Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: win32 (pup) infection  (Read 12503 times)

0 Members and 1 Guest are viewing this topic.

besame2anne

    Topic Starter


    Rookie

    • Experience: Familiar
    • OS: Windows XP
    win32 (pup) infection
    « on: October 14, 2013, 10:59:25 PM »
    Hi-  Before I found your site, my computer started running really slow.  I installed Malwarebytes and ran a scan.  It found some malware, I clicked remove and restarted my computer and I had no START menu.  A friend stopped by and finally got it back for me through the task manager.  Then I ran Avast's free virus scan and it said I had a win32 (pup) infection associated with chrome.exe.  It was not able to remove it.  Then I got suckered by SpyHunter.  They said they'd remove my virus this one time for free.  Ha ha!  At the end of their scan, they wanted $40.  I was p---ed, but it claimed to have found 400 infections, so I paid the $40.  The computer ran even worse.  I submitted support tickets for a week and they ignored me.  I said they sucked and I wanted my money back.  Finally someone answered and directed me to safe.cart.  I requested a refund.  Next day, someone emailed me and said they'd have to do a remote session.  I downloaded the link but, they put me off over the weekend and safe.cart refunded my money Monday morning.  I deleted SpyHunter. Sat. morning, my computer was barely moving.  Sat. nite, it was quite a bit better.  Not good, but better. Over the weekend, I was trying to clean some stuff out and there are 3 Apple programs that weren't there before and I didn't download them.  I tried to remove them and I couldn't.  It said they were on a network resource that wasn't available?  Then I was looking through the Event Viewer and reading some of the events.  Had been there quite awhile and all the sudden, it said my event log file was corrupted!  In local disk C, there were some files I tried to open and Windows said it couldn't open them because it didn't know who created it.  Also, several times I would open the task manager and when it first came up, I could only catch a quick glimpse and I'd see there were like 75 or 80 processes running but, they would immediately start disappearing before I could see what they were and it would drop back to my normal of around 45.  Weird!  It's still doing it but, not so many - around 55 when it opens.  The computer is still slow today but, it was worse.  I'm going to try to attach the logs now.  I'll download the Hijack This tool but, I don't know if I'll do it tonight or tomorrow.  Don't know if I will know enough to use it properly.  I'm totally confused by the whole thing !   P.S.  I only got the cleaner on this post.  Says my log too big and Filedropper first said it couldn't read my file and then it said it was too big!  May have to do more posts..............

    [recovering disk space, attachment deleted by admin]
    « Last Edit: October 14, 2013, 11:21:37 PM by besame2anne »

    besame2anne

      Topic Starter


      Rookie

      • Experience: Familiar
      • OS: Windows XP
      Re: win32 (pup) infection
      « Reply #1 on: October 14, 2013, 11:25:31 PM »
      I don't know what to do-keeps saying my log is too large.  Didn't look like any of them amounted too much to me.  I'm really tired - it will probably go on first time in the morning - sorry and thanks!

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 991
      • Certifications: List
      • Experience: Expert
      • OS: Windows 8
      Re: win32 (pup) infection
      « Reply #2 on: October 15, 2013, 01:26:57 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *************************************************************************
      Please download Malwarebytes Anti-Malware from here.
      Double Click mbam-setup.exe to install the application.
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Full Scan", then click Scan.
      • The scan may take some time to finish,so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • Please save the log to a location you will remember.
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the entire report in your next reply.
      Extra Note:

      If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
      *************************************************
      Please download Junkware Removal Tool to your desktop.

      Warning! Once the scan is complete JRT will shut down your browser with NO warning.

      Shut down your protection software now to avoid potential conflicts.

      •Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      •Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

      •The tool will open and start scanning your system.

      •Please be patient as this can take a while to complete depending on your system's specifications.

      •On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

      •Copy and Paste the JRT.txt log into your next message.
      Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

      besame2anne

        Topic Starter


        Rookie

        • Experience: Familiar
        • OS: Windows XP
        Re: win32 (pup) infection
        « Reply #3 on: October 15, 2013, 03:06:00 PM »
        Well, I've ran both tools and here are the results.  My computer seems to be running better so far, too.

