TechSpot

Need help with log files, already done all steps

By basilisk92
Jul 30, 2008
  1. I've read and followed all instructions on preliminary virus/malware/spyware removal.

    Attached is log, please help!! Thanks.
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Did you run ComboFix or DSS? If so, please attach the log, and also

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware from Here or Here
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach this log with your reply
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
     
  3. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    combofix log attached

    I did run combofix, log is attached.

    Please review, and thanks!
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    ComboFix should be installed to the desktop, not the Program Files folder.

    That is not a complete log - Please let me know once it is moved
     
  5. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    I moved ComboFix to the desktop; however, I found 2 other copies of ComboFix and some associated files.

    Should I delete those?
     
  6. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    I also ran Malwarebytes since I saw it in your first reply; I've attached the log.

    I didn't know if you wanted me to run the program, so if you need me to do the steps over again I will.

    Thanks,
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    First of all, look at the names in the MBAM log - those are a giveaway that you are infected with backdoor Trojans and info-stealing viruses. That means if you do any online banking, use your credit card online, etc., you should have a read of Is your system infected? Read this before Cleaning or Formatting

    -----------------------------------------------------------------------------------------

    If you decide to clean your system -> Delete the old versions of combofix we only want the most recent version on there

    Go to Microsoft's website here --> http://support.microsoft.com/kb/310994
    Select the download that's appropriate for your Operating System

    Windows XP SP2

    Download the file and save it under its original name to your desktop.

    Close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please attach that log here.


    Attach CF_RC.txt here
     
  8. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    Please let me ask you a question: my primary concern is gigs of photos saved on the hard drive and some Word-type documents. But based on your link, it looks like I need to format/reinstall. I check my various accounts almost daily and nothing has happened so far. I have already changed most user names and passwords on my various accounts. So far I have seen nothing funky there yet, fortunately.

    Given this information, is it worth the risks you speak of to save the photos and word documents?

    I would really appreciate your advice.

    Thank you
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Though I would recommend backing up those types of files regularly, I am not suggesting a format or reinstall. We are simply installing a recovery console as a precaution so that, in the event something were to go wrong, we could recover the system.
     
  10. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    I followed your last instructions and deleted old versions, downloaded and opened recovery file with combofix and it produced a log which is attached.

    However, when it popped up, it popped up as "log" so I saved it that way.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Are the files you were concerned about installed directly in C:\program files

    And did you purposely install movies, etc. there?
     
  12. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    Yes, I put them there. No, I do not care about those. I can certainly remove them.
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
  14. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    Attached are both logs requested.
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Launch HijackThis

    Check all those 018 entries

    Close all windows except HijackThis

    Select Fix checked

    ============================================================

    empty your recycle bin

    ============================================================

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  16. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    Attached, took a while to scan.
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Not good - you had this same info-stealing rootkit that is going around. It logs keystrokes and can steal account information, etc. It also has stealth capabilities. ComboFix quarantined the main part of it, but there may be leftovers that I can't see. All I can suggest is that we scan for it.

    -----------------------------------------------

    I'll go ahead and work up the next set of instructions - but I have to ask do you use outlook often? It appears there are some viruses in your inbox
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Please download Qoofix by Rubber Ducky to your desktop.
    • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
    • Close all windows and programs, including internet windows.
    • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
    • Click Begin Removal and wait for the scan to finish
    • If Qoofix finds an infection, select yes to restart your computer
    • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt
      Attach this log here for me

    ------------------------------------------------------------------------------

    OTMoveit2 by OldTimer
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      [kill explorer]
      C:\Program Files\anonymousfriend.exe
      C:\WINDOWS\CouponBarIE.dll
      C:\Documents and Settings\Owner\Desktop\installer.exe
      purity
      [start explorer]
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and attach its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    -----------------------------------------------------------------------------------------------

    Update McAfee and, if it has an email scanner, I would use that; otherwise it is time to delete emails that might be shady.


    Attach both logs here for me
     
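Two of the hand-built text files in this thread have formatting rules that are easy to get wrong when pasting from a browser: the CFScript.txt in the "Run CFScript" post must start with `File::` on its very first line, and the OTMoveIt2 list above can pick up the forum's `[b]`/`[/b]` tags along with the `[kill explorer]`/`[start explorer]` directives and the `purity` keyword. The following script is an added example, not a tool from the thread or from the ComboFix/OTMoveIt authors; the function names (`check_cfscript`, `parse_move_list`, `triage`) are my own, the file paths are the ones from the OTMoveIt2 list above, and the stand-in file created by `demo()` is constructed content. It validates the CFScript first-line rule (including the byte-order mark that Notepad's UTF-8 setting adds silently), separates paths from directives in the move list, and then makes a read-only pass that hashes whatever is still on disk so the hashes can be recorded before anything is moved. Nothing is deleted or moved.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample mirroring the OTMoveIt2 list posted in the thread, with the
# [b]/[/b] BBCode tags that leak into a copy-paste from the forum left in on purpose.
SAMPLE_LIST = """[b][kill explorer]
C:\\Program Files\\anonymousfriend.exe
C:\\WINDOWS\\CouponBarIE.dll
C:\\Documents and Settings\\Owner\\Desktop\\installer.exe
purity
[start explorer][/b]
"""

BBCODE = re.compile(r"\[/?b\]", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\[(kill|start) explorer\]$", re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def check_cfscript(text):
    """Check the rule from the CFScript post: 'File::' must be the very first
    line, with no blank line above it and no whitespace around it. Also flags
    a UTF-8 byte-order mark, which Notepad's 'UTF-8' encoding adds silently.
    Returns a list of problems; an empty list means the file is acceptable."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a UTF-8 BOM; save as ANSI/plain text")
        text = text[1:]
    lines = text.splitlines()
    if not lines:
        problems.append("file is empty")
        return problems
    first = lines[0]
    if first == "":
        problems.append("blank line above File::")
    elif first != "File::" and first.strip() == "File::":
        problems.append("whitespace around File:: on the first line")
    elif first != "File::":
        problems.append(f"first line is {first!r}, expected 'File::'")
    return problems


def parse_move_list(text):
    """Split an OTMoveIt2-style list into [kill explorer]/[start explorer]
    directives, drive-letter file paths, and bare keywords such as 'purity',
    after stripping leaked BBCode and blank lines."""
    directives, paths, keywords = [], [], []
    for raw in text.splitlines():
        line = BBCODE.sub("", raw).strip()
        if not line:
            continue
        if DIRECTIVE.match(line):
            directives.append(line.lower())
        elif DRIVE_PATH.match(line):
            paths.append(line)
        else:
            keywords.append(line)
    return {"directives": directives, "paths": paths, "keywords": keywords}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(paths):
    """Read-only pass over the listed paths: hash each file that still exists so
    the hash can be recorded (or checked against AV vendor data) before the file
    is moved; None marks a path that is already gone. Nothing is deleted or moved."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def demo():
    """Run the parser and triage against constructed input: the sample list
    above plus one stand-in file created in a temporary directory."""
    tmpdir = tempfile.mkdtemp()
    stand_in = os.path.join(tmpdir, "installer.exe")
    with open(stand_in, "wb") as fh:
        fh.write(b"abc")  # constructed content, not a real sample
    parsed = parse_move_list(SAMPLE_LIST)
    report = triage(parsed["paths"] + [stand_in])
    return parsed, report, stand_in


if __name__ == "__main__":
    print(check_cfscript(" File::\nC:\\example.exe\n"))
    parsed, report, stand_in = demo()
    for path, digest in report.items():
        print(f"{path}: {digest or 'not present'}")
```

On the infected machine itself the same script would be pointed at the real CFScript.txt and the real pasted list; on any other box the three thread paths simply report as not present, which is also what you would want to see after the move has completed.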
  19. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    Attached are both logs. I deleted all emails from Outlook. Tried updating McAfee, but it was up to date.
     
  20. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    Whoops, attached is the correct log for Qoofix.
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    What about the C:\Qoofix\Qoofix Logfile.txt?
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    ATF Cleaner by Atribune

    • Please download ATF Cleaner to your desktop from HERE
    • Double-click ATF Cleaner.exe to open it. Vista users: Right Click and Select Run as Administrator

    • Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Cookies
      Temporary Internet Files
      Prefetch
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.

    • Firefox or Opera installed:
      Click Firefox or Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program.

    ----------------------------------------------------------------------

    Let's run one more scan with Kaspersky just like before; it should be a lot faster.
     
  23. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    The Qoofix log I posted is the only Qoofix log I could find. I looked up C:\Qoofix\Qoofix Logfile.txt, but it would not let me search with \ in the search field.

    I completed the instructions for ATF Cleaner.

    I am running the Kaspersky scan now. It is downloading definitions which takes like an hour. Hopefully like you said the actual scan will take less.

    I will post log as soon as it's done.
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    OK, good work. I asked for the Qoofix log at the same time you posted it.
     
  25. basilisk92

    basilisk92 TS Rookie Topic Starter Posts: 18

    Took 5 1/2 hours but completed.

    Attached is log.
     
Topic Status:
Not open for further replies.