Please review ComboFix and HijackThis logs for any Virus/Malware.

Posted on 2008-10-06
Medium Priority
Last Modified: 2013-12-06
I have a computer that is continuously having trouble with viruses and malware. I ran ComboFix and it seems to have solved a lot of the problems, but I have a feeling that there is more to it. For example, when I look at the logs I see something called bloghorse.exe. I think that is a problem. Plus it never fails to have calc.exe and two notepad.exe running in the background when nothing is seemingly open. It also kept attempting to download from the yxxqqb.3322.org website (ever since I ran ComboFix it stopped that), but after I ran ComboFix it hit two sites, blog.sina.com and fei349966796.w13.08host.com/blogupdate.txt. That is why I think there is more to it. If someone could review the logs and help me out on cleaning this thing from the PC I would appreciate it.
Question by:nkirkus
LVL 47

Expert Comment

ID: 22657574

I think if this was mine I would think of reformatting and changing all passwords.

Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:

C:\Program Files\_20088.exe
C:\Program Files\_rejoice072.exe

C:\Program Files\NetMeeting\NetMeetingsysw
C:\Program Files\WinRAR\WinRARsystem

Windows Storage Service v2.0
NetMeeting winsoshsi
disk manager service
Event propagation and logging
Portable Media Serial
Proteoted Storage
remotes Access Auto Connection Managers to
MICRO Windows Management Instrumentasws

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetMeeting winsoshsi]
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Can you please submit these files for a virus check at http://virusscan.jotti.org/

Also run SDFix and DrWebCureIt.
1.  Download SDFix and save it to your desktop.

Double click SDFix and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.
*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back.

2.  Download Dr.Web CureIt to the desktop:

*  Double-click the drweb-cureit.exe file and allow it to run the express scan.
*  This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
*  Once the short scan has finished, mark the drives that you want to scan.
*  Select all drives. A red dot shows which drives have been chosen.
*  Click the green arrow at the right, and the scan will start.
*  Click 'Yes to all' if it asks if you want to cure/move the file.
*  When the scan has finished, in the menu, click File and choose Save report list.
*  Save the report to your desktop. The report will be called DrWeb.csv
*  Close Dr.Web Cureit.

Author Comment

ID: 22660203
Thanks for your response and for taking a look at everything. Here are the results of what you told me to do (I just copied the DrWeb express and full scans to one txt file).

I used the website to scan the files you requested and this is what they came up with.

Svchost.com - **A-Squared Found Trojan.Loader.AK!K** **Ikarus Found Trojan.Loader.AK**
Calc.exe - **Found Nothing**
Notepad.exe - **ArcaVir Found Trojan.Small.Fb**
Explorer.exe - **Found Nothing**


Author Comment

ID: 22686891
If you can let me know what I should do about the viruses found in the svchost.com file and the notepad.exe file, and just take a quick peek at the ComboFix and HijackThis logs to make sure it is clean, I would appreciate it. If it looks clean, then I'm cool with it, but if there is more to it then I will probably wipe the system clean and start over. We have this one user that has gotten a hold of something on this machine but we can't find out where they have been to get this mess.

LVL 47

Accepted Solution

rpggamergirl earned 2000 total points
ID: 22697722

I'm so sorry, please forgive me for not replying promptly, I missed the email alert on this one.

C:\Program Files\Common Files\Microsoft Shared\MSInfo\20088.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice072.exe
The above files are showing in the SDFix log so we'll add them to the script.

O23 - Service: ccwiz - Unknown owner - C:\WINDOWS\system32\ccproxy.exe (file missing)
O23 - Service: Symantec AntiVirus. (Event propagation and logging ) - Unknown owner - C:\Program.exe (file missing)

The above services don't look like legit services; they don't belong to Symantec and their files are already gone, so I suggest removing them, as it is unwise to have orphaned services because a malware dropper can make use of these. You seem to have so many fake services there.

Most of what DrWebCureIt found was in the System Restore folder (which was harmless while in that folder) and some are also already in CF quarantine.

>>>If you can let me know what I should do about the viruses found in the svchost.com file <<<

You would need to delete the svchost.com; was it in the system32 folder? I'll add it to the script. How about the svchost.exe, was it clean?
The notepad.exe you would need to replace with a clean one.
You can get a copy from another clean PC, or download one, or replace it from the Windows CD (in case the other notepad.exe copies in other locations are corrupt).

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\20088.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice072.exe

Event propagation and logging
COM+ Event Systemn
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

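The orphaned-service judgement from the answer above, as an added example that is not part of the original thread: a small Python triage of HijackThis O23 lines that flags a service whose binary is reported missing, whose display name borrows a vendor name while the owner is unknown, or whose binary sits directly under the drive root. The vendor list and the last two heuristics are assumptions, and the sample mixes the two O23 lines quoted in this answer with three constructed entries.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# HijackThis O23 lines look like:
#   O23 - Service: <display name> - <owner> - <binary path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Vendor names that fake services borrow for their display names (assumed list).
KNOWN_VENDORS = ("symantec", "microsoft", "mcafee")

# Constructed sample: the two lines quoted in the answer plus three made-up entries
# (one genuine Symantec service, one ordinary Windows service, one fake at C:\).
SAMPLE_O23 = """\
O23 - Service: ccwiz - Unknown owner - C:\\WINDOWS\\system32\\ccproxy.exe (file missing)
O23 - Service: Symantec AntiVirus. (Event propagation and logging ) - Unknown owner - C:\\Program.exe (file missing)
O23 - Service: Symantec AntiVirus (Symantec AntiVirus) - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe
O23 - Service: Microsoft Update Helper (mshelper) - Unknown owner - C:\\mshelper.exe
"""

def assess_o23(line: str) -> Optional[List[str]]:
    """Reasons to distrust one O23 line; [] if it looks normal, None if not an O23 line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display, owner, path = m["display"].lower(), m["owner"].lower(), m["path"]
    reasons = []
    if m["missing"]:
        # The answer's point: an orphaned service entry is a foothold a dropper can reuse.
        reasons.append("orphaned: service binary is missing")
    if owner == "unknown owner" and any(v in display for v in KNOWN_VENDORS):
        reasons.append("vendor name in display name but owner unknown")
    if PureWindowsPath(path).parent.name == "":
        # Genuine vendor services live under Program Files or system32, not C:\ itself.
        reasons.append("binary sits directly under the drive root")
    return reasons

def triage(log_text: str) -> Dict[str, List[str]]:
    """Map the binary path of every flagged O23 line to its reasons; clean lines are skipped."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = assess_o23(line)
        if reasons:
            flagged[O23_RE.match(line.strip())["path"]] = reasons
    return flagged
```

Running `triage(SAMPLE_O23)` reports the two quoted entries and the constructed fake while leaving the genuine Symantec service and the winmgmt host untouched, which is the distinction the answer draws by hand.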

Author Comment

ID: 22770918
I had to give the computer back to the user in order for them to get some information off of it. I am waiting on them to return it. If I do not get it back within the next couple of days then I will close this topic, giving full points to you, rpggamergirl. I will do what you stated in your post above and open a new one if I have any questions.

If I do get it back within the next couple of days then I will do what you said here and post logs. To answer your question about the svchost.com file, it was in the system32 folder.

Thanks again for your help.

Author Comment

ID: 22789033
Got the computer back. Here are the logs after I ran the script. I had told you wrong on the svchost.com file. The .com in that post was supposed to be .exe. I was able to find a clean copy of svchost.exe and notepad.exe and get them onto this PC. I scanned the files after a reboot from the website http://virusscan.jotti.org/ and they came up clean.

I think I am good if you think the logs are clean.
LVL 47

Expert Comment

ID: 22829045
Sorry for my very late reply.

The HijackThis log is clean; the ComboFix log is still showing some of those redundant services that I put in the script. Those are redundant as their files no longer exist.
Anyway, if things are fine now that's good.
You can then uninstall Combofix.

Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

The procedure will delete the following:
*  ComboFix and its associated files and folders.
*  VundoFix backups, if present.
*  The C:\Deckard folder, if present.
*  The C:\_OtMoveIt folder, if present.
*  Reset the clock settings.
*  Hide file extensions, if required.
*  Hide System/Hidden files, if required.
*  Set a new, clean Restore Point.