        [recovering disk space, attachment deleted by admin]

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 991
        • Certifications: List
        • Experience: Expert
        • OS: Windows 8
        Re: win32 (pup) infection
        « Reply #4 on: October 15, 2013, 04:21:40 PM »
        Download Combofix from any of the links below, and save it to your DESKTOP
        If your version of Windows defaults to you download folder you will need to copy it to your desktop.

        Link 1
        Link 2
        Link 3

        To prevent your anti-virus application interfering with  ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
        • Close any open windows and double click ComboFix.exe to run it.

          You will see the following image:


        Click I Agree to start the program.

        ComboFix will then extract the necessary files and you will see this:



        As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to  have this pre-installed on your machine before doing any malware  removal. This will not occur in Windows Vista and 7

        It will allow you to boot up into a special recovery/repair  mode that will allow us to more easily help you should your computer  have a problem after an attempted removal of malware.

        If you did not have it installed, you will see the prompt below. Choose YES.



        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

        **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



        Click on Yes, to continue scanning for malware.

        When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

        Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

        Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.
        Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

        besame2anne

          Topic Starter


          Rookie

          • Experience: Familiar
          • OS: Windows XP
          Re: win32 (pup) infection
          « Reply #5 on: October 15, 2013, 08:30:42 PM »
          Ok, here's the Combo Fix report.

