splitter.sys
2012-08-31 20:38:02   989952   ----a-r-   c:\windows\system32\drivers\HSF_DPV.sys
2012-08-31 20:38:02   94208   ----a-r-   c:\windows\system32\mdmxsdk.dll
2012-08-31 20:38:02   731136   ----a-r-   c:\windows\system32\drivers\HSF_CNXT.sys
2012-08-31 20:38:02   217088   ----a-w-   c:\windows\system32\UCI32M21.dll
2012-08-31 20:38:02   211200   ----a-r-   c:\windows\system32\drivers\HSFHWAZL.sys
2012-08-31 20:38:02   12672   ----a-r-   c:\windows\system32\drivers\mdmxsdk.sys
2012-08-31 20:38:02   --------   d-----w-   c:\program files\CONEXANT
2012-08-31 20:28:19   --------   d-----w-   c:\windows\system32\SoftwareDistribution
2012-08-31 20:27:58   45568   ----a-r-   c:\windows\system32\drivers\bcm4sbxp.sys
2012-08-31 20:27:54   --------   d-----w-   c:\program files\Broadcom
2012-08-31 20:27:19   --------   d-----w-   C:\dell
2012-08-31 19:14:45   26368   -c--a-w-   c:\windows\system32\dllcache\usbstor.sys
.
==================== Find3M  ====================
.
2012-07-06 13:58:51   78336   ----a-w-   c:\windows\system32\browser.dll
2012-07-04 14:05:18   139784   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-07-02 17:49:33   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-07-02 17:49:32   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43   385024   ------w-   c:\windows\system32\html.iec
2012-06-28 21:33:04   81920   ------w-   c:\windows\system32\ieencode.dll
.
============= FINISH: 16:41:12.64 ===============


Here is the Attach log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/31/2012 9:33:24 AM
System Uptime: 9/11/2012 4:00:32 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0WY383
Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-55 | Socket M2/S1G1 | 1795/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 142.333 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.4)
Adobe Shockwave Player 11.6
AMD Processor Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Babylon toolbar on IE
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
CCleaner
Conexant HDA D330 MDC V.92 Modem
Dell Touchpad
Dell Wireless WLAN Card Utility
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Java 7 Update 7
Java Auto Updater
Malwarebytes Anti-Malware version 1.65.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 Redistributable
Revo Uninstaller 1.94
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2722913)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SigmaTel Audio
SUPERAntiSpyware
swMSM
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2718704)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Driver Package - Ricoh Company (rimsptsk) hdc  (11/14/2006 6.00.01.04)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
.
==== Event Viewer Messages From Past Week ========
.
9/9/2012 9:26:25 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/9/2012 10:27:40 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AmdK8 Fips MpFilter
9/9/2012 10:26:27 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/9/2012 10:14:20 AM, error: Dhcp [1002]  - The IP address lease 192.168.2.8 for the Network Card with network address 001E4C3B9DBD has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/9/2012 10:13:13 AM, error: System Error [1003]  - Error code 1000000a, parameter1 e8f43340, parameter2 00000002, parameter3 00000000, parameter4 80523a24.
9/7/2012 6:08:15 PM, error: Dhcp [1002]  - The IP address lease 192.168.2.9 for the Network Card with network address 001E4C3B9DBD has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/5/2012 8:46:57 PM, error: Dhcp [1002]  - The IP address lease 192.168.2.6 for the Network Card with network address 001E4C3B9DBD has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/5/2012 6:19:02 PM, error: Dhcp [1002]  - The IP address lease 192.168.2.12 for the Network Card with network address 001E4C3B9DBD has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/4/2012 8:22:52 PM, error: Dhcp [1002]  - The IP address lease 192.168.2.14 for the Network Card with network address 001E4C3B9DBD has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/4/2012 4:17:50 PM, error: Dhcp [1002]  - The IP address lease 192.168.2.145 for the Network Card with network address 001E4C3B9DBD has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/11/2012 9:48:23 AM, error: System Error [1003]  - Error code 100000d1, parameter1 98706faf, parameter2 00000007, parameter3 00000000, parameter4 f7393021.
9/11/2012 9:01:35 AM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'.  It has stopped monitoring the volume.
9/11/2012 8:01:47 AM, error: Service Control Manager [7034]  - The Dell Wireless WLAN Tray Service service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 7:50:41 AM, error: Dhcp [1002]  - The IP address lease 192.168.2.10 for the Network Card with network address 001E4C3B9DBD has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
9/11/2012 2:57:49 PM, error: ACPIEC [1]  - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period.  This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.  The EC driver will retry the failed transaction if possible.
9/11/2012 2:47:29 PM, error: Service Control Manager [7034]  - The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 2:47:29 PM, error: Service Control Manager [7034]  - The Ati HotKey Poller service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 2:47:29 PM, error: Service Control Manager [7031]  - The SAS Core Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
9/11/2012 2:47:29 PM, error: Service Control Manager [7031]  - The Microsoft Antimalware Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 15000 milliseconds: Restart the service.
9/11/2012 2:47:29 PM, error: Service Control Manager [7031]  - The Microsoft .NET Framework NGEN v4.0.30319_X86 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/11/2012 10:19:15 AM, error: atapi [9]  - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
.
==== End Of File ===========================


Not sure how to read those yet.

Thank you.

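The check a helper does by eye on a log like the one above (scan the Pseudo-HJT section and the "Created Last 30" list for the adware families that were supposedly removed) can be scripted. The following Python is an added example for this thread; it is not code from DDS, ComboFix or any of the tools named in the post. The family name list, the section-splitting rules, the "No File" orphan check and the sample log (constructed from the kind of lines DDS prints above) are all this example's own assumptions.

```python
"""Added example: flag adware/PUP leftovers in a DDS-style log.

Assumptions (not from the thread or any tool): the family name list, the
section-splitting rules, and the sample log, which is constructed from the
kind of lines DDS prints in the post above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Adware/toolbar families named in the thread; extend the tuple for other cases.
PUP_FAMILIES = ("funmoods", "babylon", "dealcabby", "playbryte", "wajam")

# DDS section headers look like "=== Name ===" with a variable number of '='.
SECTION_HEADER = re.compile(r"^=+\s*(.*?)\s*=+$")


@dataclass
class Finding:
    section: str   # DDS section the line came from
    family: str    # matched family name
    line: str      # the raw log line


def parse_sections(log_text):
    """Split a DDS log into {section name: [non-empty lines]}.

    DDS pads sections with lone '.' lines; those and blank lines are dropped.
    Lines before the first header land in a synthetic "HEADER" section.
    """
    sections = {}
    current = "HEADER"
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if line in ("", "."):
            continue
        sections.setdefault(current, []).append(line)
    return sections


def find_pup_remnants(log_text):
    """Return every line, in log order, that mentions a known PUP family."""
    findings = []
    for section, lines in parse_sections(log_text).items():
        for line in lines:
            lowered = line.lower()
            for family in PUP_FAMILIES:
                if family in lowered:
                    findings.append(Finding(section, family, line))
                    break  # one finding per line is enough
    return findings


def summarize_by_family(log_text):
    """Count remnant lines per family, e.g. {'funmoods': 2, 'babylon': 2}."""
    return dict(Counter(f.family for f in find_pup_remnants(log_text)))


def orphan_browser_entries(log_text):
    """Pseudo-HJT entries (BHO/TB/IE) whose file is gone: '... - No File'.

    These are typical leftovers after an uninstall and are worth reviewing
    even when no family name matches.
    """
    hjt = parse_sections(log_text).get("Pseudo HJT Report", [])
    return [line for line in hjt if line.endswith("- No File")]


# Constructed sample, modeled on the DDS log in the post above (not a real capture).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://start.funmoods.com/?f=1&a=iron2
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.7.2.0\bh\BabylonToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
.
=============== Created Last 30 ================
.
2012-09-10 04:51:11   --------   d-----w-   c:\documents and settings\me\application data\Funmoods
2012-09-10 04:35:58   --------   d-----w-   c:\documents and settings\me\local settings\application data\Wajam
2012-09-10 04:26:23   --------   d-----w-   c:\program files\BabylonToolbar
2012-09-10 04:26:02   --------   d-----w-   c:\documents and settings\me\local settings\application data\dealcabby
2012-08-31 21:40:10   --------   d-----w-   c:\program files\Synaptics
.
============= FINISH: 16:41:12.64 ===============
"""

if __name__ == "__main__":
    for f in find_pup_remnants(SAMPLE_LOG):
        print(f"[{f.section}] {f.family}: {f.line}")
    print("per family:", summarize_by_family(SAMPLE_LOG))
    print("orphaned browser entries:", orphan_browser_entries(SAMPLE_LOG))
```

Run it against a saved DDS.txt by replacing SAMPLE_LOG with the file's contents. A hit in "Created Last 30" after the uninstallers have run means a directory was left behind, and a hit in the Pseudo-HJT section (a machine-wide start page or a BHO still pointing at the toolbar DLL) means the browser hijack itself is still in place; the "No File" orphans are registry entries that outlived the file they pointed at.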

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20704
  • "Stronger than the past, united in our goal."
Re: Post clean up second opinion
« Reply #1 on: September 12, 2012, 01:20:19 AM »
Hi, 4on4off.

In case you didn't see this in the SecurityCheck log:

`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)



There are still remnants of Funmoods and also Babylon, which can manage to hide additional bits.  Let's go the full route with ComboFix.  Please follow these instructions carefully.

Download ComboFix from here.

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline 4on4off

Re: Post clean up second opinion
« Reply #2 on: September 12, 2012, 01:52:01 AM »
Hi Corrine,

Yeah, I noticed that defrag warning but figured I would wait until I made sure it was all clear.

Here is the Combofix log:

ComboFix 12-09-11.02 - ME 09/11/2012  19:41:48.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.492 [GMT -7:00]
Running from: c:\documents and settings\ME\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2012-08-12 to 2012-09-12  )))))))))))))))))))))))))))))))
.
.
2012-08-31 22:41 . 2012-08-31 22:41   --------   d-----w-   C:\3816b72c9ecaa6cb1a
2012-08-31 20:27 . 2012-08-31 20:27   --------   d-----w-   C:\dell
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-06 13:58 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\browser.dll
2012-07-03 13:40 . 2008-04-14 12:00   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2008-04-14 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2008-04-14 12:00   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2008-04-14 12:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2008-04-14 12:00   385024   ------w-   c:\windows\system32\html.iec
2012-06-28 21:33 . 2012-06-28 21:33   81920   ------w-   c:\windows\system32\ieencode.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-09-04 23:37   116648   ----atw-   c:\documents and settings\ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 11:54 AM 116608]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2012 2:43 PM 116648]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2012 2:43 PM 116648]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-11 21:43]
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-11 21:43]
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-879983540-1801674531-1004Core.job
- c:\documents and settings\ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-04 23:37]
.
2012-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-879983540-1801674531-1004UA.job
- c:\documents and settings\ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-04 23:37]
.
2012-09-12 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-27 00:03]
.
2012-09-12 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-27 00:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-87652847.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-11 19:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-09-11  19:46:12
ComboFix-quarantined-files.txt  2012-09-12 02:46
.
Pre-Run: 152,763,998,208 bytes free
Post-Run: 152,801,816,576 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - A880F9715BFBB8F96818B37E4580C5B2


Thanks for putting up with me. Still learning how to understand what these scans are telling me.

4

Offline Corrine

Re: Post clean up second opinion
« Reply #3 on: September 12, 2012, 12:48:40 PM »
Hi, 4on4off.

Please download AdwCleaner by Xplode to your Desktop.
  •   Double-click AdwCleaner.exe to run the tool.
  •   Click Search.
  •   A logfile will automatically open after the scan has finished.
  •   Please post the contents of that logfile with your next response.
Note: The log can also be found at C:\AdwCleaner[XX].txt where XX denotes the number of times the application has been run, i.e., R1

Along with that log, I'd like to see a fresh DDS.txt (I don't need the Attach.txt log this time).

Thank you.



Offline 4on4off

Re: Post clean up second opinion
« Reply #4 on: September 12, 2012, 02:13:55 PM »
Hello Corrine,

Here is the Adwcleaner log:

# AdwCleaner v2.001 - Logfile created 09/12/2012 at 08:04:51
# Updated 09/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : ME - XP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\ME\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Found : C:\Documents and Settings\ME\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Folder Found : C:\Program Files\Funmoods

***** [Registry] *****

Key Found : HKCU\Software\Funmoods
Key Found : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220022442279}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Found : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066446679}
Key Found : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Found : HKLM\Software\Funmoods
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.89

*************************

AdwCleaner[R1].txt - [2779 octets] - [12/09/2012 08:04:51]

########## EOF - C:\AdwCleaner[R1].txt - [2839 octets] ##########


Here is the new DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.7.2
Run by ME at 8:06:08 on 2012-09-12
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.473 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1346446056722
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1346448561406
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{2F8F61AD-3B33-4E11-BB3E-64F221B3491A} : DhcpNameServer = 192.168.2.1
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-9-11 116648]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-9-11 116648]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-12 15:00:21   7022536   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{10a5b8d1-fff1-4ff7-84ae-d538b7f26b15}\mpengine.dll
2012-09-12 02:40:53   --------   d-sha-r-   C:\cmdcons
2012-09-12 02:40:11   98816   ----a-w-   c:\windows\sed.exe
2012-09-12 02:40:11   518144   ----a-w-   c:\windows\SWREG.exe
2012-09-12 02:40:11   256000   ----a-w-   c:\windows\PEV.exe
2012-09-12 02:40:11   208896   ----a-w-   c:\windows\MBR.exe
2012-09-12 00:25:51   --------   d-sh--w-   c:\documents and settings\me\IECompatCache
2012-09-11 21:50:14   --------   d-----w-   c:\windows\pss
2012-09-11 21:43:32   --------   d-----w-   c:\program files\CCleaner
2012-09-11 21:08:55   --------   d-----w-   c:\program files\VS Revo Group
2012-09-11 19:28:03   --------   d-----w-   c:\documents and settings\me\application data\SUPERAntiSpyware.com
2012-09-11 19:27:42   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-09-11 19:27:42   --------   d-----w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-09-11 15:07:50   --------   d-----w-   c:\documents and settings\me\application data\Malwarebytes
2012-09-11 15:07:26   --------   d-----w-   c:\documents and settings\all users\application data\Malwarebytes
2012-09-11 15:07:23   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-09-11 15:07:23   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-09-10 04:56:07   7022536   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-09-10 04:51:11   --------   d-----w-   c:\documents and settings\me\application data\Funmoods
2012-09-10 04:35:58   --------   d-----w-   c:\program files\Funmoods
2012-09-10 04:35:58   --------   d-----w-   c:\documents and settings\me\local settings\application data\Wajam
2012-09-10 04:26:02   --------   d-----w-   c:\documents and settings\me\local settings\application data\dealcabby
2012-09-10 04:25:59   --------   d-----w-   c:\documents and settings\me\application data\Babylon
2012-09-10 04:25:59   --------   d-----w-   c:\documents and settings\all users\application data\Babylon
2012-09-04 23:37:56   --------   d-----w-   c:\documents and settings\me\local settings\application data\Google
2012-09-04 23:37:31   --------   d-----w-   c:\documents and settings\me\local settings\application data\Deployment
2012-09-04 23:18:43   17136   ----a-w-   c:\windows\system32\mucltui.dll.mui
2012-09-04 23:18:42   275696   ----a-w-   c:\windows\system32\mucltui.dll
2012-08-31 23:50:50   --------   d-----w-   c:\windows\system32\Adobe
2012-08-31 23:48:58   237072   ------w-   c:\windows\system32\MpSigStub.exe
2012-08-31 23:45:04   --------   d-----w-   c:\program files\Microsoft Security Client
2012-08-31 22:59:57   --------   d-----w-   c:\windows\SxsCaPendDel
2012-08-31 22:42:06   --------   d-----w-   c:\windows\system32\XPSViewer
2012-08-31 22:41:47   89088   ----a-w-   c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-08-31 22:41:37   89088   -c----w-   c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-08-31 22:41:37   597504   -c----w-   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-08-31 22:41:37   597504   ------w-   c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-08-31 22:41:37   575488   -c----w-   c:\windows\system32\dllcache\xpsshhdr.dll
2012-08-31 22:41:37   575488   ------w-   c:\windows\system32\xpsshhdr.dll
2012-08-31 22:41:37   117760   ------w-   c:\windows\system32\prntvpt.dll
2012-08-31 22:41:36   1676288   -c----w-   c:\windows\system32\dllcache\xpssvcs.dll
2012-08-31 22:41:36   1676288   ------w-   c:\windows\system32\xpssvcs.dll
2012-08-31 22:41:36   --------   d-----w-   C:\3816b72c9ecaa6cb1a
2012-08-31 22:38:04   --------   d-----w-   c:\documents and settings\me\local settings\application data\Sun
2012-08-31 22:30:21   73416   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-31 22:30:21   696520   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-08-31 22:27:53   821736   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-08-31 22:27:53   746984   ----a-w-   c:\windows\system32\deployJava1.dll
2012-08-31 22:27:53   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2012-08-31 22:27:49   93672   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2012-08-31 21:50:33   --------   d-----w-   c:\windows\Downloaded Installations
2012-08-31 21:41:24   --------   d-----w-   c:\documents and settings\me\local settings\application data\ATI
2012-08-31 21:40:11   216800   ----a-w-   c:\windows\system32\drivers\SynTP.sys
2012-08-31 21:40:11   147456   ----a-w-   c:\windows\system32\SynTPAPI.dll
2012-08-31 21:40:11   110592   ----a-w-   c:\windows\system32\SynTPCo4.dll
2012-08-31 21:40:10   196608   ----a-w-   c:\windows\system32\SynCtrl.dll
2012-08-31 21:40:10   163840   ----a-w-   c:\windows\system32\SynCOM.dll
2012-08-31 21:40:10   --------   d-----w-   c:\program files\Synaptics
2012-08-31 21:36:12   --------   d-----w-   c:\program files\ATI Technologies
2012-08-31 21:34:47   36864   ----a-w-   c:\windows\system32\drivers\AmdK8.sys
2012-08-31 21:34:46   --------   d-----w-   c:\program files\AMD
2012-08-31 21:33:57   --------   d-----w-   c:\windows\system32\ReinstallBackups
2012-08-31 21:33:43   729088   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2012-08-31 21:33:43   69715   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2012-08-31 21:33:43   5632   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2012-08-31 21:33:43   266240   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2012-08-31 21:33:43   192512   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2012-08-31 21:33:43   188548   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2012-08-31 21:33:42   311428   ----a-w-   c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2012-08-31 21:20:10   --------   d-sh--w-   c:\documents and settings\me\PrivacIE
2012-08-31 21:10:50   --------   d-sh--w-   c:\documents and settings\me\IETldCache
2012-08-31 21:06:16   521728   -c----w-   c:\windows\system32\dllcache\jsdbgui.dll
2012-08-31 21:05:52   6144   -c----w-   c:\windows\system32\dllcache\iecompat.dll
2012-08-31 21:05:37   --------   d-----w-   c:\windows\ie8updates
2012-08-31 21:05:33   743424   -c----w-   c:\windows\system32\dllcache\iedvtool.dll
2012-08-31 21:05:33   629760   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
2012-08-31 21:05:33   55296   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
2012-08-31 21:05:33   247808   -c----w-   c:\windows\system32\dllcache\ieproxy.dll
2012-08-31 21:05:33   2000384   -c----w-   c:\windows\system32\dllcache\iertutil.dll
2012-08-31 21:05:33   12800   -c----w-   c:\windows\system32\dllcache\xpshims.dll
2012-08-31 21:05:33   11111424   -c----w-   c:\windows\system32\dllcache\ieframe.dll
2012-08-31 21:04:38   --------   dc-h--w-   c:\windows\ie8
2012-08-31 20:51:37   456320   -c----w-   c:\windows\system32\dllcache\mrxsmb.sys
2012-08-31 20:50:48   272128   -c----w-   c:\windows\system32\dllcache\bthport.sys
2012-08-31 20:50:48   272128   ------w-   c:\windows\system32\drivers\bthport.sys
2012-08-31 20:48:19   2148352   -c----w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2012-08-31 20:48:18   2192640   -c----w-   c:\windows\system32\dllcache\ntoskrnl.exe
2012-08-31 20:48:18   2026496   -c----w-   c:\windows\system32\dllcache\ntkrpamp.exe
2012-08-31 20:47:34   --------   d-sh--w-   c:\documents and settings\me\UserData
2012-08-31 20:46:37   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
2012-08-31 20:46:08   3072   -c----w-   c:\windows\system32\dllcache\iacenc.dll
2012-08-31 20:46:08   3072   ------w-   c:\windows\system32\iacenc.dll
2012-08-31 20:44:20   26144   ----a-w-   c:\windows\system32\spupdsvc.exe
2012-08-31 20:44:20   --------   d-----w-   c:\windows\system32\PreInstall
2012-08-31 20:44:19   --------   d--h--w-   c:\windows\$hf_mig$
2012-08-31 20:39:51   6272   -c--a-w-   c:\windows\system32\dllcache\splitter.sys
2012-08-31 20:38:02   989952   ----a-r-   c:\windows\system32\drivers\HSF_DPV.sys
2012-08-31 20:38:02   94208   ----a-r-   c:\windows\system32\mdmxsdk.dll
2012-08-31 20:38:02   731136   ----a-r-   c:\windows\system32\drivers\HSF_CNXT.sys
2012-08-31 20:38:02   217088   ----a-w-   c:\windows\system32\UCI32M21.dll
2012-08-31 20:38:02   211200   ----a-r-   c:\windows\system32\drivers\HSFHWAZL.sys
2012-08-31 20:38:02   12672   ----a-r-   c:\windows\system32\drivers\mdmxsdk.sys
2012-08-31 20:38:02   --------   d-----w-   c:\program files\CONEXANT
2012-08-31 20:28:19   --------   d-----w-   c:\windows\system32\SoftwareDistribution
2012-08-31 20:27:58   45568   ----a-r-   c:\windows\system32\drivers\bcm4sbxp.sys
2012-08-31 20:27:54   --------   d-----w-   c:\program files\Broadcom
2012-08-31 20:27:19   --------   d-----w-   C:\dell
2012-08-31 19:14:45   26368   -c--a-w-   c:\windows\system32\dllcache\usbstor.sys
.
==================== Find3M  ====================
.
2012-07-06 13:58:51   78336   ----a-w-   c:\windows\system32\browser.dll
2012-07-04 14:05:18   139784   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-07-02 17:49:33   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-07-02 17:49:32   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43   385024   ------w-   c:\windows\system32\html.iec
2012-06-28 21:33:04   81920   ------w-   c:\windows\system32\ieencode.dll
.
============= FINISH:  8:07:54.51 ===============


I see some left over babylon and funmoods items there.

4
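A small triage script for the two logs above, added here as an example; it is not part of this thread and is not code from AdwCleaner, DDS or ComboFix. It pulls the "Found" lines out of an AdwCleaner [Search] log and the "Created Last 30" lines out of a DDS log, groups them by the PUP families named in this thread, and reports the earliest creation time among the matches, which brackets when the bundle landed. The family marker list and the sample log excerpts embedded below are constructed for the example (the excerpts are lines taken from the logs posted above).

```python
"""Triage of AdwCleaner and DDS log remnants by PUP family (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# PUP families discussed in this thread and substrings that identify them in
# paths and registry keys. Illustrative (assumption), not a signature set:
# AdwCleaner flags items a name list like this does not know about.
FAMILIES = {
    "Funmoods": ("funmoods",),
    "Babylon": ("babylon",),
    "DealCabby": ("dealcabby",),
    "Wajam": ("wajam",),
    "PlayBryte": ("playbryte",),
}

# AdwCleaner v2 [Search] lines look like "Folder Found : <path>" or
# "Key Found : <registry key>", as in the log posted above.
ADW_LINE = re.compile(r"^(?P<kind>\w+) Found : (?P<item>.+?)\s*$")

# DDS "Created Last 30" lines: timestamp, size (or dashes), 8 attribute
# flags (d = directory, a = archive, h = hidden, ...), then the path.
DDS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$"
)

# Constructed sample input: a few lines copied from the logs in this thread.
ADW_SAMPLE = r"""
***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Found : C:\Documents and Settings\ME\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Folder Found : C:\Program Files\Funmoods

***** [Registry] *****

Key Found : HKCU\Software\Funmoods
Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
"""

DDS_SAMPLE = r"""
2012-09-11 15:07:23   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-09-10 04:51:11   --------   d-----w-   c:\documents and settings\me\application data\Funmoods
2012-09-10 04:35:58   --------   d-----w-   c:\program files\Funmoods
2012-09-10 04:35:58   --------   d-----w-   c:\documents and settings\me\local settings\application data\Wajam
2012-09-10 04:26:02   --------   d-----w-   c:\documents and settings\me\local settings\application data\dealcabby
2012-09-10 04:25:59   --------   d-----w-   c:\documents and settings\all users\application data\Babylon
"""


def classify(item):
    """Return the family whose marker appears in item (case-insensitive), else None."""
    lowered = item.lower()
    for family, markers in FAMILIES.items():
        if any(marker in lowered for marker in markers):
            return family
    return None


def parse_adwcleaner(text):
    """Yield (kind, item) for every 'Found' line of an AdwCleaner log."""
    for line in text.splitlines():
        m = ADW_LINE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("item")


def parse_dds_created(text):
    """Yield (datetime, attrs, path) for every DDS 'Created Last 30' line."""
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("attrs"), m.group("path")


def triage(adw_text, dds_text):
    """Group remnants by family and find the earliest matching creation time.

    Everything AdwCleaner lists is already a finding, so unmatched AdwCleaner
    items are kept under "unclassified" rather than dropped. DDS lists every
    file created in the last 30 days, most of them legitimate, so only DDS
    entries matching a family are kept and the rest are merely counted.
    """
    report = {"by_family": defaultdict(list), "unclassified": [],
              "dds_ignored": 0, "first_seen": None}
    for kind, item in parse_adwcleaner(adw_text):
        family = classify(item)
        bucket = report["by_family"][family] if family else report["unclassified"]
        bucket.append(("adwcleaner", kind, item))
    for ts, attrs, path in parse_dds_created(dds_text):
        family = classify(path)
        if not family:
            report["dds_ignored"] += 1
            continue
        kind = "Folder" if attrs.startswith("d") else "File"
        report["by_family"][family].append(("dds", kind, path))
        if report["first_seen"] is None or ts < report["first_seen"]:
            report["first_seen"] = ts
    report["by_family"] = dict(report["by_family"])
    return report


if __name__ == "__main__":
    result = triage(ADW_SAMPLE, DDS_SAMPLE)
    for family, items in sorted(result["by_family"].items()):
        print(f"{family}: {len(items)} remnant(s)")
        for source, kind, item in items:
            print(f"  [{source}] {kind}: {item}")
    print(f"unclassified AdwCleaner findings: {len(result['unclassified'])}")
    print(f"earliest PUP creation time: {result['first_seen']}")
```

Run against the full logs posted above, the unclassified bucket is what still needs a human eye (the flagged Chrome extension folders and the escorTlbr/esrv AppID keys are not in the name list), while the earliest creation time shows the bundle arriving within a few minutes on 2012-09-10.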

Offline Corrine

Re: Post clean up second opinion
« Reply #5 on: September 12, 2012, 04:12:13 PM »
Right you are, 4on4off.  With your family, your eyes are getting better accustomed to spotting those things.  :)

Let's start with Combofix. Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
DDS::
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



I'd like you to use AdwCleaner to remove all those remnants. 
    Please rescan with AdwCleaner.
  • Double-click AdwCleaner.exe to run the tool.
  • Click Delete.
  • Everything that was found will be deleted.
  • Save and open files and approve the reboot.  A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
Note: The log can also be found at C:\AdwCleaner[XX].txt where XX denotes the number of times the application has been run, i.e., S1



Offline 4on4off

Re: Post clean up second opinion
« Reply #6 on: September 12, 2012, 05:23:04 PM »
They certainly seem to supply me with many learning opportunities but I don't mind. I always find it interesting to try to get to the bottom of it.

It amazes me that no matter how many tools I use there always seems to be something a little deeper which requires steps I do not yet have the knowledge to execute on my own.

Here is the new ComboFix log:

ComboFix 12-09-12.03 - ME 09/12/2012  11:00:19.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.381 [GMT -7:00]
Running from: c:\documents and settings\ME\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ME\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2012-08-12 to 2012-09-12  )))))))))))))))))))))))))))))))
.
.
2012-08-31 22:41 . 2012-08-31 22:41   --------   d-----w-   C:\3816b72c9ecaa6cb1a
2012-08-31 20:27 . 2012-08-31 20:27   --------   d-----w-   C:\dell
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-06 13:58 . 2008-04-14 12:00   78336   ----a-w-   c:\windows\system32\browser.dll
2012-07-03 13:40 . 2008-04-14 12:00   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2008-04-14 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2008-04-14 12:00   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2008-04-14 12:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2008-04-14 12:00   385024   ------w-   c:\windows\system32\html.iec
2012-06-28 21:33 . 2012-06-28 21:33   81920   ------w-   c:\windows\system32\ieencode.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-09-12_02.44.56   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-09-12 14:57 . 2012-09-12 14:57   16384              c:\windows\Temp\Perflib_Perfdata_7e8.dat
- 2008-04-14 12:00 . 2012-09-12 02:39   75728              c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-09-12 15:02   75728              c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2012-09-12 15:02   472800              c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2012-09-12 02:39   472800              c:\windows\system32\perfh009.dat
+ 2008-03-21 01:06 . 2009-06-25 20:20   1485176              c:\windows\system32\LegitCheckControl.DLL
+ 2012-09-12 15:01 . 2008-03-21 01:06   1480232              c:\windows\LastGood\system32\LegitCheckControl.DLL
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-09-04 23:37   116648   ----atw-   c:\documents and settings\ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKslcfe347c9;MpKslcfe347c9;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3AB571AC-77D8-4045-A28F-8578C9079CC0}\MpKslcfe347c9.sys [9/12/2012 8:13 AM 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 11:54 AM 116608]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2012 2:43 PM 116648]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2012 2:43 PM 116648]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLCFE347C9
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-11 21:43]
.
2012-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-11 21:43]
.
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-879983540-1801674531-1004Core.job
- c:\documents and settings\ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-04 23:37]
.
2012-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-879983540-1801674531-1004UA.job
- c:\documents and settings\ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-04 23:37]
.
2012-09-12 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-27 00:03]
.
2012-09-12 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-27 00:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
TCP: DhcpNameServer = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-12 11:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2288)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-09-12  11:05:24
ComboFix-quarantined-files.txt  2012-09-12 18:05
ComboFix2.txt  2012-09-12 02:46
.
Pre-Run: 152,675,381,248 bytes free
Post-Run: 152,728,186,880 bytes free
.
- - End Of File - - 2CF3D52A7CACB93D279C06A60C21722A

Here is the new Adwcleaner log:

# AdwCleaner v2.001 - Logfile created 09/12/2012 at 11:08:15
# Updated 09/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : ME - XP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\ME\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\ME\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Program Files\Funmoods

***** [Registry] *****

Key Deleted : HKCU\Software\Funmoods
Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220022442279}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066446679}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Deleted : HKLM\Software\Funmoods
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Google Chrome v21.0.1180.89

*************************

AdwCleaner[R1].txt - [2908 octets] - [12/09/2012 08:04:51]
AdwCleaner[S1].txt - [3151 octets] - [12/09/2012 11:08:15]

########## EOF - C:\AdwCleaner[S1].txt - [3211 octets] ##########
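The ComboFix and AdwCleaner logs above are what a "second opinion" is actually read against. As an added example (not part of this thread, and not a feature of ComboFix or AdwCleaner), the Python below does the first pass a helper makes over a ComboFix log: it pulls out every Run entry, service/driver and scheduled-task binary, flags any whose path is outside c:\windows or c:\program files, lists drivers marked *NewlyCreated*, and reports the AV status line. The sample log is constructed to match the shape of the one posted; the "Updater" Run entry is invented so a flagged hit is visible and is not in the real log. Assumptions: the trusted-root list (32-bit English XP), and that an MpKsl<8 hex>.sys under MSE's Definition Updates folder is MSE's own ephemeral driver, which should still be checked for a Microsoft Authenticode signature on the machine itself.

```python
"""First-pass triage of a ComboFix-style log (added example, not a ComboFix feature)."""
import re
from typing import Dict, List, Optional, Tuple

# Standard install roots on a 32-bit English XP install (assumption for this
# example; extend for 64-bit "Program Files (x86)" or localized folder names).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# MSE drops a randomly named MpKsl<8 hex>.sys driver under its Definition Updates
# folder when signatures update. Treat that exact shape as expected here, but
# confirm the Microsoft Authenticode signature on the live machine before trusting it.
MSE_DRIVER = re.compile(
    r"\\microsoft antimalware\\definition updates\\\{[0-9a-f-]+\}\\mpksl[0-9a-f]{8}\.sys$"
)

RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[')
SERVICE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[")
TASK_BIN = re.compile(r"^- (?P<path>[a-z]:\\.+?)\s+\[", re.IGNORECASE)
NEW_DRIVER = re.compile(r"^\*NewlyCreated\* - (?P<name>\S+)")
AV_STATE = re.compile(r"^AV: (?P<product>.+?) \*(?P<rt>\w+)/(?P<sig>\w+)\*")

# Constructed sample in the shape of the ComboFix log posted above. The "Updater"
# Run entry is invented to show a flagged hit; it is NOT in the real log.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"Updater"="c:\documents and settings\ME\Application Data\updater.exe" [2012-09-10 40960]
R1 MpKslcfe347c9;MpKslcfe347c9;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3AB571AC-77D8-4045-A28F-8578C9079CC0}\MpKslcfe347c9.sys [9/12/2012 8:13 AM 29904]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2012 2:43 PM 116648]
*NewlyCreated* - MPKSLCFE347C9
2012-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-879983540-1801674531-1004Core.job
- c:\documents and settings\ME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-04 23:37]
"""

Entry = Tuple[str, str, str, bool]  # (kind, name, path, flagged)


def is_expected_path(path: str) -> bool:
    """True if the binary lives under a standard root or is MSE's ephemeral driver."""
    p = path.lower()
    return p.startswith(TRUSTED_PREFIXES) or bool(MSE_DRIVER.search(p))


def triage(log_text: str) -> Dict[str, object]:
    """Extract autostart binaries, newly created drivers and the AV status line."""
    entries: List[Entry] = []
    new_drivers: List[str] = []
    av: Optional[Dict[str, str]] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_ENTRY.match(line):
            entries.append(("run", m["name"], m["path"], not is_expected_path(m["path"])))
        elif m := SERVICE.match(line):
            entries.append(("svc", m["name"], m["path"], not is_expected_path(m["path"])))
        elif m := TASK_BIN.match(line):
            name = m["path"].rsplit("\\", 1)[-1]
            entries.append(("task", name, m["path"], not is_expected_path(m["path"])))
        elif m := NEW_DRIVER.match(line):
            new_drivers.append(m["name"])
        elif m := AV_STATE.match(line):
            av = {"product": m["product"], "realtime": m["rt"], "signatures": m["sig"]}
    return {"entries": entries, "new_drivers": new_drivers, "av": av}


def flagged(log_text: str) -> List[Entry]:
    """Only the entries whose binary sits outside the expected locations."""
    return [e for e in triage(log_text)["entries"] if e[3]]


def summarize(log_text: str) -> List[str]:
    """Human-readable review lines for the reply a helper would post."""
    r = triage(log_text)
    out: List[str] = []
    av = r["av"]
    if av and av["realtime"] != "Enabled":
        out.append(f"AV {av['product']} shown as {av['realtime']}: confirm real-time "
                   "protection was re-enabled after ComboFix finished")
    for kind, name, path, _ in flagged(log_text):
        out.append(f"REVIEW {kind} {name}: {path} (outside c:\\windows / c:\\program files)")
    for drv in r["new_drivers"]:
        out.append(f"new driver {drv}: verify publisher signature on disk")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Two of the hits it reports on the sample are expected rather than suspicious, which is the point of a review rather than an automatic verdict: Google Update installs a per-user copy under the profile's Local Settings\Application Data, so that task is normal for a per-user Chrome install, and the "Disabled" AV state is what a ComboFix log usually shows because its instructions call for real-time protection to be switched off before the run. What matters is checking that MSE is back on afterwards and that every flagged path, plus the newly created driver, is accounted for.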




Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20704
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Post clean up second opinion
« Reply #7 on: September 12, 2012, 06:41:54 PM »
Quote from: 4on4off
It amazes me that no matter how many tools I use there always seems to be something a little deeper which requires steps I do not yet have the knowledge to execute on my own.

There are many other specialized tools too, usually as a result of some sneaky change by malware. 

Please do the following to uninstall AdwCleaner.
  •   Double-click AdwCleaner.exe to run the tool.
  •   Click Uninstall
  •   Confirm with yes
Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


You can delete the programs you downloaded to provide the logs (DDS and Security Check).   

Before returning this computer, I suggest that you install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

Now it appears that the last thing to deal with (for now) is the ac adapter problem as well as a serious sit-down discussion on safe surfing, particularly after what you went through to recover this computer. 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline 4on4off
Re: Post clean up second opinion
« Reply #8 on: September 12, 2012, 07:07:57 PM »

Quote from: Corrine
Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.

You can delete the programs you downloaded to provide the logs (DDS and Security Check).

Before returning this computer, I suggest that you install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

Now it appears that the last thing to deal with (for now) is the ac adapter problem as well as a serious sit-down discussion on safe surfing, particularly after what you went through to recover this computer.

Thank you for walking me through the final steps of getting this thing back on track.

The spywareblaster will be good for this machine since kids tend to ignore the warnings and get caught by the nasties out there sooner or later. I have had good luck with my own kids learning what to watch out for and hopefully we can get her up to speed as well.

As far as the cord, I thought she told me she purchased a new one but it turns out she hasn't yet. Between the bios update and a new cord hopefully that will be resolved.

Thanks again.

4


Offline Corrine
Re: Post clean up second opinion
« Reply #9 on: September 12, 2012, 07:28:39 PM »
You're most welcome!

(For those interested, it was a long process recovering this machine.  Determination paid off!  Windows xp home advanced boot menu loop.)

