Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Professionally cleaned but still generic16/vundo/pakes/patched.CH


  • This topic is locked This topic is locked
18 replies to this topic

#1 mtry

mtry

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 20 March 2010 - 04:46 PM

Hi,

We sent our PC off to the shop after getting infected with security/guardian essential fake type virus. It wouldn't even boot in safe mode!

Anyway we got it back after a week, turned it on, google redirecting from the minute we opened firefox.
AVG and malware bytes doen't see it in a scan it but it's residential shield does record the history of it.
The generic 16 and vundo appear in a file System Volume Information/_restore/ blah blah
Could they have infected us again restoring it? They said perhaps our router infected us again, but it was only 2 weeks old at the time. Can't afford to pay to have it sorted again.
They did leave behind a Hiren's Boot CD in our drive. Obviously they are tools I have no idea how to use so thought I'd ask first!

We are pretty good at not going anywhere dodgy, keeping up to date, not downloading...however we are still trying to let our 7 year old understand not to click on popups!

tia

Edited by mtry, 20 March 2010 - 04:47 PM.


BC AdBot (Login to Remove)

 


#2 mtry

mtry
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 24 March 2010 - 06:35 AM

Anybody? Should I post some logs or something to get a reply?

#3 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:10:02 AM

Posted 24 March 2010 - 07:44 AM

Let's start here:

Scan for Spyware/Adware

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#4 mtry

mtry
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 24 March 2010 - 08:46 AM

Thank you but I do that everyday. MBAM never finds anything wrong! Clean as a whistle. Only evidence I have of infection is the residential shield history (would it be useful to post that, it's huge?). Do an actual AVG scan and again nothing comes up.
But it's google redirecting constantly, residential shield pop ups every hour and some windows issues e.g. I can't install Microsoft .NET Framework, there's a missing dll

Malwarebytes' Anti-Malware 1.44
Database version: 3826
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/03/2010 13:33:32
mbam-log-2010-03-24 (13-33-32).txt

Scan type: Quick Scan
Objects scanned: 174264
Time elapsed: 16 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



One odd thing I noticed was that AVG says ""Virus identified Win32/Patched.CH" "C:\WINDOWS\system32\drivers\atapi.sys" "Object is white-listed (critical/system file that should not be removed)"

I uploaded this file to a site http://virusscan.jotti.org and it said it was clean.

Edited by mtry, 24 March 2010 - 08:56 AM.


#5 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:10:02 AM

Posted 24 March 2010 - 09:04 AM

Just to be sure, I would like you to submit this file for analysis via VirusTotal.
After clicking the link you will click on the Browse Button and browse to: C:\WINDOWS\system32\drivers.
Click on the file named: atapi.sys
Click "Open" and you will then click on Send file. Let me know the results of the VirusTotal Scan.

I'd also like you to run SuperAntiSpyware.

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
  • First
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Please post the log from VirusTotal and SAS.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#6 mtry

mtry
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 24 March 2010 - 09:24 AM

Thanks so much for helping... Virustotal found something -

eSafe 7.0.17.0 2010.03.24 Win32.Rootkit

http://www.virustotal.com/analisis/b4df1d2...70b9-1269440401

I'll get going on the SAS then or is this the answer and I need to deal with this?

#7 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:10:02 AM

Posted 24 March 2010 - 09:41 AM

Let's run SAS and see what it has to say.

I'm thinking the e-safe "may" me a false positive but let's be sure.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#8 mtry

mtry
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 25 March 2010 - 07:53 AM

Right I'm back...took 19 hours to run that scan!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/25/2010 at 12:36 PM

Application Version : 4.34.1000

Core Rules Database Version : 4724
Trace Rules Database Version: 2536

Scan type : Complete Scan
Total Scan Time : 18:59:35

Memory items scanned : 225
Memory threats detected : 0
Registry items scanned : 4579
Registry threats detected : 0
File items scanned : 498629
File threats detected : 54

Adware.Tracking Cookie
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@bizzclick[1].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@bs.serving-sys[1].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@www.windowsmedia[2].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@lego.112.2o7[1].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@louisvuitton.solution.weborama[2].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@weborama[1].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@serving-sys[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@247realmedia[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@ad.yieldmanager[3].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@ad.yieldmanager[4].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@adecn[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@ads.bcserving[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@ads.pointroll[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@advertising[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@apmebf[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@atdmt[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@bs.serving-sys[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@click.fastpartner[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@clickpayz1.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@clickpayz1.91469.blueseek[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@clickpayz10.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@clickpayz3.91469.blueseek[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@clickthrough.kanoodle[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@content.yieldmanager[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@content.yieldmanager[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@content.yieldmanager[3].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@content.yieldmanager[4].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@doubleclick[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@doubleclick[3].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@doubleclick[4].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@invitemedia[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@invitemedia[4].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@media6degrees[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@mediaplex[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@mediaplex[3].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@overture[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@pointroll[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@revsci[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@serving-sys[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@smartadserver[1].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@smartadserver[2].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@smartadserver[3].txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\system@yieldmanager[1].txt

Trojan.Agent/Gen-FakeAlert
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\FE.TMP


I let it do the quarantine and removal stuff...still getting google redirection though.

