Funmoods Search - cannot rid

Started by Grandms, September 14, 2012, 01:43:35 PM


Grandms

On Tuesday, Sept. 11, I downloaded a .zip file from Foxit Reader that is supposed to help render any graphics more clearly.  However, I could not open it with the XP "opener" or with 7-zip.  So I searched for a program that would open it.  I found one with a name something like Universal File Opener and clicked to download it.  Immediately, I started getting warnings from WinPatrol about new programs and new startups.  I clicked Do Not Allow on each one, but that did no good.  I had at least five new programs installed on my computer, and my home page was hijacked on Chrome, Internet Explorer, and Firefox.  Using Revo Uninstaller, I was able to get rid of several of these unwanted programs.  I was able to remove Funmoods Search from both IE and FF and thought I had it gone completely.  However, when I open Chrome, my home page opens and also a tab for Funmoods Search at the same time.  I opened the list of search engines for Chrome and found Funmoods listed, but I cannot delete it.  I am afraid that this is more than just a search engine, so I'd like to rid myself of this thing before damage is done.  I use this computer for online purchases and banking.  Windows XP-SP3 fully updated, running Avast AV, Malwarebytes, SuperAntiSpyware, and Windows firewall.  I have already run full scans with these programs, and I need help that is beyond what I can do alone.  Thanks for any help you can offer.

Corrine

Hi, Grandms.

Without seeing a log, I am unable to determine where Funmoods is located on your computer.  Please do the following:

Download DDS.scr by sUBs from one of the following links and save it to your desktop.
Link 1
Link 2
  • Double-click dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear: DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post them in your next reply

Please download AdwCleaner by Xplode to your Desktop.

  •   Double-click AdwCleaner.exe to run the tool.
  •   Click Search.
  •   A logfile will automatically open after the scan has finished.
  •   Please post the contents of that logfile with your next response.
Note: The log can also be found at C:\AdwCleaner[XX].txt where XX denotes the number of times the application has been run, i.e., R1



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Grandms

Here are the logs you requested:

Edit Note:  Logs copy/pasted from attachments for ease of reading.

Corrine




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.7.2
Run by HP_Administrator at 11:55:55 on 2012-09-14
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3006.2274 [GMT -4:00]
.
AV: PC Cleaner Pro *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\OpenDNS\DNSCrypt\OpenDNSInterface.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\OpenDNS\DNSCrypt\OpenDNSCryptService.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\OpenDNS\DNSCrypt\dnscrypt-proxy.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
C:\Program Files\Java\jre7\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\HP_Administrator.DESKTOP\Programs\Art Plus\ePix\epix.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://abcnews.go.com
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uURLSearchHooks: H - No File
BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll
BHO: Do Not Track Plus: {6e45f3e8-2683-4824-a6be-08108022fb36} - c:\program files\donottrackplus\ScriptHost.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {91397D20-1446-11D4-8AF4-0040CA1127B6} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [Google Update] "c:\documents and settings\hp_administrator.desktop\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{0cd3bb5c-bbca-11d2-8c20-00c04fbbcff9}\A94AAB13.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\opendn~1.lnk - c:\windows\installer\{e811d3dc-a647-4744-9ca6-bd4707d2808b}\_41100329364C94A5913B21.exe
IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341943831515
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A61EAB09-9A69-4329-B570-42C37AD13A84} : NameServer = 127.0.0.1
TCP: Interfaces\{A61EAB09-9A69-4329-B570-42C37AD13A84} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrator.desktop\application data\mozilla\firefox\profiles\lk87sgw5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://z1.invisionfree.com/IBBS_ComputerHelp/index.php?
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\hp_administrator.desktop\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\sticky password\npSPAutofill.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584&q=
FF - user.js: extensions.funmoods.id - 0013D30E42EE00EA
FF - user.js: extensions.funmoods.instlDay - 15594
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2216:40:39
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - adknlg
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - adknlg
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
FF - user.js: extensions.autoDisableScopes - 14
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
============= SERVICES / DRIVERS ===============
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2011-12-30 50312]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2011-12-30 43784]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-28 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-28 355632]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2011-12-30 16008]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2011-12-30 185864]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-28 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-12-28 44808]
R2 DNSCrypt;OpenDNSCrypt;c:\program files\opendns\dnscrypt\OpenDNSCryptService.exe [2012-5-17 14336]
R2 EaseUS Agent;EaseUS Agent;c:\program files\easeus\todo backup\bin\Agent.exe [2012-2-1 61064]
R2 Guard Agent;Guard Agent;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2012-2-1 23176]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 250568]
S3 DigiartyVirtualCDBus;Digiarty Virtual Driver;c:\windows\system32\drivers\DigiartyVirtualCDBus.sys [2012-1-6 163616]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 114144]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Agent;VPDAgent;c:\windows\VPDAgent.exe [2012-9-11 176128]
.
=============== Created Last 30 ================
.
2012-09-11 20:42:26   --------   d-----w-   c:\program files\OApps
2012-09-11 20:41:55   --------   d-----w-   c:\documents and settings\all users\application data\Tarma Installer
2012-09-11 20:39:57   176128   ----a-w-   c:\windows\VPDAgent.exe
2012-09-11 20:39:42   61440   ----a-w-   c:\windows\system32\ufvppm.dll
2012-09-11 20:02:58   --------   d-----w-   c:\program files\LSI SoftModem
2012-09-11 19:51:35   819200   ----a-w-   c:\program files\windows media player\wmsetsdk.exe
2012-09-11 19:51:35   47616   ----a-w-   c:\program files\windows media player\msoobci.dll
2012-09-11 19:51:01   --------   d-----w-   c:\windows\RegisteredPackages
2012-09-06 20:18:51   --------   d-----w-   c:\windows\Performance
2012-09-06 20:18:37   --------   d-----w-   c:\documents and settings\hp_administrator.desktop\local settings\application data\Microsoft Corporation
2012-09-06 20:17:00   --------   d-----w-   c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-09-01 01:01:38   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2012-08-25 18:57:39   --------   d-----w-   c:\program files\MSXML 4.0
2012-08-17 20:01:18   --------   d-----w-   c:\documents and settings\hp_administrator.desktop\local settings\application data\Programs
.
==================== Find3M  ====================
.
2012-09-14 14:35:05   45056   ----a-w-   c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2012-09-14 14:35:04   44032   ----a-w-   c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2012-09-07 21:04:46   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-09-01 01:01:15   93672   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2012-09-01 01:01:11   821736   ----a-w-   c:\windows\system32\npdeployJava1.dll
2012-09-01 01:01:11   746984   ----a-w-   c:\windows\system32\deployJava1.dll
2012-08-22 16:00:08   73416   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-22 16:00:08   696520   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-08-21 09:13:15   729752   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:12:33   41224   ----a-w-   c:\windows\avastSS.scr
2012-07-06 13:58:51   78336   ----a-w-   c:\windows\system32\browser.dll
2012-07-04 14:05:18   139784   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-07-02 17:49:33   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-07-02 17:49:32   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43   385024   ------w-   c:\windows\system32\html.iec
2012-06-25 20:04:24   1394248   ----a-w-   c:\windows\system32\msxml4.dll
2009-10-10 01:44:03   4637952   ----a-w-   c:\program files\common files\lpuninstall.exe
.
============= FINISH: 11:56:31.14 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/28/2011 4:31:29 PM
System Uptime: 9/14/2012 9:21:54 AM (2 hours ago)
.
Motherboard: MSI |  | ALBACORE
Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket 939 | 2188/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 459 GiB total, 430.292 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 0.407 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP316: 9/12/2012 5:06:56 PM - System Checkpoint
RP317: 9/14/2012 10:33:22 AM - System Checkpoint
.
==== Installed Programs ======================
.
ABBYY FineReader 5.0 Sprint
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Aiseesoft DVD Ripper 6.2.26
ArtPlus ePix - Wallpaper Calendar
Auslogics Disk Defrag
avast! Free Antivirus
BDlot DVD Clone Ultimate 3.1.2
Belarc Advisor 8.2
CCleaner
Compatibility Pack for the 2007 Office system
DNSCrypt
Do Not Track Plus Add-on 1.0.5289.0208
Doro 1.71
DVDFab 8.1.7.5 (07/04/2012) Qt
EaseUS Todo Backup Free 4.0
EPSON Copy Utility
EPSON PERF 3170Guide
EPSON Photo Print
EPSON Scan
EPSON Smart Panel
ESET Online Scanner v3
FileHelp Assistant
Foxit Reader
Free File Opener
Glary Utilities Pro 2.41.0.1358
Google Chrome
Greeting Cards Deluxe
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958655-v2)
Hotfix for Windows XP (KB961118)
HP Deskjet 5700
Ideal DVD Copy V4.1.2
ImgBurn
Inpaint 4.3
IrfanView (remove only)
Java 7 Update 7
Java Auto Updater
JavaFX 2.1.1
K-Lite Codec Pack 7.0.0 (Standard)
LSI PCI Soft Modem
Malwarebytes Anti-Malware version 1.65.0.1400
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB2604042)
Microsoft .NET Framework 1.0 Hotfix (KB2656378)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Home Publishing 2000
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Word Viewer 2003
Microsoft Picture It! Photo 2002
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Web Publishing Wizard 1.52
Microsoft Works
Mozilla Firefox 15.0.1 (x86 en-GB)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB973685)
Music Manager
My Family Tree
NOOK for PC
Paint.NET v3.5.10
PDF Creator Pilot 4.3
PDF24 Creator 4.9.0
Python 2.7.3
RedNotebook 1.3
Revo Uninstaller 1.94
ScanToWeb
Scribus 1.4.0
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Serif CraftArtist
Serif PhotoPlus 8.0
Serif PhotoPlus 8.0 Resource CD-ROM
Serif PhotoPlus Association File Formats
Shareaza 2.5.5.0
SimplyGoodPictures
SpywareBlaster 4.6
Sticky Password 5.0.8.254
SUPERAntiSpyware
The Print Shop® 6.0 Deluxe
The Weather Channel App
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC 9.0 Runtime
VLC media player 2.0.2
Windows 7 Upgrade Advisor
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinPatrol
WinX DVD Copy Pro 3.4.3
WinX DVD Ripper Platinum 6.8.5
WModem Driver Installer
ZoneAlarm LTD Toolbar
.
==== Event Viewer Messages From Past Week ========
.
9/13/2012 1:30:09 PM, error: Distributed Link Tracking Client [12507]  - The volume ID for C: has been reset, since it was a duplicate of that on L:.  This volume ID is used by Distributed Link Tracking to automatically repair file links, such as Shell Shortcuts and OLE links, when for some reason those links become broken.
9/12/2012 10:36:20 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Antivirus service.
9/11/2012 8:34:01 PM, error: Service Control Manager [7034]  - The Secunia Update Agent service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 8:34:01 PM, error: Service Control Manager [7034]  - The Secunia PSI Agent service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 8:34:01 PM, error: Service Control Manager [7034]  - The Pml Driver HPZ12 service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 8:34:01 PM, error: Service Control Manager [7034]  - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 8:34:01 PM, error: Service Control Manager [7034]  - The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 8:34:01 PM, error: Service Control Manager [7034]  - The Guard Agent service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 8:34:01 PM, error: Service Control Manager [7034]  - The EaseUS Agent service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 8:34:01 PM, error: Service Control Manager [7034]  - The Ati HotKey Poller service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 8:34:01 PM, error: Service Control Manager [7034]  - The Agere Modem Call Progress Audio service terminated unexpectedly.  It has done this 1 time(s).
9/11/2012 8:34:01 PM, error: Service Control Manager [7031]  - The SAS Core Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
9/11/2012 6:30:45 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  fasttx2k
.
==== End Of File ===========================

# AdwCleaner v2.001 - Logfile created 09/14/2012 at 12:00:36
# Updated 09/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : HP_Administrator - DESKTOP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\HP_Administrator.DESKTOP\My Documents\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Found : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Found : C:\Program Files\OApps

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Freecause
Key Found : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{625F420E-A4A9-4B40-BC23-716C1C43893A}
Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Found : HKLM\Software\Tarma Installer

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584

-\\ Mozilla Firefox v15.0.1 (en-GB)

-\\ Google Chrome v21.0.1180.89

-\\ Chromium v [Unable to get version]

-\\ Opera v [Unable to get version]

*************************

AdwCleaner[R1].txt - [2394 octets] - [14/09/2012 12:00:36]

########## EOF - C:\AdwCleaner[R1].txt - [2454 octets] ##########

R-C

Glad to see you made it here, Grandms. Corrine, she posted on another thread on GW about Funmoods. Seems that thing is popping up all over suddenly.
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

Corrine

GW Topic:  http://ths.gardenweb.com/forums/load/comphelp/msg0916480627780.html?11

Please rescan with AdwCleaner.

  • Double-click AdwCleaner.exe to run the tool.
  • Click Delete.
  • Everything that was found will be deleted.
  • Save and open files and approve the reboot.  A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
Note: The log can also be found at C:\AdwCleaner[XX].txt where XX denotes the number of times the application has been run, i.e., S1

In addition to the AdwCleaner log, please provide a new DDS log.  (I won't need the Attach.txt this time.)


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Grandms

Sorry I did not copy and paste on the previous reply; it just occurred to me to do so after I had hit "Post".

# AdwCleaner v2.001 - Logfile created 09/14/2012 at 13:45:08
# Updated 09/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : HP_Administrator - DESKTOP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\HP_Administrator.DESKTOP\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Program Files\OApps

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Freecause
Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{625F420E-A4A9-4B40-BC23-716C1C43893A}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\Software\Tarma Installer

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584 --> hxxp://www.google.com

-\\ Mozilla Firefox v15.0.1 (en-GB)

-\\ Google Chrome v21.0.1180.89

-\\ Chromium v [Unable to get version]

-\\ Opera v [Unable to get version]

*************************

AdwCleaner[R1].txt - [2523 octets] - [14/09/2012 12:00:36]
AdwCleaner[S1].txt - [2893 octets] - [14/09/2012 13:45:08]

########## EOF - C:\AdwCleaner[S1].txt - [2953 octets] ##########


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.7.2
Run by HP_Administrator at 14:00:29 on 2012-09-14
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3006.2310 [GMT -4:00]
.
AV: PC Cleaner Pro *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\OpenDNS\DNSCrypt\OpenDNSInterface.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
C:\Program Files\Java\jre7\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://abcnews.go.com
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uURLSearchHooks: H - No File
BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll
BHO: Do Not Track Plus: {6e45f3e8-2683-4824-a6be-08108022fb36} - c:\program files\donottrackplus\ScriptHost.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {91397D20-1446-11D4-8AF4-0040CA1127B6} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [Google Update] "c:\documents and settings\hp_administrator.desktop\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{0cd3bb5c-bbca-11d2-8c20-00c04fbbcff9}\A94AAB13.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\opendn~1.lnk - c:\windows\installer\{e811d3dc-a647-4744-9ca6-bd4707d2808b}\_41100329364C94A5913B21.exe
IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341943831515
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A61EAB09-9A69-4329-B570-42C37AD13A84} : NameServer = 127.0.0.1
TCP: Interfaces\{A61EAB09-9A69-4329-B570-42C37AD13A84} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrator.desktop\application data\mozilla\firefox\profiles\lk87sgw5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://z1.invisionfree.com/IBBS_ComputerHelp/index.php?
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\hp_administrator.desktop\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\sticky password\npSPAutofill.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584&q=
FF - user.js: extensions.funmoods.id - 0013D30E42EE00EA
FF - user.js: extensions.funmoods.instlDay - 15594
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2216:40:39
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - adknlg
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - adknlg
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
FF - user.js: extensions.autoDisableScopes - 14
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
============= SERVICES / DRIVERS ===============
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2011-12-30 50312]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2011-12-30 43784]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-28 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-28 355632]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2011-12-30 16008]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2011-12-30 185864]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-28 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-12-28 44808]
R2 DNSCrypt;OpenDNSCrypt;c:\program files\opendns\dnscrypt\OpenDNSCryptService.exe [2012-5-17 14336]
R2 EaseUS Agent;EaseUS Agent;c:\program files\easeus\todo backup\bin\Agent.exe [2012-2-1 61064]
R2 Guard Agent;Guard Agent;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2012-2-1 23176]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 250568]
S3 DigiartyVirtualCDBus;Digiarty Virtual Driver;c:\windows\system32\drivers\DigiartyVirtualCDBus.sys [2012-1-6 163616]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 114144]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Agent;VPDAgent;c:\windows\VPDAgent.exe [2012-9-11 176128]
.
=============== Created Last 30 ================
.
2012-09-11 20:39:57   176128   ----a-w-   c:\windows\VPDAgent.exe
2012-09-11 20:39:42   61440   ----a-w-   c:\windows\system32\ufvppm.dll
2012-09-11 20:02:58   --------   d-----w-   c:\program files\LSI SoftModem
2012-09-11 19:51:35   819200   ----a-w-   c:\program files\windows media player\wmsetsdk.exe
2012-09-11 19:51:35   47616   ----a-w-   c:\program files\windows media player\msoobci.dll
2012-09-11 19:51:01   --------   d-----w-   c:\windows\RegisteredPackages
2012-09-06 20:18:51   --------   d-----w-   c:\windows\Performance
2012-09-06 20:18:37   --------   d-----w-   c:\documents and settings\hp_administrator.desktop\local settings\application data\Microsoft Corporation
2012-09-06 20:17:00   --------   d-----w-   c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-09-01 01:01:38   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2012-08-25 18:57:39   --------   d-----w-   c:\program files\MSXML 4.0
2012-08-17 20:01:18   --------   d-----w-   c:\documents and settings\hp_administrator.desktop\local settings\application data\Programs
.
==================== Find3M  ====================
.
2012-09-14 14:35:05   45056   ----a-w-   c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2012-09-14 14:35:04   44032   ----a-w-   c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2012-09-07 21:04:46   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-09-01 01:01:15   93672   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2012-09-01 01:01:11   821736   ----a-w-   c:\windows\system32\npdeployJava1.dll
2012-09-01 01:01:11   746984   ----a-w-   c:\windows\system32\deployJava1.dll
2012-08-22 16:00:08   73416   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-22 16:00:08   696520   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-08-21 09:13:15   729752   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:12:33   41224   ----a-w-   c:\windows\avastSS.scr
2012-07-06 13:58:51   78336   ----a-w-   c:\windows\system32\browser.dll
2012-07-04 14:05:18   139784   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-07-02 17:49:33   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-07-02 17:49:32   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43   385024   ------w-   c:\windows\system32\html.iec
2012-06-25 20:04:24   1394248   ----a-w-   c:\windows\system32\msxml4.dll
2009-10-10 01:44:03   4637952   ----a-w-   c:\program files\common files\lpuninstall.exe
.
============= FINISH: 14:01:07.46 ===============
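The Firefox section of the DDS log above shows the hijack at the preference level: the funmoods user.js entries point the homepage, new tab and toolbar search at start.funmoods.com, and the trailing user_pref line turns off Content Security Policy and OCSP revocation checking and zeroes extensions.autoDisableScopes so side-loaded extensions are not disabled. The Python below is an added example, not part of DDS, AdwCleaner or ComboFix, that parses such log lines and flags both kinds of indicator; the EXPECTED_DOMAINS allow-list and the function names are assumptions, and SAMPLE_LOG holds abbreviated copies of lines from the posted log.

```python
"""Flag browser-hijack and weakened-security indicators in the Firefox
section of a DDS-style log.

Added example for this thread, not part of DDS, AdwCleaner or ComboFix.
SAMPLE_LOG holds abbreviated copies of lines from the posted DDS log;
EXPECTED_DOMAINS is an assumed allow-list of sites the owner chose.
"""
import re
from urllib.parse import urlparse

# Firefox preferences whose listed values weaken the browser's security.
WEAKENING_PREFS = {
    "security.csp.enable": {"false"},       # Content Security Policy off
    "security.OCSP.enabled": {"0"},          # certificate revocation checks off
    "extensions.autoDisableScopes": {"0"},   # side-loaded extensions auto-enabled
}

# Fragments of preference names that control where the browser navigates.
URL_PREF_HINTS = ("hmpgurl", "newtaburl", "srchurl", "homepage")

# Assumption: sites the machine's owner actually set; anything else is suspect.
EXPECTED_DOMAINS = {"www.google.com", "abcnews.go.com", "z1.invisionfree.com"}

# "FF - user.js: <name> - <value>" as DDS prints it; the value may be empty.
DDS_FF_LINE = re.compile(r"^FF - (?:user|prefs)\.js: (\S+) - ?(.*)$")
# Raw user_pref('name', value); calls, which DDS dumps several to one line.
RAW_USER_PREF = re.compile(r"user_pref\('([^']+)',\s*([^)]+)\)")

# Constructed sample: abbreviated copies of lines from the posted DDS log.
SAMPLE_LOG = """\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://z1.invisionfree.com/IBBS_ComputerHelp/index.php?
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=adknlg&chnl=adknlg&q=
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.autoDisableScopes - 14
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
"""


def parse_ff_prefs(log_text):
    """Return (pref_name, value) pairs from DDS FF lines and raw user_pref calls."""
    prefs = []
    for line in log_text.splitlines():
        line = line.strip()
        m = DDS_FF_LINE.match(line)
        if m:
            prefs.append((m.group(1), m.group(2).strip()))
            continue
        for name, val in RAW_USER_PREF.findall(line):
            prefs.append((name, val.strip().strip("'\"")))
    return prefs


def hxxp_domain(value):
    """DDS defangs URLs as hxxp://; restore the scheme and return the host."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    host = urlparse(url).hostname
    return host.lower() if host else None


def find_indicators(log_text, expected=EXPECTED_DOMAINS):
    """Flag navigation prefs pointing off the allow-list and weakened security prefs."""
    findings = []
    weak = {k.lower(): v for k, v in WEAKENING_PREFS.items()}
    for name, val in parse_ff_prefs(log_text):
        lname = name.lower()
        if lname in weak and val.lower() in weak[lname]:
            findings.append({"kind": "weakened-security", "pref": name, "detail": val})
        elif any(hint in lname for hint in URL_PREF_HINTS):
            host = hxxp_domain(val)
            if host and host not in expected:
                findings.append({"kind": "hijacked-url", "pref": name, "detail": host})
    return findings


def third_party_extension_namespaces(log_text):
    """Heuristic: extensions.<ns>.<key> prefs name an add-on's own namespace."""
    names = set()
    for name, _ in parse_ff_prefs(log_text):
        parts = name.split(".")
        if len(parts) >= 3 and parts[0].lower() == "extensions":
            names.add(parts[1])
    return sorted(names)


def count_by_kind(findings):
    """Summarise findings as {kind: count}."""
    counts = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(f"{finding['kind']:18} {finding['pref']} -> {finding['detail']}")
    print("third-party extension pref namespaces:",
          ", ".join(third_party_extension_namespaces(SAMPLE_LOG)))
```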

Corrine

That's ok, Grandms.  It is just easier to process when the logs are posted.

AdwCleaner took care of some of it but there are still leftovers.  Please follow these instructions carefully.

Download ComboFix from here.

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:

  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click "Yes" to continue scanning for malware.

  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


Grandms

Here is the log from ComboFix:

ComboFix 12-09-14.03 - HP_Administrator 09/14/2012  20:32:04.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3006.2211 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator.DESKTOP\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator.DESKTOP\My Documents\ShopToWin
c:\documents and settings\HP_Administrator.DESKTOP\WINDOWS
c:\documents and settings\HP_Administrator\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\sp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
D:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2012-08-15 to 2012-09-15  )))))))))))))))))))))))))))))))
.
.
2012-09-11 20:39 . 2011-12-26 16:41   176128   ----a-w-   c:\windows\VPDAgent.exe
2012-09-11 20:39 . 2011-12-26 16:46   61440   ----a-w-   c:\windows\system32\ufvppm.dll
2012-09-11 20:02 . 2012-09-11 20:02   --------   d-----w-   c:\program files\LSI SoftModem
2012-09-11 19:51 . 2005-08-03 22:29   819200   ----a-w-   c:\program files\Windows Media Player\wmsetsdk.exe
2012-09-11 19:51 . 2005-08-03 22:29   47616   ----a-w-   c:\program files\Windows Media Player\msoobci.dll
2012-09-06 20:18 . 2012-09-06 20:18   --------   d-----w-   c:\windows\Performance
2012-09-06 20:18 . 2012-09-06 20:18   --------   d-----w-   c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Microsoft Corporation
2012-09-06 20:17 . 2012-09-06 20:17   --------   d-----w-   c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-09-01 01:01 . 2012-09-01 01:01   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2012-09-01 01:00 . 2012-09-01 01:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2012-08-25 18:57 . 2012-08-25 18:57   --------   d-----w-   c:\program files\MSXML 4.0
2012-08-17 20:01 . 2012-08-17 20:01   --------   d-----w-   c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-14 14:35 . 2012-09-14 14:35   45056   ----a-w-   c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2012-09-14 14:35 . 2012-09-14 14:35   44032   ----a-w-   c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2012-09-07 21:04 . 2011-12-29 03:44   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-09-01 01:01 . 2003-04-11 05:04   93672   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2012-09-01 01:01 . 2012-04-28 16:20   821736   ----a-w-   c:\windows\system32\npdeployJava1.dll
2012-09-01 01:01 . 2011-12-28 22:03   746984   ----a-w-   c:\windows\system32\deployJava1.dll
2012-08-22 16:00 . 2012-03-30 00:00   696520   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-08-22 16:00 . 2011-12-30 01:37   73416   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 09:13 . 2011-12-28 21:51   355632   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2012-08-21 09:13 . 2011-12-28 21:51   729752   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13 . 2011-12-28 21:51   54232   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2012-08-21 09:13 . 2011-12-28 21:51   35928   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2012-08-21 09:13 . 2011-12-28 21:51   97608   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2012-08-21 09:13 . 2011-12-28 21:51   89624   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2012-08-21 09:13 . 2011-12-28 21:51   21256   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2012-08-21 09:13 . 2011-12-28 21:51   25256   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2012-08-21 09:12 . 2011-12-28 17:17   41224   ----a-w-   c:\windows\avastSS.scr
2012-08-21 09:12 . 2011-12-28 21:51   227648   ----a-w-   c:\windows\system32\aswBoot.exe
2012-07-06 13:58 . 2011-12-28 03:54   78336   ----a-w-   c:\windows\system32\browser.dll
2012-07-04 14:05 . 2011-12-28 04:20   139784   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2011-12-28 04:24   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2004-08-10 11:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2011-12-28 04:20   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2012-07-02 17:49 . 2011-12-28 04:11   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-07-02 12:05 . 2011-12-28 04:20   385024   ------w-   c:\windows\system32\html.iec
2012-06-25 20:04 . 2012-06-25 20:04   1394248   ----a-w-   c:\windows\system32\msxml4.dll
2009-10-10 01:44 . 2009-10-10 01:44   4637952   ----a-w-   c:\program files\Common Files\lpuninstall.exe
2012-09-11 01:56 . 2012-09-11 01:56   266720   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12   121528   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{0CD3BB5C-BBCA-11D2-8C20-00C04FBBCFF9}\A94AAB13.exe [2012-5-7 30720]
OpenDNSCrypt.lnk - c:\windows\Installer\{E811D3DC-A647-4744-9CA6-BD4707D2808B}\_41100329364C94A5913B21.exe [2012-6-15 4710]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [12/30/2011 10:47 PM 50312]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [12/30/2011 10:47 PM 43784]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/28/2011 5:51 PM 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/28/2011 5:51 PM 355632]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [12/30/2011 10:47 PM 16008]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [12/30/2011 10:47 PM 185864]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 7:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/28/2011 5:51 PM 21256]
R2 DNSCrypt;OpenDNSCrypt;c:\program files\OpenDNS\DNSCrypt\OpenDNSCryptService.exe [5/17/2012 10:23 AM 14336]
R2 EaseUS Agent;EaseUS Agent;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [2/1/2012 10:11 PM 61064]
R2 Guard Agent;Guard Agent;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [2/1/2012 10:11 PM 23176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/29/2012 8:00 PM 250568]
S3 DigiartyVirtualCDBus;Digiarty Virtual Driver;c:\windows\system32\drivers\DigiartyVirtualCDBus.sys [1/6/2012 11:25 PM 163616]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/24/2012 8:41 PM 114144]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
S4 Agent;VPDAgent;c:\windows\VPDAgent.exe [9/11/2012 4:39 PM 176128]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 16:00]
.
2012-09-14 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-10 09:12]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3771264329-85329873-2648820128-1008Core.job
- c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-29 01:53]
.
2012-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3771264329-85329873-2648820128-1008UA.job
- c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-29 01:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://abcnews.go.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A61EAB09-9A69-4329-B570-42C37AD13A84}: NameServer = 127.0.0.1
FF - ProfilePath - c:\documents and settings\HP_Administrator.DESKTOP\Application Data\Mozilla\Firefox\Profiles\lk87sgw5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://z1.invisionfree.com/IBBS_ComputerHelp/index.php?
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584&q=
FF - user.js: extensions.funmoods.id - 0013D30E42EE00EA
FF - user.js: extensions.funmoods.instlDay - 15594
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2216:40
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - adknlg
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - adknlg
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
FF - user.js: extensions.autoDisableScopes - 14
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{91397D20-1446-11D4-8AF4-0040CA1127B6} - (no file)
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-{007811BF-E310-4285-BFC6-55DB29B3EDDE} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{00781~1\Setup.exe
AddRemove-{2925CACB-1E25-43E4-96D7-E63C45A590B5} - c:\documents and settings\All Users\Application Data\{C0AAD0C9-F463-4F6D-AC34-D01169F94C3A}\UFVSetup.exe
AddRemove-{302A1E2E-DD58-4673-BC99-9CC10EC2637A} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{302A1~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-14 20:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3771264329-85329873-2648820128-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-09-14  20:39:19
ComboFix-quarantined-files.txt  2012-09-15 00:39
.
Pre-Run: 462,181,847,040 bytes free
Post-Run: 462,222,835,712 bytes free
.
- - End Of File - - 51BB868D95C4F2C798E56748ABB5975D


@Winchester73 - No I did not install PC Cleaner Pro.

Corrine

Hi, Grandms.

A strong word of caution:  P2P programs such as Shareaza form a direct conduit onto your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. Use of P2P programs can result in Identity Theft as well as malware.

It looks like ComboFix took care of PC Cleaner Pro.  Now, let's deal with the rest of Funmoods.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:


Firefox::
FF - ProfilePath - c:\documents and settings\HP_Administrator.DESKTOP\Application Data\Mozilla\Firefox\Profiles\lk87sgw5.default\
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCtA0DtAtD0EyEtB0E0EtDtD0E0AtN0D0Tzu0CtByDyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1825024584&q=
FF - user.js: extensions.funmoods.id - 0013D30E42EE00EA
FF - user.js: extensions.funmoods.instlDay - 15594
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2216:40
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - adknlg
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - adknlg
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0

DDS::
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {91397D20-1446-11D4-8AF4-0040CA1127B6} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File



  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.





  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Grandms

ComboFix 12-09-14.03 - HP_Administrator 09/15/2012  11:43:31.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3006.2478 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator.DESKTOP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator.DESKTOP\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((   Files Created from 2012-08-15 to 2012-09-15  )))))))))))))))))))))))))))))))
.
.
2012-09-11 20:39 . 2011-12-26 16:41   176128   ----a-w-   c:\windows\VPDAgent.exe
2012-09-11 20:39 . 2011-12-26 16:46   61440   ----a-w-   c:\windows\system32\ufvppm.dll
2012-09-11 20:02 . 2012-09-11 20:02   --------   d-----w-   c:\program files\LSI SoftModem
2012-09-11 19:51 . 2005-08-03 22:29   819200   ----a-w-   c:\program files\Windows Media Player\wmsetsdk.exe
2012-09-11 19:51 . 2005-08-03 22:29   47616   ----a-w-   c:\program files\Windows Media Player\msoobci.dll
2012-09-06 20:18 . 2012-09-06 20:18   --------   d-----w-   c:\windows\Performance
2012-09-06 20:18 . 2012-09-06 20:18   --------   d-----w-   c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Microsoft Corporation
2012-09-06 20:17 . 2012-09-06 20:17   --------   d-----w-   c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-09-01 01:01 . 2012-09-01 01:01   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2012-09-01 01:00 . 2012-09-01 01:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
2012-08-25 18:57 . 2012-08-25 18:57   --------   d-----w-   c:\program files\MSXML 4.0
2012-08-17 20:01 . 2012-08-17 20:01   --------   d-----w-   c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-14 14:35 . 2012-09-14 14:35   45056   ----a-w-   c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2012-09-14 14:35 . 2012-09-14 14:35   44032   ----a-w-   c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2012-09-07 21:04 . 2011-12-29 03:44   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-09-01 01:01 . 2003-04-11 05:04   93672   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2012-09-01 01:01 . 2012-04-28 16:20   821736   ----a-w-   c:\windows\system32\npdeployJava1.dll
2012-09-01 01:01 . 2011-12-28 22:03   746984   ----a-w-   c:\windows\system32\deployJava1.dll
2012-08-22 16:00 . 2012-03-30 00:00   696520   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-08-22 16:00 . 2011-12-30 01:37   73416   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 09:13 . 2011-12-28 21:51   355632   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2012-08-21 09:13 . 2011-12-28 21:51   729752   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13 . 2011-12-28 21:51   54232   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2012-08-21 09:13 . 2011-12-28 21:51   35928   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2012-08-21 09:13 . 2011-12-28 21:51   97608   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2012-08-21 09:13 . 2011-12-28 21:51   89624   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2012-08-21 09:13 . 2011-12-28 21:51   21256   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2012-08-21 09:13 . 2011-12-28 21:51   25256   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2012-08-21 09:12 . 2011-12-28 17:17   41224   ----a-w-   c:\windows\avastSS.scr
2012-08-21 09:12 . 2011-12-28 21:51   227648   ----a-w-   c:\windows\system32\aswBoot.exe
2012-07-06 13:58 . 2011-12-28 03:54   78336   ----a-w-   c:\windows\system32\browser.dll
2012-07-04 14:05 . 2011-12-28 04:20   139784   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2011-12-28 04:24   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2004-08-10 11:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2011-12-28 04:20   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2012-07-02 17:49 . 2011-12-28 04:11   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-07-02 12:05 . 2011-12-28 04:20   385024   ------w-   c:\windows\system32\html.iec
2012-06-25 20:04 . 2012-06-25 20:04   1394248   ----a-w-   c:\windows\system32\msxml4.dll
2009-10-10 01:44 . 2009-10-10 01:44   4637952   ----a-w-   c:\program files\Common Files\lpuninstall.exe
2012-09-11 01:56 . 2012-09-11 01:56   266720   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-09-15_00.36.34   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-09-15 15:10 . 2012-09-15 15:10   16384              c:\windows\Temp\Perflib_Perfdata_930.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12   121528   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{0CD3BB5C-BBCA-11D2-8C20-00C04FBBCFF9}\A94AAB13.exe [2012-5-7 30720]
OpenDNSCrypt.lnk - c:\windows\Installer\{E811D3DC-A647-4744-9CA6-BD4707D2808B}\_41100329364C94A5913B21.exe [2012-6-15 4710]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\EaseUS\\Todo Backup\\bin\\Agent.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [12/30/2011 10:47 PM 50312]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [12/30/2011 10:47 PM 43784]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/28/2011 5:51 PM 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/28/2011 5:51 PM 355632]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [12/30/2011 10:47 PM 16008]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [12/30/2011 10:47 PM 185864]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 7:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/28/2011 5:51 PM 21256]
R2 DNSCrypt;OpenDNSCrypt;c:\program files\OpenDNS\DNSCrypt\OpenDNSCryptService.exe [5/17/2012 10:23 AM 14336]
R2 EaseUS Agent;EaseUS Agent;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [2/1/2012 10:11 PM 61064]
R2 Guard Agent;Guard Agent;c:\program files\EaseUS\Todo Backup\bin\GuardAgent.exe [2/1/2012 10:11 PM 23176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/29/2012 8:00 PM 250568]
S3 DigiartyVirtualCDBus;Digiarty Virtual Driver;c:\windows\system32\drivers\DigiartyVirtualCDBus.sys [1/6/2012 11:25 PM 163616]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/24/2012 8:41 PM 114144]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
S4 Agent;VPDAgent;c:\windows\VPDAgent.exe [9/11/2012 4:39 PM 176128]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 16:00]
.
2012-09-15 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-10 09:12]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3771264329-85329873-2648820128-1008Core.job
- c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-29 01:53]
.
2012-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3771264329-85329873-2648820128-1008UA.job
- c:\documents and settings\HP_Administrator.DESKTOP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-29 01:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://abcnews.go.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A61EAB09-9A69-4329-B570-42C37AD13A84}: NameServer = 127.0.0.1
FF - ProfilePath - c:\documents and settings\HP_Administrator.DESKTOP\Application Data\Mozilla\Firefox\Profiles\lk87sgw5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://z1.invisionfree.com/IBBS_ComputerHelp/index.php?
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.autoDisableScopes - 14
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-15 11:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3771264329-85329873-2648820128-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2916)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-09-15  11:50:39
ComboFix-quarantined-files.txt  2012-09-15 15:50
ComboFix2.txt  2012-09-15 00:39
.
Pre-Run: 462,145,269,760 bytes free
Post-Run: 462,128,742,400 bytes free
.
- - End Of File - - 6DE56304D32CD8899AA43F21AF4E06AF
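
The ComboFix logs in this thread list the Firefox user.js preferences the hijacker wrote, and the raw user_pref(...) line in the Supplementary Scan shows it also set security.csp.enable to false, security.OCSP.enabled to 0 and extensions.autoDisableScopes to 0, which turn off Content Security Policy enforcement, OCSP revocation checks and the approval prompt for add-ons installed by other software; that line is still present in the log produced after the CFScript run. As an added example, not part of the thread or of ComboFix, the Python script below parses both line formats ComboFix prints and flags hijacker residue and weakened security prefs. Assumptions: the sample input is constructed from lines in the logs above, the hijacker prefix list holds only the funmoods prefix seen here, and the safe values are the Firefox defaults.

```python
"""Audit Firefox user.js preferences for hijacker residue and weakened security.

Added example for this thread, not part of the original posts or of ComboFix.
Input is the "FF - user.js:" summary lines and the raw user_pref(...) statements
that ComboFix prints from a Firefox profile's user.js.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix logs in this thread.
SAMPLE_LOG = """\
FF - prefs.js: browser.search.selectedEngine - Google
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.autoDisableScopes - 14
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
"""

# Security-relevant prefs and their Firefox default (the safe value).
SECURITY_PREFS: Dict[str, object] = {
    "security.csp.enable": True,         # Content Security Policy enforcement
    "security.OCSP.enabled": 1,          # OCSP certificate revocation checks
    "extensions.autoDisableScopes": 15,  # 15: all externally installed add-ons need approval
}

# Pref name prefixes written by the hijacker seen in this thread (assumption: only this one).
HIJACKER_PREFIXES = ("extensions.funmoods",)

SUMMARY_RE = re.compile(r"^FF - user\.js: (\S+) - (.*)$")
USER_PREF_RE = re.compile(r"user_pref\(\s*['\"]([^'\"]+)['\"]\s*,\s*([^)]*?)\s*\)")


def _coerce(raw: str) -> object:
    """Turn a textual pref value into bool/int/str as Firefox would read it."""
    raw = raw.strip().strip("'\"")
    if raw.lower() == "true":
        return True
    if raw.lower() == "false":
        return False
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text: str) -> List[Tuple[str, object]]:
    """Extract (name, value) pairs from both line formats ComboFix prints."""
    prefs: List[Tuple[str, object]] = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            prefs.append((m.group(1), _coerce(m.group(2))))
            continue
        # A single log line may carry several user_pref(...) statements.
        for name, value in USER_PREF_RE.findall(line):
            prefs.append((name, _coerce(value)))
    return prefs


def audit(text: str) -> List[str]:
    """Return one finding per hijacker pref or per security pref that deviates from its default."""
    findings: List[str] = []
    for name, value in parse_prefs(text):
        if name.startswith(HIJACKER_PREFIXES):
            findings.append(f"hijacker pref: {name} = {value!r}")
        elif name in SECURITY_PREFS and value != SECURITY_PREFS[name]:
            findings.append(f"weakened: {name} = {value!r} (safe default {SECURITY_PREFS[name]!r})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```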

Corrine

That seems to have done the trick, Grandms.  How is your computer now?

BTW, what are you using for a firewall?


Grandms

When I open Chrome browser, I still get an additional tab popping up behind my home page with funmoods on it, and funmoods is still listed among the search engines for Chrome.

I was using Zone Alarm, but recently have been using the Windows Firewall.

Grandms

Just need to add that when I open Internet Explorer, there is Funmoods as the default search engine.  The only browser where I cannot find it is Firefox.  How would it be if I deleted the current versions of Chrome and IE and then reinstalled?  Or would they keep the current settings anyway?  If I can feel safe about this thing, I guess I could just consider it an annoyance and try to overlook it, but I am so fearful that it may have some sinister "hooks" somewhere.  If it is so harmless, why cannot one go to their website and follow instructions there for removing?  It just does not remove.

Corrine

Let's see if AdwCleaner is still showing something. 

  •   Double-click AdwCleaner.exe to run the tool.
  •   Click Search.
  •   A logfile will automatically open after the scan has finished.
  •   Please post the contents of that logfile with your next response.
Note: The log can also be found at C:\AdwCleaner[XX].txt where XX denotes the number of times the application has been run, i.e., R1


Grandms

# AdwCleaner v2.001 - Logfile created 09/15/2012 at 18:53:16
# Updated 09/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : HP_Administrator - DESKTOP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\HP_Administrator.DESKTOP\My Documents\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-GB)

-\\ Google Chrome v21.0.1180.89

-\\ Chromium v [Unable to get version]

-\\ Opera v [Unable to get version]

*************************

AdwCleaner[R1].txt - [2523 octets] - [14/09/2012 12:00:36]
AdwCleaner[S1].txt - [3022 octets] - [14/09/2012 13:45:08]
AdwCleaner[R2].txt - [849 octets] - [15/09/2012 18:53:16]

########## EOF - C:\AdwCleaner[R2].txt - [908 octets] ##########