TechSpot

Abebot Virus Scan Logs after Combofix

By Jaumer
Apr 8, 2008
  1. Blind Dragon,

    A few days ago I posted and the thread got closed before I could post my follow-up logs. I am pasting your response to my initial post as well as the three log files.

    "Hi and welcome to TS,

    First off what can you tell me about this DomainName = towson.local

    Also I see you have some CA products for anti-virus do you also have an active firewall through them?


    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.
    At the end, be sure a checkmark is placed next to
    Update Malwarebytes' Anti-Malware
    and Launch Malwarebytes' Anti-Malware
    then click Finish.
    If an update is found, it will download and install the latest version.
    Once the program has loaded, select Perform full scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    Combofix
    Download Combofix to your desktop.
    Double click combofix.exe & follow the prompts.
    A window will open with a warning.
    Type "1" (and Enter) to start the fix.
    When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt"


    Here are the three log files.
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Any idea as to why the thread was closed? I was curious about that.

    I will have a look and post back shortly.
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word KILLALL:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.




    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.




    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report to your next reply.
     
  4. Jaumer

    Jaumer TS Rookie Topic Starter

    Here are the latest log files for Combofix and HJT

    Here are the log files for Combofix and the new HJT after the Combofix was run. I am getting ready to do the ATF Cleaner and Kaspersky Online AV Scanner.
     
  5. Jaumer

    Jaumer TS Rookie Topic Starter

    Sorry the new Combofix will not load

    It is telling me that I already posted to you. It will not let me reattach the new Combofix file.
     
  6. Jaumer

    Jaumer TS Rookie Topic Starter

    Question

    When I drag the cfscript.txt file onto the combofix it asks to open with, and I click it, then the blue box only appears for a second and disappears. It is not taking the time it did the first time to run. Is that right? And it will not let me attach the new log file because it says I did already in my last thread.

    Confused.... OK, running those other programs.

    Thanks for all your help
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Go up to the top, in the blue cross bar, click edit profile

    Scroll down the left pane and select Attachments, remove all that are there and try again

    And for combofix make sure all programs/other windows (including this one) are closed
     
  8. Jaumer

    Jaumer TS Rookie Topic Starter

    OK, got rid of attachments

    But I still cannot get combofix to run by dragging the cfscript.txt file onto it. A Run window opens and I click Run, then a blue box appears for a split second and closes. When I look at the Combofix.txt log file it is still dated yesterday, so it is not running. Not sure what to do here?

    Thanks
    jeff
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Combofix needs to be installed to your desktop. If it is not please go to Start -> run -> type combofix /u

    Download through the previous link and make sure to install it to your desktop
     
  10. Jaumer

    Jaumer TS Rookie Topic Starter

    Combofix

    It is installed on the desktop, and when I type the combofix /u in the run window it does the same thing: it opens and a blue box flashes, then goes away. I even used the old link you provided to combofix and it asks me to install it, and when I do to the desktop it asks if I want to replace the existing combofix.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Launch Hijackthis -> Select do a system scan and save a log

    attach it here

    We need to make sure anti-scripting is disabled with your anti-virus.
     
  12. Jaumer

    Jaumer TS Rookie Topic Starter

    OK

    I installed combofix and dragged the cfscript.txt onto it and it finally ran.
    Attached is that log file and also the new HijackThis log file.

    I will now run the ATF Cleaner and Kaspersky AV Scan.
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    ok, one more time

    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
  14. Jaumer

    Jaumer TS Rookie Topic Starter

    Encountered another problem

    OK, when I drag this script onto combofix it runs like normal: the blue box appears with the warning about the clock setting and stating it could take up to 20 minutes. It never finishes. The blue box just hangs there and I have to reboot.

    Any suggestions?

    Thanks again
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Through the control panel

    Open Windows Defender
    Click on Tools, General Settings.
    Scroll down and uncheck Turn on real-time protection (recommended).
    After you uncheck this, click on the Save button and close Windows Defender.

    Retry the CFScript.

    If it doesn't work we will move on, with different instructions altogether.
     
  16. Jaumer

    Jaumer TS Rookie Topic Starter

    OK finally ComboFix worked

    I did not have to do the Windows Defender instructions above. I ran the combofix with the latest CFScript file again and let the ComboFix window stay open overnight, and it finished at some point. I have attached that log file and the new HijackThis log file to this email.

    Thanks again
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O4 - HKLM\..\Policies\Explorer\Run: [p7mMhwqPB7] C:\Documents and Settings\All Users\Application Data\dqtmnoby\vsxkzuxm.exe

    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files or folders:

    Folders:
    C:\Documents and Settings\All Users\Application Data\dqtmnoby <-This folder only

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log



    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report to your next reply.
     
  18. Jaumer

    Jaumer TS Rookie Topic Starter

    Latest Tests

    OK, here is the HijackThis log file and the Kaspersky scan log file.

    A few things. When I booted into safe mode I had to boot into safe mode with networking..... otherwise it would not let me log onto the computer; it said bad domain.

    So I booted into safe mode with networking, logged in, did the HijackThis and fixed the file you stated.....

    Also, under Windows Explorer I looked for the folder C:\Documents and Settings\All Users\Application Data\dqtmnoby in order to delete it. I could not find it and ran a complete search of C:\ to see if it were there. Nothing found.

    So I rebooted to normal mode and ran HijackThis and Kaspersky Online AV Scanner.

    Attached are the files
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Everything looks good! Just need to clean up a bit. Are you having any more symptoms/problems with the computer?

    Run a scan with Hijackthis, check this entry, close all other windows and select fix checked
    O21 - SSODL: AvpSys - {2ea11fd0-0d77-4d7c-b952-cdefce498e81} - (no file)


    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    ---------------------------------------------------------------------------
    I recommend you keep
    1 anti virus program
    1 firewall
    Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

    For Spybot you can download the latest version from HERE.

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

    And just to be sure
    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
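    The two HijackThis entries in this thread (the O4 HKLM\..\Policies\Explorer\Run item in post 17 and the O21 SSODL item above) are both registry autorun locations, and both showed the same warning signs: a target under a user-data folder, or no file at all behind the entry. As an added example that is not part of this thread or of any tool it mentions, the PowerShell script below enumerates those two locations and flags entries with a missing or user-data-path target; it assumes Windows PowerShell 3.0 or later and read access to HKLM (the 2008 XP machine in this thread would not have had PowerShell installed by default).

```powershell
# Added example (not from the thread): list the two autorun locations that
# HijackThis reported here as O4 (Policies\Explorer\Run) and O21 (SSODL) and
# flag entries whose target file is missing or lives under a user-data path.
# Assumes Windows PowerShell 3.0+ with rights to read HKLM.

$locations = @(
    @{ Tag = 'O4  Policies\Explorer\Run'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' },
    @{ Tag = 'O21 SSODL'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' }
)

function Resolve-AutorunTarget {
    param([string]$Value)
    # SSODL values hold a CLSID; the loaded DLL is that class's InprocServer32 default value.
    if ($Value -match '^\{[0-9a-fA-F-]{36}\}$') {
        $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$Value\InprocServer32" `
                                -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)') {
            return [Environment]::ExpandEnvironmentVariables($srv.'(default)')
        }
        return $null   # no registered server: HijackThis shows this as "(no file)"
    }
    # Run values are command lines; keep only the image path (quoted or first token).
    $exe = if ($Value -match '^"([^"]+)"') { $Matches[1] } else { ($Value -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

foreach ($loc in $locations) {
    $key = Get-Item -Path $loc.Path -ErrorAction SilentlyContinue
    if (-not $key) { continue }   # key absent means nothing is registered there
    foreach ($name in $key.GetValueNames()) {
        $raw    = [string]$key.GetValue($name)
        $target = Resolve-AutorunTarget -Value $raw
        $flags  = @()
        if (-not $target -or -not (Test-Path -LiteralPath $target)) {
            $flags += 'no file'
        } elseif ($target -match '\\Application Data\\|\\AppData\\|\\Temp\\') {
            # Legitimate autoruns almost never launch from per-user data folders.
            $flags += 'user-data path'
        }
        [pscustomobject]@{
            Location = $loc.Tag
            Name     = $name
            Value    = $raw
            Target   = $target
            Flags    = ($flags -join ', ')
        }
    }
}
```

Entries with an empty Flags column still deserve a look, but the two patterns flagged here are exactly what the O4 and O21 lines in this thread exhibited.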
     
  20. Jaumer

    Jaumer TS Rookie Topic Starter

    OK

    Blind Dragon,

    Should I remove the other programs such as, ATF Cleaner, and HijackThis? I did install Spybot S&D and still have Malwarebytes on this PC.

    I really appreciate all your help....And to answer your first question in the last post....

    I have not seen anymore symptoms/problems on the PC.

    Thanks Again
    Jeff
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You can remove Hijackthis from add/remove programs in the control panel.

    I would keep ATF cleaner and MBAM for as long as you want. They are great tools and are safe for day to day use without experience. If you have questions about either feel free to ask anytime.

    Should you have any more problems please let me know through this thread.

    Regards,

    Blind Dragon

    THE INSTRUCTIONS IN THE ABOVE THREAD ARE FOR THE ORIGINAL POSTER ONLY SHOULD YOU HAVE SIMILAR PROBLEMS PLEASE START YOUR OWN THREAD IN OUR SECURITY SECTION FOUND http://www.techspot.com/vb/menu28.html
     