
Vista Antivirus 2012


#16 Kristi2565 (Member, Topic Starter, 39 posts)
Not able to go online with the infected machine. Can download to a flash drive and move it from another PC. ComboFix is not saved to the desktop; it's in a folder. Do I need to create a shortcut to ComboFix on the desktop and then save CFScript to the desktop from the flash drive? Then drag the CFS file to the ComboFix shortcut and drop?

#17 RKinner (Malware Expert, MVP, 24,625 posts)
No, I think you need to move the ComboFix program to your desktop. I don't think a shortcut will work.

#18 Kristi2565 (Member, Topic Starter, 39 posts)
ComboFix 11-12-16.02 - rhizogen 12/20/2011 13:21:47.2.2 - x86 MINIMAL
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.1791.1290 [GMT -6:00]
Running from: c:\users\rhizogen\Downloads\ComboFix.exe
Command switches used :: c:\users\rhizogen\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk"
"c:\windows\System32\drivers\bofntmc.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ebxeq
-------\Service_McComponentHostService
.
.
((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))
.
.
2011-12-20 19:38 . 2011-12-20 19:38 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-12-20 19:38 . 2011-12-20 19:38 2942 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-12-20 19:38 . 2011-12-20 19:38 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-12-20 19:27 . 2011-12-20 20:28 -------- d-----w- c:\users\rhizogen\AppData\Local\temp
2011-12-20 19:27 . 2011-12-20 19:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-19 15:07 . 2011-12-19 15:07 -------- d-----w- C:\_OTL
2011-12-16 21:14 . 2011-12-16 21:14 -------- d-----w- c:\users\rhizogen\AppData\Roaming\Malwarebytes
2011-12-16 21:14 . 2011-12-16 21:14 -------- d-----w- c:\programdata\Malwarebytes
2011-12-16 21:14 . 2011-12-16 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-16 21:14 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-16 15:06 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-15 17:23 . 2011-12-15 17:46 -------- d-----w- c:\windows\system32\sdtmp
2011-12-15 04:05 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-15 04:05 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-15 04:04 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 04:03 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 04:03 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-12-15 04:01 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-15 04:01 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 08:10 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9BB067C9-E1A7-46CA-BF50-F87E60497AB4}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 11:49 . 2011-03-09 19:59 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 11:49 . 2011-03-09 19:59 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-10-07 11:49 . 2011-03-09 19:59 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-07 11:49 . 2011-03-09 19:59 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SmileboxTray"="c:\users\rhizogen\AppData\Roaming\Smilebox\SmileboxTray.exe" [2011-12-01 313160]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"SetRefresh"="c:\program files\HP\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-10 1282048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-07-11 73728]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2008-02-22 44168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Attendance Rx.lnk - c:\program files\Acroprint\Attendance Rx\AttendanceRx.exe [2009-3-3 5742592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2011-10-07 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-09-17 180736]
R3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2007-07-16 20504]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=all&pf=cmdt
IE: Add to AVI Video Converter... - c:\program files\Media Player Utilities 4.29\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: Interfaces\{25108261-8D72-49CC-80B9-4C97455452C0}: NameServer = 68.28.186.91,68.28.178.91
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\users\rhizogen\AppData\Roaming\Mozilla\Firefox\Profiles\6zgw1gw8.default\
FF - prefs.js: browser.search.selectedEngine - Inbox Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80179&language=en&qkw=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-12-20 14:34:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-20 20:34
ComboFix2.txt 2011-12-20 14:11
ComboFix3.txt 2011-12-19 17:55
ComboFix4.txt 2011-12-16 19:23
.
Pre-Run: 96,570,900,480 bytes free
Post-Run: 96,514,981,888 bytes free
.
- - End Of File - - FBB7903106DED989B0A4E3735E66FA6D

#19 Kristi2565 (Member, Topic Starter, 39 posts)
When I right-click on "Computer" and then select "Manage", a window opens that has

Explorer.exe (top left corner)
Illegal operation attempted on registry key that has been marked for deletion.

Tried to do a screenshot but cannot open Paint.

C:\windows\System32\mspaint.exe (top left corner)
Illegal operation attempted on registry key that has been marked for deletion.

#20 Kristi2565 (Member, Topic Starter, 39 posts)
I am posting from my laptop. Can't get the infected machine online.

#21 RKinner (Malware Expert, MVP, 24,625 posts)
Is it still refusing to boot into regular mode? Are you still lacking an Internet connection? (I assume you have tried Safe Mode with Networking?)

Did you install LogMeIn?

Start, All Programs, Accessories, right-click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

sfc  /scannow
net  start  >>  \junk.txt
ipconfig  /all  >>  \junk.txt
netsh  winsock  show  catalog  >>  \junk.txt
notepad  \junk.txt
(Copy and paste or attach C:\junk.txt to your next reply.)

msconfig
(Go to the Services tab and click on the box to hide Microsoft services, then uncheck everything that remains. Go to the Startup tab and uncheck everything. OK and reboot. If it doesn't run faster, then go back into msconfig and recheck the things you turned off. If it helps, then go back and turn on a few items each time until you find the culprit.)

cd  \windows\logs\cbs
copy  cbs.log  cbs.old
del  cbs.log
sfc  /scannow
findstr  /c:"[SR]"  cbs.log  >  junk.txt

Attach the file \windows\logs\cbs\junk.txt to your next reply.
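The `netsh winsock show catalog` dump RKinner asks for is the place a Winsock hijack shows up: a Layered Service Provider (LSP) inserted by malware sits in the path of every socket, and a chain entry left pointing at a DLL that a cleanup tool already deleted can by itself leave a machine that boots but cannot get online. The script below is an added example, not code from this thread or from any tool named in it. It parses the `Key: value` blocks netsh prints and flags the entries a responder should check by hand. The catalog text embedded in it is constructed for the example: the MSAFD entry is the stock Microsoft TCP provider, while `example_lsp.dll` and its GUID are invented placeholders, and fields the check does not use have been trimmed from the sample.

```python
"""Audit a `netsh winsock show catalog` dump for providers worth a second look.

Added example for the thread, not code from ComboFix, netsh or the forum.
Assumes the 'Key: value' block layout netsh prints on Vista.
"""
import re

# Constructed sample modelled on the netsh block layout (unused fields trimmed).
# The MSAFD entry is the stock Microsoft TCP provider; 'example_lsp.dll' and its
# GUID are invented placeholders for this example.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example hooking LSP (constructed)
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\ProgramData\example_lsp.dll
Catalog Entry ID:                   1032
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example hooking LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\ProgramData\example_lsp.dll
Catalog Entry ID:                   1033
Protocol Chain Length:              2
Protocol Chain:                     1032 1001
"""

# Where the stock Vista providers live; a provider DLL anywhere else deserves a look.
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

# One 'Key:   value' line of a catalog block.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s+(.+?)\s*$")


def parse_catalog(text):
    """Split the dump into one dict of fields per 'Winsock Catalog Provider Entry'."""
    entries = []
    for block in re.split(r"^Winsock Catalog Provider Entry\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "Catalog Entry ID" in fields:  # skips the preamble before the first header
            entries.append(fields)
    return entries


def suspicious_entries(entries):
    """Return (entry id, description, path, reasons) for entries to review by hand."""
    flagged = []
    for e in entries:
        path = e.get("Provider Path", "").lower()
        reasons = []
        if not path.startswith(SYSTEM_DIRS):
            reasons.append("provider DLL outside system32")
        if e.get("Entry Type", "").startswith("Layered"):
            reasons.append("layered provider: sits in the path of every socket")
        if reasons:
            flagged.append((e["Catalog Entry ID"], e.get("Description", ""),
                            e.get("Provider Path", ""), reasons))
    return flagged


def broken_chains(entries):
    """Chain entries that reference a catalog ID no longer present, which is a
    common 'boots but cannot connect' cause once an LSP's own entry is gone."""
    known = {e["Catalog Entry ID"] for e in entries}
    broken = []
    for e in entries:
        refs = e.get("Protocol Chain", "").split()
        missing = [r for r in refs if r not in known]
        if missing:
            broken.append((e["Catalog Entry ID"], missing))
    return broken


if __name__ == "__main__":
    catalog = parse_catalog(SAMPLE_CATALOG)
    for entry_id, desc, path, reasons in suspicious_entries(catalog):
        print(f"[{entry_id}] {desc} -> {path}: {'; '.join(reasons)}")
    for entry_id, missing in broken_chains(catalog):
        print(f"[{entry_id}] chain references missing entries {missing}")
```

Run it against the real dump by reading `C:\junk.txt` into `parse_catalog` in place of the sample. A flagged module that turns out to be a removed malware component is the case `netsh winsock reset` (from an elevated Command Prompt, followed by a reboot) is meant for: it rebuilds the catalog from the stock providers rather than leaving chain entries pointing at a DLL that no longer exists.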

#22 RKinner (Malware Expert, MVP, 24,625 posts)
The "Illegal operation attempted on registry key that has been marked for deletion" error should go away after a reboot.

#23 Kristi2565 (Member, Topic Starter, 39 posts)
Still will only boot in Safe Mode. If I try to boot normally, it gets to the Vista password screen and doesn't give you time to type the password before it starts the blue HP screen and then goes to the Safe Mode screen. Can boot Safe Mode with Networking but cannot get online.

#24 Kristi2565 (Member, Topic Starter, 39 posts)
Trying to run Command Prompt and getting the "Illegal operation attempted on registry key that has been marked for deletion." error.

#25 RKinner (Malware Expert, MVP, 24,625 posts)
Did you reboot?

#26 Kristi2565 (Member, Topic Starter, 39 posts)
No. Will do that now.

#27 Kristi2565 (Member, Topic Starter, 39 posts)
Reboot in Safe Mode?

#28 RKinner (Malware Expert, MVP, 24,625 posts)
Try regular mode first.

#29 Kristi2565 (Member, Topic Starter, 39 posts)
Normal boot not working; trying Safe Mode with Command Prompt.

#30 Kristi2565 (Member, Topic Starter, 39 posts)
OK. Got the command prompt at C:\Windows\system32