Malware stopping all removal utilities - URGENT

Posted on 2009-04-17
Last Modified: 2013-11-08
My friend's ThinkPad is infected with the Spyware Protect 2009 malware.

And it is blocking the installation and running of all the malware utilities that are recommended online to remove it, including Malwarebytes & SuperAntiSpyware - even in Safe Mode.

Is there some way to remove this infection without having to format and reinstall?  All advice is appreciated.

Question by:gzembow
    LVL 17

    Expert Comment

    Have you tried changing the name of the Malwarebytes download?

    Also try to download and run combofix:

    Author Comment

    I did rename the Malwarebytes download and installation, I'm not sure if I did it correctly, but I think I did.  Please describe and I will try the ComboFix.  Thanks.
    LVL 8

    Expert Comment

    Hi gzembow,

    I would try the following:

    I would update the virus definitions then run a full scan in both Normal Windows and in Safe Mode.
    LVL 17

    Expert Comment

    What do you mean that it's blocking the installation?
    Can't you install from the web?
    Are you able to install it to a different directory?
    LVL 5

    Expert Comment

    Also, you will want to check for Conficker infection, as it probably brought on this other infection.
    LVL 16

    Expert Comment

    As suggested previously, please run ComboFix, you might want to rename it before saving it to your computer though. Running in safe mode will yield the best results and disabling the antivirus and firewall before it runs will also ensure maximum hits. Don't forget to send us the log.

    Author Comment

    I forgot to add a few facts.  

    I did run an updated local Virus scan [Eset NOD32] and an online virus scan from trend micro and neither found any infections.

    As stated in the original post, I downloaded and installed the major malware utilities, even renamed them and the install folder.  But when I launch in Safe Mode, they either don't react or generate an XP error message "Malwarebytes has encountered an error and has to shut down..."

    I did seem to get SDfix to run, but it is hard to understand the report and if it worked.

    I will try ComboFix after carefully studying the instructions, but all suggestions are still welcome.


    LVL 17

    Expert Comment

    LVL 27

    Expert Comment

    Running ComboFix is probably your best shot right now, and here are further instructions>

    Download ComboFix and save to your Desktop >

    Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

    Before using ComboFix it may be necessary to rename it before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent).  Rename it and connect to the problematic machine.

    Double click "combofix.exe" and follow the prompts.
    When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
    You could post that log together with a HijackThis log, in a reply for us.
    Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins.  Just let it run.

    I recommend that you initially try to run ComboFix in normal mode, although it works well in normal mode or safe mode.

    You may find this of additional use, particularly if a 'script' is found necessary >
    A guide and tutorial on using ComboFix:


    Author Comment

    I just ran ComboFix in normal mode.  I tried Safe Mode first, but Eset NOD32 doesn't have a way to turn off the auto virus scan in Safe Mode.

    Once the AV was disabled in Normal Mode I ran ComboFix and after the attempt to create a Restore Point, I got the following XP error message.

    pv.clexe has encountered a problem and needs to close...

    What now?

    LVL 17

    Assisted Solution

    LVL 16

    Expert Comment

    Hmm.. if you cannot disable ESet Nod32 in safe mode, then let it be on and run ComboFix anyway. The reason for this is that in safe mode it might catch viruses which might be in memory in normal mode.

    Author Comment

    ComboFix continued after I closed the pv.clexe error message.  It continued until it listed the Rootkit activity it detected. It was about 10 items, including sys, dat, log and mostly dll files which I recorded as it instructed.

    It then rebooted and had another error - catchme.cfexe - DLL initialization Failed.  The application failed because the window station is shutting down.

    This finally killed ComboFix.

    So here is the HJT logfile I just ran and should I try Spyware Hunter's free demo?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:40:17, on 4/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
    O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [wanActivate] c:\Program Files\lenovo\ActivateWan\WanActivate.exe -check
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\CF25781.exe" /c "C:\GZ-ComboFix\C.bat"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
    O4 - Global Startup: Bluetooth.lnk.disabled
    O4 - Global Startup: Digital Line Detect.lnk.disabled
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) -
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware2\SASWINLO.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
    O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

    End of file - 13231 bytes


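    The HijackThis log above is the kind of thing the experts in this thread read by hand. As an added example (not from the thread, and not part of HijackThis itself), here is a small Python triage script that parses the O2/O4/O20/O23 entries and flags the ones a reviewer would look at first: "(file missing)" orphans, a BHO with a generic name, bare filenames that Windows resolves through the search path, executables sitting directly in the Windows directory, and services with no recorded owner. The sample lines are copied from the log above; the flag rules are my own heuristics and mark entries to verify, not verdicts.

```python
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
"""

MISSING = " (file missing)"
LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    section: str                 # "O2", "O4", "O20", "O23"
    name: str                    # BHO name, Run value name, notify package, service name
    path: str                    # file path or command line exactly as logged
    raw: str                     # original line, kept for reporting
    flags: list = field(default_factory=list)


def parse_line(line):
    """Turn one HijackThis line into an Entry, or None for lines we do not handle."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O4":
        o4 = O4_RE.match(body)
        return Entry(sec, o4.group("name"), o4.group("cmd"), line) if o4 else None
    if sec in ("O2", "O20", "O23"):
        # "<kind>: <name> - [<clsid or owner> - ]<path>": the path is always the last field.
        parts = body.split(" - ")
        kind_name = parts[0]
        name = kind_name.split(": ", 1)[1] if ": " in kind_name else kind_name
        return Entry(sec, name, parts[-1], line)
    return None


def image_of(entry):
    """Best-effort extraction of the executable/DLL path from the logged path or command line."""
    p = entry.path
    if entry.section == "O4":
        if p.startswith('"'):
            return p.split('"')[1]                       # quoted path, arguments follow
        return re.split(r"\s+[-/]", p, maxsplit=1)[0].strip()  # unquoted: cut at first switch
    return p[:-len(MISSING)] if p.endswith(MISSING) else p


def triage(entry):
    """Attach review flags to an entry (heuristics, assumed here; not HijackThis's own logic)."""
    if entry.path.endswith(MISSING):
        entry.flags.append("file missing: registered component whose file is gone (orphan left by a removal or a broken install)")
    image = image_of(entry)
    low = image.lower()
    if "\\" not in image:
        entry.flags.append("bare filename, resolved through the search path at load time; confirm which copy actually runs")
    elif low.startswith("c:\\windows\\") and low.count("\\") == 2:
        entry.flags.append("executable directly in the Windows directory; legitimate for some OEM tools, verify the publisher")
    if entry.section == "O23" and "Unknown owner" in entry.raw:
        entry.flags.append("service has no recorded owner; verify the binary's publisher")
    if entry.section == "O2" and entry.name.strip().lower() == "bho":
        entry.flags.append("BHO with a generic name; legitimate BHOs normally carry a product name")
    return entry.flags


def triage_log(text):
    """Parse every supported line and return the entries that raised at least one flag."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry):
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:<4}{e.name}")
        for f in e.flags:
            print("    -", f)
```

Running it over the sample lines lists five entries to check and leaves the Google Toolbar BHO and both ESET entries unflagged.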
    Author Comment

    Since ComboFix ran partially I decided to try running SuperAntiSpyware and unlike earlier attempts, it is now able to run.  But it's running in normal mode and after 20 minutes has detected 8 items related to a Vundo Variant and 2 items related to the Downloader-Gen/A Trojan. [Also 384 cookies.]

    Should I let it continue or restart in Safe Mode?

    LVL 17

    Expert Comment

    Continue what it's doing.
    Then restart in normal mode and try.

    LVL 27

    Expert Comment


    With a Vundo infection the ComboFix log often shows bad entries that ComboFix was unable to remove.  In such cases we could use its CFScript feature.

    Actually Housecall will find and remove the trojan vundo >>
    LVL 16

    Expert Comment

    SpyHunter is a fast scanner but it won't remove anything until you buy the license. It only scans for free. Please continue with the scanning and fixing.

    Your HijackThis log appears normal, but that could be because of the presence of the rootkit.

    Author Comment

    My current status is that SuperAntiSpyware seemed to run successfully and removed some of the infection.  Then I rebooted into Safe Mode and was finally able to run Malwarebytes which also ran successfully for the first time and found more infections and removed them.

    I would like to know whether the consensus is that this may be enough or should I run something else to make sure?

    LVL 8

    Expert Comment

    Have you removed the following infections you showed in the pictures? Does your computer seem to be working as good as new? If the computer isn't acting as it should be I would run another scan, however I would get a registry cleaner and run a scan on that since you removed a lot of infections.
    LVL 16

    Expert Comment

    From the pictures that you've sent, it looks like you've had TDSS and Vundo as well. My suggestion is to do an online scan with Kaspersky Online Scanner, it's based at: . It has the highest rates of detection, so can help us find out if there is anything left. I feel a critical area scan should be sufficient to see any traces left. This scan isn't going to remove any infections, but will only create a report of what was detected during the scan.

    LVL 27

    Expert Comment

    Another good scanner you could try is "a-squared Free" for a final cleanup:
    LVL 27

    Expert Comment

    After the above suggestions if you still have a problem, re-run ComboFix then if necessary we'll try a short Script, which can be written ~after~ viewing another Combo log.

    Author Comment

    Thanks to all - after the scans that I listed it seems OK.

    I will run the online scan(s) - [is 2 better than 1] - then run ComboFix again.

    It may take 12-36 hours to post the results again. [It is a warm weekend here in sunny southern California!]

    Thanks again.
    LVL 27

    Expert Comment

    > [is 2 better than 1] <           <<<Yes, and 3 better than 2, when you have had quite an infected machine!

    > after the scans that I listed it seems OK <

    If you are saying that the ThinkPad is now performing normally, I would recommend that you do not re-run ComboFix, at this time.  It's an excellent tool, but there is invariably an element of risk running it.  It's well worth this risk however if a machine appears to be heavily infected.

    If however you still have a problem, run Combo again and we'll take a look at the logfile.

    Enjoy the sun, someone will be here when you report back.  

    Author Comment

    I ran the two suggested scans overnight and this morning and A-squared found mostly cookies and one infected file and its registry keys.  I will post the log below and then after deleting the items found I ran a second quick scan and it was 100% clear.

    The Kaspersky Online Scan results are in the attached screenshot and I manually quarantined the file using NOD32.

    Are there any other steps needed or can I return this laptop with a clean bill of health?

    Thanks so much!!!!

    a-squared Free - Version 4.0
    Last update: 4/19/2009 9:15:19 AM

    Scan settings:

    Objects: Memory, Traces, Cookies, C:\
    Scan archives: On
    Heuristics: Off
    ADS Scan: On

    Scan start:      4/19/2009 9:29:37 AM

    Value: HKEY_CLASSES_ROOT\CLSID\{183261F8-780B-4506-BE91-434C01DD010A}\InprocServer32 --> ThreadingModel       detected: Trace.Registry.Remotely Anywhere Server Edition!A2
    Value: HKEY_CLASSES_ROOT\CLSID\{43534152-0000-0010-8000-00AA00389B71}\InprocServer32 --> ThreadingModel       detected: Trace.Registry.Remotely Anywhere Server Edition!A2
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{183261F8-780B-4506-BE91-434C01DD010A}\InprocServer32 --> ThreadingModel       detected: Trace.Registry.Remotely Anywhere Server Edition!A2
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43534152-0000-0010-8000-00AA00389B71}\InprocServer32 --> ThreadingModel       detected: Trace.Registry.Remotely Anywhere Server Edition!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@1901.nordstrom[1].txt       detected: Trace.TrackingCookie.190!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@about[2].txt       detected: Trace.TrackingCookie.about!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@adsremote.scrippsnetworks[1].txt       detected: Trace.TrackingCookie.adsremote!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@adsremote.scripps[1].txt       detected: Trace.TrackingCookie.adsremote!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@angelfire[1].txt       detected: Trace.TrackingCookie.angelfire!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@belointeractive[1].txt       detected: Trace.TrackingCookie.belointeractive!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@comedycentral[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@commentarymagazine[2].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@comments.realclearpolitics[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@commerce.metapress[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@commondreams[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@community[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@community[2].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@community[3].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@com[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@ercva[2].txt       detected: Trace.TrackingCookie.ercva!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@indextools[1].txt       detected: Trace.TrackingCookie.indextools!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@landing.domainsponsor[1].txt       detected: Trace.TrackingCookie.landing.domainsponsor!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@link.p0[2].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@linkedin[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@linkreferral[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@link[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@popmatters[2].txt       detected: Trace.TrackingCookie.pop!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@popsugar[2].txt       detected: Trace.TrackingCookie.pop!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@pricegrabber[1].txt       detected: Trace.TrackingCookie.pricegrabber!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@pricegrabber[3].txt       detected: Trace.TrackingCookie.pricegrabber!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@questionmarket[2].txt       detected: Trace.TrackingCookie.questionmarket!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@rubberchickencards[1].txt       detected: Trace.TrackingCookie.rub!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@rubiconproject[1].txt       detected: Trace.TrackingCookie.rub!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@search.infoweb[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@specificclick[2].txt       detected: Trace.TrackingCookie.specificclick!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@travelocity[1].txt       detected: Trace.TrackingCookie.travelocity!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@travelzoo[2].txt       detected: Trace.TrackingCookie.travelzoo!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@tribalfusion[1].txt       detected: Trace.TrackingCookie.tribalfusion!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie[1].txt       detected: Trace.TrackingCookie.webtrends!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@www.buycostumes[2].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@www.buytekon[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@www.comicom[2].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Cookies\bernie weinraub@www.commentarymagazine[1].txt       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Application Data\Mozilla\Firefox\Profiles\1i9g1mvw.default\cookies.txt:26       detected:!A2
    C:\Documents and Settings\Bernie Weinraub\Desktop\Malware Utilities\SmitfraudFix\Reboot.exe       detected: Riskware.RiskTool.Win32.Reboot.f!A2


    Files:       263493
    Traces:       619200
    Cookies:       2790
    Processes:       78


    Files:       1
    Traces:       4
    Cookies:       40
    Processes:       0
    Registry keys:       0

    Scan end:      4/19/2009 11:36:27 AM
    Scan time:      2:06:50

    LVL 27

    Expert Comment

    The laptop does appear to be clean, although of course one can never really *guarantee* that it's completely free from infections.
    You may find this article useful>
    Spyware Traces in Detail:

    For further security you may also wish to scan for rootkits using RootkitRevealer v1.71

    My only other comment is that it is preferable (if possible) to perform at least one Deep scan on your C:\ drive using a-squared Free.


    Author Comment

    The first scan I did last night was the Kaspersky scan and this morning was an A-squared Deep Scan, which produced the logfile above and the 2nd A-squared scan was a Quick scan that found nothing.

    I may run the rootkit revealer, but I am satisfied it is 'clean' for now.  Is it safe to clone the drive to an image I can use to restore functionality if a drive failure or severe infection disables the drive?

    Thanks to all.
    LVL 8

    Assisted Solution

    If everything comes back fine with no virus, malware or spyware, then I would create an image. If you don't have anything already, you can use something like Norton Ghost or Acronis True Image.
    LVL 27

    Accepted Solution


    Also thanks for the earlier a-squared scan report, and if you haven't already done so you can uninstall ComboFix as follows >

    Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
    Then hit enter.  This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.

    LVL 16

    Assisted Solution

    Good, good - so most of the bad things have been finished now. After the above mentioned scan(s) come clean, the laptop should be in a usable state again. I am also going to suggest that you install a firewall on this PC, because there is no firewall installed currently. My favorite is ZoneAlarm free firewall. It's a bit heavy on resources but is great for overall security of your PC. Windows Firewall doesn't monitor outbound connections, this is why I suggested ZoneAlarm.
