TechSpot

Another Trojan infection

By iFIX Solutions
Sep 6, 2012
  1. Helping a friend out this time. Per the 5 steps, here are the logs.

    TIA,
    Matt

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.09.06.12

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Owner :: TERRY-8538FA784 [administrator]

    9/6/2012 6:29:41 PM
    mbam-log-2012-09-06 (18-29-41).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 197888
    Time elapsed: 26 minute(s), 32 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 26
    HKCR\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
    HKCR\funmoods.funmoodsHlpr.1 (PUP.FunMoods) -> Quarantined and deleted successfully.
    HKCR\funmoods.funmoodsHlpr (PUP.FunMoods) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
    HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\escort.escortIEPane.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\escort.escortIEPane (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\funmoods.dskBnd.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\funmoods.dskBnd (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\funmoodsApp.appCore (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\f (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
    HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.

    Registry Values Detected: 3
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: Funmoods Toolbar -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Owner\Local Settings\Application Data\{74ca1287-844d-836c-7459-9b9f515f40ea}\n. -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.

    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-09-06 19:07:41
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Hitachi_HDS721050CLA362 rev.JP2OA3MA
    Running: 02ex8t48.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwlcqpow.sys
    ---- Devices - GMER 1.0.15 ----
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Owner at 19:11:24 on 2012-09-06
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.560 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\SAiDownloader.exe
    C:\WINDOWS\system32\SAiLicSvr.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fptb-hpd05
    mStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCyCyByC0AtCyE0C0D0C0CtDyEyEtN0D0Tzu0CtBtBzytN1L2XzutBtFtCtFtCtFtAtCtB&cr=191287204
    mURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: {1036AD63-AEAC-460B-9060-C96005D4DC86} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Qwiklinx: {3e7c8b5a-96ab-438f-bf9b-782400655440} - c:\documents and settings\owner\application data\qwiklinx\Qwiklinx.dll
    BHO: Privacy Safeguard BHO: {a42d2eb4-dd31-4bb5-8aa5-8d4e04806dbe} - c:\program files\privacysafeguard\PrivacySafeGuard.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SetDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe
    mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
    IE: &Search - http://tbedits.mapsgalaxy.com/one-t...B0C1-4D15-A16B-4097B85497F1&n=2012060418&cv=1
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{AF4F8BE6-AFC9-4CE6-ACDC-0D2ED240AB38} : DhcpNameServer = 192.168.1.1
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
    R2 SAiDownloader;SAiDownloader;c:\windows\system32\SAiDownloader.exe [2011-11-17 438272]
    R2 SAiLicSvr;SAiLicSvr;c:\windows\system32\SAiLicSvr.exe [2012-4-7 86016]
    R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2011-9-22 374304]
    R2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\common files\safenet sentinel\sentinel security runtime\sntlsrtsrvr.exe [2011-9-22 292384]
    S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2009-6-17 40720]
    S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2009-6-17 10384]
    .
    =============== Created Last 30 ================
    .
    2012-09-07 00:08:29  7022536  ----a-w-  c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a1328506-0a9e-4751-b4b4-580df75a3d2b}\mpengine.dll
    2012-09-06 23:28:20  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-09-06 23:28:20  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
    2012-08-27 03:10:10  7023536  ----a-w-  c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-08-27 03:08:05  --------  d-----w-  c:\program files\Microsoft Security Client
    2012-08-17 05:22:37  --------  d-----w-  c:\documents and settings\owner\local settings\application data\Mozilla
    2012-08-17 05:21:54  --------  d-----w-  c:\documents and settings\all users\application data\Tarma Installer
    2012-08-17 05:21:43  --------  d-----w-  C:\extensions
    2012-08-17 05:21:40  --------  d-----w-  c:\documents and settings\owner\application data\Qwiklinx
    2012-08-17 05:21:39  --------  d-----w-  c:\program files\Qwiklinx
    2012-08-17 05:21:04  --------  d-----w-  c:\program files\PrivacySafeGuard
    2012-08-17 05:20:54  --------  d-----w-  c:\documents and settings\owner\local settings\application data\Google
    2012-08-08 22:07:17  --------  d-----w-  c:\documents and settings\owner\application data\COMcheck
    2012-08-08 22:06:38  --------  d-----w-  c:\documents and settings\owner\local settings\application data\Check
    .
    ==================== Find3M ====================
    .
    2012-07-25 00:36:24  12872  ----a-w-  c:\windows\system32\bootdelete.exe
    2012-07-11 06:45:17  2228  ----a-w-  c:\windows\system32\ASOROSet.bin
    2012-07-06 13:58:51  78336  ----a-w-  c:\windows\system32\browser.dll
    2012-07-04 14:05:18  139784  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40:15  1866112  ----a-w-  c:\windows\system32\win32k.sys
    2012-07-02 17:49:33  916992  ----a-w-  c:\windows\system32\wininet.dll
    2012-07-02 17:49:32  43520  ------w-  c:\windows\system32\licmgr10.dll
    2012-07-02 17:49:32  1469440  ------w-  c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05:43  385024  ----a-w-  c:\windows\system32\html.iec
    2012-06-04 22:55:46  172440  ----a-w-  c:\program files\39res.dll
    .
    ============= FINISH: 19:14:32.75 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/24/2010 8:54:15 PM
    System Uptime: 9/6/2012 6:19:03 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0JC474
    Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Microprocessor | 3059/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 466 GiB total, 426.737 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP573: 6/8/2012 4:27:22 PM - System Checkpoint
    RP574: 6/9/2012 4:49:59 PM - System Checkpoint
    RP575: 6/10/2012 4:50:26 PM - System Checkpoint
    RP576: 6/11/2012 9:07:04 AM - SpeedyPC Pro Backup
    RP577: 6/12/2012 11:26:11 AM - System Checkpoint
    RP578: 6/12/2012 11:38:38 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
    RP579: 6/13/2012 6:15:04 PM - System Checkpoint
    RP580: 6/14/2012 3:00:18 AM - Software Distribution Service 3.0
    RP581: 6/15/2012 10:39:19 AM - System Checkpoint
    RP582: 6/16/2012 12:40:13 PM - System Checkpoint
    RP583: 6/18/2012 10:12:50 AM - System Checkpoint
    RP584: 6/19/2012 10:51:10 AM - System Checkpoint
    RP585: 6/20/2012 3:05:14 PM - System Checkpoint
    RP586: 6/21/2012 3:55:40 PM - System Checkpoint
    RP587: 6/23/2012 10:43:50 AM - System Checkpoint
    RP588: 6/24/2012 11:19:20 AM - System Checkpoint
    RP589: 6/25/2012 11:35:23 AM - System Checkpoint
    RP590: 6/26/2012 12:25:50 PM - System Checkpoint
    RP591: 6/26/2012 1:43:33 PM - MyCleanPCPCOptimizer_BeforeFixingIssues
    RP592: 6/27/2012 2:14:48 PM - System Checkpoint
    RP593: 6/28/2012 2:31:00 PM - System Checkpoint
    RP594: 6/29/2012 8:23:08 AM - SpeedyPC Pro Backup
    RP595: 6/30/2012 9:05:36 AM - System Checkpoint
    RP596: 7/1/2012 9:55:09 AM - System Checkpoint
    RP597: 7/2/2012 8:21:59 AM - SpeedyPC Pro Backup
    RP598: 7/3/2012 8:26:21 AM - System Checkpoint
    RP599: 7/4/2012 8:44:13 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
    RP600: 7/9/2012 10:17:03 PM - System Checkpoint
    RP601: 7/10/2012 11:24:15 PM - System Checkpoint
    RP602: 7/11/2012 1:14:54 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
    RP603: 7/11/2012 2:58:07 AM - Software Distribution Service 3.0
    RP604: 7/12/2012 10:37:45 AM - System Checkpoint
    RP605: 7/13/2012 10:59:46 AM - System Checkpoint
    RP606: 7/14/2012 11:05:06 AM - System Checkpoint
    RP607: 7/15/2012 11:29:06 AM - System Checkpoint
    RP608: 7/16/2012 12:22:40 PM - System Checkpoint
    RP609: 7/17/2012 12:32:51 PM - System Checkpoint
    RP610: 7/17/2012 1:42:11 PM - MyCleanPCPCOptimizer_BeforeFixingIssues
    RP611: 7/18/2012 3:39:14 PM - System Checkpoint
    RP612: 7/19/2012 3:47:43 PM - System Checkpoint
    RP613: 7/20/2012 8:47:40 AM - SpeedyPC Pro Backup
    RP614: 7/21/2012 8:55:01 AM - System Checkpoint
    RP615: 7/22/2012 9:30:29 AM - System Checkpoint
    RP616: 7/23/2012 9:18:33 AM - SpeedyPC Pro Backup
    RP617: 7/24/2012 9:43:18 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
    RP618: 7/24/2012 9:56:13 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
    RP619: 7/24/2012 9:59:34 AM - SpeedyPC Pro Backup
    RP620: 7/24/2012 10:03:28 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
    RP621: 7/24/2012 7:24:40 PM - Removed Sentinel Protection Installer 7.6.5
    RP622: 7/24/2012 7:25:58 PM - Removed CyberDefender Framework
    RP623: 7/24/2012 7:54:16 PM - Software Distribution Service 3.0
    RP624: 7/26/2012 8:07:18 AM - Software Distribution Service 3.0
    RP625: 7/27/2012 9:50:29 AM - System Checkpoint
    RP626: 7/27/2012 11:52:00 AM - Installed Sentinel Protection Installer 7.1.1
    RP627: 7/27/2012 11:54:46 AM - Removed Sentinel Protection Installer 7.1.1
    RP628: 7/27/2012 12:08:38 PM - Software Distribution Service 3.0
    RP629: 7/28/2012 12:55:12 PM - System Checkpoint
    RP630: 7/28/2012 6:02:53 PM - Software Distribution Service 3.0
    RP631: 7/30/2012 2:44:53 PM - Software Distribution Service 3.0
    RP632: 7/31/2012 3:07:38 PM - System Checkpoint
    RP633: 8/1/2012 8:02:54 AM - Software Distribution Service 3.0
    RP634: 8/2/2012 10:16:45 AM - Software Distribution Service 3.0
    RP635: 8/3/2012 10:34:22 AM - System Checkpoint
    RP636: 8/3/2012 10:41:17 PM - Software Distribution Service 3.0
    RP637: 8/4/2012 11:26:27 PM - System Checkpoint
    RP638: 8/5/2012 12:43:12 PM - Software Distribution Service 3.0
    RP639: 8/6/2012 1:02:30 PM - System Checkpoint
    RP640: 8/7/2012 7:59:42 AM - Software Distribution Service 3.0
    RP641: 8/8/2012 8:35:06 AM - Software Distribution Service 3.0
    RP642: 8/9/2012 8:35:31 AM - Software Distribution Service 3.0
    RP643: 8/10/2012 8:49:26 AM - System Checkpoint
    RP644: 8/11/2012 7:30:25 AM - Software Distribution Service 3.0
    RP645: 8/12/2012 2:23:41 AM - Software Distribution Service 3.0
    RP646: 8/13/2012 3:23:23 AM - System Checkpoint
    RP647: 8/13/2012 7:30:46 AM - Software Distribution Service 3.0
    RP648: 8/14/2012 7:31:03 AM - Software Distribution Service 3.0
    RP649: 8/15/2012 9:03:55 AM - Software Distribution Service 3.0
    RP650: 8/16/2012 2:56:21 AM - Software Distribution Service 3.0
    RP651: 8/16/2012 10:15:14 AM - Software Distribution Service 3.0
    RP652: 8/17/2012 11:43:39 AM - System Checkpoint
    RP653: 8/17/2012 2:21:30 PM - Removed iTunes
    RP654: 8/17/2012 2:48:46 PM - Software Distribution Service 3.0
    RP655: 8/18/2012 2:48:13 PM - Software Distribution Service 3.0
    RP656: 8/19/2012 3:08:19 PM - System Checkpoint
    RP657: 8/20/2012 7:15:36 AM - Software Distribution Service 3.0
    RP658: 8/21/2012 7:48:42 AM - Software Distribution Service 3.0
    RP659: 8/22/2012 8:39:01 AM - Software Distribution Service 3.0
    RP660: 8/23/2012 8:38:44 AM - Software Distribution Service 3.0
    RP661: 8/24/2012 8:44:41 AM - System Checkpoint
    RP662: 8/25/2012 6:52:11 AM - Software Distribution Service 3.0
    RP663: 8/26/2012 3:41:04 PM - System Checkpoint
    RP664: 8/27/2012 4:04:28 PM - System Checkpoint
    RP665: 8/28/2012 4:28:05 PM - System Checkpoint
    RP666: 8/29/2012 4:33:27 PM - System Checkpoint
    RP667: 8/30/2012 5:07:12 PM - System Checkpoint
    RP668: 9/1/2012 10:30:26 AM - System Checkpoint
    RP669: 9/2/2012 10:34:46 AM - System Checkpoint
    RP670: 9/3/2012 10:35:59 AM - System Checkpoint
    RP671: 9/3/2012 7:30:54 PM - Removed Bonjour
    RP672: 9/3/2012 7:31:43 PM - Removed Apple Application Support
    RP673: 9/3/2012 7:33:55 PM - Removed Apple Mobile Device Support
    RP674: 9/3/2012 7:34:36 PM - Removed Apple Software Update
    RP675: 9/4/2012 8:11:00 PM - System Checkpoint
    RP676: 9/6/2012 12:22:48 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.3)
    COMcheck 3.9.1.3 (Current User)
    Compatibility Pack for the 2007 Office system
    Conexant D850 56K V.9x DFVc Modem
    Corel Graphics - Windows Shell Extension
    CorelDRAW Graphics Suite X5
    CorelDRAW Graphics Suite X5 - BR
    CorelDRAW Graphics Suite X5 - Capture
    CorelDRAW Graphics Suite X5 - Common
    CorelDRAW Graphics Suite X5 - Connect
    CorelDRAW Graphics Suite X5 - Custom Data
    CorelDRAW Graphics Suite X5 - Draw
    CorelDRAW Graphics Suite X5 - EN
    CorelDRAW Graphics Suite X5 - ES
    CorelDRAW Graphics Suite X5 - Filters
    CorelDRAW Graphics Suite X5 - FontNav
    CorelDRAW Graphics Suite X5 - FR
    CorelDRAW Graphics Suite X5 - IPM
    CorelDRAW Graphics Suite X5 - KPT Collection
    CorelDRAW Graphics Suite X5 - PHOTO-PAINT
    CorelDRAW Graphics Suite X5 - Photozoom Plugin
    CorelDRAW Graphics Suite X5 - Redist
    CorelDRAW Graphics Suite X5 - Setup Files
    CorelDRAW Graphics Suite X5 - VBA
    CorelDRAW Graphics Suite X5 - VideoBrowser
    CorelDRAW Graphics Suite X5 - VSTA
    CorelDRAW Graphics Suite X5 - WT
    CorelDRAW(R) Graphics Suite X5
    erLT
    FAS for Peachtree
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
    HP Deskjet 3050 J610 series Basic Device Software
    HP Deskjet 3050 J610 series Help
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Java Auto Updater
    Java(TM) 6 Update 29
    Linksys Wireless-G PCI Adapter
    Malwarebytes Anti-Malware version 1.62.0.1300
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Outlook 2003
    Microsoft Office XP Professional
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual Studio Tools for Applications 2.0 - ENU
    Microsoft Visual Studio Tools for Applications 2.0 Runtime
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Peachtree Complete Accounting 2006
    Privacy SafeGuard version 1.1
    QBFC3.0
    Qwiklinx
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2731847)
    Security Update for Windows XP (KB923789)
    Sentinel Protection Installer 7.6.5
    SigmaTel Audio
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2718704)
    Vinyl Express LXi1
    Visual Basic for Applications (R) Core
    Visual Basic for Applications (R) Core - English
    WebFldrs XP
    Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00)
    Windows Internet Explorer 8
    Windows XP Service Pack 3
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/6/2012 12:12:05 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures.New Signature Version: Previous Signature Version: 1.135.390.0Update Source: Microsoft Update ServerUpdate Stage: SearchSource Path: Default URLSignature Type: AntiVirusUpdate Type: FullUser: NT AUTHORITY\SYSTEMCurrent Engine Version: Previous Engine Version: 1.1.8704.0Error code: 0x80070424Error description: The specified service does not exist as an installed service.
    .
    ==== End Of File ===========================
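    The Malwarebytes log above is usually read by eye, but its detection lines have a fixed shape (object, then the family in parentheses, then one or more " -> " segments of which the last is the action taken), so they can be parsed for triage. The following Python parser is an added example and is not part of the original thread or of Malwarebytes itself; it turns mbam-log lines into records, keeps the "Data:" payload of registry values, and summarizes which families were found, which items were not cleaned, and which detections are more than adware (here the Trojan.Zaccess entries, whose InprocServer32 value points at a file named "n" under a GUID-named folder in Local Settings, as the posted log shows). The sample lines are constructed from the format in the post; the "No action taken" entry and its C:\CONSTRUCTED path are made up to exercise the unremediated case. Family names are lower-cased when counting because the same log spells them both "PUP.FunMoods" and "PUP.Funmoods".

```python
"""Parse Malwarebytes Anti-Malware 1.x scan logs into structured detections (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the mbam-log format of the post above (not the full log).
# The "No action taken" line and its C:\CONSTRUCTED path are constructed to show
# the unremediated case; the other lines follow entries from the posted log.
SAMPLE_LOG = """\
Registry Keys Detected: 2
HKCR\\CLSID\\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\\SOFTWARE\\CLASSES\\CLSID\\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\\SOFTWARE\\CLASSES\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32| (Trojan.Zaccess) -> Data: C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\{74ca1287-844d-836c-7459-9b9f515f40ea}\\n. -> Quarantined and deleted successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\\CONSTRUCTED\\Program Files (x86)\\sample.dll (Trojan.Zaccess) -> No action taken.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# object, then "(family)", then one or more " -> " segments; the last one is the action.
# The non-greedy object lets paths containing parentheses, e.g. "(x86)", parse correctly.
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
CLEANED = "Quarantined and deleted successfully."


@dataclass(frozen=True)
class Detection:
    section: str          # e.g. "Registry Keys", "Files"
    obj: str              # registry path or file path
    family: str           # detection name as printed, e.g. "Trojan.Zaccess"
    data: Optional[str]   # "Data:" payload for registry values, else None
    action: str           # last " -> " segment, e.g. "No action taken."

    @property
    def hive(self) -> Optional[str]:
        """Registry hive (HKCR/HKCU/HKLM/...) for registry items, None for files."""
        head = self.obj.split("\\", 1)[0].upper()
        return head if head.startswith("HK") else None

    @property
    def category(self) -> str:
        """Family prefix before the first dot: 'PUP', 'Trojan', 'Rootkit', ..."""
        return self.family.split(".", 1)[0]


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per item line, tagged with the section it appeared under."""
    items: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:
            continue  # "(No malicious items detected)" and other non-item lines
        segments = m.group("rest").split(" -> ")
        action = segments[-1]
        data = None
        for seg in segments[:-1]:
            if seg.startswith("Data: "):
                data = seg[len("Data: "):]
        items.append(Detection(section, m.group("obj"), m.group("family"), data, action))
    return items


def summarize(items: List[Detection]) -> Dict[str, object]:
    """Counts per family (case-normalized), items not cleaned, and non-PUP detections."""
    by_family = Counter(d.family.lower() for d in items)
    not_cleaned = [d for d in items if d.action != CLEANED]
    non_pup = [d for d in items if d.category.lower() != "pup"]
    return {"by_family": dict(by_family), "not_cleaned": not_cleaned, "non_pup": non_pup}


if __name__ == "__main__":
    summary = summarize(parse_mbam_log(SAMPLE_LOG))
    for fam, n in sorted(summary["by_family"].items()):
        print(f"{n:3d}  {fam}")
    for d in summary["not_cleaned"]:
        print("NOT CLEANED:", d.section, d.obj, d.action)
    for d in summary["non_pup"]:
        print("FOLLOW UP  :", d.family, d.hive or "file", d.obj, d.data or "")
```

    Pointing the parser at a real mbam-log file (read the file and pass its text to parse_mbam_log) gives a quick answer to the two questions a helper asks first: did anything survive the removal pass, and is any of it a trojan or rootkit family rather than a toolbar PUP, which is what decides whether a deeper tool is the next step.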
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello!

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
     
  3. iFIX Solutions

    iFIX Solutions TS Rookie Topic Starter Posts: 73

    Sorry for the delayed response. I have been dealing with a break in at work. I am completing your instructions now.
     
  4. iFIX Solutions

    iFIX Solutions TS Rookie Topic Starter Posts: 73

    I ran AdwCleaner with no issue. I started ComboFix and walked away for a few minutes. I came back to a BSOD. Now it won't boot at all. I can't even get the F8 screen to come up. Any suggestions? Got it to boot in normal mode. About to run ComboFix again.
     
  5. iFIX Solutions

    iFIX Solutions TS Rookie Topic Starter Posts: 73

    Finally got combo to run to completion in Safe mode.

    # AdwCleaner v2.000 - Logfile created 09/08/2012 at 11:38:54
    # Updated 30/08/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Owner - TERRY-8538FA784
    # Boot Mode : Normal
    # Running from : C:\iFIX Solutions (Matt)\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Found : C:\Documents and Settings\Owner\Local Settings\Application Data\funmoods-speeddial.crx
    Folder Found : C:\Documents and Settings\All Users\Application Data\Tarma Installer
    Folder Found : C:\Documents and Settings\Owner\Application Data\Qwiklinx
    Folder Found : C:\Documents and Settings\Owner\My Documents\ShopToWin
    Folder Found : C:\Program Files\Qwiklinx

    ***** [Registry] *****

    Key Found : HKCU\Software\AppDataLow\Software\Freecause
    Key Found : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Found : HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Search
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13D095-45C3-4271-9475-F3B48227DD9F}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13D095-45C3-4271-9475-F3B48227DD9F}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
    Key Found : HKCU\Software\Qwiklinx
    Key Found : HKCU\Software\Zugo
    Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{E2C1A522-B8E1-45D1-B316-F5625004A28C}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
    Key Found : HKLM\SOFTWARE\Classes\QwiklinxBHO
    Key Found : HKLM\SOFTWARE\Classes\QwiklinxBHO.1
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{204C0025-C26A-43E2-853C-D8A8EB1BCE51}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dnfaglepmjgohnkcoieaijlheabmcdeo
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{2E497885-E60B-420A-832D-0148B392E058}_is1
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2E497885-E60B-420A-832D-0148B392E058}_is1
    Key Found : HKLM\Software\Tarma Installer
    Key Found : HKU\S-1-5-21-776561741-706699826-1801674531-1003\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.18702

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCyCyByC0AtCyE0C0D0C0CtDyEyEtN0D0Tzu0CtBtBzytN1L2XzutBtFtCtFtCtFtAtCtB&cr=191287204

    -\\ Mozilla Firefox v [Unable to get version]

    Profile name : default
    File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xm1i2oid.default\prefs.js

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [6027 octets] - [08/09/2012 11:38:54]

    ########## EOF - C:\AdwCleaner[R1].txt - [6087 octets] ##########


    ComboFix 12-09-08.02 - Administrator 09/08/2012 13:04:21.3.2 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.780 [GMT -5:00]
    Running from: c:\ifix solutions (matt)\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\documents and settings\All Users\Application Data\ism_0_llatsni.pad
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Owner\My Documents\ShopToWin
    c:\program files\PrivacySafeGuard\PrIVacysafeguard.dll
    c:\windows\system32\Cache
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\5be2640284b847ce.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\a54a4d5a134fde6e.fb
    c:\windows\system32\Cache\a8556537add6dfc5.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\bfa74bc3c57a1f5c.fb
    c:\windows\system32\Cache\c4d28dca2e7648be.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    c:\windows\system32\Cache\e0de16f883bea794.fb
    .
    -- Previous Run --
    .
    c:\windows\system32\drivers\i8042prt.sys was missing
    Restored copy from - c:\windows\ServicePackFiles\i386\i8042prt.sys
    .
    --------
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-08 to 2012-09-08 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-08 17:58 . 2012-09-08 17:59  --------  d-----w-  c:\documents and settings\Administrator
    2012-09-08 17:35 . 2008-04-14 08:48  52480  -c--a-w-  c:\windows\system32\dllcache\i8042prt.sys
    2012-09-08 17:35 . 2008-04-14 08:48  52480  ----a-w-  c:\windows\system32\drivers\i8042prt.sys
    2012-09-07 18:23 . 2012-09-07 18:23  56200  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A1328506-0A9E-4751-B4B4-580DF75A3D2B}\offreg.dll
    2012-09-07 00:08 . 2012-08-23 07:15  7022536  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A1328506-0A9E-4751-B4B4-580DF75A3D2B}\mpengine.dll
    2012-09-06 23:28 . 2012-09-06 23:28  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
    2012-09-06 23:28 . 2012-07-03 18:46  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-08-27 03:10 . 2012-08-20 06:53  7023536  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-27 03:08 . 2012-08-27 03:08  --------  d-----w-  c:\program files\Microsoft Security Client
    2012-08-26 19:20 . 2012-08-26 19:20  --------  d-sh--w-  c:\documents and settings\NetworkService\IETldCache
    2012-08-17 05:22 . 2012-08-17 05:22  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
    2012-08-17 05:21 . 2012-08-17 19:25  --------  d-----w-  c:\documents and settings\All Users\Application Data\Tarma Installer
    2012-08-17 05:21 . 2012-08-17 05:21  --------  d-----w-  C:\extensions
    2012-08-17 05:21 . 2012-08-17 05:21  --------  d-----w-  c:\documents and settings\Owner\Application Data\Qwiklinx
    2012-08-17 05:21 . 2012-08-17 05:21  --------  d-----w-  c:\program files\Qwiklinx
    2012-08-17 05:21 . 2012-09-08 17:35  --------  d-----w-  c:\program files\PrivacySafeGuard
    2012-08-17 05:20 . 2012-08-17 05:20  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Google
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-25 00:36 . 2012-07-25 00:36  12872  ----a-w-  c:\windows\system32\bootdelete.exe
    2012-07-06 13:58 . 2004-08-04 10:00  78336  ----a-w-  c:\windows\system32\browser.dll
    2012-07-04 14:05 . 2010-11-25 02:47  139784  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40 . 2004-08-04 10:00  1866112  ----a-w-  c:\windows\system32\win32k.sys
    2012-07-02 17:49 . 2006-03-04 03:33  916992  ----a-w-  c:\windows\system32\wininet.dll
    2012-07-02 17:49 . 2004-08-04 10:00  43520  ------w-  c:\windows\system32\licmgr10.dll
    2012-07-02 17:49 . 2004-08-04 10:00  1469440  ------w-  c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05 . 2004-08-04 10:00  385024  ----a-w-  c:\windows\system32\html.iec
    2012-06-04 22:55 . 2012-07-25 00:27  172440  ----a-w-  c:\program files\39res.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
    "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2010-12-11 819200]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/6/2012 6:28 PM 655944]
    S2 SAiDownloader;SAiDownloader;c:\windows\system32\SAiDownloader.exe [11/17/2011 10:46 PM 438272]
    S2 SAiLicSvr;SAiLicSvr;c:\windows\system32\SAiLicSvr.exe [4/7/2012 7:19 PM 86016]
    S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [9/22/2011 1:03 AM 374304]
    S2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe [9/22/2011 1:00 AM 292384]
    S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [6/17/2009 11:55 AM 40720]
    S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [6/17/2009 11:55 AM 10384]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/6/2012 6:28 PM 22344]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12  REG_MULTI_SZ  Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCyCyByC0AtCyE0C0D0C0CtDyEyEtN0D0Tzu0CtBtBzytN1L2XzutBtFtCtFtCtFtAtCtB&cr=191287204
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-09-08 13:18
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(996)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2012-09-08 13:21:58
    ComboFix-quarantined-files.txt 2012-09-08 18:21
    .
    Pre-Run: 458,610,032,640 bytes free
    Post-Run: 458,586,800,128 bytes free
    .
    - - End Of File - - 9EFDD7237CAA6D8FAF83263A02F4AA1E
     
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Remove the Adware.
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  7. iFIX Solutions

    iFIX Solutions TS Rookie Topic Starter Posts: 73

    # AdwCleaner v2.000 - Logfile created 09/08/2012 at 14:58:28
    # Updated 30/08/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Owner - TERRY-8538FA784
    # Boot Mode : Normal
    # Running from : C:\iFIX Solutions (Matt)\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\funmoods-speeddial.crx
    Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
    Folder Deleted : C:\Documents and Settings\Owner\Application Data\Qwiklinx
    Folder Deleted : C:\Program Files\Qwiklinx

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Deleted : HKCU\Software\Qwiklinx
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E2C1A522-B8E1-45D1-B316-F5625004A28C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dnfaglepmjgohnkcoieaijlheabmcdeo
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{2E497885-E60B-420A-832D-0148B392E058}_is1
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2E497885-E60B-420A-832D-0148B392E058}_is1
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.18702

    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCyCyByC0AtCyE0C0D0C0CtDyEyEtN0D0Tzu0CtBtBzytN1L2XzutBtFtCtFtCtFtAtCtB&cr=191287204 --> hxxp://www.google.com

    -\\ Mozilla Firefox v [Unable to get version]

    Profile name : default
    File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xm1i2oid.default\prefs.js

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [6156 octets] - [08/09/2012 11:38:54]
    AdwCleaner[S1].txt - [5170 octets] - [08/09/2012 14:58:28]

    ########## EOF - C:\AdwCleaner[S1].txt - [5230 octets] ##########
    ComboFix 12-09-08.02 - Owner 09/08/2012 15:04:40.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.615 [GMT -5:00]
    Running from: c:\ifix solutions (matt)\ComboFix.exe
    Command switches used :: c:\ifix solutions (matt)\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-08 to 2012-09-08 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-08 17:58 . 2012-09-08 17:59  --------  d-----w-  c:\documents and settings\Administrator
    2012-09-08 17:35 . 2008-04-14 08:48  52480  -c--a-w-  c:\windows\system32\dllcache\i8042prt.sys
    2012-09-08 17:35 . 2008-04-14 08:48  52480  ----a-w-  c:\windows\system32\drivers\i8042prt.sys
    2012-09-07 18:23 . 2012-09-07 18:23  56200  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A1328506-0A9E-4751-B4B4-580DF75A3D2B}\offreg.dll
    2012-09-07 00:08 . 2012-08-23 07:15  7022536  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A1328506-0A9E-4751-B4B4-580DF75A3D2B}\mpengine.dll
    2012-09-06 23:28 . 2012-09-06 23:28  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
    2012-09-06 23:28 . 2012-07-03 18:46  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-08-27 03:10 . 2012-08-20 06:53  7023536  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-27 03:08 . 2012-08-27 03:08  --------  d-----w-  c:\program files\Microsoft Security Client
    2012-08-26 19:20 . 2012-08-26 19:20  --------  d-sh--w-  c:\documents and settings\NetworkService\IETldCache
    2012-08-17 05:22 . 2012-08-17 05:22  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
    2012-08-17 05:21 . 2012-08-17 05:21  --------  d-----w-  C:\extensions
    2012-08-17 05:21 . 2012-09-08 17:35  --------  d-----w-  c:\program files\PrivacySafeGuard
    2012-08-17 05:20 . 2012-08-17 05:20  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Google
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-25 00:36 . 2012-07-25 00:36  12872  ----a-w-  c:\windows\system32\bootdelete.exe
    2012-07-06 13:58 . 2004-08-04 10:00  78336  ----a-w-  c:\windows\system32\browser.dll
    2012-07-04 14:05 . 2010-11-25 02:47  139784  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40 . 2004-08-04 10:00  1866112  ----a-w-  c:\windows\system32\win32k.sys
    2012-07-02 17:49 . 2006-03-04 03:33  916992  ----a-w-  c:\windows\system32\wininet.dll
    2012-07-02 17:49 . 2004-08-04 10:00  43520  ------w-  c:\windows\system32\licmgr10.dll
    2012-07-02 17:49 . 2004-08-04 10:00  1469440  ------w-  c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05 . 2004-08-04 10:00  385024  ----a-w-  c:\windows\system32\html.iec
    2012-06-04 22:55 . 2012-07-25 00:27  172440  ----a-w-  c:\program files\39res.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-09-08_18.18.21 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-09-08 20:00 . 2012-09-08 20:00  16384  c:\windows\temp\Perflib_Perfdata_740.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
    "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2010-12-11 819200]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R2 SAiDownloader;SAiDownloader;c:\windows\system32\SAiDownloader.exe [11/17/2011 10:46 PM 438272]
    R2 SAiLicSvr;SAiLicSvr;c:\windows\system32\SAiLicSvr.exe [4/7/2012 7:19 PM 86016]
    R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [9/22/2011 1:03 AM 374304]
    R2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe [9/22/2011 1:00 AM 292384]
    S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [6/17/2009 11:55 AM 40720]
    S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [6/17/2009 11:55 AM 10384]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/6/2012 6:28 PM 22344]
    S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/6/2012 6:28 PM 655944]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12  REG_MULTI_SZ  Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fptb-hpd05
    mStart Page = hxxp://www.google.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-09-08 15:11
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3024)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2012-09-08 15:14:18
    ComboFix-quarantined-files.txt 2012-09-08 20:14
    ComboFix2.txt 2012-09-08 18:21
    .
    Pre-Run: 458,577,010,688 bytes free
    Post-Run: 458,572,095,488 bytes free
    .
    - - End Of File - - 1395BA15A38B8F5619088CAC3AD37C6E
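One check worth doing with the two AdwCleaner logs in this thread (the [Search] run in post 5 and the [Delete] run above): diff them, because the delete pass does not list several of the items the search pass reported. The script below is an added example, not part of the original posts and not AdwCleaner code. The two excerpts are copied from those logs (the funmoods start-page URL is shortened to its first parameters); the line grammar it assumes, "<Kind> Found : <target>" and "<Kind> Deleted : <target>", is read off the posted logs rather than taken from AdwCleaner documentation.

```python
"""Diff an AdwCleaner [Search] log against the [Delete] log that followed it.

Added example for the TechSpot thread; not part of the original posts and not
AdwCleaner code. The excerpts are copied from the logs posted in the thread
(start-page URL shortened). The line grammar assumed here is an assumption
drawn from those logs, not from AdwCleaner documentation.
"""
import re

# "File Found : C:\..." / "Key Deleted : HKLM\..." / "Value Found : HKCU\... [name]"
LINE_RE = re.compile(
    r"^(?P<kind>File|Folder|Key|Value)\s+(?P<action>Found|Deleted)\s*:\s*(?P<target>.+?)\s*$"
)
# AdwCleaner defangs URLs as hxxp://; capture the host of each one
DEFANGED_URL_RE = re.compile(r"\bhxxps?://([^/\s]+)")

# Excerpt of AdwCleaner[R1].txt (Option [Search]) from post 5
SEARCH_LOG = r"""
***** [Files / Folders] *****

File Found : C:\Documents and Settings\Owner\Local Settings\Application Data\funmoods-speeddial.crx
Folder Found : C:\Documents and Settings\Owner\My Documents\ShopToWin
Folder Found : C:\Program Files\Qwiklinx

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Freecause
Key Found : HKCU\Software\Qwiklinx
Key Found : HKCU\Software\Zugo
Key Found : HKLM\SOFTWARE\Classes\QwiklinxBHO
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=adknlg
"""

# Excerpt of AdwCleaner[S1].txt (Option [Delete]) from post 7
DELETE_LOG = r"""
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\funmoods-speeddial.crx
Folder Deleted : C:\Program Files\Qwiklinx
Key Deleted : HKCU\Software\Qwiklinx
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=adknlg --> hxxp://www.google.com
"""


def parse_findings(log_text):
    """Map (kind, case-folded target) -> target as written, for Found/Deleted lines.

    Windows paths and registry keys are case-insensitive, so the lookup key is
    case-folded to keep the two logs comparable even if their casing differs.
    """
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings[(m["kind"], m["target"].casefold())] = m["target"]
    return findings


def leftovers(search_log, delete_log):
    """Items the search pass reported that the delete pass never lists.

    Returns a sorted list of (kind, target). Anything here needs a manual check:
    it may have been removed by another tool in between, or it may still exist.
    """
    found = parse_findings(search_log)
    deleted = parse_findings(delete_log)
    return sorted(
        (kind, target)
        for (kind, folded), target in found.items()
        if (kind, folded) not in deleted
    )


def defanged_hosts(log_text):
    """Hosts of every hxxp:// URL in the log (start-page and search hijacks)."""
    return sorted(set(DEFANGED_URL_RE.findall(log_text)))


if __name__ == "__main__":
    for kind, target in leftovers(SEARCH_LOG, DELETE_LOG):
        print(f"not in delete log: {kind:6} {target}")
    print("hijack hosts:", defanged_hosts(SEARCH_LOG))
```

On these excerpts the diff reports the ShopToWin folder and the Freecause, Zugo and QwiklinxBHO keys. ShopToWin is explained by the thread itself (ComboFix lists it under "Other Deletions" from its previous run), but the registry keys are exactly the kind of item to verify by hand with regedit before calling the machine clean.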
     
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.


    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
     
  9. iFIX Solutions

    iFIX Solutions TS Rookie Topic Starter Posts: 73

    Only other issue is IE seems very slow and laggy. There seems to be a lot of processes running in Task Manager as well.

    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0094980.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0094986.dll probably a variant of Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0094989.dll probably a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0094994.dll probably a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0095000.dll a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0095012.DLL probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP623\A0095057.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095720.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095721.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095722.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095723.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095724.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095726.exe Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP653\A0095817.dll Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
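Every hit in the ESET results above sits under C:\System Volume Information\_restore{...}\RPnnn, i.e. inside saved System Restore points rather than on the live file system. Those copies are inert until someone rolls back to that restore point, which would reintroduce the adware; that is the reason for the restore-point purge that follows in this thread. The script below is an added example, not part of the original posts and not ESET code: it splits detections into "restore point" and "live" and counts them by family. The first six sample lines are copied from the ESET output above; the last line is constructed for the example so that one hit falls outside System Volume Information. The line grammar (path, then ESET's detection text, then the action taken) is read off those lines and is an assumption, not ESET's documented format.

```python
"""Sort ESET Online Scanner hits by where they live: restore point or live disk.

Added example for the TechSpot thread; not part of the original posts and not
ESET code. Six sample lines are copied from the posted ESET results; the final
line is constructed so that one hit lies outside System Volume Information.
The line grammar assumed here is an assumption, not ESET's documented format.
"""
import re
from collections import Counter, defaultdict

# the path runs from the drive letter to the first file extension followed by a space
ESET_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.(?:dll|exe|sys|scr|tmp))\s+(?P<rest>.+)$", re.IGNORECASE
)
# "Win32/Toolbar.MyWebSearch.A", "Win32/InstallCore.D", "Win32/Toolbar.Funmoods", ...
DETECTION_RE = re.compile(r"\b(Win32/[\w.]+)")
# System Restore keeps its copies under _restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE
)

# lines 1-6 copied from post 9; line 7 constructed for this example
ESET_LOG = r"""
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0094980.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0095012.DLL probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP623\A0095057.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095720.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095726.exe Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP653\A0095817.dll Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Temp\setup.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
"""


def family(detection):
    """Strip ESET's single-letter variant suffix: Win32/Adware.Yontoo.B -> Win32/Adware.Yontoo."""
    return re.sub(r"\.[A-Z]$", "", detection)


def parse_eset(log_text):
    """One dict per detection line: path, detection, restore_point (None if live), quarantined."""
    records = []
    for raw in log_text.splitlines():
        m = ESET_LINE_RE.match(raw.strip())
        if not m:
            continue
        path, rest = m["path"], m["rest"]
        det = DETECTION_RE.search(rest)
        rp = RESTORE_POINT_RE.search(path)
        records.append({
            "path": path,
            "detection": det.group(1) if det else rest,
            "restore_point": rp.group(1) if rp else None,
            "quarantined": rest.lower().endswith("quarantined"),
        })
    return records


def by_location(records):
    """{'RP622': {family: count}, ..., 'live': {...}}: restore-point hits kept apart from live ones."""
    table = defaultdict(Counter)
    for r in records:
        table[r["restore_point"] or "live"][family(r["detection"])] += 1
    return {loc: dict(counts) for loc, counts in table.items()}


def live_hits(records):
    """Detections outside System Volume Information: the ones that matter for a running system."""
    return [r for r in records if r["restore_point"] is None]


if __name__ == "__main__":
    recs = parse_eset(ESET_LOG)
    for loc, fams in sorted(by_location(recs).items()):
        print(loc, fams)
    print("live hits:", [r["path"] for r in live_hits(recs)])
```

With the thread's own six lines the "live" bucket is empty, which is what makes the helper's "your logs appear to be clean" call reasonable; the purge of old restore points then removes the only remaining copies.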
     
  10. iFIX Solutions

    iFIX Solutions TS Rookie Topic Starter Posts: 73

    Even though MSE was installed I was getting a warning from Security Center that there was no anti virus. I was also getting a popup for an Adobe Reader update. While waiting for your response I went ahead and uninstalled and re-installed MSE and installed the Adobe Reader update. This fixed the issue with Security Center reporting no AV. This is the only thing I have done that strayed from your instructions.
     
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall finish up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
    • Select Start > All Programs > Accessories > System tools > System Restore.
    • On the dialogue box that appears select Create a Restore Point
    • Click NEXT
    • Enter a name e.g. Clean
    • Click CREATE
    You now have a clean restore point, to get rid of the bad ones:
    • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
    • In the Drop down box that appears select your main drive e.g. C
    • Click OK
    • The System will do some calculation and then display a dialogue box with TABS
    • Select the More Options Tab.
    • At the bottom will be a system restore box with a CLEANUP button click this
    • Accept the Warning and select OK again, the program will close and you are done

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
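The restore-point steps above are click-by-click. As an added example (not part of the thread, and not a tool the helper asked for), the following PowerShell script does the same checks from a prompt: it lists the existing restore points, creates a fresh one named "Clean", and lists them again so you can confirm the new point is there before the old ones are purged with Disk Cleanup. It uses the documented SystemRestore WMI class in the root\default namespace, which exists on client Windows (XP SP3 with PowerShell 2.0 included); run it from an elevated prompt.

```powershell
# Added example, not from the thread: scripted equivalent of the
# "Clean up System Restore" steps. Uses the SystemRestore WMI class
# (root\default), present on client Windows only. Run elevated.

function Get-RestorePointList {
    # One instance per restore point; CreationTime is a WMI datetime string,
    # so it is converted to a normal DateTime for readability.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        ForEach-Object {
            New-Object PSObject -Property @{
                Sequence    = $_.SequenceNumber
                Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
                Description = $_.Description
                Type        = $_.RestorePointType
            }
        }
}

function New-CleanRestorePoint {
    param([string]$Description = 'Clean')
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    # CreateRestorePoint(Description, RestorePointType, EventType):
    # 12 = MODIFY_SETTINGS, 100 = BEGIN_SYSTEM_CHANGE (Win32 System Restore API constants).
    $result = $sr.CreateRestorePoint($Description, 12, 100)
    if ($result.ReturnValue -ne 0) {
        throw "CreateRestorePoint failed with return code $($result.ReturnValue)"
    }
    return $Description
}

'Restore points before:'
Get-RestorePointList | Format-Table Sequence, Created, Description, Type -AutoSize

New-CleanRestorePoint -Description 'Clean' | Out-Null

"Restore points after (the new 'Clean' point should carry the highest sequence number):"
Get-RestorePointList | Format-Table Sequence, Created, Description, Type -AutoSize

# The old points are then removed with Disk Cleanup > More Options >
# System Restore > Clean up, exactly as described in the post above.
# Re-run Get-RestorePointList afterwards to confirm only 'Clean' remains.
```

Listing the points before and after is the part worth keeping: it shows that the clean point really was created before you delete everything older, which is the whole reason the helper has you create it first.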
  12. iFIX Solutions

    iFIX Solutions TS Rookie Topic Starter Posts: 73

    Internet Explorer still seems very slow. Even returning to this page to post replies it is very sluggish. The page loads initially very quickly. Then there is a long delay before I can scroll down on the page. This happens on all web pages. Perhaps it is the nature of the beast on an older machine with 1GB RAM, Windows XP and IE8. Other than that the machine seems fine.

    Results of screen317's Security Check version 0.99.50
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    CCleaner
    Java(TM) 6 Update 29
    Java version out of Date!
    Adobe Reader X (10.1.4)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 1%
    ````````````````````End of Log``````````````````````
     
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    XP and IE8 don't mix, by the way. I think Internet Explorer 7 was a stretch for XP. Version 8...even worse!

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems


    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
     
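The Java step above asks you to search Add or Remove Programs by hand for every old version. As an added example (not part of the thread, not a helper-provided tool), this PowerShell script does that inventory from the registry keys Add or Remove Programs itself reads, reports the runtime version the system is actually using, and flags the case where more than one Java entry is present so the old ones get removed before the new install. Registry paths are the standard Uninstall keys and the JavaSoft CurrentVersion value written by the Java installer; the 64-bit Wow6432Node path is simply skipped on a 32-bit XP box like the one in this thread.

```powershell
# Added example, not from the thread: inventory installed Java runtimes
# the way the "Java Update!" step asks you to do by hand, so every old
# version is found and removed before the newest one goes on.

function Get-InstalledJava {
    # Add or Remove Programs is built from these keys (Wow6432Node only exists on 64-bit Windows).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Names Sun/Oracle used over the years: "J2SE Runtime Environment 5.0 Update 6",
            # "Java(TM) 6 Update 29", "Java 7 Update 7". Anything starting with Java or J2SE counts.
            if ($p.DisplayName -match '^(Java|J2SE)') {
                New-Object PSObject -Property @{
                    Name            = $p.DisplayName
                    Version         = $p.DisplayVersion
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

function Get-ActiveJavaVersion {
    # The installer records the runtime the system actually uses here.
    $key = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    if (Test-Path $key) { return (Get-ItemProperty $key).CurrentVersion }
    return $null
}

$installed = @(Get-InstalledJava)
"Active JRE version (JavaSoft CurrentVersion): $(Get-ActiveJavaVersion)"
"Java entries in Add or Remove Programs: $($installed.Count)"
$installed | Format-Table Name, Version -AutoSize

if ($installed.Count -gt 1) {
    'More than one Java entry is present: remove the older ones in Add or Remove Programs before installing the newest.'
}
elseif ($installed.Count -eq 0) {
    'No Java entries found: nothing old to remove before installing.'
}
```

Run it once before the uninstall pass and once after the new version is installed; the second run should show a single entry whose version matches the JavaSoft CurrentVersion value, which is the same outcome the Security Check log (the "Java version out of Date!" line earlier in the thread) is looking for.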
  14. iFIX Solutions

    iFIX Solutions TS Rookie Topic Starter Posts: 73

    Thanks DMJ. You guys are a real asset. I agree completely on IE8 and XP. Do you have a recommendation for a better browser to use on XP? I have also had issues with Firefox being slow on XP lately. From what little research I have done it appears to be a Java issue that slows Firefox down. Thanks again for all your help!! Mark this one solved. I have looked and I don't see a way to give you (+)Karma or something similar. I owe Broni the same for helping me last time.

    Matt
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    To be honest Google Chrome, Avant, or Maxthon. All three are easygoing browsers. Maxthon might be a bit much at times, but overall, they are good browsers for XP.
     
  16. iFIX Solutions

    iFIX Solutions TS Rookie Topic Starter Posts: 73

    Thanks Again. Mark this one Solved.
     
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    You're welcome. Marked as solved. √
     