Please review ComboFix and HijackThis logs for any Virus/Malware.

Posted on 2008-10-06
Medium Priority
Last Modified: 2013-12-06
I have a computer that is continuously having trouble with viruses and malware.  I ran ComboFix and it seems to have solved a lot of the problems, but I have a feeling that there is more to it.  For example, when I look at the logs I see something called bloghorse.exe.  I think that is a problem.  Plus it never fails to have calc.exe and two notepad.exe running in the background when nothing is seemingly open.  It also kept attempting to download from the yxxqqb.3322.org website (ever since I ran ComboFix it stopped that), but after I ran ComboFix it hit two sites, blog.sina.com and fei349966796.w13.08host.com/blogupdate.txt.   That is why I think there is more to it.  If someone could review the logs and help me out on cleaning this thing from the PC, I would appreciate it.  
Question by:nkirkus
LVL 47

Expert Comment

ID: 22657574

I think if this was mine I would think of reformatting and changing all passwords.

Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:

C:\Program Files\_20088.exe
C:\Program Files\_rejoice072.exe

C:\Program Files\NetMeeting\NetMeetingsysw
C:\Program Files\WinRAR\WinRARsystem

Windows Storage Service v2.0
NetMeeting winsoshsi
disk manager service
Event propagation and logging
Portable Media Serial
Proteoted Storage
remotes Access Auto Connection Managers to
MICRO Windows Management Instrumentasws

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetMeeting winsoshsi]
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Can you please submit these files for a virus check at http://virusscan.jotti.org/

Also run SDFix and DrWebCureIt.
1.  Download SDFix and save it to your desktop.

Double click SDFix and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.
*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back

2.  Download Dr.Web CureIt to the desktop:

*  Double-click the drweb-cureit.exe file and allow it to run the express scan
*  This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
*  Once the short scan has finished, mark the drives that you want to scan.
*  Select all drives. A red dot shows which drives have been chosen.
*  Click the green arrow at the right, and the scan will start.
*  Click 'Yes to all' if it asks if you want to cure/move the file.
*  When the scan has finished, in the menu, click file and choose save report list
*  Save the report to your desktop. The report will be called DrWeb.csv
*  Close Dr.Web Cureit.
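The question describes system-binary names (svchost, calc, notepad, explorer) running when nothing is open, and the thread later turns on an svchost.com found in System32 and on replacing notepad.exe with a clean copy. The script below is an added example by the editor, not code from the thread or from any of the tools it mentions: it checks that processes carrying those names run from the directory the real binary lives in, looks for .com files that shadow an .exe of the same name in System32 (cmd.exe's default PATHEXT order tries .COM before .EXE, so a planted svchost.com is what "svchost" launches), and hashes the suspect files so they can be compared with hashes taken from a known-clean machine. It assumes PowerShell 4.0 or later (for Get-FileHash) run as an administrator; $ReferenceHashes and the expected-directory table are placeholders you fill for your own Windows build.

```powershell
# Added example (not from the thread). Assumes PowerShell 4.0+ run as administrator.
# The expected-directory table and $ReferenceHashes are assumptions to be filled in for
# the Windows build being examined (on recent Windows, notepad may run from WindowsApps).

$system32 = Join-Path $env:SystemRoot 'System32'

# Names mentioned in the thread, with the directory each one normally runs from.
$expected = @{
    'svchost'  = $system32
    'calc'     = $system32
    'notepad'  = $system32
    'explorer' = $env:SystemRoot
}

# Hypothetical reference hashes captured on a clean PC of the same build/service pack.
$ReferenceHashes = @{
    'notepad.exe' = '<sha256 from clean machine>'
    'svchost.exe' = '<sha256 from clean machine>'
}

function Get-SuspectProcess {
    # Flag any process with a system-binary name whose image is not in the expected
    # directory, or whose image path cannot be read at all.
    Get-Process | Where-Object { $expected.ContainsKey($_.ProcessName.ToLower()) } |
      ForEach-Object {
        $name = $_.ProcessName.ToLower()
        $path = $_.Path                                   # $null if unreadable
        $dir  = if ($path) { Split-Path $path -Parent } else { $null }
        $ok   = $dir -and ($dir -ieq $expected[$name])
        [pscustomobject]@{
            Name     = $_.ProcessName
            PID      = $_.Id
            Path     = $path
            Expected = $expected[$name]
            Suspect  = -not $ok
        }
      }
}

function Get-ComShadow {
    # A foo.com sitting next to foo.exe in System32 wins when "foo" is typed at a cmd
    # prompt or launched without an extension. Legitimate pairs are rare; review each hit.
    Get-ChildItem -Path $system32 -Filter '*.com' -File -ErrorAction SilentlyContinue |
      Where-Object { Test-Path -LiteralPath (Join-Path $system32 ($_.BaseName + '.exe')) } |
      Select-Object FullName, Length, LastWriteTime
}

function Compare-ToReference {
    # Hash the on-disk binaries and compare against the clean-machine values.
    foreach ($name in $ReferenceHashes.Keys) {
        $file = Join-Path $system32 $name
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        [pscustomobject]@{
            File    = $file
            SHA256  = $hash
            Matches = ($hash -ieq $ReferenceHashes[$name])
        }
    }
}

Get-SuspectProcess  | Format-Table -AutoSize
Get-ComShadow       | Format-Table -AutoSize
Compare-ToReference | Format-Table -AutoSize
```

A hash mismatch against a copy from a clean machine of the same build is the check that matters here; a clean result from an online multi-engine scanner only says that no engine recognised the file at that moment.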

Author Comment

ID: 22660203
Thanks for your response and taking a look at everything.  Here are the results of what you told me to do (I just copied the DrWeb express and full scans to one txt file).  

I used the website to scan the files you requested and this is what they came up with.

Svchost.com - A-Squared found Trojan.Loader.AK!K; Ikarus found Trojan.Loader.AK
Calc.exe - nothing found
Notepad.exe - ArcaVir found Trojan.Small.Fb
Explorer.exe - nothing found


Author Comment

ID: 22686891
If you can let me know what I should do about the viruses found in the svchost.com file and the notepad.exe file, and just take a quick peek at the ComboFix and HijackThis logs to make sure it is clean, I would appreciate it.  If it looks clean, then I'm cool with it, but if there is more to it then I will probably wipe the system clean and start over.  We have this one user that has gotten a hold of something on this machine, but we can't find out where they have been to get this mess.  
LVL 47

Accepted Solution

rpggamergirl earned 2000 total points
ID: 22697722

I'm so sorry, please forgive me for not replying promptly, I missed the email alert on this one.

C:\Program Files\Common Files\Microsoft Shared\MSInfo\20088.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice072.exe
The above files are showing in the SDFix log, so we'll add them to the script.

O23 - Service: ccwiz - Unknown owner - C:\WINDOWS\system32\ccproxy.exe (file missing)
O23 - Service: Symantec AntiVirus. (Event propagation and logging ) - Unknown owner - C:\Program.exe (file missing)

The above services don't look like legitimate services; they don't belong to Symantec and their files are already gone, so I suggest removing them, as it is unwise to have orphaned services because a malware dropper can make use of them. You seem to have many fake services there.

Most of what DrWebCureIt found were in the System Restore folder (which were harmless while in that folder) and some are also already in the CF quarantine.

>>>If you can let me know what I should do about the viruses found in the svchost.com file <<<

You would need to delete the svchost.com. Was it in the system32 folder? I'll add it to the script. How about the svchost.exe, was it clean?
For the notepad.exe, you would need to replace it with a clean one.
You can get a copy from another clean PC, or download one, or replace it from the Windows CD (in case the other notepad.exes in other locations are corrupt).

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\20088.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice072.exe

Event propagation and logging
COM+ Event Systemn
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
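The accepted answer's point about the O23 entries is that a service whose binary is gone is not harmless: the registration remains, and a later dropper can put a file back at the path the service already points to (under a display name that looks like a vendor's). The script below is an added example by the editor, not code from the thread, HijackThis or ComboFix: it walks HKLM\SYSTEM\CurrentControlSet\Services, resolves each ImagePath the way the service control manager would (quoted and unquoted paths, environment variables, the \??\ and \SystemRoot\ prefixes, and paths relative to the Windows directory) and lists every service whose executable is missing, ready to be reviewed and removed with sc.exe delete. It assumes PowerShell 3.0 or later run as an administrator and deletes nothing on its own.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ run as administrator.
# Lists services whose registered executable no longer exists ("file missing" in the
# HijackThis O23 lines). Nothing is deleted automatically; review the output first.

function ConvertTo-ServiceExePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # Strip the NT object-manager prefixes that driver entries commonly carry.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    # Quoted path: the executable is whatever sits inside the quotes.
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: the executable ends at the first .exe/.sys/.dll token; the rest
    # (for example "-k netsvcs") is arguments.
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    # No drive letter: the path is relative to the Windows directory.
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-OrphanedService {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.ImagePath) { return }     # no executable registered; skip
        $exe = ConvertTo-ServiceExePath $props.ImagePath
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{
                Service     = $_.PSChildName      # key name, what sc.exe delete takes
                DisplayName = $props.DisplayName  # what HijackThis shows in O23
                ImagePath   = $props.ImagePath
                Resolved    = $exe
                Start       = $props.Start        # 2 = automatic, 3 = manual, 4 = disabled
            }
        }
    }
}

$orphans = Get-OrphanedService
$orphans | Sort-Object Service | Format-Table -AutoSize

# After confirming an entry is bogus, remove it by its key name; the deletion is
# applied by the service control manager and is final after the next reboot.
# sc.exe delete "NetMeeting winsoshsi"
```

Compare the DisplayName column against the Service column: the thread's fake entries reuse a vendor's display name ("Event propagation and logging") while the key name and the path belong to nothing installed, which is exactly the pattern a look-alike service leaves behind.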


Author Comment

ID: 22770918
I had to give the computer back to the user in order for them to get some information off of it.  I am waiting on them to return it.  If I do not get it back within the next couple of days then I will close this topic giving full points to you, rpggamergirl.  I will do what you stated in your post and above and open a new one if I have any questions.  

If I do get it back within the next couple of days then I will do what you said here and post logs.  To answer your question about the svchost.com file, it was in the system32 folder.  

Thanks again for your help.

Author Comment

ID: 22789033
Got the computer back.  Here are the logs after I ran the script.  I had told you wrong on the svchost.com file.  The .com in that post was supposed to be .exe.  I was able to find a clean copy of svchost.exe and notepad.exe and get them onto this PC.  I scanned the files after a reboot from the website http://virusscan.jotti.org/ and they came up clean.  

I think I am good if you think the logs are clean.  
LVL 47

Expert Comment

ID: 22829045
Sorry for my very late reply.

The HijackThis log is clean; the ComboFix log is still showing some of those redundant services that I put in the script. Those are redundant as their files no longer exist.
Anyway, if things are fine now that's good.
You can then uninstall Combofix.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.
