gzembow

asked on

Malware stopping all removal utilities - URGENT

My friend's ThinkPad is infected with Spyware Protect 2009 malware.

And it is blocking the installation and running of all the malware utilities that are recommended online to remove it, including Malwarebytes & SuperAntiSpyware - even in Safe Mode.

Is there some way to remove this infection without having to format and reinstall?  All advice is appreciated.

Thanks
Houssam Ballout

Have you tried changing the name of the Malwarebytes download?

Also try to download and run combofix:

www.bleepingcomputer.com/combofix/how-to-use-combofix
gzembow

ASKER

I did rename the Malwarebytes download and installation, I'm not sure if I did it correctly, but I think I did.  Please describe and I will try the combofix.  Thanks.
Hi gzembow,

I would try the following:
http://www.superantispyware.com/
http://www.pctools.com/spyware-doctor-antivirus/
http://www.webroot.com/En_US/consumer-products-antivirus.html

I would update the virus definitions then run a full scan in both Normal Windows and in Safe Mode.
What do you mean that it's blocking the installation?
Can't you install from the web?
Are you able to install it to a different directory?
Also, you will want to check for Conficker infection, as it probably brought on this other infection.
As suggested previously, please run ComboFix, you might want to rename it before saving it to your computer though. Running in safe mode will yield the best results and disabling the antivirus and firewall before it runs will also ensure maximum hits. Don't forget to send us the log.
gzembow

ASKER

I forgot to add a few facts.  

I did run an updated local Virus scan [Eset NOD32] and an online virus scan from trend micro and neither found any infections.

As stated in the original post, I downloaded and installed the major malware utilities, even renamed them and the install folder.  But when I launch in Safe Mode, they either don't react or generate an XP error message "Malwarebytes has encountered an error and has to shut down..."

I did seem to get SDfix to run, but it is hard to understand the report and if it worked.

I will try ComboFix after carefully studying the instructions, but all suggestions are still welcome.

Thanks


Running ComboFix is probably your best shot right now, and here are further instructions>

Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

Before using ComboFix it may be necessary to rename it before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent).  Rename it and connect to the problematic machine.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins.  Just let it run.

I recommend that you initially try to run Combofix in normal mode, although it works well in normal mode or safe mode.

You may find this of additional use, particularly if a 'script' is found necessary >
A guide and tutorial on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

gzembow

ASKER

I just ran ComboFix in normal mode, I tried Safe Mode first, but Eset NOD32 doesn't have a way to turn off the auto virus scan in Safe Mode.

Once the AV was disabled in Normal Mode I ran ComboFix and after the attempt to create a Restore Point, I got the following XP error message.

pv.clexe has encountered a problem and needs to close...

What now?

thnx
SOLUTION
Houssam Ballout

Hmm.. if you cannot disable ESet Nod32 in safe mode, then let it be on and run ComboFix anyway. The reason for this is that in safe mode it might catch viruses which might be in memory in normal mode.
gzembow

ASKER

ComboFix continued after I closed the pv.clexe error message.  It continued until it listed the Rootkit activity it detected. It was about 10 items, including sys, dat, log and mostly dll files which I recorded as it instructed.

 It then rebooted and had another error - catchme.cfexe - DLL initialization Failed.  The application failed because the window station is shutting down.

This finally killed ComboFix.

So here is the HJT logfile I just ran and should I try Spyware Hunter's free demo?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:17, on 4/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\vsnp2uvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [wanActivate] c:\Program Files\lenovo\ActivateWan\WanActivate.exe -check
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\CF25781.exe" /c "C:\GZ-ComboFix\C.bat"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Bluetooth.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk.disabled
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://lenovo.live.com
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware2\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13231 bytes


gzembow

ASKER

Since ComboFix ran partially I decided to try running SuperAntiSpyware and unlike earlier attempts, it is now able to run.  But it's running in normal mode and after 20 minutes has detected 8 items related to a Vundo Variant and 2 items related to the Downloader-Gen/A Trojan. [Also 384 cookies.]

Should I let it continue or restart in Safe Mode?

Thanks
Continue what it's doing.
Then restart in normal mode and try


With a Vundo infection the ComboFix log often shows bad entries that ComboFix was unable to remove.  In such cases we could use its CFScript feature.

Actually Housecall will find and remove the trojan vundo >>
http://housecall.trendmicro.com/uk/
SpyHunter is a fast scanner but it won't remove anything until you buy the license. It only scans for free. Please continue with the scanning and fixing.

Your HijackThis log appears normal, but that could be because of the presence of the rootkit.
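One way to sift a log like the one posted above mechanically, as an added example that is not part of the thread and not code from HijackThis itself: a Python parser for the O2/O4/O20/O23 line shapes with a few defender-side review heuristics (registered components whose file is missing, generically named BHOs, IE or Winlogon hooks loaded from the Windows directory, services with no vendor string, autoruns that launch a batch file). The sample lines are constructed from entries quoted in the posted log; the heuristics only mark entries worth a human look, they do not declare anything malicious.

```python
"""Parse a HijackThis v2 log and flag entries a responder should review.

Added example; handles only the O2/O4/O20/O23 shapes seen in the posted log.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 format, assembled from lines quoted in
# the thread (the iehelper.dll BHO is the one that deserves the closest look;
# the "combofix" Run key is a leftover of the interrupted ComboFix run).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\CF25781.exe" /c "C:\GZ-ComboFix\C.bat"
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
"""

SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str      # "O2", "O4", "O20", "O23", ...
    name: str         # display name, Run key or service name
    path: str         # binary/DLL path or Run command ("" if not parsed)
    missing: bool     # HijackThis could not find the file on disk
    raw: str


@dataclass
class Finding:
    entry: Entry
    severity: str     # "review" (one reason) or "suspect" (two or more)
    reasons: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Turn the 'Oxx - ...' lines of a HijackThis log into Entry objects."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue                       # header, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        name, path = body, ""
        if sec in ("O2", "O20", "O23"):    # "Label: name - [vendor/CLSID -] path"
            parts = body.split(": ", 1)[1].split(" - ")
            name, path = parts[0], parts[-1]
        elif sec == "O4":                  # "HKLM\..\Run: [key] command"
            km = re.search(r"\[(?P<key>[^\]]+)\]\s*(?P<cmd>.*)$", body)
            name, path = km.group("key"), km.group("cmd")
        entries.append(Entry(sec, name, path, missing, line.strip()))
    return entries


def triage(entries: list) -> list:
    """Apply review heuristics; returns only entries that deserve a look."""
    findings = []
    for e in entries:
        reasons = []
        in_sysdir = "\\windows\\" in e.path.lower()
        if e.missing:
            reasons.append("registered component whose file is missing (orphan or partially removed infection)")
        if e.section == "O2" and e.name.strip().lower() in ("bho", "(no name)", ""):
            reasons.append("browser helper object with a generic or empty name")
        if e.section in ("O2", "O20") and in_sysdir:
            reasons.append("third-party IE/Winlogon hook loaded from the Windows directory")
        if e.section == "O23" and " - unknown owner - " in e.raw.lower():
            reasons.append("service with no vendor string; verify the binary's publisher")
        if e.section == "O4" and ".bat" in e.path.lower():
            reasons.append("autorun entry that launches a batch file")
        if reasons:
            findings.append(Finding(e, "suspect" if len(reasons) >= 2 else "review", reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.entry.section} {f.entry.name}: " + "; ".join(f.reasons))
```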
gzembow

ASKER

My current status is that SuperAntiSpyware seemed to run successfully and removed some of the infection.  Then I rebooted into Safe Mode and was finally able to run Malwarebytes which also ran successfully for the first time and found more infections and removed them.

I would like to know whether the consensus is that this may be enough or should I run something else to make sure?

Thanks
Spyware-results-2.JPG
Spyware-results-3.JPG
Spyware-results-4.JPG
Have you removed the following infections you showed in the pictures? Does your computer seem to be working as good as new? If the computer isn't acting as it should be I would run another scan, however I would get a registry cleaner and run a scan on that since you removed a lot of infections.
From the pictures that you've sent, it looks like you've had TDSS and Vundo as well. My suggestion is to do an online scan with Kaspersky Online Scanner, it's based at: http://www.kaspersky.co.uk/virusscanner . It has the highest rates of detection, so can help us find out if there is anything left. I feel a critical area scan should be sufficient to see any traces left. This scan isn't going to remove any infections, but will only create a report of what was detected during the scan.

Another good scanner you could try is "a-squared Free" for a final cleanup:
http://www.emsisoft.com/en/software/free/
After the above suggestions if you still have a problem, re-run ComboFix then if necessary we'll try a short Script, which can be written ~after~ viewing another Combo log.
gzembow

ASKER

Thanks to all - after the scans that I listed it seems OK.

I will run the online scan(s) - [is 2 better than 1] - then run ComboFix again.

It may take 12-36 hours to post the results again. [It is a warm weekend here in sunny southern California!]

Thanks again.
> [is 2 better than 1] <

Yes, and 3 better than 2, when you have had quite an infected machine!

> after the scans that I listed it seems OK <

If you are saying that the ThinkPad is now performing normally, I would recommend that you do not re-run ComboFix, at this time.  It's an excellent tool, but there is invariably an element of risk running it.  It's well worth this risk however if a machine appears to be heavily infected.

If however you still have a problem, run Combo again and we'll take a look at the logfile.

Enjoy the sun, someone will be here when you report back.  
gzembow

ASKER

I ran the two suggested scans overnight and this morning and A-squared found mostly cookies and one infected file and its registry keys.  I will post the log below and then after deleting the items found I ran a second quick scan and it was 100% clear.

The Kaspersky Online Scan results are in the attached screenshot and I manually quarantined the file using NOD32.

Are there any other steps needed or can I return this laptop with a clean bill of health?

Thanks so much!!!!


a-squared Free - Version 4.0
Last update: 4/19/2009 9:15:19 AM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start:      4/19/2009 9:29:37 AM

Value: HKEY_CLASSES_ROOT\CLSID\{183261F8-780B-4506-BE91-434C01DD010A}\InprocServer32 --> ThreadingModel       detected: Trace.Registry.Remotely Anywhere Server Edition!A2
Value: HKEY_CLASSES_ROOT\CLSID\{43534152-0000-0010-8000-00AA00389B71}\InprocServer32 --> ThreadingModel       detected: Trace.Registry.Remotely Anywhere Server Edition!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{183261F8-780B-4506-BE91-434C01DD010A}\InprocServer32 --> ThreadingModel       detected: Trace.Registry.Remotely Anywhere Server Edition!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43534152-0000-0010-8000-00AA00389B71}\InprocServer32 --> ThreadingModel       detected: Trace.Registry.Remotely Anywhere Server Edition!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@1901.nordstrom[1].txt       detected: Trace.TrackingCookie.190!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@about[2].txt       detected: Trace.TrackingCookie.about!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@adsremote.scrippsnetworks[1].txt       detected: Trace.TrackingCookie.adsremote!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@adsremote.scripps[1].txt       detected: Trace.TrackingCookie.adsremote!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@angelfire[1].txt       detected: Trace.TrackingCookie.angelfire!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@belointeractive[1].txt       detected: Trace.TrackingCookie.belointeractive!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@comedycentral[1].txt       detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@commentarymagazine[2].txt       detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@comments.realclearpolitics[1].txt       detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@commerce.metapress[1].txt       detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@commondreams[1].txt       detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@community[1].txt       detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@community[2].txt       detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@community[3].txt       detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@com[1].txt       detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@ercva[2].txt       detected: Trace.TrackingCookie.ercva!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@indextools[1].txt       detected: Trace.TrackingCookie.indextools!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@landing.domainsponsor[1].txt       detected: Trace.TrackingCookie.landing.domainsponsor!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@link.p0[2].txt       detected: Trace.TrackingCookie.link!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@linkedin[1].txt       detected: Trace.TrackingCookie.link!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@linkreferral[1].txt       detected: Trace.TrackingCookie.link!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@link[1].txt       detected: Trace.TrackingCookie.link!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@popmatters[2].txt       detected: Trace.TrackingCookie.pop!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@popsugar[2].txt       detected: Trace.TrackingCookie.pop!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@pricegrabber[1].txt       detected: Trace.TrackingCookie.pricegrabber!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@pricegrabber[3].txt       detected: Trace.TrackingCookie.pricegrabber!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@questionmarket[2].txt       detected: Trace.TrackingCookie.questionmarket!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@rubberchickencards[1].txt       detected: Trace.TrackingCookie.rub!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@rubiconproject[1].txt       detected: Trace.TrackingCookie.rub!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@search.infoweb[1].txt       detected: Trace.TrackingCookie.search.in!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@specificclick[2].txt       detected: Trace.TrackingCookie.specificclick!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@travelocity[1].txt       detected: Trace.TrackingCookie.travelocity!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@travelzoo[2].txt       detected: Trace.TrackingCookie.travelzoo!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@tribalfusion[1].txt       detected: Trace.TrackingCookie.tribalfusion!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@webtrends.telegraph.co[1].txt       detected: Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@www.buycostumes[2].txt       detected: Trace.TrackingCookie.www.buy!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@www.buytekon[1].txt       detected: Trace.TrackingCookie.www.buy!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@www.comicom[2].txt       detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@www.commentarymagazine[1].txt       detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\Bernie Weinraub\Application Data\Mozilla\Firefox\Profiles\1i9g1mvw.default\cookies.txt:26       detected: Trace.TrackingCookie.tribalfusion.com!A2
C:\Documents and Settings\Bernie Weinraub\Desktop\Malware Utilities\SmitfraudFix\Reboot.exe       detected: Riskware.RiskTool.Win32.Reboot.f!A2

Scanned

Files:       263493
Traces:       619200
Cookies:       2790
Processes:       78

Found

Files:       1
Traces:       4
Cookies:       40
Processes:       0
Registry keys:       0

Scan end:      4/19/2009 11:36:27 AM
Scan time:      2:06:50

Spyware-results-v5.JPG
The laptop does appear to be clean, although of course one can never really *guarantee* that it's completely free from infections.
 
You may find this article useful>
Spyware Traces in Detail:
http://www.emsisoft.com/en/kb/articles/tec070120/

For further security you may also wish to scan for rootkits using RootkitRevealer v1.71
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

My only other comment is that it is preferable (if possible) to perform at least one Deep scan on your C:\ drive using a-squared Free.

gzembow

ASKER

The first scan I did last night was the Kaspersky scan and this morning was an A-squared Deep Scan, which produced the logfile above and the 2nd A-squared scan was a Quick scan that found nothing.

I may run the rootkit revealer, but I am satisfied it is 'clean' for now.  Is it safe to clone the drive to an image I can use to restore functionality if a drive failure or severe infection disables the drive?

Thanks to all.