Need to review logs, just want to double check

Status
Not open for further replies.

xxdanielxx

Hey, I have run everything to remove viruses & spyware. I wanted to double check to see if someone could review my log and let me know if I got everything. I think I did. Thanks.
 
Some disturbing entries in the ComboFix log.

Update your Java Runtime Environment
  • Click the following link:
    Java Runtime Environment 6 Update 6
  • The 5th option down is the one you want (click Download)
  • Check the box to agree to the terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder

-----------------------------------------------------

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
 
I am running it right now and will post as soon as it is done. Also, can you show me in what part of the ComboFix log you found the problems? I like to learn so that I can better help people. Thanks.
 
Well, there are some entries in the top section for last month's files.

Then, if the log had been posted on a forum vs. attached, you would see this show up in red (it's BBCode), under 3m:

C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,536 2008-05-25 06:15:41 C:\WINDOWS\system32\user32.DLL
577,536 2008-05-25 06:15:41 C:\WINDOWS\system32\dllcache\user32.dll
 
It is almost done; I have rebooted the computer. You know, I saw the red code in the text log, and I also saw that it said it was infected, but I thought that ComboFix would delete it, or that it did delete it. So unless it says that it deleted it, I should not assume that it did.
 
You have a very complex infection. It opens a backdoor on the infected computer to use as an email relay to route spam messages, so the writer of the malware can spam people from your address. There is a lot of money involved in this; they don't just install the malware to annoy people. Apart from this, the Trojan could also open a backdoor port, which it uses to receive instructions from the attacker. Instructions sent could include sending mass emails to a list of pre-defined email addresses. Basically, it will open port 80 on your computer so that you now serve as a proxy for them. If you don't have a firewall, I suggest getting ZoneAlarm or Comodo ASAP.


However, almost every major antivirus company has definitions for these 2 infections. I suggest that you uninstall your AV and install Avira AntiVir, unless you have the paid version: Avira Free

Download it, update it, close it, run it from Safe Mode.
 
OK, I think it is best to reformat and reinstall, but in what log did you find out what type of virus it was?
 
All of it, in the ComboFix log.

Look at drivers/services - those are all malicious and related to the same family of Trojans. And the corrupt system files. Basically, ComboFix checked the system files for size/hash mark and they have obviously been replaced with bad files.

Also, I didn't research all of these, but they all look bad:

2008-05-24 23:15 . 2008-05-25 13:06 96,256 --a------ C:\WINDOWS\7ujkn.exe
2008-05-24 23:15 . 2008-05-24 23:15 66,048 --a------ C:\WINDOWS\system32\ntpl.bin
2008-05-24 23:15 . 2008-05-24 23:15 63,488 --a------ C:\WINDOWS\system32\ho.ln
2008-05-24 23:15 . 2008-05-24 23:15 28,672 --a------ C:\WINDOWS\system32\ko.o
2008-05-24 23:14 . 2008-05-24 23:29 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-24 23:14 . 2008-05-24 23:29 160,256 --a------ C:\WINDOWS\system32\blackster.scr

--------------------------------

Should you need any help with backing up/formatting/reinstalling let us know as there is somebody here that I know is good at walking people through it.

--------------------------------
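The two observations above (the user32.dll copies that agree with dllcache but with none of the $hf_mig$ hotfix backups, and the burst of files created under C:\WINDOWS on 2008-05-24 23:14-23:15) can be scripted as a first-pass triage over a ComboFix-style log. The following is an added example written for this page, not ComboFix's own logic and not anything posted in the thread. The sample lines are the ones quoted above; the two line formats are inferred from them, and the thresholds (a five-minute burst of at least three files, the set of extensions expected in the Windows directory) are assumptions.

```python
"""Triage helpers for a ComboFix-style log excerpt (added example, not ComboFix code).

1. "is infected" block: the live copy of a protected file and its dllcache twin agree
   with each other but with none of the $hf_mig$ hotfix backups, and were written in
   the same window as the dropped files.
2. new-files listing: a burst of files dropped into the Windows directory within
   minutes, several with extensions that do not belong there.
Line formats are inferred from the quoted lines; thresholds are assumptions.
"""
import ntpath
import re
from datetime import datetime, timedelta

INFECTED_BLOCK = r"""
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,536 2008-05-25 06:15:41 C:\WINDOWS\system32\user32.DLL
577,536 2008-05-25 06:15:41 C:\WINDOWS\system32\dllcache\user32.dll
"""
NEW_FILES = r"""
2008-05-24 23:15 . 2008-05-25 13:06 96,256 --a------ C:\WINDOWS\7ujkn.exe
2008-05-24 23:15 . 2008-05-24 23:15 66,048 --a------ C:\WINDOWS\system32\ntpl.bin
2008-05-24 23:15 . 2008-05-24 23:15 63,488 --a------ C:\WINDOWS\system32\ho.ln
2008-05-24 23:15 . 2008-05-24 23:15 28,672 --a------ C:\WINDOWS\system32\ko.o
2008-05-24 23:14 . 2008-05-24 23:29 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-24 23:14 . 2008-05-24 23:29 160,256 --a------ C:\WINDOWS\system32\blackster.scr
"""
# "<size> <yyyy-mm-dd hh:mm:ss> <path>" lines below an "is infected" header.
COPY_RE = re.compile(r"^([\d,]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S.*?)\s*$")
# "<created> . <modified> <size> <attrs> <path>" lines from the new-files section.
NEW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
                    r"\s+([\d,]+)\s+(\S+)\s+(\S.*?)\s*$")
# Extensions expected directly under the Windows directory / system32 (assumption).
EXPECTED_EXT = {".exe", ".dll", ".sys", ".ocx", ".drv", ".cpl", ".scr", ".ax",
                ".com", ".nls", ".tlb", ".ini", ".log"}


def parse_new_files(listing):
    """Return (created, modified, size, path) for each new-files line."""
    out = []
    for line in listing.splitlines():
        m = NEW_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                        datetime.strptime(m.group(2), "%Y-%m-%d %H:%M"),
                        int(m.group(3).replace(",", "")), m.group(5)))
    return out


def activity_window(listing):
    """Earliest creation and latest modification time among the new files."""
    entries = parse_new_files(listing)
    return min(e[0] for e in entries), max(e[1] for e in entries)


def suspicious_new_files(listing, burst_window=timedelta(minutes=5), burst_min=3):
    """Map path -> reasons for Windows-directory files created in a burst or with
    an extension not expected there."""
    entries = [e for e in parse_new_files(listing)
               if e[3].lower().startswith("c:\\windows\\")]
    flagged = {}
    for created, _modified, _size, path in entries:
        reasons = []
        ext = ntpath.splitext(path)[1].lower()
        if ext not in EXPECTED_EXT:
            reasons.append("odd extension %s" % (ext or "(none)"))
        peers = sum(1 for c, *_ in entries if abs(c - created) <= burst_window)
        if peers >= burst_min:
            reasons.append("one of %d files created within %s of each other"
                           % (peers, burst_window))
        if reasons:
            flagged[path] = reasons
    return flagged


def check_protected_file(block, dropped_window=None):
    """Compare the live copy of a protected file with its dllcache and $hf_mig$ copies.

    dropped_window is an optional (start, end) datetime pair; a live copy written
    inside it is taken as corroboration that it arrived with the dropped files."""
    copies = []
    for line in block.splitlines():
        m = COPY_RE.match(line.strip())
        if m:
            copies.append((int(m.group(1).replace(",", "")),
                           datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"), m.group(3)))
    backups = [c for c in copies if "\\$hf_mig$\\" in c[2].lower()]
    cache = [c for c in copies if "\\dllcache\\" in c[2].lower()]
    live = [c for c in copies if c not in backups and c not in cache]
    if len(live) != 1:
        raise ValueError("expected one live copy, found %d" % len(live))
    size, mtime, path = live[0]
    in_window = dropped_window is not None and dropped_window[0] <= mtime <= dropped_window[1]
    matches_backup = any(c[0] == size for c in backups)
    return {
        "path": path,
        "live_size": size,
        "live_mtime": mtime,
        # dllcache carrying the same size/timestamp explains why Windows File
        # Protection did not restore the file: the reference copy was swapped too
        "dllcache_matches_live": any(c[0] == size and c[1] == mtime for c in cache),
        "matches_hotfix_backup": matches_backup,
        "written_in_dropped_window": in_window,
        "suspicious": not matches_backup and in_window,
    }


if __name__ == "__main__":
    window = activity_window(NEW_FILES)
    for key, value in check_protected_file(INFECTED_BLOCK, window).items():
        print("%-26s %s" % (key, value))
    for path, reasons in suspicious_new_files(NEW_FILES).items():
        print(path, "->", "; ".join(reasons))
```

One caveat worth keeping in mind when reading the first check: the copies under $hf_mig$ are the versions a hotfix superseded, so after a legitimate update the live file and its dllcache copy will also agree with each other and differ from every $hf_mig$ copy. That alone proves nothing; the corroborating signal here is that user32.dll was written inside the same window as the six dropped files, and the only real confirmation is a hash comparison against a known-good copy of the same file version. The burst heuristic is similarly a pointer for a human to follow up, not a verdict.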
 
Hey, thanks for the help. I wanted to know if you could direct me to any place where I can learn how to better use ComboFix. I know how to use HijackThis but not ComboFix.
 
You have to be a member of certain sites that teach you from step 1 how to clean infected systems. After you have the basics down, they will give you access to full information on special programs like ComboFix.
 