System Check Virus ... Can't System Restore even in Safe Mode

Started by Maddielee, February 23, 2012, 01:12:50 PM

Maddielee

ComboFix log:

ComboFix 12-02-23.01 - Administrator 02/28/2012  10:43:56.3.2 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.718 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
(((((((((((((((((((((((((   Files Created from 2012-01-28 to 2012-02-28  )))))))))))))))))))))))))))))))
.
.
2012-02-26 21:46 . 2012-02-26 21:46   163   ----a-w-   C:\allprogramsdisable.reg
2012-02-23 15:58 . 2012-02-23 15:58   --------   d-----w-   C:\TDSSKiller_Quarantine
2012-02-22 20:48 . 2012-02-23 15:50   --------   d-----w-   c:\documents and settings\Administrator
2012-02-15 10:41 . 2012-01-11 19:06   3072   ------w-   c:\windows\system32\iacenc.dll
2012-02-15 10:41 . 2012-01-11 19:06   3072   ------w-   c:\windows\system32\dllcache\iacenc.dll
2012-01-31 16:59 . 2012-01-31 16:59   --------   d-----w-   c:\program files\iPod
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-04 10:00   1859968   ----a-w-   c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2004-08-04 10:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-04 10:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-04 10:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 10:00   385024   ----a-w-   c:\windows\system32\html.iec
2011-12-14 20:23 . 2011-07-20 13:42   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-02-23_21.43.23   )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-04-11 14:10 . 2012-02-28 11:28   32768              c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-11 14:10 . 2012-02-22 08:12   32768              c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-02-27 15:34 . 2012-02-28 11:28   16384              c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 68856]
"AOL Fast Start"="c:\program files\AOL Desktop 9.6\AOL.EXE" [2011-04-25 42320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 294912]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"HostManager"="c:\program files\Common Files\AOL\1129765693\ee\AOLSoftware.exe" [2010-03-08 41800]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2010-07-13 70720]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 8\PostUpdate.exe" [2010-09-11 53248]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-04-05 01:21   26112   -c--a-w-   c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48   479232   -c--a-w-   c:\program files\Google\Gmail Notifier\gnotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1129765693\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1129765693\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [9/14/2010 7:42 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 7:42 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 7:42 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 7:42 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [9/14/2010 7:42 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [9/14/2010 7:42 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [9/14/2010 7:42 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [9/14/2010 7:42 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [9/14/2010 7:42 AM 88480]
R3 ndisrd;WinpkFilter Service;c:\windows\SYSTEM32\DRIVERS\ndisrd.sys [8/8/2010 3:50 PM 20480]
S2 0014401330386081mcinstcleanup;McAfee Application Installer Cleanup (0014401330386081);c:\windows\TEMP\001440~1.EXE -cleanup -nolog --> c:\windows\TEMP\001440~1.EXE -cleanup -nolog [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 4:24 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 4:24 PM 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [9/14/2010 7:42 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [9/14/2010 7:42 AM 83496]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\CA\PCPitstopScheduleService.exe [4/3/2010 7:44 AM 90296]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-02-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-13 12:15]
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 21:23]
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{b80f591e-fe9a-46cf-a13e-180377240586} - (no file)
WebBrowser-{B80F591E-FE9A-46CF-A13E-180377240586} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKCU-Run-SFP - c:\program files\Common Files\Verizon Online\SFP\vzSFPWin.EXE
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-28 12:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3309822840-836792384-1404327448-1006\ *]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3309822840-836792384-1404327448-1006\ *\Preferences]
"Use Hardware Scroll"=dword:00000001
"UITransitions"=dword:00000001
"Debug Blt"=dword:00000000
"ShowHidden"=dword:00000000
"Show only big images"=dword:00000001
"BigPictureThreshold"=dword:0000ea60
"ResampleFilter2"=dword:00000006
"SizeDots"=dword:00000000
"Hide filtered albums"=dword:00000001
"ShowAlbumThumbnails"=dword:00000001
"Thumbscale"=dword:00000200
"CaptionState"=dword:00000001
"ytHLocal::lang"=dword:00000000
"EnablePrefetch"=dword:00000001
"ShowTooltips"=dword:00000001
"mainwinismax"=dword:00000001
"mainwinpos"="rect(0 0 1024 742)"
"Do unreasonably slow consistency checks"=dword:00000000
"WriteDirscannerCSV"=dword:00000000
.
[HKEY_USERS\S-1-5-21-3309822840-836792384-1404327448-1006\ *\Runtime\LoadImageCheck]
"468"=""
"19c"=""
"7c0"=""
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3672)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\wanmpsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Dell Photo AIO Printer 942\dlbubmon.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\AOL Desktop 9.6\waol.exe
c:\program files\common files\aol\1129765693\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AOL Desktop 9.6\shellmon.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
.
**************************************************************************
.
Completion time: 2012-02-28  12:16:37 - machine was rebooted
ComboFix-quarantined-files.txt  2012-02-28 17:16
ComboFix2.txt  2012-02-23 21:51
.
Pre-Run: 6,258,491,392 bytes free
Post-Run: 5,160,374,272 bytes free
.
- - End Of File - - 319D5311267DD6CB58A5B517797A2B75

Corrine

Hi, Maddielee.

ComboFix likely took extra long due to removing the folders, although over an hour is excessive and not normal. However, looking at the before and after "bytes free", there was a lot removed.

How is your computer now?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Maddielee

Some of my programs (like Family Tree Maker) still read 'empty'... but I have most important data on back-up discs.

I am missing some Icons on the desktop, but I don't think that is too awful.

Everything else seems to be ok, if I can remember how it was before correctly.

Is it safe to use? 

How can I thank you for all your help?  Because you have been wonderful and patient.


Corrine

Hi, Maddielee.

I'll address the missing shortcuts and desktop items in a separate reply. 

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


You can also delete RKill and the registry fixes I had you download. 

Is your McAfee antivirus software updating?

To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector or, alternatively, visit http://secunia.com/software_inspector/. The Secunia Software Inspector runs through your browser with no installation or download required and does the following:

  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html.  If you have questions about WinPatrol, we have a forum here at LzD:  WinPatrol Help & Information.


Corrine

Now on to optional steps to restore any missing menu items or shortcuts.

For missing desktop shortcuts, this tutorial illustrates how to do it much easier than I can explain it!  See Computer Tutorials - Create desktop shortcuts in Windows XP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You have the Program Files menu back but I don't know if you have Accessories and Administrative tools. If not, you can do the following to restore the defaults for the Start Menu, Accessories and Administrative Tools.

Note: This information and the below illustrated example were created by Broni from Bleeping Computer and his website, Smartest Computing. For ease of readability, I've reproduced his example for Avast without the "quote" tag but all credit goes to Broni, who has helped many people:

It gets more complicated for the missing program shortcuts.

  • Download App Paths
  • Double click on AppPaths.exe to run the program.
  • Keep the program open.
  • Go Start>All Programs.
  • Right click on Avast entry, click "Properties".

NOTE: Make sure you right click on the Avast program, NOT on the Avast folder.

  • You'll see this window:


Due to the damage caused by the infection, you'll find "Target" box empty.

  • Go back to AppPaths window and find Avast entry.
  • Right click on Avast line, click "Edit".
  • A pop-up window will open:


  • Highlight everything in "Path" box, right click on it, click "Copy".
  • Go back to Avast "Properties" window, right click inside "Target" box, click "Paste".
  • IMPORTANT! Add quotation marks at the beginning of the path and at the end.
  • Click OK and you're done.


You would follow that process for missing program entries like Family Tree Maker.

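
The App Paths lookup described in the post above, automated in PowerShell as an added example (this is not the thread's own code, nor the App Paths tool). It assumes PowerShell 2.0 or later is installed on the XP machine; the shortcut path and the executable name FTM.exe in the usage lines are placeholders to replace with the real ones.

```powershell
# Added example, not code from the thread or from the App Paths tool. Assumes
# PowerShell 2.0 or later on the affected Windows XP machine and that the
# program's installer registered its executable under the App Paths key.
$AppPathsRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'

# The same listing the App Paths window shows: one entry per registered
# executable, with the full path taken from the subkey's (Default) value.
function Get-AppPathEntries {
    Get-ChildItem -Path $AppPathsRoot | ForEach-Object {
        $path = (Get-ItemProperty -Path $_.PSPath).'(default)'
        New-Object PSObject -Property @{ Exe = $_.PSChildName; Path = $path }
    }
}

# Look one executable up in App Paths and write its path into the shortcut's
# empty Target, the step Broni's instructions do by copy and paste.
# Returns $true when the shortcut was repaired, $false otherwise.
function Repair-ShortcutTarget {
    param(
        [Parameter(Mandatory=$true)][string]$ShortcutPath,  # the .lnk file to repair
        [Parameter(Mandatory=$true)][string]$ExeName        # file name as listed in App Paths
    )
    $key = "$AppPathsRoot\$ExeName"
    $exePath = $null
    if (Test-Path -Path $key) {
        $exePath = (Get-ItemProperty -Path $key).'(default)'
    }
    if (-not $exePath) {
        Write-Warning "No App Paths entry for $ExeName; reinstalling the program may be the only fix."
        return $false
    }
    $exePath = $exePath.Trim('"')   # some installers store the value already quoted
    if (-not (Test-Path -LiteralPath $exePath)) {
        Write-Warning "App Paths points to '$exePath', which is not on disk."
        return $false
    }
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($ShortcutPath)   # loads the .lnk, or prepares a new one if it was deleted
    if ($lnk.TargetPath -and (Test-Path -LiteralPath $lnk.TargetPath)) {
        Write-Host "Shortcut already points at $($lnk.TargetPath); nothing to do."
        return $false
    }
    # In the Properties dialog a path with spaces must be typed inside quotation
    # marks; the WScript.Shell object adds them itself, so assign the bare path.
    $lnk.TargetPath = $exePath
    $lnk.WorkingDirectory = Split-Path -Parent $exePath
    $lnk.Save()
    Write-Host "Target of '$ShortcutPath' set to $exePath"
    return $true
}

# Usage with placeholder names: list what App Paths knows, then repair one shortcut.
Get-AppPathEntries | Sort-Object Exe | Format-Table Exe, Path -AutoSize
Repair-ShortcutTarget -ShortcutPath "$env:ALLUSERSPROFILE\Start Menu\Programs\Family Tree Maker.lnk" -ExeName 'FTM.exe'
```

Run the listing first to find the exact file name the installer registered, since that name, not the program's display name, is the App Paths subkey.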

Maddielee

I'm sorry.  I am completely lost...I don't have a program listed named - Avast.


Corrine

Hi, Maddielee.

Using Avast was merely an example of how to add links for missing programs such as Family Tree Maker back to the list using App Paths. 


Maddielee


Corrine

You're welcome.  Although a bit overwhelming, the instructions are nicely illustrated. 


Maddielee

We are good to go!  (I think)....Again, thank you for all your help. 

Maddielee

I sent a little something through paypal....hope the right people receive it.  It shows a donation to Combofix???

Corrine

That was very nice of you, Maddielee, thank you! 

Yes, the donation went to sUBs, the creator of ComboFix.  He devotes many hours not only to the development and maintenance of ComboFix, DDS and other tools but also, behind the scenes, sharing his wealth of knowledge with trained analysts.  Without his extraordinary efforts, we would have a much, much more difficult time not only knowing what is on the computer but also helping people clean their computers.
