Author Topic: Is combofix safe to use now?  (Read 16641 times)


Offline Darth.Mikey

Re: Is combofix safe to use now?
« Reply #15 on: January 14, 2008, 11:22:23 AM »
You can save the log into a .txt file and attach it to your next post: under Additional Options, click Attach, then Browse, and select your log file.

Or you can split the log into multiple posts.

Offline rassel

Re: Is combofix safe to use now?
« Reply #16 on: January 15, 2008, 09:47:01 AM »
Sorry, I can't post the log on here, so I did this and this is the log you want.....

Offline essexboy

Re: Is combofix safe to use now?
« Reply #17 on: January 15, 2008, 09:05:48 PM »
Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
R3 - URLSearchHook: (no name) - {BAB1AC41-6FF7-4F2E-A04E-5C592CCFEA7D} - (no file)
O4 - HKCU\..\Run: [waitdead] C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1\Joybeep.exe
O4 - HKLM\..\Run: [eggs joy math type] C:\Documents and Settings\All Users\Application Data\Bind army eggs joy\two plan.exe
O8 - Extra context menu item: ·¢ËÍͼƬµ½ÊÖ»ú - C:\Program Files\P4P\cx.htm


Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
Folder::
C:\Documents and Settings\All Users\Application Data\Bind Army Eggs Jo
C:\Documents and Settings\Administrator\Application Data\Greatonline


3. Save the above as CFScript.txt, with the file type set to All Files.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Offline rassel

Re: Is combofix safe to use now?
« Reply #18 on: January 16, 2008, 10:21:52 AM »
OK, thanks, and here is the post, but I'm not sure whether I did it correctly or not. ;D
Oh ya, and you said that about CFScript.txt; where it is from I have no idea, so what I did is go to the folders that you gave me (C:\Documents and Settings\All Users\Application Data\Bind Army Eggs Jo) and (C:\Documents and Settings\Administrator\Application Data\Greatonline) and I extracted the files into the notepad.txt. Is that correct?
« Last Edit: January 16, 2008, 10:28:31 AM by rassel »

Offline essexboy

Re: Is combofix safe to use now?
« Reply #19 on: January 17, 2008, 08:22:13 PM »
No, what you needed to do was copy the text in the quote box to a Notepad file and then save it as cfscript, then drag and drop that on the ComboFix icon.

Then it would have deleted these two folders and any associated files:

C:\Documents and Settings\All Users\Application Data\Bind army eggs joy
C:\Documents and Settings\Administrator\Application Data\GreatOnline


They are both LOP folders, which are not good.

Also, you do not appear to have removed these lines from HijackThis:

R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
R3 - URLSearchHook: (no name) - {BAB1AC41-6FF7-4F2E-A04E-5C592CCFEA7D} - (no file)
O4 - HKCU\..\Run: [waitdead] C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1\Joybeep.exe
O4 - HKLM\..\Run: [eggs joy math type] C:\Documents and Settings\All Users\Application Data\Bind army eggs joy\Type Scr.exe
O8 - Extra context menu item: ·¢ËÍͼƬµ½ÊÖ»ú - C:\Program Files\P4P\cx.htm
O8 - Extra context menu item: ʹÓÃËѹ·Ö±Í¨³µÏÂÔØ - C:\Program Files\P4P\dl.htm


Until you remove them you are still infected.
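A small script of the kind of check essexboy is doing by eye in Replies #17 and #19, added here as an example and not part of the original thread: it parses HijackThis lines, flags the two patterns seen in this thread (orphaned URLSearchHooks and Run entries launching from Application Data), and reports which entries from the fix list survive in a later log. O4 entries are matched by hive, value name and folder, so a renamed executable (two plan.exe becoming Type Scr.exe) is still caught. The follow-up log is constructed for the example, not rassel's real one.

```python
import re
# Entries essexboy asked to have fixed in Reply #17 (copied from the thread).
TO_FIX = [
    "R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)",
    "R3 - URLSearchHook: (no name) - {BAB1AC41-6FF7-4F2E-A04E-5C592CCFEA7D} - (no file)",
    r"O4 - HKCU\..\Run: [waitdead] C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1\Joybeep.exe",
    r"O4 - HKLM\..\Run: [eggs joy math type] C:\Documents and Settings\All Users\Application Data\Bind army eggs joy\two plan.exe",
]
# Constructed follow-up log (not rassel's real one): a benign avast entry, one hook still
# orphaned, and both Run entries surviving, one with a renamed exe as in Reply #19.
NEW_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
R3 - URLSearchHook: (no name) - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - (no file)
O4 - HKCU\..\Run: [waitdead] C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1\Joybeep.exe
O4 - HKLM\..\Run: [eggs joy math type] C:\Documents and Settings\All Users\Application Data\Bind army eggs joy\Type Scr.exe
"""
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")

def parse_line(line):
    """Split a HijackThis line into section/body; O4 lines also get hive, value name, path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"section": m.group("section"), "body": m.group("body"), "raw": line.strip()}
    o4 = O4_RE.match(entry["body"]) if entry["section"] == "O4" else None
    if o4:
        entry.update(o4.groupdict())
    return entry

def entry_key(entry):
    """Identity across logs: LOP keeps the Run value name and folder but renames the exe, so O4 compares on hive + name + folder."""
    if entry["section"] == "O4" and "path" in entry:
        return ("O4", entry["hive"], entry["name"].lower(), entry["path"].rsplit("\\", 1)[0].lower())
    return (entry["section"], entry["body"])

def still_present(to_fix, new_log):
    """Lines of new_log whose key matches an entry that should already have been fixed."""
    wanted = {entry_key(parse_line(line)) for line in to_fix}
    entries = (parse_line(line) for line in new_log.splitlines())
    return [e["raw"] for e in entries if e and entry_key(e) in wanted]

def flag_suspicious(log):
    """The two patterns in this thread: orphaned hooks, Run entries launching from Application Data."""
    hits = []
    for e in filter(None, map(parse_line, log.splitlines())):
        if e["section"] == "R3" and "(no file)" in e["body"]:
            hits.append(("orphaned URLSearchHook", e["raw"]))
        elif e["section"] == "O4" and re.search(r"application data|applic~1", e.get("path", ""), re.I):
            hits.append(("Run entry launching from Application Data", e["raw"]))
    return hits
```

Run `still_present(TO_FIX, NEW_LOG)` against a real follow-up log pasted in place of NEW_LOG to see which fix-list entries a user has not actually removed.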


Offline rassel

Re: Is combofix safe to use now?
« Reply #20 on: January 18, 2008, 10:06:46 AM »
Ok ;) I'm very thankful for your help with my laptop, and here is the newest post you wanted. If anything is wrong, tell me. :P And I have followed what you said.

Offline essexboy

Re: Is combofix safe to use now?
« Reply #21 on: January 18, 2008, 08:31:47 PM »
Can you manually delete these two folders?

C:\Documents and Settings\All Users\Application Data\Bind army eggs joy
C:\Documents and Settings\Administrator\Application Data\GreatOnline

Once they are gone you look to be clean.

Offline rassel

Re: Is combofix safe to use now?
« Reply #22 on: January 19, 2008, 06:06:20 AM »
Wow, that's really dangerous: when I open this file C:\Documents and Settings\Administrator\Application Data\GreatOnline, avast suddenly pops up and says that there is a trojan. Thanks a lot essexboy. And I can't delete this folder C:\Documents and Settings\All Users\Application Data\Bind army eggs joy; it says that it is being used by another person or other program, so how can I delete it?

Offline oldman

Re: Is combofix safe to use now?
« Reply #23 on: January 19, 2008, 06:23:57 AM »
rassel

Please boot to safe mode and try to delete it from there. Remember to empty the recycle bin when you are done.

Offline rassel

Re: Is combofix safe to use now?
« Reply #24 on: January 21, 2008, 09:35:32 AM »
OK, thanks a lot to you all :) and there is another problem, which is: I deleted this folder (C:\Documents and Settings\Administrator\Application Data\GreatOnline) and it was not there, and the next day I went to check and the folder was there again, so I deleted it again, and today this folder appears at (C:\Documents and Settings\Administrator\Application Data) again. How do I keep it off my laptop ???

« Last Edit: January 21, 2008, 09:42:58 AM by rassel »

Offline essexboy

Re: Is combofix safe to use now?
« Reply #25 on: January 21, 2008, 11:13:57 PM »
Rerun ComboFix again and I will have a look-see.

Offline rassel

Re: Is combofix safe to use now?
« Reply #26 on: January 23, 2008, 05:40:59 AM »
OK, and sorry for the late reply :P :D
And do you need a HijackThis log? If you want it, then tell me.

Offline essexboy

Re: Is combofix safe to use now?
« Reply #27 on: January 23, 2008, 10:15:42 PM »
LOP is still there; if this does not work I will have to use a different hammer.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
C:\WINDOWS\Tasks\AED442E7918FFD47.job

  • Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1
c:\docume~1\admini~1\applic~1\greato~1\heck peak bone.exe

  • Return to OTMoveIt2, right-click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt2.
  If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Offline rassel

Re: Is combofix safe to use now?
« Reply #28 on: January 24, 2008, 10:01:47 AM »
This is the post 8)


C:\WINDOWS\Tasks\AED442E7918FFD47.job moved successfully.
[Custom Input]
< C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1 >
File/Folder C:\DOCUME~1\ADMINI~1\APPLIC~1\GREATO~1 not found.
< c:\docume~1\admini~1\applic~1\greato~1\heck peak bone.exe >
File/Folder c:\docume~1\admini~1\applic~1\greato~1\heck peak bone.exe not found.
 
OTMoveIt2 v1.0.14 log created on 01242008_165934

Offline rassel

Re: Is combofix safe to use now?
« Reply #29 on: January 24, 2008, 10:03:25 AM »
OH ya, I forgot to tell you that the GreatOnline folder has been removed from my computer and is not there anymore.

Thanks essexboy