Hello Folks,

I have this annoying fraud package showing up randomly that spybot detects and cleans, but it keeps re appearing along with ad.yieldmanager.com and yieldmanager.net. Just for fun, sometimes I even get adserver.adtechus.com thrown in for good measure. Not sure how to clean this stuff off of my system. I ran regedit and followed the manual removal instructions from safernetworking, to no avail. Thanks for any help you can be in this situation.
Mike
Here is my control y as requested.
Win32.FraudPackage.dl: [SBI $FA4976EE] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1645522239-1303643608-682003330-1003\Software\SuperSoftwarePackage


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-08-26 unins000.exe (51.49.0.0)
2012-02-29 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2012-01-16 Includes\Adware.sbi (*)
2012-03-20 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-11-29 Includes\DialerC.sbi (*)
2012-01-31 Includes\HeavyDuty.sbi (*)
2012-03-20 Includes\Hijackers.sbi (*)
2011-10-04 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2012-03-13 Includes\Keyloggers.sbi (*)
2012-03-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2012-03-27 Includes\Malware.sbi (*)
2012-04-03 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2012-02-28 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-12-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2012-01-17 Includes\Spyware.sbi (*)
2012-02-28 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-09-28 Includes\Trojans.sbi (*)
2012-04-03 Includes\TrojansC-02.sbi (*)
2012-04-03 Includes\TrojansC-03.sbi (*)
2012-04-03 Includes\TrojansC-04.sbi (*)
2012-03-27 Includes\TrojansC-05.sbi (*)
2012-04-03 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Nunya at 16:54:05 on 2012-04-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2387 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Trend Micro Titanium *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
============== Running Processes ===============
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\HitmanPro\hmpsched.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\IProsetMonitor.exe
E:\programs\AiO\Center\EKAiOHostService.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciServiceHost.exe
C:\WINDOWS\system32\nlssrv32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.net
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://att.net
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [cdloader] "c:\documents and settings\nunya\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [KodakHomeCenter] "e:\programs\aio\center\AiOHomeCenter.exe"
StartupFolder: c:\docume~1\nunya\startm~1\programs\startup\erunta~1.lnk - c:\documents and settings\all users\desktop\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - e:\program files\SetPoint.exe
uPolicies-explorer: MaxRecentDocs = 21 (0x15)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: $talisma_url$
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{B7C8F692-6EAD-482C-A074-9FC6292FBF52} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{B7C8F692-6EAD-482C-A074-9FC6292FBF52} : DhcpNameServer = 192.168.0.1 192.168.0.1
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
IFEO: cdbxpp.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: fixitcenter.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: labelprint.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: lightscribecontrolpanel.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: lslauncher.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
.
Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nunya\application data\mozilla\firefox\profiles\xd8d099i.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: e:\programs\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: e:\programs\adobe\reader 10.0\reader\browser\nppdf32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [2011-10-23 56496]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [2011-10-23 12464]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl1c5615a4;MpKsl1c5615a4;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{56bb2bf2-2c55-4984-be8a-5ac33b0be023}\MpKsl1c5615a4.sys [2012-4-4 29904]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2002-6-25 14336]
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-7-11 188272]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-3-2 90952]
R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2011-8-11 112800]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;e:\programs\aio\center\EKAiOHostService.exe [2011-12-19 394672]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2011-9-1 10384]
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-6 652360]
R2 McciServiceHost;McciServiceHost;c:\program files\common files\motive\McciServiceHost.exe [2011-11-13 315392]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2011-11-16 66560]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-7-10 64080]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2012-2-9 1529152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-15 20464]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2012-2-9 10064]
S1 liggoaet;liggoaet;\??\c:\windows\system32\drivers\liggoaet.sys --> c:\windows\system32\drivers\liggoaet.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\tcaitdi.sys --> c:\windows\system32\drivers\TCAITDI.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253600]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [2011-8-11 45288]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2011-7-8 9344]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-6-25 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
.
=============== Created Last 30 ================
.
2012-04-04 21:50:13 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{56bb2bf2-2c55-4984-be8a-5ac33b0be023}\MpKsl1c5615a4.sys
2012-04-04 21:16:25 -------- d-----w- c:\documents and settings\nunya\application data\Safer Networking
2012-04-04 16:59:39 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{56bb2bf2-2c55-4984-be8a-5ac33b0be023}\mpengine.dll
2012-04-03 13:37:31 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-23 03:42:56 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-23 03:42:56 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-20 13:14:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-20 13:14:51 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-20 13:14:41 -------- d-----w- c:\windows\system32\Cache
2012-03-18 00:15:58 -------- d-----w- C:\RECYCLER(2)
2012-03-16 18:31:01 -------- d-----w- C:\cmdcons
2012-03-16 18:29:39 -------- d-----w- C:\ComboFix
.
==================== Find3M ====================
.
2012-04-03 13:37:31 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 01:41:13 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
2012-03-01 00:24:46 709968 ----a-w- c:\windows\is-V2VAN.exe
2012-02-18 02:42:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-18 02:42:24 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2012-02-09 20:13:28 31552 -c--a-w- c:\windows\system32\TURegOpt.exe
2012-02-09 13:13:18 28992 ----a-w- c:\windows\system32\uxtuneup.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-29 11:10:42 237072 -c----w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 16:56:07.23 ===============

