Author Topic: ComboFix and HijackThis log  (Read 24496 times)

mauserme

  • Guest
Re: ComboFix and HijackThis log
« Reply #15 on: August 12, 2007, 03:15:36 PM »
Quote
Did this happen after you plugged in your flash drive?
Of course, as I describe at the very top ...

Ok.

But I saw that you have a VPN and wanted to make sure that wasn't the source of reinfection.  Or a downloader.

For now you should turn off autoplay on your external drives, then post the logs.  We should be able to get this cleared up.

jrudesh

  • Guest
Re: ComboFix and HijackThis log
« Reply #16 on: August 12, 2007, 03:56:44 PM »
I did a norton online scan.

Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.

C:\_OTMoveIt\MovedFiles\WINDOWS\system32\scvhost.exe is infected with W32.Imaut.AA
C:\virus\fduqd.exe is infected with Downloader
I have no idea about how these came here. But I can identify they were in my flash.
C:\virus\scvhost.VI0 is infected with W32.Imaut.AA 
C:\virus\scvhost.VI1 is infected with W32.Imaut.AA 
C:\virus\scvvhost.exe~ is infected with Spyware.Perfect 
C:\virus\Skin.VI0 is infected with W32.Imaut.AA 
C:\virus\scvhost.exe is infected with W32.Imaut.AA 
C:\virus\1.exe is infected with W32.Imaut.AA 
C:\virus\untitled folder.exe is infected with W32.Imaut.AA 
C:\virus\Prabhashwari.exe is infected with W32.Imaut.AA 
C:\virus\BackBoard.exe is infected with W32.Imaut.AA 
C:\virus\2.exe is infected with W32.Imaut.AA 
C:\virus\images.exe is infected with W32.Imaut.AA 
C:\virus\akka.exe is infected with W32.Imaut.AA 
C:\virus\Model.exe is infected with W32.Imaut.AA 
C:\virus\fonts.exe is infected with W32.Imaut.AA 
C:\virus\hand written.exe is infected with W32.Imaut.AA 
C:\virus\Tower Hall.exe is infected with W32.Imaut.AA 
C:\virus\Prabhashvari 2007.exe is infected with W32.Imaut.AA 
C:\virus\Prabhashvari 01.exe is infected with W32.Imaut.AA 
C:\virus\Prabhashvari 03.exe is infected with W32.Imaut.AA 
C:\virus\Prabhashvari 02.exe is infected with W32.Imaut.AA 
C:\virus\Advertisements.exe is infected with W32.Imaut.AA 
C:\virus\Code.exe is infected with W32.Imaut.AA 
C:\virus\VCD_Centre_v1.2.exe is infected with W32.Imaut.AA 
C:\virus\VCD Center v 1.2_source.exe is infected with W32.Imaut.AA 
C:\virus\Data.exe is infected with W32.Imaut.AA 
C:\virus\Images.VI0 is infected with W32.Imaut.AA 
C:\virus\Back.exe is infected with W32.Imaut.AA 
C:\virus\Customer.exe is infected with W32.Imaut.AA 
C:\virus\VCD Center v 1.2.exe is infected with W32.Imaut.AA 
C:\virus\Images.VI1 is infected with W32.Imaut.AA 
C:\virus\Training.exe is infected with W32.Imaut.AA 
C:\virus\Ministry of Petroleum and Petroleum Resources Development - Sri Lanka_files.exe is infected with W32.Imaut.AA 
C:\virus\fire wood.exe is infected with W32.Imaut.AA 
C:\virus\chapter4_files.exe is infected with W32.Imaut.AA 
C:\virus\Review of literature on residential firewood use, wood-smoke and air toxics - International Literature_files.exe is infected with W32.Imaut.AA 
C:\virus\Membrane.exe is infected with W32.Imaut.AA 
C:\virus\JTYUE%123GGJGS.exe is infected with W32.Imaut.AA 
C:\virus\Folder Settings.exe is infected with W32.Imaut.AA 
C:\WINDOWS\hinhem.scr is infected with W32.Imaut.AA 
C:\WINDOWS\system32\blastclnnn.exe is infected with W32.Imaut.AA 
C:\WINDOWS\system32\isass.dll is infected with W32.SillyFDC 
C:\WINDOWS\system32\scvvhost.exe~ is infected with Spyware.Perfect 

jrudesh

  • Guest
Re: ComboFix and HijackThis log
« Reply #17 on: August 12, 2007, 04:02:22 PM »
WinPFind3.txt attached.

mauserme

  • Guest
Re: ComboFix and HijackThis log
« Reply #18 on: August 12, 2007, 04:09:07 PM »
Give me some time with the log ...

mauserme

  • Guest
Re: ComboFix and HijackThis log
« Reply #19 on: August 12, 2007, 05:14:55 PM »
Sorry to take so long - it looks like you reinstalled the OS on 27 June and, with a 60-day log, there are quite a few files to look at.  Your worm installed on 28 June, with Vundo appearing more recently.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Files/Folders - Created Within 60 days]
NY -> hinhem.scr -> %SystemRoot%\hinhem.scr
NY -> ffhkj.ini -> %System32%\ffhkj.ini
NY -> blastclnnn.exe -> %System32%\blastclnnn.exe
NY -> isass.dll -> %System32%\isass.dll
NY -> ffhkj.tmp -> %System32%\ffhkj.tmp
NY -> ffhkj.ini2 -> %System32%\ffhkj.ini2
NY -> ffhkj.bak1 -> %System32%\ffhkj.bak1
[Files/Folders - Modified Within 60 days]
NY -> srchasst -> %SystemRoot%\srchasst
NY -> hinhem.scr -> %SystemRoot%\hinhem.scr
NY -> ffhkj.ini -> %System32%\ffhkj.ini
NY -> isass.dll -> %System32%\isass.dll
NY -> ffhkj.tmp -> %System32%\ffhkj.tmp
NY -> ffhkj.ini2 -> %System32%\ffhkj.ini2
NY -> ffhkj.bak1 -> %System32%\ffhkj.bak1



The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.  It's OK if some of the files are not found.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.


Now, if Combofix will run, do that and post its log.

Then, whether or not ComboFix ran successfully, post a new WinPFind3U log, but this time change the options to 30 days rather than 60 days.

jrudesh

  • Guest
Re: ComboFix and HijackThis log
« Reply #20 on: August 12, 2007, 08:08:49 PM »
[Files/Folders - Created Within 60 days]
C:\WINDOWS\hinhem.scr moved successfully.
C:\WINDOWS\SYSTEM32\ffhkj.ini moved successfully.
C:\WINDOWS\SYSTEM32\blastclnnn.exe moved successfully.
C:\WINDOWS\SYSTEM32\isass.dll moved successfully.
C:\WINDOWS\SYSTEM32\ffhkj.tmp moved successfully.
C:\WINDOWS\SYSTEM32\ffhkj.ini2 moved successfully.
C:\WINDOWS\SYSTEM32\ffhkj.bak1 moved successfully.
[Files/Folders - Modified Within 60 days]
C:\WINDOWS\srchasst\mui\0409 moved successfully.
C:\WINDOWS\srchasst\mui moved successfully.
C:\WINDOWS\srchasst\chars moved successfully.
Folder cleanup  failed. C:\WINDOWS\srchasst scheduled to be deleted on reboot.
File C:\WINDOWS\hinhem.scr not found!
File C:\WINDOWS\SYSTEM32\ffhkj.ini not found!
File C:\WINDOWS\SYSTEM32\isass.dll not found!
File C:\WINDOWS\SYSTEM32\ffhkj.tmp not found!
File C:\WINDOWS\SYSTEM32\ffhkj.ini2 not found!
File C:\WINDOWS\SYSTEM32\ffhkj.bak1 not found!
< End of log >
Created on 08/12/2007 21:25:05

It asked for a reboot.

ComboFix log in file attached.
WinPFind3U log attached

mauserme

  • Guest
Re: ComboFix and HijackThis log
« Reply #21 on: August 13, 2007, 09:41:21 PM »
It's time to get rid of those registry entries you mentioned for MntDrCore.exe and svch0st.exe (note this has a numeric 0 in the 5th position).  We'll also take care of killVBS.vbs while we're at it.

Download ERUNT from here and back up your entire registry:

http://www.snapfiles.com/get/erunt.html

Next we'll create a registry fix. Copy and paste ALL of the information in the quote box below into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE > ALL FILES.
Then in the FILE NAME box type fix.reg.
This will create a fix.reg file on your desktop.

Quote
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08ef52f9-313f-11dc-b644-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1ea80f37-2868-11dc-b61f-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59f2db76-313e-11dc-b643-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f59142c-2f9d-11dc-b639-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b2273dc-2be9-11dc-b62e-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90805d17-30f9-11dc-b640-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c29761e-2a1b-11dc-b623-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba03a77c-2539-11dc-9e59-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c393d5ae-2a1c-11dc-b624-00167675b7f3}]

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Now open OTMoveIt and paste in these paths:

c:\virus
c:\windows\system32\killvbs.vbs

Click the move button and post the results (killvbs.vbs may not be found but I would like to make sure it is gone).

Your L: and M: drives both also carried the infection.  You should now mount each of them and delete any of these files if found in the root:

MntDrCore.exe
SSCVIIHOST.exe
Svch0st.exe   <- Again, this has a numeric 0 in the 5th position

You must also empty the recycle bin for all drives, as a fake ctfmon.exe located in the recycle bin on the M: drive was being run from the registry.


After doing all of the above please post fresh ComboFix and HJT logs.


EDIT:   added a path to the OTMoveIT list

Did you create a file named C:\virus.zip on 8 August?  Possibly to upload a sample to avast, or is this file unknown to you?
« Last Edit: August 13, 2007, 10:21:03 PM by mauserme »
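The lookalike names called out in this thread (scvhost.exe, isass.dll, svch0st.exe, the fake ctfmon.exe sitting in a recycle bin) can be picked out mechanically rather than by eye. As an added example that is not from the thread or from any of the tools it uses, this Python script scores file names against a short list of genuine Windows binaries, treating 0/o, 1/l, i/l substitutions and adjacent-letter swaps as near misses and flagging a genuine name found outside system32; the LEGIT list, the system32 location rule and the sample paths are assumptions constructed for the demonstration.

```python
"""Flag file names imitating Windows system binaries (scvhost.exe, isass.dll,
svch0st.exe in this thread). Added example, not from the thread; samples constructed."""
import ntpath

# Binaries that autorun worms masquerade as, and where the real ones live.
LEGIT = ["svchost", "lsass", "csrss", "ctfmon", "winlogon", "explorer"]
SYSTEM_DIR = "\\windows\\system32"
# Visually confusable substitutions: svch0st -> svchost, isass -> lsass.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (scvhost/svchost) as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def classify(path):
    """Return (imitated_name, reason) for a suspicious file name, else None."""
    folder, name = ntpath.split(path)
    raw = name.split(".", 1)[0].lower()        # stem before any extension
    for legit in LEGIT:
        if raw == legit:                        # exact name: check location
            if folder.lower().endswith(SYSTEM_DIR):
                return None
            return legit, "genuine name outside system32"
        dist = osa_distance(raw.translate(CONFUSABLES), legit.translate(CONFUSABLES))
        if dist <= 2:                           # swaps, doubled letters, digits
            return legit, "confusable characters" if dist == 0 else "lookalike"
    return None

# Constructed sample paths modelled on the names reported in this thread.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",      # genuine, not flagged
    r"C:\WINDOWS\system32\scvhost.exe",      # swapped letters
    r"C:\WINDOWS\system32\isass.dll",        # i in place of l
    r"L:\svch0st.exe",                       # zero in place of o
    r"M:\RECYCLER\ctfmon.exe",               # real name, wrong place
]

def report(paths):
    return {p: classify(p) for p in paths if classify(p)}
```

Running `report(SAMPLE_PATHS)` flags four of the five constructed paths; the threshold of two edits also catches doubled-letter variants such as scvvhost.exe while leaving names like images.exe alone.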