PLEASE HELP!!! School Teacher In Desperate Need of Working Laptop

[smdouglas]

I am not sure if anyone is up late this time of night but any help would be truly appreciated. My wife is a an elementary school teacher and ended getting the Security Tool installed on her system. Needless to say it has been a bear to get off and I have been unsuccessful to say the least. I did find some help at http://www.bleepingcomputer.com/virus-remo...e-security-tool. However, when I get to the point of updating the definitions for Malwarebytes, I get the following error code:

Unable to execute file:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Create Process failed; code 2.

The system cannot find the file specified.

I looked through the forums and saw that the user steve7 had the same problem posted on 10/14/2009 at 4:22 pm. I noticed that sUBs asked the user to use ComboFix and post the log file but the user never responded.

Should I do the same thing? And is there anyone who can help with the log file if I post it.

PLEASE HELP...as my wife desperately needs her laptop for school on Monday and I am at the end of my rope....any help would be greatly appreciated.

Her system is:

Windows XP Tablet PC Edition 2005

Version 2002

Service Pack 3

Intel Core 2 CPU

T5500 @ 1.66 GHz

1 GB of RAM

Thank you in advance to anyone who can help...and sUBs, if you are out there and catch this thread....your help would be most appreciated.

[smdouglas]

I apologize as I forgot to paste my HJThis Log as this goes with my post above, hope this might help in someone being able to help me.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:46:26 PM, on 10/17/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Novell\XTAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Novell\ZENworks\nalntsrv.exe

C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe

C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\WINDOWS\ATK0100\HControl.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Wireless Console 2\wcourier.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe

C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe

C:\Program Files\Raxco\PerfectDisk10\PerfectDisk.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.100.0.61:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: CDelHotkeys Object - {78875F5C-A685-4405-8DC5-D48DC65452B0} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: (no name) - {ef75c156-2c33-472b-8643-1fd2c1e94e6b} - dolivowa.dll (file missing)

O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll

O3 - Toolbar: Delicious Toolbar - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe

O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe

O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ABLKSR] C:\windows\ABLKSR\ABLKSR.exe

O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON

O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe

O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1

O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Network -p -pn "" -n 0 -l 1033 -sl 120000

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [60545828] C:\Documents and Settings\All Users\Application Data\60545828\60545828.exe

O4 - HKLM\..\Run: [75972838] C:\Documents and Settings\All Users\Application Data\75972838\75972838.exe

O4 - HKLM\..\Run: [sijaposojo] Rundll32.exe "rebawiza.dll",s

O4 - HKLM\..\Run: [kujetajar] Rundll32.exe "c:\windows\system32\vuvimuwe.dll",a

O4 - HKLM\..\Run: [06840018] C:\DOCUME~1\ALLUSE~1\APPLIC~1\06840018\06840018.exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\Laptop User\Application Data\svcst.exe

O4 - HKCU\..\RunOnce: [shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tablet PC 1.7; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.harcourtschool.com/activity/book_buddy/rosie/skill_pre.html"

O4 - HKUS\S-1-5-21-2840853875-2235548861-4004080104-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'xpadmin')

O4 - HKUS\S-1-5-21-2840853875-2235548861-4004080104-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'CHBROWN')

O4 - HKUS\S-1-5-21-2840853875-2235548861-4004080104-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')

O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Laptop User\Application Data\Dropbox\bin\Dropbox.exe

O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O8 - Extra context menu item: Add to &Evernote - res://C:\Program Files\Evernote\Evernote3.5\enbar.dll/2000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Delicious - {2C887991-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Bookmarks - {2C887992-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Tag - {2C887993-08F0-11DC-A9B2-0012F0B227DD} - C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll

O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204561350991

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL dogesuza.dll c:\windows\system32\ c:\windows\system32\jifakade.dll c:\windows\system32\ rebawiza.dll c:\windows\system32\morugawe.dll c:\windows\system32\vuvimuwe.dll

O21 - SSODL: rigagiwiw - {4dd48dd5-b5de-4b4b-8d7e-1ec027de9ddc} - (no file)

O21 - SSODL: kubogoher - {e915f82d-d0ed-4318-aef0-086aa3e5458c} - c:\windows\system32\morugawe.dll (file missing)

O21 - SSODL: zefivikar - {0e93c1ff-507d-4a05-8d1e-0f1a13a1effb} - c:\windows\system32\vuvimuwe.dll

O22 - SharedTaskScheduler: gahurihor - {4dd48dd5-b5de-4b4b-8d7e-1ec027de9ddc} - (no file)

O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Object Desktop\Fences\FencesMenu.dll

O22 - SharedTaskScheduler: kupuhivus - {e915f82d-d0ed-4318-aef0-086aa3e5458c} - c:\windows\system32\morugawe.dll (file missing)

O22 - SharedTaskScheduler: mujuzedij - {0e93c1ff-507d-4a05-8d1e-0f1a13a1effb} - c:\windows\system32\vuvimuwe.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe

O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--

End of file - 13692 bytes

[obrienaj]

I have the same error, so will be anxiously looking for advice.

[obrienaj]

I have the same error, so will be anxiously looking for advice.

I ran combofix and I am now able run malwarebytes. The advice here is NOT to run combofix until directed to do so but I thought I would run it to at least get a log file. Combofix went further than I expected , it ran and deleted a whole bunch of stuff while i was out of the room. When i returned my system had rebooted and combofix was generating a report. It had deleted MANY things , e.g.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\40744221

c:\documents and settings\All Users\Application Data\40744221\40744221.exe

c:\documents and settings\All Users\Application Data\96920456.ini

c:\documents and settings\Owner\Desktop\Security Tool.lnk

c:\documents and settings\Owner\nah_log.dat

c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk

c:\program files\\setup.exe

c:\program files\Dealio Toolbar

c:\program files\Dealio Toolbar\config.ini

c:\program files\Dealio Toolbar\Res\amazon.gif

c:\program files\Dealio Toolbar\Res\apple.gif

c:\program files\Dealio Toolbar\Res\barnes.gif

c:\program files\Dealio Toolbar\Res\bestbuy.gif

c:\program files\Dealio Toolbar\Res\dealio_logo.gif

c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif

c:\program files\Dealio Toolbar\Res\ebay.gif

c:\program files\Dealio Toolbar\Res\icon_settings.gif

c:\program files\Dealio Toolbar\Res\macys.gif

c:\program files\Dealio Toolbar\Res\newegg.gif

c:\program files\Dealio Toolbar\Res\overstock.gif

c:\program files\Dealio Toolbar\Res\search-button-hover.gif

c:\program files\Dealio Toolbar\Res\search-button.gif

and on and on, hundreds of files. I had a back-up so was not too worried. Everything appears good, I am 7 minutes in to a Malwarebytes scan and no threats found. I have had fire fox up and running for 5 minutes and no nasty re-directs.

Andy.

[obrienaj]

Everything appears good, I am 7 minutes in to a Malwarebytes scan and no threats found. I have had fire fox up and running for 5 minutes and no nasty re-directs.

Andy.

Actually, as Malwarebytes completed I had 18 threats , 17 multiple.rogue and one trojan.dropper , all were removed successfully.