Hi Nunya,

Firstly, welcome to the Safer-Networking Malware Removal Forum. :)
My name is Scolabar, and I'll be helping you with your malware problems.
Logs can take a while to research, so please be patient.
If you no longer require help I would be grateful if you would let me know.

Please note the following important guidelines before proceeding:
The instructions that will be provided are for YOUR computer and system only!
Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
If you have any questions or do not understand something, please do not hesitate to ask, don't guess or assume.
Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread, do not start another. Please, continue responding, until I give you the All Clean.
Absence of symptoms does not necessarily mean that everything is clear.
DO NOT run any other fix or removal tools unless instructed to do so!
DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!
Please Note: If you haven't done so already, please read this topic "BEFORE You POST"(Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) where the conditions for receiving help here are explained.


Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
In light of this, it would be advisable for you to back up any important files and folders that you don't want to lose before we start.

Backup Your Data - Windows XP (http://support.microsoft.com/kb/308422)
If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with additional instructions.

Thank you for your patience.

Scolabar

Doing the backup now.:thanks:

Hi Mike,

Thank you again for your patience. :)

Please read these instructions carefully before executing and perform the steps, in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before proceeding please make sure any open programs are closed.

Step 1:
ERUNT - Emergency Recovery Utility NT

Please backup the Registry before proceeding as follows:

Launch ERUNT.
Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT\DD-MM-YYYY (where DD-MM-YYYY is the date of the backup) which is fine.
under Backup options make sure both of the first two options: System registry and Current user registry are checked.
Click on the Yes button to allow the folder to be created.
After a short duration the Registry backup is complete! pop-up message will appear.
Now click on OK. A registry backup has now been created.
< STOP > If you are unable to complete this step successfully, < STOP > do not continue with any fix steps, let me know immediately in your next post!

Step 2:
ComboFix

I notice ComboFix has been recently installed on this computer. You need to be aware of the following:


Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer (http://img.photobucket.com/albums/v666/sUBs/New_Disclaimer_090525.gif).
Please post the entire contents of the combofix.txt log file (- it is normally to be found in the C:\qoobox\ directory) into your next reply.

Step 3:
Advisory - P2P Software Present!

IMPORTANT There are signs of a P2P (Peer-to-Peer) File Sharing Program installed on your computer.


eMule
P2P File Sharing Programs are used as a major conduit for spreading malware infection to computer systems these days.

P2P programs open up access to the computer on which the program is installed. The computer's settings are more often than not changed in a manner that renders the computer insecure and access to the computer remains open even when the program is not in use. Consequently, the system's security is completely compromised.

So be aware that it is not just what is downloaded that causes problems, just having a P2P program installed is like leaving all the doors to your house unlocked.

I advise you take the time to read the following articles that explain the risk of installing these programs:

Perils of P2P File Sharing (http://www.techsupportforum.com/forums/f50/perils-of-p2p-file-sharing-305923.html)
Use of P2P File Sharing Programs (http://spywarewarrior.com/viewtopic.php?t=26216)
Clean/Infected P2P Programs (http://malwareremoval.com/p2pindex.php)
Risks of Peer-to-Peer Systems (http://www.fbi.gov/scams-safety/peertopeer/oeertopeer)
File sharing infects 500,000 computers (http://www.itpro.co.uk/195672/file-sharing-infects-500-000-computers)
File-sharing dangers involve more than legal troubles (http://www.usatoday.com/tech/columnist/kimkomando/2006-04-13-file-sharing-woes_x.htm)
How to Prevent the Online Invasion of Spyware and Adware (http://www.internetworldstats.com/articles/art053.htm)

In order to continue assisting you with your malware issues I will require you to uninstall the P2P software as follows:

Remove P2P Program
Click on Start > Control Panel and double-click on Programs and Features.
Locate the following program:


eMule


Click on the Change/Remove button to uninstall it.
When the program has been uninstalled Close the Programs and Features and Control Panel windows.

