
Thread: win32.fraudpackage.dl

  1. #1
    Junior Member
    Join Date
    Apr 2012
    Posts
    6

    win32.fraudpackage.dl

    Hello Folks,

    I have this annoying fraud package showing up randomly that Spybot detects and cleans, but it keeps reappearing along with ad.yieldmanager.com and yieldmanager.net. Just for fun, sometimes I even get adserver.adtechus.com thrown in for good measure. Not sure how to clean this stuff off of my system. I ran regedit and followed the manual removal instructions from safernetworking, to no avail. Thanks for any help you can be in this situation.
    Mike
    Here is my control y as requested.
    Win32.FraudPackage.dl: [SBI $FA4976EE] User settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1645522239-1303643608-682003330-1003\Software\SuperSoftwarePackage


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2011-08-26 unins000.exe (51.49.0.0)
    2012-02-29 unins001.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2012-01-16 Includes\Adware.sbi (*)
    2012-03-20 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-11-29 Includes\DialerC.sbi (*)
    2012-01-31 Includes\HeavyDuty.sbi (*)
    2012-03-20 Includes\Hijackers.sbi (*)
    2011-10-04 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2012-03-13 Includes\Keyloggers.sbi (*)
    2012-03-13 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2012-03-27 Includes\Malware.sbi (*)
    2012-04-03 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2012-02-28 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2011-02-24 Includes\Security.sbi (*)
    2011-12-13 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2012-01-17 Includes\Spyware.sbi (*)
    2012-02-28 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2011-09-28 Includes\Trojans.sbi (*)
    2012-04-03 Includes\TrojansC-02.sbi (*)
    2012-04-03 Includes\TrojansC-03.sbi (*)
    2012-04-03 Includes\TrojansC-04.sbi (*)
    2012-03-27 Includes\TrojansC-05.sbi (*)
    2012-04-03 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
    Run by Nunya at 16:54:05 on 2012-04-04
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2387 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Trend Micro Titanium *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Program Files\HitmanPro\hmpsched.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
    C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
    C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
    C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\IProsetMonitor.exe
    E:\programs\AiO\Center\EKAiOHostService.exe
    E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Motive\McciServiceHost.exe
    C:\WINDOWS\system32\nlssrv32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://att.net
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    uDefault_Page_URL = hxxp://att.net
    uInternet Settings,ProxyOverride = 127.0.0.1
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [cdloader] "c:\documents and settings\nunya\application data\mjusbsp\cdloader2.exe" MAGICJACK
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Conime] %windir%\system32\conime.exe
    mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [KodakHomeCenter] "e:\programs\aio\center\AiOHomeCenter.exe"
    StartupFolder: c:\docume~1\nunya\startm~1\programs\startup\erunta~1.lnk - c:\documents and settings\all users\desktop\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - e:\program files\SetPoint.exe
    uPolicies-explorer: MaxRecentDocs = 21 (0x15)
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: $talisma_url$
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
    TCP: Interfaces\{B7C8F692-6EAD-482C-A074-9FC6292FBF52} : NameServer = 8.8.8.8,8.8.4.4
    TCP: Interfaces\{B7C8F692-6EAD-482C-A074-9FC6292FBF52} : DhcpNameServer = 192.168.0.1 192.168.0.1
    Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
    Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    IFEO: cdbxpp.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: fixitcenter.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: labelprint.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: lightscribecontrolpanel.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: lslauncher.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    .
    Note: multiple IFEO entries found. Please refer to Attach.txt
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\nunya\application data\mozilla\firefox\profiles\xd8d099i.default\
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: e:\programs\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: e:\programs\adobe\reader 10.0\reader\browser\nppdf32.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [2011-10-23 56496]
    R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [2011-10-23 12464]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsl1c5615a4;MpKsl1c5615a4;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{56bb2bf2-2c55-4984-be8a-5ac33b0be023}\MpKsl1c5615a4.sys [2012-4-4 29904]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2002-6-25 14336]
    R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-7-11 188272]
    R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-3-2 90952]
    R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2011-8-11 112800]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;e:\programs\aio\center\EKAiOHostService.exe [2011-12-19 394672]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2011-9-1 10384]
    R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-6 652360]
    R2 McciServiceHost;McciServiceHost;c:\program files\common files\motive\McciServiceHost.exe [2011-11-13 315392]
    R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2011-11-16 66560]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-7-10 64080]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2012-2-9 1529152]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-15 20464]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2012-2-9 10064]
    S1 liggoaet;liggoaet;\??\c:\windows\system32\drivers\liggoaet.sys --> c:\windows\system32\drivers\liggoaet.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\tcaitdi.sys --> c:\windows\system32\drivers\TCAITDI.sys [?]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253600]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [2011-8-11 45288]
    S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2011-7-8 9344]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-6-25 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
    .
    =============== Created Last 30 ================
    .
    2012-04-04 21:50:13 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{56bb2bf2-2c55-4984-be8a-5ac33b0be023}\MpKsl1c5615a4.sys
    2012-04-04 21:16:25 -------- d-----w- c:\documents and settings\nunya\application data\Safer Networking
    2012-04-04 16:59:39 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{56bb2bf2-2c55-4984-be8a-5ac33b0be023}\mpengine.dll
    2012-04-03 13:37:31 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-03-23 03:42:56 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-03-23 03:42:56 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    2012-03-20 13:14:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2012-03-20 13:14:51 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-03-20 13:14:41 -------- d-----w- c:\windows\system32\Cache
    2012-03-18 00:15:58 -------- d-----w- C:\RECYCLER(2)
    2012-03-16 18:31:01 -------- d-----w- C:\cmdcons
    2012-03-16 18:29:39 -------- d-----w- C:\ComboFix
    .
    ==================== Find3M ====================
    .
    2012-04-03 13:37:31 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-01 01:41:13 23624 -c--a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2012-03-01 00:24:46 709968 ----a-w- c:\windows\is-V2VAN.exe
    2012-02-18 02:42:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-02-18 02:42:24 472808 -c--a-w- c:\windows\system32\deployJava1.dll
    2012-02-09 20:13:28 31552 -c--a-w- c:\windows\system32\TURegOpt.exe
    2012-02-09 13:13:18 28992 ----a-w- c:\windows\system32\uxtuneup.dll
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-29 11:10:42 237072 -c----w- c:\windows\system32\MpSigStub.exe
    2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ============= FINISH: 16:56:07.23 ===============
    Last edited by tashi; 2012-04-06 at 02:46. Reason: Copy pasted log into topic as per sticky. :-)
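A small triage parser for the DDS log above, added here as an example (it is not code from the thread or from the DDS tool). It pulls the service/driver, IFEO and Hosts lines out of a few lines copied from the posted log and queues for review any service whose file DDS reported as "[?]", any program redirected through an IFEO debugger, and any Hosts override; the decoding of the R/S prefix and start-type digit follows the DDS line convention as I understand it and is an assumption.

```python
"""Triage helper for a DDS-style log (added example; not from the thread).

Assumed DDS convention for a service line:
  <R|S><start> <name>;<display name>;<path> [<date> <size>]
R = running, S = stopped, the digit is the Windows start type, and a
trailing "[?]" means DDS could not find or stat the file it points at.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied verbatim from the DDS output posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = 127.0.0.1
IFEO: cdbxpp.exe - "e:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: fixitcenter.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S1 liggoaet;liggoaet;\??\c:\windows\system32\drivers\liggoaet.sys --> c:\windows\system32\drivers\liggoaet.sys [?]
S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\tcaitdi.sys --> c:\windows\system32\drivers\TCAITDI.sys [?]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
FILE_INFO_RE = re.compile(r"\[([^\]]*)\]\s*$")
IFEO_RE = re.compile(r'^IFEO:\s+(?P<image>\S+)\s+-\s+"?(?P<debugger>[^"]+)"?\s*$')
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


def parse_service(line: str) -> Optional[dict]:
    """Split one DDS service/driver line into its fields, or None if not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    info = None
    fm = FILE_INFO_RE.search(rest)
    if fm:
        info = fm.group(1)              # "<date> <size>" or "?" when the file is missing
        rest = rest[: fm.start()].rstrip()
    # DDS prints "<registry path> --> <resolved path>"; keep the resolved one.
    path = rest.split(" --> ")[-1]
    return {
        "name": m.group("name"),
        "display": m.group("display"),
        "state": "running" if m.group("state") == "R" else "stopped",
        "start": START_TYPES[m.group("start")],
        "path": path,
        "file_info": info,
    }


def triage(log_text: str) -> Dict[str, list]:
    """Collect the entries an analyst would look at first."""
    findings: Dict[str, list] = {
        "missing_file_services": [],   # service points at a file DDS could not find
        "ifeo_debuggers": [],          # (image, debugger) launched in place of the image
        "hosts_entries": [],           # (ip, hostname) overrides in the hosts file
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_service(line)
        if svc is not None:
            if svc["file_info"] == "?":
                findings["missing_file_services"].append(svc)
            continue
        m = IFEO_RE.match(line)
        if m:
            findings["ifeo_debuggers"].append((m.group("image"), m.group("debugger")))
            continue
        m = HOSTS_RE.match(line)
        if m:
            findings["hosts_entries"].append((m.group("ip"), m.group("host")))
    return findings


def report(findings: Dict[str, list]) -> List[str]:
    """Render the findings as one review line each."""
    lines = []
    for s in findings["missing_file_services"]:
        lines.append(f"REVIEW service {s['name']} ({s['state']}, start={s['start']}): "
                     f"file not found: {s['path']}")
    for image, dbg in findings["ifeo_debuggers"]:
        lines.append(f"REVIEW IFEO: {image} is launched through {dbg}")
    for ip, host in findings["hosts_entries"]:
        lines.append(f"REVIEW hosts: {host} -> {ip}")
    return lines


if __name__ == "__main__":
    for entry in report(triage(SAMPLE_LOG)):
        print(entry)
```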

  2. #2
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148


    Hi Nunya,

    Firstly, welcome to the Safer-Networking Malware Removal Forum.
    My name is Scolabar, and I'll be helping you with your malware problems.
    Logs can take a while to research, so please be patient.
    If you no longer require help I would be grateful if you would let me know.

    Please note the following important guidelines before proceeding:
    1. The instructions that will be provided are for YOUR computer and system only!
      Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
    2. If you have any questions or do not understand something, please do not hesitate to ask, don't guess or assume.
    3. Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
    4. Only reply to this thread, do not start another. Please continue responding until I give you the All Clean.
      Absence of symptoms does not necessarily mean that everything is clear.
    5. DO NOT run any other fix or removal tools unless instructed to do so!
    6. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
    7. Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
    8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    9. Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

    Please Note: If you haven't done so already, please read this topic "BEFORE You POST" (Please read this Procedure Before Requesting Assistance) where the conditions for receiving help here are explained.

    Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
    In light of this, it would be advisable for you to back up any important files and folders that you don't want to lose before we start.


    If you follow these guidelines, things should proceed smoothly.
    I am currently reviewing your log and will return, as soon as possible, with additional instructions.

    Thank you for your patience.

    Scolabar
    Malware Removal University - You too could train to help others

  3. #3
    Junior Member
    Join Date
    Apr 2012
    Posts
    6

    Thanks Scolabar

    Doing the backup now.

  4. #4
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148


    Hi Mike,

    Thank you again for your patience.

    Please read these instructions carefully before executing and perform the steps, in the order given.
    If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

    Before proceeding please make sure any open programs are closed.

    Step 1:
    ERUNT - Emergency Recovery Utility NT

    Please backup the Registry before proceeding as follows:

    1. Launch ERUNT.
    2. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT\DD-MM-YYYY (where DD-MM-YYYY is the date of the backup) which is fine.
    3. Under Backup options make sure both of the first two options: System registry and Current user registry are checked.
    4. Click on the Yes button to allow the folder to be created.
      After a short duration the "Registry backup is complete!" pop-up message will appear.
    5. Now click on OK. A registry backup has now been created.

    < STOP > If you are unable to complete this step successfully, < STOP > do not continue with any fix steps, let me know immediately in your next post!

    Step 2:
    ComboFix

    I notice ComboFix has been recently installed on this computer. You need to be aware of the following:

    Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.
    Please post the entire contents of the combofix.txt log file (it is normally to be found in the C:\qoobox\ directory) into your next reply.

    Step 3:
    Advisory - P2P Software Present!

    IMPORTANT There are signs of a P2P (Peer-to-Peer) File Sharing Program installed on your computer.

    eMule
    P2P File Sharing Programs are used as a major conduit for spreading malware infection to computer systems these days.

    P2P programs open up access to the computer on which the program is installed. The computer's settings are more often than not changed in a manner that renders the computer insecure and access to the computer remains open even when the program is not in use. Consequently, the system's security is completely compromised.

    So be aware that it is not just what is downloaded that causes problems, just having a P2P program installed is like leaving all the doors to your house unlocked.

    I advise you take the time to read the following articles that explain the risk of installing these programs:

    In order to continue assisting you with your malware issues I will require you to uninstall the P2P software as follows:

    Remove P2P Program
    1. Click on Start > Control Panel and double-click on Programs and Features.
    2. Locate the following program:

      eMule

    3. Click on the Change/Remove button to uninstall it.
    4. When the program has been uninstalled Close the Programs and Features and Control Panel windows.


    Step 4:
    Warning - Multiple Antivirus Programs!

    Your logs indicate that you are running more than one Anti-virus program!

    Microsoft Security Essentials
    Trend Micro Titanium

    Running more than one Anti-virus program is not recommended because:
    1. They can conflict with each other.
    2. They can report the other Anti-virus software as malicious.
    3. Anti-virus programs use an enormous amount of the computer's resources actively scanning your computer.
    4. It can cause your computer to run slowly, become unstable and crash.

    I strongly advise you uninstall one of them. Which one you decide to uninstall is your decision.

    Step 5:
    Re-Run DDS

    Please re-run DDS. Then Copy and Paste the contents of the DDS.txt into your next reply and Attach the Attach.txt file.

    Step 6:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. combofix.txt.
    3. DDS.txt.
    4. Attach.txt.
    5. Do you have the original Windows installation media for your PC?


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others

  5. #5
    Junior Member
    Join Date
    Apr 2012
    Posts
    6

    Hello

    Thanks,

    I ran combofix several weeks ago, no txt file. It crashed so I never got results.
    I deleted the P2P software and got rid of Trend Micro as per your instructions.

    I will run DDS again and send text and attach.

    Thanks

  6. #6
    Junior Member
    Join Date
    Apr 2012
    Posts
    6

    Hello again

    Here are the requested files. No combofix because it never ran successfully.

    Thanks again

  7. #7
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148


    Hi Mike,

    Thank you for the logs.

    Please confirm whether or not you have the original Windows installation media for your computer, as requested in my last post.

    Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
    If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

    Before proceeding please make sure any open programs are closed.

    Step 1:
    Uninstall Programs

    Registry Cleaners Advisory

    I notice that TuneUp Utilities 2012 is installed on this computer.
    This software suite incorporates a Registry Cleaner.

    I don't personally recommend the use of ANY Registry Cleaners.
    Here is an excerpt from a discussion on Registry Cleaners:
    Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
    The point we are trying to make is that the risk of using one far outweighs any benefit.
    If it does work perfectly you will not see any difference.
    If it doesn't work properly you may end up with an expensive doorstop.
    http://miekiemoes.blogspot.com/2008/...eaking_13.html
    http://forums.whatthetech.com/Regcleaner_t42862.html

    Please follow the instructions below to remove this program as well as others:

    1. Select Start > Control Panel > Add/Remove Programs.
    2. Scroll down the list of installed programs and select each of the following programs:

      Coupon Printer for Windows
      HijackThis 1.99.1 <-- outdated version
      HitmanPro 3.6 <-- may interfere with the fixes. Can be re-installed once the computer has been declared clean, if required.
      TuneUp Utilities 2012
      TuneUp Utilities Language Pack (en-US)

    3. Click on the Remove button to uninstall the program.
    4. Click on the Yes button at the prompt.
    5. Repeat steps 4 to 6 for each of the above programs.
    6. Close the Add/Remove Programs control panel when the removals have been completed.
    7. Restart the computer to complete removal of the programs.

    Step 2:
    OTL - Scan

    1. Please download OTL by Old Timer. Save it to your Desktop.
    2. Double-click on OTL.exe to run the program.
    3. Under Output, ensure that the Standard Output option is selected.
    4. Under the Extra Registry section, select the Use SafeList option.
    5. Click the Scan All Users checkbox.
    6. Tick the LOP Check and Purity Check checkboxes.
      Note: Please leave the remaining selections on the default settings.
    7. Click on the Run Scan button in the top left-hand corner of the program window.
    8. When done, two Notepad files will automatically open:
      • OTL.txt <-- Will be opened, maximized.
      • Extras.txt <-- Will be minimized on task bar.
    9. Please Copy and Paste the entire contents of both OTL.txt and Extras.txt files into your next reply.

    Step 3:
    GMER

    The downloaded file will have a random filename. This prevents malware from detecting and blocking it.

    Please download GMER ... random named.exe by GMER. An alternative (zip file) download is available here.
    IMPORTANT: Do not run any programs while GMER is running.
    CAUTION: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    1. Double click on the random named.exe to execute. If asked, allow the gmer.sys driver load.
    2. If it gives you a warning about rootkit activity and asks if you want to run a scan click on NO. <--- Important!
    3. On the right side panel, several boxes have been checked. Please UNCHECK the following: (See image below.)
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All <-- don't miss this one




    4. If you don't get a warning, then click on the Rootkit/Malware tab at the top of the GMER window.
    5. Click on the Scan button.
    6. Once the scan has finished, click on Save. The Save window will open.
    7. Save the scan results as ark.txt to your Desktop.
    8. Double-click on the ark.txt file on the Desktop to open it in Notepad.
    9. Copy and Paste the entire contents of ark.txt into your next reply.

    Step 4:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. Do you have the original Windows installation media for your PC?
    3. OTL.txt.
    4. Extras.txt.
    5. ark.txt.


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others

  8. #8
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148


    Hi Mike,

    It has been over 48 hours since my last post.

    1. Do you still need help?
    2. Do you need more time?
    3. Are you having problems following my instructions?
    4. In line with Safer-Networking's Forum Guidelines, topics will be closed after 3 days without a response.
    5. If you do not reply within the next 24 hours, this topic will be closed.


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others

  9. #9
    Junior Member
    Join Date
    Apr 2012
    Posts
    6

    Hello again

    Scolabar,

    I really like my tuneup utilities and my Hitman and do not wish to uninstall them. I am not questioning your expertise at all, but I wonder if I can leave these installed and we could work with them. I'm sure there are posts out there that say Spybot disrupts other programs and is less than ideal.
    Yes, I have the original installation medium. Yes, it is a registered legitimate copy of Windows. Could you not tell from the current Windows updates applied? I do not see why HijackThis is necessary to remove. Why is Spybot the only program that is indicating this problem exists?

    Thanks for your patience with me in this process. I will be in the hospital from Tuesday through Friday of this week. Can we keep this post open, though I will not be able to respond until Saturday?

    Mike

  10. #10
    Junior Member
    Join Date
    Apr 2012
    Posts
    6

    Hello and Thanks

    I can't post the gmer, your system keeps telling me the message I have entered is too short. The OTL program freezes up while scanning the firefox settings. Now what can I do?
