Wife's laptop infected

Kyle,

All ESET found were in Qoobox, which are backups of what Combofix removed; it also found entries in your System Restore program, so we need to flush it all out and it's so important to create a new Restore Point.

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:
  1. Click Start > Run > copy and paste the following into the run box:
    %SystemRoot%\System32\restore\rstrui.exe
  2. Press OK. Choose Create a Restore Point then click Next.
  3. Name it (something you'll remember) and click Create.
  4. When the confirmation screen shows the restore point has been created click Close.

Then remove all previous Restore Points
  1. Click Start > Run > copy and paste the following into the run box:
    cleanmgr
  2. Choose to scan drive C:\ (if C:\ is your main drive).
  3. At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
  4. Click on the Yes button.
  5. When finished, click on Cancel button to exit.

You never said if you're having boot problems ???
 
The last boot was when combofix ran the last time and I didn't have any startup problems that I saw. Everything seemed normal and I was able to get on the web through wireless like normal.
 
Done with the restore point and the cleanup. Nothing happened when I told it to delete all but the last restore point. Did it do it?
Kyle
 
Glad it all worked, need to finish working with you by Saturday so I can get together with fellow Gators for the game on Saturday :) Up here in Connecticut we have a Gator Club and get together at local pubs to watch the game.

Can you boot to safe mode and go into your user accounts? The reason I am asking is sometimes malware will create a bogus account, not sure if this is the case here. Read this and see if you can remove it:
http://www.microsoft.com/windowsxp/using/setup/winxp/accounts.mspx

Let me know how it goes ???
 
Rebooted in safe mode and attempted to delete user account BMOC. The error msg "cannot perform this operation on built-in accounts" comes up. I changed the status in properties to "account is disabled" and now it has a red x on the face. Rebooting in safe mode again, there is no option to pick a user and the computer goes directly to the main desktop. It is still in safe mode, what next?
Thanks, Kyle
 
Kyle,

What I would like you to do is post here; like this forum, it's free, you just need to register. They can help you remove that account; we just do malware removal on this forum and right now my plate is full.

http://forums.pcpitstop.com/index.php?/forum/3-user-to-user-help/

Feel free to link this to this thread so they can see what we have done; if they feel it's malware related, let me know and we can dig deeper.

TFC Temp File Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <--- Is not a general cleaning tool; just run it with supervision or you can damage your system.

  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.
  • Spybot Search and Destroy 1.6
    Check for Updates / Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
  • WinPatrol Keep this fine program activated to block a lot of threats
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Safe Surfn
Ken
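The IE-Spyad item above says it works by placing domains in IE's Restricted sites zone. As an added illustration (this is not IE-Spyad's own code, nor anything from this thread), the script below generates a REGEDIT4 file that does the same thing through the per-user ZoneMap\Domains key, where a `"*"` value of dword 4 assigns every scheme of that domain to the Restricted zone, and it reads such a file back so an administrator can audit what a blocklist actually changes. The domain names in the usage call are constructed placeholders, not a real blocklist.

```python
"""Build and audit a REGEDIT4 file that puts domains into IE's Restricted sites zone.

Added example; the ZoneMap\Domains key and the "*" value are the documented IE
zone-assignment mechanism, the domain names used are constructed placeholders.
"""
import re

# IE zone ids: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites
ZONE_RESTRICTED = 4
ZONEMAP_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                   r"\Internet Settings\ZoneMap\Domains")


def normalize_domain(raw):
    """Reduce 'http://Example.COM/path' to 'example.com'; return None if unusable."""
    d = raw.strip().lower()
    d = re.sub(r"^[a-z][a-z0-9+.-]*://", "", d)   # drop any scheme prefix
    d = d.split("/", 1)[0].split(":", 1)[0]        # drop path and port
    if not d or "." not in d or d.startswith(".") or not re.fullmatch(r"[a-z0-9.-]+", d):
        return None
    return d


def build_zonemap_reg(domains, zone=ZONE_RESTRICTED):
    """Return REGEDIT4 text assigning each (deduplicated, normalized) domain to `zone`."""
    lines = ["REGEDIT4", ""]                       # regedit requires the blank line after the header
    for d in sorted({n for n in map(normalize_domain, domains) if n}):
        lines.append(f"[{ZONEMAP_DOMAINS}\\{d}]")
        lines.append(f'"*"=dword:{zone:08x}')      # "*" = all schemes (http, https, ...) for this domain
        lines.append("")
    return "\n".join(lines)


def parse_zonemap_reg(text):
    """Inverse of build_zonemap_reg: map domain -> zone id for every ZoneMap\\Domains key found."""
    mapping, current = {}, None
    prefix = ZONEMAP_DOMAINS.lower() + "\\"
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            # only keys directly under ZoneMap\Domains are zone assignments
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        m = re.match(r'^"\*"=dword:([0-9a-fA-F]{8})$', line)
        if m and current:
            mapping[current] = int(m.group(1), 16)
    return mapping


if __name__ == "__main__":
    # constructed placeholder domains, not a real blocklist
    reg = build_zonemap_reg(["http://Tracker.Example/ads", "tracker.example",
                             "bad host", "ads.example.net:8080"])
    print(reg)
    print(parse_zonemap_reg(reg))
```

Importing the resulting file with regedit affects only the current user's ZoneMap; a machine-wide policy would use the equivalent HKEY_LOCAL_MACHINE key, which this example deliberately leaves alone.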
 
When I type "Combofix /uninstall" in the run box it has begun to run the scan again. I put the space between x and the / but not between the / and the u. Do I need to use the windows uninstall program?
 
Thanks a million for all of your help these last three days Ken. I for sure thought her computer was totally messed up and would need a reinstall. I am glad you volunteer your time here helping out. I will reinstall Spybot without the teatimer and spywareblaster and firefox 3. I will also have her read the links you provided about infections. The log below is the last Combofix run before I ran OTC.
Thanks again, and I will check your reply after I post the log. I will also post on the other forum you gave me about the user in safe mode.
Kyle

ComboFix 10-10-12.03 - User 10/15/2010 18:52:43.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.246 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: /unistall
.

((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
.

2010-10-15 17:09 . 2010-10-15 17:09 -------- d-----w- c:\program files\ESET
2010-10-14 17:15 . 2010-10-14 17:55 -------- d-----w- C:\Combo-Fix
2010-10-12 02:34 . 2010-10-12 02:34 -------- d-----w- c:\program files\ERUNT
2010-10-10 00:25 . 2010-10-10 00:25 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-10-10 00:23 . 2010-10-10 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-10-08 22:36 . 2010-10-09 10:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-08 22:36 . 2010-10-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-10-14_17.49.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-15 22:49 . 2010-10-15 22:49 16384 c:\windows\temp\Perflib_Perfdata_e4.dat
+ 2010-10-14 17:53 . 2010-10-14 17:53 1550 c:\windows\SoftwareDistribution\EventCache\{495F3796-97B5-4F07-8821-6083693DE133}.bin
+ 2010-10-15 16:13 . 2010-10-15 16:13 192512 c:\windows\ERDNT\10-15-2010\Users\00000002\UsrClass.dat
+ 2010-10-15 16:13 . 2005-10-20 16:02 163328 c:\windows\ERDNT\10-15-2010\ERDNT.EXE
+ 2010-10-15 16:13 . 2010-10-15 16:13 7921664 c:\windows\ERDNT\10-15-2010\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="c:\windows\system32\nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-02-08 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [1/26/2005 10:55 PM 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 10:29 PM 135664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BASFND
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]

2010-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 02:28]

2010-10-15 c:\windows\Tasks\User_Feed_Synchronization-{0FA48CAD-70F5-43AA-998D-BE8715FA0925}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: tenderfoot.com
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2828)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-15 19:01:08
ComboFix-quarantined-files.txt 2010-10-15 23:01
ComboFix2.txt 2010-10-15 22:47
ComboFix3.txt 2010-10-15 16:35
ComboFix4.txt 2010-10-15 00:43
ComboFix5.txt 2010-10-15 22:51

Pre-Run: 71,529,140,224 bytes free
Post-Run: 71,510,388,736 bytes free

- - End Of File - - 051C85F3EB267D825A16B442E34E024B
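The "Reg Loading Points" section of the log above is the part a helper reads first, because it lists everything that starts with Windows or with the user's logon. As an added example (not part of the thread and not a ComboFix tool), the Python script below parses that section into entries and applies the same sanity checks a reviewer does by eye: a per-user Run key, an image living in a user-writable folder such as Temp or Application Data, and a file named like a core system binary but located outside c:\windows. The sample log is built from lines in the log above plus one constructed "Updater" entry added to show what a flagged line looks like; the heuristics and the function names are this example's own.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log and flag entries worth a second look.

Added example. SAMPLE_LOG mixes real lines from the log in this thread with one
constructed entry ("Updater"); the triage rules are illustrative, not ComboFix's.
"""
import re
from dataclasses import dataclass


@dataclass
class AutorunEntry:
    key: str    # registry key the entry was listed under
    name: str   # value name (or the file name for winlogon notify lines)
    path: str   # image path as ComboFix printed it
    date: str   # file date ComboFix printed
    size: int   # file size in bytes


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "Name"="c:\path\file.exe" [YYYY-MM-DD size]   (a space after '=' is tolerated)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]*)"\s*'
                      r"\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$")
# winlogon\notify style: YYYY-MM-DD HH:MM size attrs c:\path\file.dll
NOTIFY_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+?)\s*$")


def parse_loading_points(text):
    """Return AutorunEntry objects for every value line that follows a [key] header."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:           # REGEDIT4 / *Note* preamble
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(AutorunEntry(key, m["name"], m["path"], m["date"], int(m["size"])))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            path = m["path"]
            entries.append(AutorunEntry(key, path.rsplit("\\", 1)[-1], path, m["date"], int(m["size"])))
    return entries


USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\", "\\recycler\\", "\\users\\")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "smss.exe"}


def triage(entries):
    """Map entry name -> list of reasons for every entry that trips a heuristic."""
    flagged = {}
    for e in entries:
        reasons = []
        p = e.path.lower()
        base = p.rsplit("\\", 1)[-1]
        if e.key.lower().startswith("hkey_current_user"):
            reasons.append("per-user Run key: starts whenever this profile logs on")
        if any(marker in p for marker in USER_WRITABLE):
            reasons.append("image lives in a user-writable location")
        if base in SYSTEM_NAMES and not p.startswith("c:\\windows\\"):
            reasons.append(f"system binary name {base} outside c:\\windows")
        if reasons:
            flagged[e.name] = reasons
    return flagged


# Real lines from the thread's log plus one constructed "Updater" entry (not from the log).
SAMPLE_LOG = r"""*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-10 39408]
"Updater"="c:\documents and settings\User\Local Settings\Temp\svchost.exe" [2010-10-09 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="c:\windows\system32\nwiz.exe" [2004-10-26 921600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    for name, reasons in triage(found).items():
        print(name, "->", "; ".join(reasons))
```

The flags are prompts for a closer look, not verdicts: the Google toolbar notifier is flagged only because it sits in a per-user Run key, which is normal for it, while the constructed Temp\svchost.exe entry trips all three rules, which is the pattern that would justify pulling the file for a scan.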
 