gzembow
asked on
Malware stopping all removal utilities - URGENT
My friend's ThinkPad is infected with Spyware Protect 2009 malware.
And it is blocking the installation and running of all the malware utilities that are recommended online to remove it, including Malwarebytes & SuperAntiSpyware - even in Safe Mode.
Is there some way to remove this infection without having to format and reinstall? All advice is appreciated.
Thanks
ASKER
I did rename the Malwarebytes download and installation, I'm not sure if I did it correctly, but I think I did. Please describe and I will try the ComboFix. Thanks.
Hi gzembow,
I would try the following:
http://www.superantispyware.com/
http://www.pctools.com/spyware-doctor-antivirus/
http://www.webroot.com/En_US/consumer-products-antivirus.html
I would update the virus definitions then run a full scan in both Normal Windows and in Safe Mode.
What do you mean that it's blocking the installation?
Can't you install from the web?
Are you able to install it to a different directory?
Also, you will want to check for Conficker infection, as it probably brought on this other infection.
As suggested previously, please run ComboFix, you might want to rename it before saving it to your computer though. Running in safe mode will yield the best results and disabling the antivirus and firewall before it runs will also ensure maximum hits. Don't forget to send us the log.
ASKER
I forgot to add a few facts.
I did run an updated local Virus scan [Eset NOD32] and an online virus scan from trend micro and neither found any infections.
As stated in the original post, I downloaded and installed the major malware utilities, even renamed them and the install folder. But when I launch in Safe Mode, they either don't react or generate an XP error message "Malwarebytes has encountered an error and has to shut down..."
I did seem to get SDFix to run, but it is hard to understand the report and whether it worked.
I will try ComboFix after carefully studying the instructions, but all suggestions are still welcome.
Thanks
Running ComboFix is probably your best shot right now, and here are further instructions:
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.
Before using ComboFix it may be necessary to rename it before saving it to your desktop. If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent). Rename it and connect to the problematic machine.
Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall. It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins. Just let it run.
I recommend that you initially try to run ComboFix in normal mode, although it works well in normal mode or safe mode.
You may find this of additional use, particularly if a 'script' is found necessary >
A guide and tutorial on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ASKER
I just ran ComboFix in normal mode, I tried Safe Mode first, but Eset NOD32 doesn't have a way to turn off the auto virus scan in Safe Mode.
Once the AV was disabled in Normal Mode I ran ComboFix and after the attempt to create a Restore Point, I got the following XP error message.
pv.clexe has encountered a problem and needs to close...
What now?
thnx
SOLUTION
Hmm.. if you cannot disable ESET NOD32 in safe mode, then let it be on and run ComboFix anyway. The reason for this is that in safe mode it might catch viruses which might be in memory in normal mode.
ASKER
ComboFix continued after I closed the pv.clexe error message. It continued until it listed the Rootkit activity it detected. It was about 10 items, including sys, dat, log and mostly dll files which I recorded as it instructed.
It then rebooted and had another error - catchme.cfexe - DLL initialization Failed. The application failed because the window station is shutting down.
This finally killed ComboFix.
So here is the HJT logfile I just ran and should I try Spyware Hunter's free demo?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:17, on 4/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\vsnp2uvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [wanActivate] c:\Program Files\lenovo\ActivateWan\WanActivate.exe -check
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\CF25781.exe" /c "C:\GZ-ComboFix\C.bat"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Bluetooth.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk.disabled
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://lenovo.live.com
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware2\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
--
End of file - 13231 bytes
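As an added example for this thread (not code from HijackThis, ComboFix or any poster here), the script below parses a HijackThis v2 log of the kind posted above and lists the entries a helper reads first: registry references marked "(file missing)", O20 Winlogon Notify hooks, O23 services with no vendor string, and O4 autoruns launched from a temp or user-profile directory. A flag means "look at this", not "malicious": in the log above, for instance, the orphaned iehelper.dll BHO and the ACNotify hook would be flagged even though the responders judged the log normal. SAMPLE_LOG is a constructed excerpt built from lines in the log above plus one made-up O4 line (the "[updater]" entry) to exercise the temp-directory rule; the flag names and heuristics are this example's own.

```python
"""Triage helper for HijackThis v2 logs (added example, not HijackThis code).

Splits a log into header fields, the 'Running processes' block and the
Rx/Fx/Nx/Oxx entries, then attaches a reason to each entry worth a
second look.  SAMPLE_LOG is constructed from the thread's log plus one
invented O4 line ([updater]) that starts from a temp directory.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:17, on 4/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\CF25781.exe" /c "C:\GZ-ComboFix\C.bat"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\update.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
--
End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
HEADER_RE = re.compile(r"^(Platform|Boot mode|MSIE): (.*)$")
FILE_MISSING = "(file missing)"
# Lower-case directory fragments a legitimate autorun rarely starts from.
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\local settings\\",
                "\\application data\\", "\\recycler\\")


@dataclass
class Entry:
    code: str                 # e.g. "O4", "O23"
    body: str                 # everything after "Oxx - "
    flags: list = field(default_factory=list)


@dataclass
class HjtLog:
    header: dict
    processes: list
    entries: list


def parse_log(text: str) -> HjtLog:
    """Split a HijackThis log into header fields, running processes and entries."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--" or line.startswith("End of file"):
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:                                   # first Oxx line ends the process block
            in_processes = False
            entries.append(Entry(m.group("code"), m.group("body")))
            continue
        h = HEADER_RE.match(line)
        if h:
            header[h.group(1)] = h.group(2)
        elif in_processes:
            processes.append(line)
    return HjtLog(header, processes, entries)


def triage(log: HjtLog) -> list:
    """Return the entries that deserve a closer look, with the reason(s) attached."""
    flagged = []
    for e in log.entries:
        body = e.body.lower()
        flags = []
        if FILE_MISSING in body:
            flags.append("file missing")            # registry points at a file that is gone
        if e.code == "O20":
            flags.append("winlogon notify hook")    # DLL loaded by winlogon at logon
        if e.code == "O23" and "unknown owner" in body:
            flags.append("service without vendor")
        if e.code == "O4" and any(d in body for d in SUSPECT_DIRS):
            flags.append("autorun from temp/profile dir")
        e.flags = flags
        if flags:
            flagged.append(e)
    return flagged


def report(text: str) -> str:
    """One summary line plus one line per flagged entry, ready to paste into a reply."""
    log = parse_log(text)
    lines = [f"{log.header.get('Platform', '?')} | boot: {log.header.get('Boot mode', '?')} | "
             f"{len(log.processes)} processes, {len(log.entries)} entries"]
    for e in triage(log):
        lines.append(f"[{', '.join(e.flags)}] {e.code} - {e.body}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved log with `report(open("hijackthis.log").read())`; the heuristics are deliberately conservative, so a clean result still only means the log's usual hijack points look ordinary, which, as noted in the thread, a rootkit can also make true.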
ASKER
Since ComboFix ran partially I decided to try running SuperAntiSpyware and unlike earlier attempts, it is now able to run. But it's running in normal mode and after 20 minutes has detected 8 items related to a Vundo Variant and 2 items related to the Downloader-Gen/A Trojan. [Also 384 cookies.]
Should I let it continue or restart in Safe Mode?
Thanks
Continue what it's doing.
Then restart in normal mode and try
With a Vundo infection the ComboFix log often shows bad entries that ComboFix was unable to remove. In such cases we could use its CFScript feature.
Actually Housecall will find and remove the trojan vundo >>
http://housecall.trendmicro.com/uk/
SpyHunter is a fast scanner but it won't remove anything until you buy the license. It only scans for free. Please continue with the scanning and fixing.
Your HijackThis log appears normal, but that could be because of the presence of the rootkit.
ASKER
My current status is that SuperAntiSpyware seemed to run successfully and removed some of the infection. Then I rebooted into Safe Mode and was finally able to run Malwarebytes which also ran successfully for the first time and found more infections and removed them.
I would like to know whether the consensus is that this may be enough or should I run something else to make sure?
Thanks
Spyware-results-2.JPG
Spyware-results-3.JPG
Spyware-results-4.JPG
Have you removed the following infections you showed in the pictures? Does your computer seem to be working as good as new? If the computer isn't acting as it should be I would run another scan; however, I would get a registry cleaner and run a scan with that since you removed a lot of infections.
From the pictures that you've sent, it looks like you've had TDSS and Vundo as well. My suggestion is to do an online scan with Kaspersky Online Scanner, it's based at http://www.kaspersky.co.uk/virusscanner . It has the highest rates of detection, so can help us find out if there is anything left. I feel a critical area scan should be sufficient to see any traces left. This scan isn't going to remove any infections, but will only create a report of what was detected during the scan.
Another good scanner you could try is "a-squared Free" for a final cleanup:
http://www.emsisoft.com/en/software/free/
After the above suggestions if you still have a problem, re-run ComboFix then if necessary we'll try a short Script, which can be written ~after~ viewing another Combo log.
ASKER
Thanks to all - after the scans that I listed it seems OK.
I will run the online scan(s) - [is 2 better than 1] - then run ComboFix again.
It may take 12-36 hours to post the results again. [It is a warm weekend here in sunny southern California!]
Thanks again.
> [is 2 better than 1] < <<<Yes, and 3 better than 2, when you have had quite an infected machine!
> after the scans that I listed it seems OK <
If you are saying that the ThinkPad is now performing normally, I would recommend that you do not re-run ComboFix at this time. It's an excellent tool, but there is invariably an element of risk running it. It's well worth this risk however if a machine appears to be heavily infected.
If however you still have a problem, run Combo again and we'll take a look at the logfile.
Enjoy the sun, someone will be here when you report back.
ASKER
I ran the two suggested scans overnight and this morning and A-squared found mostly cookies and one infected file and its registry keys. I will post the log below and then after deleting the items found I ran a second quick scan and it was 100% clear.
The Kaspersky Online Scan results are in the attached screenshot and I manually quarantined the file using NOD32.
Are there any other steps needed or can I return this laptop with a clean bill of health?
Thanks so much!!!!
a-squared Free - Version 4.0
Last update: 4/19/2009 9:15:19 AM
Scan settings:
Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On
Scan start: 4/19/2009 9:29:37 AM
Value: HKEY_CLASSES_ROOT\CLSID\{183261F8-780B-4506-BE91-434C01DD010A}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Remotely Anywhere Server Edition!A2
Value: HKEY_CLASSES_ROOT\CLSID\{43534152-0000-0010-8000-00AA00389B71}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Remotely Anywhere Server Edition!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{183261F8-780B-4506-BE91-434C01DD010A}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Remotely Anywhere Server Edition!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43534152-0000-0010-8000-00AA00389B71}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Remotely Anywhere Server Edition!A2
C:\Documents and Settings\Bernie Weinraub\Desktop\Malware Utilities\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f!A2
Scanned
Files: 263493
Traces: 619200
Cookies: 2790
Processes: 78
Found
Files: 1
Traces: 4
Cookies: 40
Processes: 0
Registry keys: 0
Scan end: 4/19/2009 11:36:27 AM
Scan time: 2:06:50
Spyware-results-v5.JPG
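The a-squared log above mixes a handful of registry traces and one riskware file into dozens of tracking-cookie entries. The following added example (not from the original thread, nor Emsisoft's own code) parses lines in that log layout and separates cookie noise from detections that deserve a manual look; the user name, CLSID and signature names in its sample are placeholders.

```python
"""Classify a-squared scan-log detections by triage category.

Added example, not part of the original thread; SAMPLE_LOG is constructed
in the a-squared Free 4.0 layout with placeholder user, CLSID and names.
"""
import re
from collections import Counter

# One detection line: object (a file path or "Value: <regkey> --> <name>"),
# then " detected: ", then the signature name ending in "!A2".
DETECT_RE = re.compile(r"^(?P<object>.+?) detected: (?P<sig>\S.*?)\s*$")

def classify(signature: str) -> str:
    """Map an a-squared signature name to a coarse triage category."""
    if signature.startswith("Trace.TrackingCookie."):
        return "cookie"          # browser tracking cookie, not an infection
    if signature.startswith("Trace.Registry."):
        return "registry_trace"  # leftover registry keys of a known program
    if signature.startswith("Riskware."):
        return "riskware"        # legitimate but dual-use tool (e.g. Reboot.exe)
    return "malware"             # anything else: treat as a real detection

def parse_log(text: str) -> list:
    """Return one dict per detection line: object, signature, category."""
    hits = []
    for line in text.splitlines():
        m = DETECT_RE.match(line.strip())
        if not m:
            continue  # header, settings and summary lines carry no detection
        sig = m.group("sig")
        hits.append({"object": m.group("object"), "signature": sig,
                     "category": classify(sig)})
    return hits

def summarize(text: str) -> Counter:
    """Count detections per category; the first thing a triager wants."""
    return Counter(h["category"] for h in parse_log(text))

def needs_attention(text: str) -> list:
    """Objects that are not mere tracking cookies and deserve a manual look."""
    return [h["object"] for h in parse_log(text) if h["category"] != "cookie"]

# Constructed sample (placeholder values) in the a-squared Free 4.0 log layout.
SAMPLE_LOG = r"""a-squared Free - Version 4.0
Scan settings:
Objects: Memory, Traces, Cookies, C:\
Value: HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Example Remote Tool!A2
C:\Documents and Settings\user\Cookies\user@example[1].txt detected: Trace.TrackingCookie.example!A2
C:\Documents and Settings\user\Cookies\user@tracker[2].txt detected: Trace.TrackingCookie.tracker!A2
C:\Documents and Settings\user\Desktop\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f!A2
C:\tmp\dropper.exe detected: Trojan.Win32.Placeholder!A2
Found
Files: 2
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for obj in needs_attention(SAMPLE_LOG):
        print("review:", obj)
```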
The laptop does appear to be clean, although of course one can never really *guarantee* that it's completely free from infections.
You may find this article useful:
Spyware Traces in Detail:
http://www.emsisoft.com/en/kb/articles/tec070120/
For further security you may also wish to scan for rootkits using RootkitRevealer v1.71
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
My only other comment is that it is preferable (if possible) to perform at least one Deep scan on your C:\ drive using a-squared Free.
ASKER
The first scan I did last night was the Kaspersky scan and this morning was an A-squared Deep Scan, which produced the logfile above and the 2nd A-squared scan was a Quick scan that found nothing.
I may run the rootkit revealer, but I am satisfied it is 'clean' for now. Is it safe to clone the drive to an image I can use to restore functionality if a drive failure or severe infection disables the drive?
Thanks to all.
Also try to download and run combofix:
www.bleepingcomputer.com/combofix/how-to-use-combofix