help remove

Hello,
I have tried to install malware bytes on a dell laptop with no resolve.
spyguard will not let program run.it os also blocking task manager from running.
I have tried to change program name to get to run but still no good.
please help.

Hello I moved your topic from XP to here.

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.

***
Another work around is by not using the mouse to install it, Just use the arrow keys, tab, and enter keys.

Thanks i will try that way later this evening.I will update after that.

OK ,thanks I'll look for it.

Finally rid myself from that nasty rogue.
Thanks for your help. change file exe to .pif worked great.
Thanks again for your help.

That's good, i would like you to run 2 more tools and be sure to get all the hangers out.
Please download ATF Cleaner by Atribune & save it to your desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download and scan with SUPERAntiSpyware Free

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
• In the Main Menu, click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/16/2009 at 09:50 PM

Application Version : 4.24.1004

Core Rules Database Version : 3713
Trace Rules Database Version: 1688

Scan type : Complete Scan
Total Scan Time : 01:56:59

Memory items scanned : 163
Memory threats detected : 0
Registry items scanned : 6438
Registry threats detected : 0
File items scanned : 27842
File threats detected : 37

Rogue.XP AntiSpyware2009-Trace
C:\Documents and Settings\Amanda Daleo\Desktop\delself.bat

Adware.Tracking Cookie
.atwola.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
ar.atwola.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
magnet.traffic.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.traffic.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
adserver.equalvision.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\Amanda Daleo\Application Data\Mozilla\Firefox\Profiles\a8oaxnig.default\cookies.txt ]

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSMTVD.DAT
C:\WINDOWS\SYSTEM32\TDSSORVD.DAT

Hello again,I need to say this now that we see a TDDS Rootki/trojan.
A backdoor Trojan can allow an attacker to
gain control of the system, log keystrokes, steal passwords, access personal
data, send malevolent outgoing traffic, and close the security warning
messages displayed by some anti-virus and security programs.

I would advise you to go toa known clean computer and change any passwords or security information held
on the infected computer. In particular, check whatever relates to online
banking financial transactions, shopping, credit cards, or sensitive
personal information. It is also wise to contact your financial institutions
to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log.
However, because of the nature of this Trojan, I cannot offer a total
guarantee that there are no remnants left in the system, or that the
computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan,
the best course of action is to reformat and reinstall the Operating System.
Making this decision is based on what the computer is used for, and what
information can be accessed from it.

if you would prefer to format let me know or proceed with S!Ri's SmitfraudFix,part 1.


Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Scan done at 18:46:53.04, Sun 01/18/2009
Run from C:\Documents and Settings\Amanda Daleo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Amanda Daleo\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amanda Daleo


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\AMANDA~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amanda Daleo\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\AMANDA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twex.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 209.26.88.31
DNS Server Search Order: 204.215.43.3

HKLM\SYSTEM\CCS\Services\Tcpip\..\{78173EB6-D237-403C-8855-731DAFE819D2}: DhcpNameServer=209.26.88.31 204.215.43.3
HKLM\SYSTEM\CS1\Services\Tcpip\..\{78173EB6-D237-403C-8855-731DAFE819D2}: DhcpNameServer=209.26.88.31 204.215.43.3
HKLM\SYSTEM\CS2\Services\Tcpip\..\{78173EB6-D237-403C-8855-731DAFE819D2}: DhcpNameServer=209.26.88.31 204.215.43.3
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=209.26.88.31 204.215.43.3
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=209.26.88.31 204.215.43.3
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=209.26.88.31 204.215.43.3


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

what is the best way to format . this is dell E1505 laptop don't know if i have original disc computer came with.
can i back up on external hard drive??? will threat still be there??
Thanks

I am not very well schooled on this ,can any info be stolen or corrupted by anyone reading these posts.

hello the posted info is OK.

If you don't have disks then we will clean.
Run Part 2 of SmitFraudFix

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Go into Control Panel >Add Remove Programs(check that the "Show Updates box is checked) and find any Java(JRE) applications. highlight it and tell me the version number.


Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot.

Edited by boopme, 18 January 2009 - 08:10 PM.

after running smit fraud and mbam i can't copy log files access denied to rapport and mbam log file

It appears this infection has run to deep. The only way we can clean it is with HJT. Follow the steps here. Do steps 6 & 7.
Preparation Guide For Use Before Using Hijackthis
Then post the complete log here.. HijackThis Logs and Virus/Trojan/Spyware/Malware Removal