          ComboFix 13-10-15.02 - Leslie 10/15/2013  21:04:33.1.1 - x86
          Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1278.727 [GMT -5:00]
          Running from: c:\documents and settings\Leslie\Desktop\ComboFix.exe
          AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
          .
          .
          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          c:\documents and settings\All Users\Application Data\TEMP
          c:\documents and settings\Leslie\System
          c:\documents and settings\Leslie\System\win_qs8.jqx
          c:\documents and settings\Leslie\WINDOWS
          C:\drvrtmp
          c:\windows\system32\Cache
          c:\windows\system32\Cache\075884af680ff6dc.fb
          c:\windows\system32\Cache\227113dfa1ca894d.fb
          c:\windows\system32\Cache\49fbbc5a8678d502.fb
          c:\windows\system32\Cache\5c54eb1a1655b076.fb
          c:\windows\system32\Cache\613e8ce7ab7106af.fb
          c:\windows\system32\Cache\633a76311867bd11.fb
          c:\windows\system32\Cache\691f14230153a9e1.fb
          c:\windows\system32\Cache\6cb409d7ac73d9f1.fb
          c:\windows\system32\Cache\7614bd6cfa99e546.fb
          c:\windows\system32\Cache\77664b6ccc36be9f.fb
          c:\windows\system32\Cache\881b3593316772f0.fb
          c:\windows\system32\Cache\898aecf53e81d018.fb
          c:\windows\system32\Cache\98657d0579ae1930.fb
          c:\windows\system32\Cache\d5c0f4e7bbe35bf3.fb
          c:\windows\system32\Cache\d9ca663388d21ec0.fb
          c:\windows\system32\Cache\f2cda51fd108941f.fb
          c:\windows\system32\Cache\f34d8db84131d925.fb
          c:\windows\system32\start.exe
          c:\windows\wininit.ini
          .
          .
          (((((((((((((((((((((((((   Files Created from 2013-09-16 to 2013-10-16  )))))))))))))))))))))))))))))))
          .
          .
          2013-10-16 00:18 . 2013-09-05 03:02   7328304   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E9D97F56-FCCC-4FA3-A2FD-0569CECF7578}\mpengine.dll
          2013-10-15 20:59 . 2013-09-05 03:02   7328304   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
          2013-10-15 20:52 . 2013-10-15 20:52   --------   d-----w-   c:\windows\ERUNT
          2013-10-15 03:08 . 2013-10-15 20:10   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2013-10-15 03:08 . 2013-04-04 19:50   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2013-10-14 08:19 . 2013-10-14 08:20   --------   d-----w-   c:\program files\Microsoft Security Client
          2013-10-10 20:57 . 2013-10-10 20:57   --------   d-----w-   c:\documents and settings\Leslie\Application Data\TeamViewer
          2013-10-10 20:15 . 2013-07-03 02:12   25088   -c----w-   c:\windows\system32\dllcache\hidparse.sys
          2013-10-10 20:15 . 2013-07-03 01:59   14976   -c----w-   c:\windows\system32\dllcache\usbscan.sys
          2013-10-10 20:14 . 2013-07-17 00:58   60160   -c----w-   c:\windows\system32\dllcache\usbaudio.sys
          2013-10-10 20:14 . 2013-07-17 00:58   123008   -c----w-   c:\windows\system32\dllcache\usbvideo.sys
          2013-10-10 20:04 . 2009-03-18 11:02   30336   -c----w-   c:\windows\system32\dllcache\usbehci.sys
          2013-10-10 20:04 . 2013-08-09 00:55   144128   -c----w-   c:\windows\system32\dllcache\usbport.sys
          2013-10-10 20:04 . 2013-08-09 00:55   32384   -c----w-   c:\windows\system32\dllcache\usbccgp.sys
          2013-10-10 20:04 . 2013-08-09 00:55   5376   -c----w-   c:\windows\system32\dllcache\usbd.sys
          2013-10-06 19:24 . 2013-10-12 15:41   --------   d-----w-   c:\windows\A16BBEABAAEF434ABFDD297708709FCC.TMP
          2013-10-06 06:42 . 2013-10-15 02:50   --------   d-----w-   C:\AdwCleaner
          2013-09-30 05:58 . 2013-10-04 15:41   --------   d-----w-   c:\program files\Enigma Software Group
          2013-09-30 05:53 . 2013-10-15 02:31   --------   d-----w-   c:\windows\DB847E94446B49E0AC5DC5627EC8B0C0.TMP
          2013-09-30 05:53 . 2013-10-04 15:37   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
          2013-09-29 06:54 . 2013-09-29 06:54   --------   d-----w-   c:\documents and settings\LocalService\Application Data\iolo
          2013-09-29 06:50 . 2013-09-19 02:24   2097984   ----a-w-   c:\windows\system32\Incinerator32.dll
          2013-09-29 06:50 . 2013-09-19 02:12   9341   ----a-w-   c:\windows\system32\drivers\filedisk.sys
          2013-09-29 06:48 . 2013-09-19 02:42   41616   ----a-w-   c:\windows\system32\iolobtdfg.exe
          2013-09-29 06:48 . 2013-09-19 02:42   23568   ----a-w-   c:\windows\system32\smrgdf.exe
          2013-09-29 06:48 . 2013-09-19 02:12   68464   ----a-w-   c:\windows\system32\drivers\PDFsFilter.sys
          2013-09-29 06:48 . 2013-09-19 02:12   56200   ----a-w-   c:\windows\system32\offreg.dll
          2013-09-29 06:48 . 2013-09-29 06:48   --------   d-----w-   c:\program files\iolo
          2013-09-29 06:36 . 2013-09-29 06:36   74703   ----a-w-   c:\windows\system32\mfc45.dat
          2013-09-29 06:36 . 2013-09-29 06:36   --------   d-----w-   C:\iolo
          2013-09-29 06:21 . 2013-10-03 07:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\iolo
          2013-09-29 06:21 . 2013-09-29 07:10   --------   d-----w-   c:\documents and settings\Leslie\Application Data\iolo
          2013-09-27 07:42 . 2013-10-14 15:29   --------   d-----w-   c:\documents and settings\Leslie\Local Settings\Application Data\Corel
          2013-09-27 07:41 . 2013-10-14 12:55   848   --sha-w-   c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
          2013-09-27 06:14 . 2013-09-27 07:41   --------   d-----w-   c:\documents and settings\Leslie\Application Data\Corel
          2013-09-27 06:06 . 2013-09-27 06:06   --------   d-----w-   c:\program files\Common Files\Protexis
          2013-09-27 06:06 . 2013-09-27 07:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\Corel
          2013-09-27 06:06 . 2013-09-27 06:09   --------   d-----w-   c:\program files\Common Files\Corel
