Old 04-30-2013, 12:51 PM   #1
Member (10 bit)
 
seagull's Avatar
 
Join Date: Jun 2003
Location: Brookings, OR**Rain forest of the northwest.**
Posts: 639
big mystery here ???

I am cleaning up my son's Acer Aspire and found win.32 malware with Spybot. Scanned it with MSE and removed it. I did see in CCleaner the cleanup scan where it was in the trash to remove, and did so.

However, Spybot says it is still in the system and cannot remove it because part of it is in memory.

How can I tell for sure?
seagull is offline   Reply With Quote
Old 04-30-2013, 01:13 PM   #2
Staff
Premium Member
 
rjfvillarosa's Avatar
 
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,555
Use CCleaner to clean out all the temporary files (Windows and IE). Make sure MSE and SpyBot are fully up to date, then reboot and run MSE and SpyBot in safe mode.
__________________
Niwa no niwa ni wa, niwa no niwatori wa niwaka ni wani o tabeta.
rjfvillarosa is offline   Reply With Quote
Old 04-30-2013, 02:49 PM   #3
Member (10 bit)
 
seagull's Avatar
 
MSE said at end of full scan that it was not fully functional in safe mode. Spybot found it and said it was removed, BUT another SB scan in regular mode showed it was still there. Right back where I started #$%$#%$%^
seagull is offline   Reply With Quote
Old 04-30-2013, 03:09 PM   #4
Staff
Premium Member
 
rjfvillarosa's Avatar
 
This is a great little standalone scanner that doesn't install; it just runs as a free-standing app.
http://www.emsisoft.com/en/software/eek/
You can also try Windows Defender Offline. Microsoft's Free Security Tools - Windows Defender Offline - Microsoft Security Blog - Site Home - TechNet Blogs
With Defender Offline you create a bootable CD that runs a full scan after update, on your hard drive before Windows boots.
rjfvillarosa is offline   Reply With Quote
Old 04-30-2013, 03:24 PM   #5
Member (10 bit)
 
seagull's Avatar
 
I have a 3 mo old copy of Defender but I can't get it to boot the CD. The BIOS is set to boot CD. I gave up on that. I will try your other link.
Thanks
seagull is offline   Reply With Quote
Old 04-30-2013, 03:50 PM   #6
Staff
Premium Member
 
rjfvillarosa's Avatar
 
Quote:
Originally Posted by seagull
I have a 3 mo old copy of defender but I can't get it to boot the CD.
I don't know why, but a few people are having problems making the CD bootable. When you run the app it downloads the ISO files, and from what I have seen these downloaded files are the problem. I have the 32- and 64-bit versions that I made probably about a year ago and they are working fine. I tried to make some new copies a few weeks back and wound up with a bunch of drinks coasters.
rjfvillarosa is offline   Reply With Quote
Old 04-30-2013, 06:13 PM   #7
Member (10 bit)
 
seagull's Avatar
 
crazy crazy ??
Back to safe mode for the 3rd time. Run SBot and it cleans it up. Run SB again to double check. Still not there. Run CCleaner and can see it in the cleanup. Run CC and again it is clean.

Boot into regular mode and run SBot and there it is again.

Is it hiding in Firefox? or ???
seagull is offline   Reply With Quote
Old 04-30-2013, 06:48 PM   #8
glc
Forum Administrator
Staff
Premium Member
 
glc's Avatar
 
Join Date: May 2000
Location: Joplin MO
Posts: 41,159
Are you setting CCleaner to clean everything out of all browsers? Also, go to Options - Advanced and uncheck the box to only clean temp files older than 24 hours.

Go download HijackThis and run it, post the log.

Try the standalone EmsiSoft.
glc is offline   Reply With Quote
Old 04-30-2013, 07:11 PM   #9
Member (10 bit)
 
seagull's Avatar
 
I am back to safe mode and have it removed again. When I go to CC advanced everything is unchecked. I have never run a log. I need to read up as to how.
seagull is offline   Reply With Quote
Old 04-30-2013, 07:38 PM   #10
glc
Forum Administrator
Staff
Premium Member
 
glc's Avatar
 
We have a sticky thread right in this forum about HijackThis logs.
glc is offline   Reply With Quote
Old 04-30-2013, 07:49 PM   #11
Member (10 bit)
 
seagull's Avatar
 
George, I know this is not what you told me to do. I cleaned with SB again and I have it in CC. Anything I can do now in CC?
seagull is offline   Reply With Quote
Old 04-30-2013, 08:20 PM   #12
glc
Forum Administrator
Staff
Premium Member
 
glc's Avatar
 
Why are you resisting the suggestions to run EmsiSoft and get a HijackThis log? All you are doing is going around in circles repeating what is obviously NOT WORKING.
glc is offline   Reply With Quote
Old 04-30-2013, 10:05 PM   #13
Member (10 bit)
Premium Member
 
Join Date: Jun 2008
Location: Northern Wisconsin
Posts: 697
My first concern would be why my anti-malware program didn't catch the bug; win32 infections have been around for many years. The Microsoft Windows Malicious Software Removal Tool is actually very good at removing this type of infection. Some variants of this infection corrupt the system restore files; thus, it returns after you have cleaned and rebooted the machine if system restore is enabled. You may, along with what George and rjfvillarosa suggested, need to turn off system restore before you clean the machine again.
usnavyretired is offline   Reply With Quote
All times are GMT -5.