Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Security tool infection


  • Please log in to reply
18 replies to this topic

#1 tjdavis

tjdavis

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 07 October 2009 - 07:05 PM

Hi,

My computer recently started slowing down and freezing up lately. I did a couple of antivirus scans but they didn't help. Now when I turned on my computer the background was blank with none of my icons or background pic. Also, a program called security tool has installed itself without my knowledge or permission. It keeps asking me to update it. Whenever I try to access Malware Bytes program, nothing comes up. I would really appreciate it if anyone could help me with this problem. Thanks for your help in advance.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:06 PM

Posted 07 October 2009 - 07:18 PM

Hello and welcome please run these next. If you have Spybot installed temporarily disable it.

For the desktop..
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista users..The command needs to be run from an elevated Command Prompt.
Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.



Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 tjdavis

tjdavis
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 07 October 2009 - 08:56 PM

Does it matter if its a laptop?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:06 PM

Posted 07 October 2009 - 09:32 PM

nope
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 tjdavis

tjdavis
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 07 October 2009 - 10:39 PM

I ran the SCF scannow but I don't think my computer came with an XP disc. The only two discs it came with were recovery discs and whenever I insert one of these it says it is the wrong disc.

#6 nofomg

nofomg

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:06 PM

Posted 08 October 2009 - 08:44 AM

I had this security tool thing too. Here's what i did.

1. Shut your computer down completely then restart

2. As soon as it comes back up to the desktop get the task manager up. (make sure you do it before everything starts loading.)

3. Let the computer load regularly and and everything will come up. (including security tool.)

4. Go to the task manager click the tab "Processes" then look for a process that is just a string of numbers.(It was 70843325.exe for me but maybe its different for everyone) *WRITE THE NUMBER DOWN*

5. Right click the process and tell it to "End Process Tree"

This will shutdown the security tool program down.

6. Then you can go into the C drive and find the security tool folder C:\Documents and Settings\All Users\Application Data (if you can't see the file "Application data" you need to enable hidden files)

*If you cant see hidden files* go to the top of the the window and click tools, go to folder options, click the view tab and under hidden files and folders click show hidden folders

7. Then you will see a folder with the same name *number you saved* as the process you just ended. Inside will be security tool. delete the whole folder.


8. Next go into search and type the *number you saved* and do a scan for all files and folders go into advance and check all system files, hidden files and sub folders. Let it scan. It should find a file, go and delete that as well.

*Now this is not a permanent fix* this will allow you to do some of the other things that much more knowledgeable people than myself on this site have posted.

Once you have done all that i posted then you can log out and go back in and your desktop will be working again and you can start with the other processes that others have posted.

Hope it helps.

Edited by nofomg, 08 October 2009 - 09:09 AM.


#7 nofomg

nofomg

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:06 PM

Posted 08 October 2009 - 09:59 AM

go to this link to finish and make sure all the hidden files and trackers are gone

http://www.bleepingcomputer.com/forums/t/259578/total-security-2009-browser-bug/

#8 tjdavis

tjdavis
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 08 October 2009 - 05:40 PM

I had to cancel the scannow because I didn't have XP disc, now when I try to download Malware it says it can't find the file. Also it won't let me turn on automatic updates, it keeps switching it off. I no longer have pop ups from the security tool but my computer is still very slow and my background is blank. Not sure what the problem. Thanks in advance for your time and help.

Edited by tjdavis, 08 October 2009 - 06:11 PM.


#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:06 PM

Posted 08 October 2009 - 07:43 PM

Let's try running either or both if thety both run.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Drweb-cureit
You should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
[list][*]After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
[*]In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
[*]Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
[*]Please be patient as this scan could take a long time to complete.
[*]When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
[*]Click Select All, then choose Cure > Move incurable.
[*]In the top menu, click file and choose save report list.
[*]Save the DrWeb.csv report to your desktop.
[*]Exit Dr.Web Cureit when done.
[*]Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
[*]After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)[/list
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 tjdavis

tjdavis
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 09 October 2009 - 03:10 PM

I ran Rootrepeal and saved the log, but Security tool has now come back and there no icons visible on my desktop. I tried running Dr.web in safemode but it always brings up an error message when I click start.