          2013-09-27 06:06 . 2013-09-27 06:06   --------   d-----w-   c:\program files\Corel
          2013-09-25 02:32 . 2013-08-30 07:47   229648   ----a-w-   c:\windows\system32\aswBoot.exe
          2013-09-25 02:26 . 2013-09-29 06:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVAST Software
          2013-09-25 02:08 . 2013-09-25 02:08   --------   d-----w-   c:\windows\system32\wbem\Repository
          2013-09-25 01:43 . 2013-09-25 01:43   --------   d-----w-   C:\$AVG
          2013-09-25 01:41 . 2013-09-25 01:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG2014
          2013-09-25 01:33 . 2013-09-25 01:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
          2013-09-25 01:33 . 2013-09-25 01:33   --------   d-----w-   c:\documents and settings\Leslie\Local Settings\Application Data\MFAData
          2013-09-24 06:28 . 2013-09-24 06:28   --------   d-----w-   c:\documents and settings\Leslie\Application Data\Malwarebytes
          2013-09-24 06:28 . 2013-09-24 06:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
          .
          .
          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2013-10-09 02:16 . 2012-09-24 15:58   692616   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
          2013-10-09 02:16 . 2012-09-24 15:58   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
          2013-09-23 18:33 . 2004-08-12 14:09   920064   ----a-w-   c:\windows\system32\wininet.dll
          2013-09-23 18:33 . 2004-08-12 13:59   43520   ------w-   c:\windows\system32\licmgr10.dll
          2013-09-23 18:33 . 2004-08-12 13:58   1469440   ------w-   c:\windows\system32\inetcpl.cpl
          2013-09-23 18:33 . 2004-08-12 13:56   18944   ----a-w-   c:\windows\system32\corpol.dll
          2013-09-23 18:06 . 2004-08-12 13:57   385024   ------w-   c:\windows\system32\html.iec
          2013-08-29 01:31 . 2004-08-12 14:09   1878656   ----a-w-   c:\windows\system32\win32k.sys
          2013-08-23 04:37 . 2013-08-23 04:37   176952   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
          2013-08-23 03:56 . 2013-08-23 03:56   209208   ----a-w-   c:\windows\system32\drivers\avgidsdriverx.sys
          2013-08-23 03:56 . 2013-08-23 03:56   223032   ----a-w-   c:\windows\system32\drivers\avglogx.sys
          2013-08-23 03:56 . 2013-08-23 03:56   146232   ----a-w-   c:\windows\system32\drivers\avgidshx.sys
          2013-08-21 03:54 . 2013-08-21 03:54   102200   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
          2013-08-09 01:56 . 2004-08-12 14:07   386560   ----a-w-   c:\windows\system32\themeui.dll
          2013-08-09 00:55 . 2004-08-12 14:08   144128   ----a-w-   c:\windows\system32\drivers\usbport.sys
          2013-08-09 00:55 . 2004-08-12 14:08   32384   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
          2013-08-09 00:55 . 2004-08-12 14:08   5376   ----a-w-   c:\windows\system32\drivers\usbd.sys
          2013-08-05 13:30 . 2004-08-12 14:02   1289728   ----a-w-   c:\windows\system32\ole32.dll
          2013-08-03 19:18 . 2006-10-19 02:47   1543680   ------w-   c:\windows\system32\wmvdecod.dll
          2013-08-01 21:08 . 2013-08-01 21:08   193848   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
          2013-08-01 21:06 . 2013-08-01 21:06   22840   ----a-w-   c:\windows\system32\drivers\avgidsshimx.sys
          2013-08-01 21:06 . 2013-08-01 21:06   120120   ----a-w-   c:\windows\system32\drivers\avgdiskx.sys
          2013-08-01 21:05 . 2013-08-01 21:05   26936   ----a-w-   c:\windows\system32\drivers\avgrkx86.sys
          2013-07-25 00:59 . 2013-07-25 00:59   1409   ----a-w-   c:\windows\QTFont.for
          2013-07-19 06:18 . 2013-07-19 06:18   102608   ----a-w-   c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
          2012-10-05 13:36 . 2012-10-10 23:47   172440   ----a-w-   c:\program files\gcres.dll
          .
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4
          .
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
          "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
          "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
          "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
          "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
          "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-25 7311360]
          "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-06-24 295512]
          "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
          "Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-08 16712]
          "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-07-18 995184]
          .
          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
          @="Service"
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
          @="Service"
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=dword:00000001
          .
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
          "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
          "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
          "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
          "c:\\WINDOWS\\system32\\dpnsvr.exe"=
          "c:\\WINDOWS\\system32\\dxdiag.exe"=
          .
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
          "20570:TCP"= 20570:TCP:*:Disabled:wilife
          "20572:TCP"= 20572:TCP:*:Disabled:wilife
          "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
          .
          R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [9/29/2013 1:50 AM 1164328]
          R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/14/2013 10:08 PM 418376]
          R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2013 10:08 PM 701512]
          R2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [9/29/2013 1:48 AM 68464]
          R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [4/16/2013 3:07 AM 39056]
          R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2013 10:08 PM 22856]
