Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

d.exe, msb.exe, IE popups - Advice requested


  • Please log in to reply
12 replies to this topic

#1 mrslippy

mrslippy

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 17 October 2009 - 11:54 AM

Hey there,
I am running Windows 7, Evaluation build 7100.
Yesterday at some point I guess I contracted a virus of some kind. My Avast! scanner went nuts and tried to delete 5 or 6 worms propagating on my system.
Now I have 2 processes that keep starting and running and using up relatively high CPU, d.exe, and msb.exe. Stopping the processes just brings them back later. If I leave them running, then it leads to fairly frequent Firefox crashes, sluggish system performance, especially when opening pictures in the Picture Viewer, for example, and most importantly, multiple popups in IE originating from 'Harren Media Network'.
Windows defender has subsequently detected Renos.js, and although it 'removes/quarantines' it, I am guessing it pops back up.
My system was as clean as a whistle until yesterday and running smoothly.
I would appreciate any help I can get to eradicate the problem/s.
Thanks in advance:)

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:56 PM

Posted 17 October 2009 - 11:39 PM

Please download Malwarebytes Anti-Malware (v1.41) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 mrslippy

mrslippy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 18 October 2009 - 02:10 AM

Thanks for responding:)
Heres the copy of my log:

Malwarebytes' Anti-Malware 1.41
Database version: 2977
Windows 6.1.7100

18/10/2009 3:09:46 AM
mbam-log-2009-10-18 (03-09-46).txt

Scan type: Quick Scan
Objects scanned: 98963
Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 29

Memory Processes Infected:
C:\Users\mrslippy\AppData\Local\Temp\lsass.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Users\mrslippy\AppData\Local\Temp\services.exe (Password.Stealer) -> Unloaded process successfully.
C:\Users\mrslippy\AppData\Local\Temp\taskmgr.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\msb.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{48444dbe-0486-4a38-b803-413739dc584d} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QuickyPlaeyrSoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\streambuffercomposerecordingobj (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Login Software 2009 (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yjafosi8kdf98winmdkmnkmfnwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\QuickyPlaeyr (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\StreamBufferComposeRecordingObj\StreamBufferComposeRecordingObj.dll (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\biabqjx.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\872934.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\TMP000000A41FCAFF587307B877 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRT708D.tmp (Malware.Tool) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRT8D13.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\Temp\rundll32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mrslippy\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\calc.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\Users\mrslippy\AppData\Local\Temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\Temp\d.exe (Trojan.Downloader) -> Delete on reboot.
C:\Users\mrslippy\AppData\Local\Temp\n1j9dg.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\mrslippy\AppData\Local\Temp\drweb.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\mrslippy\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Not sure if its useful to report, but upon reboot, two dlls were prevented running 'ntuser.dll' and 'calc.dll'. Theres had a habit of setting Avast! off multiple times before, although the option recommended 'move to chest' would not get rid of it, as it would keep popping up the same notification until ignored. The infection there seemed to be the Win32:Trojan-gen. Avast! popped up and 'move to chest' was applied after reboot, this time they havent popped up again, but im not convinced its been completely removed. Also Avast has popped up once since with a different virus, but it seemed to successfully apply the 'move to chest' option. If it crops up again I will include it here.
Thanks in advance:)

Edited by mrslippy, 18 October 2009 - 02:25 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:56 PM

Posted 18 October 2009 - 07:34 AM

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete..
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 mrslippy

mrslippy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 18 October 2009 - 05:36 PM

Phew! You werent kidding when you said it would take a while fpr Dr. Web to scan.
First, here the log file from the full scan of Anti Malware:

Malwarebytes' Anti-Malware 1.41
Database version: 2977
Windows 6.1.7100

18/10/2009 11:35:16 AM
mbam-log-2009-10-18 (11-35-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 394116
Time elapsed: 2 hour(s), 12 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yjafosi8kdf98winmdkmnkmfnwe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Pamela\pamela.for.skype.professional.v4.5.0.96-ismail.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\CheckForUpdates.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\codecsetup4100.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\codecsetup7974.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\svcsv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Roaming\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> Quarantined and deleted successfully.
C:\Users\mrslippy\Desktop\PAMELA.SKYPE.PRO.v4.5.0.96\pamela.for.skype.professional.v4.5.0.96-ismail.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\mrslippy\Documents\My Received Files\AddintoolsWord2007-Keygen.exe (Malware.Packer) -> Quarantined and deleted successfully.
C:\Windows\ServiceProfiles\LocalService\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QOW05YAY\w[1].bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QYLIKK7P\w[1].bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\mrslippy\AppData\Local\Temp\login.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\mrslippy\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

And heres the full scan from Dr. Web
Process in memory: C:\Windows\System32\svchost.exe:668;;BackDoor.Tdss.565;Eradicated.;
freeripmp3_31.exe\data028;C:\Documents and Settings\mrslippy\Downloads\freeripmp3_31.exe;Adware.MyWay;;
freeripmp3_31.exe;C:\Documents and Settings\mrslippy\Downloads;Archive contains infected objects;Moved.;
PictureResizeGeniusEn.exe\data001;C:\Documents and Settings\mrslippy\Downloads\PictureResizeGeniusEn.exe;Win32.Induc;;
PictureResizeGeniusEn.exe;C:\Documents and Settings\mrslippy\Downloads;Archive contains infected objects;Moved.;
PictureResizeGeniusEn.exe.part\data001;C:\Documents and Settings\mrslippy\Downloads\PictureResizeGeniusEn.exe.part;Win32.Induc;;
PictureResizeGeniusEn.exe.part;C:\Documents and Settings\mrslippy\Downloads;Archive contains infected objects;Moved.;
PRG.exe;C:\Program Files\Picture Resize Genius;Win32.Induc;Cured.;

