TechSpot

8 steps completed, here's my logs

By nb1106
Jan 26, 2009
  1. mflynn

    mflynn TS Rookie Posts: 2,793

    Nolan, we seem to be losing ground

    COMBOFIX-Script
    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File::
    c:\windows\mqcd.dbt
    c:\windows\system32\rkoq.pxf
    c:\windows\system32\odjan.wa
    c:\windows\system32\kei1w.an
    c:\windows\system32\kdoqmn.sr
    c:\windows\system32\doqkm.zt
    c:\windows\system32\drivers\cmudaxu.sys.bak
    c:\windows\adobe.bat
    c:\windows\DUMP856c.tmp
    c:\documents and settings\Nolan Brassard\Application Data\ipomoqeb.reg
    c:\program files\Common Files\sazunep.inf
    c:\documents and settings\Nolan Brassard\Application Data\awelifu.sys
    c:\documents and settings\Nolan Brassard\Application Data\kixad.pif
    c:\program files\Common Files\ymuko.dll
    c:\documents and settings\Nolan Brassard\Application Data\ovusov.bat
    c:\documents and settings\Nolan Brassard\Application Data\ozej.pif
    c:\program files\Common Files\ovahawaj.sys
    c:\documents and settings\Nolan Brassard\Application Data\kyfykeb.com
    c:\program files\Common Files\ajab.com
    c:\documents and settings\Nolan Brassard\Application Data\imaxuda.com
    c:\documents and settings\Nolan Brassard\Application Data\wagehi.dat
    c:\program files\Common Files\elupepiw.dat
    c:\program files\Common Files\kabos.dat
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
    "Debugger"=c:\windows\system32\alg.exe
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
    "Debugger"=c:\windows\system32\alg.exe
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
    "Debugger"=c:\windows\system32\alg.exe
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
    "Debugger"=c:\windows\system32\alg.exe
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
    "Debugger"=c:\windows\system32\alg.exe
    
    Then drag this script and drop on top of ComboFix.

    ComboFix will now run a scan on your system.

    It may reboot your system when it finishes. This is normal.

    When finished, it will create a log. Attach the log back to us.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Post its log followed by another ComboFix without the Script!

    No reboot!

    Then go back to where you got Norman and DrWeb and do Kaspersky.

    After this if not successful, I hate to say, we may be looking at a format!

    Mike
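    The Registry:: section of the script above removes Image File Execution Options (IFEO) subkeys whose "Debugger" value redirects a.exe, matrix31290.exe and the ~tmp*.exe names to alg.exe, so that launching those names runs a different binary instead. The following is an added example, not part of the thread and not a ComboFix feature: it parses an offline registry export of the IFEO key (the kind produced by the built-in `reg export` command) and lists every subkey that carries a Debugger value, marking the ones whose executable is not on a small allow-list of real debuggers. The allow-list KNOWN_DEBUGGERS and the sample export text are constructed assumptions; a custom but legitimate debugger would also be flagged for review.

```python
"""Audit a `reg export` of the IFEO key for Debugger redirections.

Added example, not part of the thread: KNOWN_DEBUGGERS is an assumed allow-list
and SAMPLE_REG_EXPORT is a constructed sample, not data from any real machine.
"""

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" + "\\")

# Heuristic allow-list (assumption): executables that legitimately show up as IFEO debuggers.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

# Constructed sample in .reg export format. One entry is a normal WinDbg assignment,
# one mimics the alg.exe redirection the thread's CFScript deletes, one has no
# Debugger value at all and must not be reported.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe]
"Debugger"="c:\\windows\\system32\\alg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
'''


def _unescape(s):
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a 'Windows Registry Editor' export.

    REG_SZ values are decoded; other types (dword:, hex:) are kept as raw text.
    Unquoted values, as written in a ComboFix CFScript, are kept verbatim.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, raw = line.split("=", 1)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = _unescape(raw[1:-1])
        keys[current][name.strip('"')] = raw
    return keys


def _debugger_exe(cmdline):
    """Extract the lower-cased executable name from a Debugger command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):           # quoted path, possibly with arguments after it
        end = cmdline.find('"', 1)
        path = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        parts = cmdline.split()
        path = parts[0] if parts else cmdline
    return path.rsplit("\\", 1)[-1].lower()


def audit_ifeo_export(text):
    """List every direct IFEO subkey carrying a Debugger value, sorted by image name.

    'suspicious' is True when the debugger executable is not in KNOWN_DEBUGGERS.
    """
    findings = []
    for path, values in parse_reg_export(text).items():
        if not path.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = path[len(IFEO_PREFIX):]
        if "\\" in image or "Debugger" not in values:   # skip nested keys / no redirection
            continue
        debugger = values["Debugger"]
        findings.append({
            "image": image,
            "debugger": debugger,
            "suspicious": _debugger_exe(debugger) not in KNOWN_DEBUGGERS,
        })
    return sorted(findings, key=lambda f: f["image"].lower())


if __name__ == "__main__":
    for f in audit_ifeo_export(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['image']:<20} -> {f['debugger']}")
```

    On a live machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`, read back with `encoding="utf-16"` since that command writes Unicode; review the flagged entries before deleting anything, because the script only recognises a short list of real debuggers.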
     
  2. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    Here are the combo logs. I am leaving class now; I will run the scans when I get home. Is there a possibility that I have a hardware problem that is causing that blue screen? Although it only appears on scans. It appeared on my first attempt at applying that script to ComboFix as well. Then I rebooted and it worked fine the second time.
     
  3. mflynn

    mflynn TS Rookie Posts: 2,793

    This may be our last shot!

    Left Drag mouse and Copy for Pasting all text in the box below.
    Make sure the slider bar goes to bottom from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt.

    Code:
    @echo off
    cd\windows
    md save
    
    copy /v /y c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe c:\windows\save
    copy /v /y c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe c:\windows\save
    
    exit
    exit

    Then immediately reboot to the Recovery Console.

    Then print the below as it has to be manually typed into the recovery Console.

    copy save\svchost.exe system32
    copy save\svchost.exe system32\dllcache
    copy save\explorer.exe system32
    copy save\explorer.exe system32\dllcache
    ren system32\spoolsv.exe spoolsv.exz

    Overwrite answer yes
    Then type exit to reboot

    Then run ComboFix and attach the log!

    Mike
     
  4. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    Gonna reformat. Net's gone again; seems we're back to the start. Also both are still infected according to the combo scan. Would you suggest a specific way to reformat or no? And for future reference on this issue, be sure to tell people to not go online. Seems it got significantly worse rather quickly when going back online. It's all good though, a very good learning process for both of us and others. Thanks for all the help. Also the last line of that Recovery Console did not work.
     
  5. mflynn

    mflynn TS Rookie Posts: 2,793

    I agree it is time!

    Back up all important files emails etc to a portable or Flash drive but scan them well before putting them back.

    Full Format not quick. Get it installed and on the net! Add nothing else but Avira and Threatfire before even downloading windows updates.

    Once under the protection of the 2 above then Scan your backed up data on the other drive before putting it back! Actually scan entire backup drive.

    Good luck you went way beyond and I hope others can learn from this.

    Mike
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

  7. nb1106

    nb1106 TS Rookie Topic Starter Posts: 56

    Reformat went well; finished installing all needed programs, updates, and drivers. Thanks for all the help during that. I found some information today actually saying that the file uses an exploit in XP to spread itself as well. There is actually a Windows update to fix the exploit. Found the link today; I'll see if I can find it again, it was on my brother's computer.
     
Topic Status:
Not open for further replies.