# AMMYY phone scam?



## Joker37

Hi everybody!

Ten minutes ago I got a call from someone with an Indian accent claiming that there was something wrong with my computer. They told me to click the windows key from my keyboard and then click r, which led to the run tab. They then told me to enter "inf" and click okay. They said that I had some dangerous files and that I needed to go to this site in order to get rid of the files:

http://www.ammyy.com/en/

I clicked it however I sort of hung up straight after when they asked me what my computer ID was.

Anyway, I was wondering whether anybody knows whether they were legitimately trying to help me or if it was some scam? And with these sorts of things, how do you know?


----------



## Aastii

It was a scam. You know it is a scam because nobody will spontaneously call saying "there is something wrong with your computer" because there is no way for them to know that.

What they will do is take you to a site, get you to download something and it will mess up your system, it will basically be a virus that you agreed to install onto your computer. They will then say to recover your system you must buy x, y and z software. It does nothing to help, but they will have your money and, potentially, your bank details, so will clean you out


----------



## johnb35

As Aastii as said, its a scam and you will need to clean it off your system. I had the joy of removing this off of one my clients pc's just a few weeks ago.  I told them to never allow someone else to manually take over their system and try to tell them that they are infected.

Please do the following.

Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
*Update Malwarebytes' Anti-Malware*
and *Launch Malwarebytes' Anti-Malware*
 
then click *Finish*.
If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr,  Rkill.exe, or Rkill.com  but *DO NOT *reboot the system and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.



Download the HijackThis installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log


----------



## Lost Underwear

yeah how does anyone know theres anything wrong with your computer?

next time go on a rant at them about how they know about where you live and how they got your ip ect ect.  they dont have it but that would be the only way they could know youe pc is broke and have you location.   put the scare in them a little play fire with fire!   See how quickly they hang up on you instead of the other way around


----------



## Lliam

JohnB35 I have the same problem. here is my Mbam log:  Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8384

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17/12/2011 15:45:10
mbam-log-2011-12-17 (15-45-09).txt

Scan type: Quick scan
Objects scanned: 166762
Time elapsed: 11 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


and my HJT log: Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:02:07, on 17/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://dub106.mail.live.com/default.aspx?id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\WI371A~1\Datamngr\BROWSE~1.DLL
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Security Essentials.lnk = C:\Program Files\Microsoft Security Client\msseces.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1315236543279
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1315995271281
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - (no file)
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - (no file)
O18 - Protocol: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

--
End of file - 5014 bytes


----------



## johnb35

Lliam,

I need you to run combofix to get a better idea of what files are on your system that have been created in the last 30 days.  

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

*Combofix*


When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
Save the file to your windows desktop.  The combofix icon will look like this when it has downloaded to your desktop.





We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:


Close all open Windows including this one. 

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found *here*.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Please click on I agree on the disclaimer window.
ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.





ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.





Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:





At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.

Please click on yes in the next window to continue scanning for malware.

ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.





When ComboFix has finished running, you will see a screen stating that it is preparing the log report.

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.  

Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy.  Then come to the forum in your reply and right click on your mouse and click on paste.  



In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## turbodiesel

you could tell it was a scam because nobody gives free computer fixing 
and the fact they knew your number


----------



## pwlljakob

Their website says the following:


Ammyy Admin - cases of malicious use. Official WARNING.

Dear users of Ammyy Admin 

Unfortunately, there are some cases of malicious use of our software noticed. Please be attentive and never grant access to people you don't know personally or whom you don't trust.

!!! If you receive a phone call claiming to be from 'Microsoft' or someone claiming to work on their behalf, telling you that you have a virus on your computer or some errors which they will help you to fix via Ammyy Admin, it is definitely a scam.

There also might be phone calls from people presenting themselves as internet service provider technicians or any other tech support specialists.

Ammyy Inc. is a legit software development company, we take the privacy and security of our customers and partners personal information very seriously. We are advising Ammyy Admin users to treat all unsolicited phone calls with skepticism and not to grant access to your PC to anyone you don't know personally.

We can assure you Ammyy Inc. doesn't make these kinds of calls and never asks to download and launch Ammyy Admin.

Here are some cases of scam:

"I got call from an India based consultant who said to me that he is calling from a govt. organisation in Melbourne, Australia. He made me to log into my computer to track some files and without advising me he wanted me to download a software application from ammyy.com and get remotely connected to a technician to delete some files..."

"I was recently called by what I thought was my internet service provider technician who used Ammyy to gain remote access to my computer - after I stupidly granted him that permission. It turns out that he was nothing to do with my internet service provider. When I became suspicious and began questioning him he said he would show me who he was and opened a website of a company - the web site triggered my virus software and I then demanded that the remote access be terminated..."

