Problems with SuperAntiSpyware - HELP

Lurch
Advanced Member
Posts: 828
Joined: Sat Apr 22, 2006 7:50 am
Location: TN

Post by Lurch »

Hi,

Last night I took MNOSTEELE's advice and installed SuperAntiSpyware and MS Windows Defender, and ran SAS, and it found 140 issues - about 130 tracking cookies and a few Rootkits, and quarantined and removed them. I thought that was good at first, until this morning when my PC began acting strange and it still isn't the same. It's telling me I can't uninstall Online Armor and "Could not uninstall" because a .dat file is missing and "access is denied".

For a while it wouldn't even reboot and was unresponsive. It was scary as I have customers buying things from me and I'm obligated to ship things to them. I had to shut it off manually. Then it asked me to insert my Dell Resource CD, which I did. Then it installed some files, then things got a little better.

What's up with this?

Please tell me how to fix this. I was going to uninstall this and use PC Tools free firewall.
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

It sounds like your PC is infected with quite a few things; this is what I have suspected all along. Rootkits are the worst. I have seen where your PC seems to be running fine, and when you start scanning and removing infections you didn't even know you had, things go haywire like this. If you are buying and selling things online, it is imperative to have a clean PC; a trojan or rootkit can steal any information from your PC and is very dangerous. I know you installed the program I suggested, but setting them up properly is also half the battle. First follow the Malware Removal Guide in my signature and then post a HijackThis log here for us to look at. We can get you straight, but it may take a bit of time.

:) :cool:

Post by Lurch »

OK - I'll do that, and thanks again.

One thing that's strange is that when I tried to install PC Tools free firewall, it said I had Comodo Pro Firewall installed and it must be removed prior to installation, but I haven't used Comodo in a long time. I removed the only Comodo file I could find on my PC.

When I click on PC Tools firewall from the Program menu (no icon showing in the "running" icons), nothing happens.

So, I looked in Windows Security to see what firewall was running, and it says Comodo Pro Firewall is running. Funny thing is I haven't used that in a while if I remember right. There is nothing in add/remove programs that says Comodo.

Now I'll do what you wanted me to and will reply to that as soon as I eat breakfast.

Thank you.

Joe

Post by Lurch »

Hi :)

Here's the log file of the newest HijackThis scan I ran:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:25 AM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

--
End of file - 4435 bytes

Post by mnosteele52 »

Programs will leave junk behind all the time, look HERE on how to get rid of the left over Comodo junk.

Your log is clean.

:)

Post by Lurch »

Hi,

I did the best I could with trying to remove the leftover Comodo junk, but Comodo Firewall Pro still shows as the firewall in Windows Security Center.

I found registry values for cmd that would not delete - ones that had LEGACY in front of them. I also tried removing them in safe mode, no luck.

I did something with CMD prompt but that didn't seem to work either, after it asked me to remove a folder called Repository - a file in that would not delete because it was in use.

Other than that I guess my PC is running OK, but still shows that I have Comodo firewall. I was using Windows Firewall for a few months.

Now what should I do? Any advice?

Thank you.

Post by mnosteele52 »

Try using Autoruns to see if you see any Comodo or Kaspersky drivers or files listed and delete them. Also use the 30 day trials of jv16 Powertools 2008 to clean out your registry and TuneUp Utilities 2009 to clean the rest of things up, then see how things are running.

:D :cool:

Post by Lurch »

I'll do that and thanks again for more links!

I've got it better than it was. I got more CMD reg entries deleted - the ones that wouldn't delete before did after I right clicked them, then selected "permissions" and checked "allow all users full access", then clicked apply and then OK. Then I rebooted and I can no longer see Comodo in the Internet Security section. I also uninstalled PC Tools firewall to reinstall it because it didn't work. Got that properly installed too and running right. So, I'm getting there. When I installed PC Tools Firewall, it did say "Comodo" is installed and asked me to uninstall it, but at least this time it installed right.

It's been a while since I rebuilt my HD. I may do that in the near future after saving some stuff. If/when I do, I will definitely save the new programs I learned of here and will use them after the rebuild.

I don't think Comodo will show up after I rebuild my HD. I don't think I'd ever install another Comodo anything, after this experience. :nope: :)
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

Your PC seems to have been hard based on this month's past threads.

Do you have access to another computer....so that you can take this computer's hard drive, "slave it" to the other computer..and scan it?

Scanning from outside of the Windows install on a hard drive is often more effective.

For a 3rd party software firewall..Comodo is good.

Post by Lurch »

YeOldeStonecat wrote:
Your PC seems to have been hard based on this month's past threads.

Do you have access to another computer....so that you can take this computer's hard drive, "slave it" to the other computer..and scan it?

Scanning from outside of the Windows install on a hard drive is often more effective.

For a 3rd party software firewall..Comodo is good.

Hi - I don't have access to another PC but I have a slave drive on my PC. Would that be of any help? I have lots of unused space on both drives. One is 40 GB. The slave is 160 GB with 95% free space.