          S3 A_USBETHMP;USB PowerPacket Network Adapter;c:\windows\system32\drivers\usbethmp.sys [9/28/2012 9:33 PM 14342]
          S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
          S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
          S3 PCDSRVC{E9D79540-57D5953E-06020200}_0;PCDSRVC{E9D79540-57D5953E-06020200}_0 - PCDR Kernel Mode Service Helper Driver;\??\c:\program files\dell support center\pcdsrvc.pkms --> c:\program files\dell support center\pcdsrvc.pkms [?]
          S3 WLRAWSp50x86;WLRAWSp50x86 NDIS Protocol Driver;c:\windows\system32\drivers\WLRAWSp50x86.sys [9/28/2012 8:38 AM 27032]
          .
          --- Other Services/Drivers In Memory ---
          .
          *NewlyCreated* - MBAMPROTECTOR
          *NewlyCreated* - MBAMSCHEDULER
          *NewlyCreated* - MBAMSERVICE
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
          hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
          .
          Contents of the 'Scheduled Tasks' folder
          .
          2013-10-16 c:\windows\Tasks\Adobe Flash Player Updater.job
          - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-24 02:16]
          .
          2013-10-16 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
          - c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-07-18 21:49]
          .
          2013-08-24 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
          - c:\program files\My Dell\uaclauncher.exe [2013-05-22 17:10]
          .
          2013-10-16 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1390067357-1935655697-839522115-1004.job
          - c:\program files\Real\RealUpgrade\realupgrade.exe [2013-04-16 17:45]
          .
          2013-10-09 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1390067357-1935655697-839522115-1004.job
          - c:\program files\Real\RealUpgrade\realupgrade.exe [2013-04-16 17:45]
          .
          2013-10-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-1935655697-839522115-1004.job
          - c:\program files\Real\RealUpgrade\realupgrade.exe [2013-04-16 17:45]
          .
          2013-10-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-1935655697-839522115-1004.job
          - c:\program files\Real\RealUpgrade\realupgrade.exe [2013-04-16 17:45]
          .
          2013-10-16 c:\windows\Tasks\User_Feed_Synchronization-{77F495CE-29C5-47CF-BBF4-237FAC098B1A}.job
          - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
          .
          2013-10-16 c:\windows\Tasks\User_Feed_Synchronization-{CE4DC6E6-D66A-489A-80C5-888E2DDF0E88}.job
          - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.yahoo.com/
          uInternet Settings,ProxyOverride = <local>
          TCP: DhcpNameServer = 216.139.111.53 216.139.111.54
          TCP: Interfaces\{1E82F90F-8561-4D3A-9260-A13FDF8601A7}: NameServer = 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
          .
          - - - - ORPHANS REMOVED - - - -
          .
          URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
          .
          .
          .
          **************************************************************************
          .
          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2013-10-15 21:11
          Windows 5.1.2600 Service Pack 3 NTFS
          .
          scanning hidden processes ... 
          .
          scanning hidden autostart entries ...
          .
          scanning hidden files ... 
          .
          scan completed successfully
          hidden files: 0
          .
          **************************************************************************
          .
          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020200}_0]
          "ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------
          .
          [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
          @Denied: (2) (LocalSystem)
          "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
             d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,3a,c7,06,a7,4b,f5,40,9e,59,cf,\
          "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
             d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,3a,c7,06,a7,4b,f5,40,9e,59,cf,\
          .
          [HKEY_USERS\S-1-5-21-1390067357-1935655697-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
          @Allowed: (Read) (RestrictedCode)
          @Allowed: (Read) (RestrictedCode)
          .
          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
          @Denied: (A 2) (Everyone)
          @="FlashBroker"
          "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
          .
          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
          "Enabled"=dword:00000001
          .
          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
          @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
          .
          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
          @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
          .
          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
          @Denied: (A 2) (Everyone)
          @="IFlashBroker5"
          .
          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
          @="{00020424-0000-0000-C000-000000000046}"
          .
          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
          @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
          "Version"="1.0"
          .
          Completion time: 2013-10-15  21:13:54
          ComboFix-quarantined-files.txt  2013-10-16 02:13
          .
          Pre-Run: 293,247,909,888 bytes free
          Post-Run: 293,726,646,272 bytes free
          .
          WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          UnsupportedDebug="do not select this" /debug
          multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
          .
          - - End Of File - - 4E6685E1A6D2E9C2B13E324F85D35A7A
          8F558EB6672622401DA993E1E865C861


