Solved

Please review ComboFix and HijackThis logs for any Virus/Malware.

Posted on 2008-10-06
7
640 Views
Last Modified: 2013-12-06
I have a computer that is continuously having trouble with Virus and Malware.  I ran ComboFix and it seems to have solved a lot of the problems but I have a feeling that there is more to it.  For example when I look at the logs I see something called bloghorse.exe.  I think that is a problem.  Plus it never fails to have calc.exe and two notepad.exe running in the background when nothing is seemingly open.  It also kept attempting to download from yxxqqb.3322.org website (ever since I ran ComboFix it stopped that) but after I ran ComboFix it hit two sites blog.sina.com and fei349966796.w13.08host.com/blogupdate.txt.   That is why I think there is more to it.  If someone could review the logs and help me out on cleaning this thing from the PC I would appreciate it.  
ComboFix-log.txt
hijackthis.log
0
Comment
Question by:nkirkus
7 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22657574

I think if this was mine I would think of reformatting and changing all passwords.

Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
Extra::

File::
C:\Program Files\_20088.exe
C:\WINDOWS\bloghorse.exe
C:\WINDOWS\hideproc.dll
C:\WINDOWS\152.1642.bat
C:\WINDOWS\blogsys.ini
C:\WINDOWS\_lovemymm.ini
C:\WINDOWS\UPsutup.exe
C:\Program Files\_rejoice072.exe
C:\sym.exe

Folder::
C:\Program Files\NetMeeting\NetMeetingsysw
C:\Program Files\WinRAR\WinRARsystem

Driver::
Windows Storage Service v2.0
NetMeeting winsoshsi
20088.exe
disk manager service
Event propagation and logging
help
Portable Media Serial
Proteoted Storage
remotes Access Auto Connection Managers to
MICRO Windows Management Instrumentasws
Remote_Server_2008
Windows_rejoice2008_722

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlogSys"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetMeeting winsoshsi]
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

 
Can you please submit these files for a virus check at http://virusscan.jotti.org/
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\notepad.exe

 
Also run SDFix and DrWebCureIt.
1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.
*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back


2.  Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

*  Double-click the drweb-cureit.exe file and Allow to run the express scan
*  This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
*  Once the short scan has finished, mark the drives that you want to scan.
*  Select all drives. A red dot shows which drives have been chosen.
*  Click the green arrow at the right, and the scan will start.
*  Click 'Yes to all' if it asks if you want to cure/move the file.
*  When the scan has finished, in the menu, click file and choose save report list
*  Save the report to your desktop. The report will be called DrWeb.csv
*  Close Dr.Web Cureit.
0
 

Author Comment

by:nkirkus
ID: 22660203
Thanks for your response and taking a look at everything.  Here are the results of what you told me to do (I just copied the DrWeb express and full scans to one txt file).  

I used the website to scan the files you requested and this is what they came up with.

Svchost.com - **A-Squared Found Trojan.Loader.AK!K**Ikarus Found Trojan.Loader.AK
Calc.exe -**Found Nothing**
Notepad.exe-**ArcaVir Found Trojan.Small.Fb**
Explorer.exe-**Found Nothing**




SDFix-report-10-07-08.txt
ComboFix-log-10-07-08.txt
hijackthis-10-07-08.log
DrWeb-Express-and-Full-Scan-10-0.txt
0
 

Author Comment

by:nkirkus
ID: 22686891
If you can let me know what I should do about the viruses found in the svchost.com file and the notepad.exe file and just take a quick peek at the combofix and hijackthis log to make sure it is clean I would appreciate it.  If it looks clean, then I'm cool with it but if there is more to it then I will probably wipe the system clean and start over.  We have this one user that has gotten a hold of something on this machine but we can't find out where they have been to to get this mess.  
0

 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 22697722

I'm so sorry, please forgive me for not replying promptly, I missed the email alert on this one.

C:\Program Files\Common Files\Microsoft Shared\MSInfo\20088.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice072.exe
The above files are showing in the SDFix log so we'll add them to the script.

O23 - Service: ccwiz - Unknown owner - C:\WINDOWS\system32\ccproxy.exe (file missing)
O23 - Service: Symantec AntiVirus. (Event propagation and logging ) - Unknown owner - C:\Program.exe (file missing)

The above services don't look like legit services, they don't belong to Symantec and their files are already gone, so I suggest removing them as it is unwise to have orphaned services because malware droppers can make use of these. You seem to have so many fake services there.

Most of what DrWebCureIt found were in the System Restore folder (which were harmless while in that folder) and some are also already in CF quarantine.


>>>If you can let me know what I should do about the viruses found in the svchost.com file <<<

You would need to delete the svchost.com, was it in the system32 folder? I'll add it to the script, how about the svchost.exe was it clean?
the notepad.exe, you would need to replace it with a clean one.
You can get a copy from another clean PC, or download one, or replace it from the Windows CD (in case other notepad.exes in other locations are corrupt).

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\Program Files\Common Files\Microsoft Shared\MSInfo\20088.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice072.exe
C:\WINDOWS\System32\svchost.com

Driver::
ccwiz
Event propagation and logging
MSDTCSERVEsss
COM+ Event Systemn
kthsjfERVEsss
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

 
0
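As an added illustration (not code from this thread, nor from HijackThis or ComboFix), here is a small Python triage of HijackThis `O23` service lines of the kind quoted above: it parses each entry, flags the orphaned ones the accepted answer recommends removing (HijackThis's own "(file missing)" marker, plus "Unknown owner" and an executable sitting in the drive root or directly in the Windows folder, the last of which is my own heuristic), and renders them as the `Driver::` block of a CFScript in the format the answers use. The sample lines are constructed for the example; the service key name `wsserv2` is made up.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample lines in HijackThis O23 format (not copied from the
# thread's attached logs). HijackThis appends "(file missing)" when the
# service's executable is no longer on disk; the first two lines mirror
# the two orphaned services quoted in the accepted answer, the third uses
# a made-up service key name (wsserv2), the fourth is a normal service.
SAMPLE_O23_LINES = [
    r"O23 - Service: ccwiz - Unknown owner - C:\WINDOWS\system32\ccproxy.exe (file missing)",
    r"O23 - Service: Symantec AntiVirus. (Event propagation and logging ) - Unknown owner - C:\Program.exe (file missing)",
    r"O23 - Service: Windows Storage Service v2.0 (wsserv2) - Unknown owner - C:\WINDOWS\UPsutup.exe",
    r"O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe",
]

# O23 layout: "Service: <display> (<key name>) - <owner> - <path> [(file missing)]".
# The key name in parentheses is optional; without it, key name == display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]*)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str
    name: str            # service key name; equals display when HJT prints none
    owner: str
    path: str
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_o23(line: str) -> ServiceEntry:
    """Parse one O23 line into its fields; raise on anything else."""
    m = O23_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an O23 line: {line!r}")
    display = m.group("display").strip()
    name = (m.group("name") or display).strip()
    return ServiceEntry(display, name, m.group("owner").strip(),
                        m.group("path").strip(), m.group("missing") is not None)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach human-readable reasons why a service deserves a second look."""
    reasons = []
    if entry.file_missing:
        reasons.append("orphaned: executable no longer exists")
    if entry.owner.lower() == "unknown owner":
        reasons.append("no vendor information")
    # Heuristic (my assumption, not a rule stated in the thread): legitimate
    # services almost never run from the drive root or directly from %SystemRoot%.
    parent = entry.path.rsplit("\\", 1)[0].rstrip("\\").lower()
    if parent in ("c:", "c:\\windows"):
        reasons.append(f"executable sits in an unusual location ({parent})")
    entry.reasons = reasons
    return entry


def triage(lines: List[str]) -> List[ServiceEntry]:
    """Parse and assess every O23 line in a HijackThis log excerpt."""
    return [assess(parse_o23(l)) for l in lines if l.startswith("O23 - ")]


def orphaned_names(entries: List[ServiceEntry]) -> List[str]:
    """Service key names whose executable is gone (HJT's 'file missing')."""
    return [e.name for e in entries if e.file_missing]


def cfscript_driver_section(entries: List[ServiceEntry]) -> str:
    """Render orphaned services as a ComboFix CFScript 'Driver::' block,
    listing the service key name exactly as the accepted answer does."""
    names = orphaned_names(entries)
    return "Driver::\n" + "\n".join(names) + "\n" if names else ""


if __name__ == "__main__":
    results = triage(SAMPLE_O23_LINES)
    for e in results:
        status = "; ".join(e.reasons) if e.reasons else "nothing unusual"
        print(f"{e.name:32s} {e.path:42s} {status}")
    print()
    print(cfscript_driver_section(results))
```

The script only reads log text and prints a proposed block; whether a flagged service is really removable is still a judgement call, which is why the reasons are listed rather than acted on.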
 

Author Comment

by:nkirkus
ID: 22770918
I had to give the computer back to the user in order for them to get some information off of it.  I am waiting on them to return it.  If I do not get it back within the next couple of days then I will close this topic giving full points to you, rpggamergirl.  I will do what you stated in your post and above and open a new one if I have any questions.  

If I do get it back within the next couple of days then I will do what you said here and post logs.  To answer your question about the svchost.com file, it was in the system32 folder.  

Thanks again for your help.
0
 

Author Comment

by:nkirkus
ID: 22789033
Got the computer back.  Here are the logs after I ran the script.  I had told you wrong on the svchost.com file.  The .com in that post was supposed to be .exe.  I was able to find a clean copy of svchost.exe and notepad.exe and get them onto this PC.  I scanned the files after a reboot from the website http://virusscan.jotti.org/ and they came up clean.  

I think I am good if you think the logs are clean.  
hijackthis10-23-08.log
ComboFix-log-10-23-08.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22829045
Sorry for my very late reply.

HijackThis log is clean, the combofix log is still showing some of those redundant services that I input in the script, those are redundant as their files no longer exist.
Anyway, if things are fine now that's good.
You can then uninstall Combofix.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.
Thanks!
0
