BleepingComputer.com: Constant Java Updates and Other Issues

Hello. I am new to this forum, and located it searching for information on how to deal with some constant issues I seem to be having with my Vista OS.

First, every single time I get on my pc, I get an update request for Java. Searching for information, I read that this is some form of trojan, which can not be deleted with normal AV software, such as AVG 2011. I have run scans, and nothing shows up, yet I continue to get these update reqs, along with some other problems.

• Constant Adobe update requests also.
  
• Intermittent pauses where typed words catch up in a few seconds.
  
• Random freezes where a restart has to be performed.
  
• A new quick launch button showing start-up programs that have been blocked.
  
• Scroll feature stops working from mouse roller.

From my readings, I see that Combofix has been used to successfully remove these issues. I also read that Combofix should not be used unless recommended by a helper on a forum. I don;t want to harm things any further than they may be already, so here I am!

Any advice would be greatly appreciated!!

This post has been edited by dasrev: 16 July 2011 - 01:19 AM

ComboFix usage, Questions, Help - Look here - http://www.bleepingcomputer.com/forums/topic273628.html

Louis

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:

• Report IE Proxy Settings
  
• Report FF Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List last 10 Event Viewer log
  
• List Users, Partitions and Memory size

Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

OK, so here is what you asked for, exactly as you stated to do them, and in the same order.

I prefer to have all logs pasted.

Results of screen317's Security Check version 0.99.7
Windows Vista Service Pack 1 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG 2011
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Actual Spy 3.0
Java™ 6 Update 23
Java™ SE Runtime Environment 6
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.3.181.26
Adobe Reader 9.2
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````

=======================================================================

MiniToolBox by Farbar
Ran by Wayne (administrator) on 20-07-2011 at 22:30:05
Windows Vista ™ Home Premium Service Pack 1 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

::1 localhost

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Local Area Connection 2" nexthop=5.0.0.1
set interface interface="Loopback Pseudo-Interface 1" forwarding=disabled advertise=disabled mtu=1400 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection" forwarding=disabled advertise=disabled mtu=1400 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface interface="Wireless Network Connection" forwarding=disabled advertise=disabled mtu=1400 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection 2" forwarding=disabled advertise=disabled metric=9000 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Flurry-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : launchmodem.com

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : launchmodem.com
Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter
Physical Address. . . . . . . . . : 00-1B-FC-D8-D8-27
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::31df:a10e:24fa:4b1b%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.95(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, July 19, 2011 1:43:29 PM
Lease Expires . . . . . . . . . . : Thursday, July 21, 2011 1:43:39 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : launchmodem.com
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-1A-A0-52-46-87
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7907:7092:4823:3127%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.96(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, July 19, 2011 1:43:27 PM
Lease Expires . . . . . . . . . . : Thursday, July 21, 2011 1:43:38 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hamachi Network Interface
Physical Address. . . . . . . . . : 7A-79-14-00-2D-54
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 5.221.193.220(Preferred)
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Lease Obtained. . . . . . . . . . : Tuesday, July 19, 2011 1:43:27 PM
Lease Expires . . . . . . . . . . : Wednesday, July 18, 2012 1:45:43 PM
Default Gateway . . . . . . . . . : 5.0.0.1
DHCP Server . . . . . . . . . . . : 5.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:8e4:2a05:3f57:fe9f(Preferred)
Link-local IPv6 Address . . . . . : fe80::8e4:2a05:3f57:fe9f%8(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : launchmodem.com
Description . . . . . . . . . . . : isatap.launchmodem.com
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{DAA05D88-9183-4B06-8968-936C8A284DD0}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:5dd:c1dc::5dd:c1dc(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: dslrouter
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.47.103
74.125.47.147
74.125.47.105
74.125.47.106
74.125.47.104
74.125.47.99



Pinging google.com [74.125.47.103] with 32 bytes of data:

Reply from 74.125.47.103: bytes=32 time=69ms TTL=49

Reply from 74.125.47.103: bytes=32 time=73ms TTL=49



Ping statistics for 74.125.47.103:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 69ms, Maximum = 73ms, Average = 71ms

Server: dslrouter
Address: 192.168.1.254

Name: yahoo.com
Addresses: 98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=87ms TTL=46

Reply from 209.191.122.70: bytes=32 time=79ms TTL=46



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 79ms, Maximum = 87ms, Average = 83ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
10 ...00 1b fc d8 d8 27 ...... Broadcom 802.11g Network Adapter
9 ...00 1a a0 52 46 87 ...... NVIDIA nForce Networking Controller
14 ...7a 79 14 00 2d 54 ...... Hamachi Network Interface
1 ........................... Software Loopback Interface 1
8 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
13 ...00 00 00 00 00 00 00 e0 isatap.launchmodem.com
15 ...00 00 00 00 00 00 00 e0 isatap.{DAA05D88-9183-4B06-8968-936C8A284DD0}
16 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 5.0.0.1 5.221.193.220 9256
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.96 20
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.95 25
5.0.0.0 255.0.0.0 On-link 5.221.193.220 9256
5.221.193.220 255.255.255.255 On-link 5.221.193.220 9256
5.255.255.255 255.255.255.255 On-link 5.221.193.220 9256
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.96 276
192.168.1.0 255.255.255.0 On-link 192.168.1.95 281
192.168.1.95 255.255.255.255 On-link 192.168.1.95 281
192.168.1.96 255.255.255.255 On-link 192.168.1.96 276
192.168.1.255 255.255.255.255 On-link 192.168.1.96 276
192.168.1.255 255.255.255.255 On-link 192.168.1.95 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 5.221.193.220 9256
224.0.0.0 240.0.0.0 On-link 192.168.1.96 276
224.0.0.0 240.0.0.0 On-link 192.168.1.95 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 5.221.193.220 9256
255.255.255.255 255.255.255.255 On-link 192.168.1.96 276
255.255.255.255 255.255.255.255 On-link 192.168.1.95 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 5.0.0.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 1110 ::/0 2002:c058:6301::c058:6301
1 306 ::1/128 On-link
8 18 2001::/32 On-link
8 266 2001:0:4137:9e76:8e4:2a05:3f57:fe9f/128
On-link
16 1010 2002::/16 On-link
16 266 2002:5dd:c1dc::5dd:c1dc/128
On-link
9 276 fe80::/64 On-link
10 281 fe80::/64 On-link
8 266 fe80::/64 On-link
8 266 fe80::8e4:2a05:3f57:fe9f/128
On-link
10 281 fe80::31df:a10e:24fa:4b1b/128
On-link
9 276 fe80::7907:7092:4823:3127/128
On-link
1 306 ff00::/8 On-link
8 266 ff00::/8 On-link
9 276 ff00::/8 On-link
10 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/18/2011 09:41:52 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\WAYNE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7UNJA6Z8.DEFAULT\CACHE\9> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (07/18/2011 09:41:52 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\WAYNE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7UNJA6Z8.DEFAULT\CACHE\9> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (07/18/2011 09:41:51 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\WAYNE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7UNJA6Z8.DEFAULT\CACHE\8> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (07/18/2011 09:41:51 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\WAYNE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7UNJA6Z8.DEFAULT\CACHE\8> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (07/18/2011 09:41:51 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\WAYNE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7UNJA6Z8.DEFAULT\CACHE\7> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (07/18/2011 09:41:51 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\WAYNE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7UNJA6Z8.DEFAULT\CACHE\7> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (07/18/2011 09:41:50 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\WAYNE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7UNJA6Z8.DEFAULT\CACHE\6> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (07/18/2011 09:41:50 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\WAYNE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7UNJA6Z8.DEFAULT\CACHE\6> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (07/18/2011 09:41:50 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\WAYNE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7UNJA6Z8.DEFAULT\CACHE\5> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (07/18/2011 09:41:50 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\WAYNE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7UNJA6Z8.DEFAULT\CACHE\5> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


System errors:
=============
Error: (07/20/2011 01:45:17 PM) (Source: DCOM) (User: Kirsten)
Description: application-specificLocalActivation{4991D34B-80A1-4291-83B6-3328366B9097}Flurry-PCKirstenS-1-5-21-930290596-2682039525-3923879146-1002LocalHost (Using LRPC)

