'funmoods' taken over browser

Hello, I think my laptop is infected. I have worked through your instructions and have done the scans as best I can. Please could someone look at them for me?

Problems started [I think] when I downloaded VLC player and something called 'funmoods' installed itself and a tool bar which took over my browser [FireFox]. I had unticked the boxes to say I did not want to install it.

I uninstalled it using Revo Uninstaller on advanced settings, but it was still there.

I ran AVG including rootkits but it found nothing.

It has taken over my browser and become the default even though I have tried a few times to reset igoogle as my default.

I worked through 'redirection problems' but I'm sorry that I made a mistake with TDS killer. It found 3 suspicious objects 2 of which I copied to quarantine by mistake. They were 'athr' and 'UI Assistant Service.' It also found Realtek87B which I skipped.

I then worked through Run & Read Me First. I had problems with HitmanPro. It worked through and found 4 malcious software but at the end it said trial licence as not active and so I had no 'ignore' button to press or the 'export scan results to XML file' option. I think they were all 'hj' files. I could see no way forward to thought I should start again and rescan, which I did but it found nothing this time. I am sorry I obviously messed this up!

The logs I asked to be saved to my desktop did not appear there but I found them by going through Windows Explorer to desktop there.

I am not aware of anything else at the minute.

I hope I have managed the other scans OK. I have attached them and would really appreciate your advice.

I will attach 4 logs here and put the others on another thread.

Thanks very much, Jan

 

Here are the other logs.

Thanks in advance, appreciate your help.

Jan

 

Hello Jan

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

Thanks for a speed reply.

Here are the scan results.

Jan

 

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyDzyzz0BtD0AyB0DtDzytN0D0Tzu0CtCzzyCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1089152610
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyDzyzz0BtD0AyB0DtDzytN0D0Tzu0CtCzzyCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1089152610
IE - HKU\S-1-5-21-1056451159-3155794725-1610596075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = http://mystart.incredimail.com/
IE - HKU\S-1-5-21-1056451159-3155794725-1610596075-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyDzyzz0BtD0AyB0DtDzytN0D0Tzu0CtCzzyCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1089152610
IE - HKU\S-1-5-21-1056451159-3155794725-1610596075-1000\..\SearchScopes,Backup.Old.DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
IE - HKU\S-1-5-21-1056451159-3155794725-1610596075-1000\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
IE - HKU\S-1-5-21-1056451159-3155794725-1610596075-1000\..\SearchScopes\{4BC2625D-78F0-B54D-D0A5-06CB9D045628}: "URL" = http://mystart.incredimail.com/?search={searchTerms}&loc=search_box_fs
IE - HKU\S-1-5-21-1056451159-3155794725-1610596075-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyDzyzz0BtD0AyB0DtDzytN0D0Tzu0CtCzzyCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1089152610
FF - prefs.js..backup.old.browser.search.defaultenginename: "MyStart Search"
FF - prefs.js..backup.old.browser.search.selectedEngine: "MyStart Search"
FF - prefs.js..keyword.URL: "http://mystart.incredimail.com/?loc=ff_address_bar_fs&search="
[2012/07/04 20:23:14 | 000,000,000 | ---D | M] (Funmoods.com) -- C:\Users\Asus\AppData\Roaming\Mozilla\Firefox\Profiles\rh0c2sll.default\extensions\ffxtlbr@funmoods.com
[2012/06/15 20:21:56 | 000,002,030 | ---- | M] () -- C:\Users\Asus\AppData\Roaming\Mozilla\Firefox\Profiles\rh0c2sll.default\searchplugins\MyStart Search.xml
[2012/07/04 20:16:32 | 000,384,844 | ---- | C] () -- C:\Users\Asus\AppData\Local\funmoods-speeddial.crx
[2012/07/04 20:16:31 | 000,031,465 | ---- | C] () -- C:\Users\Asus\AppData\Local\funmoods.crx
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:0B4227B4
[COLOR="DarkRed"]:files[/COLOR]
C:\Program Files\Funmoods
[COLOR="DarkRed"]:reg[/COLOR]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4BC2625D-78F0-B54D-D0A5-06CB9D045628}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
[COLOR="DarkRed"]:commands[/COLOR]
[reboot]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

 

Done that, here is the log

Jan

 

Are you still having trouble with Funmoods?

 

Hi, I think 'Funmoods' may have gone now. I can open igoogle as my homepage again. Not sure what else it was affecting to check any other things.

Jan

 

Are you having any other malware related issues?

