Abebot Virus Scan Logs after Combofix

Jaumer

Blind Dragon,

A few days ago I posted and the thread got closed before I could post my follow-up logs. I am pasting your response to my initial post as well as the three log files.

"Hi and welcome to TS,

First off what can you tell me about this DomainName = towson.local

Also I see you have some CA products for anti-virus do you also have an active firewall through them?


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Combofix
Download Combofix to your desktop.
Double click combofix.exe & follow the prompts.
A window will open with a warning.
Type "1" (and Enter) to start the fix.
When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt"


Here are the three log files.
 
Any idea as to why the thread was closed? I was curious about that.

I will have a look and post back shortly
 
CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word KILLALL:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
KILLALL::

File::
C:\WINDOWS\system32\jezoxsfs.exe

DirLook::
C:\Documents and Settings\All Users\Application Data\inybrsdr
C:\Documents and Settings\All Users\Application Data\dqtmnoby

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dspctxwc"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"p7mMhwqPB7"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.




Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.




Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Here are the latest log files for Combofix and HJT

Here are the log files for Combofix and the new HJT log after Combofix was run. I am getting ready to do the ATF Cleaner and Kaspersky Online AV Scanner.
 
Sorry the new Combofix will not load

It is telling me that I already posted to you. It will not let me reattach the new Combofix file.
 
Question

When I drag the cfscript.txt file onto Combofix it asks to open with and I click it, then the blue box only appears for a second and disappears. It is not taking the time it did the first time to run. Is that right? And it will not let me attach the new log file because it says I did already in my last thread.

Confused....OK running those other programs

Thanks for all your help
 
Go up to the top, in the blue cross bar, click edit profile

Scroll down the left pane and select Attachments, remove all that are there and try again

And for combofix make sure all programs/other windows (including this one) are closed
 
OK Got rid of attachments

But I still cannot get Combofix to run by dragging the cfscript.txt file onto it. A Run window opens and I click Run, then a blue box appears for a split second and closes. When I look at the Combofix.txt log file it is still dated yesterday, so it is not running. Not sure what to do here?

Thanks
jeff
 
Combofix needs to be installed to your desktop. If it is not please go to Start -> run -> type combofix /u

Download through the previous link and make sure to install it to your desktop
 
Combofix

It is installed on the desktop and when I type combofix /u in the Run window it does the same thing: it opens and a blue box flashes, then goes away. I even used the old link you provided to Combofix and it asks me to install it, and when I do to the desktop it asks if I want to replace the existing Combofix.
 
Launch Hijackthis -> Select do a system scan and save a log

attach it here

We need to make sure anti-scripting is disabled with your anti-virus.
 
OK

I installed combofix and dragged the cfscript.txt onto it and it finally ran.
Attached is that log file and also the new HJthis log file.

I will now run the ATF Cleaner and Kaspersky AV Scan
 
ok, one more time

CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\Documents and Settings\All Users\Application Data\dqtmnoby\vsxkzuxm.exe

Folder::
C:\Documents and Settings\All Users\Application Data\inybrsdr
C:\Documents and Settings\All Users\Application Data\dqtmnoby

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"p7mMhwqPB7"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dspctxwc"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
Encountered another problem

OK, when I drag this script onto Combofix it runs like normal: the blue box appears with the warning about the clock setting and stating it could take up to 20 minutes. It never finishes. The blue box just hangs there and I have to reboot.

Any suggestions?

Thanks again
 
Through the control panel

Open Windows Defender
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

retry the cfscript

if it doesn't work we will move on, with different instructions altogether
 
OK finally ComboFix worked

I did not have to do the Windows Defender instructions above. I ran Combofix with the latest CFScript file again and let the ComboFix window stay open overnight and it finished at some point. I have attached that log file and the new HijackThis log file to this email.

Thanks again
 
You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
O4 - HKLM\..\Policies\Explorer\Run: [p7mMhwqPB7] C:\Documents and Settings\All Users\Application Data\dqtmnoby\vsxkzuxm.exe

Select Fix Checked

Close Hijackthis

Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following files or folders:

Folders:
C:\Documents and Settings\All Users\Application Data\dqtmnoby <-This folder only

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log



Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Latest Tests

OK Here is the HijackThis log file and the Kaspersky scan log file.

A few things. When I booted into safe mode I had to boot into safe mode with networking.....otherwise it would not let me log onto the computer, said bad domain.

So I booted into safe mode with networking, logged in, did the HijackThis and fixed the file you stated.....

Also under Windows Explorer I looked for the folder C:\Documents and Settings\All Users\Application Data\dqtmnoby in order to delete it. I could not find it and ran a complete search of C:\ to see if it were there. Nothing found

So I rebooted to normal mode and ran HijackThis and Kaspersky Online AV Scanner.

Attached are the files
 
Everything looks good! Just need to clean up a bit. Are you having any more symptoms/problems with the computer?

Run a scan with Hijackthis, check this entry, close all other windows and select fix checked
O21 - SSODL: AvpSys - {2ea11fd0-0d77-4d7c-b952-cdefce498e81} - (no file)


Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

---------------------------------------------------------------------------
I recommend you keep
1 anti virus program
1 firewall
Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

For Spybot you can download the latest version from HERE.

keep them updated.

You can also turn on tea timer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example if you don't use MSN Messenger every time you run your computer you can disable it, then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

And just to be sure
Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
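As an added example that is not part of this thread, the following Python reviews HijackThis O4/O21 log lines and flags the traits the helper acted on here: an autostart placed under Policies\Explorer\Run, a program living under Application Data, a random-looking value name, and an orphaned O21 "(no file)" entry. The sample lines are constructed from entries quoted in this thread, except for the first, made-up benign entry (ExampleUpdater) used for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample HijackThis (HJT) log lines. The Policies\Explorer\Run and
# O21 entries are quoted in this thread; the HKCU line is assembled from the
# value name and file the CFScript removed; the first line is a made-up benign entry.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Policies\Explorer\Run: [p7mMhwqPB7] C:\Documents and Settings\All Users\Application Data\dqtmnoby\vsxkzuxm.exe
O4 - HKCU\..\Run: [dspctxwc] C:\WINDOWS\system32\jezoxsfs.exe
O21 - SSODL: AvpSys - {2ea11fd0-0d77-4d7c-b952-cdefce498e81} - (no file)
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{(?P<clsid>[0-9a-fA-F-]+)\} - (?P<file>.+)$")

@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

def looks_random(name: str) -> bool:
    """Heuristic: names like dspctxwc or p7mMhwqPB7 have almost no vowels or
    mix digits into letters; product autostart names rarely do."""
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    has_digits = any(c.isdigit() for c in name)
    return vowel_ratio < 0.15 or (has_digits and len(letters) >= 4)

def review_hjt(log: str) -> list:
    """Return one Finding per suspicious O4/O21 line, with the reasons why."""
    findings = []
    for raw in log.splitlines():
        line, reasons = raw.strip(), []
        if m := O4_RE.match(line):
            if "policies\\explorer\\run" in m["key"].lower():
                reasons.append("autostart via Policies\\Explorer\\Run (rarely used legitimately)")
            if "\\application data\\" in m["cmd"].lower():
                reasons.append("autostart program lives under Application Data")
            if looks_random(m["name"]):
                reasons.append("random-looking value name")
        elif (m := O21_RE.match(line)) and m["file"].strip().lower() == "(no file)":
            reasons.append("orphaned ShellServiceObjectDelayLoad entry (no file)")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings
```

The heuristics are hints for a human reviewer, not a verdict; a hit means the entry deserves a look, as the ones in this thread did.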
 
OK

Blind Dragon,

Should I remove the other programs such as, ATF Cleaner, and HijackThis? I did install Spybot S&D and still have Malwarebytes on this PC.

I really appreciate all your help....And to answer your first question in the last post....

I have not seen anymore symptoms/problems on the PC.

Thanks Again
Jeff
 
You can remove Hijackthis from add/remove programs in the control panel.

I would keep ATF cleaner and MBAM for as long as you want. They are great tools and are safe for day to day use without experience. If you have questions about either feel free to ask anytime.

Should you have any more problems please let me know through this thread.

Regards,

Blind Dragon

THE INSTRUCTIONS IN THE ABOVE THREAD ARE FOR THE ORIGINAL POSTER ONLY SHOULD YOU HAVE SIMILAR PROBLEMS PLEASE START YOUR OWN THREAD IN OUR SECURITY SECTION FOUND https://www.techspot.com/vb/menu28.html
 