Browser Hijack?

Hello, logs attached since the "Am I still having problems?" question couldn't really be answered for this problem.

I ran the scans as directed and though I itched to remove for some of them, I didn't, as directed and just Ignored.

Problem started - went to CNET's download.com for a file extension renamer, downloaded Extension Renamer, scanned the download with Comodo Internet Security, nothing found so installed. NO warnings during install and no indication from the software installation that it was also installing something called "FunMood" which is apparently a form of browser hijack.

Discovered that real quick when the software was a dud, errored out and didn't perform functions, uninstalled and went back out to see if there was something else, well opening the browser definitely gave me a clue since my homepage was changed as well as my search bar choice.

Came here right away and started. Had trouble with MGTools, had to uninstall Comodo since it WAS the reason. Anyways, any help advice very appreciated - I know it's a holiday and I'm sorry to be bugging anyone.

Thanks for your help

 

Hello SMCSS

http://imageshack.us/a/img841/7292/thisisujrt.gif Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Double-click JRT.exe
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Please attach JRT.txt to your next message. (How to attach)

__

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop.
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  baseservices
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

Hello thisisu,

Thanks for the reply.

Comodo Internet Security Suite was uninstalled earlier due to it preventing MGTools from being downloaded, even when shut down. It has not been reinstalled yet and there are no other antivirus or firewalls installed.

Ran JRT and OTL as directed.

Logs attached.

(What is the OTL Extras file and should I just junk it?)

 

Noted. Thanks for letting me know.

Just some extra information which is mostly covered via MGtools. Yes you can delete it.

__

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
SRV - File not found [Auto | Stopped] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Vsedsvmrt)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\klif.sys -- (TSP)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
DRV - File not found [Kernel | Boot | Stopped] -- system32\ZoneLabs\srescan.sys -- (srescan)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\SBREdrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- L:\Programs\Mozilla Firefox\SABProcEnum.sys -- (SABProcEnum)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Rassm60sscn)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms -- (PCD5SRVC{085326CB-51A3560A-05010003})
DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\ftser2k.sys -- (FTSER2K)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EagleXNt.sys -- (EagleXNt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EagleNT.sys -- (EagleNT)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
DRV - File not found [Kernel | Disabled | Unknown] --  -- (dac2w2k)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS -- (ATIXPGAA)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
IE - HKU\S-1-5-21-3690524133-3388676238-1894572229-1008\..\URLSearchHook: ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - No CLSID value found
IE - HKU\S-1-5-21-3690524133-3388676238-1894572229-1008\..\SearchScopes,DefaultScope = {8EEAC88A-079B-4b2c-80C1-7836F79EB40A}
FF - prefs.js..browser.search.defaultthis.engineName: "Swag Bucks Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}"
[2012/01/09 06:29:35 | 000,000,000 | ---D | M] (Swag Bucks Community Toolbar) -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Firefox\Profiles\9piblfeu.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}
[2012/11/08 02:54:24 | 000,000,000 | ---D | M] (Swag Bucks Community Toolbar) -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Firefox\Profiles\g2mjfgvq.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}
[2012/10/13 14:53:36 | 000,000,000 | ---D | M] ("TimeLineRemove.Com") -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\Firefox\Profiles\g2mjfgvq.default\extensions\jid0-YxzrUsJ0WOiOaU89TngAzLcIs18@jetpack
[2012/11/17 06:42:13 | 000,237,291 | ---- | M] () (No name found) -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\firefox\profiles\g2mjfgvq.default\extensions\jid0-k75TfRGfOXPHfEZmJ9cKu5eCgLc@jetpack.xpi
[2012/11/21 10:37:25 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\mozilla\firefox\profiles\9piblfeu.default\searchplugins\Funmoods.xml
CHR - plugin: Coupons Inc., Coupon Printer Manager  (Disabled) = C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\plugins\npMozCouponPrinter.dll
CHR - plugin: Coupons Inc., Coupon Printer Manager  (Disabled) = L:\Programs\FireFox_10-2011\plugins\npCouponPrinter.dll
[30 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\hppapml0.exe:SummaryInformation
@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:58CF2C8C
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CE2C623F
[COLOR="DarkRed"]:files[/COLOR]
dir /s "C:\Documents and Settings\HP_Administrator\Desktop\cleanfunmoods" /c
dir C:\WINDOWS\System32\*.tmp /c
C:\WINDOWS\pchealth\helpctr\binaries\pchsvc(3).dll
C:\WINDOWS\pchealth\helpctr\binaries\pchsvc(4).dll
C:\WINDOWS\pchealth\helpctr\binaries\pchsvc(5).dll
C:\WINDOWS\pchealth\helpctr\binaries\*.tmp
dir /s C:\WINDOWS\$NtUninstallKB909394$ /c
[COLOR="DarkRed"]:commands[/COLOR]
[createrestorepoint]
[emptyjava]
[emptyflash]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

http://img205.imageshack.us/img205/1894/otl.gif - Perform another Scan with OTL
Post the latest OTL.txt for review

 

Okay then.

Ran OTL as directed. File attached

What in heaven's name was all of that that was removed?

 

:-D

Can you post the newest OTL.txt (Scan log) please?

 

Hi thisisu,

That is the most recent OTL file

http://img27.imageshack.us/img27/7/otl11222012.png

 

Okay, I see this little bit extra there now...

Just open and scan as is?

 

Yes

 

Okay, here's the OTL scan log file

 

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
IE - HKLM\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
FF - prefs.js..browser.search.defaultthis.engineName: "Swag Bucks Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}"
[COLOR="DarkRed"]:reg[/COLOR]
[hkey_local_machine\software\microsoft\internet explorer\searchscopes]
"defaultscope"="{0633ee93-d776-472f-a0ff-e1416b8b2e3a}"
[COLOR="DarkRed"]:commands[/COLOR]
[emptytemp]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

 

Okay, ran the last OTL action - RunFix with your text pasted in.

Was a little surprised to see an entry regarding Apple Safari - where is THAT coming from I wonder....

At any rate, the log is attached.

 

Code:

User: HP_Administrator
->Apple Safari cache emptied: 28301312 bytes

I guess at one point this computer had Safari installed. Maybe wasn't fully uninstalled as cache related folders were detected by OTL.

Is Funmoods still hijacking your browsers? How are things running now?

 

Everything seems fine now, Start Pages and Search Bar choices as they should be.

Computer MUCH speedier as well.

Anything else to do?

 

Glad to hear it

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe

 

[I am unaware of what this is. Did we disable my Disk Emulation software?]

Never mind, I see where that is and I'm not running Disk Emulation software. Will continue with the rest.

 

thisisu,

Okay, everything up and running, reinstalled my Comodo Internet Security and it all seems to be working fine thus far.

Thank you very much for your time and working me through this.

Much appreciated!

 

My pleasure, SMCSS
Regards