Step 4:
Warning - Multiple Antivirus Programs!

Your logs indicate that you are running more than one Anti-virus program!


Microsoft Security Essentials
Trend Micro Titanium

Running more than one Anti-virus program is not recommended because:
They can conflict with each other.
Report the other Anti-virus software as malicious.
Anti-virus programs use an enormous amount of computer's resources actively scanning your computer.
It can cause your computer to run slowly, become unstable and crash.
I strongly advise you uninstall one of them. Which one you decide to uninstall is your decision.

Step 5:
Re-Run DDS

Please re-run DDS. Then Copy and Paste the contents of the DDS.txt into your next reply and Attach the Attach.txt file.

Step 6:
Include in Next Post

Did you have any problems carrying out the instructions?
combofix.txt.
DDS.txt.
Attach.txt.
Do you have the original Windows installation media for your PC?

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

Thanks,

I ran combofix several weeks ago, no txt file. It crashed so I never got results.
! I deleted the P2P software and got rid of trend micro as per your instructions.

I will run DDS again and send text and attach.

Thanks

Here are the requested files. No combofix because it never ran sucessfully.

Thanks again

Hi Mike,

Thank you for the logs. :)

Please confirm whether or not you have the original Windows installation media for your computer, as requested in my last post.

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before proceeding please make sure any open programs are closed.

Step 1:
Uninstall Programs

Registry Cleaners Advisory

I notice that TuneUp Utilities 2012 is installed on this computer.
This software suite incorporates a Registry Cleaner.

I don't personally recommend the use of ANY Registry Cleaners.
Here is an excerpt from a discussion on Registry Cleaners:

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference.
If it doesn't work properly you may end up with an expensive doorstop.
http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html
http://forums.whatthetech.com/Regcleaner_t42862.html

Please follow the instructions below to remove this program as well as others:

Select Start > Control Panel > Add/Remove Programs.
Scroll down the list of installed programs and select each of the following programs:


Coupon Printer for Windows
HijackThis 1.99.1 <-- outdated version
HitmanPro 3.6 <-- may interfere with the fixes. Can be re-installed once the computer has been declared clean, if required.
TuneUp Utilities 2012
TuneUp Utilities Language Pack (en-US)


Click on the Remove button to uninstall the program.
Click on the Yes button at the prompt.
Repeat steps 4 to 6 for each of the above programs.
Close the Add/Remove Programs control panel when the removals have been completed.
Restart the computer to complete removal of the programs.
Step 2:
OTL - Scan

Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) by Old Timer. Save it to your Desktop.
Double-click on OTL.exe to run the program.
Under Output, ensure that the Standard Output option is selected.
Under the Extra Registry section, select the Use SafeList option.
Click the Scan All Users checkbox.
Tick the LOP Check and Purity Check checkboxes.
Note: Please leave the remaining selections on the default settings.
Click on the Run Scan button in the top left-hand corner of the program window.
When done, two Notepad files will automatically open:
OTL.txt <-- Will be opened, maximized.
Extras.txt <-- Will be minimized on task bar.
Please Copy and Paste the entire contents of both OTL.txt and Extras.txt files into your next reply.
Step 3:
GMER

The downloaded file will have a random filename. This prevents malware from detecting and blocking it.

Please download GMER ... random named.exe (http://www2.gmer.net/download.php) by GMER. An alternative (zip file) download is available here (http://www2.gmer.net/gmer.zip).
IMPORTANT: Do not run any programs while GMER is running.
CAUTION: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries.