__

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• If we had you download and run ComboFix, here is how to uninstall it:
  • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
  • Now press ENTER
  • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe

 

Hello, my apologies for the delay in replying.
I thought that my notebook was behaing normally again, so started to work through your 'final steps'. I re-enabled Disk Emulation, removed MG and enabled system restore with no problems. Next I did windows updates. I knew some updates had failed recently but assumed this was due to the malware problems I was having. This time all the updates but one installed no problem. Windows 7 Service Pack 1 failed again, so I downloaded it from the windows site and installed it that way instead. Following this I started having lots of problems.
At first the notebook just would not boot up so I kept trying and eventually it did boot. I cannot remember exactly what the problems were that I was having, but I knew I needed to do a system restore to before installing SP1.
I tried to restore but got a message to say it was unable to restore with 'error 0x8000ffff'. Another message said 'a patch stopped laptop working'.
Eventually I managed to do a restore [although it again said it was unable to restore, it actually DID restore!].
I then tried to use my T-Mobile mobile broadband dongle but it would not and still will not open. The message is 'microsoft visual C++ runtime library. Runtime error Program C:...... This application has requested the runtime to terminate it in an unusual way'.
Then 'UIMain.exe has stopped working'
Can you help me with these problems please?
Many thanks, Jan

 

Sorry, but I forgot to add that I am unable to do a system restore at all now.
I get an error message to say "system restore does not appear to be functioning correctly on this system. A volume shadow copy service component encountered an unexpected error. Check the application event log for more information (0x800042302).
Jan

 

http://img97.imageshack.us/img97/8120/fss.gif Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure all the options are checked
• Press Scan.
• It will create a log (FSS.txt) in the same directory the tool was run.
• Please attach FSS.txt to your next message. (How to attach)

__

http://img706.imageshack.us/img706/3941/minitoolbox.gif Please download MiniToolBox and save it to your desktop and run it.

Checkmark following checkboxes:

• List Devices -> All
• List last 10 Event Viewer log

Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.

 

Thanks for such a quick reply.
I have attached both logs.
Jan

 

I think this is where you encountered problems. You don't need to bother with system restore at all prior to installing SP1.

Anyways, since it does not appear that SP1 is installed, try downloading and installing this: System Update Readiness Tool for Windows 7

__

Let me know if this was successful or not first and if not, give me the exact error message you received.

 

sorry, maybe I said that wrong! What I meant was that I was having problems so knew that I would have to do a system restore back to BEFORE I installed SP1.
I will download the tool you recommend now.
Thanks, Jan

 

The System Update Readiness Tool for Windows 7 seems to have downloaded OK. Do you want me to run it now? Are there any special instructions?
Thanks, Jan

 

Yes. Right-mouse click => Run as administrator

 

Hi, I saved it to my desktop last night and have now just tried to run it for the first time, but it came up with an error message
"intaller encounterd an error 0x80040154 class not registered"

I am using a BTOpenzone signal at the moment and although I found the signal and connected to it immediately, it took my notebook 45 mins to actually get to the log-in screen this morning. I closed Skype which seemed to help. Is this just because I only have 1GB of memory? It has always been slow but never this bad!

Thanks Jan

 

There seems to be many Windows problems not relating to malware.

Try the following:

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to the Step 2 tab and press the Do it button
• Your computer should reboot and perform a chkdsk
• Once you are back in Windows, reopen Repair_Windows.exe
• Now go to Step 3 and press the Do it button
• Be patient as this process completes as well, reboot when it is finished.
• Once you are back in Windows, reopen Repair_Windows.exe
• Go to the Start Repairs tab.
• Press the Start button
• Create a System Restore point if prompted.
• In the Repair Options window, choose the following repairs:
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair MDAC/MS Jet
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Remove Temp Files
  • Repair Windows Updates
  • Set Windows Services To Default Startup
  • Repair MSI (Windows Installer)
• Place a checkmark in Restart/Shutdown System When Finished
• Fill in the Restart System bubble
• Now click the Start button.
• Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

__

After all of the above has been completed, retry running the Readiness Tool

 

Hi, I have done as requested.
For the Readiness Tool, on right click there was no option to "run as administrator" so I just opened and ran it as normal.
It asked me to install "Hotfix for Windows KB947821" which I have done.
What do I need to do next please?
Jan

 

Now download and run windows6.1-KB976932-X86.exe

__

This Windows 7 Service Pack 1 standalone installer compatible with your system. Let me know exactly what error message you receive, if any upon trying to run/install it.

 

If it happens to fail, don't run System Restore on your own. The installer however may want to rollback to SP0 if SP1 fails (allow it to do so). Just let me know which error message you received.

 

Hello again, not successful I'm afraid. I will try to explain exactly what happened. :cry
I ran W 6.1 KB976932x86.exe which prepared , installed and configured normally, but when the system rebooted it "failed to start" so I ran start up repair as recommended. ( I remember now that this is exactly what happened the last 2 times I tried to install SP1).
Start up repair asked if I wanted to use system restore but I said no because of your instruction If it happens to fail, don't run System Restore on your own.

