Help please - URL:Mal / eiffelcam1.jpg virus (process: XPSMiniViewGadget.exe)

Hi, I need help please :-\

Avast! pops up these alert messages on my screen.

They pop up at start-up (I notice the message says it’s coming from Process XPSMiniViewGadget.exe - the XPS Mini view is the little screen that I can view on my Dell computer case) and at other random times. I think sometimes I’m not even doing anything via a browser, but I am not sure.

Attached are screenshots of the message itself.

Can someone help me delete it/disable whatever this is?

(In the meantime, I have Malwarebytes running a scan).

I’m getting exactly the same thing, and apparently for the same reason. I’m assuming it’s a false positive caused by an update in Avast, but not to the point where I’ve asked Avast to treat it as such. It would be good to have a definitive view from someone who actually knows what the cause is!

Greetings,

Both of you need to follow the instructions in this topic.
http://forum.avast.com/index.php?topic=53253.0
The tools that we need are Malwarebytes, OTL and the aswMBR log report.
Malwarebytes shall search for and remove all known malware; OTL and aswMBR are generic diagnostic tools.

@CJ2008
Post requested logs here and I shall examine them.

@Kluseau
Open your own separate topic and post the requested logs for investigation.

Will do Magna.

Thank you

OK Magna.

I followed step 1, which was to run MalwareBytes, then attach the log.

Problems I encountered:

1. MalwareBytes would stop responding after every “remove selected” action. But then when I’d go back and rerun the scan it would find fewer items. So I’m not sure if that’s an indication the removal action worked.

2. Even though in my settings I have it checked to save logs automatically, I do not see a log for every scan I’ve run.

All that said - I ran the scan one more time - it found 4 items all having to do with that pup.funmoods - but when I say remove selected, it hangs.

So here are the past TWO logs that it kept (since I’ve been having this problem for a while I thought it would help you) along with a screenshot of the quarantined items (also hoping it’s helpful/relevant.)

Let me know if you need anything else - in the meantime I’ll move on to step 2.

Just realized there’s potential sensitive information in those logs kept by MalwareBytes.

I will cut and paste instead:

LOG 1:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.10.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
xxxxxx :: xxxxxx

12/10/2013 1:41:05 PM
MBAM-log-2013-12-10 (13-56-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 339413
Time elapsed: 12 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 4
C:\Users\xxxxxx\AppData\LocalLow\Funmoods (PUP.FunMoods) → No action taken.
C:\Users\xxxxxx\AppData\LocalLow\Funmoods\Funmoods (PUP.FunMoods) → No action taken.
C:\Users\xxxxxx\AppData\LocalLow\Funmoods\Funmoods\us (PUP.FunMoods) → No action taken.
C:\Users\xxxxxx\AppData\LocalLow\Funmoods\Funmoods\us\20101003 (PUP.FunMoods) → No action taken.

Files Detected: 0
(No malicious items detected)

(end)

LOG 2:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.27.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
xxxxxxxx :: xxxxxxxx [administrator]

11/27/2013 2:53:43 PM
MBAM-log-2013-11-27 (17-21-57).txt

Scan type: Full scan (C:|K:|L:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 584820
Time elapsed: 2 hour(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 15
HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) → No action taken.
HKCR\escort.escortIEPane.1 (PUP.Funmoods) → No action taken.
HKCR\escort.escortIEPane (PUP.Funmoods) → No action taken.
HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) → No action taken.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) → No action taken.
HKCR\funmoodsApp.appCore (PUP.Funmoods) → No action taken.
HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) → No action taken.
HKCR\f (PUP.Funmoods) → No action taken.
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) → No action taken.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) → No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) → No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) → No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) → No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) → No action taken.
HKLM\SOFTWARE\Google\chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki (PUP.Funmoods) → No action taken.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) → Data: Funmoods Toolbar → No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) → Data: → No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 4
C:\Users\xxxxxxxx\AppData\LocalLow\Funmoods (PUP.FunMoods) → No action taken.
C:\Users\xxxxxxxx\AppData\LocalLow\Funmoods\Funmoods (PUP.FunMoods) → No action taken.
C:\Users\xxxxxxxx\AppData\LocalLow\Funmoods\Funmoods\us (PUP.FunMoods) → No action taken.
C:\Users\xxxxxxxx\AppData\LocalLow\Funmoods\Funmoods\us\20101003 (PUP.FunMoods) → No action taken.

Files Detected: 4
C:\Users\xxxxxxxx\AppData\Local\funmoods.crx (PUP.Funmoods) → No action taken.
C:\Users\xxxxxxxx\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) → No action taken.
C:\Users\xxxxxxxx\AppData\LocalLow\Funmoods\Funmoods\us\20101003\kywrds.tat (PUP.FunMoods) → No action taken.
C:\Users\xxxxxxxx\AppData\LocalLow\Funmoods\Funmoods\us\20101003\kywrds.ttr (PUP.FunMoods) → No action taken.

(end)

OK Step 2: OTL results.

I xxxxxx out some stuff - probably silly, and probably didn’t really “do” anything, but I felt better anyway. Hopefully it won’t interfere with what you need to do.

Step 3: aswMBR.exe logs

OK I think that’s all you need Magna.

I’ll await further instructions.

Thanks in advance.
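Whether Malwarebytes actually removed an item is recorded in the action field at the end of each detection line, which in the two logs above reads “No action taken” throughout. As an added example (not code from the thread or from Malwarebytes), this parser reads that MBAM 1.x log layout, checks each section's entries against its “Detected: N” header, and lists what is still pending; the embedded log is constructed with a placeholder user name.

```python
import re
from collections import Counter

# Constructed sample (added example, not one of the logs posted in the thread):
# same layout as the Malwarebytes 1.75 logs above, with a placeholder user name.
SAMPLE_LOG = """\
Malwarebytes Anti-Malware 1.75.0.1300

Registry Keys Detected: 2
HKCR\\funmoodsApp.appCore (PUP.Funmoods) -> No action taken.
HKLM\\SOFTWARE\\Google\\chrome\\Extensions\\fdloijijlkoblmigdofommgnheckmaki (PUP.Funmoods) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: Funmoods Toolbar -> No action taken.

Folders Detected: 1
C:\\Users\\user\\AppData\\LocalLow\\Funmoods (PUP.FunMoods) -> No action taken.

Files Detected: 0
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")
# item (Threat.Name) -> action.  MBAM writes "->"; the forum copy above renders it as "→".
ENTRY_RE = re.compile(r"^(.+?) \(([^()]+)\) (?:->|→) (.+?)\.?$")

def parse_mbam_log(text):
    """Parse detection lines per section; raise if a section's entry count
    disagrees with its 'Detected: N' header (a truncated or edited log)."""
    entries, headers, section = [], {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            section, headers[m.group(1)] = m.group(1), int(m.group(2))
            continue
        m = ENTRY_RE.match(line.strip())
        if m and section:
            entries.append({"section": section, "item": m.group(1),
                            "threat": m.group(2), "action": m.group(3)})
    for name, n in headers.items():
        found = sum(e["section"] == name for e in entries)
        if found != n:
            raise ValueError(f"{name}: header says {n}, found {found}")
    return entries

def summarize(entries):
    """Detections per family (case-folded: the logs mix PUP.Funmoods/PUP.FunMoods)
    and the items whose action field shows nothing was removed."""
    families = Counter(e["threat"].lower() for e in entries)
    pending = [e["item"] for e in entries if "no action taken" in e["action"].lower()]
    return families, pending
```

Running `summarize(parse_mbam_log(SAMPLE_LOG))` on a real log tells you at a glance which entries a hung “remove selected” never got to, instead of inferring it from a smaller count on the next scan.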

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

- Click on the Scan button.
- After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

- After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
- The logfile will also be saved in the C:\AdwCleaner folder.

--------- Next ---------

Re-run OTL, just click QuickScan and post me fresh OTL.txt logreport.

OK - here’s the latest OTL report.

Thanks for all the work and help on this.

Re-run OTL.exe.

- Copy and paste the following text written inside the quote box into the Custom Scans/Fixes box.

:FILES
C:\Users\xxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\21u8wzda.SocialMedia\extensions\crossriderapp14917@crossrider.com
C:\Users\xxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\9icj375d.default\extensions\yawr@sdx.hu
C:\Users\xxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\21u8wzda.SocialMedia\extensions\classicretweet@jonpierce.com.xpi
C:\Windows\System32\*.tmp
C:\Windows\*.tmp
C:\Users\xxxxx\Documents\*.tmp
C:\Program Files\XPSMiniViewGadget
:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O15 - HKU\S-1-5-21-3830217095-534917726-2058998712-1000\..Trusted Domains: aol.com ([objects] * is out of zone range -  5)
O15 - HKU\S-1-5-21-3830217095-534917726-2058998712-1000\..Trusted Domains: localhost ([]* in Local intranet)
@Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:5C321E34
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:C7461AB9
:COMMANDS
[EMPTYTEMP]

- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

How’s your computer running now?

Magna,

After I posted the log last night I realized that I forgot to include this in the Custom Scans/Fixes box when I ran OTL. Let me know if you first need me to rerun it with these parameters before moving on to the last custom scan/fix you posted.

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

No need. Feel free to execute OTLScript.

OK Magna - logs from the OTL fix.

You’ll see 2 logs. I had to run the OTL twice, because the first time I realized in the log (the 100225) at the top it said “could not interpret” - so I had to put in the actual user name in the script and run the fix again. I attached that log just in case though. Second fix is the 111342 log.

Are you saying that yours isn’t “xxxxx”, but that you removed the original reports, changed them and attached the modified reports here? ???

Please explain to me now why, what might be the reason you did that … I am deeply interested?

Well, since you went offline and I also have to go about my own business, I want to write something.

Do you think that these tools I use would be allowed globally for use if they infringed on your privacy? Do you think that MBAM threatens your privacy? Why do you use MBAM then?
It’s just your username, nothing else, nothing important, nothing mysterious. It’s just a %path% (Windows variable) that I need to be able to address the malicious entries and files.

To reassure you, here’s my %path% from my host system, the header of one tool. Does it mean anything to you? No, right?

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-12-2013 01
Ran by Igor (administrator) on MAGNA on 13-12-2013 19:41:56
Running from C:\Users\Igor\Desktop
Windows 8.1 Pro (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
[ … ]
2013-12-05 00:33 - 2013-12-13 19:41 - 01927462 _____ (Farbar) C:\Users\Igor\Desktop\FRST64.exe
2013-12-13 02:00 - 2013-12-13 02:10 - 00000718 _____ C:\Users\Igor\Desktop\zez.txt
2013-12-13 01:44 - 2013-12-13 01:44 - 00377856 _____ C:\Users\Igor\Desktop\GMER.exe
2013-11-26 20:00 - 2013-11-26 20:00 - 00000000 ____D C:\Users\Igor\Documents\OneNote Notebooks

Changing the original report I will not tolerate. I do not want to waste time guessing the correct file %path% or, worse, to be guilty if the tool does something it should not because it failed to read the script by comparing it with the Windows path.
But I’ll be tolerant and will tell you that the machine was full of garbage and avast was alerted by “C:\Program Files\XPSMiniViewGadget”.
You haven’t had any malware, only adware (bad PUP software) that comes from the user side by not following the installation wizard of some legitimate software’s installer.

Remove OTL by clicking on the CleanUp! button. The tools should be removed.

Regards,
magna

Right - I’m saying that my username isn’t “xxxxx”.

I had replaced my real usernames in all the previous logs for privacy reasons (again, not sure if this is necessary but made me feel better) so when you created the “fix script” to paste into OTL it had the “xxxxxx” usernames, and I had not noticed that when I first ran it. So I ran OTL a second time but replaced the CORRECT usernames in the script.

Let me know if this clears it up. :)

And let me know where we are clean-up wise - were we successful?

Woah Magna. You sound really annoyed.

My removing the usernames had nothing to do with not trusting the tools. At all. If I had thought that, I wouldn’t have used the tools.

This was more me thinking that maybe I should not put my real username on the public forum. It’s one of those things where maybe if you’re really knowledgeable you’d know that the username is “nothing important”, but if you’re a regular person you may not understand that.

And because I didn’t want to do anything that would interfere with what you needed to do, when I changed the username in the logs I made sure to tell you that I did it, and why, and said that I hoped it would not at all interfere with what you needed to do. The LAST thing I wanted you to do was waste your time.

I do thank you for your help, and I’ve been expressing that every step of the way.

Thank you.