Double click on the random named.exe to execute. If asked, allow the gmer.sys driver load.
If it gives you a warning about rootkit activity and asks if you want to run a scan click on NO. <--- Important!
On the right side panel, several boxes have been checked. Please UNCHECK the following: (See image below.)
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All <-- don't miss this one

http://i28.photobucket.com/albums/c227/tetonbob/gmer_th.gif (http://i28.photobucket.com/albums/c227/tetonbob/gmer_screen2-1.gif)
Click on image to enlarge


If you don't get a warning, then click on the Rootkit/Malware tab at the top of the GMER window.
Click on the Scan button.
Once the scan has finished, click on Save. The Save window will open.
Save the scan results as ark.txt to your Desktop.
Double-click on the ark.txt file on the Desktop to open it in Notepad.
Copy and Paste the entire contents of ark.txt into your next reply.
Step 4:
Include in Next Post

Did you have any problems carrying out the instructions?
Do you have the original Windows installation media for your PC?
OTL.txt.
Extras.txt.
ark.txt.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

Hi Mike,

It has been over 48 hours since my last post.

Do you still need help?
Do you need more time?
Are you having problems following my instructions?
In line with Safer-Networking's Forum Guidelines, topics will be closed after 3 days without a response.
If you do not reply within the next 24 hours, this topic will be closed.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

Scolabar,

I really like my tuneup utilities and my Hitman and do not wish to uninstall them. I am not questioning your expertise at all, but I wonder if I can leave these installed and we could work with them. I'm sure there are posts out there that say Spybot disrupts other programs and is less than ideal.
Yes, I have the original installation medium. Yes, it is a registered legitamate copy of windows. Could you not tell from the current windows updates applied? I do not see why Hijack this is necessary to remove. Why is Spybot the only program that is indicating this problem exists?

Thanks for your patience with me in this process. I will be in the hospital from Tuesday thru Friday of this week. Can we keep this post open, though I will not be able to respond until Saturday?

Mike

I can't post the gmer, your system keeps telling me the message I have entered is too short. The OTL program freezes up while scanning the firefox settings. Now what can I do?

Hi Mike,

In answer to your questions:


I really like my tuneup utilities and my Hitman and do not wish to uninstall them. I am not questioning your expertise at all, but I wonder if I can leave these installed and we could work with them.If you wish to keep those programs, particularly given the warning regarding Tuneup Utilities, that is your choice. However, I'm afraid, I would require them to be uninstalled for time being for the reasons I have already given, if you wish continued assistance. Neither of those programs would be used in the cleanup process.


I'm sure there are posts out there that say Spybot disrupts other programs and is less than ideal.That is why the "BEFORE You POST"(Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) includes instructions for disabling TeaTimer for the duration of the assistance, which I presume you followed as the logs you have provided so far show TeaTimer is already disabled. ;)
TeaTimer is an effective anti-malware tool, however its anti-malware functionality does mean that it will interfere with the tools used to clean up malware infection. Hence the request to disable TeaTimer.


Yes, I have the original installation medium. Yes, it is a registered legitamate copy of windows. Could you not tell from the current windows updates applied?I asked you whether or not you have your original installation media for two reasons: a) To make sure that, in the event of serious malware infection being uncovered, you have the ability to reformat and reinstall your system, if deemed necessary. b) The knowledge of whether or not you have the original installation media determines how the cleanup procedure is progressed.


I do not see why Hijack this is necessary to remove.I believe I made it quite clear as to why I requested the program to be removed - the program is very outdated. The version you have was outdated in 2007 - 5 years ago! All effective malware tools are updated on a regular basis. Updates are delivered in weeks rather than months. ;)


Why is Spybot the only program that is indicating this problem exists?If all anti-malware tools were maintained by the same anti-malware team they would all pick up the same issues. Fortunately, as that is not the case, different tools can and do pick up different malware issues. By their very nature all tools used to combat malware have areas of strength and weakness. There never has been or ever will be a one-hit wonder tool that will fix all malware issues. ;)


I will be in the hospital from Tuesday thru Friday of this week. Can we keep this post open, though I will not be able to respond until Saturday?Given that you will be unable to continue with this thread until next weekend at the earliest, my recommendation is to close this topic and for you to post a fresh set of logs when you have returned from hospital and are able to respond to instructions given in good time.

Please let me know when you have read this post and I will arrange to have this topic closed.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

Due to lack of response, this topic is now closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. How to post a DDS log. (http://forums.spybot.info/showpost.php?p=1150&postcount=2)

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm) to me or a MOD. A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.