Solved Another Trojan infection


iFIX Solutions

Helping a friend out this time. Per the 5 steps, here are the logs.

TIA,
Matt

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.06.12

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: TERRY-8538FA784 [administrator]

9/6/2012 6:29:41 PM
mbam-log-2012-09-06 (18-29-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197888
Time elapsed: 26 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 26
HKCR\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCR\funmoods.funmoodsHlpr.1 (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCR\funmoods.funmoodsHlpr (PUP.FunMoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\escort.escortIEPane.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\escort.escortIEPane (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoods.dskBnd.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoods.dskBnd (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoodsApp.appCore (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\f (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: Funmoods Toolbar -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Owner\Local Settings\Application Data\{74ca1287-844d-836c-7459-9b9f515f40ea}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.

(end)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-09-06 19:07:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Hitachi_HDS721050CLA362 rev.JP2OA3MA
Running: 02ex8t48.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwlcqpow.sys
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 19:11:24 on 2012-09-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.560 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\SAiDownloader.exe
C:\WINDOWS\system32\SAiLicSvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fptb-hpd05
mStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCyCyByC0AtCyE0C0D0C0CtDyEyEtN0D0Tzu0CtBtBzytN1L2XzutBtFtCtFtCtFtAtCtB&cr=191287204
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {1036AD63-AEAC-460B-9060-C96005D4DC86} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Qwiklinx: {3e7c8b5a-96ab-438f-bf9b-782400655440} - c:\documents and settings\owner\application data\qwiklinx\Qwiklinx.dll
BHO: Privacy Safeguard BHO: {a42d2eb4-dd31-4bb5-8aa5-8d4e04806dbe} - c:\program files\privacysafeguard\PrivacySafeGuard.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SetDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
IE: &Search - http://tbedits.mapsgalaxy.com/one-t...B0C1-4D15-A16B-4097B85497F1&n=2012060418&cv=1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AF4F8BE6-AFC9-4CE6-ACDC-0D2ED240AB38} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 SAiDownloader;SAiDownloader;c:\windows\system32\SAiDownloader.exe [2011-11-17 438272]
R2 SAiLicSvr;SAiLicSvr;c:\windows\system32\SAiLicSvr.exe [2012-4-7 86016]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2011-9-22 374304]
R2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\common files\safenet sentinel\sentinel security runtime\sntlsrtsrvr.exe [2011-9-22 292384]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2009-6-17 40720]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2009-6-17 10384]
.
=============== Created Last 30 ================
.
2012-09-07 00:08:29  7022536  ----a-w-  c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a1328506-0a9e-4751-b4b4-580df75a3d2b}\mpengine.dll
2012-09-06 23:28:20  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-09-06 23:28:20  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2012-08-27 03:10:10  7023536  ----a-w-  c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-08-27 03:08:05  --------  d-----w-  c:\program files\Microsoft Security Client
2012-08-17 05:22:37  --------  d-----w-  c:\documents and settings\owner\local settings\application data\Mozilla
2012-08-17 05:21:54  --------  d-----w-  c:\documents and settings\all users\application data\Tarma Installer
2012-08-17 05:21:43  --------  d-----w-  C:\extensions
2012-08-17 05:21:40  --------  d-----w-  c:\documents and settings\owner\application data\Qwiklinx
2012-08-17 05:21:39  --------  d-----w-  c:\program files\Qwiklinx
2012-08-17 05:21:04  --------  d-----w-  c:\program files\PrivacySafeGuard
2012-08-17 05:20:54  --------  d-----w-  c:\documents and settings\owner\local settings\application data\Google
2012-08-08 22:07:17  --------  d-----w-  c:\documents and settings\owner\application data\COMcheck
2012-08-08 22:06:38  --------  d-----w-  c:\documents and settings\owner\local settings\application data\Check
.
==================== Find3M ====================
.
2012-07-25 00:36:24  12872  ----a-w-  c:\windows\system32\bootdelete.exe
2012-07-11 06:45:17  2228  ----a-w-  c:\windows\system32\ASOROSet.bin
2012-07-06 13:58:51  78336  ----a-w-  c:\windows\system32\browser.dll
2012-07-04 14:05:18  139784  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15  1866112  ----a-w-  c:\windows\system32\win32k.sys
2012-07-02 17:49:33  916992  ----a-w-  c:\windows\system32\wininet.dll
2012-07-02 17:49:32  43520  ------w-  c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32  1469440  ------w-  c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43  385024  ----a-w-  c:\windows\system32\html.iec
2012-06-04 22:55:46  172440  ----a-w-  c:\program files\39res.dll
.
============= FINISH: 19:14:32.75 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/24/2010 8:54:15 PM
System Uptime: 9/6/2012 6:19:03 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0JC474
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Microprocessor | 3059/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 426.737 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP573: 6/8/2012 4:27:22 PM - System Checkpoint
RP574: 6/9/2012 4:49:59 PM - System Checkpoint
RP575: 6/10/2012 4:50:26 PM - System Checkpoint
RP576: 6/11/2012 9:07:04 AM - SpeedyPC Pro Backup
RP577: 6/12/2012 11:26:11 AM - System Checkpoint
RP578: 6/12/2012 11:38:38 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
RP579: 6/13/2012 6:15:04 PM - System Checkpoint
RP580: 6/14/2012 3:00:18 AM - Software Distribution Service 3.0
RP581: 6/15/2012 10:39:19 AM - System Checkpoint
RP582: 6/16/2012 12:40:13 PM - System Checkpoint
RP583: 6/18/2012 10:12:50 AM - System Checkpoint
RP584: 6/19/2012 10:51:10 AM - System Checkpoint
RP585: 6/20/2012 3:05:14 PM - System Checkpoint
RP586: 6/21/2012 3:55:40 PM - System Checkpoint
RP587: 6/23/2012 10:43:50 AM - System Checkpoint
RP588: 6/24/2012 11:19:20 AM - System Checkpoint
RP589: 6/25/2012 11:35:23 AM - System Checkpoint
RP590: 6/26/2012 12:25:50 PM - System Checkpoint
RP591: 6/26/2012 1:43:33 PM - MyCleanPCPCOptimizer_BeforeFixingIssues
RP592: 6/27/2012 2:14:48 PM - System Checkpoint
RP593: 6/28/2012 2:31:00 PM - System Checkpoint
RP594: 6/29/2012 8:23:08 AM - SpeedyPC Pro Backup
RP595: 6/30/2012 9:05:36 AM - System Checkpoint
RP596: 7/1/2012 9:55:09 AM - System Checkpoint
RP597: 7/2/2012 8:21:59 AM - SpeedyPC Pro Backup
RP598: 7/3/2012 8:26:21 AM - System Checkpoint
RP599: 7/4/2012 8:44:13 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
RP600: 7/9/2012 10:17:03 PM - System Checkpoint
RP601: 7/10/2012 11:24:15 PM - System Checkpoint
RP602: 7/11/2012 1:14:54 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
RP603: 7/11/2012 2:58:07 AM - Software Distribution Service 3.0
RP604: 7/12/2012 10:37:45 AM - System Checkpoint
RP605: 7/13/2012 10:59:46 AM - System Checkpoint
RP606: 7/14/2012 11:05:06 AM - System Checkpoint
RP607: 7/15/2012 11:29:06 AM - System Checkpoint
RP608: 7/16/2012 12:22:40 PM - System Checkpoint
RP609: 7/17/2012 12:32:51 PM - System Checkpoint
RP610: 7/17/2012 1:42:11 PM - MyCleanPCPCOptimizer_BeforeFixingIssues
RP611: 7/18/2012 3:39:14 PM - System Checkpoint
RP612: 7/19/2012 3:47:43 PM - System Checkpoint
RP613: 7/20/2012 8:47:40 AM - SpeedyPC Pro Backup
RP614: 7/21/2012 8:55:01 AM - System Checkpoint
RP615: 7/22/2012 9:30:29 AM - System Checkpoint
RP616: 7/23/2012 9:18:33 AM - SpeedyPC Pro Backup
RP617: 7/24/2012 9:43:18 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
RP618: 7/24/2012 9:56:13 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
RP619: 7/24/2012 9:59:34 AM - SpeedyPC Pro Backup
RP620: 7/24/2012 10:03:28 AM - MyCleanPCPCOptimizer_BeforeFixingIssues
RP621: 7/24/2012 7:24:40 PM - Removed Sentinel Protection Installer 7.6.5
RP622: 7/24/2012 7:25:58 PM - Removed CyberDefender Framework
RP623: 7/24/2012 7:54:16 PM - Software Distribution Service 3.0
RP624: 7/26/2012 8:07:18 AM - Software Distribution Service 3.0
RP625: 7/27/2012 9:50:29 AM - System Checkpoint
RP626: 7/27/2012 11:52:00 AM - Installed Sentinel Protection Installer 7.1.1
RP627: 7/27/2012 11:54:46 AM - Removed Sentinel Protection Installer 7.1.1
RP628: 7/27/2012 12:08:38 PM - Software Distribution Service 3.0
RP629: 7/28/2012 12:55:12 PM - System Checkpoint
RP630: 7/28/2012 6:02:53 PM - Software Distribution Service 3.0
RP631: 7/30/2012 2:44:53 PM - Software Distribution Service 3.0
RP632: 7/31/2012 3:07:38 PM - System Checkpoint
RP633: 8/1/2012 8:02:54 AM - Software Distribution Service 3.0
RP634: 8/2/2012 10:16:45 AM - Software Distribution Service 3.0
RP635: 8/3/2012 10:34:22 AM - System Checkpoint
RP636: 8/3/2012 10:41:17 PM - Software Distribution Service 3.0
RP637: 8/4/2012 11:26:27 PM - System Checkpoint
RP638: 8/5/2012 12:43:12 PM - Software Distribution Service 3.0
RP639: 8/6/2012 1:02:30 PM - System Checkpoint
RP640: 8/7/2012 7:59:42 AM - Software Distribution Service 3.0
RP641: 8/8/2012 8:35:06 AM - Software Distribution Service 3.0
RP642: 8/9/2012 8:35:31 AM - Software Distribution Service 3.0
RP643: 8/10/2012 8:49:26 AM - System Checkpoint
RP644: 8/11/2012 7:30:25 AM - Software Distribution Service 3.0
RP645: 8/12/2012 2:23:41 AM - Software Distribution Service 3.0
RP646: 8/13/2012 3:23:23 AM - System Checkpoint
RP647: 8/13/2012 7:30:46 AM - Software Distribution Service 3.0
RP648: 8/14/2012 7:31:03 AM - Software Distribution Service 3.0
RP649: 8/15/2012 9:03:55 AM - Software Distribution Service 3.0
RP650: 8/16/2012 2:56:21 AM - Software Distribution Service 3.0
RP651: 8/16/2012 10:15:14 AM - Software Distribution Service 3.0
RP652: 8/17/2012 11:43:39 AM - System Checkpoint
RP653: 8/17/2012 2:21:30 PM - Removed iTunes
RP654: 8/17/2012 2:48:46 PM - Software Distribution Service 3.0
RP655: 8/18/2012 2:48:13 PM - Software Distribution Service 3.0
RP656: 8/19/2012 3:08:19 PM - System Checkpoint
RP657: 8/20/2012 7:15:36 AM - Software Distribution Service 3.0
RP658: 8/21/2012 7:48:42 AM - Software Distribution Service 3.0
RP659: 8/22/2012 8:39:01 AM - Software Distribution Service 3.0
RP660: 8/23/2012 8:38:44 AM - Software Distribution Service 3.0
RP661: 8/24/2012 8:44:41 AM - System Checkpoint
RP662: 8/25/2012 6:52:11 AM - Software Distribution Service 3.0
RP663: 8/26/2012 3:41:04 PM - System Checkpoint
RP664: 8/27/2012 4:04:28 PM - System Checkpoint
RP665: 8/28/2012 4:28:05 PM - System Checkpoint
RP666: 8/29/2012 4:33:27 PM - System Checkpoint
RP667: 8/30/2012 5:07:12 PM - System Checkpoint
RP668: 9/1/2012 10:30:26 AM - System Checkpoint
RP669: 9/2/2012 10:34:46 AM - System Checkpoint
RP670: 9/3/2012 10:35:59 AM - System Checkpoint
RP671: 9/3/2012 7:30:54 PM - Removed Bonjour
RP672: 9/3/2012 7:31:43 PM - Removed Apple Application Support
RP673: 9/3/2012 7:33:55 PM - Removed Apple Mobile Device Support
RP674: 9/3/2012 7:34:36 PM - Removed Apple Software Update
RP675: 9/4/2012 8:11:00 PM - System Checkpoint
RP676: 9/6/2012 12:22:48 PM - System Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.3)
COMcheck 3.9.1.3 (Current User)
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Corel Graphics - Windows Shell Extension
CorelDRAW Graphics Suite X5
CorelDRAW Graphics Suite X5 - BR
CorelDRAW Graphics Suite X5 - Capture
CorelDRAW Graphics Suite X5 - Common
CorelDRAW Graphics Suite X5 - Connect
CorelDRAW Graphics Suite X5 - Custom Data
CorelDRAW Graphics Suite X5 - Draw
CorelDRAW Graphics Suite X5 - EN
CorelDRAW Graphics Suite X5 - ES
CorelDRAW Graphics Suite X5 - Filters
CorelDRAW Graphics Suite X5 - FontNav
CorelDRAW Graphics Suite X5 - FR
CorelDRAW Graphics Suite X5 - IPM
CorelDRAW Graphics Suite X5 - KPT Collection
CorelDRAW Graphics Suite X5 - PHOTO-PAINT
CorelDRAW Graphics Suite X5 - Photozoom Plugin
CorelDRAW Graphics Suite X5 - Redist
CorelDRAW Graphics Suite X5 - Setup Files
CorelDRAW Graphics Suite X5 - VBA
CorelDRAW Graphics Suite X5 - VideoBrowser
CorelDRAW Graphics Suite X5 - VSTA
CorelDRAW Graphics Suite X5 - WT
CorelDRAW(R) Graphics Suite X5
erLT
FAS for Peachtree
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
HP Deskjet 3050 J610 series Basic Device Software
HP Deskjet 3050 J610 series Help
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Java Auto Updater
Java(TM) 6 Update 29
Linksys Wireless-G PCI Adapter
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Outlook 2003
Microsoft Office XP Professional
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Visual Studio Tools for Applications 2.0 Runtime
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Peachtree Complete Accounting 2006
Privacy SafeGuard version 1.1
QBFC3.0
Qwiklinx
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923789)
Sentinel Protection Installer 7.6.5
SigmaTel Audio
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2718704)
Vinyl Express LXi1
Visual Basic for Applications (R) Core
Visual Basic for Applications (R) Core - English
WebFldrs XP
Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00)
Windows Internet Explorer 8
Windows XP Service Pack 3
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
9/6/2012 12:12:05 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures.New Signature Version: Previous Signature Version: 1.135.390.0Update Source: Microsoft Update ServerUpdate Stage: SearchSource Path: Default URLSignature Type: AntiVirusUpdate Type: FullUser: NT AUTHORITY\SYSTEMCurrent Engine Version: Previous Engine Version: 1.1.8704.0Error code: 0x80070424Error description: The specified service does not exist as an installed service.
.
==== End Of File ===========================
 
Hello!

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

ComboFix

Please download ComboFix by sUBs from BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
Sorry for the delayed response. I have been dealing with a break in at work. I am completing your instructions now.
 
I ran AdwCleaner with no issue. I started ComboFix and walked away for a few minutes. I came back to a BSOD. Now it won't boot at all. I can't even get the F8 screen to come up. Any suggestions? Got it to boot in normal mode. About to run ComboFix again.
 
Finally got combo to run to completion in Safe mode.

# AdwCleaner v2.000 - Logfile created 09/08/2012 at 11:38:54
# Updated 30/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - TERRY-8538FA784
# Boot Mode : Normal
# Running from : C:\iFIX Solutions (Matt)\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Documents and Settings\Owner\Local Settings\Application Data\funmoods-speeddial.crx
Folder Found : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Found : C:\Documents and Settings\Owner\Application Data\Qwiklinx
Folder Found : C:\Documents and Settings\Owner\My Documents\ShopToWin
Folder Found : C:\Program Files\Qwiklinx

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Freecause
Key Found : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Found : HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Search
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Found : HKCU\Software\Qwiklinx
Key Found : HKCU\Software\Zugo
Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Found : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Found : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Found : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E2C1A522-B8E1-45D1-B316-F5625004A28C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Found : HKLM\SOFTWARE\Classes\QwiklinxBHO
Key Found : HKLM\SOFTWARE\Classes\QwiklinxBHO.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{204C0025-C26A-43E2-853C-D8A8EB1BCE51}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dnfaglepmjgohnkcoieaijlheabmcdeo
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{2E497885-E60B-420A-832D-0148B392E058}_is1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2E497885-E60B-420A-832D-0148B392E058}_is1
Key Found : HKLM\Software\Tarma Installer
Key Found : HKU\S-1-5-21-776561741-706699826-1801674531-1003\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCyCyByC0AtCyE0C0D0C0CtDyEyEtN0D0Tzu0CtBtBzytN1L2XzutBtFtCtFtCtFtAtCtB&cr=191287204

-\\ Mozilla Firefox v [Unable to get version]

Profile name : default
File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xm1i2oid.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [6027 octets] - [08/09/2012 11:38:54]

########## EOF - C:\AdwCleaner[R1].txt - [6087 octets] ##########


ComboFix 12-09-08.02 - Administrator 09/08/2012 13:04:21.3.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.780 [GMT -5:00]
Running from: c:\ifix solutions (matt)\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\ism_0_llatsni.pad
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\My Documents\ShopToWin
c:\program files\PrivacySafeGuard\PrIVacysafeguard.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\5be2640284b847ce.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\a54a4d5a134fde6e.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\bfa74bc3c57a1f5c.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
.
-- Previous Run --
.
c:\windows\system32\drivers\i8042prt.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\i8042prt.sys
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2012-08-08 to 2012-09-08 )))))))))))))))))))))))))))))))
.
.
2012-09-08 17:58 . 2012-09-08 17:59  --------  d-----w-  c:\documents and settings\Administrator
2012-09-08 17:35 . 2008-04-14 08:48  52480  -c--a-w-  c:\windows\system32\dllcache\i8042prt.sys
2012-09-08 17:35 . 2008-04-14 08:48  52480  ----a-w-  c:\windows\system32\drivers\i8042prt.sys
2012-09-07 18:23 . 2012-09-07 18:23  56200  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A1328506-0A9E-4751-B4B4-580DF75A3D2B}\offreg.dll
2012-09-07 00:08 . 2012-08-23 07:15  7022536  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A1328506-0A9E-4751-B4B4-580DF75A3D2B}\mpengine.dll
2012-09-06 23:28 . 2012-09-06 23:28  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2012-09-06 23:28 . 2012-07-03 18:46  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-08-27 03:10 . 2012-08-20 06:53  7023536  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-27 03:08 . 2012-08-27 03:08  --------  d-----w-  c:\program files\Microsoft Security Client
2012-08-26 19:20 . 2012-08-26 19:20  --------  d-sh--w-  c:\documents and settings\NetworkService\IETldCache
2012-08-17 05:22 . 2012-08-17 05:22  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2012-08-17 05:21 . 2012-08-17 19:25  --------  d-----w-  c:\documents and settings\All Users\Application Data\Tarma Installer
2012-08-17 05:21 . 2012-08-17 05:21  --------  d-----w-  C:\extensions
2012-08-17 05:21 . 2012-08-17 05:21  --------  d-----w-  c:\documents and settings\Owner\Application Data\Qwiklinx
2012-08-17 05:21 . 2012-08-17 05:21  --------  d-----w-  c:\program files\Qwiklinx
2012-08-17 05:21 . 2012-09-08 17:35  --------  d-----w-  c:\program files\PrivacySafeGuard
2012-08-17 05:20 . 2012-08-17 05:20  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-25 00:36 . 2012-07-25 00:36  12872  ----a-w-  c:\windows\system32\bootdelete.exe
2012-07-06 13:58 . 2004-08-04 10:00  78336  ----a-w-  c:\windows\system32\browser.dll
2012-07-04 14:05 . 2010-11-25 02:47  139784  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2004-08-04 10:00  1866112  ----a-w-  c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2006-03-04 03:33  916992  ----a-w-  c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2004-08-04 10:00  43520  ------w-  c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2004-08-04 10:00  1469440  ------w-  c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2004-08-04 10:00  385024  ----a-w-  c:\windows\system32\html.iec
2012-06-04 22:55 . 2012-07-25 00:27  172440  ----a-w-  c:\program files\39res.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2010-12-11 819200]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/6/2012 6:28 PM 655944]
S2 SAiDownloader;SAiDownloader;c:\windows\system32\SAiDownloader.exe [11/17/2011 10:46 PM 438272]
S2 SAiLicSvr;SAiLicSvr;c:\windows\system32\SAiLicSvr.exe [4/7/2012 7:19 PM 86016]
S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [9/22/2011 1:03 AM 374304]
S2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe [9/22/2011 1:00 AM 292384]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [6/17/2009 11:55 AM 40720]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [6/17/2009 11:55 AM 10384]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/6/2012 6:28 PM 22344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCyCyByC0AtCyE0C0D0C0CtDyEyEtN0D0Tzu0CtBtBzytN1L2XzutBtFtCtFtCtFtAtCtB&cr=191287204
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-08 13:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(996)
c:\windows\system32\WININET.dll
.
Completion time: 2012-09-08 13:21:58
ComboFix-quarantined-files.txt 2012-09-08 18:21
.
Pre-Run: 458,610,032,640 bytes free
Post-Run: 458,586,800,128 bytes free
.
- - End Of File - - 9EFDD7237CAA6D8FAF83263A02F4AA1E
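The "Files Created" listing above is where the infection date shows itself: six folders (Google, Qwiklinx, PrivacySafeGuard, Tarma Installer, C:\extensions, Mozilla) all appear between 05:20 and 05:22 on 2012-08-17, which is the signature of one bundled installer dropping several components. Below is an added example, not part of this thread or of ComboFix, that parses ComboFix's "created . modified  size  attrs  path" lines and groups entries whose creation times chain within a few minutes of each other, so an install burst like that one stands out from routine definition updates. The sample lines are taken from the ComboFix log posted above; two of them are kept in the run-together form that forum pastes produce (timestamp, size and attributes fused), and the parser accepts both layouts. The five-minute window and the three-entry minimum are my choices, not anything ComboFix defines.

```python
"""Spot an install burst in a ComboFix 'Files Created' listing.

Added example; not part of the forum thread or of ComboFix. It parses the
'created . modified  size  attrs  path' lines, accepting both the original
tab-separated layout and the fused form seen in forum pastes, then chains
entries by creation time to find clusters (an installer dropping its payload).
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories (ComboFix prints '--------')
    attrs: str
    path: str


# Constructed sample: entries taken from the thread's first ComboFix run. The first
# two lines are in the fused form as pasted; the rest have the columns restored.
SAMPLE_LOG = r"""
2012-09-08 17:35 . 2008-04-14 08:4852480-c--a-w-c:\windows\system32\dllcache\i8042prt.sys
2012-09-06 23:28 . 2012-09-06 23:28--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2012-09-08 17:58 . 2012-09-08 17:59  --------  d-----w-  c:\documents and settings\Administrator
2012-08-27 03:08 . 2012-08-27 03:08  --------  d-----w-  c:\program files\Microsoft Security Client
2012-08-17 05:22 . 2012-08-17 05:22  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2012-08-17 05:21 . 2012-08-17 19:25  --------  d-----w-  c:\documents and settings\All Users\Application Data\Tarma Installer
2012-08-17 05:21 . 2012-08-17 05:21  --------  d-----w-  C:\extensions
2012-08-17 05:21 . 2012-08-17 05:21  --------  d-----w-  c:\program files\Qwiklinx
2012-08-17 05:21 . 2012-09-08 17:35  --------  d-----w-  c:\program files\PrivacySafeGuard
2012-08-17 05:20 . 2012-08-17 05:20  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Google
"""

# created ' . ' modified, then size (digits, or 8 dashes for a directory), then the
# 8-character attribute field, then a drive-letter path. Whitespace between the
# fields is optional so the fused forum-paste form parses too.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s*(\d+|-{8})\s*([-a-z]{8})\s*([A-Za-z]:\\.*?)\s*$"
)


def parse_entries(text: str) -> List[Entry]:
    """Return one Entry per recognisable 'Files Created' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(
            datetime.strptime(created, "%Y-%m-%d %H:%M"),
            datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            None if size.startswith("-") else int(size),
            attrs,
            path,
        ))
    return entries


def find_bursts(entries: List[Entry], window: timedelta = timedelta(minutes=5),
                min_size: int = 3) -> List[List[Entry]]:
    """Chain entries by creation time: an entry joins the open group if it was created
    within `window` of the previous member. Groups of at least `min_size` are bursts."""
    bursts: List[List[Entry]] = []
    group: List[Entry] = []
    for e in sorted(entries, key=lambda e: e.created):
        if group and e.created - group[-1].created > window:
            if len(group) >= min_size:
                bursts.append(group)
            group = []
        group.append(e)
    if len(group) >= min_size:
        bursts.append(group)
    return bursts


if __name__ == "__main__":
    for burst in find_bursts(parse_entries(SAMPLE_LOG)):
        print(f"{burst[0].created:%Y-%m-%d %H:%M} .. {burst[-1].created:%H:%M}: {len(burst)} items")
        for e in burst:
            print("   ", e.path)
```

Run against the full log, the only burst reported is the 2012-08-17 05:20 cluster; the Microsoft Security Client and Malwarebytes folders are isolated single entries and drop out. A burst is a lead for a timeline, not a verdict: check what the user ran or downloaded at that time before treating everything in the cluster as hostile.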
 
Remove the Adware.
  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
Please post the log.

ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    (image: CFScriptB-4.gif)
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
 
# AdwCleaner v2.000 - Logfile created 09/08/2012 at 14:58:28
# Updated 30/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - TERRY-8538FA784
# Boot Mode : Normal
# Running from : C:\iFIX Solutions (Matt)\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\funmoods-speeddial.crx
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\Owner\Application Data\Qwiklinx
Folder Deleted : C:\Program Files\Qwiklinx

***** [Registry] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Qwiklinx
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E2C1A522-B8E1-45D1-B316-F5625004A28C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dnfaglepmjgohnkcoieaijlheabmcdeo
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{2E497885-E60B-420A-832D-0148B392E058}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2E497885-E60B-420A-832D-0148B392E058}_is1
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzutDtDtCyCyByC0AtCyE0C0D0C0CtDyEyEtN0D0Tzu0CtBtBzytN1L2XzutBtFtCtFtCtFtAtCtB&cr=191287204 --> hxxp://www.google.com

-\\ Mozilla Firefox v [Unable to get version]

Profile name : default
File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xm1i2oid.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [6156 octets] - [08/09/2012 11:38:54]
AdwCleaner[S1].txt - [5170 octets] - [08/09/2012 14:58:28]

########## EOF - C:\AdwCleaner[S1].txt - [5230 octets] ##########
ComboFix 12-09-08.02 - Owner 09/08/2012 15:04:40.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.615 [GMT -5:00]
Running from: c:\ifix solutions (matt)\ComboFix.exe
Command switches used :: c:\ifix solutions (matt)\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-08 to 2012-09-08 )))))))))))))))))))))))))))))))
.
.
2012-09-08 17:58 . 2012-09-08 17:59  --------  d-----w-  c:\documents and settings\Administrator
2012-09-08 17:35 . 2008-04-14 08:48  52480  -c--a-w-  c:\windows\system32\dllcache\i8042prt.sys
2012-09-08 17:35 . 2008-04-14 08:48  52480  ----a-w-  c:\windows\system32\drivers\i8042prt.sys
2012-09-07 18:23 . 2012-09-07 18:23  56200  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A1328506-0A9E-4751-B4B4-580DF75A3D2B}\offreg.dll
2012-09-07 00:08 . 2012-08-23 07:15  7022536  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A1328506-0A9E-4751-B4B4-580DF75A3D2B}\mpengine.dll
2012-09-06 23:28 . 2012-09-06 23:28  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2012-09-06 23:28 . 2012-07-03 18:46  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-08-27 03:10 . 2012-08-20 06:53  7023536  ----a-w-  c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-27 03:08 . 2012-08-27 03:08  --------  d-----w-  c:\program files\Microsoft Security Client
2012-08-26 19:20 . 2012-08-26 19:20  --------  d-sh--w-  c:\documents and settings\NetworkService\IETldCache
2012-08-17 05:22 . 2012-08-17 05:22  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2012-08-17 05:21 . 2012-08-17 05:21  --------  d-----w-  C:\extensions
2012-08-17 05:21 . 2012-09-08 17:35  --------  d-----w-  c:\program files\PrivacySafeGuard
2012-08-17 05:20 . 2012-08-17 05:20  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-25 00:36 . 2012-07-25 00:36  12872  ----a-w-  c:\windows\system32\bootdelete.exe
2012-07-06 13:58 . 2004-08-04 10:00  78336  ----a-w-  c:\windows\system32\browser.dll
2012-07-04 14:05 . 2010-11-25 02:47  139784  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2004-08-04 10:00  1866112  ----a-w-  c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2006-03-04 03:33  916992  ----a-w-  c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2004-08-04 10:00  43520  ------w-  c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2004-08-04 10:00  1469440  ------w-  c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2004-08-04 10:00  385024  ----a-w-  c:\windows\system32\html.iec
2012-06-04 22:55 . 2012-07-25 00:27  172440  ----a-w-  c:\program files\39res.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-08_18.18.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-09-08 20:00 . 2012-09-08 20:00  16384  c:\windows\temp\Perflib_Perfdata_740.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2010-12-11 819200]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 SAiDownloader;SAiDownloader;c:\windows\system32\SAiDownloader.exe [11/17/2011 10:46 PM 438272]
R2 SAiLicSvr;SAiLicSvr;c:\windows\system32\SAiLicSvr.exe [4/7/2012 7:19 PM 86016]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [9/22/2011 1:03 AM 374304]
R2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe [9/22/2011 1:00 AM 292384]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [6/17/2009 11:55 AM 40720]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [6/17/2009 11:55 AM 10384]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/6/2012 6:28 PM 22344]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/6/2012 6:28 PM 655944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fptb-hpd05
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-08 15:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3024)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-09-08 15:14:18
ComboFix-quarantined-files.txt 2012-09-08 20:14
ComboFix2.txt 2012-09-08 18:21
.
Pre-Run: 458,577,010,688 bytes free
Post-Run: 458,572,095,488 bytes free
.
- - End Of File - - 1395BA15A38B8F5619088CAC3AD37C6E
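One check worth making on a pair of AdwCleaner logs is whether everything the scan run (R1, "Key Found") reported actually shows up in the delete run (S1, "Key Deleted"). In this thread the R1 list includes HKCU\Software\Zugo, HKLM\SOFTWARE\Classes\QwiklinxBHO and HKLM\Software\Tarma Installer, none of which appear among the S1 deletions. That is not by itself proof of a leftover (ComboFix ran on this machine between the two AdwCleaner runs), but it is exactly the kind of gap a helper wants flagged rather than eyeballed across two 40-line lists. Below is an added example, not part of this thread or of AdwCleaner, that parses both logs, compares them with registry paths lower-cased and the logged-on user's HKU\S-1-5-21-... hive folded onto HKCU (the R1 log lists the hijacked SearchScopes key under HKU, S1 deletes it under HKCU), and pulls out the "Replaced" browser fixes. The sample lines are a subset of the two logs posted above with the Funmoods start-page URL shortened; the single-user HKU-to-HKCU folding is an assumption that fits this machine but not a multi-user one.

```python
"""Reconcile an AdwCleaner scan log (R1, 'Found') against its delete log (S1, 'Deleted').

Added example; not part of the thread or of AdwCleaner. Anything reported in the
scan run that the delete run never removed is listed as residual, and the browser
'Replaced' lines are extracted so the start-page hijack and its fix are visible.
"""
import re
from typing import Dict, List, Tuple

# Constructed samples: a subset of the R1 and S1 logs posted in the thread
# (the Funmoods start-page URL is shortened).
R1_SAMPLE = r"""
***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Key Found : HKCU\Software\Qwiklinx
Key Found : HKCU\Software\Zugo
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\QwiklinxBHO
Key Found : HKLM\SOFTWARE\Classes\QwiklinxBHO.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Found : HKLM\Software\Tarma Installer
Key Found : HKU\S-1-5-21-776561741-706699826-1801674531-1003\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1
"""

S1_SAMPLE = r"""
***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\funmoods-speeddial.crx
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Program Files\Qwiklinx

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Qwiklinx
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1 --> hxxp://www.google.com
"""

ENTRY_RE = re.compile(r"^(Key|Value|File|Folder) (Found|Deleted) : (.+?)\s*$", re.M)
REPLACED_RE = re.compile(r"^Replaced : \[(.+?)\] = (\S+) --> (\S+)", re.M)
# The logged-on user's HKU\<SID> subtree is the same data HKCU points at.
# Assumption: one interactive user (true for this machine, not in general).
USER_SID_RE = re.compile(r"^hku\\s-1-5-21-[0-9-]+\\")


def normalize(item: str) -> str:
    """Registry paths are case-insensitive and AdwCleaner mixes 'Software'/'SOFTWARE';
    fold case and map the user's HKU\\<SID>\\ prefix onto HKCU\\ before comparing."""
    return USER_SID_RE.sub(r"hkcu\\", item.lower())


def parse_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, action, item) for every 'Key/Value/File/Folder Found|Deleted' line."""
    return [(kind, action, item) for kind, action, item in ENTRY_RE.findall(text)]


def residual_items(scan_log: str, delete_log: str) -> List[Tuple[str, str]]:
    """Items reported Found in the scan log with no matching Deleted line of the same kind."""
    deleted = {(kind, normalize(item))
               for kind, action, item in parse_entries(delete_log) if action == "Deleted"}
    return [(kind, item) for kind, action, item in parse_entries(scan_log)
            if action == "Found" and (kind, normalize(item)) not in deleted]


def browser_replacements(delete_log: str) -> List[Dict[str, str]]:
    """The 'Replaced : [setting] = old --> new' lines, e.g. the IE start-page fix."""
    return [{"setting": setting, "old": old, "new": new}
            for setting, old, new in REPLACED_RE.findall(delete_log)]


if __name__ == "__main__":
    for kind, item in residual_items(R1_SAMPLE, S1_SAMPLE):
        print(f"not in delete log: {kind} {item}")
    for r in browser_replacements(S1_SAMPLE):
        print(f"{r['setting']}: {r['old']} -> {r['new']}")
```

On the sample it reports five residual registry keys (the second Ext\Stats CLSID, Zugo, both QwiklinxBHO ProgIDs and the Tarma Installer key) and one replacement, the Funmoods start page swapped for Google. The Tarma Installer folder deletion does not cancel the Tarma Installer key, because a Folder and a Key are compared as different kinds; that is deliberate, since a leftover key with its folder gone is exactly what a follow-up scan should look at.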
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.


Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
Only other issue is IE seems very slow and laggy. There seems to be a lot of processes running in Task Manager as well.

C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0094980.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0094986.dll probably a variant of Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0094989.dll probably a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0094994.dll probably a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0095000.dll a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP622\A0095012.DLL probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP623\A0095057.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095720.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095721.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095722.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095723.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095724.dll Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP652\A0095726.exe Win32/Toolbar.Funmoods application cleaned by deleting - quarantined
C:\System Volume Information\_restore{8F860BDE-8F90-465B-AB74-C07C6746C7C9}\RP653\A0095817.dll Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
 
Even though MSE was installed I was getting a warning from Security Center that there was no antivirus. I was also getting a popup for an Adobe Reader update. While waiting for your response I went ahead and uninstalled and re-installed MSE and installed the Adobe Reader update. This fixed the issue with Security Center reporting no AV. This is the only thing I have done that strayed from your instructions.
 
Hi! Your logs appear to be clean. If there are no more issues, then we shall finish up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Internet Explorer still seems very slow. Even returning to this page to post replies it is very sluggish. The page loads initially very quickly. Then there is a long delay before I can scroll down on the page. This happens on all web pages. Perhaps it is the nature of the beast on an older machine with 1GB RAM, Windows XP and IE8. Other than that the machine seems fine.

Results of screen317's Security Check version 0.99.50
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
Java(TM) 6 Update 29
Java version out of Date!
Adobe Reader X (10.1.4)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 1%
````````````````````End of Log``````````````````````
 
XP and IE8 don't mix, by the way. I think Internet Explorer 7 was a stretch for XP. Version 8...even worse!

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems


Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Any other questions before I mark this topic solved?
 
Thanks DMJ. You guys are a real asset. I agree completely on IE8 and XP. Do you have a recommendation for a better browser to use on XP? I have also had issues with Firefox being slow on XP lately. From what little research I have done it appears to be a Java issue that slows Firefox down. Thanks again for all your help!! Mark this one solved. I have looked and I don't see a way to give you (+)Karma or something similar. I owe Broni the same for helping me last time.

Matt
 
To be honest Google Chrome, Avant, or Maxthon. All three are easygoing browsers. Maxthon might be a bit much at times, but overall, they are good browsers for XP.
 