8 steps completed, here's my logs

Status
Not open for further replies.
Nolan, we seem to be losing ground.

COMBOFIX-Script
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Code:
File::
c:\windows\mqcd.dbt
c:\windows\system32\rkoq.pxf
c:\windows\system32\odjan.wa
c:\windows\system32\kei1w.an
c:\windows\system32\kdoqmn.sr
c:\windows\system32\doqkm.zt
c:\windows\system32\drivers\cmudaxu.sys.bak
c:\windows\adobe.bat
c:\windows\DUMP856c.tmp
c:\documents and settings\Nolan Brassard\Application Data\ipomoqeb.reg
c:\program files\Common Files\sazunep.inf
c:\documents and settings\Nolan Brassard\Application Data\awelifu.sys
c:\documents and settings\Nolan Brassard\Application Data\kixad.pif
c:\program files\Common Files\ymuko.dll
c:\documents and settings\Nolan Brassard\Application Data\ovusov.bat
c:\documents and settings\Nolan Brassard\Application Data\ozej.pif
c:\program files\Common Files\ovahawaj.sys
c:\documents and settings\Nolan Brassard\Application Data\kyfykeb.com
c:\program files\Common Files\ajab.com
c:\documents and settings\Nolan Brassard\Application Data\imaxuda.com
c:\documents and settings\Nolan Brassard\Application Data\wagehi.dat
c:\program files\Common Files\elupepiw.dat
c:\program files\Common Files\kabos.dat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
"Debugger"=c:\windows\system32\alg.exe
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
"Debugger"=c:\windows\system32\alg.exe
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
"Debugger"=c:\windows\system32\alg.exe
Then drag this script and drop on top of ComboFix.

ComboFix will now run a scan on your system.

It may reboot your system when it finishes. This is normal.

When finished, it will create a log. Attach the log back to us.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Post its log followed by another ComboFix without the Script!

No reboot!

Then go back to where you got Norman and DrWeb and do Kaspersky.

After this if not successful, I hate to say, we may be looking at a format!

Mike
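An added example, not part of this thread, of the check a defender would run for the kind of hijack the Registry:: section above removes: under Image File Execution Options, a Debugger value makes Windows start that program in place of the named executable, so a Debugger that is not an actual debugger (here alg.exe standing in for a.exe, ~tmpa.exe and the others) is a sign that tools are being blocked from running. The script parses a constructed .reg export modelled on those entries; the known-debugger list and the ntsd.exe and notepad.exe entries are assumptions.

```python
# Constructed .reg export: the a.exe / ~tmpa.exe keys and the alg.exe target
# mirror the CFScript above; the ntsd.exe (legitimate) and notepad.exe
# (no Debugger value) entries are constructed for contrast.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe]
"Debugger"="c:\\windows\\system32\\alg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~tmpa.exe]
"Debugger"="c:\\windows\\system32\\alg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="ntsd.exe -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
"""

IFEO_KEY = "\\image file execution options\\"
# Real debuggers that legitimately appear as IFEO Debugger values (assumed list).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a minimal .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            # .reg doubles backslashes inside quoted strings; undo that.
            keys[current][name.strip('"')] = raw.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_ifeo_hijacks(text):
    """List every IFEO subkey with a Debugger value and flag non-debugger targets."""
    findings = []
    for key, values in parse_reg_export(text).items():
        idx = key.lower().find(IFEO_KEY)
        if idx < 0 or "Debugger" not in values:
            continue
        image = key[idx + len(IFEO_KEY):]          # executable being redirected
        debugger = values["Debugger"]
        exe = debugger.split()[0].rsplit("\\", 1)[-1].lower()  # basename, no args
        findings.append({"image": image, "debugger": debugger,
                         "suspicious": exe not in KNOWN_DEBUGGERS})
    return findings


if __name__ == "__main__":
    for f in find_ifeo_hijacks(SAMPLE_REG_EXPORT):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{tag:10} {f['image']} -> {f['debugger']}")
```

On a live XP machine the same logic applies to the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` read as UTF-16.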
 
Here are the combo logs. I am leaving class now; I will run the scans when I get home. Is there a possibility that I have a hardware problem that is causing that blue screen? Although it only appears on scans. It appeared on my first attempt at applying that script to ComboFix as well. Then I rebooted and it worked fine the second time.
 
This may be our last shot!

Left-drag the mouse and copy, for pasting, all the text in the box below.
Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
Then paste it into the black screen of an open command prompt.

Code:
@echo off
cd\windows
md save

copy /v /y c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe c:\windows\save
copy /v /y c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe c:\windows\save

exit
exit

Then immediately reboot to the Recovery Console.

Then print the below, as it has to be manually typed into the Recovery Console.

copy save\svchost.exe system32
copy save\svchost.exe system32\dllcache
copy save\explorer.exe system32
copy save\explorer.exe system32\dllcache
ren system32\spoolsv.exe spoolsv.exz

Overwrite answer yes
Then type exit to reboot

Then run ComboFix and attach the log!

Mike
 
Gonna reformat. Net's gone again; seems we're back to the start. Also both are still infected according to the combo scan. Would you suggest a specific way to reformat or no? And for future reference on this issue, be sure to tell people to not go online. Seems it got significantly worse rather quickly when going back online. It's all good though, a very good learning process for both of us and others. Thanks for all the help. Also, the last line of that recovery console did not work.
 
I agree it is time!

Back up all important files, emails, etc. to a portable or flash drive, but scan them well before putting them back.

Full format, not quick. Get it installed and on the net! Add nothing else but Avira and ThreatFire before even downloading Windows updates.

Once under the protection of the 2 above, scan your backed-up data on the other drive before putting it back! Actually, scan the entire backup drive.

Good luck, you went way beyond and I hope others can learn from this.

Mike
 
Reformat went well; finished installing all needed programs, updates, and drivers. Thanks for all the help during that. I found some information today actually saying that the file uses an exploit in XP to spread itself as well. There is actually a Windows update to fix the exploit. Found the link today; I'll see if I can find it again, it was on my brother's computer.
 