Edit: I managed to get the rootrepeal log, but neither Dr. Web or MBAM are working

Log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/08 18:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE841000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C1C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA57E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Tiffany\settings.dat
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\tiffany\local settings\temp\etilqs_olasoge2oiee6ecg1zlz
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\tiffany\local settings\temp\etilqs_uhmrmm2pfjnynnzzvdxh
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x84b4fb70

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x84be3b90

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x84b90210

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x84b90198

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x84b4fe40

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x84bd0ef8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x84b90288

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x84b4fbe8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x84b4fa80

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x84b6c148

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x84b4fcd8

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x84b3e210

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x84b4ff30

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x84b4fd50

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x84bd11e8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x84b4feb8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x84b4fc60

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x84b4ffa8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x84b4fdc8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x84b4faf8

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 828) Address: 0x00780000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 1252) Address: 0x00a20000 Size: 28672

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x847b8900 Size: 1792

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x847b8888 Size: 1912

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x847d37d0 Size: 286

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x847d3758 Size: 406

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x847d36e0 Size: 526

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x847d3668 Size: 646

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x847d35f0 Size: 766

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x847d3578 Size: 886

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x847d3500 Size: 1006

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84818fa8 Size: 89

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x84818f30 Size: 209

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x84818eb8 Size: 329

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x84818e40 Size: 449

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x84818dc8 Size: 569

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84818d50 Size: 689

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84818cd8 Size: 809

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84816fa8 Size: 89

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x84816f30 Size: 209

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x84816eb8 Size: 329

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x84816e40 Size: 449

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x84816dc8 Size: 569

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x84816d50 Size: 689

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x84816cd8 Size: 809

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x847d75d8 Size: 2600

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x847d7560 Size: 2720

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x847d74e8 Size: 2840

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x847d7470 Size: 2960

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x847d73f8 Size: 3080

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x846a2d40

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x83c86b58

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x84b15360

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x84ae7688

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x846a9788

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8469d808

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x83ce0220

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x846887f0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8469ed68

==EOF==

Edited by tjdavis, 09 October 2009 - 03:56 PM.


#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:06 PM

Posted 09 October 2009 - 07:43 PM

Download this Utility and save it to your Desktop.
Double-click the Utility to run it and and let it finish.
When it states Finished! Press any key to exit, press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as part of the reply in the topic you will create below..
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 tjdavis

tjdavis
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 10 October 2009 - 09:13 PM

Hi,

I ended up going back to a restore point and it seemed to get rid of the worst of it. However, there is still something that keeps turning off my windows updates and won't allow me to turn it on. I've tried several times to get rid of it with MBAM with no success. Security tool seems to no longer be a problem, do you still want to download the utility program?

Thank you for your time and advice.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:06 PM

Posted 11 October 2009 - 01:22 PM

Hello, you've probably restored to a different infected state ,that's OK. WNext run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now. e'll c;ear it all up when done.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 tjdavis

tjdavis
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:08:06 PM

Posted 12 October 2009 - 10:39 PM

Here is the log for my SAS scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/12/2009 at 07:08 PM

Application Version : 4.29.1002

Core Rules Database Version : 4161
Trace Rules Database Version: 2085

Scan type : Complete Scan
Total Scan Time : 03:31:41

Memory items scanned : 232
Memory threats detected : 0
Registry items scanned : 6404
Registry threats detected : 0
File items scanned : 69370
File threats detected : 33

Adware.Tracking Cookie
C:\Documents and Settings\Tiffany\Cookies\tiffany@richmedia.yahoo[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@ads.bridgetrack[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@socialmedia[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@ak[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@www.stopzilla[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@at.atwola[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@cgi-bin[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@html[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@ad1.clickhype[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@adinterax[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@advertising[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@tacoda[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@insightexpressai[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@mediatraffic[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@cdn.at.atwola[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@businessfind[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@redirectclicks[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@specificmedia[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@atwola[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@a1.interclick[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@stopzilla[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@interclick[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@media.legacy[1].txt
C:\Documents and Settings\Tiffany\Local Settings\Temp\Cookies\tiffany@advertising[2].txt
C:\Documents and Settings\Tiffany\Local Settings\Temp\Cookies\tiffany@apmebf[1].txt
C:\Documents and Settings\Tiffany\Local Settings\Temp\Cookies\tiffany@at.atwola[1].txt
C:\Documents and Settings\Tiffany\Local Settings\Temp\Cookies\tiffany@atdmt[1].txt
C:\Documents and Settings\Tiffany\Local Settings\Temp\Cookies\tiffany@atwola[1].txt
C:\Documents and Settings\Tiffany\Local Settings\Temp\Cookies\tiffany@cdn.at.atwola[1].txt
C:\Documents and Settings\Tiffany\Local Settings\Temp\Cookies\tiffany@doubleclick[1].txt
C:\Documents and Settings\Tiffany\Local Settings\Temp\Cookies\tiffany@mediaplex[2].txt
C:\Documents and Settings\Tiffany\Local Settings\Temp\Cookies\tiffany@tacoda[1].txt

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\MALESIBA.EXE

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:06 PM

Posted 13 October 2009 - 01:55 PM

Thats' good,,
1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.

How is it running now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users