Funmoods Search - cannot rid

Started by Grandms, September 14, 2012, 01:43:35 PM


R-C

Corrine, I am over here hiding under my desk; I am afraid of that Funmoods!! LOL
Man, it seems like everyone suddenly has this darn thing.
I think LzD is going to be seeing a lot of the GW peeps if this keeps spreading like wildfire!
Ok, now I am going back under cover LOL :tease:

Grandms, I sure hope you are right and it is finally all gone; you have been a trooper!!
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

Corrine

@R-C -- yes, the stupid Funmoods/Babylon, etc. are a royal pain.  Extreme caution is needed when installing 3rd party software programs.  As to GW folks, they are all most welcome here!!!

Hi, Grandms.   :dance:

It took a bit but I certainly hope we've obliterated it. 

As I mentioned earlier, ESET wasn't able to remove leftovers from Magical Jelly Bean Keyfinder which does not appear to be listed in your installed files.  There also appears to be a leftover file from "Ultimate File Viewer PDF Printer".  Let's take care of those files now and then we'll do a proper "clean up" of the files I had you download.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:


File::
c:\windows\system32\ufvppm.dll
C:\Program setup files\KeyFinderInstaller.exe
C:\Program setup files\PhotobieInstaller.exe


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Grandms

ComboFix 12-09-14.03 - HP_Administrator 09/18/2012  14:05:22.3.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3006.2481 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator.DESKTOP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator.DESKTOP\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\program setup files\KeyFinderInstaller.exe"
"c:\program setup files\PhotobieInstaller.exe"
"c:\windows\system32\ufvppm.dll"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program setup files\KeyFinderInstaller.exe
c:\program setup files\PhotobieInstaller.exe
c:\windows\system32\ufvppm.dll
.
.
(((((((((((((((((((((((((   Files Created from 2012-08-18 to 2012-09-18  )))))))))))))))))))))))))))))))
.
.
2012-09-18 02:06 . 2012-09-18 02:06   --------   d-----w-   C:\_OTL
2012-09-11 20:39 . 2011-12-26 16:41   176128   ----a-w-   c:\windows\VPDAgent.exe
2012-09-11 20:02 . 2012-09-11 20:02   --------   d-----w-   c:\program files\LSI SoftModem
2012-09-11 19:51 . 2005-08-03 22:29   819200   ----a-w-   c:\program files\Windows Media Player\wmsetsdk.exe
2012-09-11 19:51 . 2005-08-03 22:29   47616   ----a-w-   c:\program files\Windows Media Player\msoobci.dll
2012-09-06 20:18 . 2012-09-06 20:18   --------   d-----w-   c:\windows\Performance
2012-09-06 20:18 . 2012-09-06 20:18   --------   d-----w-   c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Microsoft Corporation
2012-09-06 20:17 . 2012-09-06 20:17   --------   d-----w-   c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-09-01 01:01 . 2012-09-01 01:01   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2012-09-01 01:00 . 2012-09-01 01:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2012-08-25 18:57 . 2012-08-25 18:57   --------   d-----w-   c:\program files\MSXML 4.0
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-14 14:35 . 2012-09-14 14:35   45056   ----a-w-   c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2012-09-14 14:35 . 2012-09-14 14:35   44032   ----a-w-   c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2012-09-07 21:04 . 2011-12-29 03:44   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-09-01 01:01 . 2003-04-11 05:04   93672   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2012-09-01 01:01 . 2012-04-28 16:20   821736   ----a-w-   c:\windows\system32\npdeployJava1.dll
2012-09-01 01:01 . 2011-12-28 22:03   746984   ----a-w-   c:\windows\system32\deployJava1.dll
2012-08-22 16:00 . 2012-03-30 00:00   696520   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-08-22 16:00 . 2011-12-30 01:37   73416   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 09:13 . 2011-12-28 21:51   355632   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2012-08-21 09:13 . 2011-12-28 21:51   729752   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13 . 2011-12-28 21:51   54232   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2012-08-21 09:13 . 2011-12-28 21:51   35928   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2012-08-21 09:13 . 2011-12-28 21:51   97608   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2012-08-21 09:13 . 2011-12-28 21:51   89624   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2012-08-21 09:13 . 2011-12-28 21:51   21256   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2012-08-21 09:13 . 2011-12-28 21:51   25256   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2012-08-21 09:12 . 2011-12-28 17:17   41224   ----a-w-   c:\windows\avastSS.scr
2012-08-21 09:12 . 2011-12-28 21:51   227648   ----a-w-   c:\windows\system32\aswBoot.exe
2012-07-06 13:58 . 2011-12-28 03:54   78336   ----a-w-   c:\windows\system32\browser.dll
2012-07-04 14:05 . 2011-12-28 04:20   139784   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2011-12-28 04:24   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2004-08-10 11:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2011-12-28 04:20   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2012-07-02 17:49 . 2011-12-28 04:11   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-07-02 12:05 . 2011-12-28 04:20   385024   ------w-   c:\windows\system32\html.iec
2012-06-25 20:04 . 2012-06-25 20:04   1394248   ----a-w-   c:\windows\system32\msxml4.dll
2009-10-10 01:44 . 2009-10-10 01:44   4637952   ----a-w-   c:\program files\Common Files\lpuninstall.exe
2012-09-11 01:56 . 2012-09-11 01:56   266720   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-09-15_00.36.34   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-09-18 18:12 . 2012-09-18 18:12   16384              c:\windows\Temp\Perflib_Perfdata_528.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12   121528   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{0CD3BB5C-BBCA-11D2-8C20-00C04FBBCFF9}\A94AAB13.exe [2012-5-7 30720]
OpenDNSCrypt.lnk - c:\windows\Installer\{E811D3DC-A647-4744-9CA6-BD4707D2808B}\_41100329364C94A5913B21.exe [2012-6-15 4710]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [12/30/2011 10:47 PM 50312]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [12/30/2011 10:47 PM 43784]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/28/2011 5:51 PM 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/28/2011 5:51 PM 355632]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [12/30/2011 10:47 PM 16008]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [12/30/2011 10:47 PM 185864]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 7:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/28/2011 5:51 PM 21256]
R2 DNSCrypt;OpenDNSCrypt;c:\program files\OpenDNS\DNSCrypt\OpenDNSCryptService.exe [5/17/2012 10:23 AM 14336]
R2 EaseUS Agent;EaseUS Agent;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [2/1/2012 10:11 PM 61064]
R2 Guard Agent;Guard Agent;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [2/1/2012 10:11 PM 23176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/29/2012 8:00 PM 250568]
S3 DigiartyVirtualCDBus;Digiarty Virtual Driver;c:\windows\system32\drivers\DigiartyVirtualCDBus.sys [1/6/2012 11:25 PM 163616]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/24/2012 8:41 PM 114144]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
S4 Agent;VPDAgent;c:\windows\VPDAgent.exe [9/11/2012 4:39 PM 176128]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 16:00]
.
2012-09-18 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-10 09:12]
.
2012-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3771264329-85329873-2648820128-1008Core.job
- c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-29 01:53]
.
2012-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3771264329-85329873-2648820128-1008UA.job
- c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-29 01:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://abcnews.go.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A61EAB09-9A69-4329-B570-42C37AD13A84}: NameServer = 127.0.0.1
FF - ProfilePath - c:\documents and settings\HP_Administrator.DESKTOP\Application Data\Mozilla\Firefox\Profiles\lk87sgw5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://z1.invisionfree.com/IBBS_ComputerHelp/index.php?
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.autoDisableScopes - 14
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{27310A4F-6A97-43C0-928C-FE5313B9949B} - c:\documents and settings\All Users\Application Data\{5BD198FE-6337-4D45-AAF8-F81D83B87D05}\FFOv2011-8_Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-18 14:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3771264329-85329873-2648820128-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(524)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
c:\program files\OpenDNS\DNSCrypt\OpenDNSInterface.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\OpenDNS\DNSCrypt\dnscrypt-proxy.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2012-09-18  14:17:27 - machine was rebooted
ComboFix-quarantined-files.txt  2012-09-18 18:17
ComboFix2.txt  2012-09-15 15:50
ComboFix3.txt  2012-09-15 00:39
.
Pre-Run: 461,368,778,752 bytes free
Post-Run: 461,378,596,864 bytes free
.
- - End Of File - - 392892DBB8C0685288FE3E0B9BE3A79C
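A check a helper would run before declaring the leftovers gone: confirm that every path listed under the CFScript's File:: directive shows up in the "Other Deletions" section of the ComboFix log it produced, and that none of them still appears in the post-run "Files Created" listing. This is an added example, not code from this thread or from ComboFix's author; the section banners and column layout it parses are the ones visible in the log above, and the rule that a CFScript directive block runs until the next `Name::` line is an assumption. The sample script and log excerpt are constructed from the post above.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix produced.

Added example, not part of the thread or of ComboFix itself. Paths are
compared case-insensitively because Windows paths are, and because the log
lowercases drive and folder names that the script wrote in mixed case.
"""
import re

# Constructed: the CFScript exactly as posted in the thread.
CFSCRIPT = r"""File::
c:\windows\system32\ufvppm.dll
C:\Program setup files\KeyFinderInstaller.exe
C:\Program setup files\PhotobieInstaller.exe
"""

# Constructed: trimmed excerpt of the ComboFix log posted in the thread.
COMBOFIX_LOG = r"""ComboFix 12-09-14.03 - HP_Administrator 09/18/2012  14:05:22.3.1 - x86
Command switches used :: c:\documents and settings\HP_Administrator.DESKTOP\Desktop\CFScript.txt
.
FILE ::
"c:\program setup files\KeyFinderInstaller.exe"
"c:\program setup files\PhotobieInstaller.exe"
"c:\windows\system32\ufvppm.dll"
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program setup files\KeyFinderInstaller.exe
c:\program setup files\PhotobieInstaller.exe
c:\windows\system32\ufvppm.dll
.
(((((((((((((((((((((((((   Files Created from 2012-08-18 to 2012-09-18  )))))))))))))))))))))))))))))))
.
2012-09-18 02:06 . 2012-09-18 02:06   --------   d-----w-   C:\_OTL
2012-09-11 20:39 . 2011-12-26 16:41   176128   ----a-w-   c:\windows\VPDAgent.exe
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-07 21:04 . 2011-12-29 03:44   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
"""


def parse_cfscript_files(text):
    """Return the paths listed under the ``File::`` directive of a CFScript.

    Assumption: a directive block (``File::``, ``Folder::``, ...) runs until
    the next ``Name::`` line; blank lines inside a block are ignored.
    """
    files = []
    in_file_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"[A-Za-z]+::", stripped):
            in_file_block = stripped.lower() == "file::"
            continue
        if in_file_block and stripped:
            files.append(stripped)
    return files


def log_sections(text):
    """Split a ComboFix log into {banner title: [content lines]}.

    Section banners look like ``((((   Title   ))))``; '.' spacer lines are
    dropped.  Text before the first banner (header, FILE :: echo) is ignored.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        banner = re.match(r"^\(+\s*(.+?)\s*\)+$", line)
        if banner:
            current = banner.group(1)
            sections[current] = []
            continue
        if current is not None and line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def deleted_paths(sections):
    """Paths ComboFix reports under 'Other Deletions' (one path per line)."""
    return [line.strip() for line in sections.get("Other Deletions", [])]


def created_paths(sections):
    """Paths in the 'Files Created from ... to ...' listing.

    Columns are separated by runs of three or more spaces; the path is last.
    """
    title = next((k for k in sections if k.startswith("Files Created")), None)
    if title is None:
        return []
    return [re.split(r"\s{3,}", line.strip())[-1] for line in sections[title]]


def check_script_against_log(script_text, log_text):
    """Map each File:: path to 'deleted', 'still present' or 'not in deletions'."""
    sections = log_sections(log_text)
    deleted = {p.lower() for p in deleted_paths(sections)}
    created = {p.lower() for p in created_paths(sections)}
    report = {}
    for path in parse_cfscript_files(script_text):
        key = path.lower()
        if key in created:
            report[path] = "still present"      # listed again after the run
        elif key in deleted:
            report[path] = "deleted"
        else:
            report[path] = "not in deletions"   # ComboFix never acted on it
    return report


if __name__ == "__main__":
    for path, status in check_script_against_log(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{status:17s} {path}")
```

Run as-is it reports all three posted paths as deleted; to use it on another run, paste the saved CFScript.txt and the full C:\ComboFix.txt into the two constants (or read them from disk) and look for anything not marked "deleted".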

Corrine

Excellent!  ComboFix found a remnant of Free File Opener. 

Please do the following to uninstall AdwCleaner.

  • Double-click AdwCleaner.exe to run the tool.
  • Click Uninstall.
  • Confirm with Yes.

Next, please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


Finally, OTL CleanUp will handle the remaining programs.

  • Double-click OTL.exe to run it.  (Windows Vista and Windows 7 users: Right-click on OTL.exe select "Run As Administrator" to run it.  If prompted by UAC, please allow it.)
  • Press the CleanUp button.
  • When done, you will be prompted to reboot your system to finish file removal... please select OK to reboot your computer.
If you did not reboot your computer normally, please do so now, before continuing.

As I know you have antivirus software, anti-malware programs, and a firewall, you have that part covered.  Unfortunately, "free" programs are not always free and come with an undesirable payload.  In addition, using P2P programs adds to the additional opportunity for malware.  I again encourage you to uninstall Shareaza. 

Please let me know if you have any questions.



Grandms

Again, thank you, thank you, thank you.  I have also made a small donation to the developer of  combofix.

Corrine

You're welcome, welcome, welcome, Grandms!  I'm so glad we were able to finally get Funmoods off your computer.  I'm sure sUBs appreciates the donation, regardless of how small.  I am constantly amazed at the number of hours he devotes not only to developing ComboFix but also to explaining things to us in the background. 