          [recovering disk space, attachment deleted by admin]
          « Last Edit: October 16, 2013, 01:20:17 PM by SuperDave »

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 991
          • Certifications: List
          • Experience: Expert
          • OS: Windows 8
          Re: win32 (pup) infection
          « Reply #6 on: October 16, 2013, 01:23:21 PM »
          SysProt Antirootkit

          Download
          SysProt Antirootkit from the link below (you will find it at the bottom
          of the page under attachments, or you can get it from one of the
          mirrors).

          http://sites.google.com/site/sysprotantirootkit/

          Unzip it into a folder on your desktop.
          • Double click Sysprot.exe to start the program.
          • Click on the Log tab.
          • In the Write to log box select the following items.
            • Process << Selected
            • Kernel Modules << Selected
            • SSDT << Selected
            • Kernel Hooks << Selected
            • IRP Hooks << NOT Selected
            • Ports << NOT Selected
            • Hidden Files << Selected
          • At the bottom of the page
            • Hidden Objects Only << Selected
          • Click on the Create Log button on the bottom right.
          • After a few seconds a new window should appear.
          • Select Scan Root Drive. Click on the Start button.
          • When it is complete a new window will appear to indicate that the scan is finished.
          • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
          Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

          besame2anne

            Topic Starter


            Rookie

            • Experience: Familiar
            • OS: Windows XP
            Re: win32 (pup) infection
            « Reply #7 on: October 17, 2013, 11:38:20 AM »
            Ok, here's this one.  I downloaded it from one of the mirrors first and I'm not sure what happened exactly but somehow I ended up with a setup for an installation that included the Conduit toolbar.  I don't know if it was from the site or if I clicked the wrong thing on my desktop.................. but, I cancelled the installation and deleted that setup off my desktop.  Hope I didn't mess anything up........................

            besame2anne

              Topic Starter


              Rookie

              • Experience: Familiar
              • OS: Windows XP
              Re: win32 (pup) infection
              « Reply #8 on: October 17, 2013, 11:39:51 AM »
              oops - forgot to attach it!

              [recovering disk space, attachment deleted by admin]

              SuperDave

              • Malware Removal Specialist


              • Genius
              • Thanked: 991
              • Certifications: List
              • Experience: Expert
              • OS: Windows 8
              Re: win32 (pup) infection
              « Reply #9 on: October 17, 2013, 12:57:57 PM »
              I'd like to scan your machine with ESET OnlineScan

              •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
              ESET OnlineScan

              •Click the button.
              •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              • Click on to download the ESET Smart Installer. Save it to your desktop.
              • Double click on the icon on your desktop.
              •Check
              •Click the button.
              •Accept any security warnings from your browser.
              • Leave the check mark next to Remove found threats.
              •Check
              •Push the Start button.
              •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
              •When the scan completes, push
              •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
              •Push the button.
              •Push
              A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
              Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

              besame2anne

                Topic Starter


                Rookie

                • Experience: Familiar
                • OS: Windows XP
                Re: win32 (pup) infection
                « Reply #10 on: October 18, 2013, 04:13:10 PM »
                Here's the ESET scan.  (Ithink!)

                [recovering disk space, attachment deleted by admin]

                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 991
                • Certifications: List
                • Experience: Expert
                • OS: Windows 8
                Re: win32 (pup) infection
                « Reply #11 on: October 18, 2013, 06:58:23 PM »
                How's your computer running now?
                Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