Error: (07/20/2011 01:45:17 PM) (Source: DCOM) (User: Kirsten)
Description: application-specificLocalActivation{4991D34B-80A1-4291-83B6-3328366B9097}Flurry-PCKirstenS-1-5-21-930290596-2682039525-3923879146-1002LocalHost (Using LRPC)

Error: (07/19/2011 01:44:51 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (07/19/2011 01:43:28 PM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (07/18/2011 09:28:42 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (07/18/2011 09:26:58 PM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (07/18/2011 09:26:48 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 9:24:02 PM on 7/18/2011 was unexpected.

Error: (07/18/2011 09:24:19 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (07/18/2011 09:22:30 PM) (Source: HTTP) (User: )
Description: \Device\Http\ReqQueueKerberos

Error: (07/18/2011 09:22:23 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 9:19:58 PM on 7/18/2011 was unexpected.


Microsoft Office Sessions:
=========================
Error: (10/14/2008 05:41:32 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 11616 seconds with 1920 seconds of active time. This session ended with a crash.

Error: (07/15/2008 10:12:14 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6308.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 127 seconds with 60 seconds of active time. This session ended with a crash.

Error: (01/22/2008 06:03:57 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 4333 seconds with 2280 seconds of active time. This session ended with a crash.

Error: (09/21/2007 00:28:17 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 5305 seconds with 2820 seconds of active time. This session ended with a crash.


========================= Memory info: ===================================

Percentage of memory in use: 81%
Total physical RAM: 957.76 MB
Available physical RAM: 173.23 MB
Total Pagefile: 2180.1 MB
Available Pagefile: 585.21 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.16 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:222.78 GB) (Free:141.77 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.91 GB) NTFS

========================= Users: ========================================

User accounts for \\FLURRY-PC

Administrator Allan Gracie
Guest Ian Kirsten
Tyler Wayne


== End of log ==

=====================================================================

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7217

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19088

7/20/2011 11:03:38 PM
mbam-log-2011-07-20 (23-03-37).txt

Scan type: Quick scan
Objects scanned: 271593
Time elapsed: 25 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 50
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 15
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7138F250-5B72-48DD-ADFB-9A83B429DD9E} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{0923208C-E259-4ED5-A778-CB607DA350AD} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3F0915B8-B238-4C2D-AD1E-60DB1E14D27A} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Srv.CoreServices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Srv.CoreServices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8971CB48-9FCA-445A-BE77-E8E8A4CC9DF7} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{08755390-F46D-4D09-968C-3430166B3189} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{34E29700-0D13-46AA-B9A5-ACE68E21A091} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostOL.MailAnim.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostOL.MailAnim (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{914A8F99-38E4-47ec-B875-2B0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{914A8F99-38E4-47EC-B875-2B0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{B88E4484-3FF6-4EA9-815B-A54FE20D4387} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostOL.WebmailSend.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostOL.WebmailSend (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{CDCA70D8-C6A6-49EE-9BED-7429D6C477A2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8AD9AD05-36BE-4E40-BA62-5422EB0D02FB} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{D136987F-E1C4-4CCC-A220-893DF03EC5DF} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EDDBB5EE-BB64-4bfc-9DBE-E7C85941335B} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1F158A1E-A687-4a11-9679-B3AC64B86A1C} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{54A3F8B7-228E-4ED8-895B-DE832B2C3959} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E313F5DC-CFE7-4568-84A4-C76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CoreSrv.CoreServices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CoreSrv.CoreServices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CoreSrv.LfgAx (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CoreSrv.LfgAx.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HBMain.CommBand (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HBMain.CommBand.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.HbMain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.HbMain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostIE.Bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HostIE.Bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShoppingReport.HbAx (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShoppingReport.HbAx.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShoppingReport.HbInfoBand (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShoppingReport.HbInfoBand.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShoppingReport.IEButton (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShoppingReport.IEButton.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShoppingReport.IEButtonA (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShoppingReport.IEButtonA.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShoppingReport.RprtCtrl (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShoppingReport.RprtCtrl.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\seekmosa (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\HostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\HostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\Seekmo@Seekmo.com (Adware.SeekMo) -> Value: Seekmo@Seekmo.com -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\2aca5cc3-0f83-453d-a079-1076fe1a8b65 (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\programdata\SeekmoSA (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\Users\Wayne\AppData\Roaming\Seekmo (Adware.Seekmo) -> Delete on reboot.
c:\program files\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\Seekmo (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\Seekmo\bin (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\Seekmo\bin\10.0.406.0 (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\shoppingreport (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files\shoppingreport\Bin (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\program files\shoppingreport\Bin\2.5.0 (Adware.ShopperReports) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\privacy center (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\Users\Wayne\AppData\Roaming\microsoft\Windows\start menu\Programs\privacy center (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Seekmo (Adware.Seekmo) -> Quarantined and deleted successfully.

