
SuperAntiSpyware Free ed. finds but can't remove


3 replies to this topic

#1 lukelanta


  • Members
  • 6 posts

Posted 25 March 2009 - 02:54 PM

I have run Mbex, ATFCleaner, and SuperAntiSpyware on this machine repeatedly, but can't get rid of 11 threats that SAS finds.

Mbex and Symantec each found and reported deleting an AV360 trojan, which was the first incident I tried to clean.

Log files from scans below. Any help appreciated.

http://www.superantispyware.com

Generated 03/25/2009 at 03:27 PM

Application Version : 4.25.1014

Core Rules Database Version : 3784
Trace Rules Database Version: 1768

Scan type : Quick Scan
Total Scan Time : 00:08:28

Memory items scanned : 395
Memory threats detected : 0
Registry items scanned : 411
Registry threats detected : 11
File items scanned : 6729
File threats detected : 0

SAS log:
Adware.HBHelper
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32#ThreadingModel
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version
___________________________________________________________________________
Mbex log:
Malwarebytes' Anti-Malware 1.34
Database version: 1896
Windows 5.1.2600 Service Pack 3

3/25/2009 2:13:12 PM
mbam-log-2009-03-25 (14-13-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 127100
Time elapsed: 25 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP60\A0019469.exe (Rogue.AV360) -> Quarantined and deleted successfully.

_________________________________________________________________________
Symantec files:

Files Infected:
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP60\A0019469.exe (Rogue.AV360) -> Quarantined and deleted successfully.

Symantec Quarantine log entry:
3/25/2009 1:35:28 PM A0019469.exe Trojan Horse C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP60\

Symantec reported I successfully deleted this file from quarantine.


#2 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 March 2009 - 04:16 PM

Did you run Malwarebytes after the SAS scan? Because then it would appear that only 3 are left... in System Restore?

#3 lukelanta

  • Topic Starter

  • Members
  • 6 posts

Posted 26 March 2009 - 12:29 PM

Here is an update on my attempts to remove Adware.HBhelper and Browser Hijacker.Deskbar.

I did rerun Mbex again, but I couldn't recall if it was immediately after a scan by SAS. So, I tried turning off System Restore and booting into Safe Mode. I also disconnected the network cable to prevent unseen reconnections. I then reran SAS, which again reported the same 11 instances (9 registry entries and 2 infected files). I told it to clean them and it asked for a reboot, which I did.

When the machine came back up I let it boot normally and reran Mbex again. It reported nothing found. I also used Microsoft's free scanner at their OnePoint site. It reported there were 254 registry entries it wanted to delete, but it only deleted 253 registry settings with 1 error.

I turned System Restore back on and created a new Restore Point, then reran Mbex, which reported nothing found. So, I reran SAS in full scan mode. It reported finding 12 infections.

That was yesterday. I downloaded new definitions for both Malwarebytes and SuperAntiSpyware (SAS) this morning, then disconnected the network cable. I ran Mbex first and it found nothing. I ran SAS and it reported finding 5 registry entries for Adware.HBhelper and another 4 for Browser Hijacker.Deskbar, plus two cookies. I told it to delete/remove and it asked for a reboot, which I did.

Not confident at this point that it had succeeded in removing them, I was searching this site for additional clues and found instructions for running SAS that mentioned two steps I had not previously taken.

The first was to go into preferences and uncheck loading SAS at startup, and the other was to check the box to terminate memory-resident programs before removing registry entries/files.

I booted into Safe Mode again and reran SAS, and it reported finding 10 items (the 2 cookies were gone). This scan took over an hour and a half to run, I guess because it was running in Safe Mode. When I checked the log file, here is what it says:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/26/2009 at 01:15 PM

Application Version : 4.25.1014

Core Rules Database Version : 3815
Trace Rules Database Version: 1769

Scan type : Complete Scan
Total Scan Time : 01:34:39

Memory items scanned : 216
Memory threats detected : 0
Registry items scanned : 5322
Registry threats detected : 10
File items scanned : 14302
File threats detected : 0

Adware.HBHelper
HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib

I'm about to give up and reformat. Any other suggestions?
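
One way to see which of these detections actually survive a clean-and-reboot cycle is to diff the detection sections of two SAS logs. The following is an added example (not code from the thread or from SUPERAntiSpyware): a small Python parser for the heading-then-items layout of the logs quoted above, run over the Adware.HBHelper entries from the 25 and 26 March scans. The hive prefixes it accepts are my assumption; it also folds HKLM\Software\Classes paths onto HKCR, since HKCR is a merged view of HKLM and HKCU Software\Classes, so the extra HKLM line in the second log is the same key reported twice rather than a new detection.

```python
import re
# Adware.HBHelper entries quoted from the SAS logs of 25 and 26 March 2009 above; one header line kept in the second.
SCAN_MARCH_25 = r"""
Adware.HBHelper
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32#ThreadingModel
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID
"""
SCAN_MARCH_26 = r"""
Core Rules Database Version : 3815

Adware.HBHelper
HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID
"""
# An item is a registry key or value (SAS marks a value with '#') or a file path; hive list is an assumption.
ITEM_RE = re.compile(r"^(?:HK(?:CR|LM|CU|U|CC)|HKEY_\w+)\\|^[A-Za-z]:\\")
CLASSES_RE = re.compile(r"^(?:HKLM|HKCU)\\Software\\Classes\\", re.IGNORECASE)

def normalize(item):
    """Fold HKLM/HKCU Software\\Classes paths onto HKCR, the merged view of both: same key, not a new find."""
    return CLASSES_RE.sub(lambda m: "HKCR\\", item)

def parse_detections(log_text):
    """Map each threat heading to its items; lines nothing is listed under (log headers) are dropped."""
    findings, current = {}, None
    for line in map(str.strip, log_text.splitlines()):
        if not line:
            current = None
        elif not ITEM_RE.match(line):
            current = line
            findings.setdefault(current, set())
        elif current is not None:
            findings[current].add(normalize(line))
    return {name: items for name, items in findings.items() if items}

def compare(before, after):
    """Per threat: items seen in both scans, items gone, and items only in the later scan."""
    report = {}
    for threat in sorted(set(before) | set(after)):
        a, b = before.get(threat, set()), after.get(threat, set())
        report[threat] = {"persisted": sorted(a & b), "removed": sorted(a - b), "new": sorted(b - a)}
    return report
```

For these two logs only the ThreadingModel value drops out and the five CLSID keys persist, which is exactly the kind of evidence worth carrying into the HJT/DDS log the moderator asks for.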

#4 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 26 March 2009 - 04:07 PM

Hi, obviously something is protecting or hiding it from these tools. Reformatting always fixes what ails ya. If you want to wait several more days and have the HJT team finally clean this, then go here. I just wanted to tell you that they are backlogged and it will be a few days.

We need to run HJT/DDS.
Please follow this guide: go and do steps 6 and 7, Preparation Guide For Use Before Using HijackThis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.