It attempted repairs but could not repair automatically. This was the error message:-
"Problem Signatures
problem event name start up repair off-line
problem sig 01 6.1.7600.16385
02 6.1.7600.16385
03 unknown
04 34
05 Auto Failover
06 1
07 Bad Patch
OS Version 6.1.7600.2.0.0.256.1
Locale ID 1033"
Again it failed to start and said that a hardware or software change could have caused the problem.
Before resorting to system restore I ran a standard test in Windows memory diagnostics but did not see any result from that.
Icould not find safe mode to try booting from.
The only way to reboot the notebook was to try a system restore otherwise I could not get back to you for help. (system restore showed my time zone as GMT -8.00). I tried to restore to before installing SP1 but it did not restore successfully with an unspecified error of 0x8000ffff.
I then tried to restore to before a critical W update (next on the list). This again said the update was unsuccessful, but booted up as normal!
That is the situation now. I do not know if the last restore actually took me back to before the critical update or not.
I am sorry this is turning into such a problem, but I really do appreciate your help.
Jan

 

On this part I need more details. I understand why the system suggested Startup Repair as a resolution but what I really want to know is what error code you received when trying to boot into Normal Mode.

See example of the information I am seeking

 

Hi, I didn't get a screen like that at all. I got no blue screens.
All it did was apparently start to boot as normal, going through the usual things like going into F2 for start-up and F? for BIOS, but then just had a dialogue box to say something like
"this computer failed start. A recent hardware or software change may have caused a problem"
Then I got the options of
"run start up repair (recommended) or start windows normally"
start windows normally just goes in a loop round back to "computer faild to start"
Start up repair ran but and attempted repairs but said "cannot repair automatically, and gave the PROBLEM SIGNATURES I gave in my last post.
At no time have I had a blue screen.
I tried to take some pictures of some screens, but the pics would not attach to the post.
Sorry I have no more information.
Jan

 

Here is a tutorial on how to stop that reboot loop so you can see the bluescreen: Disable Automatic Restart From the Advanced Boot Options Menu in Windows 7
Note: There are multiple pages here.
http://0.tqn.com/d/pcsupport/1/5/z/7/-/-/disable-automatic-restart-system-failure-02.jpg

 

Hello, I did exactly as you said and followed the instructions, but the laptop just booted up normally and there was no blue screen. Sorry.
What do I do next please?
Jan

 

Is Service Pack 1 installed?

If not, then retry running windows6.1-KB976932-X86.exe

.. and this time if the system fails to boot up after SP1 installation, let me know which bluescreen you get by using that F8 => Disable automatic restart on system failiure option

 

Hi, once again many thanks for your time and help.

Service Pack 1 is not installed, but I am going away for a few days so will follow your instructions when I get home again.

Does the "disable automatic restart" setting hold or do I have to do it each time I boot? So that I don't mess it up please could you tell me exactly when to do the F8 option? What if I still do not get a blue screen?: :confused

Thanks, Jan

 

Read this: How To Disable the Automatic Restart on System Failure in Windows 7
Follow the Here's How: instructions in that link.

If you follow the instructions in the above link, you shouldn't even need to use the F8 method.

F8 is to be pressed before the Windows logo appears and after the ASUS splash screen (very first screen you see when you turn on the laptop)

 

Hello again, I have now followed the laest instructions. I installed SP1 again and this time did get the blue screen......STOP: 0x0000007B (0x80786B50, 0xC0000034, 0x00000000, 0x00000000)

I tried Start Up Repair which failed.....all tests completed successfully with error codes of 0x0.
Also said "a patch is prventing the system from starting".
System files integrity check & repair result = failed.....error code 0xa.

I tried system restore to before installing SP1 which failed 0x8000ffff.
I kept trying system retores going back one at a time which all failed with errors of 0x8000ffff or 0x800700b7.

After trying 5 different restore points which all failed I tried a restrt and the laptop opened saying system restore WAS successful!.

I do not know exactly which restore point did work.

Hope this will help you to help me.

Jan

 

Hi,

So the laptop boots up now but SP1 still isn't installed right? 0x7b is a pretty generic BSOD but we know now it can be caused from a failed service pack install.

I am honestly out of ideas at this point. You can try the Software forum for additional help. If I think of anything else I will post back.

 

Hi, well thanks very much anyway for all the time and effort you have put into trying to help me. I really do appreciate it.

I don't know if I feel up to starting all over again with the software forum.

Would taking the notebook back to factory settings be an option? Would that just create a fresh start without any of these problems?

Once again thanks very much,

Jan

 

That's an option too but remember that this also removes your documents, pictures, music, videos, etc and restores the computer to the state of when it was first purchased. If you have anything you'd like to save, back it up to another storage device (flash drive, CD/DVDs, external hard drive) before doing a factory reset.

You're welcome. Sorry we couldn't reach a resolution here.