ComboFix log
Hello everyone,
Can someone, please, help me with instructions on what I have to do next to clean my computer, because I don't understand much in the log generated by ComboFix.
Also, I only found the thread "WARNING: Do NOT run ComboFix" after I had already run the program. If that's true what can I do to save my computer data? At the current time I can see that nothing bad happens to my computer after running ComboFix, and I am not sure of what to do next.. Also, the link to ComboScan in some other thread turned out to be broken, so I failed to download that program too.
ComboFix log:
Thanks much in advance,
ComboFix 08-04-04.1 - User 2008-04-06 18:42:27.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.114 [GMT 4:00]
Running from: D:\BACKUP\DISTRIBUTIVE\AntiVirus\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\kmd.exe
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.
2008-04-05 13:55 . 2008-04-05 13:55 <DIR> d C:\Program Files\Yahoo!
2008-04-01 16:26 . 2008-04-01 16:25 103,182 -r-hs---- C:\mvxm.cmd
2008-03-28 20:57 . 2008-03-28 19:57 103,953 -r-hs---- C:\gjn2pjlw.exe
2008-03-28 09:51 . 2008-03-28 09:51 <DIR> d C:\Documents and Settings\User\Application Data\QQ Games Plugin
2008-03-28 09:45 . 2008-03-28 09:45 <DIR> d C:\Documents and Settings\User\Application Data\acccore
2008-03-28 09:37 . 2008-03-28 09:37 <DIR> d C:\Program Files\Tencent
2008-03-28 09:26 . 2008-03-28 09:26 <DIR> d C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-28 09:26 . 2008-03-28 09:26 21 --a C:\WINDOWS\atid.ini
2008-03-28 09:22 . 2008-03-28 09:22 <DIR> d C:\Program Files\Viewpoint
2008-03-28 09:22 . 2008-03-28 09:22 <DIR> d C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-28 09:21 . 2008-03-28 09:21 <DIR> d C:\Program Files\Common Files\AOL
2008-03-28 09:21 . 2008-03-28 09:21 <DIR> d C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-28 09:21 . 2008-03-28 09:21 <DIR> d C:\Documents and Settings\All Users\Application Data\AOL
2008-03-28 09:18 . 2008-03-28 09:18 <DIR> d C:\Program Files\AIM6
2008-03-28 09:18 . 2008-03-28 09:38 870 --ah C:\IPH.PH
2008-03-23 23:10 . 2003-08-18 02:00 15,360 -r-hs---- C:\aub0wb8.cmd
2008-03-20 17:26 . 2008-03-20 17:27 100,031 -r-hs---- C:\n2de.cmd
2008-03-17 10:31 . 2008-03-17 10:31 <DIR> d C:\Documents and Settings\User\Application Data\skypePM
2008-03-17 10:31 . 2008-03-17 10:31 32 --a C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-17 10:24 . 2008-03-17 10:24 <DIR> d C:\Documents and Settings\User\Application Data\Skype
2008-03-17 10:22 . 2008-03-17 10:22 <DIR> d C:\Program Files\Skype
2008-03-17 10:22 . 2008-03-17 10:22 <DIR> d C:\Program Files\Common Files\Skype
2008-03-17 10:21 . 2008-03-17 10:21 <DIR> d C:\Documents and Settings\All Users\Application Data\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 14:35 31,052 --sh--r C:\WINDOWS\SYSTEM32\avpo0.dll
2008-03-24 00:17 101,081 ----a-w C:\WINDOWS\SYSTEM32\help.exe.tmp
2008-03-03 04:49 107,132 ----a-w C:\WINDOWS\UninstallFirefox.exe
2008-03-01 17:20 106,572 --sh--r C:\oufddh.exe
2008-02-19 15:25 107,052 --sh--r C:\gumkrhf.bat
2008-02-18 05:38 104,946 --sh--r C:\0hct8ybw.bat
2008-02-14 05:24 d w C:\Program Files\VstPlugins
2008-02-14 05:23 d w C:\Program Files\Image-Line
2008-02-14 03:51 102,211 --sh--r C:\x.com
2008-01-12 20:34 105,506 --sh--r C:\d.com
2007-11-16 05:47 266 --sh--w C:\Program Files\desktop.ini
2007-11-16 05:47 11,196 ---h--w C:\Program Files\folder.htt
2007-11-17 17:01 91,744 --sh--r C:\WINDOWS\SYSTEM32\avpo.exe
2007-12-18 18:49 44,608 --sh--r C:\WINDOWS\SYSTEM32\amvo2.dll
2007-05-09 07:12 30,001 --sha-r C:\WINDOWS\SYSTEM32\DRIVERS\spo0lsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}]
2008-03-10 07:47 454144 --a C:\Program Files\ConnectionServices\ConnectionServices.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2003-08-18 02:00 15360]
"SuperCopier2.exe"="D:\BACKUP\DISTRIBUTIVE\SuperCopier2\SuperCopier2.exe" [2006-07-07 19:45 1052672]
"avpa"="C:\WINDOWS\system32\avpo.exe" [2007-11-17 21:01 91744]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-06-20 06:28 43008]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-07-15 13:43 3259904]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-06 23:51 50528]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="D:\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2003-08-18 02:00 15360]
C:\Documents and Settings\User\Главное меню\Программы\Автозагрузка\ (Start Menu\Programs\Startup)
WinMySQLadmin.lnk - D:\mysql\bin\winmysqladmin.exe [2007-10-05 02:07:47 1158656]
C:\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\ (Start Menu\Programs\Startup)
Monitor Apache Servers.lnk - D:\Apache Group\Apache2\bin\ApacheMonitor.exe [2005-04-16 14:26:08 41042]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-04 20:27:36 113664]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\FileZilla Client\\filezilla.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
S2 MySQL5;MySQL5;"D:\mysql\bin\mysqld-nt" --defaults-file="D:\mysql\my.ini" MySQL5 []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-05 00:38]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b26c2f2e-a302-11dc-b47b-0030840fe6e7}]
\Shell\AutoRun\command - F:\ntde1ect.com
\Shell\explore\Command - F:\ntde1ect.com
\Shell\open\Command - F:\ntde1ect.com
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 18:44:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="D:/mysql/bin/mysqld-nt.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\User\LOCALS~1\Temp\mc22.tmp"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="D:/mysql/bin/mysqld-nt.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL5]
"ImagePath"="\"D:\mysql\bin\mysqld-nt\" --defaults-file=\"D:\mysql\my.ini\" MySQL5"
.
Completion time: 2008-04-06 18:44:52
ComboFix-quarantined-files.txt 2008-04-06 14:44:50
ComboFix2.txt 2008-02-11 07:37:50
11 folders 313,638,912 bytes free
14 folders 305,000,448 bytes free
.
2008-02-14 00:01:28 --- E O F ---
Dennis.
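Reading a log like the one above by eye is error-prone, so here is an added example (my code, not ComboFix's and not posted in this thread) that parses ComboFix-style lines and flags the indicators a reviewer looks for in an autorun-worm case: Autorun.inf and hidden+system executables sitting in a drive root, hidden+system files under system32, Run values that launch an unexpected system32 binary, and MountPoints2 AutoRun/open/explore handlers pointing at another volume. The sample lines are a subset copied from the log above; the allow-list KNOWN_SYSTEM32_RUN and the heuristics themselves are my assumptions, not rules ComboFix applies.

```python
"""Flag autorun-worm indicators in a ComboFix-style log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Autorun.inf
C:\kmd.exe
C:\WINDOWS\system32\amvo.exe
D:\Autorun.inf
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
2008-04-05 13:55 . 2008-04-05 13:55 <DIR> d C:\Program Files\Yahoo!
2008-04-01 16:26 . 2008-04-01 16:25 103,182 -r-hs---- C:\mvxm.cmd
2008-03-28 20:57 . 2008-03-28 19:57 103,953 -r-hs---- C:\gjn2pjlw.exe
2008-03-28 09:26 . 2008-03-28 09:26 21 --a C:\WINDOWS\atid.ini
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-04-06 14:35 31,052 --sh--r C:\WINDOWS\SYSTEM32\avpo0.dll
2008-03-01 17:20 106,572 --sh--r C:\oufddh.exe
2008-02-14 03:51 102,211 --sh--r C:\x.com
2007-11-16 05:47 266 --sh--w C:\Program Files\desktop.ini
2007-05-09 07:12 30,001 --sha-r C:\WINDOWS\SYSTEM32\DRIVERS\spo0lsv.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2003-08-18 02:00 15360]
"avpa"="C:\WINDOWS\system32\avpo.exe" [2007-11-17 21:01 91744]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b26c2f2e-a302-11dc-b47b-0030840fe6e7}]
\Shell\AutoRun\command - F:\ntde1ect.com
\Shell\open\Command - F:\ntde1ect.com
"""

EXEC_EXT = (".exe", ".com", ".cmd", ".bat", ".pif", ".scr")
# Assumption for this example: the only Run entry in system32 expected on a
# stock XP install. Extend this allow-list from your own clean baseline.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}

SECTION = re.compile(r"^\({5,}\s*(?P<name>.+?)\s*\){5,}$")
REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<exe>[^"]+)"')
MOUNTPOINT = re.compile(
    r"^\\Shell\\(?P<verb>AutoRun|open|explore)\\command\s+-\s+(?P<target>\S.*)$", re.IGNORECASE)
# ComboFix prints a DOS attribute field (r=read-only, a=archive, h=hidden, s=system) before the path
FILE_LINE = re.compile(r"(?:^|\s)(?P<attr>[-rahsw]{3,9})\s+(?P<path>[A-Za-z]:\\.+)$")
BARE_PATH = re.compile(r"^(?P<path>[A-Za-z]:\\.+)$")
ROOT_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+$")
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    detail: str


def classify_file(path, attr):
    """Heuristics for one file entry; attr is ComboFix's attribute field ('' if the line had none)."""
    hidden_system = "h" in attr and "s" in attr
    in_root = bool(ROOT_FILE.match(path))
    if in_root and path.lower().endswith("\\autorun.inf"):
        return Finding("root_autorun", path, "Autorun.inf in a drive root")
    if in_root and path.lower().endswith(EXEC_EXT) and (hidden_system or attr == ""):
        return Finding("root_hidden_exec", path, f"executable in a drive root, attrs={attr or '?'}")
    if hidden_system and SYSTEM32.search(path):
        return Finding("system32_hidden", path, f"hidden+system file under system32, attrs={attr}")
    return None


def scan(log_text):
    """Walk the log once, tracking the current section and registry key, and collect findings."""
    findings, section, key = [], "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION.match(line):
            section, key = m["name"].lower(), ""
            continue
        if m := REG_KEY.match(line):
            key = m["key"].lower()
            continue
        if key.endswith("\\run") and (m := RUN_VALUE.match(line)):
            exe = m["exe"]
            base = exe.rsplit("\\", 1)[-1].lower()
            if SYSTEM32.search(exe) and base not in KNOWN_SYSTEM32_RUN:
                findings.append(Finding("run_key_system32", exe,
                                        f'Run value "{m["name"]}" starts an unexpected system32 binary'))
            continue
        if "mountpoints2" in key and (m := MOUNTPOINT.match(line)):
            volume = key.rsplit("\\", 1)[-1]
            findings.append(Finding("mountpoint_autorun", m["target"],
                                    f"{m['verb']} handler for volume {volume} runs from {m['target'][:2]}"))
            continue
        if section == "other deletions" and (m := BARE_PATH.match(line)):
            findings.append(Finding("already_deleted", m["path"], "already removed by ComboFix"))
            continue
        if m := FILE_LINE.search(line):
            finding = classify_file(m["path"], m["attr"])
        elif m := BARE_PATH.match(line):
            finding = classify_file(m["path"], "")
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per kind so the remaining (not yet deleted) indicators stand out."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.kind:18} {f.path:45} {f.detail}")
    print(summarize(scan(SAMPLE_LOG)))
```

On the sample above the scanner reports four entries ComboFix already deleted and nine that are still present: four hidden+system executables in the root of C:, two hidden+system files under system32, the "avpa" Run value pointing at avpo.exe, and the two MountPoints2 handlers that would run F:\ntde1ect.com whenever that volume is opened. That is the same conclusion the helper reaches below ("it did not take out the infection"), arrived at mechanically.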
Comments
Actually, you do know that starting ComboFix also caused your internal speaker to sound off two loud beeps, and then posted a large banner stating you should not be running it this way, with an option to say No at that time. However, so far I have not seen a single person ever post saying they stopped at that point and awaited advice in a thread here. Ah, I just noticed you also ran it from a drive other than the root drive there.
And it did not take out the infection. Regroup time. Make no other changes now please unless we discuss them here. First let's get a different detailed view, then do repairs from that. Do not run ComboFix anymore, but make no other changes related to it.
Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Options, place a check next to the following:
Backup Registry Hives
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)
Sorry for the delay!!
I ran DSS and here are the logs it generated. I hope these contain some important information on what's wrong with the computer. Unfortunately, I have a Russian version of Windows XP installed, thus some messages in the logs were generated in Russian, but I hope those errors and messages are common and could be easily recognized by a professional; if not, just let me know and I will translate them into English and publish them again.
Thanks much in advance!
Dennis.
main.txt: extra.txt:
I will review some options before just applying the standard approaches I would use, since I cannot provide steps when I myself am not sure of the outcomes. The system has no security software I can see - did you recently uninstall that?
While I review the tools we can use safely here (and I would suggest not running ComboFix any more now) you can start repairs by going to Add/Remove Programs and uninstalling this undesirable BHO, if it provides the option:
ConnectionServices
D: is Fixed (FAT32) - 30.87 GiB total, 1.48 GiB free.
E: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - ST360021A - 55.9 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 25.01 GiB - C:
\PARTITION1 - Extended Win95/98 with extended IRQ13 - 30.89 GiB - D:
The root drive for this XP install there is nearly maxed out on space, to a point where you will not be able to do common tasks that require temp space while operating. This would include installing the missing antivirus/security software, since it needs to be installed to the root drive to function properly. Not a promising arrangement. What is the D drive used for primarily?
Dennis.
:smiles: If we need one of those fellows I will surely see if one is available.
Given the MS core system default setups, if we stay away from repair scans that might target the wrong items we should be okay, and we can use Russian-sourced scans as well to be sure here. The ComboFix scan created its own ERDNT backup if needed, but I admit I cannot guarantee some language glitch might not leave you to call upon that at some point.
Go here and download Flash_Disinfector.exe and save it to your desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well, and leave them installed for the remainder of all repairs here.
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
Download The Avenger by Swandog from here and save it to your Desktop.
Disconnect from net access, close all open programs and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.
Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.
Your system may reboot twice to complete the repairs. After the reboot a text file will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt. You may also get "missing file" errors on reboot, but we will address these afterwards as well.
Then reconnect to net access and Download Dr.Web CureIt! from here to your Desktop.
When you have done this, boot into safe mode (restart your computer and tap F8 continuously as it restarts)
Doubleclick the drweb-cureit.exe file. Click on Start and Ok and allow it to run the express scan. This is a short scan and will scan all files currently running in memory. If something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, click on Custom Scan and choose the drives that you want to scan. Click on the drive to select it. A red dot shows which drives have been chosen. Click the green arrow > to the right and the scan will begin. At the first sign of infection, Select 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, click the "Select all" button and then click on the Move button. This will move any infected files to the %userprofile%\DoctorWeb\quarantine folder.
Next and this is important, from the main Dr.Web CureIt menu (top left), click File and choose save report list and save the report to your desktop. The report will be called DrWeb.csv and it can be opened in Notepad.
Close Cureit and restart your computer to completely remove any stubborn files. You may get a message saying "No operations performed with some objects in list. Exit program". If so, click "Yes" (You may get a popup offering you a discount if you purchase DrWeb AntiVirus. You may or may not wish to take advantage of this offer later but for now, just close the popup wait for the scan to finish).
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes.
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post back that log along with the CureIt log and the avenger.txt log please.