Funmoods - How do I get rid of this?

kona

Member
I don't know how this Search Engine directed software got onto my pc but it's driving me crazy. I've searched online to find out how to get rid of it but it looks so complicated that I've given up. One site said don't try it unless you know what you're doing because you can damage your OS. Okay....that brings me here. What do you good folks suggest?

Thoughts?

Gary
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
It's not that complicated. Just remove it from Add/Remove Programs (XP) or Programs and Features (Vista/7/8).

Then follow these instructions:

Please download AdwCleaner by Xplode onto your Desktop.

•Please close all open programs and internet browsers.
•Double click on adwcleaner.exe to run the tool.
•Click on Delete.
•Confirm each time with OK
•Your computer will be rebooted automatically. A text file will open after the restart.
•Please post the content of that logfile in your reply.
•You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
 

kona

Member
Thanks Voyager. I did look for the program in my Control Panel Add / Remove Files and it, Funmoods, was not there. I will download Adwcleaner and follow the steps you suggested.

Gary
 

kona

Member
Voyager:
Before I answered your post a few minutes ago....I had launched Malwarebytes and it did find 22 items. When the scan finished I looked at what had been found and all 22 items were Funmoods. I selected and removed all of them. I'm going to reboot now and see if that solved the problem.
This is the log from Malwarebytes:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.08.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Gary :: GARY-D2CD6F4C18 [administrator]

Protection: Enabled

6/8/2013 10:19:35 AM
mbam-log-2013-06-08 (10-19-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 292872
Time elapsed: 30 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 16
HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Funmoods (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs|Tabs (PUP.FunMoods) -> Data: http://searchfunmoods.com/?f=2&a=do...tAtDyBtN1L2XzutBtFtBtFtDtFtAyEyE&cr=641526143 -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.FunMoods) -> Bad: (http://searchfunmoods.com/?f=1&a=do...tAtDyBtN1L2XzutBtFtBtFtDtFtAyEyE&cr=641526143) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gary\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gary\Local Settings\Application Data\funmoods-speeddial_sf.crx (PUP.FunMoods) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage (PUP.FunMoods) -> Quarantined and deleted successfully.

(end)
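The count of 22 in the log above matters less than the paths: Funmoods registered a COM class, TypeLib and ProgID, added itself as an IE search scope under both HKCU and HKLM, dropped add-on records under Ext\Settings and Ext\Stats, an ElevationPolicy entry so it runs outside IE Protected Mode, force-install keys for two Chrome extensions with their .crx packages, and rewrote the IE Start Page and about:Tabs URL to point at searchfunmoods.com. The Python below is an added example for this thread, not Malwarebytes code and not posted by anyone here. It parses detection lines in the MBAM 1.x log format, groups them by the persistence mechanism the path implies, collects the hosts the browser was redirected to, and checks each section's declared count against the lines actually present (a mismatch means a log was cut down before posting). The sample log is constructed from a subset of the lines in the post, with the per-section counts reduced to match that subset; the mechanism labels are the example's own.

```python
"""Triage a Malwarebytes Anti-Malware 1.x log by persistence mechanism.

Added example for this thread: not Malwarebytes code, not from any post.
Detection lines look like "<path> (<family>) -> <action>"; value and
data-item lines carry the hijacked URL in between.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample: a subset of the lines posted in the thread, with the
# per-section counts reduced to match this subset.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
Registry Keys Detected: 8
HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Funmoods (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs|Tabs (PUP.FunMoods) -> Data: http://searchfunmoods.com/?f=2&a=do...tAtDyBtN1L2XzutBtFtBtFtDtFtAyEyE&cr=641526143 -> Quarantined and deleted successfully.
Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.FunMoods) -> Bad: (http://searchfunmoods.com/?f=1&a=do...tAtDyBtN1L2XzutBtFtBtFtDtFtAyEyE&cr=641526143) Good: (http://www.google.com) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gary\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
"""

DETECTION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[A-Za-z][A-Za-z0-9.]*)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Data: (?P<url>\S+) -> (?P<action>.+)$")
REPAIR_RE = re.compile(r"^Bad: \((?P<url>[^)]+)\) Good: \([^)]+\) -> (?P<action>.+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# (label, pattern) checked in order; first hit wins, "other" if none match.
# The labels are this example's own names for the hook points seen in the log.
MECHANISMS = [(label, re.compile(pat, re.I)) for label, pat in [
    ("IE search provider (SearchScopes)", r"\\Internet Explorer\\SearchScopes\\"),
    ("IE start page / about: URL", r"\\Internet Explorer\\(Main\|Start Page|AboutURLs)"),
    ("IE protected-mode elevation policy", r"\\Low Rights\\ElevationPolicy\\"),
    ("IE add-on record (Ext Settings/Stats)", r"\\CurrentVersion\\Ext\\(Settings|Stats)\\"),
    ("Chrome extension force-install key", r"\\Google\\Chrome\\Extensions\\[a-p]{32}$"),
    ("Chrome extension package (.crx)", r"\.crx$"),
    ("Chrome extension local storage", r"chrome-extension_[a-p]{32}_\d+\.localstorage$"),
    ("COM class / type library registration", r"^HKCR\\(CLSID|TypeLib)\\\{"),
    ("Vendor settings key", r"^HK(CU|LM)\\SOFTWARE\\[^\\]+$"),
]]

@dataclass
class Detection:
    path: str
    family: str
    mechanism: str
    action: str
    url: Optional[str] = None  # hijack target on value / data-item lines

def classify(path: str) -> str:
    for label, pattern in MECHANISMS:
        if pattern.search(path):
            return label
    return "other"

def parse_detections(text: str) -> List[Detection]:
    found = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue
        path, family, rest = m.group("path", "family", "rest")
        r = DATA_RE.match(rest) or REPAIR_RE.match(rest)
        url, action = (r.group("url"), r.group("action")) if r else (None, rest)
        found.append(Detection(path, family, classify(path), action.rstrip("."), url))
    return found

def section_counts(text: str) -> dict:
    """Declared count per section vs. detection lines actually under it;
    a mismatch means the log was truncated or edited before it was posted."""
    counts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        s = SECTION_RE.match(line)
        if s:
            current = s.group("section")
            counts[current] = {"declared": int(s.group("count")), "seen": 0}
        elif current and DETECTION_RE.match(line):
            counts[current]["seen"] += 1
    return counts

def by_mechanism(detections: List[Detection]) -> Counter:
    return Counter(d.mechanism for d in detections)

def hijack_hosts(detections: List[Detection]) -> set:
    """Hosts the PUP pointed IE at (start page, about: URLs, search data)."""
    return {urlsplit(d.url).hostname for d in detections if d.url}
```

Run `by_mechanism(parse_detections(open("mbam-log.txt").read()))` against a full log to get the breakdown; anything that lands in "other" is a hook point the table above does not know yet and is worth reading by hand. Note that MBAM varies the case of the family tag (PUP.Funmoods versus PUP.FunMoods), so lower-case it before counting families.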
 

kona

Member
Okay - Funmoods seems to be gone. But, when I'm on the desktop where the problem was occurring in the first place (my daughter's desktop on my PC) I can't open a separate (second or third.... browser tab). I can open the IE browser (it's very slow on her desktop location on my pc but fast when I go onto mine) but when I try to open a second or subsequent tab I get a 'cancelled' message.
Is there a setting somewhere in the tools/options tab within IE that I have to enable??

Gary
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
Let's try resetting Internet Explorer.

Go to All Programs>Accessories>System Tools>Internet Explorer (No Add-ons)

Once IE is running, click the gear and go into Internet Options. Go to the far right tab (Advanced) then choose "Reset". That resets IE back to defaults. See if it behaves then.
 

kona

Member
Voyager
I did what you asked.
Still - though - when I have a page open....such as this one right now.....and I click on the tab to the right of the open browser name (Computer Forum = Reply to Topic) to try to open a second browser page I get a message saying "Navigation Cancelled".

Gary
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
Let's get John's attention. Maybe he can help out a little more.
 

kona

Member
As an aside:
Who the hell is putting together Funmoods software - does anyone here know? I'd like to talk to him/her/them. What is going on some people's lives that they have to do this? Just saying..........

Gary
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
It usually comes in as a 3rd party add-on when you install some software through other installers.
 

johnb35

Administrator
Staff member
So everything works correctly on your login but not your daughter's? It sounds like you share a computer and have different logins, is that correct? Also, did you run AdwCleaner from her login or yours?

If so, then it sounds like she may have something going on with her account. We can try doing a deeper scan with combofix or you can try just creating a new account for her and transferring data over.

If you would like to run combofix, do the following.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here :

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

    cf-icon.jpg
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    cf-preparing.jpg

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    erunt.jpg

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    recovery-console-prompt.jpg

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    still-scanning-clockchanges.jpg

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.

If for some reason you try to run a program or open a file and you get an error message saying "illegal operation attempted on a registry key that has been marked for deletion", please just reboot your pc and you'll be fine.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 

kona

Member
John - nice to chat with you again........but it's always when I have a problem...I do appreciate it.

Here are the results of the ComboFix and HijackThis scans..

Oops - it looks like I can't post the ComboFix log - it's 19.7kb and I don't have room for it. How do I delete my other attachments to make room?

ComboFix 13-06-08.02 - Gary 06/08/2013 22:03:05.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2220 [GMT -7:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gary\Application Data\OneTab\OnETab.dll
c:\documents and settings\Gary\Application Data\PriceGong
c:\documents and settings\Gary\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Gary\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Rosemary\Application Data\PriceGong
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\2256.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Rosemary\Application Data\PriceGong\Data\z.txt
c:\windows\system32\PowerToyReadme.htm
c:\windows\tmp
c:\windows\tmp\dd_vcredistMSI0A02.txt
c:\windows\tmp\dd_vcredistMSI2790.txt
c:\windows\tmp\dd_vcredistUI0A02.txt
c:\windows\tmp\dd_vcredistUI2790.txt
c:\windows\tmp\qtsingleapp-koboex-f4a6-0-lockfile
.
.
((((((((((((((((((((((((( Files Created from 2013-05-09 to 2013-06-09 )))))))))))))))))))))))))))))))
.
.
2013-06-09 04:48 . 2013-06-09 04:48 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{85828CDA-4323-4A4C-8822-A7EE540DF37A}\MpKsl16751333.sys
2013-06-08 19:46 . 2013-06-08 19:46 -------- d-sh--w- c:\documents and settings\ALLISON\IECompatCache
2013-06-08 15:06 . 2013-05-13 06:19 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{85828CDA-4323-4A4C-8822-A7EE540DF37A}\mpengine.dll
2013-06-06 18:38 . 2013-05-13 06:19 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-31 00:46 . 2013-05-31 00:55 -------- d-----w- c:\documents and settings\Rosemary\Application Data\vlc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-15 04:02 . 2012-11-02 19:53 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-15 04:02 . 2012-11-02 19:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-02 15:28 . 2012-11-02 21:08 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-16 22:17 . 2008-04-14 12:42 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2008-04-14 12:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-04-16 22:17 . 2008-04-14 12:41 43520 ------w- c:\windows\system32\licmgr10.dll
2013-04-12 23:28 . 2008-04-14 07:07 385024 ------w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2008-04-14 08:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 21:50 . 2012-11-02 19:59 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-04 12:35 . 2013-04-26 15:27 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-16 20:11 . 2013-01-25 03:35 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7473b6bd-4691-4744-a82b-7854eb3d70b6}"= "c:\program files\uTorrentControl_v2\prxtbuTo1.dll" [2013-05-20 231712]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
2013-05-20 09:21 231712 ----a-w- c:\program files\uTorrentControl_v2\prxtbuTo1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7473b6bd-4691-4744-a82b-7854eb3d70b6}"= "c:\program files\uTorrentControl_v2\prxtbuTo1.dll" [2013-05-20 231712]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7473B6BD-4691-4744-A82B-7854EB3D70B6}"= "c:\program files\uTorrentControl_v2\prxtbuTo1.dll" [2013-05-20 231712]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2009-01-12 2908160]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-11-05 39408]
"Facebook Update"="c:\documents and settings\Gary\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2013-03-01 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2009-01-17 90112]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-12-22 295072]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Gary\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/2/2012 5:46 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/2/2012 5:46 PM 361032]
R1 MpKsl16751333;MpKsl16751333;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{85828CDA-4323-4A4C-8822-A7EE540DF37A}\MpKsl16751333.sys [6/8/2013 9:48 PM 29904]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/2/2012 5:46 PM 21256]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/2/2012 12:59 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/2/2012 12:59 PM 701512]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [11/29/2012 9:31 PM 38608]
R2 WajamUpdater;WajamUpdater;c:\program files\Wajam\Updater\WajamUpdater.exe [10/5/2012 8:08 AM 109064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/2/2012 12:59 PM 22856]
R3 WFLR6654;WinFast TV2000 XP Expert (FM1236MK3);c:\windows\system32\drivers\wfeaglxt.sys [11/2/2012 2:48 PM 433792]
S1 ccmrssud;ccmrssud;\??\c:\windows\system32\drivers\ccmrssud.sys --> c:\windows\system32\drivers\ccmrssud.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/8/2013 1:55 PM 161536]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL16751333
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-02 04:02]
.
2013-06-09 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-11-03 22:50]
.
2013-06-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-515967899-2147271927-682003330-1004Core.job
- c:\documents and settings\Gary\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-03-01 02:00]
.
2013-06-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-515967899-2147271927-682003330-1004UA.job
- c:\documents and settings\Gary\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-03-01 02:00]
.
2013-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-05 06:38]
.
2013-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-05 06:38]
.
2013-06-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 19:11]
.
2013-06-01 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-515967899-2147271927-682003330-1004.job
- c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2012-11-30 04:33]
.
2013-06-08 c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-515967899-2147271927-682003330-1004.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2012-11-30 04:31]
.
2013-06-08 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-515967899-2147271927-682003330-1004.job
- c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2012-11-30 04:31]
.
2013-06-09 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-515967899-2147271927-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-06-08 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-515967899-2147271927-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-06-09 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-515967899-2147271927-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-06-08 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-515967899-2147271927-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-06-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-2147271927-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-06-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-2147271927-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 23:30]
.
2013-06-09 c:\windows\Tasks\User_Feed_Synchronization-{A6CE507B-BB34-4002-8EE5-A5F6775BB409}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.ca/
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 64.59.160.15 64.59.161.69
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files\TurboTax 2012\ic2012pp.dll
FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\tptxpxqc.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxps://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=100000027&locale=en_US&apn_uid=6F579782-BC02-4951-AFCE-CBF7554E1973&apn_ptnrs=%5EU3&apn_sauid=612EB5E6-CD7E-4124-A850-B85297077307&apn_dtid=%5EOSJ000%5EYY%5ECA&&q=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
HKLM-Run-NWEReboot - (no file)
AddRemove-RealPlayer 16.0 - c:\program files\real\realplayer\Update\r1puninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-08 22:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.


Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 9:45:14 PM, on 6/8/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

FIREFOX: 18.0.1 (en-US)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Google\Update\1.3.21.145\GoogleCrashHandler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Wajam\Updater\WajamUpdater.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\FRWCUVW6\HijackThis[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
R3 - URLSearchHook: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTo1.dll
O2 - BHO: OneTab Add-on - {16ADEA98-D215-4F51-80AF-5E5ED660B9C0} - C:\Documents and Settings\Gary\Application Data\OneTab\OneTab.dll
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
O2 - BHO: uTorrentControl_v2 - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTo1.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Wajam IE BHO - {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - C:\Program Files\Wajam\IE\priam_bho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTo1.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Facebook Update] "C:\Documents and Settings\Gary\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKUS\S-1-5-21-515967899-2147271927-682003330-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Rosemary')
O4 - HKUS\S-1-5-21-515967899-2147271927-682003330-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Rosemary')
O4 - HKUS\S-1-5-21-515967899-2147271927-682003330-1007\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Rosemary')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1351879282989
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1351891621265
O18 - Protocol: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files\TurboTax 2012\ic2012pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: RealNetworks Downloader Resolver Service - Unknown owner - C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WajamUpdater - Wajam - C:\Program Files\Wajam\Updater\WajamUpdater.exe

--
End of file - 11743 bytes

johnb35

Administrator
Staff member
Please don't attach your logs to your post, just include them in your reply as they are easier to do when included in the reply.

OK, since you haven't run adware cleaner yet, please do so now on her account login.

Please download AdwCleaner by Xplode onto your Desktop.
•Please close all open programs and internet browsers.
•Double click on adwcleaner.exe to run the tool.
•Click on Delete.
•Confirm each time with OK
•Your computer will be rebooted automatically. A text file will open after the restart.
•Please post the content of that logfile in your reply.
•You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
The first thing I saw was that you have 2 antivirus programs installed.

Avast
Microsoft Security Essentials

You need to uninstall one of them as you can't have 2 antivirus programs installed at the same time. It's up to you which one you keep, but you must uninstall one of them.

Looks like you ran the hijackthis scan before running combofix, so please do the following and post a new hijackthis log after running combofix. Also, hijackthis must be run from its own program folder; you ran it from a temp file. Please redownload it from here http://www.filehippo.com/download_hijackthis/download/977401f430f892662f302243ff61e113/ and install the program and run it from the desktop icon.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Driver::

ccmrssud

File::

c:\windows\system32\drivers\ccmrssud.sys
c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-515967899-2147271927-682003330-1004Core.job
c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-515967899-2147271927-682003330-1004UA.job
c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-515967899-2147271927-682003330-1004.job
c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-515967899-2147271927-682003330-1004.job
c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-515967899-2147271927-682003330-1004.job
c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-515967899-2147271927-682003330-1004.job
c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-515967899-2147271927-682003330-1007.job
c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-515967899-2147271927-682003330-1004.job
c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-515967899-2147271927-682003330-1007.job
c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-2147271927-682003330-1004.job
c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-2147271927-682003330-1004.job


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[Screenshot: CFScript-1.gif]

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


After all that is run, I need you to post a log that combofix creates but doesn't show you. Navigate to C:\Qoobox and in that folder will be a file named add-remove programs.txt. Open that file and copy and paste the contents back here.


So I will need the following logs when you return.

1. adware cleaner
2. combofix
3. hijackthis
4. add-remove programs list
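As an added example (not code from the thread, nor from HijackThis or ComboFix), here is a small Python triage pass over HijackThis log lines in the shape posted above: it flags hooks registered with no backing file, binaries loaded from a user profile or temp folder, services with an unknown owner, and more than one real-time antivirus engine, which are the points johnb35 raised when reading the log by eye. The sample log, the path hints and the antivirus process map are assumptions constructed for this example.

```python
import re

# Added example, not the thread's own tooling: a triage pass over HijackThis 2.x log lines
# that surfaces mechanically what the helper in this thread flagged by eye.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"()\r\n]+?\.(?:exe|dll|sys))", re.IGNORECASE)
# Locations a BHO, toolbar or tool should not normally be loading from (assumed list).
USER_PATH_HINTS = ("\\documents and settings\\", "\\temporary internet files\\",
                   "\\application data\\", "\\temp\\")
# Real-time antivirus engine processes (assumed map); two at once is what the helper objected to.
AV_ENGINES = {"avastsvc.exe": "avast!", "msmpeng.exe": "Microsoft Security Essentials"}

# Constructed sample in the shape of the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\FRWCUVW6\HijackThis[1].exe

R3 - URLSearchHook: (no name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
O2 - BHO: OneTab Add-on - {16ADEA98-D215-4F51-80AF-5E5ED660B9C0} - C:\Documents and Settings\Gary\Application Data\OneTab\OneTab.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
"""

def triage(log_text):
    """Return findings keyed by category; each value is a list of offending log lines."""
    findings = {"orphaned": [], "loaded_from_user_profile": [],
                "unknown_owner_services": [], "antivirus_engines": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m is None:
            # Not an R/O entry: a bare path is a line from the "Running processes:" section.
            if PATH_RE.match(line):
                exe = line.rsplit("\\", 1)[-1].lower()
                if exe in AV_ENGINES and AV_ENGINES[exe] not in findings["antivirus_engines"]:
                    findings["antivirus_engines"].append(AV_ENGINES[exe])
                if any(h in line.lower() for h in USER_PATH_HINTS):
                    findings["loaded_from_user_profile"].append(line)
            continue
        section, body = m.groups()
        if "(no file)" in body:  # hook or BHO still registered, but its DLL is gone
            findings["orphaned"].append(line)
        if section == "O23" and "Unknown owner" in body:
            findings["unknown_owner_services"].append(line)
        if any(h in p.lower() for p in PATH_RE.findall(body) for h in USER_PATH_HINTS):
            findings["loaded_from_user_profile"].append(line)
    return findings
```

Calling `triage(SAMPLE_LOG)` returns the four hit lists; a hit is a prompt to look closer, not a verdict, since a vendor plugin under Application Data can be perfectly legitimate.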