Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Still need help. Was waiting for Kaspersky to finish.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby chefbd » August 6th, 2010, 1:16 am

First and foremost, thank you so much for all of your help. This is an exceptional service you're a part of and it's a rare thing to have this kind of support in this day and age. My system seems to be running better. Haven't had the audio only ads for random cleaning and various other household products, which is a good thing:) After leaving my computer on for awhile though, symantec keeps coming up with this;

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Backdoor.Tidserv!inf
File: C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP6\A0012628.sys
Location: C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP6
Computer: USER-6CEBA5E1E4
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Friday, August 06, 2010 1:03:17 AM

Is this something to be concerned with? Some other questions I still have are:
1. Do I need to delete all the programs installed over the course of this.
2. If yes should I defrag?
3. What should I be running regularly as far as antivirus software? I typically do the symantec, malwarebytes and sometimes spybot. Is Ccleaner or TFC a good thing to use as well?
4. Do I need to delete the Qoobox folder again from my hard drive?

Heres the mbam log:
Malwarebytes' Anti-Malware 1.46

Database version: 4394

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/5/2010 12:54:28 PM
mbam-log-2010-08-05 (12-54-28).txt

Scan type: Quick scan
Objects scanned: 125141
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:39 AM, on 8/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myportal.hcc.mass.edu/site/index_page.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2815210062
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

End of file - 7238 bytes
Regular Member
Posts: 25
Joined: July 10th, 2010, 1:19 am
Register to Remove

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby askey127 » August 6th, 2010, 8:08 am

The Norton warning is because there are infected files in some of the old System Restore Points. We will take care of that.
Reset System Restore Points
  • Click Start > Help and Support
  • Click on ->Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close Help and Support Center.
  • Click Start > Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.
Folder Deletion
The \Qoobox\ folder is the quarantine location where ComboFix stores infected files.
In Windows Explorer (My Computer), navigate to the folder shown below shown in red, highlight it, if found, and press Delete.

C:\Qoobox\ <== this folder only

You may have to first open the folder, choose View, Details, and delete all the underlying files and folders before an entire folder can be deleted.
Make absolutely certain that you do not double click or otherwise activate any of the files inside that folder. They are all infected.
Delete the following from Your desktop:
ComboFix(zzz.exe), Rkill, TDSSKiller (file and folder), MGADiag, SystemLook, MBR

  • You can use TFC.exe occasionally to cleanup old Temporary files. (It is very effective, but always requires a reboot).
  • CCleaner is OK as well, but has a Registry button that should not be used.
  • It's OK to defrag, and works best after you have run TFC.
  • Stay away from any Registry optimizers or Registry cleaners. At best they don't work. At worst they will turn your machine into a doorstop.
  • Keep Malwarebytes' Anti-malware. Update and scan every week or so.
    You won't need any other Anti-spyware application.
Uninstall Java(TM) 6 Update 16
Download and Install the latest version of Java Runtime Environment from here : http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.
In the first section on the page, labeled JDK 6 Update 21 (JDK or JRE), click on the link labeled Download JRE. Do NOT choose the link labeled "Download JDK".
Select the Platform Windows and check the box to agree to the license.
Choose the Windows Offline installation version and click on the link.
Download it, choose Save, and save it to your desktop.
Then doubleclick it on your desktop, (or right click and choose "Run as administrator") and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
Replace the Current HOSTS File with MVPs
You can read about HOSTS files here : http://www.mvps.org/winhelp2002/hosts.htm

  • Disable DNS Client Service. This is necessary when installing a large HOSTS file.
    From Start, or Start, Run
    Type services.msc in the box and hit <Enter>
    Give permission to continue if necessary.
    Scroll down to DNS Client on the list, Right Click it and choose Properties.
    Under Service Status, click Stop. Wait until it reports the service stopped.
    Under Startup Type, choose Disabled.
    Then click Apply, OK
  • Use HostsXpert to Install the HOSTS File
    Download HostsXpert and unzip (extract) it to your computer, somewhere where you can find it.
    • Double click on HostsXpert.exe to launch the program. Give whatever Permissions are required.
    • In the bottom half of the left pane, click on File Handling
    • If the first button at the top is labeled Make Writeable?, click on it so the label changes to Make Read Only
    • Click third button from the bottom, labeled Download. A couple new buttons will appear at the top.
    • Click on the top button labeled MVPs Hosts and choose Replace
    • When asked to verify if you want to Replace present Hosts file, click OK.
    • When it finishes, click on File Handling again.
    • Click the button at the top labeled Make Read Only, so the label changes to Make Writeable?
    • Hit the X in the upper right corner to exit HostsXpert

You may have to give permission for your firewall or Antivirus to Unlock the present default HOSTS file and install the new one.
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system.

In the future, you should always be aware of and install updates to Adobe flash and Reader, and Java. Leaving old versions of those programs has been a path for infections in the past.
Of course, your Windows version and Antivirus should have automatic updates as well.
If you stay away from File-sharing programs like Limewire, and are careful what you click on, you should be good to go.
User avatar
Posts: 13901
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby chefbd » August 8th, 2010, 12:28 am

Awesome, I seem to be symptom free and just need to do the last two things over the next couple of days. I still have a problem with the audio and I don't know if you might know how to correct it. I have to go into my system folder>hardware>audio..and choose update my driver from my specified location and it basically restarts. However, everytime I start my computer, I can hear the speakers click once or twice but no windows start up theme or anything until I go through those steps each time. It's certainly not difficult or tedious, just simply annoying at this point and I don't know if it's just a bad driver or there's still some infection.
Again, thank you very much for all your help, I'll donate what I can to help you all out.
Regular Member
Posts: 25
Joined: July 10th, 2010, 1:19 am

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby askey127 » August 8th, 2010, 7:07 am

Glad we could help.
I would delete the driver and download/install a new one from the net.
I don't see any infection on your machine, but with any rootkit/bootkit infection, it's always possible things can be hidden that we can't locate.
Good luck.
User avatar
Posts: 13901
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby askey127 » August 9th, 2010, 7:04 am

this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Posts: 13901
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Register to Remove


  • Similar Topics
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!

Who is online

Users browsing this forum: No registered users and 45 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware