electricpete
Technical User
My computer is Windows Vista machine. It was taken over by a fake anti-virus called Vista Security or something like that. All attempts at removal were unsuccessful, so I ran combofix.
I actually I ran ComboFix twice and both logs are posted below.
The first time I ran ComboFix, at certain steps I got errors that I could not complete certain activities due to lack of administrator priveleges.
The second time, I ran it by right-clicking and selected "run as administrator". The results seemed roughly the same (still got errors about administrator priveleges and still ran to completion.
My question: Do you recommend any actions based on results of these ComboFix logs below?
I actually I ran ComboFix twice and both logs are posted below.
The first time I ran ComboFix, at certain steps I got errors that I could not complete certain activities due to lack of administrator priveleges.
The second time, I ran it by right-clicking and selected "run as administrator". The results seemed roughly the same (still got errors about administrator priveleges and still ran to completion.
My question: Do you recommend any actions based on results of these ComboFix logs below?
First ComboFix Log said:ComboFix 11-04-15.06 - admin 04/16/2011 22:21:42.1.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1918.1431 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: RULE_COMPONENT_MNM *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: RULE_COMPONENT_MNM *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: RULE_COMPONENT_MNM *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\26205960.exe
c:\programdata\43179784.exe
c:\programdata\AIAkiwgpWK.exe
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair\Windows Repair.lnk
c:\users\admin\Desktop\Windows Repair.lnk
c:\windows\system32\config\systemprofile\wuaucldt.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\null0.8717782285845986.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\wuaucldt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-17 to 2011-04-17 )))))))))))))))))))))))))))))))
.
.
2011-04-17 03:25 . 2011-04-17 03:25 -------- d-----w- c:\users\admin\AppData\Local\temp
2011-04-17 03:25 . 2011-04-17 03:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-01 14:32 . 2011-04-01 14:32 -------- d-----w- C:\Windows Repair
2011-03-28 19:00 . 2011-03-28 19:00 119296 --sha-r- c:\windows\system32\itirclh.dll
2011-03-27 00:42 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-27 00:42 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 01:35 . 2011-03-26 01:35 -------- d--h--w- c:\program files\MalwarebytesAntiMalware2
2011-03-26 00:08 . 2011-03-26 00:08 -------- d--h--w- c:\users\admin\AppData\Roaming\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08 -------- d--h--w- c:\programdata\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 22:25 . 2009-11-24 22:06 119808 ---ha-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-14 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware6\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Play Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F7D4101\V1\PBN.exe [2009-11-25 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
R2 WLANBelkinService;Belkin WLAN service;c:\program files\Belkin\F7D4101\V1\wlansrv.exe [2009-12-28 36864]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [2009-11-06 699896]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-23 30192]
R3 STSService;STSService;c:\program files\SoundTaxi Media Suite\STSService.exe [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-02-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
2011-02-12 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: ataretail.com
Trusted Zone: bdsmktg.com\ic
Trusted Zone: claops.com\www
Trusted Zone: clareps.com\intranet
Trusted Zone: fgxi.com\ross
Trusted Zone: intersourcing.com\Trusted Zone: jcprewards.com\www
Trusted Zone: paychex.com\eservices
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\0a5p0b5b.default\
.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\qca.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AIAkiwgpWK - c:\programdata\AIAkiwgpWK.exe
HKCU-Run-Regedit32 - c:\windows\system32\regedit.exe
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2011-04-16 22:25
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-16 22:27:01
ComboFix-quarantined-files.txt 2011-04-17 03:26
.
Pre-Run: 92,754,616,320 bytes free
Post-Run: 93,978,804,224 bytes free
.
- - End Of File - - 19B61BA8653D76E4723D4109A3FE8409
Second ComboFix Log said:ComboFix 11-04-15.06 - admin 04/16/2011 22:30:33.1.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1918.1277 [GMT -5:00]
Running from: C:\ComboFix.exe
AV: RULE_COMPONENT_MNM *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: RULE_COMPONENT_MNM *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: RULE_COMPONENT_MNM *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-03-17 to 2011-04-17 )))))))))))))))))))))))))))))))
.
.
2011-04-17 03:32 . 2011-04-17 03:32 -------- d-----w- c:\users\admin\AppData\Local\temp
2011-04-17 03:32 . 2011-04-17 03:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-01 14:32 . 2011-04-01 14:32 -------- d-----w- C:\Windows Repair
2011-03-28 19:00 . 2011-03-28 19:00 119296 --sha-r- c:\windows\system32\itirclh.dll
2011-03-27 00:42 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-27 00:42 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 01:35 . 2011-03-26 01:35 -------- d-----w- c:\program files\MalwarebytesAntiMalware2
2011-03-26 00:08 . 2011-03-26 00:08 -------- d-----w- c:\users\admin\AppData\Roaming\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08 -------- d-----w- c:\programdata\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 22:25 . 2009-11-24 22:06 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-14 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware6\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Play Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F7D4101\V1\PBN.exe [2009-11-25 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
R2 WLANBelkinService;Belkin WLAN service;c:\program files\Belkin\F7D4101\V1\wlansrv.exe [2009-12-28 36864]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [2009-11-06 699896]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-23 30192]
R3 STSService;STSService;c:\program files\SoundTaxi Media Suite\STSService.exe [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-02-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
2011-02-12 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: ataretail.com
Trusted Zone: bdsmktg.com\ic
Trusted Zone: claops.com\www
Trusted Zone: clareps.com\intranet
Trusted Zone: fgxi.com\ross
Trusted Zone: intersourcing.com\Trusted Zone: jcprewards.com\www
Trusted Zone: paychex.com\eservices
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\0a5p0b5b.default\
.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\qca.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2011-04-16 22:32
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-16 22:33:57
ComboFix-quarantined-files.txt 2011-04-17 03:33
ComboFix2.txt 2011-04-17 03:27
.
Pre-Run: 94,033,887,232 bytes free
Post-Run: 94,002,577,408 bytes free
.
- - End Of File - - 48E334A4D1BC32D2664A118CF2BA9BDF