Google search results links hijacked


Re: Google search results links hijacked

Post by jlaureni » December 5th, 2010, 7:17 pm

Hi deltalima,
ComboFix finished and created a log file. It did a reboot while it was running. When I try to open IE or Firefox I get the following message: Illegal operation attempted on a registry key that has been marked for deletion.

I can try to copy the log file onto a thumb drive and move it to my other machine - but I am just worried about copying the virus or whatever along with it. Please let me know what you think.

Joe
jlaureni
Regular Member
 
Posts: 21
Joined: November 28th, 2010, 1:29 pm

Re: Google search results links hijacked

Post by deltalima » December 6th, 2010, 5:04 am

Please copy the log to a thumb drive; it is a text file, so it is safe to copy to another machine.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google search results links hijacked

Post by jlaureni » December 6th, 2010, 6:37 am

Hi deltalima,
Here is ComboFix.txt

ComboFix 10-12-04.02 - Sonia 12/05/2010 15:48:46.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.329 [GMT -5:00]
Running from: c:\users\Sonia\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Sonia\AppData\Roaming\Bitrix Security
c:\users\Sonia\AppData\Roaming\Bitrix Security\27102010_221113_277288688_skey_27-10-2010__22-11-58.zip
c:\users\Sonia\AppData\Roaming\Bitrix Security\cet.txt
c:\users\Sonia\AppData\Roaming\Bitrix Security\crf.txt
c:\users\Sonia\AppData\Roaming\Bitrix Security\ffcd
c:\users\Sonia\AppData\Roaming\Bitrix Security\lrtg.txt
c:\users\Sonia\AppData\Roaming\Bitrix Security\mor.txt
c:\users\Sonia\AppData\Roaming\Bitrix Security\mxd1.txt
c:\users\Sonia\AppData\Roaming\Bitrix Security\podzce_shrd
c:\users\Sonia\AppData\Roaming\Bitrix Security\rgx.txt
c:\users\Sonia\AppData\Roaming\Bitrix Security\rjg.txt
c:\users\Sonia\AppData\Roaming\Bitrix Security\uurn
c:\users\Sonia\AppData\Roaming\install
c:\users\Sonia\GoToAssistDownloadHelper.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf

c:\windows\explorer.exe . . . is infected!!

c:\windows\System32\wininit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))
.

2010-12-03 10:19 . 2010-12-03 10:19 -------- d-----w- C:\MGADiagToolOutput
2010-12-03 10:01 . 2010-12-04 21:32 -------- d-----w- C:\Malware
2010-12-01 06:31 . 2010-12-01 06:31 388096 ----a-r- c:\users\Sonia\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-29 11:52 . 2010-11-29 11:52 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-11-29 11:51 . 2010-11-29 11:51 -------- d-----w- c:\users\Sonia\Office Genuine Advantage
2010-11-28 15:17 . 2010-11-28 15:17 -------- d-----w- c:\program files\Trend Micro
2010-11-25 12:44 . 2010-11-25 13:21 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-11-25 12:44 . 2010-11-25 12:44 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-11-25 12:43 . 2010-11-25 12:43 -------- d-----w- c:\programdata\Hitman Pro
2010-11-24 06:32 . 2010-12-03 10:11 -------- d-----w- c:\program files\Fiddler2
2010-11-23 02:39 . 2010-11-23 02:39 -------- d-----w- c:\users\Sonia\AppData\Roaming\Malwarebytes
2010-11-23 02:37 . 2010-11-23 02:37 -------- d-----w- c:\programdata\Malwarebytes
2010-11-23 02:37 . 2010-12-05 19:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-22 00:33 . 2010-11-22 00:33 -------- d-----w- c:\users\Joe\AppData\Roaming\Verizon
2010-11-21 23:53 . 2010-12-05 19:34 -------- d-----w- c:\programdata\STOPzilla!
2010-11-17 08:57 . 2010-09-04 19:09 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2010-11-17 08:57 . 2010-09-04 19:09 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-11-17 08:56 . 2010-09-04 19:09 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-11-17 08:56 . 2010-09-04 19:09 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-11-17 08:56 . 2010-09-04 19:09 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-11-17 08:56 . 2010-09-04 19:09 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-11-17 08:56 . 2010-09-04 19:09 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-11-17 08:56 . 2010-09-04 19:09 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-11-17 08:56 . 2010-09-04 19:09 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-11-17 08:56 . 2010-09-04 19:09 164808 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-11-17 08:56 . 2010-09-04 19:09 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-11-17 08:56 . 2010-11-17 09:01 -------- d-----w- c:\program files\Common Files\Mcafee
2010-11-17 08:55 . 2010-11-17 09:01 -------- d-----w- c:\program files\McAfee
2010-11-17 08:28 . 2010-11-18 01:07 -------- d-----w- c:\programdata\McAfee
2010-11-17 08:22 . 2010-11-17 08:22 -------- d-----w- c:\users\Sonia\AppData\Roaming\Verizon
2010-11-17 08:22 . 2010-11-17 08:22 -------- d-----w- c:\programdata\Radialpoint
2010-11-17 08:22 . 2010-11-17 08:22 -------- d-----w- c:\programdata\Verizon
2010-11-17 08:22 . 2010-11-17 08:22 -------- d-----w- c:\program files\Verizon
2010-11-16 21:47 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{071AF54F-DAE8-4C9C-9B0A-2C45FE224306}\mpengine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2009-10-03 11:59 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-10 16:37 . 2010-10-14 12:52 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 12:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 12:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 12:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 12:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:56 . 2010-10-14 12:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:04 . 2010-10-14 12:50 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 12:50 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 12:50 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-04 19:09 . 2010-11-17 08:57 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{930f1200-f5f1-4870-bac6-e233ec8e7023}]
2008-09-12 01:43 1780248 ----a-w- c:\program files\Softonic_English\tbSoft.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-29 02:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{930f1200-f5f1-4870-bac6-e233ec8e7023}"= "c:\program files\Softonic_English\tbSoft.dll" [2008-09-12 1780248]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

[HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{930F1200-F5F1-4870-BAC6-E233EC8E7023}"= "c:\program files\Softonic_English\tbSoft.dll" [2008-09-12 1780248]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

[HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 133912]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\Sonia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OneNote Table Of Contents.onetoc2 [2007-10-27 3656]
West Orange Public Library Tray App.lnk - c:\program files\PermissionTV\bin\dmtray.exe [2008-5-8 57344]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Vongo Tray.lnk - c:\windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-4-19 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-11-10 17:23 157312 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
R2 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-04-08 271480]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-09-04 84264]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-09-04 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-09-04 164808]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-04-08 271480]
S2 McMPFSvc;McAfee Personal Firewall;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-04-08 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-04-08 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-09-04 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-09-04 141792]
S2 PermissionTVDownloadManager;PermissionTV Download Manager Service;c:\progra~1\PERMIS~1\bin\dm.exe [2007-08-07 221245]
S2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]
S2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [2010-03-16 689392]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-09-04 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-09-04 312904]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-10-26 4247552]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-24 08:10]

2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:26]

2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:26]

2010-11-17 c:\windows\Tasks\HPCeeScheduleForJoe.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-04-19 21:23]

2010-12-05 c:\windows\Tasks\HPCeeScheduleForSonia.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-04-19 21:23]

2010-12-05 c:\windows\Tasks\User_Feed_Synchronization-{2933925B-0929-4965-86AF-B48000DDDC3B}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect2.prudential.com/dana-ca ... Client.cab
FF - ProfilePath - c:\users\Sonia\AppData\Roaming\Mozilla\Firefox\Profiles\o428qjez.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\users\Sonia\AppData\Roaming\Mozilla\Firefox\Profiles\o428qjez.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Extension: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Sonia\AppData\Roaming\Mozilla\Firefox\Profiles\o428qjez.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\users\Sonia\AppData\Roaming\Mozilla\Firefox\Profiles\o428qjez.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\users\Sonia\AppData\Roaming\Mozilla\Firefox\Profiles\o428qjez.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
AddRemove-FileZilla Client - c:\program files\FileZilla Client\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-05 17:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3496)
c:\progra~1\mcafee\sitead~1\saHook.dll
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Vongo\VongoService.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Common Files\McAfee\Core\mchost.exe
.
**************************************************************************
.
Completion time: 2010-12-05 17:52:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-05 22:52

Pre-Run: 80,494,735,360 bytes free
Post-Run: 80,391,802,880 bytes free

- - End Of File - - 6F230154BE99502D6D7604BD9EB38430
jlaureni
Regular Member
 
Posts: 21
Joined: November 28th, 2010, 1:29 pm

Re: Google search results links hijacked

Post by deltalima » December 6th, 2010, 7:42 am

Hi jlaureni,

c:\windows\explorer.exe . . . is infected!!
c:\windows\System32\wininit.exe . . . is infected!!


The malware has infected two vital system files. We may be able to repair these, but if we are unsuccessful the system could become unbootable. Before we proceed I urge you to make backup copies of any important data and check that the backups are readable on another computer.

If you understand the risks involved and are prepared to reinstall the operating system if things go wrong we can proceed.

If we are to continue then we need to run the following scan to obtain more information.

Download SystemLook and save it to your Desktop.

  • Right click SystemLook.exe and select: Run as Administrator.
  • Copy the content of the following codebox into the main textfield:
    :file
    c:\windows\explorer.exe
    c:\windows\System32\wininit.exe
    :filefind
    explorer.exe
    wininit.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Please let me know if you wish to continue with the fix.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google search results links hijacked

Post by jlaureni » December 6th, 2010, 8:05 am

Hi deltalima,
I want to continue with the fix. It may take a day to back up the files, although most are already backed up. I assume that I can download the files you asked me to download to another computer and copy them to the desktop of the infected computer. Please confirm.

Thanks,

Joe
jlaureni
Regular Member
 
Posts: 21
Joined: November 28th, 2010, 1:29 pm

Re: Google search results links hijacked

Post by deltalima » December 6th, 2010, 8:18 am

Hi jlaureni,

I want to continue with the fix. It may take a day to back up the files


OK, let me know when you are ready to continue.

I assume that I can download the files you asked me to download to another computer and copy them to the desktop of the infected computer


Yes, that will be fine. You may find that after another reboot Internet Explorer will work on the infected computer and you can download directly.

You can continue with the SystemLook scan before the backup is complete as this will make no changes to the system. When complete please post the log then I can plan the rest of the fix.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google search results links hijacked

Post by jlaureni » December 6th, 2010, 9:10 am

Hi deltalima,
Here is the result of SystemLook. I will let you know when things are backed up. You were correct about the reboot. IE is now working.

SystemLook 04.09.10 by jpshortstuff
Log created at 07:54 on 06/12/2010 by Sonia
Administrator - Elevation successful

========== file ==========

c:\windows\explorer.exe - File found and opened.
MD5: 7564E503828CB2CB1E9F795ED1F75F4D
Created at 22:59 on 10/12/2008
Modified at 06:29 on 29/10/2008
Size: 2927104 bytes
Attributes: --a----
FileDescription: Windows Explorer
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: EXPLORER.EXE.MUI
InternalName: explorer
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\System32\wininit.exe - File found and opened.
MD5: A577D354D179E5DC802C18442C4D0783
Created at 22:41 on 15/09/2008
Modified at 07:33 on 19/01/2008
Size: 96768 bytes
Attributes: --a----
FileDescription: Windows Start-Up Application
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: WinInit.exe.mui
InternalName: WinInit
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

========== filefind ==========

Searching for "explorer.exe "
C:\Windows\explorer.exe --a---- 2927104 bytes [22:59 10/12/2008] [06:29 29/10/2008] 7564E503828CB2CB1E9F795ED1F75F4D
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe --a---- 2926592 bytes [03:05 17/09/2009] [06:27 11/04/2009] D07D4C3038F3578FFCE1C0237F2A1253
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe --a---- 2923520 bytes [08:47 02/11/2006] [09:45 02/11/2006] FD8C53FB002217F6F888BCF6F5D7084D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe --a---- 2923520 bytes [22:59 10/12/2008] [06:20 29/10/2008] 37440D09DEAE0B672A04DCCF7ABF06BE
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe --a---- 2923520 bytes [22:59 10/12/2008] [02:15 28/10/2008] E7156B0B74762D9DE0E66BDCDE06E5FB
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe --a---- 2927104 bytes [22:42 15/09/2008] [07:33 19/01/2008] FFA764631CB70A30065C12EF8E174F9F
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe --a---- 2927104 bytes [22:59 10/12/2008] [06:29 29/10/2008] 4F554999D7D5F05DAAEBBA7B5BA1089D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe --a---- 2927616 bytes [22:59 10/12/2008] [03:59 30/10/2008] 50BA5850147410CDE89C523AD3BC606E

Searching for "wininit.exe"
C:\Windows\System32\wininit.exe --a---- 96768 bytes [22:41 15/09/2008] [07:33 19/01/2008] A577D354D179E5DC802C18442C4D0783
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] D4385B03E8CCCEE6F0EE249F827C1F3E
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe --a---- 96768 bytes [22:41 15/09/2008] [07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED

-= EOF =-
jlaureni
Regular Member
 
Posts: 21
Joined: November 28th, 2010, 1:29 pm

Re: Google search results links hijacked

Post by deltalima » December 6th, 2010, 9:47 am

Hi jlaureni,

IE is now working


Good.

There is more we can do before the backup is complete as this will not make any changes to the system.

Create a batch file
  1. Open Notepad.
  2. Copy/paste the following text into the empty Notepad window.
    @echo off
    rem Stage clean copies of the two files from the winsxs component store at the drive root.
    rem The "1 file(s) copied." line from each copy is appended to results.txt.
    Copy C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe c:\explorer.exe >> results.txt
    Copy C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe c:\wininit.exe >> results.txt
    start notepad results.txt
    rem Remove this batch file once it has run.
    Del %0

  3. Save the file as xxx.bat on your desktop, with "Save as type" set to All Files (*.*).
  4. Right click the file xxx.bat and select: Run as Administrator.

results.txt should open in Notepad automatically when the script has completed; post the contents of this file in your next response.

Please run SystemLook again as before using the following in the main textfield:

:file
c:\windows\explorer.exe
c:\windows\System32\wininit.exe
c:\explorer.exe
c:\wininit.exe


Please post the log in your next reply. Again, this can be done before the backup is complete, as it makes no changes to the system.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google search results links hijacked

Post by jlaureni » December 6th, 2010, 10:00 am

Hi deltalima,
The results of the bat file run:
1 file(s) copied.
1 file(s) copied.

Results from SystemLook:

SystemLook 04.09.10 by jpshortstuff
Log created at 08:59 on 06/12/2010 by Sonia
Administrator - Elevation successful

========== file ==========

c:\windows\explorer.exe - File found and opened.
MD5: 7564E503828CB2CB1E9F795ED1F75F4D
Created at 22:59 on 10/12/2008
Modified at 06:29 on 29/10/2008
Size: 2927104 bytes
Attributes: --a----
FileDescription: Windows Explorer
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: EXPLORER.EXE.MUI
InternalName: explorer
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\System32\wininit.exe - File found and opened.
MD5: A577D354D179E5DC802C18442C4D0783
Created at 22:41 on 15/09/2008
Modified at 07:33 on 19/01/2008
Size: 96768 bytes
Attributes: --a----
FileDescription: Windows Start-Up Application
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: WinInit.exe.mui
InternalName: WinInit
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\explorer.exe - File found and opened.
MD5: FD8C53FB002217F6F888BCF6F5D7084D
Created at 13:55 on 06/12/2010
Modified at 09:45 on 02/11/2006
Size: 2923520 bytes
Attributes: --a----
FileDescription: Windows Explorer
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: EXPLORER.EXE.MUI
InternalName: explorer
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\wininit.exe - File found and opened.
MD5: D4385B03E8CCCEE6F0EE249F827C1F3E
Created at 13:56 on 06/12/2010
Modified at 09:45 on 02/11/2006
Size: 95744 bytes
Attributes: --a----
FileDescription: Windows Start-Up Application
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: WinInit.exe.mui
InternalName: WinInit
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

-= EOF =-
jlaureni
Regular Member
 
Posts: 21
Joined: November 28th, 2010, 1:29 pm
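The two SystemLook logs above invite a simple consistency check that a practitioner would want to automate: the live c:\windows\explorer.exe and c:\windows\System32\wininit.exe have exactly the size and modification time of a copy in the winsxs component store but a different MD5, while the copies the batch file staged at the drive root hash identically to their winsxs source. The Python script below is an added example, not part of this thread and not part of SystemLook; it parses result lines in SystemLook's ':filefind' format and applies that check. All input lines are the ones posted in the first log except the last two, which are constructed in the same format from the ':file' block of the second log for C:\explorer.exe and C:\wininit.exe.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the ':filefind' lines from the SystemLook log posted in this thread,
# plus two lines CONSTRUCTED in the same format from the ':file' block of the second
# log (the staged copies C:\explorer.exe and C:\wininit.exe, values as posted).
SYSTEMLOOK_FILEFIND = r"""
C:\Windows\explorer.exe --a---- 2927104 bytes [22:59 10/12/2008] [06:29 29/10/2008] 7564E503828CB2CB1E9F795ED1F75F4D
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe --a---- 2926592 bytes [03:05 17/09/2009] [06:27 11/04/2009] D07D4C3038F3578FFCE1C0237F2A1253
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe --a---- 2923520 bytes [08:47 02/11/2006] [09:45 02/11/2006] FD8C53FB002217F6F888BCF6F5D7084D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe --a---- 2923520 bytes [22:59 10/12/2008] [06:20 29/10/2008] 37440D09DEAE0B672A04DCCF7ABF06BE
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe --a---- 2923520 bytes [22:59 10/12/2008] [02:15 28/10/2008] E7156B0B74762D9DE0E66BDCDE06E5FB
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe --a---- 2927104 bytes [22:42 15/09/2008] [07:33 19/01/2008] FFA764631CB70A30065C12EF8E174F9F
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe --a---- 2927104 bytes [22:59 10/12/2008] [06:29 29/10/2008] 4F554999D7D5F05DAAEBBA7B5BA1089D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe --a---- 2927616 bytes [22:59 10/12/2008] [03:59 30/10/2008] 50BA5850147410CDE89C523AD3BC606E
C:\Windows\System32\wininit.exe --a---- 96768 bytes [22:41 15/09/2008] [07:33 19/01/2008] A577D354D179E5DC802C18442C4D0783
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] D4385B03E8CCCEE6F0EE249F827C1F3E
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe --a---- 96768 bytes [22:41 15/09/2008] [07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED
C:\explorer.exe --a---- 2923520 bytes [13:55 06/12/2010] [09:45 02/11/2006] FD8C53FB002217F6F888BCF6F5D7084D
C:\wininit.exe --a---- 95744 bytes [13:56 06/12/2010] [09:45 02/11/2006] D4385B03E8CCCEE6F0EE249F827C1F3E
"""

# One ':filefind' result line: path, attribute flags, size, [created] [modified], MD5.
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    modified: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_component_store(self) -> bool:
        # Copies under \winsxs\ are the servicing stack's reference versions of a component.
        return "\\winsxs\\" in self.path.lower()


def parse_filefind(text: str) -> List[FileRecord]:
    """Turn SystemLook ':filefind' output into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            records.append(FileRecord(m["path"], int(m["size"]), m["modified"], m["md5"].upper()))
    return records


@dataclass
class Verdict:
    live: FileRecord
    reference: Optional[FileRecord]  # winsxs copy with identical size and mtime, if any
    status: str  # "consistent" | "patched_in_place" | "no_reference"


def find_patched_system_files(records: List[FileRecord]) -> Dict[str, Verdict]:
    """Compare every non-winsxs copy of a binary with its component-store twins.

    A patcher that overwrites code inside an existing PE and resets the timestamp leaves
    size and modification time unchanged, so identical size and mtime with a different
    MD5 is the tell-tale; a matching MD5 means the copy is byte-identical to the reference.
    """
    by_name: Dict[str, List[FileRecord]] = defaultdict(list)
    for rec in records:
        by_name[rec.name].append(rec)

    verdicts: Dict[str, Verdict] = {}
    for group in by_name.values():
        refs = [r for r in group if r.in_component_store]
        for live in group:
            if live.in_component_store:
                continue
            twins = [r for r in refs if r.size == live.size and r.modified == live.modified]
            if not twins:
                status = "no_reference"
            elif any(r.md5 == live.md5 for r in twins):
                status = "consistent"
            else:
                status = "patched_in_place"
            verdicts[live.path.lower()] = Verdict(live, twins[0] if twins else None, status)
    return verdicts


if __name__ == "__main__":
    for path, v in find_patched_system_files(parse_filefind(SYSTEMLOOK_FILEFIND)).items():
        ref = v.reference.path if v.reference else "-"
        print(f"{v.status:17} {path}\n{'':17} twin: {ref}")
```

Run as-is it prints one verdict per non-winsxs copy: both live files come out as patched_in_place against their 6.0.6001 twins, both staged copies at C:\ come out as consistent with the 6.0.6000.16386 copies they were taken from, and the SoftwareDistribution download has no twin at all. To use it on another log, paste that log's ':filefind' section into SYSTEMLOOK_FILEFIND. The twin it names is only the component-store entry with matching metadata; which version to restore from is still the helper's decision.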

Re: Google search results links hijacked

Post by deltalima » December 6th, 2010, 10:05 am

Hi jlaureni,

That looks good so far.

Let me know when you have everything backed up then we can continue.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google search results links hijacked

Unread postby jlaureni » December 7th, 2010, 7:05 am

Hi deltalima,

OK everything is backed up and I am ready to resume.

Thanks,

Joe
jlaureni
Regular Member
 
Posts: 21
Joined: November 28th, 2010, 1:29 pm

Re: Google search results links hijacked

Unread postby deltalima » December 7th, 2010, 7:17 am

Hi jlaureni,

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
Code:
CopyFile:
C:\explorer.exe C:\Windows\explorer.exe
C:\wininit.exe  C:\WINDOWS\system32\wininit.exe

  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. You can find it at the root of the drive, normally C:\
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google search results links hijacked

Unread postby jlaureni » December 7th, 2010, 8:07 am

Hi deltalima,
Here is the log from BlitzBlank.


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"
CopyFileOnReboot: sourceFile = "\??\c:\wininit.exe", destinationFile = "\??\c:\windows\system32\wininit.exe"

BTW - IE is very slow now.

Thanks,

Joe
jlaureni
Regular Member
 
Posts: 21
Joined: November 28th, 2010, 1:29 pm

Re: Google search results links hijacked

Unread postby deltalima » December 7th, 2010, 8:16 am

Hi jlaureni,

Please run SystemLook again as before using the following in the main textfield:

Code:
:file
c:\windows\explorer.exe 
c:\windows\System32\wininit.exe
c:\explorer.exe 
c:\wininit.exe


Please post the log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google search results links hijacked

Unread postby jlaureni » December 7th, 2010, 8:31 am

Hi deltalima,

Here is the result from SystemLook:

SystemLook 04.09.10 by jpshortstuff
Log created at 07:30 on 07/12/2010 by Sonia
Administrator - Elevation successful

========== file ==========

c:\windows\explorer.exe - File found and opened.
MD5: FD8C53FB002217F6F888BCF6F5D7084D
Created at 22:59 on 10/12/2008
Modified at 11:48 on 07/12/2010
Size: 2923520 bytes
Attributes: --a----
FileDescription: Windows Explorer
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: EXPLORER.EXE.MUI
InternalName: explorer
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\System32\wininit.exe - File found and opened.
MD5: D4385B03E8CCCEE6F0EE249F827C1F3E
Created at 22:41 on 15/09/2008
Modified at 11:48 on 07/12/2010
Size: 95744 bytes
Attributes: --a----
FileDescription: Windows Start-Up Application
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: WinInit.exe.mui
InternalName: WinInit
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\explorer.exe - File found and opened.
MD5: FD8C53FB002217F6F888BCF6F5D7084D
Created at 13:55 on 06/12/2010
Modified at 09:45 on 02/11/2006
Size: 2923520 bytes
Attributes: --a----
FileDescription: Windows Explorer
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: EXPLORER.EXE.MUI
InternalName: explorer
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\wininit.exe - File found and opened.
MD5: D4385B03E8CCCEE6F0EE249F827C1F3E
Created at 13:56 on 06/12/2010
Modified at 09:45 on 02/11/2006
Size: 95744 bytes
Attributes: --a----
FileDescription: Windows Start-Up Application
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: WinInit.exe.mui
InternalName: WinInit
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

-= EOF =-
jlaureni
Regular Member
 
Posts: 21
Joined: November 28th, 2010, 1:29 pm
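The two SystemLook runs above are worth reading side by side: before BlitzBlank, the installed c:\windows\System32\wininit.exe and the clean copy staged at c:\wininit.exe carry identical version-resource strings (description, version, company) but different MD5 sums and sizes (96768 vs 95744 bytes); after the copy-on-reboot, the installed file's hash and size match the staged copy. The script below is an added example, not part of SystemLook or of any post in this thread. It parses SystemLook ":file" output into records and compares an installed binary with its staged clean copy by content (MD5, size) and by version strings. The function names (parse_systemlook, compare, verdict) are my own, and the embedded sample logs are the wininit.exe entries from the two runs posted above, trimmed to a few fields; the staged copy did not change between the runs, so the "after" sample carries only the installed file.

```python
"""Added example: parse SystemLook ':file' reports and compare an installed
system binary with the clean copy staged at the drive root. Not part of
SystemLook or of the original thread; sample logs are trimmed from the posts."""
import re
from dataclasses import dataclass, field

HEADER = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - File found and opened\.$")
FIELDS = {  # single-line fields SystemLook prints under each file header
    "md5": re.compile(r"^MD5:\s*([0-9A-Fa-f]{32})$"),
    "size": re.compile(r"^Size:\s*(\d+) bytes$"),
    "created": re.compile(r"^Created at (.+)$"),
    "modified": re.compile(r"^Modified at (.+)$"),
}
# Version-resource strings. A patcher can keep these intact, so they are
# compared only to show that they do NOT distinguish a tampered binary.
VERSION_KEYS = ("FileDescription", "FileVersion", "ProductVersion",
                "OriginalFilename", "InternalName", "ProductName",
                "CompanyName", "LegalCopyright")


@dataclass
class FileRecord:
    path: str
    md5: str = ""
    size: int = 0
    created: str = ""
    modified: str = ""
    version: dict = field(default_factory=dict)


def parse_systemlook(text: str) -> dict:
    """Return {lower-cased path: FileRecord} for every file block in the log."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            current = FileRecord(path=m.group("path").lower())
            records[current.path] = current
            continue
        if current is None or not line:
            continue
        for attr, rx in FIELDS.items():
            if m := rx.match(line):
                value = m.group(1)
                if attr == "size":
                    value = int(value)
                if attr == "md5":
                    value = value.upper()
                setattr(current, attr, value)
                break
        else:  # not a known field: keep it only if it is a version string
            key, sep, value = line.partition(":")
            if sep and key in VERSION_KEYS:
                current.version[key] = value.strip()
    return records


def compare(installed: FileRecord, staged: FileRecord) -> dict:
    """Content checks (hash, size) next to the spoofable metadata check."""
    return {
        "md5_match": installed.md5 == staged.md5,
        "size_match": installed.size == staged.size,
        "version_match": installed.version == staged.version,
    }


def verdict(result: dict) -> str:
    if result["md5_match"] and result["size_match"]:
        return "installed copy matches staged file"
    if result["version_match"]:
        return "version strings identical but content differs: installed copy is not the staged file"
    return "different file (content and version strings differ)"


# Sample input: wininit.exe entries copied from the thread's first run.
BEFORE_LOG = r"""
========== file ==========

c:\windows\System32\wininit.exe - File found and opened.
MD5: A577D354D179E5DC802C18442C4D0783
Created at 22:41 on 15/09/2008
Modified at 07:33 on 19/01/2008
Size: 96768 bytes
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
CompanyName: Microsoft Corporation

c:\wininit.exe - File found and opened.
MD5: D4385B03E8CCCEE6F0EE249F827C1F3E
Created at 13:56 on 06/12/2010
Modified at 09:45 on 02/11/2006
Size: 95744 bytes
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
CompanyName: Microsoft Corporation

-= EOF =-
"""
# Sample input: the installed file from the run after BlitzBlank's copy.
AFTER_LOG = r"""
c:\windows\System32\wininit.exe - File found and opened.
MD5: D4385B03E8CCCEE6F0EE249F827C1F3E
Created at 22:41 on 15/09/2008
Modified at 11:48 on 07/12/2010
Size: 95744 bytes
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
CompanyName: Microsoft Corporation
"""

if __name__ == "__main__":
    before = parse_systemlook(BEFORE_LOG)
    staged = before[r"c:\wininit.exe"]
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        installed = parse_systemlook(log)[r"c:\windows\system32\wininit.exe"]
        result = compare(installed, staged)
        print(label, result, "->", verdict(result))
```

Run as-is, the "before" comparison reports md5_match and size_match False with version_match True, which is exactly the pattern of a patched system binary: the version resource was preserved, the content was not. The "after" comparison reports all three True. Note also that the installed file keeps its original Created timestamp (22:41 on 15/09/2008) across the overwrite while only Modified changes, so neither version strings nor creation time would have revealed either the infection or the repair; only the hash and size do. MD5 is adequate for matching a file against a clean copy you staged yourself, as here; when checking against a reference hash published elsewhere, prefer SHA-256 and verify the Authenticode signature as well.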