advice on possible virus

Hi Guys,
I had a nasty virus on my desktop recently. Unfortunately my son OKed a registry change and the whole thing crashed. A computer friend is taking the hard drive to his office to try to clean it on another computer. Tonight my daughter's laptop was acting weird. The MaAfee security said it hadn't scanned in a month but when I tried to do a full scan it froze at 13% and then I had to turn it off manually. I tried a full scan again and the same thing happened. Turned it off manually and when I turned it on windows did a big chckdisk thing. I also have some kind of icon that shows blocked startup programs called system configuation utility. I'm thinking it's a virus. Should I run a virus cleanup program? If so, what? Thanks, Judy

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

here is my log:
ComboFix 10-01-04.01 - claire 01/05/2010 14:09:43.2.2 - x86
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3062.2075 [GMT -6:00]
Running from: c:\users\claire\Desktop\commy.exe
Command switches used :: /stepdel
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\$recycle.bin\S-1-5-21-3878062665-890052964-3471927553-500
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-05 20:15 . 2010-01-05 20:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-03 09:00 . 2010-01-03 09:00 -------- d-----w- c:\program files\MSXML 4.0
2010-01-02 06:49 . 2010-01-02 06:50 -------- d-----w- c:\program files\Microsoft Location Finder
2010-01-02 06:49 . 2010-01-02 06:50 -------- d-----w- c:\program files\Microsoft Streets and Trips Essentials
2010-01-02 06:46 . 2010-01-02 06:47 -------- d-----w- c:\program files\Encarta
2010-01-02 06:41 . 2010-01-02 06:45 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2010-01-02 06:39 . 2010-01-02 06:40 -------- d-----w- c:\program files\microsoft money
2010-01-02 06:28 . 2010-01-02 06:28 -------- d-----w- c:\windows\system32\URTTEMP
2010-01-02 06:27 . 2010-01-02 06:27 -------- d-----w- c:\program files\Microsoft Works Suite 2006
2010-01-01 21:08 . 2010-01-01 21:32 -------- d-----w- c:\program files\Snood 4
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\programdata\Norton
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\windows\system32\drivers\NSS
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\program files\Norton Security Scan
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\programdata\NortonInstaller
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\program files\NortonInstaller
2009-12-28 04:53 . 2009-12-28 04:54 -------- d-----w- c:\windows\system32\Adobe
2009-12-26 07:15 . 2009-12-26 07:15 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-09 22:30 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 22:30 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 22:30 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-08 22:57 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 09:03 . 2009-09-26 03:39 -------- d-----w- c:\program files\Microsoft Works
2010-01-02 06:52 . 2009-09-26 00:30 94808 ----a-w- c:\users\claire\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-31 19:11 . 2009-09-26 03:41 -------- d-----w- c:\programdata\Symantec
2009-12-20 21:43 . 2009-09-26 03:51 -------- d-----w- c:\program files\Java
2009-12-14 05:55 . 2009-10-02 01:31 204 ----a-w- c:\users\claire\AppData\Roaming\wklnhst.dat
2009-12-09 23:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 22:30 . 2009-09-26 03:47 -------- d-----w- c:\programdata\Microsoft Help
2009-12-03 01:03 . 2009-09-26 01:05 -------- d-----w- c:\programdata\McAfee
2009-11-27 09:19 . 2009-11-27 09:19 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-27 09:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-27 09:19 . 2009-11-27 09:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-26 19:49 . 2009-11-26 19:49 680 ----a-w- c:\users\claire\AppData\Local\d3d9caps.dat
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-11-26 17:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-21 06:40 . 2009-12-08 22:58 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 22:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-08 22:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-08 22:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 00:48 . 2009-11-17 00:48 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2009-11-17 00:47 . 2009-11-17 00:47 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-11-01 16:31 . 2009-11-01 16:31 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 09:17 . 2009-11-25 09:00 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-11 10:17 . 2009-09-26 01:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 21:08 . 2009-11-27 09:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-11-27 09:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-11-27 09:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-26 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-19 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NetFxUpdate_v1.1.4322"="c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" [2004-08-10 106496]

c:\users\claire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d4,e9,fe,19,bf,6e,ca,01

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/25/2009 7:15 PM 93320]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 8:23 PM 21504]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/25/2009 9:50 PM 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 4:25 AM 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-09-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-01-01 c:\windows\Tasks\Norton Security Scan for claire.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-31 19:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 14:15
Windows 6.0.6002 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...


c:\users\claire\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hȋdden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-01-05 14:18:20
ComboFix-quarantined-files.txt 2010-01-05 20:18

Pre-Run: 59,338,997,760 bytes free
Post-Run: 59,284,090,880 bytes free

- - End Of File - - 21F33F6E7A349B77449BEB974C4C50E7

Please download Cheetah-Anti-Rogue, and save to your Desktop.

• Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  
• Double-click on Cheetah-Anti-Rogue.cmd to start.
  
• It will finish quickly and launch a log.
  
• Post the contents of it in your next reply.

Cheetah Anti-Rogue v1.0.22
by DragonMaster Jay

Microsoft Windows [Version 6.0.6002]
Tue 01/05/2010 16:20:42.03


-- Known infection --



If objects found, full virus scan or anti-malware scan necessary


EOF

Please download Malwarebytes Anti-Malware from here.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

DragonMaster Jay,
Tried to run Mbam. Kept freezing and I had to turn off the computer manually after it sat there for over 15 minutes each time it got to a certain point. Ran it in safe mode 3 times. It detedcted 3 infected files but would freeze up again and I would have to manually shut down the computer.
The last two times in safe mode I noted that it stopped at this file
c:\backup\09-09-25 0553PM\Windows\Installer\$PatchCache$\Manger\00002119F20000000000000000F01Fec\12.0.6215\MSO.DLL
Again, I would have to manually shut down the computer even in safe mode.
I did have to do a factory restore and it may have been around Sept. 9, 09 if that helps at all.

Thanks for all your time.
Judy

Please download the Kaspersky AVP Tool from Kaspersky-labs.com.

• Save it to your desktop.
  
• Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
  
• Double click the setup file to run it.
  
• Click Next to continue.
  
• It will by default install it to your desktop folder.Click Next.
  
• Hit ok at the prompt for scanning in Safe Mode.
  
• It will then open a box There will be a tab that says Automatic scan.
  
• Under Automatic scan make sure these are checked:
  
  
  • System Memory
    
  • Startup Objects
    
  • Disk Boot Sectors.
    
  • My Computer.
    
  • Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

• Then click on Scan at the to right hand Corner.
  
• It will automatically Neutralize any objects found.
  
• If some objects are left un-neutralized then click the button that says Neutralize all
  
• If it says it cannot be Neutralized then chooose The delete option when prompted.
  
• After that is done click on the reports button at the bottom and save it to file name it Kas.
  
• Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

I am scanning with Kaspersky in safe mode right now. It seems to have frozen during the autoscan about the same place c:\backup\09-09-250554p...\system.speech.dll. This is the same spot McAfee would freeze and that got my attention to contact geekpolice.

I will let it go a while longer (it's been frozen for about 10 minutes). Then I will probably shut down the computer and try to run Kaspersky again.
Questions: I still want my McAfee virusscan, et.al turned off for this right? When I set up the Kaspersky autoscan I did not check Partion_1 (c:), Recovery (d:), but I did check CD Drive (e:) as well as the other items you listed to be checked. Is that correct?
Thanks, Judy

Ok.

Go to the link below and download Microsoft Malicious Tool remover.

http://www.microsoft.com/security/malwareremove/default.mspx

After you have installed and run it that, come back and tell me if there has been a change.

OK, I will. BTW, I did get Kaspersky to run again for awhile. It said it found 7 items and at least one was a trojan...Torjan-dropper.Win32.Agent.azhd. It could not neutralize so I had it delete and then the system froze again. Kaspersky never could finish the scan and the computer did a crach dump that said STOP:0x00008086.
Judy

Well, let's see what Microsoft's tool says.

Running Microsoft Mal Removal on the laptop and it is frozen at the same file
MaAfee froze at C:\Backup\09-09-25 0554PM\Program Foles\Reference Assemblies\...\System.Speech.dll
Still have it running but it hasn't done anything for about 15 min.

Hey DragonMaster Jay,
FYI, there is an icon on my toolbar that says "blocked startup programs". When I click on it it has a user account control window come up (this is w/ Vista) and asks if I started this action click continue. It lists System Configuration Utility by Microsoft Windows. I'm suspicious that this is part of the virus-scam so I have not clicked continue to open it but have x-ed out of it. Could this be causing all the malware programs to freeze before completing?

Not sure.

Please download RootRepeal from GooglePages.com.

• Extract the program file to your Desktop.
  
• Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  
  
  
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
  
  
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  
• When done, click on Save Report
  
• Save it to the Desktop.
  
• Please copy/paste the contents of the report in your next reply.
  

Please remove any e-mail address in the RootRepeal report (if present).