Thread: win32.fraudpackage.dl

  1. #1
    Junior Member (Join Date: Apr 2012, Posts: 6)

    win32.fraudpackage.dl
    Hello Folks,

    I have this annoying fraud package showing up randomly that spybot detects and cleans, but it keeps reappearing along with ad.yieldmanager.com and yieldmanager.net. Just for fun, sometimes I even get adserver.adtechus.com thrown in for good measure. Not sure how to clean this stuff off of my system. I ran regedit and followed the manual removal instructions from safernetworking, to no avail. Thanks for any help you can be in this situation.
    Mike
    Here is my control y as requested.
    Win32.FraudPackage.dl: [SBI $FA4976EE] User settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1645522239-1303643608-682003330-1003\Software\SuperSoftwarePackage


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2011-08-26 unins000.exe (51.49.0.0)
    2012-02-29 unins001.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2012-01-16 Includes\Adware.sbi (*)
    2012-03-20 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-11-29 Includes\DialerC.sbi (*)
    2012-01-31 Includes\HeavyDuty.sbi (*)
    2012-03-20 Includes\Hijackers.sbi (*)
    2011-10-04 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2012-03-13 Includes\Keyloggers.sbi (*)
    2012-03-13 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2012-03-27 Includes\Malware.sbi (*)
    2012-04-03 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2012-02-28 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2011-02-24 Includes\Security.sbi (*)
    2011-12-13 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2012-01-17 Includes\Spyware.sbi (*)
    2012-02-28 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2011-09-28 Includes\Trojans.sbi (*)
    2012-04-03 Includes\TrojansC-02.sbi (*)
    2012-04-03 Includes\TrojansC-03.sbi (*)
    2012-04-03 Includes\TrojansC-04.sbi (*)
    2012-03-27 Includes\TrojansC-05.sbi (*)
    2012-04-03 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
    Run by Nunya at 16:54:05 on 2012-04-04
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2387 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Trend Micro Titanium *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Program Files\HitmanPro\hmpsched.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
    C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
    C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
    C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\IProsetMonitor.exe
    E:\programs\AiO\Center\EKAiOHostService.exe
    E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Motive\McciServiceHost.exe
    C:\WINDOWS\system32\nlssrv32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://att.net
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    uDefault_Page_URL = hxxp://att.net
    uInternet Settings,ProxyOverride = 127.0.0.1
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [cdloader] "c:\documents and settings\nunya\application data\mjusbsp\cdloader2.exe" MAGICJACK
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Conime] %windir%\system32\conime.exe
    mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [KodakHomeCenter] "e:\programs\aio\center\AiOHomeCenter.exe"
    StartupFolder: c:\docume~1\nunya\startm~1\programs\startup\erunta~1.lnk - c:\documents and settings\all users\desktop\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - e:\program files\SetPoint.exe
    uPolicies-explorer: MaxRecentDocs = 21 (0x15)
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: $talisma_url$
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
    TCP: Interfaces\{B7C8F692-6EAD-482C-A074-9FC6292FBF52} : NameServer = 8.8.8.8,8.8.4.4
    TCP: Interfaces\{B7C8F692-6EAD-482C-A074-9FC6292FBF52} : DhcpNameServer = 192.168.0.1 192.168.0.1
    Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
    Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    IFEO: cdbxpp.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: fixitcenter.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: labelprint.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: lightscribecontrolpanel.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: lslauncher.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    .
    Note: multiple IFEO entries found. Please refer to Attach.txt
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\nunya\application data\mozilla\firefox\profiles\xd8d099i.default\
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: e:\programs\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: e:\programs\adobe\reader 10.0\reader\browser\nppdf32.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [2011-10-23 56496]
    R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [2011-10-23 12464]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsl1c5615a4;MpKsl1c5615a4;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{56bb2bf2-2c55-4984-be8a-5ac33b0be023}\MpKsl1c5615a4.sys [2012-4-4 29904]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2002-6-25 14336]
    R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-7-11 188272]
    R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-3-2 90952]
    R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2011-8-11 112800]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;e:\programs\aio\center\EKAiOHostService.exe [2011-12-19 394672]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2011-9-1 10384]
    R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-6 652360]
    R2 McciServiceHost;McciServiceHost;c:\program files\common files\motive\McciServiceHost.exe [2011-11-13 315392]
    R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2011-11-16 66560]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-7-10 64080]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2012-2-9 1529152]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-15 20464]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2012-2-9 10064]
    S1 liggoaet;liggoaet;\??\c:\windows\system32\drivers\liggoaet.sys --> c:\windows\system32\drivers\liggoaet.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\tcaitdi.sys --> c:\windows\system32\drivers\TCAITDI.sys [?]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253600]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [2011-8-11 45288]
    S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2011-7-8 9344]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-6-25 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
    .
    =============== Created Last 30 ================
    .
    2012-04-04 21:50:13 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{56bb2bf2-2c55-4984-be8a-5ac33b0be023}\MpKsl1c5615a4.sys
    2012-04-04 21:16:25 -------- d-----w- c:\documents and settings\nunya\application data\Safer Networking
    2012-04-04 16:59:39 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{56bb2bf2-2c55-4984-be8a-5ac33b0be023}\mpengine.dll
    2012-04-03 13:37:31 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-03-23 03:42:56 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-03-23 03:42:56 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    2012-03-20 13:14:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2012-03-20 13:14:51 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-03-20 13:14:41 -------- d-----w- c:\windows\system32\Cache
    2012-03-18 00:15:58 -------- d-----w- C:\RECYCLER(2)
    2012-03-16 18:31:01 -------- d-----w- C:\cmdcons
    2012-03-16 18:29:39 -------- d-----w- C:\ComboFix
    .
    ==================== Find3M ====================
    .
    2012-04-03 13:37:31 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-01 01:41:13 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2012-03-01 00:24:46 709968 ----a-w- c:\windows\is-V2VAN.exe
    2012-02-18 02:42:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-02-18 02:42:24 472808 -c--a-w- c:\windows\system32\deployJava1.dll
    2012-02-09 20:13:28 31552 -c--a-w- c:\windows\system32\TURegOpt.exe
    2012-02-09 13:13:18 28992 ----a-w- c:\windows\system32\uxtuneup.dll
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-29 11:10:42 237072 -c----w- c:\windows\system32\MpSigStub.exe
    2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ============= FINISH: 16:56:07.23 ===============
    Last edited by tashi; 2012-04-06 at 01:46. Reason: Copy pasted log into topic as per sticky. :-)