
Potential Problem???



pmaxxx13
2012-01-12, 03:27
My wife was tricked into downloading/purchasing a scam anti-virus from Edit. They have already hit our credit card twice for $69.95. I have suspended the card and am working with the fraud division of our bank.

Not sure what she may have downloaded, but expect that there is something on her laptop that caused the original pop-ups that tricked her into this purchase.

Appreciate the help (once again).

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Elizabeth at 20:01:58 on 2012-01-11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.811 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\system32\STacSV.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\AOL\1205800139\ee\aolsoftware.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Software Informer\softinfo.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1205800139\ee\AOLDesktop.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\mcupdate.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\RacAgent.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120109210944.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Software Informer] "c:\program files\software informer\softinfo.exe" -autorun
uRun: [fsm]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] c:\program files\dell support center\gs_agent\custom\dsca.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [HostManager] c:\program files\common files\aol\1205800139\ee\AOLSoftware.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\elizab~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\aoldes~1.lnk - c:\program files\common files\aol\launch\aollaunch.exe
StartupFolder: c:\users\elizab~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{27160E6B-2112-4BAE-AC82-07E4DFFBCEEF} : DhcpNameServer = 75.75.75.75 75.75.76.76
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-11-4 464176]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-11-4 64880]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-11-4 165680]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-3-9 73728]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-18 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-8-30 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-11-4 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-11-4 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-11-4 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-4 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-11-4 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-4 150856]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-5 1153368]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-4 57600]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-3-10 111104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-11 40776]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-4 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-4 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-4 338176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9df7b19a4bd40;Google Update Service (gupdate1c9df7b19a4bd40);c:\program files\google\update\GoogleUpdate.exe [2009-5-28 133104]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-3-9 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-28 133104]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-4 87656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-12 00:55:02 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-12 00:55:02 -------- d-----w- c:\users\elizabeth\appdata\roaming\Malwarebytes
2012-01-12 00:54:30 -------- d-----w- c:\programdata\Malwarebytes
2012-01-12 00:54:27 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-12 00:54:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-10 01:13:00 161792 ----a-w- c:\windows\system32\msls31.dll
2012-01-10 01:13:00 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-01-10 01:13:00 107008 ----a-w- c:\program files\internet explorer\iecleanup.exe
2012-01-09 14:51:46 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2012-01-09 09:46:12 -------- d-----w- c:\program files\Windows Portable Devices
2012-01-09 09:06:22 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2012-01-09 09:06:20 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2012-01-09 09:06:19 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2012-01-09 08:59:32 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2012-01-09 08:59:26 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2012-01-09 08:59:26 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2012-01-09 08:59:26 252928 ----a-w- c:\windows\system32\dxdiag.exe
2012-01-09 08:59:26 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2012-01-09 08:59:26 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2012-01-09 08:59:23 519680 ----a-w- c:\windows\system32\d3d11.dll
2012-01-07 18:24:21 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-01-07 18:24:20 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-01-07 18:24:16 293376 ----a-w- c:\windows\system32\psisdecd.dll
2012-01-07 18:24:16 217088 ----a-w- c:\windows\system32\psisrndr.ax
2012-01-07 18:24:15 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2012-01-07 18:24:14 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2012-01-07 18:24:12 375808 ----a-w- c:\windows\system32\winsrv.dll
2012-01-07 18:22:45 98816 ----a-w- c:\windows\system32\mfps.dll
2012-01-07 18:22:45 258048 ----a-w- c:\windows\system32\winspool.drv
2012-01-07 18:22:44 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2012-01-07 18:19:33 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-01-07 18:18:42 2043904 ----a-w- c:\windows\system32\win32k.sys
2012-01-07 18:18:38 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-01-07 18:18:34 49152 ----a-w- c:\windows\system32\csrsrv.dll
2012-01-07 18:18:26 2048 ----a-w- c:\windows\system32\tzres.dll
2012-01-07 18:17:50 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2012-01-07 18:17:50 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2012-01-07 18:17:50 238080 ----a-w- c:\windows\system32\oleacc.dll
2012-01-07 18:17:49 563712 ----a-w- c:\windows\system32\oleaut32.dll
2012-01-07 18:16:03 707584 ----a-w- c:\program files\common files\system\wab32.dll
2012-01-07 18:14:08 231424 ----a-w- c:\windows\system32\msshsq.dll
2012-01-07 12:52:37 -------- d-----w- c:\windows\system32\vi-VN
2012-01-07 12:52:37 -------- d-----w- c:\windows\system32\eu-ES
2012-01-07 12:52:37 -------- d-----w- c:\windows\system32\ca-ES
2012-01-06 06:35:40 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c7dae568-881c-4ee4-acae-96b756fee67b}\mpengine.dll
2012-01-05 04:49:59 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2011-12-14 23:23:45 677136 ----a-w- c:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
.
==================== Find3M ====================
.
2011-11-09 11:30:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 19:32:30 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-10-15 18:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 18:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 18:16:16 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-15 18:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 18:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 18:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 18:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 18:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 18:16:16 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-15 18:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-14 16:02:19 429056 ----a-w- c:\windows\system32\EncDec.dll
2009-06-22 13:21:53 177512 ----a-w- c:\program files\UnHyCam2.exe
2009-06-22 13:21:51 976208 ----a-w- c:\program files\HyCam2.exe
2009-06-17 19:47:36 102400 ----a-w- c:\program files\CamRes2.dll
2009-06-11 14:55:38 57344 ----a-w- c:\program files\MClick2.dll
.
============= FINISH: 20:09:32.57 ===============

