Can someone analyze my Combofix log for analysis?

Mezzo4Ever
I have followed this thread and used JeremySBrown's solution of using Combofix for my PC's infection. I can now get back onto Explorer, but all is not perfect. I've attached my Combofix log for analysis if anyone is willing to take a look at it. Thanks so much for this help! (FYI: I am on a PC with Windows XP Professional.)

Commented:
Sure can, but I think you forgot to attach the log ;)

Author

Commented:
Sorry! Here it is.

Thank you for the help!
Combofixlogv2.txt
Can you do quick scan(s) with SuperAntiSpyware and MalwareBytes Anti-Malware which you already have installed on the PC and see if it finds anything to clean?

Do that and report back with findings.

Author

Commented:
Okay. I will later today and will report back. FYI: I did scans with CCleaner and with Super AntiSpyware before I ran Combofix.

Author

Commented:
I ran MalwareBytes and Super AntiSpyware. The logs are attached. Thanks for looking at them all.
SUPERAntiSpyware-Scan-Log---02-0.log
mbam-log-2010-02-02--17-53-31-.txt
mbam-log-2010-02-02--17-53-43-.txt
Thanks for sending the logs. What kind of problems did you see on this PC? I also suggest not to do any online banking or any kind of shopping on this PC until it's completely cleaned.

This PC had BackDoor.bot which means it was probably accessed or used by hackers.

Please upload the following on www.virustotal.com for a scan:

c:\windows\system32\drivers\qtij.sys
c:\docume~1\Austin\LOCALS~1\Temp\pnicml.sys
C:\CTX.DAT
Can you also do a Kaspersky scan online? It's located here:

http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

This scan will create a report that you can 'save as' and upload here. This scan will not remove anything, but it's very thorough and should let us know of any possible threats that are still left inside the PC.

Author

Commented:
I did not find the qtij.sys or pnicml.sys files. The C:/CTX.DAT was found, so I ran a scan on that file. I also ran the Kaspersky scan. I've attached both reports. Thank you for your help!
KaspReport.txt
VirusTotal-Log.doc

Author

Commented:
OK. I deleted the infected file Kaspersky found. The other files are all gone. I am starting an ESET online scan in a moment to check to make sure we got it all.

I'll let you know tomorrow!

Thanks!
OK, sounds good!

Author

Commented:
I have run eSet and Combofix again. Attached are the logs. Can you read them for me?
ESet-Log.txt

Author

Commented:
Here is the combofix log.
Combofixlog-2-4-10.txt
Those files that I suggested before to upload to www.virustotal.com are still in there. I think a Live CD scan might be really good in this situation. It seems that these files are part of a rootkit, which has hidden itself from explorer, but from a Live CD, these files won't be hidden.

Download the ISO from here:

http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

Burn the iso file as an image on a blank CD and boot your computer from it. Connect this computer to an ethernet/LAN connection (wired connection) to update the definitions and then run the scan. Let it finish and it should give a list of all infections and remove them as well.

It could take some time, but it should be very effective.
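The Live CD reasoning in this post (a rootkit can filter what the running Windows install shows in Explorer, but cannot filter a view of the same volume read from a Live CD) is the basis of cross-view detection. The script below is an added example, not from this thread or from any of the tools named in it: it compares a sha256sum-style listing taken from inside Windows with one taken from a Live CD mount and reports paths that are hidden from the live view or whose hashes differ. The mount point /mnt/win standing for the C: volume, the digests, and the example.dll path are all constructed assumptions; the qtij.sys and CTX.DAT paths are the ones named earlier in the thread.

```python
import hashlib
import posixpath

def _digest(label: str) -> str:
    # Constructed stand-in for a real sha256sum value, derived from a label.
    return hashlib.sha256(label.encode()).hexdigest()

def normalize(path: str, mount_prefix: str = "") -> str:
    """Map a path from either view to one common form: strip the Live CD
    mount prefix (assumed to hold the C: volume), use forward slashes and
    lower-case, since NTFS names are case-insensitive."""
    p = path.replace("\\", "/")
    if mount_prefix and p.lower().startswith(mount_prefix.lower()):
        p = "c:" + p[len(mount_prefix):]
    return posixpath.normpath(p).lower()

def parse_listing(text: str, mount_prefix: str = "") -> dict:
    """Each line is '<sha256>  <path>' (sha256sum output). Returns {path: hash}."""
    out = {}
    for line in text.strip().splitlines():
        digest, _, path = line.strip().partition("  ")
        out[normalize(path, mount_prefix)] = digest.lower()
    return out

def cross_view_diff(live: dict, offline: dict) -> dict:
    """Paths seen offline but not from the running OS are hidden-file
    candidates; paths seen in both with different hashes were swapped."""
    hidden = sorted(set(offline) - set(live))
    mismatched = sorted(p for p in live if p in offline and live[p] != offline[p])
    return {"hidden": hidden, "mismatched": mismatched}

# Constructed listings: the first taken from inside Windows, the second from a
# Live CD with the Windows volume mounted at /mnt/win (both are assumptions).
LIVE_LISTING = f"""
{_digest('atapi')}  C:\\WINDOWS\\system32\\drivers\\atapi.sys
{_digest('example-clean')}  C:\\WINDOWS\\system32\\example.dll
"""
OFFLINE_LISTING = f"""
{_digest('atapi')}  /mnt/win/WINDOWS/system32/drivers/atapi.sys
{_digest('example-swapped')}  /mnt/win/WINDOWS/system32/example.dll
{_digest('qtij')}  /mnt/win/WINDOWS/system32/drivers/qtij.sys
{_digest('ctx')}  /mnt/win/CTX.DAT
"""

def demo() -> dict:
    live = parse_listing(LIVE_LISTING)
    offline = parse_listing(OFFLINE_LISTING, mount_prefix="/mnt/win")
    return cross_view_diff(live, offline)

if __name__ == "__main__":
    print(demo())
```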

Author

Commented:
Okay. I've burned the ISO to a CD. How do I boot my computer from the CD drive? This computer is not working wirelessly, so I am using an ethernet connection, right?

Author

Commented:
I was able to figure out how to boot my computer from the CD. Kaspersky didn't seem to find anything. The scan took less than 30 seconds. I clicked around the menus but couldn't see if I'd done something wrong. It told me to update it which I did.
Sorry for my late reply, I am based in the UK, so it's daytime now :-).

Hmm.. that's strange. Can you try to scan without updating the definitions this time? Let's see if it works this time. 30 seconds is not the time that I would have expected for a full scan lol.

Author

Commented:
I'll try again. In the meantime, I ran another malwarebytes scan. It found 2 trojans. I've attached the log.
mbam-log-2010-02-05--07-39-25-.txt

Author

Commented:
I just ran the ISO again and the same thing happened. I chose to scan C: and it ran for only seconds. "Fix It Now" was highlighted in red so I clicked it. I got the message that the "Databases are obsolete. Update now." I went ahead and clicked that button. The Status tab said "No threats detected. Databases release date 2/5/10 12:30pm." I went back and selected to scan C: and diskboot sectors. Nothing. When I get home from work (I'm in the US), I'll rerun Combofix to see if those files are by chance now gone. Anything else you can recommend? I wonder if I'm not running Kaspersky correctly somehow.
Try to not update the Kaspersky definitions this time and ignore the 'databases are obsolete' message and run the scanner anyway. See if it works then.

Author

Commented:
Hi Warturtle. I did run the Kaspersky scan before I got the 'databases are obsolete' message. I don't see anything that tells me it is updating definitions so I don't know how to keep this from happening. When I booted from the CD this morning, it launched right into the scanner window and I clicked the green scan button at the lower right. My PC is not wireless, so I'm running through an ethernet connection like you recommended, correct?
Yes, you are running through ethernet / LAN, if it's a wired connection (could be USB as well, if it's wired though). But you are doing the things correctly. Is it still doing the scan for 30 seconds or so and then quitting?

The internet connection was required only to update its definitions. Otherwise this CD can run without internet as a standalone tool.
Are you selecting all hard drives for scanning? or only C drive or D drive? You should select all drives for scanning.

Author

Commented:
It gives me the option of "diskboot sectors," C:, and D:. I'll select them all and rerun.
Yes, that's perfect!!

Author

Commented:
Hi warturtle. Sorry I haven't responded. No Internet service due to 30" of snow. Power has been out. Kaspersky scan successful. Took 7 hours. Can't attach the log until Internet is back up. Deleted "hoax.win32.renos.kd," "Trojan.win32.fraudpack.akps," "Trojan-downloaded.win32.fraudload.wxvk." What next?
Wow, that is a lot of snow. I am glad it stopped snowing some days ago in the UK :-).

Run ComboFix one more time, this will allow us to see if there is anything else left in there.

Author

Commented:
Ok. Will do when we have Internet connection.

Author

Commented:
Here is my Kaspersky scan log. I will run Combofix again later tonight. Finally have internet again!! Yay! But we're expecting another 20" of snow tomorrow. Hope our cable company can hold it together.
Kaspscanlog.txt

Author

Commented:
I just ran Combofix one last time (I hope!). Attached is the log. Please tell me it's clean!
Combofixlog2-8-10.txt
Hello,

I had a look at the logs, it seems that there are still infections hanging around. Is it convenient for you to do a Windows re-install?

Author

Commented:
Well, if that's what's needed, I'll have to do it. Just now, logging onto experts-exchange.com, I got another ransomware!!! Popups holding me hostage all over the place. It's added a silver shield in my system tray and won't let me close any of the windows. I'm going to reboot now and start to cry. Should I run combofix right away?

Author

Commented:
I thought running Combofix would be prudent with all these pop-ups, but when I went into Start, Run, cmd, the computer gave me a message that the application is infected and can't run. *#&#*$&%&!!!!! Now I have a popup that says cvchost.exe has encountered a problem. I'm shutting down.
Top Expert 2009
Commented:
Try this if you want:
Restart machine and download these, if you don't already have them.
If you can't download them in Normal mode, restart machine and keep tapping "F8" at machine power on to select "safe mode with networking", to download them

>>Run these in Normal mode

1-Run Process Explorer.
Look for that "shield" icon and right click and suspend it
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

2-Run FixPolicies
It will install into its own folder and run Fix_policies
http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe

3-Run HitmanPro
It should repair the rogue proxy entry and hopefully detect other "baddies"
http://www.surfright.nl/en/hitmanpro

4-Malwarebytes-Select "update" tab and update database
Run quick scan

5-Delete Combofix download and download new version
Run again

Author

Commented:
I downloaded Process Explorer, but the virus won't let me run any executables. It tells me the application is infected. Is there a way to rename it so the ransomware won't recognize it?
Top Expert 2009
Commented:
Boot into safe mode with networking and run these

1-Run Disk cleanup and Atf cleaner to clear temp files http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25

2-Run Exehelper http://raktor.net/exeHelper/exeHelper.com

Reboot into normal mode and try the other steps.

Author

Commented:
Thank you all so much. Unfortunately, the rogue won. I'm having my drive wiped clean. When I get it back, I will award full points. I appreciate the education!
I see, sorry for not being able to help. I could see that we could have spent longer removing the infection, but because it seemed to be getting re-infected after every removal as well, I asked you about a re-install. Sometimes the last option is the best option!

Author

Commented:
Warturtle was EXCELLENT! I learned so much. Optoma came in at the end to give really excellent help as well. I highly recommend both these folks. Rootkits are tricky and they both are very knowledgeable.
Top Expert 2009

Commented:
:)
