Solved

Help please analysing HiJack This and Combifix logs

Posted on 2008-11-06
Last Modified: 2013-12-09
Someone opened an email joke attachment that appeared to come from a trusted source, but one click and all sorts of spyware programs started running. He immediately disconnected the PC ethernet cable and replaced the registry with a clean copy, and did a full scan with Symantec.

Mbam says everything is ok, but could someone please check the other 2 logs for any remaining infections?

Thanks,

Mike
ComboFix-log.txt
hijackthis.log
mbam-log-2008-11-05--16-18-38-.txt
Question by:mikeabc27
19 Comments
 

Expert Comment

by:rpggamergirl
ID: 22903624
Can you have him check the properties of these files and see what they say; also submit them at http://virusscan.jotti.org/ for a virus check.

c:\windows\system\ws32ntfl.dat
c:\windows\system32\12C4917A3C.sys
c:\windows\system32\CdI5T.drv
c:\windows\system32\flfnlf.sys
c:\windows\system32\rlfnlf.sys
c:\windows\system32\TMailRL.sys


Also an online scan with kaspersky is a good idea as it's a thorough scanner.
http://www.kaspersky.com/virusscanner

 
He can also fix these entries in Hijackthis:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.eversoft.co.kr/vmpinstaller/installer/components/MTSInstallers/MetaStream3.cab?url=http://www.samsung.com/uk/products/printsolutions/multifunctionproducts/web3d/scx_4521fxeu/page_scx_4521f.html
O16 - DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} (pmjpegcam Class) - http://80.176.233.112/JpegInst.cab

Author Comment

by:mikeabc27
ID: 22911614
Thanks, he was off yesterday, so doing on Monday.

Author Comment

by:mikeabc27
ID: 22923850
> rpggamergirl - I got this email this morning:

Hi Mike,
 
I have run Hijackthis again but only one key was listed so I have deleted that.
 
I ran Virusscan.jotti but none of the files listed appear to be within my Windows folder?
 
Any suggestions?
 
Cheers
 
Tony

I checked the ComboFix log and see that all 6 files you mention are in the "Find 3M Report." Should he be able to find them?

Expert Comment

by:rpggamergirl
ID: 22938489

Hi Mike,

Sorry for the delay in my reply.
Those files are hidden, so he would need to show hidden files and folders first, and find them via explorer.

If he uses Search Companion, he would need to reconfigure the "Search" function to search for hidden files; by default it does not, even if Explorer is already showing hidden files.
Start > Search >
Click "all files and folders" then scroll down
and click "more advanced options"
put a check next to "hidden files and folders"
scroll up, type the file and click Search.

 
Run combofix again using this script and we'll see if it can tell us something.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
FileLook::
c:\windows\system\ws32ntfl.dat
c:\windows\system32\12C4917A3C.sys
c:\windows\system32\CdI5T.drv
c:\windows\system32\flfnlf.sys
c:\windows\system32\rlfnlf.sys
c:\windows\system32\TMailRL.sys
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

 

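As an added example, not part of the original thread: a small Python triage script for the step rpggamergirl asks for above, checking the properties of the six listed files before they go to an online scanner. For each path it reports presence, the Hidden/System attribute bits (the reason Explorer and Search Companion must be set to show hidden files), whether the file starts with the "MZ" header of a PE image, and its SHA-256 for a multi-engine lookup; the path list is copied from the thread, the attribute constants are the standard Win32 values, and on non-Windows systems those bits simply read as unset.

```python
import hashlib
import os

# Paths named in the thread; edit the list for another machine.
SUSPECT_FILES = [
    r"c:\windows\system\ws32ntfl.dat",
    r"c:\windows\system32\12C4917A3C.sys",
    r"c:\windows\system32\CdI5T.drv",
    r"c:\windows\system32\flfnlf.sys",
    r"c:\windows\system32\rlfnlf.sys",
    r"c:\windows\system32\TMailRL.sys",
]

# Win32 attribute bits; os.stat exposes them as st_file_attributes on Windows only.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def inspect_file(path):
    """Describe one path: presence, Hidden/System bits, size, PE header, SHA-256."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "present": False}
    attrs = getattr(st, "st_file_attributes", 0)   # 0 on non-Windows systems
    info = {
        "path": path,
        "present": True,
        "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
        "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
        "size": st.st_size,
    }
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        head = fh.read(2)                          # PE images (exe/dll/sys) start with "MZ"
        digest.update(head)
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    info["is_pe"] = head == b"MZ"
    info["sha256"] = digest.hexdigest()
    return info


if __name__ == "__main__":
    for r in map(inspect_file, SUSPECT_FILES):
        print(r)
```

A file that is present but not a PE image is exactly the case where a "FileLook" style tool has nothing to report, so the hash and attribute bits are what you submit instead.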
Author Comment

by:mikeabc27
ID: 22947721
No problem - thanks for the update.
The machine is slow locally, but I logged on remotely and that is really slow, although the CPU is only running between 0% and 4% without any apps running, which is strange as I thought something nasty was grabbing the CPU.
I checked in Explorer and it is set to "show hidden files." I was going to run the CF changes remotely but it was impossibly slow - so going to clients tomorrow afternoon (UK time). Do you think the CFscript.txt changes fix the problem and do we need to do anything after this?
Thanks,
Mike  

Expert Comment

by:rpggamergirl
ID: 22949680
> Do you think the CFscript.txt changes fix the problem?

The script above with the "FileLook" directive will not delete those files; it tells ComboFix to look at and get the info on those files.

If you want combofix to delete those files then the script would be like below:
File::
c:\windows\system\ws32ntfl.dat
c:\windows\system32\12C4917A3C.sys
c:\windows\system32\CdI5T.drv
c:\windows\system32\flfnlf.sys
c:\windows\system32\rlfnlf.sys
c:\windows\system32\TMailRL.sys


While you're there, maybe also do an online scan with Kaspersky and see if it finds anything.

Author Comment

by:mikeabc27
ID: 22951296
Thanks - I've noticed that if Mbam takes a long time on a PC, it's the same time with Kaspersky Online and the Mbam scan took 5 hours on this PC, so not something I would choose to do unless you feel it's really necessary.
Should I run CF with FileLook script, then run the files through virusscan/jotti, then let Kaspersky run over the weekend?
What if the FileLook fails to allow us to see the files, should I run the File :: script or could I risk deleting a required file?
Thanks,
Mike

Expert Comment

by:rpggamergirl
ID: 22955428

I just realized ComboFix may not give us info on those files; if so, try and check the properties manually.

You can have those files renamed or let ComboFix delete them; we can always restore them if something breaks after you delete them, as long as ComboFix is still on the system.
Once you uninstall ComboFix there's no way of getting back the files that it deleted.
C:\Qoobox\Quarantine <-- this is where backups of deleted files are stored.
Kaspersky is also a good idea, also check for rootkits.

Download the GUI version of BlackLight and save it to your desktop.
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
Doubleclick blbeta.exe, accept the agreement, click scan > next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.


Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
To minimise the RKR log being polluted with legitimate data, run RootkitRevealer on an idle system.
Download GMER Rootkit Scanner. Unzip it to your Desktop.
http://www.gmer.net/gmer.zip 

Author Comment

by:mikeabc27
ID: 22970101
Sorry for delay, all tests just finished doing remotely.
Kaspersky online scan done and appears ok.
F-Secure Blacklight runs from fsbl.exe, I assume this has now replaced blbeta.exe. Log attached.
I ran RKR several times and it found a few items, but crashed on trying to produce a report. 0k report attached anyway.
Gmer scan done and log attached.
Thanks for your help.
Mike

kaspersky.txt
fsbl-20081115161936.log
RootkitReveal.txt
gmer.log

Expert Comment

by:rpggamergirl
ID: 22975004
I don't know why RKR couldn't produce a logfile.
Kaspersky, BlackLight, and GMER logs didn't show anything suspicious.
How did the CFScript run on those files? Did he rename them or delete them?


Author Comment

by:mikeabc27
ID: 22976079
Sorry, put CF to one side and forgot about it. Done now and attached with the FileLook script.
Thanks.

ComboFix-with-CFScript.txt

Accepted Solution

by: rpggamergirl (earned 2000 total points)
ID: 22980827

Sorry, Combofix couldn't give us info on those files, apparently it only does it for PE files.

The services/drivers below, whose files ComboFix couldn't find, you may remove, as it's not a good idea to leave redundant services: a malware/trojan downloader may use them for its own purposes.

Driver::
SCSIChanger  <-- non existent file it seems, as well as the 3 below.
BWTD
TNSXWNWHZ
VYHZG

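As an added example, not part of the original thread: a Python check for the condition in the accepted solution above, services and drivers whose registered binary no longer exists on disk (what HijackThis reports as "file missing"). It resolves the ImagePath forms found under HKLM\SYSTEM\CurrentControlSet\Services to a plain path and lists the entries whose file is absent; the C:\Windows default is an assumed system root, and the live registry reader only works on Windows.

```python
import os

DEFAULT_SYSTEMROOT = r"C:\Windows"   # assumed default; the live path comes from %SystemRoot%


def resolve_image_path(image_path, systemroot=DEFAULT_SYSTEMROOT):
    r"""Reduce an ImagePath value (\SystemRoot\..., %SystemRoot%\..., \??\C:\...,
    a quoted path plus arguments, or a bare relative path) to the binary's path."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]            # "C:\Program Files\x.exe" -k args
    else:
        p = p.split(" ", 1)[0]                # C:\x.exe -k args
    if p.startswith("\\??\\"):
        p = p[4:]                             # strip the NT object-path prefix
    low = p.lower()
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if low.startswith(prefix):
            p = systemroot + "\\" + p[len(prefix):]
            break
    if not (len(p) > 2 and p[1] == ":"):      # no drive letter: relative to the system root
        p = systemroot + "\\" + p
    return p


def orphaned_services(services, exists=os.path.exists, systemroot=DEFAULT_SYSTEMROOT):
    """services: {name: ImagePath}. Return (name, resolved_path) for entries whose file is missing."""
    missing = []
    for name, image in services.items():
        if image:                             # entries with no ImagePath value are skipped
            path = resolve_image_path(image, systemroot)
            if not exists(path):
                missing.append((name, path))
    return missing


def services_from_registry():
    """Collect {name: ImagePath} from the live registry (Windows only)."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as sub:
                    result[name] = winreg.QueryValueEx(sub, "ImagePath")[0]
            except OSError:                   # service has no ImagePath value
                result[name] = ""
    return result


if __name__ == "__main__":
    for name, path in orphaned_services(services_from_registry(),
                                        systemroot=os.environ.get("SystemRoot", DEFAULT_SYSTEMROOT)):
        print(f"{name}: file missing -> {path}")
```

Services listed here are candidates for review, not automatic deletion: confirm each against the HijackThis O23 entries before removing it.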
Author Comment

by:mikeabc27
ID: 22982703
I used Fix Checked in HiJack this to remove:
BWTD
TNSXWNWHZ
VYHZG
These all showed file missing.
Didn't see a reference to the SCSIChanger (scsichng.sys) in HiJack This and I couldn't see it in system32/drivers folder.

Author Comment

by:mikeabc27
ID: 22982798
Sorry, forgot to attach HJT log after deletions.
hijackthis.log

Author Comment

by:mikeabc27
ID: 23001801
Does the HiJack This log look ok now?

Expert Comment

by:rpggamergirl
ID: 23002616
Yes, the Hijackthis log looks clean!

Author Closing Comment

by:mikeabc27
ID: 31514159
Many thanks

Expert Comment

by:rpggamergirl
ID: 23002673
To uninstall Combofix:
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore and a new restore point will be created.


Thanks for the points and the grade!

Author Comment

by:mikeabc27
ID: 23002736
Thanks for the reminder.