Combofix deleted system files during Malware Removal Guide?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by computeruser333, Oct 8, 2009.

  1. computeruser333

    computeruser333 Private E-2

    I have a Dell Studio 15 laptop on which I am running Vista 32-bit. I suspected malware on my system and followed your Malware Removal Guide. But when I reached the Combofix step, everything went to hell. Here’s the full story:

    A few weeks ago, I was cleaning the house and found a stack of old CDs from many years ago. I figured I’d put the files on the laptop, sort through them, and get rid of the CDs. In retrospect, I learned that one of the CDs from a friend had a cracked version of Age of Empires on it, but I didn’t know that at the time. I unwittingly copied that file onto the laptop twice because it was on two different CDs.

    I didn’t realize there was a problem until last week. Spybot picked up a bunch of tracking cookies during a routine scan, which was odd because I am pretty vigilant about cookies. I removed them and moved on. Later, I checked the cookies list in Firefox, and I saw that the tracking cookies were still there. I tried deleting them, but they remained. I clicked delete again, and they appeared to be deleted. However, when I reopened the Firefox cookie viewer, they reappeared. I tried to delete all cookies, and all cookies were deleted except the offenders. This was the only symptom of malware I noticed.

    I ran Spybot again, and it didn’t pick up anything. I ran AdAware, and it didn’t pick up anything either. I booted in safe mode and got some results. Spybot picked up the tracking cookies, and AdAware picked up two instances of Win32TrojanAgent. It traced them to the two Age of Empires files from the CDs, which I quarantined and removed.

    I wasn’t sure if the system was really clean, so I did some research using my desktop and found your site. I started your Malware Removal Guide with the intention of posting afterwards with the logs, but I ran into major problems before I could finish.

    I’m not sure if this is relevant, but I had trouble uninstalling Java 6 Update 3. I got an error message when I tried to uninstall it using the Add/Remove Programs utility, so I downloaded the Windows Installer Cleanup Utility and tried that. It removed the program from the Add/Remove Programs list, but when I downloaded the latest Java I could see that there were two environments running: the newest update and Update 3. I went in manually and deleted the folder that contained the Update 3 files, and now I can’t find any trace of Update 3.

    I continued following the guide, and there appeared to be nothing detected by either SUPERAntiSpyware or Malwarebytes Anti-Malware.

    I then disabled my McAfee antivirus and firewall and ran Combofix. I left the computer while it ran, and when I came back there was a notice from McAfee asking if I wanted to allow changes to the registry. Apparently there was some sort of McAfee registry monitor that I was unaware of, and I should have disabled it before starting Combofix. Doh!

    I allowed the changes so Combofix could do its thing. Several more messages about registry changes popped up, and I allowed them all. Immediately afterwards, I saved the log and tried to restart my antivirus and firewall. I got the following error message:

    “Illegal operation attempted on a registry key that has been marked for deletion.”

    Crap! I tried opening the Combofix log file so I could post it here and got the same message. Same thing when I tried to open the other logs, the Control Panel, and Firefox. I disconnected from the internet and left the computer on overnight because I didn’t know if a reboot would aggravate the situation.

    This morning, I tried to enable my antivirus and firewall again, and it worked. But I still get the same error message when I try to open the Control Panel, Firefox, Combofix log, SUPERAntiSpyware log, Malwarebytes log, and several other programs. Did I just lose a bunch of system files?
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It may be possible that Combo found infected registry keys, but without the log to look at, I can't say for sure.

    Have you tried doing a system restore?
     
  3. computeruser333

    computeruser333 Private E-2

    Good news! As I was replying to your message, I realized that I probably couldn't open the log files because there was an application problem, not a corruption of the files themselves. So I copied them onto an SD card and was able to open them on my desktop, even though I got an error message when I tried to open them on the laptop. I've attached them to this message.

    To answer your question, no, I've been keeping the system restore option in my back pocket, hoping to avoid it. I guess it might be time to bite the bullet depending on what the log files reveal.

    I had assumed that the registry keys were deleted because of McAfee's interference with Combofix's process, but I noticed in the log file that Windows Defender was enabled during the scan. I'm not sure how that happened because I always had Windows Defender turned off since I was using McAfee's firewall. Is there a setting that triggers it to turn on if a third party application's firewall is disabled?
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in those logs...but I still need you to attach the C:\MGLogs.zip.
     
  5. computeruser333

    computeruser333 Private E-2

    I can't run MGtools because I get the following error message:

    “Illegal operation attempted on a registry key that has been marked for deletion.”

    How can I restore the registry keys that are marked for deletion?
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What has marked the keys for deletion? And what are the keys? I need more info.
     
  7. computeruser333

    computeruser333 Private E-2

    I'm assuming that Combofix marked the keys for deletion because I didn't start getting the error message until after I ran it. I looked through the Combofix log file to see if I could tell which files were marked for deletion, but I came up empty.

    I don't know much about how the registry works, so I don't know how to identify which keys are marked for deletion. The error message doesn't provide any detail about the specific keys.

    If you could please point me in the right direction, I can try to get more info for you about the keys.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker, which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

    After running sfc, see if there is any change to the ability to run programs.
     
  9. computeruser333

    computeruser333 Private E-2

    When I try to run the System File Checker, I get the following error message:

    "C:\Windows\system32\sfc.exe
    Illegal operation attempted on a registry key that has been marked for deletion."
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you try running it in safe mode? On the Administrator account. Also, do you have another user account on the machine that you can log into and run it?
     
  11. computeruser333

    computeruser333 Private E-2

    I was able to run the System File Checker in both Safe Mode and the "Guest" account. I then rebooted in normal mode, and I am now able to open the programs that wouldn't start before without the registry key error message.

    I continued following the Malware Removal Guide and have uploaded the RootRepeal and MGtools logs.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. What issues are you still having?

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  13. computeruser333

    computeruser333 Private E-2

    We're back where we started with not being able to delete tracking cookies in Firefox.

    Last night I ran full scans of AdAware and Spybot in safe mode. AdAware's scan was clean, but Spybot picked up the following tracking cookies:

    AdRevolver
    Adviva
    Blue Streak
    BurstMedia
    CasaleMedia
    CoreMetrics
    DoubleClick
    FastClick
    Mediaplex
    Right Media
    Tradedoubler
    WebTrends live
    Zedo

    I used Spybot to remove the cookies and ran another scan that came up clean. I rebooted in safe mode and ran Spybot again: clean.

    I opened Firefox and went to "show cookies" in Tools>Options>Privacy. A huge list of cookies that were all obviously trackers appeared. It seemed to be larger than the last time I went through this routine, but I am not certain. I clicked "remove all cookies," and the list dwindled somewhat. I clicked it again, and the list was empty.

    Upon closing and re-opening the menu, the same huge list of tracking cookies appeared, and I went through the same routine: try to delete them, it doesn't fully work, then it seems to work, then I check again and they reappear.

    I rebooted in safe mode and ran Spybot again. It identified the same tracking cookies listed above. I went through this routine several times and got the same results.

    I checked the cookies folders to see if I could delete manually and was surprised that the cookies weren't there.

    The following files were in the administrator folder (C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies):
    • desktop.ini
    • username@updates.digitalpersona[2].txt
    • index.dat
    • a folder named "Low" that was empty

    The following files were in the guest folder (C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies):
    • guest@updates.digitalpersona[2].txt
    • index.dat
    • a folder named "Low" that contained another file named index.dat

    The default folder was empty (C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies).

    I believe that the DigitalPersona files are associated with the fingerprint reader on my laptop (which I keep disabled), so they may be legitimate.

    On one hand, I wonder if there is hidden malware that generates tracking cookies when I "delete" them, particularly because the Firefox cookies list seemed longer than last time (though I am not 100% sure of that).

    On the other hand, I wonder if the tracking cookies are simply hidden and designed to be stubborn when faced with removal attempts, without the aid of cookie-generating malware.

    Either way, I've exhausted my computer knowledge and don't know how to proceed aside from a system restore.

    I don't know where the malware and/or tracking cookies are located, how to find them, or how to get rid of them.
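    Editor's note on the post above: the C:\Users\...\Cookies folders it lists are the Windows/Internet Explorer cookie store, which is why no Firefox cookies turned up there. Firefox keeps its cookies in an SQLite database named cookies.sqlite inside the profile directory, in a table called moz_cookies. The following script is an added example, not something from this thread or from Mozilla, that shows how to inspect that store and remove cookies from chosen domains. It builds a small constructed database in memory with the Firefox 3 moz_cookies layout so it runs offline; the tracker host list and the sample rows are assumptions for the example (the thread names trackers such as DoubleClick and Zedo but not their domains). To run it against a real profile, pass the path of a copy of cookies.sqlite to open_store (Firefox locks the live file while it is running).

```python
"""Added example: inspect and prune a Firefox cookie store (cookies.sqlite).

Not code from the thread or from Mozilla. The in-memory database below is a
constructed sample using the Firefox 3 moz_cookies table layout.
"""
import sqlite3

# Constructed sample of tracker host suffixes (assumption for the example).
TRACKER_SUFFIXES = ("doubleclick.net", "zedo.com", "casalemedia.com")

# Column layout of moz_cookies as used by Firefox 3 (later versions add columns
# but keep the ones referenced here).
SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, lastAccessed INTEGER, isSecure INTEGER, isHttpOnly INTEGER
);
"""

# Constructed sample rows: host, name, value. A leading '.' marks a domain
# cookie that applies to all subdomains, exactly as Firefox stores it.
SAMPLE_ROWS = [
    (".doubleclick.net", "id", "deadbeef"),
    (".zedo.com", "FFgeo", "123"),
    ("ad.zedo.com", "ZCID", "abc"),
    ("www.example.com", "session", "keepme"),
    (".casalemedia.com", "CMID", "xyz"),
]


def open_store(path=":memory:"):
    """Open cookies.sqlite; for the in-memory case, create and populate the sample."""
    conn = sqlite3.connect(path)
    if path == ":memory:":
        conn.executescript(SCHEMA)
        conn.executemany(
            "INSERT INTO moz_cookies (host, name, value, path, expiry, "
            "lastAccessed, isSecure, isHttpOnly) VALUES (?, ?, ?, '/', 0, 0, 0, 0)",
            SAMPLE_ROWS,
        )
        conn.commit()
    return conn


def host_matches(host, suffixes=TRACKER_SUFFIXES):
    """True if the cookie host is one of the listed domains or a subdomain of one."""
    h = host.lstrip(".").lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)


def find_tracker_cookies(conn, suffixes=TRACKER_SUFFIXES):
    """Return (host, name) pairs for cookies set by the listed domains."""
    rows = conn.execute("SELECT host, name FROM moz_cookies ORDER BY host, name").fetchall()
    return [(h, n) for h, n in rows if host_matches(h, suffixes)]


def remove_tracker_cookies(conn, suffixes=TRACKER_SUFFIXES):
    """Delete the matching rows and return how many were removed."""
    hits = find_tracker_cookies(conn, suffixes)
    cur = conn.cursor()
    for host, name in hits:
        cur.execute("DELETE FROM moz_cookies WHERE host = ? AND name = ?", (host, name))
    conn.commit()
    return len(hits)


def count_cookies(conn):
    """Total number of cookies currently in the store."""
    return conn.execute("SELECT COUNT(*) FROM moz_cookies").fetchone()[0]


if __name__ == "__main__":
    store = open_store()
    for host, name in find_tracker_cookies(store):
        print(f"tracker cookie: {host} {name}")
    print("removed", remove_tracker_cookies(store), "remaining", count_cookies(store))
```

Running it on the sample removes the four cookies from the assumed tracker domains and leaves the www.example.com session cookie in place. A cookie that comes back after removal is simply set again the next time a page embedding that advertiser loads; blocking third-party cookies in Firefox's Privacy options is the setting that stops that, which is the point of the "Misconceptions about cookies" reply below.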
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is not a malware issue. I suggest you read this:
    Misconceptions about cookies.

    If you want more info, please ask in the software forum.
     
  15. computeruser333

    computeruser333 Private E-2

    I followed your advice and posted in the Software Forum because something still seems fishy, even if it's not malware related. As far as I know, cookies shouldn't be able to reappear after deletion while in safe mode without an internet connection! Hopefully we'll be able to figure it out in that forum.

    Thanks so much for taking the time to help me out over the past two weeks. I really appreciate it and would have been lost without you. :)
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your thread was caught in moderation. It is now available to the forum. Good luck.
     