In case you received such type of phone call - hang up, do not let them have remote control access to your computer and never provide any of your credit card requisites.

*If you got scammed...

If you got scammed (launched Ammyy Admin and granted access to your PC to a scammer and inputted your credit card requisites during the remote desktop connection session) please do the following:
1) Turn off your Internet connection, then turn off the PC and call your bank to freeze all your bank accounts.
2) Boot your PC in the safe mode and check it for viruses (it's possible the scammers had run their malicious hidden software)
3) If your Antivirus Software shows no warnings restart the PC and make sure Ammyy Admin Service isn't installed and doesn't run in automatic mode. For this go to main window of Ammyy Admin -> Ammyy -> Service -> Remove. Then restart your PC again.
*
If you're not sure you can manage the actions described above then just turn off your PC and address to a computer specialist you know or to a company that provides technical support.

Ammyy Admin software (if downloaded from www.ammyy.com) itself doesn't bring any risk of data leakage or harm to your PC. It doesn't make any hidden manipulations with your files and folders. You also don't have to uninstall it. If you decide not to use Ammyy Admin just delete the exe file from your PC.


Best wishes

Ammyy Inc. team

	Privacy Policy  Terms and Conditions  EULA	 Copyright © 2011 Ammyy. All rights reserved.




> I acctually Quite Like this software!


----------



## johnb35

It's still a scam and the software needs to come off the system, its used for mailicious purposes.  I wouldn't even trust this sofware since its associated with the scam.


----------



## Lliam

John, here's the combo log you asked for.
Lliam.