Files Infected:
c:\$Recycle.Bin\s-1-5-21-930290596-2682039525-3923879146-1001\$RFQGRU0.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-930290596-2682039525-3923879146-1001\$RYS8ICF.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-930290596-2682039525-3923879146-1003\$R5VMLZ5.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-930290596-2682039525-3923879146-1003\$R6LKUEF.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-930290596-2682039525-3923879146-1003\$R8APEZQ.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-930290596-2682039525-3923879146-1003\$RFVQGAF.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-930290596-2682039525-3923879146-1003\$RHDKK7G.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-930290596-2682039525-3923879146-1003\$RUDEWOD.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-930290596-2682039525-3923879146-1003\$RXNWYSY.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-930290596-2682039525-3923879146-1003\$RBSAYOD.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\Windows\Temp\tmp0000000132324aa29651ac20 (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\Temp\tmp0000000c07546efa01c56b20 (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Gracie\downloads\popularscreensavers.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Users\Gracie\downloads\xvidsetup(2).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\Users\Gracie\downloads\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\programdata\SeekmoSA\SeekmoSA.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\programdata\SeekmoSA\seekmosaabout.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\programdata\SeekmoSA\seekmosaau.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\programdata\SeekmoSA\seekmosaeula.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\programdata\SeekmoSA\seekmosa_kyf.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Installr\1.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\privacy center\privacy center.lnk (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Seekmo\reset cursor.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\Seekmo\seekmo customer support center.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.

=====================================================================================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-21 00:48:01
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\00000059 ST325082 rev.3.AD
Running: k47k8fjn.exe; Driver: C:\Users\Wayne\AppData\Local\Temp\uxdiipob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9C4917A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9C491848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9C4918E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9C491980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 624 824C4C48 4 Bytes [A0, 17, 49, 9C]
.text ntkrnlpa.exe!KeSetTimerEx + 854 824C4E78 8 Bytes [48, 18, 49, 9C, E4, 18, 49, ...] {DEC EAX; SBB [ECX-0x64], CL; IN AL, 0x18; DEC ECX; PUSHF }
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 824C4ED8 4 Bytes [80, 19, 49, 9C] {SBB BYTE [ECX], 0x49; PUSHF }
? System32\drivers\illooine.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  
• An icon will be created on your desktop. Double-click that icon to launch the program.
  
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  
• Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

• Open SUPERAntiSpyware.
  
• Under "Configuration and Preferences", click the Preferences button.
  
• Click the Scanning Control tab.
  
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  
  • Close browsers before scanning.
    
  • Terminate memory threats before quarantining.
  
  
• Click the "Close" button to leave the control center screen.
  
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  
• On the left, make sure you check C:\Fixed Drive.
  
• On the right, under "Complete Scan", choose Perform Complete Scan.
  
• Click "Next" to start the scan. Please be patient while it scans your computer.
  
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  
• Make sure everything has a checkmark next to it and click "Next".
  
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  
• If asked if you want to reboot, click "Yes".
  
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  
  • Click Preferences, then click the Statistics/Logs tab.
    
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    
  • Copy and paste the Scan Log results in your next reply.
  
  
• Click Close to exit the program.

Post SUPERAntiSpyware log.