shelf life
2012-01-19, 02:41
hi pmaxxx13,

Your post is a few days old. If you still need help simply post back.

pmaxxx13
2012-01-19, 17:06
Thanks for the response.

I would still like some help:

1) there was likely something on this laptop that caused the fake pop-up warning that the computer was infected
2) I am not sure what my wife downloaded when she was tricked into buying the scam anti-virus

The laptop seems to be working fine at this point. Maybe you can take a quick look at the DDS and see if there is anything there that needs to be cleaned up?

FYI - I am traveling and won't be able to access this laptop until tomorrow (Friday) evening

Thanks

shelf life
2012-01-19, 23:12
Looks like you got hit with scareware. (http://www.malwarevault.com/scareware.html) Malwarebytes usually does a pretty good job of cleaning this stuff up and I see you have it installed.

Sometimes this will only be scareware that can be easily removed. Other times it can install more malware on your machine, and so for that reason we will get another download to use as a check. It's called ComboFix. There is a guide to read first. Read through the guide and apply the directions on your machine. Post the log.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

pmaxxx13
2012-01-24, 03:19
COMBOFIX Log below

1) I was not able to turn off McAfee? Sorry
2) I got numerous error messages "cannot find file NIRKMD, please make sure you typed it correctly"; it seemed like at least once for every stage of the check.

Thanks for your help!




