Old 08-20-2009, 09:42 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


No access to spyware removal and google redirect problems

Hi, I'm having the same problems as many of the recent posters with no access to my spyware removal tools and google redirecting common sites to spam sites. I've run ComboFix and it did find a few issues. Here is the log and I'm hoping someone much better at this than me can tell me if there are still issues remaining. Thank you so much for your help. It's really appreciated!!!

ComboFix Beta_09-08-18.01 - BLBell 08/20/2009 22:23.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1473 [GMT -5:00]
Running from: c:\documents and settings\blbell\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\010112010146118114.dat

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-21 03:28 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-21 03:10 . 2009-08-21 03:10 -------- d-----w- c:\documents and settings\blbell\Application Data\Malwarebytes
2009-08-21 03:10 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 03:10 . 2009-08-21 03:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 03:10 . 2009-08-21 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 03:10 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 02:54 . 2009-08-21 03:01 -------- d-----w- c:\program files\Spybotagain
2009-08-21 02:49 . 2009-08-21 02:50 -------- d-----w- c:\program files\Spybot
2009-08-21 00:59 . 2009-08-21 00:59 71168 ----a-w- c:\windows\system32\drivers\ixncvnidritfxrpv.sys
2009-08-03 18:33 . 2009-08-03 18:44 -------- d-----w- c:\documents and settings\blbell\Application Data\Apple Computer
2009-08-03 18:33 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-03 18:33 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-08-03 18:33 . 2009-08-03 18:33 -------- d-----w- c:\program files\iPod
2009-08-03 18:33 . 2009-08-03 18:33 -------- d-----w- c:\program files\iTunes
2009-08-03 18:33 . 2009-08-03 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-03 18:32 . 2009-08-03 18:32 -------- d-----w- c:\program files\Bonjour
2009-08-03 18:31 . 2009-08-03 18:32 -------- d-----w- c:\program files\QuickTime
2009-08-03 18:31 . 2009-08-03 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-03 18:29 . 2009-07-09 17:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-03 18:29 . 2009-07-09 17:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-27 22:21 . 2004-08-04 06:08 25600 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-07-27 22:21 . 2004-08-04 06:08 25600 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-07-27 22:21 . 2004-08-04 06:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-07-27 22:21 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-07-27 22:13 . 2009-07-27 22:13 -------- d-----w- c:\program files\samsung
2009-07-27 22:13 . 2008-05-23 02:27 104576 ----a-w- c:\windows\system32\drivers\qcusbser.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-21 03:01 . 2008-08-05 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-21 02:43 . 2008-08-05 01:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-21 00:59 . 2008-06-17 18:40 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-21 00:49 . 2009-08-21 00:49 784438 ----a-w- c:\windows\system32\xa.tmp
2009-08-03 18:41 . 2008-09-16 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-03 18:33 . 2008-09-16 02:05 -------- d-----w- c:\program files\Common Files\Apple
2009-07-27 22:13 . 2008-06-16 03:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-27 21:48 . 2008-06-17 19:17 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-07-13 19:22 . 2009-07-13 19:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-05-29 23:15 . 2009-05-29 23:15 152576 ----a-w- c:\documents and settings\blbell\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-28 01:20 . 2009-05-28 01:20 726008 ----a-w- c:\documents and settings\blbell\gotomypc_438.exe
2009-04-15 20:24 . 2009-04-15 20:24 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-22 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-2 1753088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 1:40 AM 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 9:00 AM 101936]
S3 qcusbser;Samsung MITs WinMobile USB Serial;c:\windows\system32\drivers\qcusbser.sys [7/27/2009 5:13 PM 104576]
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\blbell\Application Data\Mozilla\Firefox\Profiles\rokhk950.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - plugin: c:\documents and settings\blbell\Application Data\Mozilla\Firefox\Profiles\rokhk950.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 22:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
.
**************************************************************************
.
Completion time: 2009-08-21 22:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 03:35

Pre-Run: 100,306,153,472 bytes free
Post-Run: 100,232,515,584 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

226 --- E O F --- 2008-06-17 14:05

Last edited by BrianB7; 08-20-2009 at 09:51 PM.

Old 08-20-2009, 09:54 PM   #2 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


Re: No access to spyware removal and google redirect problems

Also, I continue to get a yellow popup saying "Symantec Auto-Detect is Disabled" in the lower right portion of the screen.... Still no access to spybot after running combofix.. says I don't have access to it..
Old 08-20-2009, 10:09 PM   #3 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,448
OS: N/A


Re: No access to spyware removal and google redirect problems

Download this file > http://download.bleepingcomputer.com...es/Inherit.exe

For every file that says "No Access", DRAG/DROP the file into Inherit.exe
It shall free the file of the locked status.


------


What is this -> c:\Program Files\Spybotagain. Is it something you created? Delete if not.

Then locate and delete these files:

c:\windows\system32\drivers\ixncvnidritfxrpv.sys
c:\windows\system32\xa.tmp



-------





Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
__________________

Question - what have you done for the community today?
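
The two files named in the post above can be picked out of the ComboFix "Files Created" and "Find3M Report" lines mechanically. This Python example is added here and is not part of the original thread or the analyst's stated method; it assumes, as a heuristic, that a regular file sitting directly in system32 or system32\drivers whose two logged timestamps are identical was written fresh on this machine and deserves review. The sample lines are copied from the log in post #1.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Lines copied from the "Files Created" and "Find3M Report" sections of the
# ComboFix log in post #1 (a subset, unchanged).
SAMPLE = r"""
2009-08-21 03:28 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-21 03:10 . 2009-08-21 03:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 03:10 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 00:59 . 2009-08-21 00:59 71168 ----a-w- c:\windows\system32\drivers\ixncvnidritfxrpv.sys
2009-08-03 18:33 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-27 22:21 . 2004-08-04 06:08 25600 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-08-21 00:49 . 2009-08-21 00:49 784438 ----a-w- c:\windows\system32\xa.tmp
2009-05-28 01:20 . 2009-05-28 01:20 726008 ----a-w- c:\documents and settings\blbell\gotomypc_438.exe
2009-04-15 20:24 . 2009-04-15 20:24 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
"""

# One log entry: "<timestamp> . <timestamp> <size or -------->  <8 attribute chars> <path>"
ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+|-{8})\s+(\S{8})\s+(.+)$"
)
TS_FORMAT = "%Y-%m-%d %H:%M"

# Assumption of this example: only files placed directly in these
# directories are of interest (compared case-insensitively).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system32\drivers"}


@dataclass
class Entry:
    first: datetime        # first timestamp on the line
    second: datetime       # second timestamp on the line
    size: Optional[int]    # None for directories (logged as --------)
    attrs: str             # e.g. "----a-w-" or "d-----w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse(log_text: str) -> List[Entry]:
    """Return every file/directory entry found in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # section banners, blank lines, registry output, etc.
        first, second, size, attrs, path = m.groups()
        entries.append(Entry(
            first=datetime.strptime(first, TS_FORMAT),
            second=datetime.strptime(second, TS_FORMAT),
            size=int(size) if size.isdigit() else None,
            attrs=attrs,
            path=path,
        ))
    return entries


def triage(log_text: str) -> List[str]:
    """Paths of regular files in SYSTEM_DIRS whose two timestamps match.

    Vendor-installed binaries normally carry an older build time next to the
    time they landed on this machine; identical timestamps mean the file
    content was produced locally at that moment (heuristic, see lead-in).
    """
    return [
        e.path for e in parse(log_text)
        if not e.is_dir
        and e.first == e.second
        and ntpath.dirname(e.path).lower() in SYSTEM_DIRS
    ]


if __name__ == "__main__":
    for path in triage(SAMPLE):
        print("review:", path)
```

Entries outside the two system directories with matching timestamps (user downloads, browser plugins) are deliberately ignored, and a hit is a prompt for manual review rather than proof of infection.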
Old 08-20-2009, 10:21 PM   #4 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


Re: No access to spyware removal and google redirect problems

Thank you for the quick response.

Couple things before I run Kaspersky....

First, dragging and dropping the spybot icons into the file you had me download doesn't seem to give me access still..

also, I'm on a corporate version of Norton Antivirus and it won't let me disable or remove it. I don't work for that company anymore so I don't have any tech guy to take it off...

I deleted the two windows files you mentioned and will run Kaspersky now and post when it's finished. thanks!
Old 08-20-2009, 10:38 PM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,448
OS: N/A


Re: No access to spyware removal and google redirect problems

Quote:
First, dragging and dropping the spybot icons into the file you had me download doesn't seem to give me access still..
Not the spybot icons. Those icons are shortcuts to files located elsewhere. Right click the icon & check out properties. It shall show you the location of the proper files.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 08-20-2009 at 10:39 PM.
Old 08-20-2009, 11:46 PM   #6 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


Re: No access to spyware removal and google redirect problems

Here is the result of the Kaspersky Scan Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 21, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 21, 2009 05:23:03
Records in database: 2668158
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 34612
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 00:51:10


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3C0000.VBN Infected: Trojan-Dropper.Win32.Agent.auoy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3C0001.VBN Infected: Trojan-Dropper.Win32.Agent.auoy 1

Selected area has been scanned.
Old 08-20-2009, 11:51 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


Re: No access to spyware removal and google redirect problems

Also, I tried your advice about right clicking and selecting properties on the Spybot Search and Destroy shortcut. It said it goes to SpybotSD.exe, but there isn't any such file in any of my spybot folders.. even on reinstalling it only creates SpybotSDfiles.exe and SpybotSDMain.exe so I'm not sure what to do about that either...
Old 08-21-2009, 12:54 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,448
OS: N/A


Re: No access to spyware removal and google redirect problems

Good to see Kaspersky found nothing. The initial infection was taken out by ComboFix. We only have to deal with the locked files that remain.

Please list down the names of the files which are locked. I'll try to figure out something for you. The locked files are usually security apps.
__________________

Question - what have you done for the community today?
Old 08-21-2009, 08:15 AM   #9 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


Re: No access to spyware removal and google redirect problems

Thanks. The files it says I don't have access to are at: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe and C:\Program Files\Spybot\SpybotSD.exe (which I don't see anywhere in the Spybot folder). I re-downloaded Spybot and shortened the name of the folder to keep it separate from my original Spybot Search and Destroy folder.

The message I get for both of them is:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

I'm the only user of the computer and have Administrator on all of it.

Actually, similarly, it won't let me modify anything in Norton Antivirus either and shows disabled locked options for all settings.
Old 08-21-2009, 08:49 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,448
OS: N/A


Re: No access to spyware removal and google redirect problems

Quote:
The files it says I don't have access to are at: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe and C:\Program Files\Spybot\SpybotSD.exe
Let's take a little peek at those 2 files.


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@DEL %0
Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
__________________

Question - what have you done for the community today?

Last edited by sUBs; 08-21-2009 at 10:33 AM.
Old 08-21-2009, 10:13 AM   #11 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


Re: No access to spyware removal and google redirect problems

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)
*******************************************************************************
File: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
\Everyone
Allowed Full Control

No Auditing set


Unknown error

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)
*******************************************************************************
Folder: C:\Program Files\Malwarebytes' Anti-Malware\

Unknown error

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)
*******************************************************************************
File: C:\Program Files\Spybot\SpybotSD.exe

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
\Everyone
Allowed Full Control

No Auditing set


Unknown error

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)
*******************************************************************************
Folder: C:\Program Files\Spybot\

Unknown error
Old 08-21-2009, 10:32 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,448
OS: N/A


Re: No access to spyware removal and google redirect problems

Do this now ...

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@ECHO OFF

DEL %0
Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
__________________

Question - what have you done for the community today?

Last edited by sUBs; 08-21-2009 at 11:07 AM.
Old 08-21-2009, 11:01 AM   #13 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


Re: No access to spyware removal and google redirect problems

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)
*******************************************************************************
File: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Unknown error

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)
*******************************************************************************
File: C:\Program Files\Spybot\SpybotSD.exe

Unknown error
Old 08-21-2009, 11:06 AM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,448
OS: N/A


Re: No access to spyware removal and google redirect problems

That looks yucky.
It could be due to one of 2 reasons.

* Infection may still be present. Is machine still sluggish as before?

* Your antivirus program though inaccessible to you is still running & is interfering. In this case, we need to first uninstall it.
__________________

Question - what have you done for the community today?
Old 08-21-2009, 11:10 AM   #15 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,448
OS: N/A


Re: No access to spyware removal and google redirect problems

Quote:
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 1:40 AM 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 9:00 AM 101936]

------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

These are your security programs. ComboFix shows them to be still active.
__________________

Question - what have you done for the community today?
Old 08-21-2009, 11:11 AM   #16 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


Re: No access to spyware removal and google redirect problems

The machine isn't really sluggish... it just doesn't give me access to the anti-spyware programs.

I am trying to uninstall Symantec Antivirus but it asks me for an uninstall password.. I don't have it. A company I used to work for loaded the software on my laptop and I have no idea how to remove it.
Old 08-21-2009, 11:14 AM   #17 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,448
OS: N/A


Re: No access to spyware removal and google redirect problems

Reboot to Safe Mode. The antivirus program should be inactive there. From there you should be able to free mbam and Spybot using Inherit.

In the meanwhile, I'll go dig around to see if there's any way to remove Symantec without the password.
__________________

Question - what have you done for the community today?
Old 08-21-2009, 11:15 AM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,448
OS: N/A


Re: No access to spyware removal and google redirect problems

Try this > http://www.raymond.cc/blog/archives/...ivirus-client/
__________________

Question - what have you done for the community today?
Old 08-21-2009, 11:42 AM   #19 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


Re: No access to spyware removal and google redirect problems

OK, that worked. It's uninstalled. I also removed LiveUpdate Symantec.

Also, every time the computer re-boots, it opens to the desktop with the Spybot folder open?
Old 08-21-2009, 12:02 PM   #20 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 21
OS: WIN XP Pro


Re: No access to spyware removal and google redirect problems

And Spybot seems to be working now! Thanks! Any thoughts on why the folder opens every time upon rebooting?
All times are GMT -7. The time now is 06:19 AM.



Copyright 2001 - 2009, Tech Support Forum