ComboFix 11-12-17.05 - Owner 18/12/2011  14:37:17.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.446.202 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Virgin Media Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Firewall Booster *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\alcrmv.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-11-18 to 2011-12-18  )))))))))))))))))))))))))))))))
.
.
2011-12-18 12:41 . 2011-12-18 12:41	--------	d-----w-	c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2011-12-18 12:22 . 2011-11-21 02:47	6823496	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5DEC67C-2663-43D5-9C31-65018C9AA407}\mpengine.dll
2011-12-17 16:00 . 2011-12-17 16:01	388096	----a-r-	c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-17 15:30 . 2011-12-17 15:30	--------	d-----w-	c:\documents and settings\Owner\Application Data\Malwarebytes
2011-12-17 15:30 . 2011-12-17 15:30	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-17 15:29 . 2011-08-31 17:00	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-12-17 15:29 . 2011-12-17 15:30	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-12-15 18:02 . 2011-12-15 18:02	--------	d-----w-	c:\program files\CCleaner
2011-12-15 15:29 . 2011-12-15 15:30	--------	d-----w-	c:\program files\Opera
2011-12-15 11:17 . 2011-11-21 02:47	6823496	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-14 16:28 . 2010-10-19 20:51	222080	------w-	c:\windows\system32\MpSigStub.exe
2011-12-14 16:25 . 2011-12-14 16:25	--------	d-----w-	c:\program files\Microsoft Security Client
2011-12-14 16:19 . 2011-12-14 16:19	--------	d-----w-	c:\documents and settings\Guest\AppData
2011-12-14 16:18 . 2011-12-14 16:18	--------	d-----w-	c:\documents and settings\Guest\Application Data\searchquband
2011-12-14 16:17 . 2011-12-14 16:17	--------	d-----w-	c:\documents and settings\Guest\Application Data\Radialpoint
2011-12-14 16:16 . 2011-12-14 16:16	--------	d-----w-	c:\documents and settings\Guest\Application Data\{{userdatapath.company}}
2011-12-14 16:16 . 2011-12-14 16:19	--------	d-----w-	c:\documents and settings\Guest\Application Data\searchqutoolbar
2011-12-14 16:15 . 2011-12-14 16:15	--------	d-----w-	c:\documents and settings\Guest\Application Data\Virgin Media
2011-12-12 18:31 . 2011-12-15 18:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-12-12 18:31 . 2011-12-12 18:36	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2011-12-11 12:28 . 2010-09-17 21:14	341072	----a-w-	c:\windows\system32\drivers\TM_CFW.sys
2011-12-11 12:25 . 2011-12-11 12:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERSetup
2011-12-11 12:23 . 2011-12-11 12:23	--------	d-----w-	c:\documents and settings\Owner\Application Data\{{userdatapath.company}}
2011-12-11 12:14 . 2010-09-17 21:14	92112	----a-w-	c:\windows\system32\drivers\tmtdi.sys
2011-12-11 12:12 . 2010-09-17 21:14	80464	----a-w-	c:\windows\system32\drivers\tmactmon.sys
2011-12-11 12:12 . 2010-09-17 21:14	64080	----a-w-	c:\windows\system32\drivers\tmevtmgr.sys
2011-12-11 12:12 . 2010-09-17 21:14	189520	----a-w-	c:\windows\system32\drivers\tmcomm.sys
2011-12-11 12:08 . 2011-12-17 16:00	--------	d-----w-	c:\program files\Trend Micro
2011-12-11 11:04 . 2011-12-11 11:04	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-12-11 11:04 . 2011-12-11 11:04	--------	d-----w-	c:\program files\AVG
2011-12-07 13:49 . 2011-12-07 13:49	--------	d-----w-	c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-12-06 16:08 . 2011-12-06 16:08	--------	d-----w-	c:\windows\system32\config\systemprofile\Application Data\Radialpoint
2011-12-06 15:49 . 2011-12-06 15:49	--------	d-----w-	c:\documents and settings\LocalService\Application Data\Trend Micro
2011-12-06 15:47 . 2011-12-15 11:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\Trend Micro
2011-12-06 15:10 . 2011-12-06 15:10	--------	d-----w-	c:\documents and settings\Owner\Application Data\Virgin Media
2011-12-06 15:10 . 2011-12-15 10:49	--------	d-----w-	c:\documents and settings\All Users\Application Data\Radialpoint
2011-12-06 15:10 . 2011-12-14 14:36	--------	d-----w-	c:\documents and settings\Owner\Application Data\Radialpoint
2011-12-06 15:10 . 2011-12-15 11:14	--------	d-----w-	c:\program files\Virgin Media
2011-12-06 15:10 . 2011-12-15 11:05	--------	d-----w-	c:\documents and settings\All Users\Application Data\Virgin Media
2011-12-02 18:46 . 2011-12-02 18:46	--------	d--h--w-	c:\windows\PIF
2011-12-02 18:36 . 2011-12-03 10:49	--------	d-----w-	c:\documents and settings\Owner\Application Data\AVG
2011-11-29 18:38 . 2011-11-29 18:38	--------	d-----w-	c:\documents and settings\Owner\Application Data\DivX
2011-11-29 18:29 . 2011-11-29 19:29	--------	d-----w-	c:\program files\DivX
2011-11-29 18:26 . 2011-11-29 19:29	--------	d-----w-	c:\documents and settings\All Users\Application Data\DivX
2011-11-28 11:10 . 2011-11-28 11:10	--------	d-----w-	c:\documents and settings\All Users\Application Data\boost_interprocess
2011-11-27 17:29 . 2011-11-27 17:30	--------	d-----w-	c:\documents and settings\Owner\Application Data\vlc
2011-11-27 17:26 . 2011-11-27 17:27	--------	d-----w-	c:\documents and settings\Owner\Local Settings\Application Data\Ilivid Player
2011-11-27 17:24 . 2011-11-27 17:24	--------	d-----w-	c:\documents and settings\Owner\AppData
2011-11-27 17:24 . 2011-11-27 17:24	--------	d-----w-	c:\documents and settings\Owner\Application Data\searchquband
2011-11-27 15:31 . 2011-11-27 17:26	--------	d-----w-	c:\documents and settings\Owner\Application Data\searchqutoolbar
2011-11-27 15:31 . 2011-11-27 15:31	--------	d-----w-	c:\program files\Windows iLivid Toolbar
2011-11-23 13:25 . 2011-11-23 13:25	1859584	-c----w-	c:\windows\system32\dllcache\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 11:11 . 2011-09-05 15:54	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2011-09-14 12:00	1859584	----a-w-	c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-04 12:00	916992	----a-w-	c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 12:00	43520	----a-w-	c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 12:00	1469440	----a-w-	c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00	385024	----a-w-	c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 12:00	1288704	----a-w-	c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2011-09-14 12:00	33280	----a-w-	c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2011-09-14 11:49	2192768	----a-w-	c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2011-09-14 11:49	2069376	----a-w-	c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 12:00	186880	----a-w-	c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2011-09-05 14:32	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 12:00	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 18:59	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2004-08-04 12:00	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2004-08-04 12:00	20480	----a-w-	c:\windows\system32\oleaccrc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54	551296	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 04:42	15360	----a-w-	c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DATAMNGR]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 15:16	997920	----a-w-	c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
2007-06-11 10:15	176128	----a-r-	c:\windows\system32\S3Trayp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MsMpSvc"=2 (0x2)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"cisvc"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"!SASCORE"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\REALTEK\\11n USB Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 4:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 9:55 PM 67664]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [12/11/2011 12:28 PM 341072]
S1 MpKsl4da05428;MpKsl4da05428;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5DEC67C-2663-43D5-9C31-65018C9AA407}\MpKsl4da05428.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5DEC67C-2663-43D5-9C31-65018C9AA407}\MpKsl4da05428.sys [?]
S1 MpKsl66a82d02;MpKsl66a82d02;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5DEC67C-2663-43D5-9C31-65018C9AA407}\MpKsl66a82d02.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5DEC67C-2663-43D5-9C31-65018C9AA407}\MpKsl66a82d02.sys [?]
S1 MpKsle6050b43;MpKsle6050b43;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{48338B2F-7A02-4D26-9511-40D44D0A7B2A}\MpKsle6050b43.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{48338B2F-7A02-4D26-9511-40D44D0A7B2A}\MpKsle6050b43.sys [?]
S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\drivers\vq318vid.sys [4/22/2002 8:28 AM 113632]
S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192cu.sys [9/5/2011 3:14 PM 894696]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 11:38 PM 116608]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]
.
.
------- Supplementary Scan -------
.
uStart Page = https://dub106.mail.live.com/default.aspx?id=64855
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-18 14:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-789336058-1450960922-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(860)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-18  14:52:25 - machine was rebooted
ComboFix-quarantined-files.txt  2011-12-18 14:52
.
Pre-Run: 65,898,217,472 bytes free
Post-Run: 66,380,050,432 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C2426BE50235C5CEADCCCD8BCFD492D5


