
PC World Forums: How to get rid of viruses that keep popping up? - PC World Forums


How to get rid of viruses that keep popping up?

#21 Flashorn

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 23 July 2009 - 04:32 AM

Hey mizzvee !!

OK, I should have noticed the names of the files before but, I didn't pay attention (sorry). I thought you just wanted to delete files that came with the Smiley Central.

Now, ntuser.dat LOG 1 File 256 KB is most likely Your user file. Do Not delete. It is part of the Registry and is a Protected file. You will not be able to delete and if you do, the part of the registry that this and the other file belongs to, will be deleted along with it.

The other file indicating 0 bytes would be part of another user account if and when it is created. Do Not delete this one either. Just leave them be. One NTUSER.DAT for each user on the machine. As you install other software, this file will most likely grow. They are and will be needed for the good of the registry and the Operating System (Vista).

I hope you will forgive my oversight.

FLASHORN.

#22 JimH443

  • Expert
  • Group: Members
  • Posts: 1,216
  • Joined: 06-May 07

Posted 23 July 2009 - 05:00 AM

If it was Smiley Central, it's harmless enough anyway. Yes, it has its quirks (as I recall, it might temporarily hijack your home page and install a toolbar in IE) but it's not like your computer is "infected" or anything. I've had it on my system and enjoyed the added abilities. I have yet to figure out why so many virus scanners get so hyper about it.



But it is a real bugger to remove completely. I found removal instructions at http://www.pchell.co...eycentral.shtml, but these do presume a familiarity with the program HijackThis.

#23 Flashorn

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 23 July 2009 - 05:22 AM

Hey Jim !!

The Virus scanners get so up-tight about it because they invite other forms of security breach. Not to mention pop-ups and ads which will lead to infected PCs.

They are easily spotted with the help of HjT but, only if you are familiar with the program. To be able to use this program, you have to have a lot of training which takes years of studying.

OH, and Hijacking of your Home Page for ANY length of time is akin to hijacking your privacy.

Sorry but, I do not share your views on this piece of software.

FLASHORN.

#24 JimH443

  • Expert
  • Group: Members
  • Posts: 1,216
  • Joined: 06-May 07

Posted 23 July 2009 - 05:37 AM

There is a lot of controversy about Smiley Central to be found on the net. I had it on my computer for years and never had any problem because of it. That's not to say it's not possible - merely that over the course of about 2 years it never did actually happen to me.

#25 dacohenz

  • Advanced Member
  • Group: Members
  • Posts: 140
  • Joined: 29-August 06
  • Location:Buffalo Grove, IL

Posted 23 July 2009 - 05:49 AM

There is a software that I use that may help in this situation, but it is a dangerous software. At times, I have not been able to boot the computer, I just get a boot loop. This software has an over 99% success rate for me however. Do a search for combofix, it normally does a great job when used with Malwarebytes.



Dave

#26 mizzvee210

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 12-December 08

Posted 23 July 2009 - 06:00 AM

No problem thanks for your help! :)

#27 mizzvee210

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 12-December 08

Posted 23 July 2009 - 06:05 AM

How can I get rid of these Adwares that keep popping up in my Super Anti spyware scan? They are found in the Registry Items section.

Here are the names:

Adware.HB Helper (6)

Adware.System Search Dispatch (9)

Adware.Juicy Access (2)

Threats Detected: 17

#28 JimH443

  • Expert
  • Group: Members
  • Posts: 1,216
  • Joined: 06-May 07

Posted 23 July 2009 - 06:22 AM

Spybot Search & Destroy is a good free program that cleans out suspicious registry entries. It's available at:

http://www.safer-networking.org/

#29 Flashorn

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 23 July 2009 - 07:20 AM

Hey mizzvee !!

Ok, since they are recurring, we would need to verify that you don't have a Tool Bar installed in the Features & Programs. We will also Delete All restore points except the latest one.

First > Go to > Start > Control Panel > Features & Programs. Wait for the list to populate. Verify the names of the programs. If there is one or more that you don't recognize or that is similar to the ones reported by SUPERAntiSpyware, post the name(s) in your next reply.

To delete the restore points :

Go to > Start > Programs > Accessories > System Tools > Disk Cleanup.

Click on the last one (Disk Cleanup). Follow the pics :

Click on the "Files from all users....."

Posted Image

Click "OK" unless you have another Drive Letter for your Main Drive.

Posted Image

Progression of Cleanup. A few seconds.

Posted Image

This will pop-up after cleanup. Now, Do Not click on "OK" yet. Click the "More Options" tab.

Posted Image

On the "More Options" screen, click on the BOTTOM Clean up.

Posted Image

You will get this Pop-Up. Click on the DELETE.

Posted Image

Wait until you can highlight the "OK" button by mousing over it with the cursor. Once it becomes blue when mousing over, click it. You will get another pop-up asking :

Posted Image

Click on the DELETE FILES. A progress bar will appear and when the Cleanup is done, all of the screens will disappear. You are now done cleaning.

After the Clean up, Re-Scan using SUPERAntiSpyware. Use a Quick Scan. I would also recommend you install, update the definitions Before scanning with MalwareBytes' Anti-Malware. Do a Quick Scan (3 minutes).

After you are done please post your progress.

FLASHORN.

#30 Flashorn

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 23 July 2009 - 07:46 AM

Hey mizzvee !!

While we are doing some Spring cleanup, we will also delete the Java temps files.

Go to > Start > Control Panel > Java.

Double click on Java. Wait a few seconds and the Control Panel for Java will appear. Click on the "Settings" button at the bottom of the screen.

Posted Image

Once clicked, a pop-up will appear :

Now, UNCHECK the box in the upper left hand corner. At the bottom of this pop-up, click on the "Delete Files". Another pop-up will show.

Posted Image

Click on the "OK" button to delete all Java Temps Files. They are a source for infection.

Posted Image

To close all other screens, click on the OK on the "Temps Files Settings". Then, on the APPLY and OK on the Bottom of the Java Control Panel.

If you have any questions in regards to the order of the cleaning procedure, please ask before going forward.

FLASHORN.

#31 SpiritWind

  • Expert
  • Group: Members
  • Posts: 1,919
  • Joined: 19-August 06

Posted 23 July 2009 - 11:24 AM

:D Hi Mizzvee ( and Flashorn ) :

Flashorn failed to issue some additional Precautions that should be done when it comes to downloading the "Unlocker" program; when I recommend the program, I usually, if NOT always recommend NOT having Unlocker Explorer extension run in "Silent Mode" AND De-activate "Unlocker Assistant" during Installation. These 2 are found in the "Frequently Asked Questions" section on the website.

IF you are getting repeated "Reports" of Adware, you should consider using the FREE "CookieWall", available from the Author's Site at www.analogx.com/contents/download/network/cookie.htm

There is additional Info on this program at [http://www.spychecker.com/program/cookiewall.html] and a screenshot at [http://www.spychecker.com/screenshots/cookiewall.htm].

It would be a whole lot easier to clean your Java Cache by using the FREE "ATF Cleaner".

#32 mizzvee210

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 12-December 08

Posted 23 July 2009 - 09:58 PM

OK super anti spyware says there's now 15 threats detected & malwarebytes says it has detected 16...do I next these scans now & reboot if it asks to?

#33 Flashorn

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 24 July 2009 - 12:46 AM

Hey mizzvee !!

YES, most definitely. If you are asked to Delete them then, do so. This will "Quarantine" those infected files. Once you have clicked on Next and / or re-booted, run another scan with Both to see if anything else is detected. Report your progress along with the Logs of Both the scanners in your next reply.

Ok, if you followed the pics and SUPERAntiSpyware and MalwareBytes' Anti-Malware returned with more infections detected, could you please post the Logs from both of the scanners.

In MalwareBytes', you will see a Logs tab on the top portion of the screen. Click on it and from there, choose the appropriate date of the Log. Double click on it and it will open in a Notepad .doc. Simply Copy & Paste in your next post.

In SUPERAntiSpyware, from the Front screen, click on the "Preferences" button. From there, you will see a "Statistics / Logs" tab. Click on it. Then, from the list of Logs, choose the appropriate date by clicking Once on that Log. From the Right hand panel click on the "View Log" button. Again, the Log will open in Notepad. Simply Copy & Paste in your next post.

This will give us the Path of the infected items. We could then use the appropriate tools IF necessary to dislodge those pesky Adware.

I know it's a lot of work and sometimes confusing but, it is a necessary evil if you want to regain control of your notebook. The next time someone asks to use your notebook, you should create a New User Account. This will limit what that person can do with your notebook.

FLASHORN.

#34 mizzvee210

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 12-December 08

Posted 24 July 2009 - 07:48 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/24/2009 at 07:14 AM

Application Version : 4.23.1006

Core Rules Database Version : 4015
Trace Rules Database Version: 1955

Scan type : Quick Scan
Total Scan Time : 00:33:48

Memory items scanned : 176
Memory threats detected : 0
Registry items scanned : 260
Registry threats detected : 13
File items scanned : 6897
File threats detected : 0

Adware.HBHelper
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID

Adware.SystemSearchDispatch
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\InprocServer32
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\ProgID
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\Programmable
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\TypeLib
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\VersionIndependentProgID

Adware.JuicyAccess
HKLM\Software\DoubleD
HKLM\Software\DoubleD\DoubleD

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes' Anti-Malware 1.39
Database version: 2492
Windows 6.0.6002 Service Pack 2

7/24/2009 3:16:46 AM
mbam-log-2009-07-24 (03-16-46).txt

Scan type: Quick Scan
Objects scanned: 22050
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#35 Flashorn

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 24 July 2009 - 05:38 PM

Hey mizzvee !!

How is the notebook running now ?? Please be specific. Did you run another scan with Both AFTER the deletion of those infected registry keys ??

Thanks for the Logs. One point which you might want to take care of. SUPERAntiSpyware is Out of Date. Please update the definitions along with the newer version. It should read :

version :

Posted Image

As for MalwareBytes', it is up to date.

Now would be a good idea to run the ATF Cleaner mentioned by SpiritWind. The version 3 is also recommended for Vista as this is the only one we recommend.

I would like you to run a few other Tools which May or May not find anything but, will re-assure us that nothing was left behind by Both scanners. The first is an On Demand Antivirus tool. Dr.Web CureIt. Simply scroll down to the bottom of the page and click on the "Download Dr.WebCureIt". There are NO updates to perform as the module you are downloading is the latest version all the time. There is NO installation to perform. It will NOT interfere with any other security programs on your notebook. The "Quick Scan" will only take a few minutes and if it finds anything, they will be available to see on the front bottom part of the pop-up as it scans. This is what the downloaded file will look like along with the version :

Posted Image

You will have to Right Click on the .exe and choose "Run as Administrator", to get the process started. Accept the Prompt.

This is what comes up :

Posted Image

Click on the Start button and let it go. It will scan for viruses and other malware. Once finished (about 3 minutes or less) this is what will show :

Posted Image

If it finds any infected files, they will show under the Object, Path, Status, Action. Follow the prompts to delete or re-boot to delete.

When finished with Dr.Web CureIt simply click on the Red X at the top right of the pop-up.

I will instruct on the other tool After you have performed these tasks. Please report your findings in your next reply. If you have any questions before doing a task, please stop and ask.

FLASHORN.

#36 mizzvee210

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 12-December 08

Posted 24 July 2009 - 10:58 PM

My notebook is running a little better. Although I forgot to mention my notebook has been freezing and shutting off for no reason. A few days ago it started shutting down for no reason. The computer wouldn't turn off though, just the screen. It was just a black screen. I figured maybe it was too hot or something. But not even 20 minutes that I'm on it happens. And now these past 2 days my volume keeps going off. It will make sound and then later I see it's not working at all so I have to restart. And just this morning I was restarting (not rebooting) and as it said "Shutting Down" it froze & then went to a black screen with a blue line at the bottom but it was still running. I left it alone and it ended up starting by itself again. Is this a sign of anything?

Yes, I ran both scans after the reboots. Super Anti Spyware found 13 threats detected when usually it finds 17. The Malwarebytes found 16. I will do these next steps and report the progress. Thank you!

#37 Flashorn

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 24 July 2009 - 11:51 PM

Hey mizzvee !!

Can you post the logs for the Last scans with MalwareBytes' and SUPERAntiSpyware. The ones you say that you did After the deletion of the first detection of these malware. IF you didn't re-boot your PC after the first detection, it might be that nothing was deleted the first time.

I will wait for the results of Dr.Web CureIt before asking you to do any other tasks.

FLASHORN.

#38 mizzvee210

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 12-December 08

Posted 25 July 2009 - 12:55 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/25/2009 at 03:20 AM

Application Version : 4.23.1006

Core Rules Database Version : 4019
Trace Rules Database Version: 1959

Scan type : Quick Scan
Total Scan Time : 00:05:30

Memory items scanned : 189
Memory threats detected : 0
Registry items scanned : 261
Registry threats detected : 11
File items scanned : 1147
File threats detected : 0

Adware.HBHelper
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID

Adware.SystemSearchDispatch
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\InprocServer32
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\ProgID
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\Programmable
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\TypeLib
HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\VersionIndependentProgID



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes' Anti-Malware 1.39
Database version: 2498
Windows 6.0.6002 Service Pack 2

7/25/2009 3:10:46 AM
mbam-log-2009-07-25 (03-10-46).txt

Scan type: Quick Scan
Objects scanned: 77366
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{480098c6-f6ad-4c61-9b5c-2bae228a34d1} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\DoubleD (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} (Adware.DoubleD) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\vangie\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\Users\vangie\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\Data (Adware.DoubleD) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\vangie\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\bg.jpg (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\Users\vangie\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\CurrentVersion.xml (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\Users\vangie\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\icon.ico (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\Users\vangie\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\ProductInfo.dll (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\Users\vangie\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\stbdl.exe (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\Users\vangie\local settings\temporary internet files\{5617eca9-488d-4ba2-8562-9710b9ab78d2}\Data\ProductInfo.mx (Adware.DoubleD) -> Quarantined and deleted successfully.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes' Anti-Malware 1.39
Database version: 2492
Windows 6.0.6002 Service Pack 2

7/25/2009 3:02:36 AM
mbam-log-2009-07-25 (03-02-36).txt

Scan type: Quick Scan
Objects scanned: 22341
Time elapsed: 4 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#39 mizzvee210

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 12-December 08

Posted 25 July 2009 - 12:57 AM

OK, just posted the recent logs. I followed the Dr.Web Cureit instructions but it said Done-0 Viruses Found.

#40 Flashorn

  • Expert
  • Group: Members
  • Posts: 2,848
  • Joined: 19-May 07
  • Location:Canada

Posted 25 July 2009 - 02:27 AM

Hey mizzvee !!

You've done well considering all of the scans I've had you do. I do believe your browser has been hijacked and those recurring infected files are somehow hidden from the tools we would normally use to detect and delete.

Unfortunately, this is as far as I dare to venture with this kind of infection. We would need the help of the program HijackThis in order to determine where they are hiding. I am not trained to read those HjT logs. Unless SpiritWind has more to add, I can only direct you to a site where those Trained Experts will read and know where to look. I don't think the use of more specialized tools will help until we know exactly where to find the infected files.

If you don't mind registering "Register at AumHa" and posting at Aumha.net, they will be able to find the hidden places and delete the intruders. They are very understanding and patient. When explaining your problem, be as specific as possible and also, tell them what you have done so far. Every bit of information is valuable. If you don't understand one of the tasks, ask and they will explain what has to be done. You could also post your question here in this thread and we will explain what and how it is to be done.

The first post on their forum is "Read First ! Your post will be...." You should read it and then, post your problem along with the logs that they will require in the same forum as I have posted above.

I'm sure they will have you back up and running in no time.

If you have any concerns, post it in your next reply and I will do my best to help.

FLASHORN.
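The recurring detections discussed in this thread can be read directly out of the posted Malwarebytes logs by comparing scans. The Python below is an added example, not part of the thread or of either scanner: the sample lines are a constructed excerpt of the three Malwarebytes logs posted above (path separators written out), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# A Malwarebytes 1.39 detection line has the shape
#   <object> (<Family.Name>) -> [Bad: (..) Good: (..) -> ]<action>.
DETECTION = re.compile(
    r"^(?P<obj>.+?) \((?P<family>[A-Za-z]+\.[A-Za-z]+)\) -> "
    r"(?:Bad: \(.*?\) Good: \(.*?\) -> )?(?P<action>[^.]+)\.$"
)

# Constructed sample input: a few lines from each log posted in the thread.
SCAN_0724 = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Quarantined and deleted successfully.
"""
SCAN_0725_A = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Delete on reboot.
"""
SCAN_0725_B = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{480098c6-f6ad-4c61-9b5c-2bae228a34d1} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cdbfb47b-58a8-4111-bf95-06178dce326d} (Adware.DoubleD) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\DoubleD (Adware.DoubleD) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""
# Chronological order, labelled with the timestamps printed in each log.
SCANS = [
    ("2009-07-24 03:16", SCAN_0724),
    ("2009-07-25 03:02", SCAN_0725_A),
    ("2009-07-25 03:10", SCAN_0725_B),
]


def parse_scan(text):
    """Return [(object, family, action)] for every detection line in one log."""
    hits = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            # Registry and NTFS paths are case-insensitive and the scanners
            # print the same GUID in different cases, so compare lower-cased.
            hits.append((m["obj"].lower(), m["family"], m["action"]))
    return hits


def recurring(scans):
    """Objects detected in two or more scans, with what happened each time."""
    seen = defaultdict(list)
    for label, text in scans:
        for obj, family, action in parse_scan(text):
            seen[obj].append((label, family, action))
    return {obj: hist for obj, hist in seen.items() if len(hist) > 1}


def never_removed(scans):
    """Recurring objects that were only ever queued as 'Delete on reboot':
    the deletion was scheduled each time, yet the next scan found them again."""
    return sorted(
        obj for obj, hist in recurring(scans).items()
        if all(action == "Delete on reboot" for _, _, action in hist)
    )


if __name__ == "__main__":
    history = recurring(SCANS)
    for obj in never_removed(SCANS):
        when = ", ".join(label for label, _, _ in history[obj])
        print(f"{obj}\n  queued for deletion but still present in: {when}")
```

Run against the full logs, the objects this reports are the ones worth listing first when handing the case to someone who reads HijackThis logs.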
