Author Topic: Win32: Goldun-BZ trojan +Win32: Adware-gen

wyrmrider

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #15 on: August 24, 2008, 08:16:39 PM »
well you had to follow the pestpatrol link

iinstall.exe
crack.exe
data
iinstall.exe
crack.exe

notice that two of the files are found in different locations- the question is where
do a "search" or "find" for these using your os START>FIND (or whatever)

you can then upload to virus total - my use of "search" was inappropriate
virus total will eventually report to Avast to help improve detections

notice how EWIDO shows- you might try the EWIDO online scan
or the Bit-Defender one - Bit Defender will remove
*but watch for False Positives with their advanced heuristics :)

I do not know if the IST or possibly 1ST is in the registry- try a search
verify the paths if you find it as these bastards frequently use the same name in a different location as a trap for the overanxious and imprudent

F-Secure also has an on-line scan I think

take your time and track down all the leads - no rush now

anything in that C:/data file?  just nuke it

nunchuck

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #16 on: August 25, 2008, 07:13:26 AM »
Yeah, I searched for them before and nothing turned up aside from the file called "data". Are iinstall.exe and crack.exe MEANT to exist? When I did my search I selected "search on all files and folders" and filled in the names in both criteria boxes "all or part of the file name" and "a word or phrase in the file" and searched in "My Computer". Hopefully I did things correctly.

When I searched the registry several times for "IST" I am presented with something different every single time.

Also, I am not sure what is in the C:/data file
Here is a screen shot of the file in question:


Quote
search for this and delete if found- be sure to enable show hidden files etc
TROJ_ISTBAR.DU (didn't find it and show hidden files is available)

AND/ OR
run SDFIX
http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t131299.html
read ALL of the instructions TWICE and print them out
this is a powerful tool so do NOT be impulsive

read the stickie at the top of this forum and post a Hijack this
and any logs
As DavidR hinted - we gotta know exactly what we are dealing with

I have yet to do what is bolded, so y'know.  There's quite a bit right now and I feel like a chicken with its head cut off. :(

nunchuck

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #17 on: August 25, 2008, 07:19:23 AM »
I chose to scan with Ewido. Haven't scanned with F-Secure or Bit-Defender yet because I assume that this will be sufficient enough in providing information.

wyrmrider

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #18 on: August 25, 2008, 06:16:46 PM »
stay at it
the anti Trojans/malware scanners target different (overlapping) sets than the AVs
so you need to do some of each
I like to alternate- sorta like peeling an onion

we hope those files are gone since they were baddies no problem if they are missing - good riddance
besides these baddies change file names so we gotta double check everything

SO EWIDO and Bit Defender are two good choices- one of each type
then post up the HJT  we'll save the big gun till later

i do not remember and gotta go for awhile- did you do this?

search for this and delete if found- be sure to enable show hidden files etc
TROJ_ISTBAR.DU

nunchuck

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #19 on: August 26, 2008, 06:20:04 AM »
Quote
i do not remember and gotta go for awhile- did you do this?

search for this and delete if found- be sure to enable show hidden files etc
TROJ_ISTBAR.DU
Yeah, I searched for it but didn't find it.

So, I am currently rescanning with Ewido because last night I fell asleep and didn't get rid of what I found and once I came back my computer restarted  :P Interesting, after doing it again it's found a few different tracking cookies than the last scan. Anyway.  After it's finished (which it is close to) I'll scan with Bit Defender and then the HJT.
« Last Edit: August 26, 2008, 06:49:17 AM by nunchuck »

nunchuck

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #20 on: August 26, 2008, 09:52:31 AM »
Scanned with Ewido and got rid of what is listed in the attached report. Then scanned with Bit Defender and it didn't find anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:36 AM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [LogitechSetup] E:\Setup\Setup.exe /restart /l:enu
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Lorna\Application Data\Mozilla\Firefox\Profiles\li5lgnoc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Lorna\Application Data\Mozilla\Firefox\Profiles/li5lgnoc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Online Accelerated&userName=irulenifleheim&firstName=Lorna&qs=NAIMPNDNPMOHKBHBGMINDLONHHPJEDLMMFGFLBABAMPICPFDKAHJNCCPHAICOCJDMPMOHGPKEDNJPCEEJKGOOKAMKELPKDBBEMBLPAIEDCLLIDELEMJHNLCHNODCJLDF|FCEKNKBDDGNMCNOPADEEAAG
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114375882703
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe (file missing)
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

--
End of file - 8989 bytes

Some of the things listed there are interesting like Photoshop, MSN Messenger, Norton Internet Security, AIM Toolbar, PeoplePC Online ( :-\ ) and Bit Torrent. All of which I got rid of a long time ago and do not want. I know it's unrelated but  :P

wyrmrider

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #21 on: August 26, 2008, 06:50:52 PM »
that bit-defender did NOT find anything is really good news
I could not read your first EWIDO log
did it find anything besides cookies?
did it safely quarantine or deal with anything it did find?
was there anything that it found it could not deal with?

Perhaps Polonus can look at your HJT

I'll be out for a couple of hours

those files were baddies and if they are gone - something got them - good
do you have the paths to any IST files left- if any

Follow these directions to download the Norton Removal Tool and run it to remove the above programs.

   1. Click on the following link to download the Norton removal tool

      ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

   2. Click Save and save the file to your desktop
   3. Close all  Norton Application windows you may have open, and double-click on Norton_Removal_Tool.exe to start the removal tool. Windows Vista users will have to right-click on the file and select "Run as Administrator"
   4. After the removal tool finishes, you should be prompted to restart your computer.
   5. Once the computer restarts, your Norton product should be uninstalled.

Extra Optional Steps

   1. Open My Computer, double-click on Drive C
   2. Double-click on Program Files
   3. Look for any Norton or Symantec product folders that remain. Right-click on them and choose Delete. Also look in the Program Files\Common Files for the Symantec Shared folder and delete it
   4. Close My Computer and other folders

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #22 on: August 26, 2008, 09:12:56 PM »
Hi nunchuck,

Your hjt analysis showed the following:
A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest version of the service pack.
   We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.

You could fix the following items:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Lorna\Application Data\Mozilla\Firefox\Profiles\li5lgnoc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT
/SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Lorna\Application
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
If the following is not there because of your provider, fix it as well:
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Online Accelerated&userName=irulenifleheim&firstName=Lorna&qs=NAIMPNDNPMOHKBHBGMINDLONHHPJEDLMMFGFLBABAMPICPFDKAHJNCCPHAICOCJDMPMOHGPKEDNJPCEEJKGOOKAMKELPKDBBEMBLPAIEDCLLIDELEMJHNLCHNODCJLDF|FCEKNKBDDGNMCNOPADEEAAG

And check if you are familiar with these entries, if not fix:
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab

Now after you have seen into that, I'd like you to download silent runners from here:
http://silentrunners.org/Silent%20Runners.vbs
Let it fully run out on your computer, and post the results.txt as an attachment to your next posting

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
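As an added example (not code from the thread, HijackThis or hijackthis.de), here is a small Python parser that applies the same triage polonus did by hand on the log above: entries HJT marks "(no file)" or "(file missing)" are dead registry residue and safe to fix, and O16 ActiveX downloads from hosts outside a constructed list of familiar vendors are flagged for review. The sample log lines are copied from the log posted in this thread; the FAMILIAR_DPF_HOSTS list is an assumption made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample in HijackThis v2 log format; these entries are taken from the log
# posted in this thread, so the verdicts mirror polonus's "fix" / "check if
# you are familiar" calls.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechSetup] E:\Setup\Setup.exe /restart /l:enu
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
"""

# An HJT entry is "Rn - ..." or "On - ..."; everything else (process list,
# header, footer) is ignored.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# HJT prints these when the registry still references an object whose file is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Assumed allow-list for O16 (ActiveX "Downloaded Program Files") hosts that the
# thread's log shows as recognisable vendors. Anything else is flagged for
# review, which is the "check if you are familiar with these entries" step.
FAMILIAR_DPF_HOSTS = ("microsoft.com", "ewido.net", "bitdefender.com",
                      "macromedia.com", "msn.com", "gateway.com")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split an HJT log into entries with their section tag and body."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"),
                            "body": m.group("body"), "raw": line.strip()})
    return entries


def host_of(body: str) -> Optional[str]:
    """Hostname of the first http(s) URL in an entry, or None if there is none."""
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else None


def is_familiar(host: str) -> bool:
    """Exact or subdomain match against the allow-list (no substring matches)."""
    return any(host == d or host.endswith("." + d) for d in FAMILIAR_DPF_HOSTS)


def triage(entry: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason): 'fix' for dead entries, 'review' for unknown
    download sources, 'ok' otherwise ('ok' still means: confirm you installed it)."""
    body = entry["body"]
    if any(mk in body for mk in ORPHAN_MARKERS):
        return "fix", "registry points at a file that no longer exists"
    if entry["section"] == "O16":
        host = host_of(body)
        if host is None or not is_familiar(host):
            return "review", f"ActiveX control fetched from unfamiliar host {host!r}"
        return "ok", f"ActiveX control from known vendor host {host}"
    return "ok", "no orphan marker; confirm the path belongs to software you installed"


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Triage every entry of a log: list of (raw line, verdict, reason)."""
    return [(e["raw"],) + triage(e) for e in parse_hjt(text)]


if __name__ == "__main__":
    for raw, verdict, reason in triage_log(SAMPLE_HJT_LOG):
        print(f"[{verdict:6}] {reason}\n         {raw}")
```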

nunchuck

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #23 on: August 27, 2008, 12:39:02 AM »
Quote from: wyrmrider
that bit-defender did NOT find anything is really good news
I could not read your first EWIDO log
did it find anything besides cookies?
did it safely quarantine or deal with anything it did find?
was there anything that it found it could not deal with
There were two others aside from the cookies:
Name: Adware.WhyPPC
Path: HKU\S-1-5-21-1123561945-1275210071-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A8FB8EB3-183B-4598-924D-86F0E5E37085}
Risk: Medium

Name: Downloader.IstBar.ja
Path: C:\data
Risk: High

I did a quick scan on my computer with MWB and SAS. The former found my system to be clean, whereas the latter still picked up the cookies. I just had them quarantined and removed just now.

Quote from: polonus

Your hjt analysis showed the following:
A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest version of the service pack.
   We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.

And check if you are familiar with these entries, if not fix:
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
I have the windows firewall. Anyway, I will get to installing the service pack now. Does that mean I can get rid of the older updates for SP2?

Also, I am familiar with those items but they have no need to be on my computer anymore thus I had them taken care of.

wyrmrider

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #24 on: August 27, 2008, 01:04:34 AM »
let's ask polonus about
Downloader.IstBar.ja
when he looks at your startup log
this is not a new baddie so I am surprised that most do not detect
perhaps it was packed with something that only BD unpacks
A-Squared anti trojan detected years ago
I would think that BD nuked it if asked

here is a write up on the people pal toolbar that I hope BD nuked
I did a google on
A8FB8EB3-183B-4598-924D-86F0E5E37085
www.castlecops.com/tk1272-PPCToolbar_dll_PPCToolbar_dll_digit.html
castle cops is a very reputable site

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #25 on: August 27, 2008, 01:21:04 AM »
Hi nunchuck and wyrmrider,

The info on this new baddie: http://spyware.processlibrary.com/details/SpyName/Trojan-Downloader.IstBar.ja/
Also you can distill the manual removal instructions from the aforementioned link, make sure you print the removal instructions out, so you can meticulously tackle these one by one,
SAS came with a complete new program just a minute ago, download it and scan
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

polonus

nunchuck

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #26 on: August 27, 2008, 02:57:07 AM »
Quote from: wyrmrider
The info on this new baddie: http://spyware.processlibrary.com/details/SpyName/Trojan-Downloader.IstBar.ja/
Also you can distill the manual removal instructions from the aforementioned link, make sure you print the removal instructions out, so you can meticulously tackle these one by one,
SAS came with a complete new program just a minute ago, download it and scan
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

I just scanned and the Downloader.IstBar.ja is gone. However, I still am encountering "adware tracking cookies" each time.

YoKenny

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #27 on: August 27, 2008, 03:18:18 AM »
Quote from: wyrmrider
The info on this new baddie: http://spyware.processlibrary.com/details/SpyName/Trojan-Downloader.IstBar.ja/
Also you can distill the manual removal instructions from the aforementioned link, make sure you print the removal instructions out, so you can meticulously tackle these one by one,
SAS came with a complete new program just a minute ago, download it and scan
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

I just scanned and the Downloader.IstBar.ja is gone. However, I still am encountering  "adware tracking cookies" each time.

CCleaner safely removes older un-needed Service Pack files:
http://www.ccleaner.com/download/builds  <== select Slim for no Toolbar installation

Then install a HOSTS file to prevent "adware tracking cookies" from infesting the system.

HOSTS files I use:
http://www.mvps.org/winhelp2002/hosts.htm
http://hosts-file.net/?s=Download

Managed with HostsMan and I use its HostsServer proxy to speed up browsing:
http://www.abelhadigital.com
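As an added example (not YoKenny's, MVPS's or HostsMan's code), the Python below shows what a HOSTS file actually does: the resolver consults it before DNS, so a tracking host pinned to 0.0.0.0 is never contacted and therefore never gets to set a cookie. The hostnames in the sample are constructed (.test names), only the file layout is the MVPS one; it also shows the caveat that matching is exact, so a subdomain that is not listed is not covered.

```python
import os
from pathlib import Path
from typing import Dict, Optional

# Constructed excerpt in the MVPS HOSTS layout: one address, then one or more
# hostnames, '#' starts a comment. MVPS pins ad/tracking hosts to 0.0.0.0; the
# hostnames here are made up and are not entries from the real file.
SAMPLE_HOSTS = """\
# constructed HOSTS excerpt
127.0.0.1  localhost
0.0.0.0  ads.example-tracker.test
0.0.0.0  metrics.example-tracker.test   # inline comment is ignored
0.0.0.0 beacon.example-ads.test cdn.example-ads.test
"""

# Addresses a blocklist uses to sinkhole a name (MVPS uses 0.0.0.0).
SINKHOLE_ADDRS = ("0.0.0.0", "127.0.0.1")


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to its address the way the OS resolver reads the file:
    comments stripped, any whitespace, several names per line, first entry wins."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        addr, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Address the HOSTS file pins hostname to; None means it falls through to DNS."""
    return table.get(hostname.rstrip(".").lower())


def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    """True when the name is pinned to a sinkhole address, so the browser never
    reaches the tracker and the tracker never gets to set a cookie."""
    if hostname.rstrip(".").lower() == "localhost":
        return False  # loopback is the one legitimate 127.0.0.1 entry
    return lookup(table, hostname) in SINKHOLE_ADDRS


def system_hosts_path() -> Path:
    """Where the OS reads the file from; on Windows the MVPS file replaces this one."""
    if os.name == "nt":
        root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
        return root / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


if __name__ == "__main__":
    t = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.test", "www.ads.example-tracker.test", "www.avast.com"):
        print(f"{name:32} blocked={is_blocked(t, name)} addr={lookup(t, name)}")
    print("active file:", system_hosts_path())
```

Because the match is exact, `www.ads.example-tracker.test` is not blocked even though `ads.example-tracker.test` is; that is why these lists run to thousands of lines and need regular updating with a manager such as HostsMan.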

wyrmrider

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #28 on: August 27, 2008, 03:21:36 AM »
you just scanned with what?
anyway if you go to the uniblue website and in the middle of the page click on
files modified
and
registry entries
check em out and make sure they are gone

do not run uniblue tool unless asked

I'm going to try the new version of SAS
I suggest you do the same

tracking cookies will reappear unless you lock down your browser to minimise
I block third party tracking cookies

I can't see this whole thread but
secunia software inspector needs to be done sometime
and the HOSTS file suggestion by YoKenny is a real winner

Polonus may want you to post a HJT- we'll deal with that later

We need to talk prevention now that the firefighting is under control

nunchuck

  • Guest
Re: Win32: Goldun-BZ trojan +Win32: Adware-gen
« Reply #29 on: August 27, 2008, 10:26:57 AM »
Quote from: YoKenny
Then install a HOSTS file to prevent "adware tracking cookies" from infesting the system.

HOSTS files I use:
http://www.mvps.org/winhelp2002/hosts.htm
http://hosts-file.net/?s=Download

Managed with HostsMan and I use its HostsServer proxy to speed up browsing:
http://www.abelhadigital.com
I downloaded from http://www.mvps.org/winhelp2002/hosts.htm. However, I am not quite sure I know how this program works. If you could explain it to me. Do I actually do anything with it? Like, run it or something? Otherwise, could you instruct me on how to take it off because the instructions on how to do so are over my head. Sorry.


Quote from: wyrmrider
you just scanned with what?
anyway if you go to the uniblue website and in the middle of the page click on
files modified
and
registry entries
check em out and make sure they are gone

do not run uniblue tool unless asked

I'm going to try the new version of SAS
I suggest you do the same

*tracking cookies will reappear unless you lock down your browser to minimise
I block third party tracking cookies


I can't see this whole thread but
secunia software inspector needs to be done sometime
and the HOSTS file suggestion by YoKenny is a real winner

Polonus may want you to post a HJT- we'll deal with that later

We need to talk prevention now that the firefighting is under control
Sorry for not being specific; I scanned with the new SAS. I just got done with updating the programs listed from Secunia. Also, earlier I posted a HJT which was taken care of.  :)


« Last Edit: August 27, 2008, 01:05:53 PM by nunchuck »