#9 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:10:02 AM

Posted 25 March 2010 - 09:01 AM

We're going to Reset All Internet Explorer Defaults. Open Internet Explorer and click on Tools, then Internet Options. Once there you want to click on the Advanced Tab.

Closer to the bottom of the page, click the Reset button.

Posted Image


Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start.(the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn\ them back on after you are finished

Please post the ESET log when complete.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#10 mtry

mtry
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 26 March 2010 - 03:16 AM

Well it wouldn't work in IE at all (first time I've used IE on this computer) and active x was enabled. So I used the downloadable version. It hung on the first go so gave it 2 goes.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=47d7fe29122f54428c39a2949ede5d09
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-03-25 05:42:44
# local_time=2010-03-25 05:42:44 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 19876219 19876219 0 0
# compatibility_mode=1024 16777175 100 0 2620987 2620987 0 0
# compatibility_mode=5889 16764286 0 100 46052565 110298270 0 0
# compatibility_mode=8192 67108863 100 0 203 203 0 0
# scanned=42092
# found=2
# cleaned=2
# scan_time=4661
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentieu.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 84D32DF25B197060583FB9AFA10D5EAC C
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\9bl0v5lr.default\Mail\Local Folders\Sent HTML/Phishing.gen trojan (contained infected files) 1433678F14D201A54E3DABE7EA45AF22 C
ESETSmartInstaller@High as downloader log:
all ok

ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=47d7fe29122f54428c39a2949ede5d09
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-26 12:27:41
# local_time=2010-03-26 12:27:41 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=2057
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 19891215 19891215 0 0
# compatibility_mode=1024 16777191 100 0 2635983 2635983 0 0
# compatibility_mode=5889 16764286 0 100 46067561 110313266 0 0
# compatibility_mode=8192 67108863 100 0 18799 18799 0 0
# scanned=391793
# found=7
# cleaned=7
# scan_time=13962
C:\AUTOEXEC.BAT Win32/Delf.PBU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Desktop\Jon\MyPhoneExplorer_Setup_1.7.3.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Local Settings\Temp\109.tmp a variant of Win32/Kryptik.CLT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Local Settings\Temp\119.tmp a variant of Win32/Kryptik.CQE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Local Settings\Temp\11F.tmp a variant of Win32/Kryptik.CQE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner.USER-173C2FDF26\Application Data\Thunderbird\Profiles\zp7itbc9.default\Mail\Local Folders\Inbox Win32/TrojanDownloader.Bredolab.AA trojan (contained infected files) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner.USER-173C2FDF26\Application Data\Thunderbird\Profiles\zp7itbc9.default\Mail\Local Folders\Trash Win32/TrojanDownloader.Bredolab.AA trojan (contained infected files) 00000000000000000000000000000000 C

#11 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:10:02 AM

Posted 26 March 2010 - 06:50 AM

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

* Save any unsaved work. TFC will close ALL open programs including your browser!
* Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
* Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
* TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
* Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.



Once you have rebooted please re-run SAS ( after updating it of course ) and post a fresh log.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#12 mtry

mtry
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 26 March 2010 - 02:41 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/26/2010 at 07:06 PM

Application Version : 4.34.1000

Core Rules Database Version : 4724
Trace Rules Database Version: 2536

Scan type : Complete Scan
Total Scan Time : 04:24:33

Memory items scanned : 428
Memory threats detected : 0
Registry items scanned : 4567
Registry threats detected : 0
File items scanned : 300387
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@ehg-eset.hitbox[1].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@ads.sun[1].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner.USER-173C2FDF26\Cookies\owner@hitbox[2].txt


I did however forget to plug in the external hard drive so not as many files were scanned. But that just has photographs on it.
Still google redirecting though.

#13 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:10:02 AM

Posted 29 March 2010 - 06:31 AM

Could you please let me know how your computer is running now?
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#14 mtry

mtry
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 29 March 2010 - 07:18 AM

Same as before! Still google redirecting.

#15 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:10:02 AM

Posted 29 March 2010 - 07:21 AM

At this point, I think this one is best left to the experts, so I'm going to refer you to the Virus, Trojan, Spyware, and Malware Removal Logs Forum.

Please read the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help in cleaning your computer. Once complete, post a link back to this forum so the HJT team knows what we have tried.

Please be patient as the HJT team is quite busy sometimes and it may take a day or even a few for someone to pickup your log but someone will get back to you.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users