Help please analysing HijackThis and ComboFix logs

Someone opened an email joke attachment that appeared to come from a trusted source, but one click and all sorts of spyware programs started running. He immediately disconnected the PC ethernet cable and replaced the registry with a clean copy, and did a full scan with Symantec.

Mbam says everything is ok, but could someone please check the other 2 logs for any remaining infections?

Thanks,

Mike
ComboFix-log.txt
hijackthis.log
mbam-log-2008-11-05--16-18-38-.txt
mikeabc27 Asked:
rpggamergirl Commented:
Can you have him check the properties of these files and look at what it says, and also submit them at http://virusscan.jotti.org/ for a virus check.

c:\windows\system\ws32ntfl.dat
c:\windows\system32\12C4917A3C.sys
c:\windows\system32\CdI5T.drv
c:\windows\system32\flfnlf.sys
c:\windows\system32\rlfnlf.sys
c:\windows\system32\TMailRL.sys


Also an online scan with Kaspersky is a good idea as it's a thorough scanner.
http://www.kaspersky.com/virusscanner

 
He can also fix these entries in Hijackthis:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.eversoft.co.kr/vmpinstaller/installer/components/MTSInstallers/MetaStream3.cab?url=http://www.samsung.com/uk/products/printsolutions/multifunctionproducts/web3d/scx_4521fxeu/page_scx_4521f.html
O16 - DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} (pmjpegcam Class) - http://80.176.233.112/JpegInst.cab
0
mikeabc27 (Author) Commented:
Thanks, he was off yesterday, so doing on Monday.
0
mikeabc27 (Author) Commented:
> rpggamergirl - I got this email this morning:

Hi Mike,
 
I have run Hijackthis again but only one key was listed so I have deleted that.
 
I ran virusscan.jotti but none of the files listed appear to be within my Windows folder?
 
Any suggestions?
 
Cheers
 
Tony

I checked the ComboFix log and see the ComboFix run and all 6 files you mention are in the "Find 3M Report." Should he be able to find them?
0
rpggamergirl Commented:

Hi Mike,

Sorry for the delay in my reply.
Those files are hidden, so he would need to show hidden files and folders first, and find them via explorer.

If he uses Search Companion, he would need to reconfigure the "Search" function to search for hidden files; by default it does not, even if Explorer is already showing hidden files.
Start > Search >
Click "all files and folders" then scroll down
and click "more advanced options"
put a check next to "hidden files and folders"
scroll up, type the file and click Search.

 
Run combofix again using this script and we'll see if it can tell us something.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
FileLook::
c:\windows\system\ws32ntfl.dat
c:\windows\system32\12C4917A3C.sys
c:\windows\system32\CdI5T.drv
c:\windows\system32\flfnlf.sys
c:\windows\system32\rlfnlf.sys
c:\windows\system32\TMailRL.sys
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

 
0
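The reply above asks for two things that are easy to get wrong by hand: confirming whether each of the six files is actually present (and hidden), and recording its properties before sending it to an online scanner. The following script is an added example, not code from the thread or from ComboFix/HijackThis: it lists the six paths named above, reports existence, Windows hidden/system attributes, size and modification time, and computes MD5/SHA-1/SHA-256 so the hashes can be looked up or the file submitted. The `sample_report()` function builds a constructed temporary file plus one missing path so the helper can be exercised offline; the attribute bits are the documented Win32 values and are reported as `False` on non-Windows systems.

```python
"""Record properties and hashes of suspected files before submitting them.

Added example, not code from the thread or from ComboFix/HijackThis.
SUSPECT_PATHS are the paths named in the thread; everything else here
(sample file, temp directory) is constructed for the demonstration.
"""
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

# Win32 attribute bits as exposed by os.stat().st_file_attributes on Windows
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# The six files rpggamergirl asked about
SUSPECT_PATHS = [
    r"c:\windows\system\ws32ntfl.dat",
    r"c:\windows\system32\12C4917A3C.sys",
    r"c:\windows\system32\CdI5T.drv",
    r"c:\windows\system32\flfnlf.sys",
    r"c:\windows\system32\rlfnlf.sys",
    r"c:\windows\system32\TMailRL.sys",
]


def file_hashes(path, chunk_size=1 << 20):
    """MD5/SHA-1/SHA-256 of a file, read in chunks so large files are fine."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(block)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def inspect_path(path):
    """Describe one path. A missing file is reported rather than raised,
    because 'the file is not there' is itself useful information here."""
    try:
        st = os.lstat(path)          # lstat: do not follow a symlink/junction
    except (FileNotFoundError, NotADirectoryError):
        return {"path": path, "exists": False}
    attrs = getattr(st, "st_file_attributes", 0)   # Windows only; 0 elsewhere
    info = {
        "path": path,
        "exists": True,
        "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
        "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
        "size": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
    }
    if stat.S_ISREG(st.st_mode):
        try:
            info.update(file_hashes(path))
        except PermissionError as exc:    # locked or protected file
            info["hash_error"] = str(exc)
    return info


def inspect_paths(paths):
    """Inspect every path in order and return one dict per path."""
    return [inspect_path(p) for p in paths]


def sample_report():
    """Run the inspection on a constructed sample: one small file that exists
    and one path that does not (mirrors the 'cannot find the files' case)."""
    workdir = tempfile.mkdtemp(prefix="suspect-")
    present = os.path.join(workdir, "sample.dat")
    with open(present, "wb") as fh:
        fh.write(b"hello")           # constructed content with well-known hashes
    missing = os.path.join(workdir, "not-there.sys")
    return inspect_paths([present, missing])


if __name__ == "__main__":
    for entry in inspect_paths(SUSPECT_PATHS):
        print(entry)
```

Run it as Administrator on the affected machine so protected files can be opened; a path that reports `exists: False` under an elevated prompt with hidden files visible is a different situation from one that is merely hidden, which is exactly the distinction the thread is trying to make.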
mikeabc27 (Author) Commented:
No problem - thanks for the update.
The machine is slow locally, but I logged on remotely and that is really slow, although the CPU is only running between 0% and 4% without any apps running, which is strange as I thought something nasty was grabbing the CPU.
I checked in Explorer and it is set to "show hidden files." I was going to run the CF changes remotely but it was impossibly slow - so going to clients tomorrow afternoon (UK time). Do you think the CFscript.txt changes fix the problem and do we need to do anything after this?
Thanks,
Mike  
0
rpggamergirl Commented:
>>>Do you think the CFscript.txt changes fix the problem?<<<
The script above with the "FileLook" directive will not delete those files; the script tells ComboFix to look at/get the info on those files.

If you want combofix to delete those files then the script would be like below:
File::
c:\windows\system\ws32ntfl.dat
c:\windows\system32\12C4917A3C.sys
c:\windows\system32\CdI5T.drv
c:\windows\system32\flfnlf.sys
c:\windows\system32\rlfnlf.sys
c:\windows\system32\TMailRL.sys


While you're there, maybe also do an online scan with Kaspersky and see if it finds anything.
0
mikeabc27 (Author) Commented:
Thanks - I've noticed that if Mbam takes a long time on a PC, it's the same time with Kaspersky Online and the Mbam scan took 5 hours on this PC, so not something I would choose to do unless you feel it's really necessary.
Should I run CF with FileLook script, then run the files through virusscan/jotti, then let Kaspersky run over the weekend?
What if the FileLook fails to allow us to see the files? Should I run the File:: script, or could I risk deleting a required file?
Thanks,
Mike
 
 
 
 
0
rpggamergirl Commented:

I just realized ComboFix may not give us info on those files; if so, try and check the properties manually.

You can have those files renamed or let combofix delete them, we can always restore them if something breaks after you delete them, as long as combofix is still in the system.
Once you uninstall combofix there's no way of getting back the files that it deleted.
C:\Qoobox\Quarantine <-- backups of deleted files are stored there.
Kaspersky is also a good idea, also check for rootkits.

Download the GUI version of BlackLight and save it to your desktop.
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
Double-click blbeta.exe, accept the agreement, click scan > next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.


Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
In order to minimize the RKR log being polluted with legitimate data, run RootkitRevealer on an idle system.
Download GMER Rootkit Scanner. Unzip it to your Desktop.
http://www.gmer.net/gmer.zip 
0
mikeabc27 (Author) Commented:
Sorry for the delay, all tests just finished doing remotely.
Kaspersky online scan done and appears ok.
F-Secure Blacklight runs from fsbl.exe, I assume this has now replaced blbeta.exe. Log attached.
I ran RKR several times and it found a few items, but crashed on trying to produce a report. 0k report attached anyway.
Gmer scan done and log attached.
Thanks for your help.
Mike
 
 
 

kaspersky.txt
fsbl-20081115161936.log
RootkitReveal.txt
gmer.log
0
rpggamergirl Commented:
I don't know why RKR couldn't produce a logfile.
Kaspersky, BlackLight, and GMER logs didn't show anything suspicious.
How did the CFScript run on those files? Did he rename them or delete them?

0
mikeabc27 (Author) Commented:
Sorry, put CF to one side and forgot about it. Done now and attached with the FileLook script.
Thanks.

ComboFix-with-CFScript.txt
0
rpggamergirl Commented:

Sorry, ComboFix couldn't give us info on those files; apparently it only does it for PE files.

You may remove the services/drivers below, whose files ComboFix couldn't find, as it's not a good idea to leave redundant services: malware/trojan downloaders may use them for their own purposes.

Driver::
SCSIChanger  <-- non-existent file it seems, as well as the 3 below.
BWTD
TNSXWNWHZ
VYHZG
0
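The reasoning in the reply above (a service or driver entry whose image file is gone is a dangling registration that something else could later fill in) can be checked systematically rather than by eyeballing a log. The script below is an added example, not the thread's own code nor anything from ComboFix or HijackThis: it resolves the various forms an `ImagePath` value takes (`\??\`, `\SystemRoot\`, bare `system32\...`, quoted paths with arguments) and reports every entry whose file does not exist. The service names in `SAMPLE_SERVICES` are the four from the thread plus two well-known Windows entries for contrast; their paths are constructed placeholders except scsichng.sys, which the asker mentions. On Windows, `registry_services()` reads the real list with the standard `winreg` module; elsewhere only the constructed sample runs.

```python
"""Flag services/drivers whose ImagePath points at a file that no longer exists.

Added example, not the thread's own code nor ComboFix's. Service names in
SAMPLE_SERVICES come from the thread; their paths are constructed
placeholders (scsichng.sys is the one name the asker gives).
"""
import ntpath
import os

try:
    import winreg            # Windows only
except ImportError:
    winreg = None

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


def normalize_image_path(image_path, system_root=r"C:\Windows"):
    """Turn the forms found in ImagePath into one plain absolute path."""
    p = os.path.expandvars(image_path.strip())   # %SystemRoot% in REG_EXPAND_SZ
    if p.startswith('"'):                        # "C:\dir with spaces\svc.exe" -args
        p = p[1:].split('"', 1)[0]
    elif p:
        p = p.split()[0]                         # drop "-k netsvcs" style arguments
    for prefix in ("\\??\\", "\\\\?\\"):         # NT object-manager prefixes
        if p.startswith(prefix):
            p = p[len(prefix):]
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = ntpath.join(system_root, p[len("\\systemroot\\"):])
    elif low.startswith("system32\\"):
        p = ntpath.join(system_root, p)
    elif not ntpath.splitdrive(p)[0]:            # any other relative path
        p = ntpath.join(system_root, p)
    return p


def orphaned_services(services, exists=os.path.exists, system_root=r"C:\Windows"):
    """Return (name, resolved_path) for every entry whose image file is missing.
    `exists` is injectable so the check can run against a recorded file list."""
    missing = []
    for name, image in sorted(services.items()):
        resolved = normalize_image_path(image, system_root)
        if not exists(resolved):
            missing.append((name, resolved))
    return missing


def registry_services():
    """Read name -> ImagePath from the live registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break                            # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    result[name] = winreg.QueryValueEx(sub, "ImagePath")[0]
            except OSError:
                pass                             # entry has no ImagePath
    return result


# Constructed sample: the thread's names with placeholder paths, plus two
# ordinary Windows entries whose files "exist" in the sample environment.
SAMPLE_SERVICES = {
    "SCSIChanger": r"system32\DRIVERS\scsichng.sys",
    "BWTD": r"\??\C:\Windows\system32\drivers\BWTD.sys",
    "TNSXWNWHZ": r"\SystemRoot\system32\drivers\TNSXWNWHZ.sys",
    "VYHZG": r"system32\drivers\VYHZG.sys",
    "Tcpip": r"system32\DRIVERS\tcpip.sys",
    "wuauserv": r'"C:\Windows\system32\svchost.exe" -k netsvcs',
}
SAMPLE_PRESENT = {
    r"C:\Windows\system32\DRIVERS\tcpip.sys".lower(),
    r"C:\Windows\system32\svchost.exe".lower(),
}


def sample_check():
    """Names of sample entries whose file is absent (constructed data)."""
    present = lambda p: p.lower() in SAMPLE_PRESENT
    return [name for name, _ in orphaned_services(SAMPLE_SERVICES, exists=present)]


if __name__ == "__main__":
    source = registry_services() if winreg else SAMPLE_SERVICES
    for name, path in orphaned_services(source):
        print(f"{name}: image file not found -> {path}")
```

An entry on the list is a candidate for review, not automatically malicious: a legitimate driver whose uninstaller left its registry key behind shows up the same way, which is why the thread still confirms each name against the HijackThis "file missing" marker before removing it.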
mikeabc27 (Author) Commented:
I used Fix Checked in HijackThis to remove:
BWTD
TNSXWNWHZ
VYHZG
These all showed file missing.
Didn't see a reference to the SCSIChanger (scsichng.sys) in HijackThis and I couldn't see it in the system32\drivers folder.
0
mikeabc27 (Author) Commented:
Sorry, forgot to attach HJT log after deletions.
hijackthis.log
0
mikeabc27 (Author) Commented:
Does the HijackThis log look ok now?
0
rpggamergirl Commented:
Yes, the HijackThis log looks clean!
0
mikeabc27 (Author) Commented:
Many thanks
0
rpggamergirl Commented:
To uninstall ComboFix:
Go to Start > Run and copy and paste the following command into the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore and a new restore point will be created.


Thanks for the points and the grade!
0
mikeabc27 (Author) Commented:
Thanks for the reminder.
0