ComboFix 12-01-21.02 - Elizabeth 01/23/2012 19:36:17.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1007 [GMT -5:00]
Running from: c:\users\elizabeth\downloads\combofix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Uninstall
c:\users\Elizabeth\Documents\~WRL0003.tmp
c:\users\Elizabeth\Documents\~WRL0005.tmp
c:\users\Elizabeth\Documents\~WRL0796.tmp
c:\users\Elizabeth\Documents\~WRL1101.tmp
c:\users\Elizabeth\Documents\~WRL1413.tmp
c:\users\Elizabeth\Documents\~WRL1474.tmp
c:\users\Elizabeth\Documents\~WRL1624.tmp
c:\users\Elizabeth\Documents\~WRL3038.tmp
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\ndisapi.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))
.
.
2012-01-24 01:01 . 2012-01-24 01:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-12 01:00 . 2012-01-12 01:00 -------- d-----w- c:\program files\ERUNT
2012-01-12 00:55 . 2012-01-12 00:55 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\Malwarebytes
2012-01-12 00:54 . 2012-01-12 00:54 -------- d-----w- c:\programdata\Malwarebytes
2012-01-12 00:54 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-12 00:54 . 2012-01-12 00:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-11 22:18 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 22:18 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 22:18 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 22:18 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 22:17 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 22:17 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-11 22:17 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 22:17 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-10 01:13 . 2012-01-10 01:13 161792 ----a-w- c:\windows\system32\msls31.dll
2012-01-10 01:13 . 2012-01-10 01:13 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-01-10 01:13 . 2012-01-10 01:13 107008 ----a-w- c:\program files\Internet Explorer\iecleanup.exe
2012-01-10 00:47 . 2012-01-10 00:47 -------- d-----w- c:\program files\Common Files\Adobe
2012-01-09 14:51 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2012-01-09 09:46 . 2012-01-09 09:46 -------- d-----w- c:\program files\Windows Portable Devices
2012-01-09 09:06 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2012-01-09 09:06 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2012-01-09 09:06 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2012-01-09 08:59 . 2009-09-25 01:33 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2012-01-09 08:59 . 2009-09-25 02:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2012-01-09 08:59 . 2009-09-25 02:07 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2012-01-09 08:59 . 2009-09-25 02:04 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2012-01-09 08:59 . 2009-09-25 01:33 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2012-01-09 08:59 . 2009-09-25 01:32 252928 ----a-w- c:\windows\system32\dxdiag.exe
2012-01-09 08:59 . 2009-09-25 01:31 519680 ----a-w- c:\windows\system32\d3d11.dll
2012-01-07 18:24 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-01-07 18:24 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-01-07 18:24 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2012-01-07 18:24 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2012-01-07 18:24 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2012-01-07 18:24 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2012-01-07 18:22 . 2011-01-20 16:07 258048 ----a-w- c:\windows\system32\winspool.drv
2012-01-07 18:22 . 2011-01-20 16:04 98816 ----a-w- c:\windows\system32\mfps.dll
2012-01-07 18:22 . 2011-01-20 16:06 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2012-01-07 18:19 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-01-07 18:18 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2012-01-07 18:18 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2012-01-07 18:18 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
2012-01-07 18:17 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2012-01-07 18:17 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2012-01-07 18:17 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2012-01-07 18:17 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2012-01-07 18:16 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
2012-01-07 18:14 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
2012-01-07 12:52 . 2012-01-07 12:53 -------- d-----w- c:\windows\system32\ca-ES
2012-01-07 12:52 . 2012-01-07 12:53 -------- d-----w- c:\windows\system32\eu-ES
2012-01-07 12:52 . 2012-01-07 12:53 -------- d-----w- c:\windows\system32\vi-VN
2012-01-06 06:35 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C7DAE568-881C-4EE4-ACAE-96B756FEE67B}\mpengine.dll
2012-01-05 04:51 . 2012-01-05 04:58 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\Audacity
2012-01-05 04:49 . 2012-01-05 04:50 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-14 23:23 . 2011-12-14 23:23 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-11-09 11:30 . 2011-11-09 11:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2009-06-22 13:21 . 2009-06-24 13:43 177512 ----a-w- c:\program files\UnHyCam2.exe
2009-06-22 13:21 . 2009-06-24 13:43 976208 ----a-w- c:\program files\HyCam2.exe
2009-06-17 19:47 . 2009-06-24 13:43 102400 ----a-w- c:\program files\CamRes2.dll
2009-06-11 14:55 . 2009-06-24 13:43 57344 ----a-w- c:\program files\MClick2.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Software Informer"="c:\program files\Software Informer\softinfo.exe" [2009-11-25 2011205]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-15 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-15 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-15 133656]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-22 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"HostManager"="c:\program files\Common Files\AOL\1205800139\ee\AOLSoftware.exe" [2008-06-24 41824]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\users\Elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2008-6-24 41824]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-9 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 10:00]
.
2012-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 10:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-fsm - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-23 20:04
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-01-23 20:10:20
ComboFix-quarantined-files.txt 2012-01-24 01:10
.
Pre-Run: 31,342,383,104 bytes free
Post-Run: 32,318,717,952 bytes free
.
- - End Of File - - 01B70D102C3DB05F566A3F17AC8885B5

shelf life
2012-01-24, 04:00
OK. Not much to worry about there. The errors most likely are from your AV being active when ComboFix was running. To get around this you can run ComboFix again, but in safe mode this time. Most likely it will not find any malware but will just run smoother.

To reach safe mode you would tap the F8 key during a computer restart and choose the first option from the list: safe mode. Log into your usual account. Once at the safe mode desktop run combofix and post the new log.

pmaxxx13
2012-01-27, 19:41
I am not having any success in running Combo in Safe Mode (tried safe mode with networking as well).

Here is what I am doing:
- restart in Safe Mode
- run ComboFix
- still get error that McAfee is running (even after I close it out)
- Combo says it will now run at my own risk, but nothing happens.

Tried this a couple of times and ComboFix does not seem to run.

It seems as if I am re-installing ComboFix with each attempt (I don't see the application on my program menu, so I search for the file and re-launch the app)

Any suggestions?

shelf life
2012-01-27, 23:13
I don't see anything in the logs that looks like malware. Malwarebytes is pretty good at cleaning up scareware. You managed to run combofix once, with errors. I think we can leave it at that as the logs look ok.
The only other solution would be to uninstall McAfee, reboot, then run Combofix and reinstall McAfee afterwards. Don't know if you want to go through with that. I don't think it's necessary at this point.

pmaxxx13
2012-01-27, 23:36
OK - Great

Thank you so much for your help, much appreciated!

shelf life
2012-01-28, 20:36
No problem. You can remove combofix like this:

If you hit the Windows + R key you will get a run window. Here you can type in combofix /uninstall
then click OK or press Enter.
Note the space after the x and before the /

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx) Staying updated is also essential for web based applications, browser plugins and addons like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Do you trust the source? See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) The why and how for securing (http://www.cert.org/tech_tips/securing_browser/) your browser for safer surfing.

10) Warez, cracks, keygens and p2p are very popular for carrying malware payloads. A file can be named anything, be nothing but malware or have malware bundled in it. Do you really trust the source?


More info/tips with pictures, links below

Happy Safe Surfing.