
Author Topic: Need to remove TROJAN:WIN32?FakeScanti  (Read 13770 times)


Twylla

    Topic Starter


    Beginner
  • I love YaBB 1G - SP1!
    Need to remove TROJAN:WIN32?FakeScanti
    « on: July 15, 2010, 09:46:58 PM »
    What is the best way to remove this stubborn bugger?  I've used my software but the problem remains.
    Any help is REALLY appreciated.

    It seems to be affecting my speech recog. software, people can't hear me talk on Skype and it's been driving me nuts for weeks now.

    PLEASE HELP ME.

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Need to remove TROJAN:WIN32?FakeScanti
    « Reply #1 on: July 16, 2010, 07:46:33 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!

    Download SuperAntispyware Free Edition (SAS)
    • Double-click the icon on your desktop to run the installer.
    • When asked to Update the program definitions, click Yes.
    • If you encounter any problems while downloading the updates, manually download and unzip them from here.
    • Next click the Preferences button.
    • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure only the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining
      Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
    • On the main screen click Scan your computer.
    • On the left check the box for the drive you are scanning.
    • On the right choose Perform Complete Scan.
    • Click Next to start the scan. Please be patient while it scans your computer.
    • After the scan is complete a summary box will appear. Click OK.
    • Make sure everything in the white box has a check next to it, then click Next.
    • It will quarantine what it found and if it asks if you want to reboot, click Yes.

    To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (preferably Notepad).
    • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
    • Save the log somewhere you can easily find it (normally the desktop).
    • Click close and close again to exit the program.
    • Copy and paste the log in your post.

    ===============================

    Please download Malwarebytes Anti-Malware from here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    ==============================

    Please download: HiJackThis to your Desktop.
    • Double Click the HijackThis icon, located on your Desktop.
    • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
    • Accept the license agreement.
    • Click the Open the Misc Tools section button.
    • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
    • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
    • Please post the log in your next reply.
    Windows 8 and Windows 10 dual boot with two SSD's
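The logs requested above come back as long pasted dumps (the SAS log posted next in this thread runs to hundreds of tracking-cookie lines), so whoever reviews them wants a quick summary before reading line by line. The following is an added example for this page, not code from the thread, from Computer Hope or from SUPERAntiSpyware: it parses the header and the per-family sections of an SAS scan log, separates registry keys from files, dedups tracking-cookie hosts, lists the non-cookie families that actually need follow-up, and compares the header's claimed totals with what the pasted body lists. The log format is inferred from the log posted in this thread; the sample log, the wrapped-line handling and all function names are this example's own assumptions.

```python
"""Summarise a SUPERAntiSpyware scan log of the kind posted in this thread.
Added example, not code from the thread or from SUPERAntiSpyware; the format is
inferred from the posted log ("Key : Value" header, then "Family.Name" category
lines each followed by indented entries; wrapped "[ path ]" entries are re-joined).
"""
import re
from collections import Counter

CATEGORY_RE = re.compile(r"^[A-Z][A-Za-z]*\.[A-Za-z]")                # "Adware.Tracking Cookie"
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")      # "Scan type : Complete Scan"
GENERATED_RE = re.compile(r"^Generated (\S+) at (.+)$")
COOKIE_FILE_RE = re.compile(r"@([^\\\[]+)\[\d+\]\.txt$", re.IGNORECASE)   # user@host[n].txt

# Constructed sample: a trimmed version of the log in this thread, with one
# cookie entry deliberately wrapped the way the forum post wraps them.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/16/2010 at 10:17 PM

Application Version : 4.40.1002
Scan type       : Complete Scan
Registry threats detected : 96
File threats detected     : 219

Rogue.XJRAntiVirus
    HKU\S-1-5-21-3752135172-403379316-642457397-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{149256D5-E103-4523-BB43-2CFB066839D6}
    HKCR\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}

Adware.MyWebSearch
    HKU\S-1-5-21-3752135172-403379316-642457397-1006\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
    HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
    C:\DOCUMENTS AND SETTINGS\SHERRY\MY DOCUMENTS\DOWNLOADS\SMILEYCENTRALPFSETUP2.3.67.1.SA.HP.ZNFOX000.EXE

Adware.Tracking Cookie
    C:\Documents and Settings\Sherry\Cookies\sherry@liveperson[1].txt
    .atdmt.com [ C:\Documents and Settings\Other\Application
Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
    .atdmt.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
"""


def parse_sas_log(text):
    """Return {"header": {key: value}, "findings": {category: [entry, ...]}}."""
    header, findings, category = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if CATEGORY_RE.match(line):                 # new threat family section
            category = line.strip()
            findings.setdefault(category, [])
        elif category is None:                      # still in the header block
            m = GENERATED_RE.match(line)
            if m:
                header["Generated"] = f"{m.group(1)} {m.group(2)}"
            else:
                m = HEADER_RE.match(line)
                if m and not line.startswith("http"):   # skip the vendor URL line
                    header[m.group(1).strip()] = m.group(2)
        elif line[0] in " \t":                      # indented line: one detection
            findings[category].append(line.strip())
        else:                                       # unindented: tail of a wrapped "[ path ]" entry
            entries = findings[category]
            if entries and "[ " in entries[-1] and " ]" not in entries[-1]:
                entries[-1] += " " + line.strip()
    return {"header": header, "findings": findings}


def cookie_host(entry):
    """Host a tracking-cookie entry refers to, for either entry style, else None."""
    m = COOKIE_FILE_RE.search(entry)
    if m:                                           # IE cookie file: user@host[n].txt
        return m.group(1).lower()
    if " [ " in entry:                              # Firefox/Flash: host [ store path ]
        return entry.split(" [ ", 1)[0].strip().lstrip(".").lower()
    return None


def summarize(report):
    """Per category: entry count, registry keys vs files, and unique cookie hosts."""
    summary = {}
    for category, entries in report["findings"].items():
        registry = sum(e.upper().startswith("HK") for e in entries)
        hosts = Counter()
        if "cookie" in category.lower():
            hosts.update(h for h in map(cookie_host, entries) if h)
        summary[category] = {"count": len(entries), "registry": registry,
                             "files": len(entries) - registry, "cookie_hosts": dict(hosts)}
    return summary


def needs_follow_up(report):
    """Everything except tracking cookies: the rogue/adware leftovers a helper acts on."""
    return {c: e for c, e in report["findings"].items() if "cookie" not in c.lower()}


def check_totals(report):
    """(claimed, listed) detection counts. A shortfall usually means the poster
    pasted an excerpt, so read it as 'truncated', not 'clean'."""
    header, summary = report["header"], summarize(report)
    listed_registry = sum(s["registry"] for s in summary.values())
    listed_files = sum(s["files"] for s in summary.values())
    return {"registry": (int(header.get("Registry threats detected", 0)), listed_registry),
            "files": (int(header.get("File threats detected", 0)), listed_files)}
```

Feed `parse_sas_log(open("SUPERAntiSpyware Scan Log.txt").read())` to `summarize`, `needs_follow_up` and `check_totals`; on the sample the rogue antivirus and MyWebSearch families come out as the follow-up items, the cookie family collapses to two hosts, and the totals show that only 4 of the 96 claimed registry detections are listed, which is the signal that a pasted log is an excerpt rather than evidence that the rest was clean.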

    Twylla

      Topic Starter


      Beginner
    • I love YaBB 1G - SP1!
      Re: Need to remove TROJAN:WIN32?FakeScanti
      « Reply #2 on: July 16, 2010, 11:56:41 PM »
      Thank you so much.  I hope I post the info you need exactly as you need it.  This is the first scan info.  I will do the others tomorrow.


      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 07/16/2010 at 10:17 PM

      Application Version : 4.40.1002

      Core Rules Database Version : 5220
      Trace Rules Database Version: 3032

      Scan type       : Complete Scan
      Total Scan Time : 01:20:15

      Memory items scanned      : 797
      Memory threats detected   : 0
      Registry items scanned    : 7407
      Registry threats detected : 96
      File items scanned        : 90921
      File threats detected     : 219

      Rogue.XJRAntiVirus
             HKU\S-1-5-21-3752135172-403379316-642457397-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{149256D5-E103-4523-BB43-2CFB066839D6}
             HKCR\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}

      Adware.MyWebSearch
             HKU\S-1-5-21-3752135172-403379316-642457397-1006\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
             HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
             C:\DOCUMENTS AND SETTINGS\SHERRY\MY DOCUMENTS\DOWNLOADS\SMILEYCENTRALPFSETUP2.3.67.1.SA.HP.ZNFOX000.EXE

      Adware.Tracking Cookie
             C:\Documents and Settings\Sherry\Cookies\sherry@liveperson[1].txt
             C:\Documents and Settings\Sherry\Cookies\sherry@liveperson[2].txt
             C:\Documents and Settings\Sherry\Cookies\[email protected][2].txt
             C:\Documents and Settings\Sherry\Cookies\sherry@stopzilla[1].txt
             .atdmt.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .bellcan.adbureau.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .atdmt.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .doubleclick.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .lfstmedia.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .lfstmedia.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .azjmp.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .knowledgeadventure.122.2o7.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .burstnet.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .2o7.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .2o7.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .2o7.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .2o7.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .2o7.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .2o7.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .2o7.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .atdmt.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .atdmt.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .apmebf.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .mediaplex.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .mediaplex.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .msnportal.112.2o7.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .adcentriconline.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .fastclick.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .fastclick.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .fastclick.net [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .a1.interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .a1.interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .a1.interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .a1.interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .a1.interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .www.burstnet.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .burstnet.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             www.burstbeacon.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             www.burstnet.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .burstbeacon.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .a1.interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .a1.interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .a1.interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .a1.interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .interclick.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             .tribalfusion.com [ C:\Documents and Settings\Other\Application Data\Mozilla\Firefox\Profiles\ffdx0xf7.default\cookies.sqlite ]
             C:\Documents and Settings\Other\Cookies\other@doubleclick[1].txt
             media.dreamhost.com [ C:\Documents and Settings\Sherry\Application Data\Macromedia\Flash Player\#SharedObjects\FBBNUYVG ]
             .atdmt.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .atdmt.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .doubleclick.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .bellcan.adbureau.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .hitbox.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ehg-mybc.hitbox.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .hitbox.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ehg-mybc.hitbox.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .apmebf.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .content.yieldmanager.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .fastclick.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .fastclick.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .fastclick.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .bs.serving-sys.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .serving-sys.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .serving-sys.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .serving-sys.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .serving-sys.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .serving-sys.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .serving-sys.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .serving-sys.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .burstnet.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .popcapgames.122.2o7.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .bluestreak.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .clickbank.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .adserver.adtechus.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ads.pointroll.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .pointroll.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ads.pointroll.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .pointroll.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ads.pointroll.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ads.pointroll.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ads.pointroll.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ads.pointroll.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ads.pointroll.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ads.pointroll.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .adserver.adtechus.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .mediaplex.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .mediaplex.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .atdmt.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .atdmt.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .media6degrees.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .media6degrees.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .media6degrees.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .richmedia.yahoo.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .clickbank.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .statcounter.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .questionmarket.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .imrworldwide.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .imrworldwide.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .media6degrees.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .media6degrees.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .media6degrees.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             in.getclicky.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .twittercounter.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .twittercounter.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .twittercounter.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .twittercounter.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .tribalfusion.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             statse.webtrendslive.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .adcentriconline.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .revsci.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .revsci.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .advertising.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .yieldmanager.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .lfstmedia.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .lfstmedia.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             data.coremetrics.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .liveperson.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .liveperson.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .microsoftwindows.112.2o7.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .adbrite.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .adbrite.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .questionmarket.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .2o7.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .collective-media.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .collective-media.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .revsci.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .revsci.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .adserver.adtechus.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .revsci.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .revsci.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .ehg-eset.hitbox.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .interclick.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .trafficmp.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .trafficmp.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .interclick.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .interclick.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .fastclick.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .trafficmp.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .adecn.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .adbrite.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             www.googleadservices.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .msnservices.112.2o7.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .fastclick.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .fastclick.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .zedo.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .zedo.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .zedo.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .specificclick.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .specificclick.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .msnonecare.112.2o7.net [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .content.yieldmanager.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .questionmarket.com [ C:\Documents and Settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             www.googleadservices.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .stopzilla.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             www.stopzilla.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             sdesapio-conversiontracker.appspot.com [ C:\Documents and
      Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             sdesapio-conversiontracker.appspot.com [ C:\Documents and
      Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             sdesapio-conversiontracker.appspot.com [ C:\Documents and
      Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .stopzilla.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .stopzilla.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .casalemedia.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .stopzilla.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             www.stopzilla.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .content.yieldmanager.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             .stopzilla.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             www.stopzilla.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]
             ad.yieldmanager.com [ C:\Documents and Settings\Sherry\Application
      Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\cookies.sqlite ]

      Trojan.Agent/Gen
             HKCR\idid
             HKCR\idid#url1
             HKCR\idid#url2
             HKCR\idid#url3
             HKCR\idid#url4
             HKCR\idid#url5
             HKCR\idid#url6
             HKCR\idid#url7

      Adware.MyWebSearch/FunWebProducts
             HKLM\SOFTWARE\Fun Web Products
             HKLM\SOFTWARE\Fun Web Products#JpegConversionLib
             HKLM\SOFTWARE\Fun Web Products\ScreenSaver
             HKLM\SOFTWARE\Fun Web Products\ScreenSaver#ImagesDir
             HKLM\SOFTWARE\Fun Web Products\Settings
             HKLM\SOFTWARE\Fun Web Products\Settings\Promos
             HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.numActive
             HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextNone.0
             HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqNone
             HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.numActive
             HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyTextUninstalled.0
             HKLM\SOFTWARE\Fun Web Products\Settings\Promos#BuddyFreqUninstalled
             HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn
             HKLM\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn#HTMLMenuPosDeleted
             HKLM\SOFTWARE\MyWebSearch
             HKLM\SOFTWARE\MyWebSearch\bar
             HKLM\SOFTWARE\MyWebSearch\bar#Maximized
             HKLM\SOFTWARE\MyWebSearch\bar#Visible
             HKLM\SOFTWARE\MyWebSearch\bar#UseFWB
             HKLM\SOFTWARE\MyWebSearch\bar#pid
             HKLM\SOFTWARE\MyWebSearch\bar#fwp
             HKLM\SOFTWARE\MyWebSearch\bar#un
             HKLM\SOFTWARE\MyWebSearch\bar#tiec
             HKLM\SOFTWARE\MyWebSearch\bar#Dir
             HKLM\SOFTWARE\MyWebSearch\bar#UninstallString
             HKLM\SOFTWARE\MyWebSearch\bar#PluginPath
             HKLM\SOFTWARE\MyWebSearch\bar#RegHookPath
             HKLM\SOFTWARE\MyWebSearch\bar#Id
             HKLM\SOFTWARE\MyWebSearch\bar#SettingsDir
             HKLM\SOFTWARE\MyWebSearch\bar#sr
             HKLM\SOFTWARE\MyWebSearch\bar#pl
             HKLM\SOFTWARE\MyWebSearch\MWSOEMON
             HKLM\SOFTWARE\MyWebSearch\MWSOEPLG
             HKLM\SOFTWARE\MyWebSearch\OEHosts
             HKLM\SOFTWARE\MyWebSearch\OEHosts#Windows11
             HKLM\SOFTWARE\MyWebSearch\SearchAssistant
             HKLM\SOFTWARE\MyWebSearch\SearchAssistant#pid
             HKLM\SOFTWARE\MyWebSearch\SearchAssistant#fwp
             HKLM\SOFTWARE\MyWebSearch\SearchAssistant#esh
             HKLM\SOFTWARE\MyWebSearch\SearchAssistant#lsp
             HKLM\SOFTWARE\MyWebSearch\SearchAssistant#LastRequest
             HKLM\SOFTWARE\MyWebSearch\SearchAssistant#NextRequest
             HKLM\SOFTWARE\MyWebSearch\SkinTools
             HKLM\SOFTWARE\MyWebSearch\SkinTools#PlayerPath
             HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
             HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
             HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
             HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
             HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
             HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
             HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
             HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
             HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
             HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version
             HKLM\Software\FocusInteractive
             HKLM\Software\FocusInteractive\bar
             HKLM\Software\FocusInteractive\bar\Switches
             HKLM\Software\FocusInteractive\bar\Switches#incmail.exe
             HKLM\Software\FocusInteractive\bar\Switches#msimn.exe
             HKLM\Software\FocusInteractive\bar\Switches#msn.exe
             HKLM\Software\FocusInteractive\bar\Switches#outlook.exe
             HKLM\Software\FocusInteractive\bar\Switches#waol.exe
             HKLM\Software\FocusInteractive\bar\Switches#aim.exe
             HKLM\Software\FocusInteractive\bar\Switches#icq.exe
             HKLM\Software\FocusInteractive\bar\Switches#icqlite.exe
             HKLM\Software\FocusInteractive\bar\Switches#msmsgs.exe
             HKLM\Software\FocusInteractive\bar\Switches#msnmsgr.exe
             HKLM\Software\FocusInteractive\bar\Switches#ypager.exe
             HKLM\Software\FocusInteractive\bar\Switches#ua
             HKLM\Software\FocusInteractive\bar\Switches#au
             HKLM\Software\FocusInteractive\bar\Switches#mwsSrcAs.dll
             HKLM\Software\FocusInteractive\Email-IM
             HKLM\Software\FocusInteractive\Email-IM\0
             HKLM\Software\FocusInteractive\Email-IM\0#Toolbar
             HKLM\Software\FocusInteractive\Email-IM\0#AppName
             HKLM\Software\FocusInteractive\Outlook
             HKLM\Software\FocusInteractive\Outlook#MyWebSearch.OutlookAddin
             C:\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
             C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
             C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
             C:\Program Files\MyWebSearch\bar\1.bin
             C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
             C:\Program Files\MyWebSearch\bar\Settings
             C:\Program Files\MyWebSearch\bar
             C:\Program Files\MyWebSearch
             C:\Program Files\FunWebProducts\ScreenSaver\Images
             C:\Program Files\FunWebProducts\ScreenSaver
             C:\Program Files\FunWebProducts
             C:\WINDOWS\SYSTEM32\F3PSSAVR.SCR

      Malware.Trace
             C:\WINDOWS\S32.TXT
             C:\WINDOWS\WS386.INI
             HKLM\SOFTWARE\Microsoft\Sft
             HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

      Disabled.SecurityCenterOption
             HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
             HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

      Rogue.SysinternalsAntivirus
             HKU\.DEFAULT\Software\Sysinternals Antivirus
             HKU\S-1-5-21-3752135172-403379316-642457397-1006\Software\Sysinternals Antivirus
             HKU\S-1-5-18\Software\Sysinternals Antivirus
             C:\Program Files\Sysinternals Antivirus

      Twylla

        Topic Starter


        Beginner
      • I love YaBB 1G - SP1!
        Re: Need to remove TROJAN:WIN32?FakeScanti
        « Reply #3 on: July 17, 2010, 09:31:29 AM »
        Here is the second scan

        Malwarebytes' Anti-Malware 1.46
        www.malwarebytes.org

        Database version: 4321

        Windows 5.1.2600 Service Pack 3
        Internet Explorer 7.0.5730.13

        17/07/2010 8:11:22 AM
        mbam-log-2010-07-17 (08-11-22).txt

        Scan type: Full scan (C:\|D:\|)
        Objects scanned: 271160
        Time elapsed: 2 hour(s), 25 minute(s), 9 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 1
        Registry Values Infected: 0
        Registry Data Items Infected: 1
        Folders Infected: 2
        Files Infected: 32

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss
        (Adware.MyWebSearch) -> Quarantined and deleted successfully.

        Registry Values Infected:
        (No malicious items detected)

        Registry Data Items Infected:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe gxiu.nio cunwnq) Good: (Explorer.exe) -> Quarantined and deleted successfully.

        Folders Infected:
        C:\Program Files\scdata (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images (Trojan.Dropper) -> Quarantined and deleted successfully.

        Files Infected:
        C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP267\A0034513.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP267\A0034514.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP267\A0034515.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP267\A0034516.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP258\A0033039.exe (Rogue.Installer) -> Quarantined and deleted successfully.
        C:\WINDOWS\RegGenieOnUninstall.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\i1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\i2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\i3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\j1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\j2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\j3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\jj1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\jj2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\jj3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\l1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\l2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\l3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\pix.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\t1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\t2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\Thumbs.db (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\up1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\up2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\w1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\w11.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\w2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\w3.jpg (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\word.doc (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\wt1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\wt2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
        C:\Program Files\scdata\images\wt3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.

        Twylla

          Topic Starter


          Beginner
        • I love YaBB 1G - SP1!
          Re: Need to remove TROJAN:WIN32?FakeScanti
          « Reply #4 on: July 17, 2010, 09:32:46 AM »
          3rd scan complete  ;D

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 9:01:13 AM, on 17/07/2010
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.17055)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\TELUS\TELUS security services\Fws.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
          C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\Program Files\Common Files\LightScribe\LSSrvc.exe
          C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
          C:\Program Files\LogMeIn\x86\RaMaint.exe
          C:\Program Files\LogMeIn\x86\LogMeIn.exe
          C:\Program Files\LogMeIn\x86\LMIGuardian.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\TELUS\TELUS security services\rps.exe
          C:\WINDOWS\system32\wbem\wmiapsrv.exe
          C:\Program Files\TELUS\TELUS security advisor\TsaComHandler.exe
          C:\Program Files\Common Files\Java\Java Update\jusched.exe
          C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
          C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          C:\Program Files\HP\QuickPlay\QPService.exe
          C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
          C:\WINDOWS\system32\igfxtray.exe
          C:\WINDOWS\system32\hkcmd.exe
          C:\WINDOWS\system32\igfxpers.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\PROGRA~1\IObitBar\toolbar\1.bin\i0brmon.exe
          C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
          C:\Program Files\LogMeIn\x86\LMIGuardian.exe
          C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
          C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
          C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
          C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
          C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Program Files\Mozilla Firefox\plugin-container.exe
          C:\Program Files\TELUS\TELUS security advisor\Tsa.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.ca/nbaccess
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
          R3 - URLSearchHook: (no name) - {7757CBCC-0975-4b79-A519-90B142CA3A23} - C:\Program Files\IObitBar\toolbar\1.bin\i0SrcAs.dll
          O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
          O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
          O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS security services\pkR.dll
          O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
          O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
          O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O2 - BHO: Toolbar BHO - {EFA17361-CDC0-4927-9AFC-BAAD1F96B2AE} - C:\Program Files\IObitBar\toolbar\1.bin\i0bar.dll
          O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
          O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
          O3 - Toolbar: IObit Toolbar - {EFA17369-CDC0-4927-9AFC-BAAD1F96B2AE} - C:\Program Files\IObitBar\toolbar\1.bin\i0bar.dll
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
          O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
          O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
          O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
          O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
          O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
          O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
          O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
          O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
          O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
          O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
          O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
          O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
          O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
          O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
          O4 - HKLM\..\Run: [IObitBar Browser Plugin Loader] C:\PROGRA~1\IObitBar\toolbar\1.bin\i0brmon.exe
          O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          O4 - Global Startup: Bluetooth.lnk = ?
          O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
          O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
          O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
          O8 - Extra context menu item: &Search - http://edits.myway.com/menusearch.jhtml?s=100000379&p=YH&si=&a=A402A8D4-9EFC-4CCF-868E-FE87E9061309&n=2010070612
          O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
          O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
          O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
          O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
          O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
          O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
          O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
          O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
          O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
          O17 - HKLM\System\CCS\Services\Tcpip\..\{E73232DF-E75E-4483-B1F3-351588EDAC22}: NameServer = 8.8.8.8
          O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7232DF-4C6E-4BAD-90C8-2F25E652BC38}: NameServer = 8.8.8.8
          O17 - HKLM\System\CCS\Services\Tcpip\..\{FF59D2F0-46E4-4A1D-8C74-21DD1DFECEB0}: NameServer = 8.8.8.8
          O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
          O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
          O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
          O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
          O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
          O23 - Service: Google Update Service (gupdate1cafcddc9333ed2) (gupdate1cafcddc9333ed2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
          O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
          O23 - Service: IObit Toolbar Service (IObitBarService) - IObit - C:\PROGRA~1\IObitBar\toolbar\1.bin\i0barsvc.exe
          O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
          O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
          O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
          O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
          O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
          O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
          O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
          O23 - Service: TELUS security services (Radialpoint Security Services) - TELUS - C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
          O23 - Service: TELUS security services Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS security services\Fws.exe

          --
          End of file - 12569 bytes

            Sherry Barrett

            Re: Need to remove TROJAN:WIN32?FakeScanti
            « Reply #5 on: July 17, 2010, 10:17:52 AM »
            Here's hoping and praying this works.  So many knowledgeable and helpful people, great work!
            Sherry

            SuperDave

            Re: Need to remove TROJAN:WIN32?FakeScanti
            « Reply #6 on: July 17, 2010, 11:14:50 AM »
            Ok. Please run these scans and post the logs.

            Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

            Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

            Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

            Exit out of MessengerDisable then delete the two files that were put on the desktop.

            =====================================

            Open HijackThis and select Do a system scan only

            Place a check mark next to the following entries: (if there)

            O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


            Important: Close all open windows except for HijackThis and then click Fix checked.

            Once completed, exit HijackThis.

            ====================================

            Download Security Check by screen317 from one of the following links and save it to your desktop.

            Link 1
            Link 2

            * Unzip SecurityCheck.zip and a folder named Security Check should appear.
            * Open the Security Check folder and double-click Security Check.bat
            * Follow the on-screen instructions inside of the black box.
            * A Notepad document should open automatically called checkup.txt
            * Post the contents of that document in your next reply.

            Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

            ================================

            Download ComboFix by sUBs from one of the below links. 

            Important! You MUST save ComboFix to your desktop

            link # 1
            Link # 2

            Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

            Double click on ComboFix.exe & follow the prompts.

            Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).

            Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

            When the scan completes it will open a text window.
             
            Post the contents of that log in your next reply.

            Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
            Windows 8 and Windows 10 dual boot with two SSD's
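An added example, not part of this thread or of HijackThis, showing how the three entries above are told apart from the rest of a HijackThis log. The sample log is constructed from lines that appear in the logs posted in this thread. The two decision rules are my assumption, mirroring what the helper asked to have fixed: an entry whose last field is "(no file)" is an orphaned registration, and anything that points at msmsgs.exe is a Windows Messenger hook that is dead once Messenger is uninstalled.

```python
"""Triage HijackThis O2/O9/O23 entries for orphaned CLSIDs and Windows Messenger hooks.

Added example for this thread; not part of HijackThis or of the helper's
instructions. SAMPLE_LOG is constructed from lines in the posted logs. The
decision rules (orphan = "(no file)", Messenger hook = msmsgs.exe) are an
assumption that mirrors the entries the helper asked to have fixed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample: the three entries SuperDave asked to have fixed, plus
# two legitimate O23 services from the same log for contrast.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O23 - Service: iPod Service - Apple Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe
"""


@dataclass
class Entry:
    section: str            # "O2", "O9", "O23", ...
    description: str        # e.g. "BHO: (no name)" or "Service: iPod Service"
    clsid: Optional[str]    # the {GUID} field, if the line has one
    target: str             # last field: a file path or the literal "(no file)"
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one 'Onn - field - field - ...' line; return None for non-entries."""
    line = line.strip()
    m = re.match(r"^(O\d+) - (.+)$", line)
    if not m:
        return None
    fields = [f.strip() for f in m.group(2).split(" - ")]
    if len(fields) < 2:
        return None
    clsid = next((f for f in fields if CLSID_RE.match(f)), None)
    return Entry(m.group(1), fields[0], clsid, fields[-1], line)


def triage(log_text: str) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) for every line a helper would tick before 'Fix checked'."""
    findings: List[Tuple[Entry, str]] = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e.target.lower() == "(no file)":
            findings.append((e, "orphan: CLSID or service registered but no file on disk"))
        elif e.target.lower().endswith("\\msmsgs.exe"):
            findings.append((e, "Windows Messenger hook: dead once Messenger is uninstalled"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{entry.section}] {entry.description:45s} {reason}")
```

The legitimate O23 services fall through untouched, which is the point: "Fix checked" deletes whatever is ticked, so the rule set should only match what you can justify from the line itself.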

            Twylla

              Topic Starter
              Re: Need to remove TROJAN:WIN32?FakeScanti
              « Reply #7 on: July 17, 2010, 03:44:00 PM »
               Results of screen317's Security Check version 0.99.4
               Windows XP Service Pack 3
               Internet Explorer 7 Out of date!
              ``````````````````````````````
              Antivirus/Firewall Check:

               Windows Firewall Disabled!
               RPS AntiVirus
               RPS Firewall
               Microsoft Security Essentials
               Microsoft Security Essentialy successfully updated!
              ```````````````````````````````
              Anti-malware/Other Utilities Check:

               Malwarebytes' Anti-Malware
               HijackThis 2.0.2
               CCleaner
               Java(TM) 6 Update 20
               Adobe Flash Player 10.1.53.64
              Adobe Reader 9.3.3
               Mozilla Firefox (3.6.6)
              ````````````````````````````````
              Process Check:
              objlist.exe by Laurent

               Windows Defender MSMpEng.exe
              ````````````````````````````````
              DNS Vulnerability Check:

               GREAT! (Not vulnerable to DNS cache poisoning)

              ``````````End of Log````````````

              SuperDave

              Re: Need to remove TROJAN:WIN32?FakeScanti
              « Reply #8 on: July 18, 2010, 12:52:18 PM »
              Twylla, from the Security Check it appears that you're running two Anti-Virus programs, which is a no-no: RPS AntiVirus and Microsoft Security Essentials. One will have to be disabled. I do not see the log for ComboFix?
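An added example, not part of this thread or of ComboFix, showing how the "AV:" and "FW:" lines at the top of a ComboFix log turn into the conflict finding above. The header text is constructed from the ComboFix log posted later in this thread; the line format assumed is "AV: <name> *<state>* (<signature status>) {<GUID>}" and "FW: <name> *<state>* {<GUID>}", with the parser re-joining a GUID that the forum wrapped onto its own line. The finding names are my own.

```python
"""Summarise ComboFix AV/FW header lines to spot conflicting security products.

Added example for this thread; not part of ComboFix or Security Check.
COMBOFIX_HEADER is constructed from the header of the ComboFix log posted
in this thread. The line format and the finding names are assumptions.
"""
import re
from typing import Dict, List, Tuple

GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*"
    r"(?: \((?P<sigs>[^)]+)\))? \{(?P<guid>[0-9A-Fa-f-]{36})\}$"
)

# Constructed sample, copied from the posted ComboFix header. The GUIDs were
# wrapped onto separate lines in the forum post; _join_wrapped() handles that.
COMBOFIX_HEADER = """\
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated)
{BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: TELUS security services Anti-Virus *On-access scanning disabled* (Updated)
{5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Norton Internet Worm Protection *disabled*
{990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: TELUS security services Firewall *enabled*
{80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
"""


def _join_wrapped(text: str) -> List[str]:
    """Re-attach a {GUID} that a line-wrap pushed onto the following line."""
    out: List[str] = []
    for line in text.splitlines():
        s = line.strip()
        if GUID_RE.match(s) and out:
            out[-1] = out[-1] + " " + s
        else:
            out.append(s)
    return out


def parse_products(text: str) -> List[Dict[str, object]]:
    """Return one dict per AV:/FW: line with kind, name, state, sigs, guid, realtime_on."""
    products: List[Dict[str, object]] = []
    for line in _join_wrapped(text):
        m = PRODUCT_RE.match(line)
        if not m:
            continue
        p: Dict[str, object] = dict(m.groupdict())
        # "*enabled*" -> True; "*disabled*" / "*On-access scanning disabled*" -> False
        p["realtime_on"] = "disabled" not in str(p["state"]).lower()
        products.append(p)
    return products


def assess(products: List[Dict[str, object]],
           scan_run_with_av_off: bool = True) -> List[Tuple[str, List[str]]]:
    """Return (finding, product names) pairs.

    The helper asked for real-time protection to be switched off before
    ComboFix ran, so a 'disabled' AV state at scan time is expected and is
    only reported when the caller says the scan was taken with AV live.
    More than one registered AV engine is reported regardless."""
    avs = [p for p in products if p["kind"] == "AV"]
    fws = [p for p in products if p["kind"] == "FW"]
    findings: List[Tuple[str, List[str]]] = []
    if len(avs) > 1:
        findings.append(("av_conflict", [str(a["name"]) for a in avs]))
    if not any(f["realtime_on"] for f in fws):
        findings.append(("no_active_firewall", [str(f["name"]) for f in fws]))
    if not scan_run_with_av_off:
        for a in avs:
            if not a["realtime_on"]:
                findings.append(("av_realtime_off", [str(a["name"])]))
    return findings


if __name__ == "__main__":
    for finding, names in assess(parse_products(COMBOFIX_HEADER)):
        print(finding, "->", ", ".join(names))
```

Run against the header from this thread, the only finding is the two registered AV engines. "Windows Firewall Disabled!" in the Security Check output (and "EnableFirewall"= 0 in the registry dump) is consistent with the TELUS firewall being the one that is enabled, so it is not reported as a missing firewall.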

              Twylla

                Topic Starter
                Re: Need to remove TROJAN:WIN32?FakeScanti
                « Reply #9 on: August 11, 2010, 08:11:19 AM »
                Life got in my way.  Sorry about that.  This is the Combo


                 ComboFix 10-07-16.01 - Sherry 17/07/2010  13:46:34.1.2 - x86
                 Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2038.1202 [GMT -6:00]
                 Running from: c:\documents and settings\Sherry\My Documents\Downloads\ComboFix.exe
                 AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
                 AV: TELUS security services Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
                 FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
                 FW: TELUS security services Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
                .

                 (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                c:\documents and settings\Sherry\g2mdlhlpx.exe
                c:\program files\RegGenie
                c:\program files\RegGenie\Backups\40316.8136917593
                c:\program files\RegGenie\RegGenie.ini
                c:\windows\ayitalud.dll
                D:\Autorun.inf

                .
                 (((((((((((((((((((((((((   Files Created from 2010-06-17 to 2010-07-17   )))))))))))))))))))))))))))))))
                .

                2010-07-17 15:00 . 2010-07-17 15:00     --------        d-----w-        c:\program files\Trend Micro
                2010-07-17 11:22 . 2010-07-17 11:22     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\Malwarebytes
                2010-07-17 11:21 . 2010-04-29 21:39     38224   ----a-w-
                c:\windows\system32\drivers\mbamswissarmy.sys
                2010-07-17 11:21 . 2010-07-17 11:21     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\Malwarebytes
                2010-07-17 11:21 . 2010-04-29 21:39     20952   ----a-w-
                c:\windows\system32\drivers\mbam.sys
                2010-07-17 11:21 . 2010-07-17 11:21     --------        d-----w-        c:\program
                files\Malwarebytes' Anti-Malware
                2010-07-17 02:44 . 2010-07-17 02:44     63488   ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
                2010-07-17 02:44 . 2010-07-17 02:44     52224   ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                2010-07-17 02:44 . 2010-07-17 02:44     117760  ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                2010-07-17 02:43 . 2010-07-17 02:43     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\SUPERAntiSpyware.com
                2010-07-17 02:43 . 2010-07-17 02:43     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\SUPERAntiSpyware.com
                2010-07-17 02:43 . 2010-07-17 02:50     --------        d-----w-        c:\program
                files\SUPERAntiSpyware
                2010-07-16 14:43 . 2010-07-16 14:43     16384   ---ha-w-        C:\SZKGFS.dat
                2010-07-16 14:40 . 2010-07-16 14:40     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\SITEguard
                2010-07-16 14:38 . 2010-07-16 14:38     --------        d-----w-        c:\program files\Common
                Files\iS3
                2010-07-16 14:38 . 2010-07-17 14:20     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\STOPzilla!
                2010-07-15 23:49 . 2010-07-15 23:49     --------        d-----w-        c:\documents and
                settings\Sherry\Local Settings\Application Data\LogMeIn
                2010-07-15 23:49 . 2010-07-15 23:49     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\LogMeIn
                2010-07-15 21:31 . 2010-07-15 21:31     --------        d-----w-        c:\documents and
                settings\LocalService\Local Settings\Application Data\ICS
                2010-07-15 21:31 . 2010-06-02 22:06     53632   ----a-w-
                c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
                2010-07-15 21:31 . 2010-06-02 22:06     83360   ----a-w-
                c:\windows\system32\LMIRfsClientNP.dll
                2010-07-15 21:31 . 2010-06-02 22:06     29568   ----a-w-        c:\windows\system32\LMIport.dll
                2010-07-15 21:31 . 2010-01-27 18:22     47640   ----a-w-
                c:\windows\system32\drivers\LMIRfsDriver.sys
                2010-07-15 21:29 . 2010-06-02 22:06     87424   ----a-w-        c:\windows\system32\LMIinit.dll
                2010-07-15 21:29 . 2010-07-17 11:03     --------        d-----w-        c:\program files\LogMeIn
                2010-07-15 21:26 . 2010-07-15 21:28     --------        d-----w-        c:\documents and
                settings\Sherry\Local Settings\Application Data\Deployment
                2010-07-15 16:05 . 2010-07-15 16:05     --------        d-----w-        c:\program files\Microsoft
                Security Essentials
                2010-07-14 12:54 . 2010-06-14 14:31     744448  ------w-
                c:\windows\system32\dllcache\helpsvc.exe
                2010-07-14 04:09 . 2010-07-15 13:16     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\Norton
                2010-07-14 04:09 . 2010-07-14 04:09     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\NortonInstaller
                2010-07-05 16:13 . 2010-07-05 16:13     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                2010-07-05 16:05 . 2010-07-13 15:02     --------        d-----w-        c:\program files\QuickTime
                2010-07-05 15:59 . 2010-07-13 15:01     --------        d-----w-        c:\program files\Bonjour
                2010-07-05 15:51 . 2010-07-05 15:51     72504   ----a-w-        c:\documents and settings\All
                Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
                2010-07-03 16:52 . 2010-07-03 16:52     --------        d-----w-        c:\documents and
                settings\Other\Application Data\HPAppData
                2010-06-25 16:16 . 2006-03-23 12:12     139264  ----a-w-        c:\windows\system32\igfxres.dll
                2010-06-25 16:00 . 2010-07-13 15:00     --------        d-----w-        c:\program files\NetWaiting
                2010-06-25 15:59 . 2010-06-25 15:59     --------        d-----w-        c:\program files\Broadcom
                2010-06-25 15:54 . 2010-06-25 15:54     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\Uniblue
                2010-06-21 02:21 . 2010-06-21 02:21     --------        d-----w-        c:\program files\Common
                Files\L&H
                2010-06-20 21:14 . 2010-07-13 14:59     --------        d-----r-        c:\program files\Skype
                2010-06-20 14:33 . 2010-07-13 14:55     --------        d-----w-        c:\windows\system32\XPSViewer
                2010-06-20 14:33 . 2010-06-20 14:33     --------        d-----w-        c:\program files\MSBuild
                2010-06-20 14:33 . 2010-06-20 14:33     --------        d-----w-        c:\program files\Reference
                Assemblies
                2010-06-20 14:33 . 2008-07-06 12:06     89088   ----a-w-
                c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
                2010-06-20 14:31 . 2008-07-06 12:06     89088   ------w-
                c:\windows\system32\dllcache\filterpipelineprintproc.dll
                2010-06-20 14:31 . 2008-07-06 12:06     575488  ------w-        c:\windows\system32\xpsshhdr.dll
                2010-06-20 14:31 . 2008-07-06 12:06     575488  ------w-
                c:\windows\system32\dllcache\xpsshhdr.dll
                2010-06-20 14:31 . 2008-07-06 12:06     1676288 ------w-        c:\windows\system32\xpssvcs.dll
                2010-06-20 14:31 . 2008-07-06 12:06     1676288 ------w-
                c:\windows\system32\dllcache\xpssvcs.dll
                2010-06-20 14:31 . 2008-07-06 12:06     117760  ------w-        c:\windows\system32\prntvpt.dll
                2010-06-20 14:31 . 2008-07-06 10:50     597504  ------w-
                c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
                2010-06-20 14:31 . 2008-07-06 10:50     597504  ------w-
                c:\windows\system32\dllcache\printfilterpipelinesvc.exe

                .
                 ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2010-07-17 19:56 . 2009-09-12 16:14     48210208        --sha-w-
                c:\windows\system32\drivers\fidbox.dat
                2010-07-17 19:56 . 2009-09-12 16:14     2107424 --sha-w-
                c:\windows\system32\drivers\fidbox2.dat
                2010-07-17 16:42 . 2009-09-12 16:14     644948  --sha-w-
                c:\windows\system32\drivers\fidbox.idx
                2010-07-17 16:42 . 2009-09-12 16:14     197540  --sha-w-
                c:\windows\system32\drivers\fidbox2.idx
                2010-07-17 16:42 . 2010-05-26 14:14     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\Skype
                2010-07-17 15:45 . 2010-05-26 14:18     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\skypePM
                2010-07-17 14:18 . 2010-07-17 14:18     240     ----a-w-
                c:\windows\system32\drivers\kgpcpy.cfg
                2010-07-15 23:42 . 2006-05-19 07:02     --------        d-----w-        c:\program files\CONEXANT
                2010-07-15 15:54 . 2009-11-19 16:21     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\HPAppData
                2010-07-15 15:35 . 2006-03-27 16:17     86835   ----a-w-
                c:\windows\pchealth\helpctr\OfflineCache\index.dat
                2010-07-15 13:16 . 2006-05-19 07:24     --------        d-----w-        c:\program files\Common
                Files\Symantec Shared
                2010-07-14 02:56 . 2010-07-13 15:01     --------        d---a-w-        c:\documents and
                settings\All Users\Application Data\TEMP
                2010-07-13 17:31 . 2010-05-19 01:38     --------        d-----w-        c:\program files\RegistryTool
                2010-07-13 17:29 . 2010-05-19 01:39     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\RegistryTool
                2010-07-13 15:02 . 2010-07-13 15:02     --------        d-----w-        c:\documents and
                settings\Other\Application Data\Apple Computer
                2010-07-13 15:02 . 2010-07-05 16:13     --------        d-----w-        c:\program files\iTunes
                2010-07-13 15:02 . 2010-07-05 16:13     --------        d-----w-        c:\program files\iPod
                2010-07-13 15:02 . 2009-09-06 04:14     --------        d-----w-        c:\program files\Common
                Files\Apple
                2010-07-13 14:59 . 2010-02-02 23:57     --------        d-----w-        c:\program files\Citrix
                2010-07-13 14:59 . 2010-07-13 14:59     --------        d-----w-        c:\program files\Common
                Files\Skype
                2010-07-13 14:59 . 2010-05-26 14:11     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\Skype
                2010-07-13 14:58 . 2010-07-13 14:58     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\Driver Whiz
                2010-07-13 14:57 . 2006-05-19 04:51     --------        d-----w-        c:\program files\Hp
                2010-07-13 14:50 . 2010-07-12 16:46     --------        d-----w-        c:\program files\Windows
                Defender
                2010-07-07 16:35 . 2010-07-07 16:35     552     ----a-w-        c:\windows\system32\d3d8caps.dat
                2010-07-06 21:12 . 2009-09-06 04:18     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\Apple Computer
                2010-07-06 13:14 . 2010-07-06 13:14     --------        d-----w-        c:\program files\IObitBar
                2010-07-03 16:41 . 2009-09-12 16:22     88896   ----a-w-        c:\documents and
                settings\Other\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                2010-06-27 23:00 . 2010-06-05 18:25     --------        d-----w-        c:\program files\CCleaner
                2010-06-20 19:39 . 2009-08-04 07:13     88896   ----a-w-        c:\documents and
                settings\Sherry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                2010-06-14 14:31 . 2004-08-04 21:00     744448  ----a-w-
                c:\windows\pchealth\helpctr\binaries\helpsvc.exe
                2010-06-09 15:58 . 2009-10-06 13:52     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\HpUpdate
                2010-06-05 18:28 . 2010-06-05 18:28     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\IObit
                2010-06-05 18:28 . 2010-06-05 18:28     --------        d-----w-        c:\program files\IObit
                2010-06-05 18:03 . 2006-05-19 07:14     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\HP
                2010-06-05 16:23 . 2009-11-23 20:14     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\Microsoft Help
                2010-06-05 16:22 . 2006-05-19 07:10     --------        d-----w-        c:\program files\Microsoft
                Works
                2010-06-05 15:53 . 2010-06-02 19:27     160205  ----a-w-        c:\windows\hpoins44.dat
                2010-06-04 21:45 . 2009-11-23 19:33     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\GetRightToGo
                2010-06-04 16:11 . 2009-08-16 02:41     --------        d-----w-        c:\documents and
                settings\Sherry\Application Data\HP
                2010-06-02 20:48 . 2010-06-02 20:48     10134   ----a-r-        c:\documents and
                settings\Sherry\Application
                Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
                2010-06-02 20:03 . 2010-01-23 18:28     --------        d-----w-        c:\program files\Windows Live
                2010-06-02 20:01 . 2010-06-02 20:01     --------        d-----w-        c:\program files\Microsoft
                SQL Server Compact Edition
                2010-06-02 19:33 . 2010-06-02 19:33     --------        d-----w-        c:\program files\Common
                Files\Hewlett-Packard
                2010-06-01 17:37 . 2010-07-12 16:50     221568  ------w-
                c:\windows\system32\MpSigStub.exe
                2010-06-01 12:45 . 2010-04-08 19:02     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\NOS
                2010-05-28 16:15 . 2010-05-28 16:15     503808  ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1082a321-n\msvcp71.dll
                2010-05-28 16:15 . 2010-05-28 16:15     499712  ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1082a321-n\jmc.dll
                2010-05-28 16:15 . 2010-05-28 16:15     348160  ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1082a321-n\msvcr71.dll
                2010-05-28 16:15 . 2010-05-28 16:15     61440   ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2081b5e3-n\decora-sse.dll
                2010-05-28 16:15 . 2010-05-28 16:15     12800   ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2081b5e3-n\decora-d3d.dll
                2010-05-26 14:19 . 2010-05-26 14:19     56      ---ha-w-        c:\windows\system32\ezsidmv.dat
                2010-05-26 14:16 . 2006-05-19 07:33     --------        d-----w-        c:\program files\Google
                2010-05-19 01:21 . 2010-05-19 01:21     --------        d-----w-        c:\program files\Common
                Files\ParetoLogic
                2010-05-19 01:21 . 2010-05-19 01:21     --------        d-----w-        c:\documents and
                settings\All Users\Application Data\ParetoLogic
                2010-05-19 00:58 . 2010-05-19 00:58     86016   ----a-w-        c:\documents and settings\All
                Users\Application Data\NOS\Adobe_Downloads\arh.exe
                2010-05-19 00:55 . 2010-05-19 00:55     --------        d-----w-        c:\documents and
                settings\Sherry\Application
                Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
                2010-05-18 22:35 . 2010-05-18 22:35     91424   ----a-w-        c:\windows\system32\dnssd.dll
                2010-05-18 22:35 . 2010-05-18 22:35     197920  ----a-w-        c:\windows\system32\dnssdX.dll
                2010-05-18 22:35 . 2010-05-18 22:35     107808  ----a-w-        c:\windows\system32\dns-sd.exe
                2010-05-06 18:04 . 2010-05-06 18:04     503808  ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35ee882f-n\msvcp71.dll
                2010-05-06 18:04 . 2010-05-06 18:04     499712  ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35ee882f-n\jmc.dll
                2010-05-06 18:04 . 2010-05-06 18:04     348160  ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35ee882f-n\msvcr71.dll
                2010-05-06 18:04 . 2010-05-06 18:04     61440   ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-70faaa81-n\decora-sse.dll
                2010-05-06 18:04 . 2010-05-06 18:04     12800   ----a-w-        c:\documents and
                settings\Sherry\Application
                Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-70faaa81-n\decora-d3d.dll
                2010-05-06 18:04 . 2010-05-06 18:04     411368  ----a-w-
                c:\windows\system32\deployJava1.dll
                2010-05-04 17:20 . 2004-08-04 21:00     832512  ----a-w-        c:\windows\system32\wininet.dll
                2010-05-04 17:20 . 2004-08-04 21:00     78336   ----a-w-        c:\windows\system32\ieencode.dll
                2010-05-04 17:20 . 2004-08-04 21:00     17408   ------w-        c:\windows\system32\corpol.dll
                2010-05-02 05:22 . 2004-08-04 21:00     1851264 ----a-w-        c:\windows\system32\win32k.sys
                2010-04-20 05:30 . 2004-08-04 21:00     285696  ----a-w-        c:\windows\system32\atmfd.dll
                2006-10-01 04:22 . 2009-07-29 00:27     22      --sha-w-        c:\windows\SMINST\HPCD.SYS
                .

                 (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
                 "{7757CBCC-0975-4b79-A519-90B142CA3A23}"= "c:\program files\IObitBar\toolbar\1.bin\i0SrcAs.dll" [2010-07-06 49152]

                 [HKEY_CLASSES_ROOT\clsid\{7757cbcc-0975-4b79-a519-90b142ca3a23}]

                 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFA17361-CDC0-4927-9AFC-BAAD1F96B2AE}]
                 2010-07-06 13:14        638976  ----a-w-        c:\program files\IObitBar\toolbar\1.bin\i0bar.dll

                 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
                 "{EFA17369-CDC0-4927-9AFC-BAAD1F96B2AE}"= "c:\program files\IObitBar\toolbar\1.bin\i0bar.dll" [2010-07-06 638976]

                 [HKEY_CLASSES_ROOT\clsid\{efa17369-cdc0-4927-9afc-baad1f96b2ae}]

                 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
                 "{EFA17369-CDC0-4927-9AFC-BAAD1F96B2AE}"= "c:\program files\IObitBar\toolbar\1.bin\i0bar.dll" [2010-07-06 638976]

                 [HKEY_CLASSES_ROOT\clsid\{efa17369-cdc0-4927-9afc-baad1f96b2ae}]

                 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                 "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-29 2403568]

                 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                 "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
                 "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
                 "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
                 "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
                 "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
                 "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
                 "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
                 "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
                 "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
                 "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
                 "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
                 "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
                 "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
                 "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
                 "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
                 "IObitBar Browser Plugin Loader"="c:\progra~1\IObitBar\toolbar\1.bin\i0brmon.exe" [2010-07-06 20480]
                 "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]

                 c:\documents and settings\All Users\Start Menu\Programs\Startup\
                 Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-27 581693]
                 HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
                 HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

                 [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                 "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                 2009-09-03 22:21        548352  ----a-w-        c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
                 2010-06-02 22:06        87424   ----a-w-        c:\windows\system32\LMIinit.dll

                [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                BootExecute     REG_MULTI_SZ    PDBoot.exe\0autocheck autochk *

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                @="Service"

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                @="Service"

                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                "DisableMonitoring"=dword:00000001

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                "EnableFirewall"= 0 (0x0)

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "%windir%\\system32\\sessmgr.exe"=
                "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
                "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqcopy2.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfcCopy.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
                "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqsudi.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpsapp.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpse.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgm.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgh.exe"=
                "c:\\Program Files\\Hp\\HP Software Update\\hpwucli.exe"=
                "c:\\Program Files\\Hp\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
                "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
                "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                "c:\\Program Files\\iTunes\\iTunes.exe"=
                "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

                R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 12:25 PM 12872]
                R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 12:41 PM 67656]
                R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [27/01/2010 12:22 PM 12856]
                S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
                S2 gupdate1cafcddc9333ed2;Google Update Service (gupdate1cafcddc9333ed2);c:\program files\Google\Update\GoogleUpdate.exe [26/05/2010 8:12 AM 133104]
                S2 IObitBarService;IObit Toolbar Service;c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe [06/07/2010 7:14 AM 28766]
                S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
                S3 Radialpoint Security Services;TELUS security services;c:\program files\TELUS\TELUS security services\RpsSecurityAwareR.exe [09/12/2008 3:04 PM 97520]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                HPZ12   REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
                hpdevmgmt       REG_MULTI_SZ    hpqcxs08 hpqddsvc
                .
                Contents of the 'Scheduled Tasks' folder

                2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-26 14:11]

                2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-26 14:11]

                2010-07-17 c:\windows\Tasks\MP Scheduled Scan.job
                - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]

                2010-07-17 c:\windows\Tasks\ParetoLogic Registration3.job
                - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

                2010-05-19 c:\windows\Tasks\ParetoLogic Update Version3.job
                - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]
                .
                .
                ------- Supplementary Scan -------
                .
                uStart Page =
                hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
                uSearchMigratedDefaultURL =
                hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
                uInternet Connection Wizard,ShellNext = hxxp://www.hp.ca/nbaccess
                uInternet Settings,ProxyOverride = *.local
                IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
                IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
                IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
                IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
                IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
                IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
                IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
                IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
                TCP: {E73232DF-E75E-4483-B1F3-351588EDAC22} = 8.8.8.8
                TCP: {FE7232DF-4C6E-4BAD-90C8-2F25E652BC38} = 8.8.8.8
                TCP: {FF59D2F0-46E4-4A1D-8C74-21DD1DFECEB0} = 8.8.8.8
                FF - ProfilePath - c:\documents and settings\Sherry\Application Data\Mozilla\Firefox\Profiles\3jc2ngcb.default\
                FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
                FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=home|http://legacywebmail.telus.net/horde/imp/mailbox.php?mailbox=INBOX|http://by130w.bay130.mail.live.com/default.aspx?rru=inbox&wa=wsignin1.0&nwi=1&n=891874880|http://biblestudy.crosswalk.com/|http://www.workathomeprofitzone.com/members/|http://www.danijohnson.com/category/home-business/|http://www.risetosuccess.com/members/|http://www.theweathernetwork.com/weather/caab0253
                FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
                FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
                FF - plugin: c:\program files\IObitBar\toolbar\1.bin\NPi0Stub.dll
                FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
                FF - plugin: c:\program files\TELUS\TELUS security advisor\nprpspa.dll
                FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
                FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                ---- FIREFOX POLICIES ----
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
                .

                **************************************************************************

                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
                http://www.gmer.net
                Rootkit scan 2010-07-17 13:56
                Windows 5.1.2600 Service Pack 3 NTFS

                scanning hidden processes ...

                scanning hidden autostart entries ...

                HKLM\Software\Microsoft\Windows\CurrentVersion\Run
                 Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????
                ???@???????????????@? ????O??????(?@???????@

                scanning hidden files ...

                scan completed successfully
                hidden files: 0

                **************************************************************************
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------

                - - - - - - - > 'winlogon.exe'(1260)
                c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                c:\windows\system32\WININET.dll
                c:\windows\system32\LMIinit.dll
                .
                Completion time: 2010-07-17  13:59:15
                ComboFix-quarantined-files.txt  2010-07-17 19:59

                Pre-Run: 72,244,109,312 bytes free
                Post-Run: 72,406,978,560 bytes free

                WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
                [boot loader]
                timeout=2
                default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                [operating systems]
                c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition"
                /noexecute=optin /fastdetect

                - - End Of File - - 9A28319BCF561B39E88422243D7F7765
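A log of this length is easy to misread by eye, and the items that matter for triage are scattered across several sections: the standard-profile firewall policy is disabled ("EnableFirewall"= 0), Security Center monitoring is switched off for SymantecFirewall, BootExecute carries PDBoot.exe in front of the default autochk entry, two Notify DLLs load into winlogon.exe (the "DLLs Loaded Under Running Processes" section confirms this), a ShellExecuteHook is registered, one driver's file could not be read ([?]), and all three adapters point at the public resolver 8.8.8.8. The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses the registry key blocks, service lines and TCP/DNS lines in the format ComboFix prints and returns those findings. The baseline (Windows XP's default BootExecute value "autocheck autochk *") and the severity labels are assumptions; the sample input is a constructed excerpt of the log above with wrapped lines rejoined.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).
Parses registry key blocks, service lines and TCP/DNS lines as ComboFix
prints them; baselines and severities below are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed baseline: Windows XP's default BootExecute value.
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "R1 name;description;path [date size]"  -> name, path, bracket contents
SERVICE_RE = re.compile(r"^[RS][0-3] ([^;]+);[^;]*;(.+?)(?: \[(.*)\])?$")
DNS_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (.+)$")
HOOK_RE = re.compile(r'^"(\{[0-9A-Fa-f-]+\})"= "([^"]+)"')
NOTIFY_RE = re.compile(r"^\S+ \S+\s+\d+\s+\S+\s+(.+)$")  # date time size attrs path


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str


def parse_blocks(text):
    """Yield (key, [value lines]) for each bracketed registry key block;
    ComboFix prints the key on its own line and a blank line closes it."""
    key, values = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m or not line:
            if key is not None:
                yield key, values
            key, values = (m.group(1) if m else None), []
        elif key is not None:
            values.append(line)
    if key is not None:
        yield key, values


def triage(text):
    findings = []
    for key, values in parse_blocks(text):
        k = key.lower()
        if k.endswith("firewallpolicy\\standardprofile"):
            for v in values:
                if v.startswith('"EnableFirewall"=') and v.split("=", 1)[1].strip().startswith("0"):
                    findings.append(Finding("high", "Windows Firewall disabled (standard profile)"))
        elif "\\security center\\monitoring\\" in k:
            component = key.rsplit("\\", 1)[-1]
            if any("disablemonitoring" in v.lower() and v.lower().endswith("dword:00000001") for v in values):
                findings.append(Finding("medium", f"Security Center monitoring disabled for {component}"))
        elif k.endswith("\\session manager"):
            for v in values:
                if v.startswith("BootExecute"):
                    # ComboFix renders the REG_MULTI_SZ separator as a literal "\0"
                    entries = re.split(r"\\0", v.split("REG_MULTI_SZ", 1)[1].strip())
                    for extra in (e for e in entries if e and e not in DEFAULT_BOOTEXECUTE):
                        findings.append(Finding("medium", f"Non-default BootExecute entry runs before logon: {extra}"))
        elif "\\winlogon\\notify\\" in k:
            for m in filter(None, map(NOTIFY_RE.match, values)):
                findings.append(Finding("info", f"Winlogon Notify DLL loads into winlogon.exe: {m.group(1)}"))
        elif k.endswith("\\shellexecutehooks"):
            for m in filter(None, map(HOOK_RE.match, values)):
                findings.append(Finding("info", f"ShellExecuteHook {m.group(1)} -> {m.group(2)}"))

    dns = set()
    for line in (ln.strip() for ln in text.splitlines()):
        m = SERVICE_RE.match(line)
        if m and m.group(3) == "?":  # ComboFix prints [?] when it could not read the file
            findings.append(Finding("info", f"Service {m.group(1)}: file could not be read ({m.group(2)})"))
        m = DNS_RE.match(line)
        if m:
            dns.update(filter(None, re.split(r"[ ,]+", m.group(1))))
    for server in sorted(dns):
        try:
            if not ipaddress.ip_address(server).is_private:
                findings.append(Finding("info", f"Static public DNS server configured: {server}"))
        except ValueError:
            findings.append(Finding("info", f"Unparseable DNS server entry: {server}"))
    return findings


# Constructed excerpt of the posted log (wrapped lines rejoined) so this runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21        548352  ----a-w-        c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-02 22:06        87424   ----a-w-        c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute     REG_MULTI_SZ    PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 IObitBarService;IObit Toolbar Service;c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe [06/07/2010 7:14 AM 28766]
TCP: {E73232DF-E75E-4483-B1F3-351588EDAC22} = 8.8.8.8
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.message}")
```

Run it on a saved ComboFix.txt by passing the file contents to triage(); the "high" finding alone (firewall policy disabled while the log also shows Security Center monitoring turned off) is the kind of item that gets lost in a 1,700-line paste, and the Notify and ShellExecuteHook listings give you the exact DLL paths to check publisher signatures on.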

                SuperDave

                Re: Need to remove TROJAN:WIN32?FakeScanti
                « Reply #10 on: August 11, 2010, 04:55:42 PM »
                Registry cleaners (RegistryTool) are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance. There are a number of them available and some are safer than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

                For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

                Further reading: XP Fixes Myth #1: Registry Cleaners

                =====================================

                Please download 7-Zip and install it. If you already have it, no need to reinstall.

                Then, download RootkitUnhooker and save the setup to your Desktop.

                • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
                • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
                • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
                • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
                • Once inside the interface, do not fix anything. Click on the Report tab.
                • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
                • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
                • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.
                Windows 8 and Windows 10 dual boot with two SSD's

                Twylla

                  Re: Need to remove TROJAN:WIN32?FakeScanti
                  « Reply #11 on: August 11, 2010, 11:07:46 PM »
                  I figured out how to open it, and it is downloaded on the Start-up menu. I went to 7-Zip;
                  however, the only options to extract to are: Extract files, Extract here and
                  Extract to "kndRPdg7QBa". I extracted it to the last one. I'm not following what
                  you want me to do or if this was right.

                  SuperDave

                  Re: Need to remove TROJAN:WIN32?FakeScanti
                  « Reply #12 on: August 12, 2010, 05:40:38 PM »
                  Don't bother with that one. Try this one.

                  Download the GMER Rootkit Scanner. Unzip it to your Desktop.

                  Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

                  Double-click gmer.exe. The program will begin to run.

                  **Caution**
                  These types of scans can produce false positives. Do NOT take any action on any
                  "<--- ROOTKIT" entries unless advised!

                  If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
                  • Click NO
                  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
                  • Now click the Scan button.
                  • Once the scan is complete, you may receive another notice about rootkit activity.
                  • Click OK.
                  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
                  • Save it where you can easily find it, such as your desktop.

                  Twylla

                    Re: Need to remove TROJAN:WIN32?FakeScanti
                    « Reply #13 on: August 12, 2010, 08:17:26 PM »
                    I followed the directions for the GMER scan; it was scanning and my computer
                    restarted itself. Should I redo the scan? This was before the log came up so that I
                    could save it. Awaiting instructions.

                    SuperDave

                    Re: Need to remove TROJAN:WIN32?FakeScanti
                    « Reply #14 on: August 13, 2010, 04:57:38 PM »
                    Yes, please run the scan again and see if you can get the log.