----------



## johnb35

I don't see any remnants of ammyy on your system unless they changed their ways.  However, you do have some issues on your system and I need to see an uninstall list before posting what to do next.  Combofix created the log for us but doesn't automatically show it.  Navigate to C:\Qoobox and in that folder will be a file named add-remove programs.txt, please copy the contents and post it back here.


----------



## Lliam

Hi again John, thanks for your help. My computer seems to be running a little faster after the scanning process.

 Here's a fresh hijackthis log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:31:32, on 18/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://dub106.mail.live.com/default.aspx?id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1315236543279
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1315995271281
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - (no file)
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - (no file)
O18 - Protocol: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

--
End of file - 4010 bytes


----------



## Lliam

Ok John.

123 Free Solitaire 2011 v8.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
AMD Processor Driver
CCleaner
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB2633952)
jv16 PowerTools 1.3
M318B Digital Video Camera
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Professional
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Nero OEM
Opera 11.60
PowerDVD
Realtek AC'97 Audio
REALTEK Wireless LAN Driver and Utility
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Spybot - Search & Destroy
VC80CRTRedist - 8.0.50727.6195
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3


----------



## S.T.A.R.S.

Only a moron would believe to unknown person who calls someone on the phone to tell him/her that something is wrong with his/her PC lmao!Because there is NO WAY for a scammer(s) to know that.No offence to anyone of course,but really...only morons would provide personal and bank informations to someone unknown who just called them on the phone lmao!


----------



## johnb35

Ok, they are not listed in add/remove programs list.  I need you to download and run a couple removal tools.

Trend micro - http://solutionfile.trendmicro.com/solutionfile/EN-1037161/32bit.exe

1.  Download the Trend Micro Diagnostic Toolkit.
2. When the File Download window appears, click Run.

After the download finishes, the Trend Micro Diagnostic Toolkit window appears.

3.  Click the Uninstall tab, then click 1. Uninstall software.






The Toolkit will automatically detect the Trend Micro program that is currently installed.

4.  Click Uninstall






After the program finishes uninstalling, you will then be asked to restart your computer.

5.  Click Yes.







AVG - http://download.avg.com/filedir/util/avgrem/avg_remover_stf_x86_2012_1796.exe

Then post a fresh hijackthis log.


----------



## Lliam

OK John, fresh HJT.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:07:15, on 19/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://dub106.mail.live.com/default.aspx?id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\WI371A~1\Datamngr\BROWSE~1.DLL
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Security Essentials.lnk = C:\Program Files\Microsoft Security Client\msseces.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1315236543279
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1315995271281
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - (no file)
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - (no file)
O18 - Protocol: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

--
End of file - 4855 bytes


----------



## johnb35

Re run hijackthis and place checks next to the following entries.

O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx. dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx. dll
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - (no file)
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - (no file)
O18 - Protocol: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll 

Theb click on fix checked.

Then do an online scan with ESET.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats 
Accept any security warnings from your browser. 
Check Scan archives 
Click Start 
ESET will then download updates, install and then start scanning your system. 
When the scan is done, push list of found threats 
Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply. 
If no threats are found then it won't produce a log.


----------



## Lliam

No log produced from ESET John.


----------



## johnb35

Ok. let me know if you have any more issues.


----------



## Lliam

OK John, thanks a lot for your help.


----------



## Perkomate

you just tell them you don't have a computer, or you're on Dialup. 
Or, you can be sneak, play along with it but don't do what they say, find out some details and tell the coppers. 
The Aussie federal police have a taskforce set up to deal with this stuff, that's who I spoke to.


----------

