Need to review logs just want to double check

By xxdanielxx
Jun 3, 2008
  1. Hey, I have run everything to remove viruses & spyware. I wanted to double check to see if someone could review my log to let me know if I got everything. I think I did. Thanks.
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Some disturbing entries in the combofix log

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder


    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
  3. xxdanielxx

    xxdanielxx TS Rookie Topic Starter Posts: 1,069

    I am running it right now and will post as soon as it is done. Also, can you show me in what part of ComboFix you found some problems? I like to learn so that I can better help people. Thanks.
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Well, there are some entries in the top section for last month's files.

    Then, if the log was posted on a forum vs. attached, you would see this (it's BBCode to show it up in red), under 3m:

    C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
    577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
    578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
    577,536 2008-05-25 06:15:41 C:\WINDOWS\system32\user32.DLL
    577,536 2008-05-25 06:15:41 C:\WINDOWS\system32\dllcache\user32.dll
  5. xxdanielxx

    xxdanielxx TS Rookie Topic Starter Posts: 1,069

    It is almost done; I have rebooted the computer. You know, I saw the red code in the text log. I also saw that it said it was infected, but I thought that ComboFix would delete it or that it did delete it. So unless it says that it deleted it, I should not assume that it did.
  6. xxdanielxx

    xxdanielxx TS Rookie Topic Starter Posts: 1,069

    OK, I attached the log.
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You have a very complex infection. It opens a backdoor on the infected computer to use as an email relay to route spam messages, so the writer of the malware can spam people from your address. There is a lot of money involved in this; they don't just install the malware to annoy people. Apart from this, the Trojan could also open a backdoor port, which it uses to receive instructions from the attacker. Instructions sent could include sending mass emails to a list of pre-defined email addresses. Basically it will open port 80 on your computer so that you now serve as a proxy for them. If you don't have a firewall, I suggest getting ZoneAlarm or Comodo ASAP.

    However, almost every major antivirus company has definitions on these 2 infections. I suggest that you uninstall your AV and install Avira AntiVir, unless you have the paid version: Avira Free

    Download it, update it, close it, run it from Safe Mode.
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

  9. xxdanielxx

    xxdanielxx TS Rookie Topic Starter Posts: 1,069

    OK, I think it is best to reformat and reinstall, but in what log did you find out what type of virus it was?
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    All of it, in the ComboFix log.

    Look at drivers/services - those are all malicious and related to the same family of trojans. And the corrupt system files. Basically ComboFix checked the system files for size/hash mark and they have obviously been replaced with bad files.

    Also, I didn't research all of these, but they all look bad:

    2008-05-24 23:15 . 2008-05-25 13:06 96,256 --a------ C:\WINDOWS\7ujkn.exe
    2008-05-24 23:15 . 2008-05-24 23:15 66,048 --a------ C:\WINDOWS\system32\ntpl.bin
    2008-05-24 23:15 . 2008-05-24 23:15 63,488 --a------ C:\WINDOWS\system32\ho.ln
    2008-05-24 23:15 . 2008-05-24 23:15 28,672 --a------ C:\WINDOWS\system32\ko.o
    2008-05-24 23:14 . 2008-05-24 23:29 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
    2008-05-24 23:14 . 2008-05-24 23:29 160,256 --a------ C:\WINDOWS\system32\blackster.scr


    Should you need any help with backing up/formatting/reinstalling let us know as there is somebody here that I know is good at walking people through it.
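
The two ComboFix excerpts quoted above (the "is infected" block in post 4 and the list of recently created files in post 10) can be checked mechanically. The following is an added example, not code from the thread or from ComboFix itself: it parses the two blocks as quoted here (embedded as constructed sample input) and applies the reasoning Blind Dragon describes. For the system file, it treats the copies under $hf_mig$ as hotfix reference copies and flags any live copy (system32 or dllcache) whose size matches none of them or whose timestamp is newer than the newest hotfix; it also notes when the system32 copy and the dllcache copy carry identical size and timestamp, since a replaced dllcache copy is what keeps Windows File Protection from restoring the original. For the new-files list, it groups files dropped under C:\WINDOWS within a few minutes of each other and flags the whole group when it contains extensions that are not normal executable code (.bin, .ln, .o, .bmp, .scr). The reference-path markers, the extension allowlist and the five-minute window are assumptions chosen for this example.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Constructed sample input: the two log excerpts as quoted in the thread.
INFECTED_BLOCK = r"""
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,536 2008-05-25 06:15:41 C:\WINDOWS\system32\user32.DLL
577,536 2008-05-25 06:15:41 C:\WINDOWS\system32\dllcache\user32.dll
"""

RECENT_BLOCK = r"""
2008-05-24 23:15 . 2008-05-25 13:06 96,256 --a------ C:\WINDOWS\7ujkn.exe
2008-05-24 23:15 . 2008-05-24 23:15 66,048 --a------ C:\WINDOWS\system32\ntpl.bin
2008-05-24 23:15 . 2008-05-24 23:15 63,488 --a------ C:\WINDOWS\system32\ho.ln
2008-05-24 23:15 . 2008-05-24 23:15 28,672 --a------ C:\WINDOWS\system32\ko.o
2008-05-24 23:14 . 2008-05-24 23:29 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-24 23:14 . 2008-05-24 23:29 160,256 --a------ C:\WINDOWS\system32\blackster.scr
"""

# Assumptions for this example: where known-good copies live, and which
# extensions are ordinary for code dropped under the Windows directory.
REFERENCE_MARKERS = ("$hf_mig$", "servicepackfiles")
CODE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".drv"}
WINDOWS_DIR = "c:\\windows\\"

_INFECTED_ENTRY = re.compile(r"^([\d,]+) (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.+)$")
_RECENT_ENTRY = re.compile(r"^(\S+ \S+) \. (\S+ \S+) ([\d,]+) (\S+) (.+)$")


def _size(text):
    return int(text.replace(",", ""))


def parse_infected_block(text):
    """Return (flagged path, [(size, mtime, path), ...]) from an 'is infected' block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    target = re.match(r"^(.+?) \.\.\. is infected", lines[0]).group(1)
    entries = []
    for line in lines[1:]:
        m = _INFECTED_ENTRY.match(line)
        mtime = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
        entries.append((_size(m.group(1)), mtime, m.group(3)))
    return target, entries


def check_replaced_system_file(text):
    """Compare live copies of a system file against its hotfix reference copies."""
    target, entries = parse_infected_block(text)
    refs = [e for e in entries if any(k in e[2].lower() for k in REFERENCE_MARKERS)]
    live = [e for e in entries if e not in refs]
    ref_sizes = sorted({s for s, _, _ in refs})
    newest_ref = max(t for _, t, _ in refs)
    findings = []
    for size, mtime, path in live:
        reasons = []
        if size not in ref_sizes:
            reasons.append(f"size {size} matches none of the hotfix copies {ref_sizes}")
        if mtime > newest_ref:
            reasons.append(f"modified {mtime} after the newest hotfix copy ({newest_ref})")
        if reasons:
            findings.append((path, reasons))
    # system32 and dllcache copies with identical size and timestamp: the
    # WFP cache was overwritten along with the live file.
    dllcache_matches_live = len(live) >= 2 and len({(s, t) for s, t, _ in live}) == 1
    return {"target": target, "findings": findings,
            "dllcache_matches_live": dllcache_matches_live}


def parse_recent_block(text):
    """Parse 'created . modified size attrs path' lines from the new-files section."""
    out = []
    for line in text.splitlines():
        m = _RECENT_ENTRY.match(line.strip())
        if m:
            out.append({"created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                        "size": _size(m.group(3)), "attrs": m.group(4), "path": m.group(5)})
    return out


def flag_dropped_files(text, window=timedelta(minutes=5), min_cluster=3):
    """Flag clusters of files dropped together under C:\\WINDOWS with non-code extensions."""
    entries = sorted((e for e in parse_recent_block(text)
                      if e["path"].lower().startswith(WINDOWS_DIR)),
                     key=lambda e: e["created"])
    clusters = []
    for e in entries:
        if clusters and e["created"] - clusters[-1][-1]["created"] <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    flagged = []
    for cluster in clusters:
        exts = {ntpath.splitext(e["path"])[1].lower() for e in cluster}
        if len(cluster) >= min_cluster and exts - CODE_EXTENSIONS:
            flagged.extend(e["path"] for e in cluster)
    return flagged


if __name__ == "__main__":
    report = check_replaced_system_file(INFECTED_BLOCK)
    print(f"{report['target']}: dllcache copy identical to live copy: "
          f"{report['dllcache_matches_live']}")
    for path, reasons in report["findings"]:
        print(f"  {path}: " + "; ".join(reasons))
    for path in flag_dropped_files(RECENT_BLOCK):
        print(f"dropped together: {path}")
```

Run as-is it reports both live user32.dll copies (size 577,536 matches neither hotfix size, and the timestamp is a year newer than the newest hotfix) and flags all six files from the 23:14-23:15 drop. The size check is only as good as the reference copies in the log: a hotfix copy that is itself stale produces a false positive, which is why ComboFix's verdict is by hash, not size alone.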

  11. xxdanielxx

    xxdanielxx TS Rookie Topic Starter Posts: 1,069

    Hey, thanks for the help. I wanted to know if you could direct me to any place where I can learn how to better use ComboFix. I know how to use HijackThis but not ComboFix.
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You have to be a member of certain sites that teach you from step 1 how to clean infected systems. After you have the basics down, they will give you access to full information on special programs like ComboFix.