TechSpot

Combofix log.

By maize
Apr 5, 2007
  1. Hi Howard,

    Here is my fresh combofix file.

    Are they clean?

    Thanks
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    I have moved your post to its own thread.

    There are several entries in your Combofix log that are either nasty or suspicious.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of maize only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. maize

    maize TS Rookie Topic Starter Posts: 19

    Thank you very very very much.

    STEP11:

    Download the AVG Antirootkit programme. Disconnect from the net and install the programme, then restart your computer.

    Run the programme and click the "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path". Do not fix anything yet. Let me know what is found in your reply and I'll instruct you on how to proceed. Reconnect to the net.

    First of all, I want to thank you very much.
    After following your step1~step11, the AVG Anti-Rootkit scan result is:
    No rootkits found.
    BTW, the tool4 does not work. I mean that it cannot start scanning my computer.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's ok, no worries. Please post the requested log files.

    Regards Howard :)

     
  5. maize

    maize TS Rookie Topic Starter Posts: 19

    Thanks again!

    Hello, Howard

    First of all, I want to thank you very much.
    After following your step1~step11, the AVG Anti-Rootkit scan result is:
    "No rootkits found".
    BTW, the tool4 does not work. I mean that it cannot start scanning my computer.



    Howard, I have finished this step below.
    My questions are,
    How to "Reboot into normal mode and rehide your protected OS files"?
    and,
    After saving the report to my desktop, do I need to remove all reports?

    ps,
    What should I do now?

    Best Regards,

    maize
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You reboot into normal mode, simply by rebooting your computer.

    You rehide your protected OS files by doing the reverse of these instructions.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    You need to post the requested logfiles as attachments. See HERE for instructions.

    Regards Howard :)

     
  7. maize

    maize TS Rookie Topic Starter Posts: 19

    Howard,
    Thanks again.
    I see.
    BTW, before rebooting into normal mode and rehiding my protected OS files, do I need to remove all reports first (after saving the report to my desktop)?

    Edited by Moderator: Removed quote. There's no need to quote the post directly above your own, unless you're only replying to a specific section, in which case you would only quote that section. ;)
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No, you don't need to remove the reports, they'll still be on your desktop after you have rebooted into normal mode. Then, you need to attach them into your next reply.

    Regards Howard :)

     
  9. maize

    maize TS Rookie Topic Starter Posts: 19

    I mean, do I delete all these (618) virus files?

    All right. I see.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Which report says you have 618 virus files?

    Regards Howard :)
     
  11. maize

    maize TS Rookie Topic Starter Posts: 19

    After running AVG Antispyware, the report said that there are more than 619 high risk txx.. files.
    Did I misunderstand something?

    Just like this,

    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP113\A0008654.dll -> Adware.BHO : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP116\A0008933.dll -> Adware.BHO : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP112\A0008624.DLL -> Backdoor.Hupigon.emb : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP113\A0008673.DLL -> Backdoor.Hupigon.emb : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP116\A0008940.DLL -> Backdoor.Hupigon.emb : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP116\A0008953.DLL -> Backdoor.Hupigon.emb : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP116\A0009167.DLL -> Backdoor.Hupigon.emb : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP120\A0009432.DLL -> Backdoor.Hupigon.emb : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP122\A0009517.DLL -> Backdoor.Hupigon.emb : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP122\A0009547.DLL -> Backdoor.Hupigon.emb : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP123\A0009631.DLL -> Backdoor.Hupigon.emb : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP125\A0013915.DLL -> Backdoor.Hupigon.emb : No action taken.
    C:\System Volume Information\_restore{B64D3591-7AD5-4427-AA63-AF739FCEC00A}\RP125\A0013925.DLL -> Backdoor.Hupigon.emb : No action taken.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All you need to do, is attach the requested logfiles to your next reply. I'll then tell you how to proceed.

    The log files I need to see are as follows.

    HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    You must post them as attachments.

    Regards Howard :)

     
  13. maize

    maize TS Rookie Topic Starter Posts: 19

    Here is my HijackThis.log & combofix.txt attachment.

    The AVG Antispyware scan report txt cannot be uploaded, because they said:
    "Report-Scan-20070406-204154.txt:
    Your file of 167.1 KB bytes exceeds the forum's limit of 100.0 KB for this filetype."
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    A7F4835

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    A7F4835.EXE

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O23 - Service: A7F4835 - Unknown owner - C:\WINDOWS\system32\A7F4835.EXE (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\system32\A7F4835.EXE

    Reboot into normal mode and rehide your protected OS files.

    Run the Ccleaner programme as per step9 of these instructions.

    Then, run another AVG Antispyware scan and save the report.

    Attach the AVG Antispyware report as well as a fresh HJT log.

    Regards Howard :)

     
  15. maize

    maize TS Rookie Topic Starter Posts: 19

    Here is the AVG scan report:

    Report-Scan-20070406-204154_part1.txt
    &
    Report-Scan-20070406-204154_part2.txt
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All items in your AVG Antispyware log say "No Action Taken". This is because you didn't follow the instructions properly for AVG Antispyware. You need to tell AVG Antispyware to quarantine the results. See this guide HERE.

    Follow the instructions in my post above, then post a fresh HJT log as well as a fresh AVG Antispyware log.

    Regards Howard :)

     
  17. maize

    maize TS Rookie Topic Starter Posts: 19

    Howard,

    You are so nice and friendly. Thanks again.

    I did follow your instructions above.

    Here is the result.

    "When the window appears, maximise it. Double click on the following services(if there)" => yes

    "Click on the processes tab and end process for(if there)." => no

    "Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there)." => no

    Edited by Moderator: Removed quote. There's no need to quote the post directly above your own, unless you're only replying to a specific section, in which case you would only quote that section. ;)
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    However, your AVG Antispyware log still says all results have no action taken.

    Please do the following.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    Then, follow the instructions below very carefully.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    This is taken from HERE.

    Reboot your system and attach the AVG Antispyware log.

    Regards Howard :)

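    As an added example that is not part of this thread or of AVG Antispyware itself: a small Python triage script over report lines in the format quoted earlier in the thread. It separates hits that only live in System Restore points (the ones clearing restore points removes) from hits on live paths, and counts how many were left as "No action taken", which is the symptom Howard keeps pointing at. The GUID and file names in the sample are constructed.

```python
import re
from collections import Counter

# AVG Antispyware report lines have the shape:  <path> -> <detection> : <action>.
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\.?$")
# Files archived by System Restore on XP live under this folder (one RPnnn per restore point).
RESTORE_RE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.IGNORECASE
)


def parse_report(text):
    """Return one dict (path, detection, action) per detection line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({k: v.strip() for k, v in m.groupdict().items()})
    return entries


def triage(entries):
    """Split hits into restore-point-only vs. live paths and count unactioned ones."""
    in_restore = [e for e in entries if RESTORE_RE.match(e["path"])]
    live = [e for e in entries if not RESTORE_RE.match(e["path"])]
    not_actioned = [e for e in entries if e["action"].lower() == "no action taken"]
    return {
        "total": len(entries),
        "restore_point_only": len(in_restore),
        "live_paths": [e["path"] for e in live],   # these need real cleanup, not a restore-point purge
        "no_action_taken": len(not_actioned),      # > 0 means the scanner was not set to quarantine
        "families": Counter(e["detection"] for e in entries),
    }


# Constructed sample modelled on the thread's report lines (GUID and file names are made up).
SAMPLE = """\
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP113\\A0000001.dll -> Adware.BHO : No action taken.
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP116\\A0000002.DLL -> Backdoor.Hupigon.emb : No action taken.
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP122\\A0000003.DLL -> Backdoor.Hupigon.emb : No action taken.
C:\\WINDOWS\\system32\\EXAMPLE.EXE -> Backdoor.Hupigon.emb : No action taken.
C:\\WINDOWS\\system32\\example2.dll -> Adware.BHO : Quarantined.
"""

if __name__ == "__main__":
    result = triage(parse_report(SAMPLE))
    print(result["total"], result["restore_point_only"], result["no_action_taken"])
    print("live hits:", result["live_paths"])
```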
     
  19. maize

    maize TS Rookie Topic Starter Posts: 19

    Howard,

    About booting into safe mode under my normal user name account:

    Actually, I separated my normal user name into two user accounts.
    One is called "Matrix", the other is called "Emily".
    So, after using the F8 method or running "msconfig", no matter which method I use, in safe mode I can only use the "Emily" normal user name account. I mean I cannot find my Matrix normal user name account in safe mode.

    Below logfile is under Emily account.

    Here is under Matrix user name account.
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You just don't get it do you?

    I told you to turn system restore off and on, it appears you haven't done this.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    I've also told you several times how to use AVG Antispyware. Yet it still appears you don't know how to do this, as all the results in your AVG Antispyware log say No Action Taken.

    So, let's have one last try. Copy and paste these instructions into a notepad file, then you can have the file open so you can follow the instructions more easily.

    Make sure all windows are closed, except notepad. Run AVG Antispyware from normal mode.
    Click Scanner, then the Settings tab and under where it says How to Act, make sure you set it to QUARANTINE results. Then click the scan tab and click Complete System Scan to begin scanning.

    Once finished, click the save scan report button, followed by the Save report as button and save it to your desktop.

    Post the AVG Antispyware log and nothing else.

    Regards Howard :)

     
  21. maize

    maize TS Rookie Topic Starter Posts: 19

    I appreciate your great patience.

    After deleting my other "Emily" normal user name account,
    I finally booted into safe mode under my normal user name.

    I did print your instructions out and follow them carefully.

    Now, here is the result below. They are less than before.
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your AVG Antispyware log still says "No Action Taken" for all items. I keep telling you, you need to tell AVG Antispyware to quarantine its results.

    See this pictorial guide to AVG Antispyware.

    Post a fresh AVG Antispyware log as well as a fresh HJT log, after you`ve run AVG Antispyware.

    Regards Howard :)

     
  23. maize

    maize TS Rookie Topic Starter Posts: 19

    I ran AVG Antispyware in normal mode.
    After running, I clicked the "apply all actions" tab and saved the report to my desktop.


    Best Regards Maize
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's correct now lol.

    Run AVG Antispyware and click on the infections tab. Click the select all button, followed by the remove finally button. This will delete all files in AVG Antispyware quarantine.

    Reboot your system and post what hopefully should be a final HJT log.

    Regards Howard :)

     
  25. maize

    maize TS Rookie Topic Starter Posts: 19

    I did it; hopefully this should be a final HJT log.

    Many Thanks!



    Best Regards Maize
     