WiredWX Christian Hobby Weather Tools
Registry Key Infected

My computer has been running sluggish lately, so I ran a spyware program (SUPERAntiSpyware) and it discovered nothing. So I ran Malwarebytes and it found 1 registry key, so I removed it and my computer started running normally again. However, on my next reboot the computer was running sluggish again, and when I ran Malwarebytes again it found the same registry key infection.

Here is my Malwarebytes log file:

Malwarebytes' Anti-Malware 1.44
Database version: 3640
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/26/2010 8:42:44 AM
mbam-log-2010-01-26 (08-42-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 173515
Time elapsed: 33 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Even though it says it is removed, it really isn't, because it pops up after every scan.

Re: Registry Key Infected

Also here is my Hijackthis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:49 AM, on 1/26/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
Z:\rw5main.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Mike Tigue\Desktop\AntiSpyware\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theinnatcanalsquare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0071204
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1a032c00-711b-4dc2-b6e3-ec3e5ffac0b2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: (no name) - {6A87B560-AF94-499B-A4C7-41F83FDD651A} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A9ABABC9-2567-4518-90EC-288A169DF388} - (no file)
O2 - BHO: (no name) - {BE58E5AB-7B7A-4546-A43B-4E398E3E18AC} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198952544106
O17 - HKLM\System\CCS\Services\Tcpip\..\{2155033A-89F1-42A9-A665-425CAD2EC975}: NameServer = 192.168.3.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2155033A-89F1-42A9-A665-425CAD2EC975}: NameServer = 192.168.3.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{2155033A-89F1-42A9-A665-425CAD2EC975}: NameServer = 192.168.3.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqRhEvS - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9762 bytes
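As an added triage example (not code from this thread, from HijackThis, or from its author), the Python script below scans lines in HijackThis log format and flags the entries a helper reads first: a BHO (O2) whose DLL is gone, a Winlogon Notify entry (O20) that does not point at a DLL or has a random-looking name, and a service (O23) whose binary is missing. The sample lines are a constructed subset modelled on the log above, and the "random name" check is a crude case-transition heuristic that is an assumption of this example.

```python
import re

# Constructed sample in HijackThis log format, modelled on entries from the log
# above (a small subset, not the full log). Raw string keeps backslashes literal.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqRhEvS - C:\WINDOWS\
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

# Every HijackThis entry starts with a section code such as O2, O4, O20, O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def case_transitions(name):
    """Count upper/lower switches between consecutive letters.

    Crude heuristic (an assumption of this example): names like ssqRhEvS
    flip case far more often than human-chosen names like SASWinLogon.
    """
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def triage_line(line):
    """Return the reasons one HijackThis line deserves a closer look ([] if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if section == "O2" and body.endswith("(no file)"):
        reasons.append("BHO still registered but its DLL is gone (orphan or hidden component)")
    elif section == "O20" and body.startswith("Winlogon Notify:"):
        # Winlogon Notify packages are DLLs loaded into winlogon.exe at logon,
        # so a healthy entry names a .dll file; a bare directory is abnormal.
        name, _, target = body[len("Winlogon Notify:"):].strip().partition(" - ")
        if not target.lower().endswith(".dll"):
            reasons.append("Winlogon Notify target is not a DLL path")
        if case_transitions(name) >= 4:
            reasons.append("Winlogon Notify name looks machine-generated")
    elif section == "O23" and body.endswith("(file missing)"):
        reasons.append("service registered for a binary that no longer exists")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons; clean lines and blanks are skipped."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample it flags three of the seven lines; a flagged entry is a lead to investigate, not proof of infection.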

Re: Registry Key Infected

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Re: Registry Key Infected

OK, I followed the instructions and downloaded ComboFix and then ran it. I made sure my firewall and antivirus programs were turned off. I then got an error message about halfway through the scan that said ComboFix must restart because it had detected a rootkit. It then restarted my computer and it's been blue-screening ever since. It won't even allow me to get into Safe Mode or run normally, and the Recovery Console blue-screens as well.

The Technical Information on the blue screen was:

Stop: 0x000000CE (0xBA3BABDE, 0x00000008, 0xBA3BABDE, 0x00000000)
Fdc.sys

Re: Registry Key Infected

The error on the blue screen is saying:

Page_fault_in_nonpaged_area

Re: Registry Key Infected

That is weird. Why would ComboFix delete the Floppy Disk Controller driver? I have reported that info to the developer.

Well, anyway, we will have to do a system repair. All of your data will be fine.

Do you have your XP disc?

Last edited by DragonMaster Jay on 26th January 2010, 7:59 pm; edited 1 time in total

Re: Registry Key Infected

I still have the Dell Reinstallation CD for XP Pro Service Pack 2

Re: Registry Key Infected

  1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
  2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  3. If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
  4. When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.
  5. At the Recovery Console command prompt:

Type cd system~1\_resto~1 and press "Enter".

Type dir and press "Enter".

After you press Enter you will see a list of folders (like rp1, rp2). If the list of restore points has more than one page, press the "Enter" key until you reach the end of the list.

Type cd rp{number of the second-to-last folder in the list} and press "Enter".
Note: Example: cd rp9 if the last restore point is rp10

Type cd snapshot and press "Enter".

Type copy _registry_machine_system c:\windows\system32\config\system and press "Enter".

Type copy _registry_machine_software c:\windows\system32\config\software and press "Enter".

Type exit and press "Enter".

Your PC will reboot.

=======================

If you get an access denied error when doing the above, then do the following at the recovery console:

Type cd \ and press "Enter".

Type cd windows\system32\config and press "Enter".

Type ren system system.bak and press "Enter".

Type exit and press "Enter".

Your PC will reboot, go back into the Recovery Console and start from the beginning.

Re: Registry Key Infected

When I boot from the CD and get to the Recovery Console, the only installation option is 1: C:\Windows. So I chose #1, and then when I type cd system~1\_resto~1 it says that the system cannot find the file or directory.

Re: Registry Key Infected

Also, when I do this: Type ren system system.bak and press "Enter", it says: "A file or directory with the name system.bak already exists."

Re: Registry Key Infected

OK. Type the following and tell me what it says:

DIR /a/s C:\WINDOWS\fdc.sys

Re: Registry Key Infected

At C:\Windows I typed DIR /a/s C:\Windows\fdc.sys and it said that the parameter is not valid.

Re: Registry Key Infected

Actually, anything I do with DIR /a/s comes up with "parameter is not valid". It does show that the volume of the C drive has no name, and the serial number, but if I just type DIR /a/s it then says C:\a\s The system cannot find the file or directory specified.

Re: Registry Key Infected

Since there is already a file named System.bak, is it possible to rename the system file to something else, like system.bac, or would that really mess up something else?

Re: Registry Key Infected

Try DIR C:\Windows\fdc.sys

Re: Registry Key Infected

DragonMaster Jay wrote:
Try DIR C:\Windows\fdc.sys

I will try that when I get back to work. What exactly should I be looking for it to do?

Re: Registry Key Infected

It should give you the location(s) of that file.

If that command does not work, then try this one as well:

dir C:\windows\system32\drivers\fdc.sys

Re: Registry Key Infected

When I did DIR C:\Windows\FDC.sys it said file not found.

However, when I did DIR C:\Windows\System32\drivers\fdc.sys it said:

08/04/04 06:00a -a------ 27392 FDC.SYS

Re: Registry Key Infected

I have tried to ren system system.bak, but it keeps saying there is a file with that name already. When I checked the dir I found a file named System and one named System.bak, and both have the same date on them and the same file size, but the system.bak was created 1 minute after the System file. Could it be possible to rename system to something else so that the cd system~1/_resto~1 can work?

Re: Registry Key Infected

OK. Please open the computer tower and unhook the floppy disk drive. Then, see if the computer can boot up.

To do this, please follow these instructions:

  • Open the computer tower, touch an unpainted metal surface, and find the cable that goes to the floppy drive, and disconnect it.
  • Then, close the computer case and start the computer. Does it blue screen now?

Re: Registry Key Infected

DragonMaster Jay wrote:
OK. Please open the computer tower and unhook the floppy disk drive. Then, see if the computer can boot up.

To do this, please follow these instructions:

  • Open the computer tower, touch an unpainted metal surface, and find the cable that goes to the floppy drive, and disconnect it.
  • Then, close the computer case and start the computer. Does it blue screen now?

Yes, it still blue-screens with the floppy drive unplugged.

The error message on the blue screen says:

Driver_Unloaded_Without_cancelling_pending_operation

Re: Registry Key Infected

I know it says not to reply to your own threads, but I was thinking of a solution. Instead of doing "ren system system.bak", could I just rename the driver that is causing the error? For example: "ren fdc.sys fdc.old". Or am I going down the wrong thought process here?

Re: Registry Key Infected

Might later.

Anyway, time to do a "ComboFix undo" to reverse the changes ComboFix made.

1. Please reboot into the Recovery Console as you did before.

2. You must enter which Windows installation to log onto. Type 1 and press Enter.

3. At the C:\Windows prompt, type the following command and press Enter:

set allowallpaths = true

4. At the next prompt, type without the quotes "cd erdnt\subs" and hit Enter.

5. At the next prompt, please type in the following without the quotes: "batch erdnt.con" and hit Enter.

The ERUNT backups should begin copying backup files. At the next prompt after it is complete, type exit.

Shut down. Hook up the floppy drive again.

Kindly reboot your PC and tell me if Windows is loading now.

Re: Registry Key Infected

DragonMaster Jay wrote:
Might later.

Anyway, time to do a "ComboFix undo" to reverse the changes ComboFix made.

1. Please reboot into the Recovery Console as you did before.

2. You must enter which Windows installation to log onto. Type 1 and press Enter.

3. At the C:\Windows prompt, type the following command and press Enter:

set allowallpaths = true

4. At the next prompt, type without the quotes "cd erdnt\subs" and hit Enter.

5. At the next prompt, please type in the following without the quotes: "batch erdnt.con" and hit Enter.

The ERUNT backups should begin copying backup files. At the next prompt after it is complete, type exit.

Shut down. Hook up the floppy drive again.

Kindly reboot your PC and tell me if Windows is loading now.

No, it is still blue-screening, with the same error.

Re: Registry Key Infected

Make sure to note the spaces in between these items.

In the Recovery Console, type in exactly:

copy C:\Windows\System32\DriverStore\FileRepository\fdc.inf_0c3c0ab2 C:\

ren C:\fdc.inf_0c3c0ab2 fdc.sys

copy C:\fdc.sys C:\windows\system32\drivers\fdc.sys

Re: Registry Key Infected

I typed in: copy C:\Windows\System32\DriverStore\FileRepository\fdc.inf_0c3c0ab2 C:\
And it said the system cannot find the file specified.

Edit: It looks like I do not have a DriverStore in my system32 directory.

Re: Registry Key Infected

Did you say you can or cannot boot to the XP setup?

I recommend a repair install: http://michaelstevenstech.com/XPrepairinstall.htm

Re: Registry Key Infected

DragonMaster Jay wrote:
Did you say you can or cannot boot to the XP setup?

I recommend a repair install: http://michaelstevenstech.com/XPrepairinstall.htm

I can't boot into Windows either, through Safe Mode or regular. It takes me to the Windows screen but the scroll bar doesn't move, and then after about 5 seconds on the Windows screen it goes to the BSoD.

In regards to your other instructions, as I said, I don't have a DriverStore but I do have a DrvStore. However, it does not have a FileRepository in it.

Re: Registry Key Infected

Would doing this do anything for me?

rmdir c:\windows\prefetch

md c:\windows\prefetch

Or, back to my renaming the troubled driver, would it work if I did:

cd c:\windows\system32\drivers

ren fdc.sys fdc.old

copy c:\windows\system32\dllcache\fdc.sys c:\

Of course, at that point I don't know if I just reboot or if I need to recopy it back into the windows/system32/drivers directory a second time?

Re: Registry Key Infected

Update:

I didn't try my above idea because I wasn't 100% sure if it would work or make things worse. But what I did do was go into the BIOS and switch my floppy drive controller from Internal to USB, and it allowed Windows to boot up. However, ComboFix is now finishing its original scan that I started yesterday. Is that a good thing or a bad thing? I guess at this point it doesn't matter, because I am too afraid to cancel the scan.

Edit: ComboFix scan completed. It deleted a file in the system32\drivers directory, but it went too fast and I couldn't read it. It also said that c:\windows\system32\drivers\fdc.sys is infected and it will restore it. Then after about 3 minutes it went to my desktop with no desktop icons on it, and then a mini cmd blue screen came up that says "Rebooting Windows....Please Wait". However, that rebooting Windows screen has been up now for about 20 minutes. Any suggestions, or should I manually reboot Windows?

Note: The computer is not locked up, though, which is why I am hesitant to manually reboot it myself.

Re: Registry Key Infected

Go ahead and manually reboot. After that file gets restored, it should be fine.

ComboFix should not freeze up.
