Topic: Have a PUP.bProtector that AntiSpyware won't remove

rc
Have a PUP.bProtector that AntiSpyware won't remove
« on: July 11, 2012, 08:16:25 PM »
I ran Super AntiSpyware and it found 11 of these and removed 10 - but one cannot be removed.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 1.6.0_31
Run by Rita at 13:51:37 on 2012-07-11
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3070.1769 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Windows\system32\F5InstallerService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\ProgramData\IBUpdaterService\ibsvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\svchost.exe -k secsvcs
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Rita\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HP\Button Manager\BM.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://yahoo.com/
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn3\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Savings Sidekick: {11111111-1111-1111-1111-110011501160} - c:\program files\savings sidekick\Savings Sidekick.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SpecialSavings: {74f475fa-6c75-43bd-aab9-ecda6184f600} - c:\program files\specialsavings\SpecialSavingsSinged.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {98889811-442D-49dd-99D7-DC866BE87DBC} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ALconnect] c:\users\rita\appdata\roaming\directlife\alconnect\ALconnect.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Google Updater] "c:\program files\google\google updater\GoogleUpdater.exe" -check_deprecation
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\rita\appdata\roaming\micros~1\windows\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp\button manager\BM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\specialsavings\SpecialSavingsSinged.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: weightwatchers.com
DPF: {00627E89-A19D-4A2B-938B-059CB7B1B493} - file://C:/Program Files/F5 VPN/F5_TMP/f5certchk.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - file://C:/Program Files/F5 VPN/F5_TMP/cachecleaner.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - file://C:/Program Files/F5 VPN/F5_TMP/urxvpn.cab
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - file://C:/Program Files/F5 VPN/F5_TMP/f5tunsrv.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - file://C:/Program Files/F5 VPN/F5_TMP/InstallerControl.cab
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} - hxxp://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://C:/Program Files/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - file://C:/Program Files/F5 VPN/F5_TMP/urxshost.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - file://C:/Program Files/F5 VPN/F5_TMP/urxhost.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - file://C:/Program Files/F5 VPN/F5_TMP/f5syschk.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ECD34062-D513-43E4-B42E-6FF9EE437801} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: protector.dll c:\progra~1\google\google~1\go36f4~1.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rita\appdata\roaming\mozilla\firefox\profiles\6skr432c.default\
FF - prefs.js: browser.search.selectedengine - search the web (babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?af=114024&babsrc=hp_ss&mntrid=1a4c7ba500000000000000223f5c840e
FF - prefs.js: keyword.url - hxxp://search.babylon.com/?af=114024&babsrc=adbartrp&mntrid=1a4c7ba500000000000000223f5c840e&q=
FF - component: c:\users\rita\appdata\roaming\mozilla\firefox\profiles\6skr432c.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\rita\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\users\rita\appdata\roaming\mozilla\firefox\profiles\6skr432c.default\extensions\{dbbb3167-6e81-400f-bbfd-bd8921726f52}\plugins\NPuroamHost.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2009-8-5 21728]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [2010-8-19 246400]
R2 IBUpdaterService;Updater Service;c:\programdata\ibupdaterservice\ibsvc.exe [2012-7-7 570272]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-i visual effects 2\uCamMonitor.exe [2010-1-21 104960]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2010-1-21 17920]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-6-21 114672]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2007-12-26 288768]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpnwlh.sys [2010-1-25 34944]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1ca1b5d2d110ea5;Google Update Service (gupdate1ca1b5d2d110ea5);c:\program files\google\update\GoogleUpdate.exe [2009-8-12 133104]
S2 SCM_Service;SCM_Service;c:\windows\system32\WinService.exe [2009-8-5 180224]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-15 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltwlh.sys [2010-9-21 13952]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-11 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-3-9 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-8-12 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-6 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-19 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
.reg=Regedit.Document
.
=============== Created Last 30 ================
.
2012-07-11 15:34:38   2345984   ----a-w-   c:\windows\system32\win32k.sys
2012-07-11 03:45:37   6762896   ----a-w-   c:\programdata\microsoft\windows defender\definition updates\{b9460f67-f7e5-459b-87d9-d9e45a420102}\mpengine.dll
2012-07-08 01:33:31   --------   d-----w-   c:\users\rita\.jsapi
2012-07-08 01:32:38   --------   d-----w-   c:\users\rita\Sabre Red Workspace
2012-07-08 01:28:31   --------   d-----w-   c:\users\rita\appdata\local\Sabre Red Workspace
2012-07-08 00:45:53   --------   d-----w-   c:\windows\Pronto
2012-07-08 00:34:32   --------   d-----w-   C:\SABRE
2012-06-29 04:28:18   --------   dc-h--w-   c:\users\rita\appdata\local\{E8D024FE-9C03-4ECF-B3CA-FB58783D91C2}
2012-06-29 04:14:00   --------   d-----w-   c:\users\rita\appdata\roaming\DirectLife
2012-06-29 04:13:54   --------   d-----w-   c:\users\rita\appdata\local\PackageAware
2012-06-26 15:30:53   --------   d-----w-   c:\users\rita\appdata\local\Macromedia
2012-06-26 02:39:38   --------   d-----w-   c:\programdata\SUPERSetup
2012-06-26 02:38:44   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-06-19 14:42:31   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-06-19 14:41:54   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-06-19 14:41:29   33792   ----a-w-   c:\windows\system32\wuapp.exe
2012-06-19 14:41:29   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-12 23:39:46   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-06-12 23:39:44   2342400   ----a-w-   c:\windows\system32\msi.dll
2012-06-12 23:39:39   8192   ----a-w-   c:\windows\system32\rdrmemptylst.exe
2012-06-12 23:39:39   58880   ----a-w-   c:\windows\system32\rdpwsx.dll
2012-06-12 23:39:39   129536   ----a-w-   c:\windows\system32\rdpcorekmts.dll
2012-06-12 23:39:38   164352   ----a-w-   c:\windows\system32\profsvc.dll
2012-06-12 23:39:35   140288   ----a-w-   c:\windows\system32\cryptsvc.dll
2012-06-12 23:39:35   1158656   ----a-w-   c:\windows\system32\crypt32.dll
2012-06-12 23:39:35   103936   ----a-w-   c:\windows\system32\cryptnet.dll
.
==================== Find3M  ====================
.
2012-07-08 01:03:45   790520   ----a-w-   c:\windows\system32\protector.dll
2012-06-23 03:04:15   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-23 03:04:15   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-06-06 05:05:52   1390080   ----a-w-   c:\windows\system32\msxml6.dll
2012-06-06 05:05:52   1236992   ----a-w-   c:\windows\system32\msxml3.dll
2012-06-06 05:03:06   805376   ----a-w-   c:\windows\system32\cdosys.dll
2012-06-02 08:33:25   1800192   ----a-w-   c:\windows\system32\jscript9.dll
2012-06-02 08:25:08   1129472   ----a-w-   c:\windows\system32\wininet.dll
2012-06-02 08:25:03   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04   67440   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03   134000   ----a-w-   c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59   369336   ----a-w-   c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39   225280   ----a-w-   c:\windows\system32\schannel.dll
2012-06-02 04:39:10   219136   ----a-w-   c:\windows\system32\ncrypt.dll
.
============= FINISH: 13:52:07.86 ===============

 Results of screen317's Security Check version 0.99.42 
 Windows 7 Service Pack 1 x86 (UAC is enabled) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials   
  (On Access scanning disabled!)
 Error obtaining update status for antivirus! 
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 Secunia PSI   
 CCleaner     
 Java(TM) 6 Update 31 
 Java version out of Date!
 Adobe Flash Player    11.3.300.262 
 Adobe Reader X (10.1.3)
 Mozilla Firefox (8.0.1)
 Google Chrome 20.0.1132.47 
````````Process Check: objlist.exe by Laurent````````
 Microsoft Security Client Antimalware NisSrv.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Corrine (Administrator)
Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #1 on: July 11, 2012, 08:46:16 PM »
Hi, Rita. 

Since you've been here before, you know the routine, but I'll repeat it anyway, just as a reminder. 

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Please follow these instructions carefully.

Download ComboFix from the following location:  Link 1

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

rc
Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #2 on: July 13, 2012, 03:47:27 AM »
OK - here it is:  it amazes me that you can make anything out of it!
ComboFix 12-07-13.01 - Rita 07/12/2012  21:16:24.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3070.1777 [GMT -7:00]
Running from: c:\users\Rita\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\bProtector
c:\programdata\bProtector\bProtect.exe
c:\programdata\bProtector\bProtect.settings
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome.manifest
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\background.html
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\browser.xul
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\crossrider.js
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\crossriderapi.js
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\dialog.js
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\lib\faye-browser-min.js
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\manage-apps-style.css
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\manage-apps.html
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\messaging.js
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\options.js
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\options.xul
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\push.html
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\search_dialog.xul
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\chrome\content\update.html
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\defaults\preferences\prefs.js
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\install.rdf
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\locale\en-US\translations.dtd
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\button1.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\button2.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\button3.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\button4.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\button5.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\crossrider_statusbar.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\icon128.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\icon16.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\icon24.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\icon48.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\panelarrow-up.png
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\popup.css
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\popup.html
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\popup_binding.xml
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\skin.css
c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\extensions\crossriderapp5060@crossrider.com\skin\update.css
c:\users\Rita\g2ax_customer_downloadhelper_win32_x86.exe
c:\users\Rita\GoToAssistDownloadHelper.exe
c:\windows\security\Database\tmp.edb
c:\windows\UA000079.DLL
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-13 to 2012-07-13  )))))))))))))))))))))))))))))))
.
.
2012-07-13 04:27 . 2012-07-13 04:27   --------   d-----w-   c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-07-13 04:27 . 2012-07-13 04:27   --------   d-----w-   c:\users\IUSR_NMPR\AppData\Local\temp
2012-07-12 13:35 . 2012-05-31 03:41   6762896   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{04A5239F-C72B-45BA-83B9-F1CA5E9398AD}\mpengine.dll
2012-07-11 15:34 . 2012-06-12 02:40   2345984   ----a-w-   c:\windows\system32\win32k.sys
2012-07-08 01:33 . 2012-07-08 01:33   --------   d-----w-   c:\users\Rita\.jsapi
2012-07-08 01:32 . 2012-07-08 01:32   --------   d-----w-   c:\users\Rita\Sabre Red Workspace
2012-07-08 01:28 . 2012-07-08 01:32   --------   d-----w-   c:\users\Rita\AppData\Local\Sabre Red Workspace
2012-07-08 00:45 . 2012-07-08 00:45   --------   d-----w-   c:\windows\Pronto
2012-07-08 00:34 . 2012-07-08 00:34   --------   d-----w-   C:\SABRE
2012-06-29 04:28 . 2012-06-29 04:28   --------   dc-h--w-   c:\users\Rita\AppData\Local\{E8D024FE-9C03-4ECF-B3CA-FB58783D91C2}
2012-06-29 04:14 . 2012-06-29 04:14   --------   d-----w-   c:\users\Rita\AppData\Roaming\DirectLife
2012-06-29 04:13 . 2012-06-29 04:13   --------   d-----w-   c:\users\Rita\AppData\Local\PackageAware
2012-06-26 15:30 . 2012-06-26 15:30   --------   d-----w-   c:\users\Rita\AppData\Local\Macromedia
2012-06-26 02:39 . 2012-06-26 02:40   --------   d-----w-   c:\programdata\SUPERSetup
2012-06-26 02:38 . 2012-06-26 02:38   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-06-19 14:42 . 2012-06-02 22:19   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-19 14:42 . 2012-06-02 22:19   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-06-19 14:42 . 2012-06-02 22:19   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
2012-06-19 14:42 . 2012-06-02 22:12   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-06-19 14:41 . 2012-06-02 22:19   35864   ----a-w-   c:\windows\system32\wups.dll
2012-06-19 14:41 . 2012-06-02 22:19   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-19 14:41 . 2012-06-02 22:12   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-06-19 14:41 . 2012-06-02 22:19   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-19 14:41 . 2012-06-02 22:12   33792   ----a-w-   c:\windows\system32\wuapp.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 22:04 . 2012-04-15 15:45   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-07-11 22:04 . 2011-05-18 14:20   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-01 04:44 . 2012-06-12 23:39   164352   ----a-w-   c:\windows\system32\profsvc.dll
2012-04-28 03:17 . 2012-06-12 23:39   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45 . 2012-06-12 23:39   58880   ----a-w-   c:\windows\system32\rdpwsx.dll
2012-04-26 04:45 . 2012-06-12 23:39   129536   ----a-w-   c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41 . 2012-06-12 23:39   8192   ----a-w-   c:\windows\system32\rdrmemptylst.exe
2012-04-24 04:36 . 2012-06-12 23:39   140288   ----a-w-   c:\windows\system32\cryptsvc.dll
2012-04-24 04:36 . 2012-06-12 23:39   1158656   ----a-w-   c:\windows\system32\crypt32.dll
2012-04-24 04:36 . 2012-06-12 23:39   103936   ----a-w-   c:\windows\system32\cryptnet.dll
2011-11-21 04:04 . 2011-12-10 03:10   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-04 1514152]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn3\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-04 00:31   1514152   ----a-w-   c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-04 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-28 224248]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-11 3905408]
"ALconnect"="c:\users\Rita\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe" [2012-06-18 741504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-10 169328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-09-30 161336]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-04 1391272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\Rita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2010-10-19 1795488]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2010-1-21 323584]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-8-5 1261568]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-3 54512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
.
[HKLM\~\startupfolder\C:^Users^Rita^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
path=c:\users\Rita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
.
[HKLM\~\startupfolder\C:^Users^Rita^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MEMonitor.lnk]
backup=c:\windows\pss\MEMonitor.lnk.Startup
backupExtension=.Startup
path=c:\users\Rita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEMonitor.lnk
.
[HKLM\~\startupfolder\C:^Users^Rita^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
path=c:\users\Rita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-10-17 01:40   1197648   ----a-w-   c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
2006-11-18 13:01   182744   ----a-w-   c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 17:55   206064   ----a-w-   c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2010-11-20 12:17   144384   ----a-w-   c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-09-29 18:39   151552   ----a-w-   c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 17:35   221184   ----a-w-   c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 17:37   81920   ----a-w-   c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
2006-09-26 16:56   423424   ----a-w-   c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2010-11-20 12:17   1174016   ----a-w-   c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2010-11-20 12:20   859648   ----a-w-   c:\windows\System32\OobeFldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2009-07-14 01:14   65024   ----a-w-   c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-03-28 22:10   224248   ----a-w-   c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
R2 gupdate1ca1b5d2d110ea5;Google Update Service (gupdate1ca1b5d2d110ea5);c:\program files\Google\Update\GoogleUpdate.exe

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltwlh.sys

R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys

R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe

S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

S2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe

S2 IBUpdaterService;Updater Service;c:\programdata\IBUpdaterService\ibsvc.exe

S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys

S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys

S2 SCM_Service;SCM_Service;c:\windows\System32\WinService.exe

S2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe

S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys

S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys

S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe

S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys

S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpnwlh.sys

S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS

S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS

.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - avgntflt
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-07-14 01:14   126464   ----a-w-   c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 22:04]
.
2012-07-08 c:\windows\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2010-06-28 20:57]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:57]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:57]
.
2012-07-13 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
2012-07-13 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-04-06 21:30]
.
2012-06-30 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2012-07-13 c:\windows\Tasks\User_Feed_Synchronization-{17ED33CB-05F1-4DA1-9A19-750230D986D6}.job
- c:\windows\system32\msfeedssync.exe [2011-05-13 18:03]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\SpecialSavings\SpecialSavingsSinged.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: weightwatchers.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} - hxxp://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://C:/Program Files/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
FF - ProfilePath - c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\
FF - prefs.js: browser.search.selectedengine - search the web (babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?af=114024&babsrc=hp_ss&mntrid=1a4c7ba500000000000000223f5c840e
FF - prefs.js: keyword.url - hxxp://search.babylon.com/?af=114024&babsrc=adbartrp&mntrid=1a4c7ba500000000000000223f5c840e&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Snapfire Plus\PhotoDownloader.exe
MSConfigStartUp-NvCplDaemon - c:\windows\system32\NvCpl.dll
MSConfigStartUp-NvMediaCenter - c:\windows\system32\NvMcTray.dll
MSConfigStartUp-NvSvc - c:\windows\system32\nvsvc.dll
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-Random House Webster's Unabridged Dictionary - c:\program files\Random House
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3500)
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-07-12  21:36:19 - machine was rebooted
ComboFix-quarantined-files.txt  2012-07-13 04:36
.
Pre-Run: 94,117,797,888 bytes free
Post-Run: 94,078,337,024 bytes free
.
- - End Of File - - BE052AFE48EEDB1636C22C4F7C962F22

Offline rc

Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #3 on: July 13, 2012, 04:07:52 AM »
I think I sent the results incorrectly - I pasted to the bottom of your reply and clicked post at the bottom - anyway, did you see the results of the ComboFix?  Sorry if I did it incorrectly!!
Also - I don't know where my Microsoft Security Essentials went!  (To be honest I don't know how long it's been - I forgot to check for that icon after a while after you helped me before.)   - and I keep going to Internet Options and putting Yahoo as my home page, I click Apply and then OK, but it won't stay :(

Offline Corrine

Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #4 on: July 13, 2012, 04:47:26 PM »
Hi, Rita.

Firefox is way out of date.  It is currently at version 13.0.1 and you have Mozilla Firefox (8.0.1) installed.  Although I am not fond of the "rapid-release" schedule Mozilla has been using for Firefox, critical security updates have been included in the updates.

Please uninstall Java(TM) 6 Update 31 and update to the latest version, JRE7u5 from http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html  (Note:  Watch for pre-checked extras offered with the software.)

Please go here to run an ESET on-line scan.

Notes:

✱  It is easiest if you use Internet Explorer for this scan.
✱  If you use an alternate browser, it will be necessary to download the ESET Smart Installer, esetsmartinstaller_enu.exe, when prompted, then double-click to install.  Vista/Windows 7 users, select Run as Administrator.
✱  Temporarily disable your antivirus and anti-malware security applications during the scan.  This can usually be accomplished by a right-click on the icon in the System Tray.  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum.

  • Select the option YES, I accept the Terms of Use then click:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology
  • Click the Start button:
  • The virus signature database... will begin to download.  Be patient.  This may take some time depending on your Internet connection.
  • When the signatures have completed downloading, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan.  Otherwise it may stall.
  • When the scan is completed, make sure you copy the log file and, if you wish, select Uninstall application on close.
  • Click the Finish button.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your antivirus and anti-malware software after the scan is complete!


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline rc

Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #5 on: July 19, 2012, 07:46:48 PM »
geez - all this time I thought you hadn't responded yet!!!  I didn't think to look here - I was waiting for an email notification.  Thank you so much for these instructions - will do ASAP!!  I was getting very anxious - glad I found your reply.  Thanks again!

Offline rc

Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #6 on: July 19, 2012, 10:02:17 PM »
This is what it found - I couldn't exactly follow your directions, so hope this is what you need:
C:\Qoobox\Quarantine\C\ProgramData\bProtector\bProtect.exe.vir   a variant of Win32/bProtector application
C:\Users\Rita\Downloads\PDFCreatorSetup.exe   a variant of Win32/InstallCore.E application
C:\Windows\System32\protector.dll   a variant of Win32/bProtector application

Offline Corrine

Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #7 on: July 19, 2012, 10:57:18 PM »
Hi, Rita.

Please go to VirusTotal:  http://www.virustotal.com/

In the "Upload a file", browse to the following file path and upload the file:  C:\Users\Rita\Downloads\PDFCreatorSetup.exe

Please repeat the same process for the following:  C:\Windows\System32\protector.dll

Note the URL for the results and post a link to each in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.


Offline Corrine

Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #9 on: July 20, 2012, 01:11:42 PM »
You're welcome, Rita. 

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
File::
c:\windows\system32\protector.dll
C:\Users\Rita\Downloads\PDFCreatorSetup.exe

Folder::
c:\program files\Ask.com

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Offline rc

  • Full Member
  • ***
  • Posts: 64
    • View Profile
Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #10 on: July 20, 2012, 02:45:43 PM »
Here are the results:   Thanks!!  :)
ComboFix 12-07-20.02 - Rita 07/20/2012   8:18.2.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3070.1936 [GMT -7:00]
Running from: c:\users\Rita\Downloads\ComboFix.exe
Command switches used :: c:\users\Rita\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Rita\Downloads\PDFCreatorSetup.exe"
"c:\windows\system32\protector.dll"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Ask.com
c:\program files\Ask.com\assets\oobe\b.png
c:\program files\Ask.com\assets\oobe\bl.png
c:\program files\Ask.com\assets\oobe\br.png
c:\program files\Ask.com\assets\oobe\l.png
c:\program files\Ask.com\assets\oobe\pointer.png
c:\program files\Ask.com\assets\oobe\r.png
c:\program files\Ask.com\assets\oobe\t.png
c:\program files\Ask.com\assets\oobe\tl.png
c:\program files\Ask.com\assets\oobe\tr.png
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\precache.exe
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\Updater\config.xml
c:\program files\Ask.com\Updater\Updater.exe
c:\program files\Ask.com\UpdateTask.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-20 to 2012-07-20  )))))))))))))))))))))))))))))))
.
.
2012-07-20 15:29 . 2012-07-20 15:29   --------   d-----w-   c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-07-20 15:29 . 2012-07-20 15:29   --------   d-----w-   c:\users\IUSR_NMPR\AppData\Local\temp
2012-07-20 15:29 . 2012-07-20 15:29   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-07-20 14:49 . 2012-06-29 08:44   6891424   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{D624FAA3-E9FF-4B2E-8B57-992B21D68C8E}\mpengine.dll
2012-07-20 05:03 . 2012-07-03 20:46   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-07-19 21:03 . 2012-07-19 21:03   --------   d--h--w-   c:\windows\AxInstSV
2012-07-19 21:02 . 2012-07-19 21:02   --------   d-----w-   c:\program files\Common Files\Java
2012-07-19 21:01 . 2012-07-19 21:01   --------   d-----w-   c:\program files\Oracle
2012-07-19 21:01 . 2012-07-06 05:06   772544   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-07-11 15:34 . 2012-06-12 02:40   2345984   ----a-w-   c:\windows\system32\win32k.sys
2012-07-08 01:33 . 2012-07-08 01:33   --------   d-----w-   c:\users\Rita\.jsapi
2012-07-08 01:32 . 2012-07-08 01:32   --------   d-----w-   c:\users\Rita\Sabre Red Workspace
2012-07-08 01:28 . 2012-07-08 01:32   --------   d-----w-   c:\users\Rita\AppData\Local\Sabre Red Workspace
2012-07-08 00:45 . 2012-07-08 00:45   --------   d-----w-   c:\windows\Pronto
2012-07-08 00:34 . 2012-07-08 00:34   --------   d-----w-   C:\SABRE
2012-06-29 04:28 . 2012-06-29 04:28   --------   dc-h--w-   c:\users\Rita\AppData\Local\{E8D024FE-9C03-4ECF-B3CA-FB58783D91C2}
2012-06-29 04:14 . 2012-06-29 04:14   --------   d-----w-   c:\users\Rita\AppData\Roaming\DirectLife
2012-06-29 04:13 . 2012-06-29 04:13   --------   d-----w-   c:\users\Rita\AppData\Local\PackageAware
2012-06-26 15:30 . 2012-06-26 15:30   --------   d-----w-   c:\users\Rita\AppData\Local\Macromedia
2012-06-26 02:39 . 2012-06-26 02:40   --------   d-----w-   c:\programdata\SUPERSetup
2012-06-26 02:38 . 2012-06-26 02:38   --------   d-----w-   c:\program files\SUPERAntiSpyware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 22:04 . 2012-04-15 15:45   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-07-11 22:04 . 2011-05-18 14:20   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 05:06 . 2010-04-20 15:31   687544   ----a-w-   c:\windows\system32\deployJava1.dll
2012-06-02 22:19 . 2012-06-19 14:41   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-19 14:42   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 14:42   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 14:41   35864   ----a-w-   c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 14:41   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 14:42   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-19 14:42   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-19 14:41   33792   ----a-w-   c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-19 14:41   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-05-31 19:25 . 2009-10-05 18:33   237072   ------w-   c:\windows\system32\MpSigStub.exe
2012-05-01 04:44 . 2012-06-12 23:39   164352   ----a-w-   c:\windows\system32\profsvc.dll
2012-04-28 03:17 . 2012-06-12 23:39   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45 . 2012-06-12 23:39   58880   ----a-w-   c:\windows\system32\rdpwsx.dll
2012-04-26 04:45 . 2012-06-12 23:39   129536   ----a-w-   c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41 . 2012-06-12 23:39   8192   ----a-w-   c:\windows\system32\rdrmemptylst.exe
2012-04-24 04:36 . 2012-06-12 23:39   140288   ----a-w-   c:\windows\system32\cryptsvc.dll
2012-04-24 04:36 . 2012-06-12 23:39   1158656   ----a-w-   c:\windows\system32\crypt32.dll
2012-04-24 04:36 . 2012-06-12 23:39   103936   ----a-w-   c:\windows\system32\cryptnet.dll
2011-11-21 04:04 . 2011-12-10 03:10   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn3\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-28 224248]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-11 3905408]
"ALconnect"="c:\users\Rita\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe" [2012-06-18 741504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-10 169328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-09-30 161336]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\users\Rita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2010-10-19 1795488]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2010-1-21 323584]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-8-5 1261568]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-3 54512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
.
[HKLM\~\startupfolder\C:^Users^Rita^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
path=c:\users\Rita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
.
[HKLM\~\startupfolder\C:^Users^Rita^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MEMonitor.lnk]
backup=c:\windows\pss\MEMonitor.lnk.Startup
backupExtension=.Startup
path=c:\users\Rita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEMonitor.lnk
.
[HKLM\~\startupfolder\C:^Users^Rita^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
path=c:\users\Rita\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-10-17 01:40   1197648   ----a-w-   c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
2006-11-18 13:01   182744   ----a-w-   c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 17:55   206064   ----a-w-   c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2010-11-20 12:17   144384   ----a-w-   c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-09-29 18:39   151552   ----a-w-   c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 17:35   221184   ----a-w-   c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 17:37   81920   ----a-w-   c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
2006-09-26 16:56   423424   ----a-w-   c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2010-11-20 12:17   1174016   ----a-w-   c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2010-11-20 12:20   859648   ----a-w-   c:\windows\System32\OobeFldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2009-07-14 01:14   65024   ----a-w-   c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-03-28 22:10   224248   ----a-w-   c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
R2 gupdate1ca1b5d2d110ea5;Google Update Service (gupdate1ca1b5d2d110ea5);c:\program files\Google\Update\GoogleUpdate.exe

R2 SCM_Service;SCM_Service;c:\windows\System32\WinService.exe

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltwlh.sys

R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe

R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe

S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

S2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe

S2 IBUpdaterService;Updater Service;c:\programdata\IBUpdaterService\ibsvc.exe

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe

S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys

S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys

S2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe

S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys

S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys

S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe

S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys

S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpnwlh.sys

S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS

S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS

.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - avgntflt
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-07-14 01:14   126464   ----a-w-   c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 22:04]
.
2012-07-19 c:\windows\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2010-06-28 20:57]
.
2012-07-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-25 17:57]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:57]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:57]
.
2012-07-19 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
2012-07-19 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-04-06 21:30]
.
2012-06-30 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2012-07-20 c:\windows\Tasks\User_Feed_Synchronization-{17ED33CB-05F1-4DA1-9A19-750230D986D6}.job
- c:\windows\system32\msfeedssync.exe [2011-05-13 18:03]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\SpecialSavings\SpecialSavingsSinged.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: weightwatchers.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} - hxxp://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://C:/Program Files/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - file://C:/Program Files/F5 VPN/F5_TMP/f5opswati.cab
FF - ProfilePath - c:\users\Rita\AppData\Roaming\Mozilla\Firefox\Profiles\6skr432c.default\
FF - prefs.js: browser.search.selectedengine - search the web (babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?af=114024&babsrc=hp_ss&mntrid=1a4c7ba500000000000000223f5c840e
FF - prefs.js: keyword.url - hxxp://search.babylon.com/?af=114024&babsrc=adbartrp&mntrid=1a4c7ba500000000000000223f5c840e&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
AddRemove-{79A765E1-C399-405B-85AF-466F52E918B0} - c:\program files\Ask.com\Updater\Updater.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-20  08:32:42
ComboFix-quarantined-files.txt  2012-07-20 15:32
ComboFix2.txt  2012-07-13 04:36
.
Pre-Run: 95,454,724,096 bytes free
Post-Run: 95,565,991,936 bytes free
.
- - End Of File - - 5E7D7AF03DBEFCB7DFB19E1FC66E41CF
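A ComboFix log like the one above is reviewed mostly through its autostart sections (the Run-key values, the service and driver list, and the scheduled tasks). The Python below is an added example for this thread, not ComboFix's own code: it parses those three line shapes and flags any entry whose binary lives in a user-writable location (profile folders, ProgramData, temp), which is where bundled "updater" components and droppers typically land. The sample lines are excerpted from the log posted above (the selection is mine), and the location rule is a triage heuristic I am adding, not something ComboFix reports.

```python
r"""Triage the autostart sections of a ComboFix log.

Added example for this thread, not ComboFix's own code. It parses the three
line shapes that appear in the log posted above:

    "Name"="c:\path\to\prog.exe" [2012-06-18 741504]      registry values
    R2 SvcName;Description;c:\path\to\svc.exe             services / drivers
    2012-07-19 c:\windows\Tasks\Foo.job                    scheduled task, and on
    - c:\path\to\foo.exe [2010-06-28 20:57]                the next line its command

and flags any autostart whose binary sits in a user-writable location.
The location rule is a triage heuristic of mine, not a ComboFix verdict.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# "Name"="path" [date size]; the date/size tail is optional.  This shape also
# covers URLSearchHooks values, hence the generic kind "regvalue".
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]+)"(?:\s+\[[\d-]+\s+\d+\])?\s*$')
SVC_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s*$')
JOB_RE = re.compile(r'^\d{4}-\d\d-\d\d\s+(?P<job>\S.*\.job)\s*$')
JOB_CMD_RE = re.compile(r'^-\s+(?P<path>.+?)\s+\[[\d-]+\s+[\d:]+\]\s*$')

# Locations a legitimately installed service, Run entry or task rarely launches from.
SUSPECT_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class Autostart:
    kind: str        # "regvalue", "service" or "task"
    name: str
    path: str
    suspicious: bool


def is_suspect(path: str) -> bool:
    """True when the launched binary sits in a user-writable location."""
    p = path.lower().replace("/", "\\").strip('"')
    return p.startswith(SUSPECT_PREFIXES)


def parse_combofix_autostarts(log_text: str) -> List[Autostart]:
    entries: List[Autostart] = []
    pending_job: Optional[str] = None  # .job whose "- command" line comes next
    for raw in log_text.splitlines():
        line = raw.strip()
        if pending_job is not None:
            job, pending_job = pending_job, None
            m = JOB_CMD_RE.match(line)
            if m:
                entries.append(Autostart("task", job, m.group("path"), is_suspect(m.group("path"))))
                continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Autostart("regvalue", m.group("name"), m.group("path"), is_suspect(m.group("path"))))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Autostart("service", m.group("name"), m.group("path"), is_suspect(m.group("path"))))
            continue
        m = JOB_RE.match(line)
        if m:
            pending_job = m.group("job").rsplit("\\", 1)[-1]
    return entries


def suspicious_names(log_text: str) -> List[str]:
    """Names of the autostarts launched from user-writable locations."""
    return [e.name for e in parse_combofix_autostarts(log_text) if e.suspicious]


# Constructed excerpt: these lines are taken from the log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"ALconnect"="c:\users\Rita\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe" [2012-06-18 741504]
.
R2 gupdate1ca1b5d2d110ea5;Google Update Service (gupdate1ca1b5d2d110ea5);c:\program files\Google\Update\GoogleUpdate.exe
S2 IBUpdaterService;Updater Service;c:\programdata\IBUpdaterService\ibsvc.exe
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys
.
2012-07-19 c:\windows\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2010-06-28 20:57]
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for e in parse_combofix_autostarts(text):
        print(("!! " if e.suspicious else "   ") + f"{e.kind:8} {e.name}  ->  {e.path}")
```

Pointed at the full ComboFix.txt it prints every autostart it recognises with `!!` on the ones in user-writable paths; on the excerpt those are `ALconnect` (under the user's roaming profile) and `IBUpdaterService` (under ProgramData). Those are leads to look into, not verdicts, and anything the script does not recognise (startup-folder .lnk lines, AppInit_DLLs) still needs to be read by eye.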

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14692
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #11 on: July 20, 2012, 04:31:28 PM »
Good job, Rita! 

How is your computer now?


Offline rc

  • Full Member
  • ***
  • Posts: 64
    • View Profile
Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #12 on: July 20, 2012, 04:47:08 PM »
Thanks :)
I have no idea!!!  Can you tell me?  LOL    Does this show that those trojans or malware or whatever they were were removed?  I don't know how to tell!!!  How can I check?  Also, I'm afraid that Microsoft Security Essentials is disabled like it was before, and I don't know how to get that back.  Am I supposed to have it along with the AntiMalware and SuperAntiSpyware?   Thanks!
Rita

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14692
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #13 on: July 20, 2012, 08:44:59 PM »
Hi, Rita.

Well, unless you want to bring your computer to my house, you need to be the judge of how well your computer is working since we started the cleanup process.  :D  Seriously, the signs of infection that I found all appear to be gone. 

First, let's take care of ComboFix.  Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


Next, regarding Microsoft Security Essentials.  Yes, you need an antivirus program, so let's see about getting it working again.  Can you access the Windows Security Center?  Is the Windows 7 Firewall operational?

Let's try manually starting the service for Microsoft Security Essentials.
  • For Windows 7, click Start, click in the Start Search box, type services.msc, and then press Enter.
  • Search for Microsoft Antimalware Service. Right-click it and select Properties or double-click it to open the service.
  • Check to make sure that the "Startup Type" is set to "Automatic".
  • Click the Start button to start the service. If the Start button isn't available, click the Stop button, and then click the Start button to restart the service.

Please let me know the results. 


Offline rc

  • Full Member
  • ***
  • Posts: 64
    • View Profile
Re: Have a PUP.bProtector that AntiSpyware won't remove
« Reply #14 on: July 21, 2012, 01:11:45 AM »
The Firewall says it is turned on.  I can't find Windows Security Center, but when I followed your instructions it was already set to Automatic - I clicked Start, and I got the message that Microsoft Security Essentials is turned off and must be turned on manually - it said click for more info, and when I did I got this screen:  (I just attached it - hope you can see it)  Basically it says the same thing - MSE is turned off, and the turn on button is grayed out.  :(