Ive rebooted, and so far, no popups, notifications, warning signs, etc.
What do you think doc? Do I have a clean bill of health? Can I play the violin again? (not that I could before :thumbsup:
If theres anymore advice, then thanks in advance, I really appreciate it, if you think everything is all clear, then thanks a lot, I couldnt have done it without your help:)

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:56 PM

Posted 18 October 2009 - 06:02 PM

Due to the amount of malware we found I recommend one more scan.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you cannot boot into safe mode, then perform your scans in normal mode.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 mrslippy

mrslippy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 18 October 2009 - 07:16 PM

good call!
It found another 2.
Unfortunately, although the 'save log' function is checked, it doesnt seem to have a log in its records upon reboot. No idea why.
Recalling from memory, it found 7 instances of the Win 32/gen trojan, and 160 Ad tracking cookies, that was about it though. I would love to post more, but I can see any log, sorry :thumbsup:
A question though...if my PC was this stacked with stuff, why didnt AVAST! find it? Is there another virus scanner youd recommend, or do I need to scan my PC with all this stuff regularly?
Is there any other steps I need to do?
Thanks again:)

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:56 PM

Posted 18 October 2009 - 09:10 PM

To retrieve the SAS scan log information, launch SAS.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.

NOTE: Some malware infections are difficult to remove completely and may leave so many remnants behind that security tools cannot find them. After a security vendor updates their program version or definition databases, it is not uncommon for subsequent scans to find more malicious files which had previously gone undetected by prior scans.

How is your computer running now? Are there any more reports/signs of infection (i.e. unwanted pop-ups, bogus security alerts, error messages when you try to run applications, browser redirection)?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 mrslippy

mrslippy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 18 October 2009 - 09:17 PM

Thanks for the response, yeah, I followed the scan log directions from before, my log file list is empty even though I did a full scan, and the 'save log file' option is selected. (could this be a windows 7 issue?)
No bugs, popups, etc so far. I stress so far as its only been a while, but yeah, so far so good:)
I guess the game keeps changing, and so does the software used to fight these things. Thats why you guys will never be out of work :thumbsup:
Anyway, nothing suspicious has appeared as of late, certainly not compared to my computer falling apart a few days ago:)
You guys will be the first to know if anything does however.
Thanks again!

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:56 PM

Posted 19 October 2009 - 06:26 AM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Posted Image > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 SDC0603

SDC0603

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 19 October 2009 - 06:54 AM

Hi Quietman7,

You mention "multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus".

Would these multiple programs not conflict with one-another? For example windows security centre stating that you have more than one product installed, and only letting you you use one at a time? e.g. I have McAfee security suite and spyware doctor and they conflict with each other. i.e. both have AV and both have spyware.

Can you suggest the best spyware/malware tool (freeware) to permanently run along side McAfee security suite (i.e, for prevention/blocking not just detecting/removal), and would you recommend disabling the spyware/malware portion of Mcafee to let a specialist programe do the job in this area?

Also which tool IYO is best for prevention/blocking spyware/malware and which is best for detection/removal??

Thanks......

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:56 PM

Posted 19 October 2009 - 07:06 AM

Choosing a security toolkit with anti-virus, firewall and anti-malware programs is a matter of personal preference, your technical ability and experience, features offered, the amount of resources utilized, how it may affect system performance and what will work best for your system. A particular combination that works well for one person may not work as well for another. There is no universal "one size fits all" solution that works for everyone. You may need to experiment and find what is most suitable for your needs. Another factor to consider is whether you want to use paid for products or free alternatives.

As a general rule, using more than one anti-spyware program like Malwarebytes' Anti-Malware, SuperAntispyware, Spybot S&D, Ad-Aware, etc will not conflict with each other or your anti-virus if using them as stand-alone scanners. In fact, doing so increases your protection coverage without causing the same kind of conflicts or affecting the stability of your system that can occur when using more than one anti-virus. The overlap of protection from using different signature databases will aid in detection and removal of more threats when scanning your system for malware. However, if using any of their real-time resident shields (TeaTimer, Ad-Watch, MBAM Protection Module, Spyware Terminator Shields, etc) together at the same time, there can be conflicts when each application tries to compete for resources and exclusive rights to perform an action. Additionally, competing tools may even provide redundant alerts which can be annoying and/or confusing. Keep in mind that you can overkill a system with resource heavy security programs that will slow down performance.

I recommend taking advantage of the Malwarebytes Anti-Malware Protection Module which uses advanced heuristic scanning technology to monitor your system and provide real-time protection to prevent the installation of most new malware. This technology monitors every process and stops malicious processes before they can infect your computer. Enabling the Protection Module feature requires reqistration and purchase of a license key that includes free lifetime upgrades and support. After activation, Malwarebytes can be set to update itself and schedule scans automatically on a daily basis. The Protection Module is not intrusive as it utilizes few system resources and should not conflict with other scanners or anti-virus programs.

Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware. For more specific information on how these types of rogue programs and infections install themselves, read:Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

Other related reading sources:• Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#13 AceFire

AceFire

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:56 PM

Posted 03 April 2010 - 09:54 AM

so that all works and solve the problem, yeah?? I got them a few hours a go, did a full system scan with my avg scanner and it was looking good for a time.. but they are back.. so just wanting to know if it all works fine and wont add anything else to my system..

if it is safe, then I will undergo the process later on in the week when ive got a few days free

EDIT: my computer is a dell laptop that is running Vista on it. I did a full scan with my avg scanner and got rid of a few things and am now doing a full scan with windows defender.

I am intending to go through most of the articles that you have linked, quietman7, later on in the week when I have much more time on my hands.. thanks in advance guys

Edited by AceFire, 03 April 2010 - 10:29 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users