Need some checking after phone scammers got into my computer


Hi, I'm hoping you can clear up any malware after some phone scammers got into my computer. I don't think there are any real problems but would like to be sure. Here is the link to the thread.




Here is the DDS log



DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by ANNE at 14:44:41 on 2012-08-10

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.61.1033.18.1918.554 [GMT 10:00]


AV: CA Anti-Virus *Enabled/Updated* {57B5C44D-AAB5-DBC9-741B-542BE5A132EA}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe


C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup


C:\Windows\system32\svchost.exe -k LocalService


C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe


C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\PDF Suite 2010\ConversionService.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Web Assistant\ExtensionUpdaterService.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup


C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe






C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Cyberlink\PowerCinema\PCMAgent.exe

C:\Program Files\Cyberlink\PowerCinema\Kernel\CLML\CLMLSvc.exe

C:\Program Files\Cyberlink\PlayMovie\PMVService.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\CA\CA Internet Security Suite\casc.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe

C:\Program Files\PDF Suite\PDFServerEngine.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Ask.com\Updater\Updater.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe


C:\Program Files\Temp File Cleaner\TempFileCleaner.exe



C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Program Files\Internet Explorer\iexplore.exe


C:\Program Files\Internet Explorer\iexplore.exe





============== Pseudo HJT Report ===============


uStart Page = hxxp://www.google.com.au/

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=93&bd=Presario&pf=cndt

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=93&bd=Presario&pf=cndt

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=93&bd=Presario&pf=cndt

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: PDF Suite Helper: {1ad61d5b-58a3-4592-9b34-dc84688ff805} - c:\program files\pdf suite 2010\PDFIEHelper.dll

BHO: Web Assistant: {336d0c35-8a85-403a-b9d2-65c292c39087} - c:\program files\web assistant\Extension32.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Incredibar.com Helper Object: {6e13dde1-2b6e-46ce-8b66-dc8bf36f6b99} - c:\program files\incredibar.com\incredibar\\bh\incredibar.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll

TB: PDF Suite Toolbar: {261f6a8b-7aaf-4bf5-8552-6610f4d67819} - c:\program files\pdf suite 2010\PDFIEPlugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Incredibar Toolbar: {f9639e4a-801b-4843-aee3-03d9da199e77} - c:\program files\incredibar.com\incredibar\\incredibarTlbr.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [hpsysdrv] c:\program files\hewlett-packard\hp odometer\hpsysdrv.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [updatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"

mRun: [updatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [PCMAgent] "c:\program files\cyberlink\powercinema\PCMAgent.exe"

mRun: [CLMLServer] "c:\program files\cyberlink\powercinema\kernel\clml\CLMLSvc.exe"

mRun: [PlayMovie] "c:\program files\cyberlink\playmovie\PMVService.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe

mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"

mRun: [PDFServerEngine] c:\program files\pdf suite\PDFServerEngine.exe /autorun

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [<NO NAME>]

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f

dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f

StartupFolder: c:\users\anne\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &AOL Toolbar Search - c:\programdata\aol\ietoolbar\resources\en-au\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\VetRedir.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer =

TCP: Interfaces\{1380CE7C-1AEF-420F-B3E3-E527A938C649} : DhcpNameServer =

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: PFW - UmxWnp.Dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: http://www.spywareinfo.com


============= SERVICES / DRIVERS ===============


R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2009-4-1 73720]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-8-21 26352]

R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-8-21 21104]

R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-8-21 161008]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2009-4-1 205304]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-9 22344]

R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-8-21 130280]

S3 PCDSRVC{4F253FFC-7957E8FC-06000000}_0;PCDSRVC{4F253FFC-7957E8FC-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc.pkms [2009-2-3 20848]

S3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\drivers\zghsdiag.sys [2011-1-13 106752]

S3 zghsmdm;ZTE General Handset USB Modem Proprietary;c:\windows\system32\drivers\zghsmdm.sys [2011-1-13 106752]

S3 zghsnmea;ZTE General Handset NMEA Port;c:\windows\system32\drivers\zghsnmea.sys [2011-1-13 106752]


=============== Created Last 30 ================


2012-08-09 14:41:32 -------- d-----w- c:\users\anne\appdata\roaming\addpcs

2012-08-09 14:41:17 -------- d-----w- c:\program files\Temp File Cleaner

2012-08-09 14:40:36 -------- d-----w- c:\program files\Incredibar.com

2012-08-09 14:40:10 -------- d-----w- c:\program files\Web Assistant

2012-08-09 14:38:31 -------- d-----w- c:\program files\Yontoo

2012-08-09 14:38:27 -------- d-----w- c:\programdata\Tarma Installer

2012-08-09 08:26:39 -------- d-----w- c:\users\anne\appdata\roaming\SUPERAntiSpyware.com

2012-08-09 08:26:15 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-08-09 08:26:15 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-08-09 06:06:15 -------- d-----w- c:\users\anne\appdata\roaming\Malwarebytes

2012-08-09 06:05:50 -------- d-----w- c:\programdata\Malwarebytes

2012-08-09 06:05:49 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-09 06:05:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-08-08 02:32:45 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{faa0ea53-6447-45ed-84fc-6e663ac11a55}\mpengine.dll

2012-08-06 10:00:55 -------- d-----w- c:\programdata\IObit

2012-08-06 10:00:26 -------- d-----w- c:\users\anne\appdata\roaming\IObit

2012-08-03 10:47:20 -------- d-----w- c:\programdata\AMMYY

2012-08-03 10:46:55 289 ----a-w- c:\windows\windows security detail.vbs

2012-08-03 10:46:06 -------- d-----w- c:\program files\IObit

2012-08-03 10:40:07 -------- d-----w- c:\users\anne\appdata\local\LogMeIn Rescue Applet

2012-07-13 02:01:25 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-07-12 03:25:14 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll

2012-07-12 03:25:13 1401856 ----a-w- c:\windows\system32\msxml6.dll

2012-07-12 03:25:13 1248768 ----a-w- c:\windows\system32\msxml3.dll

2012-07-12 03:25:12 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-12 03:25:12 278528 ----a-w- c:\windows\system32\schannel.dll

2012-07-12 03:25:12 204288 ----a-w- c:\windows\system32\ncrypt.dll


==================== Find3M ====================


2012-08-03 03:30:02 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-03 03:30:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-10 03:24:44 476936 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-07-10 03:24:44 472840 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-02 05:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 05:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-05-31 02:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe


============= FINISH: 14:46:42.94 ===============



Here is the MBAM LOG:


Malwarebytes Anti-Malware (Trial)



Database version: v2012.08.09.07


Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

ANNE :: ANNE-PC [administrator]


Protection: Enabled


10/08/2012 3:18:35 PM

mbam-log-2012-08-10 (15-18-35).txt


Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 356008

Time elapsed: 2 hour(s), 6 minute(s),


Memory Processes Detected: 0

(No malicious items detected)


Memory Modules Detected: 0

(No malicious items detected)


Registry Keys Detected: 0

(No malicious items detected)


Registry Values Detected: 0

(No malicious items detected)


Registry Data Items Detected: 0

(No malicious items detected)


Folders Detected: 0

(No malicious items detected)


Files Detected: 0

(No malicious items detected)




And the Superspy log


SUPERAntiSpyware Scan Log



Generated 08/12/2012 at 12:43 PM


Application Version : 5.5.1012


Core Rules Database Version : 9044

Trace Rules Database Version: 6856


Scan type : Complete Scan

Total Scan Time : 01:19:03


Operating System Information

Windows Vista Home Basic 32-bit, Service Pack 2 (Build 6.00.6002)

UAC On - Limited User (Administrator User)


Memory items scanned : 697

Memory threats detected : 0

Registry items scanned : 34385

Registry threats detected : 0

File items scanned : 51071

File threats detected : 11


Adware.Tracking Cookie

C:\USERS\ANNE\AppData\Roaming\Microsoft\Windows\Cookies\Low\WDIR3K8U.txt [ Cookie:anne@serving-sys.com/ ]

C:\USERS\ANNE\AppData\Roaming\Microsoft\Windows\Cookies\Low\3JM3LMCE.txt [ Cookie:anne@imrworldwide.com/cgi-bin ]

C:\USERS\ANNE\AppData\Roaming\Microsoft\Windows\Cookies\Low\M0077IJV.txt [ Cookie:anne@iinet.122.2o7.net/ ]

C:\USERS\ANNE\AppData\Roaming\Microsoft\Windows\Cookies\Low\L6A9C06E.txt [ Cookie:anne@invitemedia.com/ ]

C:\USERS\ANNE\AppData\Roaming\Microsoft\Windows\Cookies\Low\LRDYZAZQ.txt [ Cookie:anne@stats.paypal.com/ ]

C:\USERS\ANNE\AppData\Roaming\Microsoft\Windows\Cookies\Low\2T5V3IQP.txt [ Cookie:anne@collective-media.net/ ]

C:\USERS\ANNE\AppData\Roaming\Microsoft\Windows\Cookies\Low\0EHDUO4C.txt [ Cookie:anne@yieldmanager.net/ ]

C:\USERS\ANNE\AppData\Roaming\Microsoft\Windows\Cookies\Low\9LAIZESL.txt [ Cookie:anne@revsci.net/ ]

C:\USERS\ANNE\AppData\Roaming\Microsoft\Windows\Cookies\Low\FV9N7I3B.txt [ Cookie:anne@media6degrees.com/ ]

C:\USERS\ANNE\AppData\Roaming\Microsoft\Windows\Cookies\Low\NDEIT7TB.txt [ Cookie:anne@track.pubmatic.com/ ]



Thanks in advance for your help



Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer.


1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.


If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.


Hi, I'm hoping you can clear up any malware after some phone scammers got into my computer.

Could you please explain this in more detail. What is it doing to your computer?


I strongly recommend that you remove Ask from your computer because it:

• Promotes its toolbars on sites targeted to kids.
• Promotes its toolbars through ads that appear to be part of other companies' sites.
• Promotes its toolbars through other companies' spyware.
• Installs without any disclosure whatsoever and without any consent whatsoever.
• Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
• Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.


See Here for more info.


If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.


AskBarDis or anything related to Ask


Then please find and delete this folder in bold (if present):

C:\Program Files\AskBarDis. or anything related to Ask.


I would also recommend you remove c:\program files\pdf suite 2010. There's more information here.


You should also remove/uninstall c:\program files\web assistant. It is a program that will prevent you from changing your home page after it's been hijacked.


Download Security Check by screen317 from one of the following links and save it to your desktop.


Link 1

Link 2


* Double-click Security Check.bat

* Follow the on-screen instructions inside of the black box.

* A Notepad document should open automatically called checkup.txt

* Post the contents of that document in your next reply.


Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.


Download Combofix from any of the links below, and save it to your DESKTOP.


Link 1

Link 2

Link 3


To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.
    You will see the following image:



Click I Agree to start the program.


ComboFix will then extract the necessary files and you will see this:




As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.


It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


If you did not have it installed, you will see the prompt below. Choose YES.




Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.


When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).


Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

Hi Dave!


I can help clarify some of this.


There is an older thread by Cicely from Iobit support concerning this scam. It involves scammers gaining remote access to people utilizing a very outdated version of an Iobit software. They then charge an exorbitant fee to supposedly "fix" the machine.


The thread that hutch linked to in the first post will help clarify if you wish to review it. She:oops: appears to have had her:oops: machine remotely accessed. It is by WozofOz's recommendation and my agreement in that she:oops: has posted here. The software that was remotely installed has been removed and she has run MBAM and SAS, as well as the newest version of AdvancedSystemCare by Iobit and her machine is running well now.


So it is precautionary to see if you can find anything... there may very well be nothing to find.;-)




Live long and prosper!


[EDIT] by Mel... one of your links appears to be broken... I tried two different browsers. This is a screenshot so the link is not active in it. You will have to go to your post to find the active link... It is this instruction: http://forums.iobit.com/attachment.php?attachmentid=10325&d=1344816477
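The remote-access episode Mel describes can be checked against the DDS log in the first post. The following is an added example, not part of the original thread and not DDS's own code: it parses "Created Last 30" lines copied from that log, groups them into bursts of activity, and lists what else was created in the same burst as the AMMYY and LogMeIn Rescue folders. The marker list and the 15-minute gap are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the "Created Last 30" section of the DDS log in this thread.
DDS_CREATED = r"""
2012-08-09 14:41:32 -------- d-----w- c:\users\anne\appdata\roaming\addpcs
2012-08-09 14:41:17 -------- d-----w- c:\program files\Temp File Cleaner
2012-08-09 14:40:36 -------- d-----w- c:\program files\Incredibar.com
2012-08-09 14:40:10 -------- d-----w- c:\program files\Web Assistant
2012-08-09 14:38:31 -------- d-----w- c:\program files\Yontoo
2012-08-09 14:38:27 -------- d-----w- c:\programdata\Tarma Installer
2012-08-06 10:00:55 -------- d-----w- c:\programdata\IObit
2012-08-06 10:00:26 -------- d-----w- c:\users\anne\appdata\roaming\IObit
2012-08-03 10:47:20 -------- d-----w- c:\programdata\AMMYY
2012-08-03 10:46:55 289 ----a-w- c:\windows\windows security detail.vbs
2012-08-03 10:46:06 -------- d-----w- c:\program files\IObit
2012-08-03 10:40:07 -------- d-----w- c:\users\anne\appdata\local\LogMeIn Rescue Applet
2012-07-13 02:01:25 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-12 03:25:13 1401856 ----a-w- c:\windows\system32\msxml6.dll
"""

# Assumption of this example: folder-name fragments left behind by the
# remote-support tools that appear in this particular log.
REMOTE_TOOL_MARKERS = ("ammyy", "logmein rescue")

# timestamp, size (or -------- for a directory), 8 attribute flags, path
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>-{8}|\d+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)


def parse(text):
    """Return the log entries as dicts, oldest first; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"],
        })
    return sorted(entries, key=lambda e: e["time"])


def bursts(entries, gap=timedelta(minutes=15)):
    """Split time-sorted entries into groups separated by more than `gap`."""
    groups = []
    for e in entries:
        if groups and e["time"] - groups[-1][-1]["time"] <= gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


def is_remote_tool(entry):
    path = entry["path"].lower()
    return any(marker in path for marker in REMOTE_TOOL_MARKERS)


def remote_sessions(text, gap=timedelta(minutes=15)):
    """Bursts that contain at least one remote-support tool artifact."""
    return [g for g in bursts(parse(text), gap)
            if any(is_remote_tool(e) for e in g)]


def review_list(text):
    """Paths created in the same burst as a remote tool, minus the tool's own folders."""
    return [e["path"] for g in remote_sessions(text)
            for e in g if not is_remote_tool(e)]


if __name__ == "__main__":
    for group in remote_sessions(DDS_CREATED):
        print("Burst from", group[0]["time"], "to", group[-1]["time"])
        for e in group:
            tag = "REMOTE TOOL" if is_remote_tool(e) else "review"
            print(f"  {e['time']}  [{tag}]  {e['path']}")
```

Paths returned by `review_list` are candidates for manual inspection, not verdicts; the grouping only shows what was created in the same window as the remote-support tools.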


Hi Mel, thanks for that message to Dave. By the way, the "he" is a "she"..but I'm not particularly worried about it :-)) It's the computer I'm more worried about!


Hi Dave, I had already deleted all the Ask programs on the computer. I did have a browse around before I posted here and noticed that particular item and deleted it then.


I have also deleted the pdf 2010 file as well as the web assistant file.


As Mel said, a couple of the links did not work when I went to use the Security Check. One did work and here is the log


Results of screen317's Security Check version 0.99.43

Windows Vista Service Pack 2 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

CA Anti-Virus

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````


Spybot - Search & Destroy



Malwarebytes Anti-Malware version

Temp File Cleaner

Java 6 Update 33

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

Google Chrome 21.0.1180.60

Google Chrome 21.0.1180.75

Google Chrome VisualElementsManifest.xml..

````````Process Check: objlist.exe by Laurent````````

Windows Defender MSASCui.exe

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

CA CA Internet Security Suite CA Anti-Virus ISafe.exe

CA CA Internet Security Suite CA Anti-Virus VetMsg.exe

CA CA Internet Security Suite CA Anti-Virus cavrid.exe

Windows Defender MSASCui.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0 %

````````````````````End of Log``````````````````````


I closed down CA Antivirus but the program for Combofix would not accept it and wanted me to delete the whole program...am I doing something wrong there? I did get up to the black screen with bright green writing but that is where it stopped!


Thanks for your help so far.




[EDIT] by Mel: Sorry Anne... I have fixed my post!:oops:

Sorry, please try the link here


Update Your Java (JRE)


Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version


If there are any other version(s) installed then update now.


Get the new version (if needed)


If your version is out of date install the newest version of the Sun Java Runtime Environment.


Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.


Be sure to close ALL open web browsers before starting the installation.


Remove any old versions


1. Download JavaRa and unzip the file to your Desktop.

2. Open JavaRA.exe and choose Remove Older Versions

3. Once complete exit JavaRA.


Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.


Update your Adobe Reader. get.adobe.com/reader.


Be sure to uncheck the Free McAfee Security Scan so it isn't installed.



Try running ComboFix without disabling your AV.

Hi Dave, I clicked on your link in the above post and got sent to a "rip-off report"?


Not what I was expecting. Is there something there I'm supposed to click on?


Before I go on with this though, after I posted the last log I put up here, I turned off the computer. Next day when I started it up (today as well) I got an error message on the opening screen after login. It reads,

"Windows Defender Application failed to initialize: 0x800106ba".


I followed all the instructions they gave me and nothing worked; I keep getting that message. It's like the whole thing has just disappeared! Any suggestions? Does it have any major implications to the running of the computer?


I shall go and check up on Java and disable that nuisance McAfee too and be back!


Thanks, hutch

I also did a defrag on the computer which made a BIG difference! It is scheduled to run once a month...at 1am...Obviously, if the computer is not on, it's not going to work...even though it says it did!! I'll be ignoring that notice in future and will run it when I am on regardless!


Thanks for your help so far. hutch

I'm about to do the Windows Defender as per your instructions.


I've been away for a couple of days and couldn't do it before.


Thanks hutch. PS any other hints on how to get ComboFix working?

OK, I have looked everywhere but can not find a programme or file called Windows Defender???? It is certainly not listed in the program files!


I'm just going to go to MS and see if a new version will download!~



Hi Hutch... Concerning Windows Defender and CA antivirus.


Look in C drive/programfiles/windows defender. It is by Microsoft. Here is one place you can download Windows defender.


Concerning the CA antivirus... This is from my post #22 on the closed thread:

Now to the Anti Virus. The A/V you are using I would question. Not only have they not recently been accredited (five or six years it looks like to me)... they have fallen off the radar for independent testers and so there is no new data on their effectiveness. Do a google search and investigation looking for reviews and draw your own conclusions. You may find this thread informative... be sure to open all the links in Enoskype's post and view everything. If you view the thread and wish to see what a different antivirus offers... consider that Avira, Avast, AVG, MSE, BitDefender... and others offer effective free versions. Iobit has a beta ASC with A/V as well but it is still in the beta testing stage. I will not recommend one over the other as all have their +'s and -'s. Some are heavier on your system, some have easier to use interface and options, some are "prettier" than others. If you asked the question here (as it has been posed many times) you will get a plethora of opinions and advisements. The only recommendation (and this is a strong recommendation) I offer here is that you choose a known tested reputable A/V with a tested and known high detection rate over what you currently employ. Keep in mind that the generally accepted truth is that you should run only one A/V at a time.

You should consider removing this CA antivirus from your system anyway... not to mention that it is interfering with Combofix.


@ Dave... thought this might be helpful. I hope you would let me know if one of my posts is not :wink:




Live long and prosper!