                besame2anne

                  Topic Starter


                  Rookie

                  • Experience: Familiar
                  • OS: Windows XP
                  Re: win32 (pup) infection
                  « Reply #12 on: October 18, 2013, 10:55:52 PM »
                  It's much better!  You are fantastic help!  I can't tell you how grateful I am!  I'm very financially strapped right now and this is the best thing that's happened to me lately!  Many, many thanks!  I have one more question to ask you.  I'd kinda forgotten about it this last week but, I'm wondering if it might be part of or the cause of my problem.  A year or a little farther back, I used to order *censored* pills for a friend off a site he found.  Ever since then, my email is flooded with *censored* emails.  Never the same address - always a different name.  I blocked them at first by having it block key words like *censored*, *censored*, prescription, etc.  Then they started coming through with the key words misspelled.  Then they started coming with my own email address as the sender.  I had to put my own email address in my block list.  I have most of them blocked but a few still get through.  And for the last 2 or 3 months, I get alot of messages about mail delivery failure.  One is from "[email protected] telling me that my msg could not be delivered to one or more recipients.  The remote mail system said:Maximum Retry Queue Reached".  Another is from Mail Delivery System.  Undelivered mail returned to sender.  It's in a foreign language - French, I think.  Another one said "Undeliverable" and "we have reason to believe this msg is unwanted here."  Is someone using my computer to send spam?  Could this be where I got these viruses, etc?  Do I need to change my email address?  Thanks again - you're my hero!

                  SuperDave

                  • Malware Removal Specialist


                  • Genius
                  • Thanked: 991
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 8
                  Re: win32 (pup) infection
                  « Reply #13 on: October 19, 2013, 04:20:47 PM »
                  Quote
                  A year or a little farther back, I used to order *censored* pills for a friend off a site he found.  Ever since then, my email is flooded with *censored* emails.  Never the same address - always a different name.  I blocked them at first by having it block key words like *censored*, *censored*, prescription, etc.  Then they started coming through with the key words misspelled.  Then they started coming with my own email address as the sender.  I had to put my own email address in my block list.  I have most of them blocked but a few still get through.  And for the last 2 or 3 months, I get alot of messages about mail delivery failure.  One is from "[email protected] telling me that my msg could not be delivered to one or more recipients.  The remote mail system said:Maximum Retry Queue Reached".  Another is from Mail Delivery System.  Undelivered mail returned to sender.  It's in a foreign language - French, I think.  Another one said "Undeliverable" and "we have reason to believe this msg is unwanted here."  Is someone using my computer to send spam?  Could this be where I got these viruses, etc?  Do I need to change my email address?  Thanks again
                  You should use a Spam filter program such as MailWasher. You could also delete all your cookies which should stop most of this annoying spam. You could also download and run SAS which will delete those tracking cookies. I don't need to see the log. Keep this on your computer and run it often.

                  SUPERAntiSpyware

                  If you already have SUPERAntiSpyware be sure to check for updates before scanning!


                  Download SuperAntispyware Free Edition (SAS)
                  * Double-click the icon on your desktop to run the installer.
                  * When asked to Update the program definitions, click Yes
                  * If you encounter any problems while downloading the updates, manually download and unzip them from here
                  * Next click the Preferences button.

                  •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
                  * Click the Scanning Control tab.
                  * Under Scanner Options make sure only the following are checked:

                  •Close browsers before scanning
                  •Scan for tracking cookies
                  •Terminate memory threats before quarantining
                  Please leave the others unchecked

                  •Click the Close button to leave the control center screen.

                  * On the main screen click Scan your computer
                  * On the left check the box for the drive you are scanning.
                  * On the right choose Perform Complete Scan
                  * Click Next to start the scan. Please be patient while it scans your computer.
                  * After the scan is complete a summary box will appear. Click OK
                  * Make sure everything in the white box has a check next to it, then click Next
                  * It will quarantine what it found and if it asks if you want to reboot, click Yes

                  •To retrieve the removal information please do the following:
                  •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
                  •Click Preferences. Click the Statistics/Logs tab.

                  •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

                  •It will open in your default text editor (preferably Notepad).
                  •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

                  * Save the log somewhere you can easily find it. (normally the desktop)
                  * Click close and close again to exit the program.
                  ***********************************************
                  To uninstall ComboFix

                  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
                  • In the field, type in ComboFix /uninstall


                  (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

                  • Then, press Enter, or click OK.
                  • This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
                  ********************************************
                  Click Start> Computer> right click the C Drive and choose Properties> enter
                  Click Disk Cleanup from there.



                  Click OK on the Disk Cleanup Screen.
                  Click Yes on the Confirmation screen.



                  This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
                  *******************************************
                  Go to Microsoft Windows Update and get all critical updates.

                  ----------

                  I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                  SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                  * If you don't know what ActiveX controls are, see here

                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                  Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                  Safe Surfing!
                  Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender