This system is very badly infected.
Your log reveals a backdoor trojan. These can severely compromise personal information which could lead to identity theft.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC may already be compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If this were my PC, I would not hesitate for a moment to do so. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
If you wish to proceed with the disinfection, I strongly suggest you install the Recovery Console, as removing malware from a system this badly infected may have unforeseen consequences. Please see the guide at
http://www.bleepingcomputer.com/tuto...torial117.html for detailed instructions.
Please download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to C:\SDFix
You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.
Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Paste the contents of the Report.txt back on the forum in your next reply
- Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Documents and Settings\Chris Scanlon\Application Data\nuupo .exe
C:\info.exe
C:\Documents and Settings\Chris Scanlon\installer.exe
C:\Documents and Settings\Chris Scanlon\Application Data\yuj.exe
C:\Documents and Settings\Chris Scanlon\Application Data\qbdsqxfkb.exe
C:\Documents and Settings\Chris Scanlon\Application Data\hsqt.exe
C:\Program Files\wt3d.ini
C:\Program Files\Internet Explorer\5384 .EXE
C:\WINDOWS\system32\ieupdates .exe
C:\WINDOWS\system32\9092929A94969A9.exe
C:\WINDOWS\system32\drivers\beepp.sys
c:\windows\system32\znntzs.dll
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager .exe
C:\Program Files\BellSouth Internet Tools\blsloader .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Creative\VoiceCenter\AndreaVC .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
C:\Program Files\NCH Swift Sound\RecordPad\recordpad .exe
C:\Program Files\Support.com\BellSouth\hcenter .exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\LVCOMSX .EXE
C:\WINDOWS\system32\hdfile.sys
C:\WINDOWS\system32\hdport.sys
Folder::
C:\Temp\tn3
C:\WINDOWS\Fonts
C:\WINDOWS\system32\updater
C:\Program Files\QuickTime\bak
C:\Program Files\SUPERAntiSpyware\bak
C:\Program Files\QdrModule
C:\Program Files\Dot1XCfg
C:\Program Files\Router
RenV::
C:\Documents and Settings\Chris Scanlon\Shared\MPEG AVI to DVD VCD SVCD Converter Pro Full Version Cucusoft\Cucusoft Apple TV Video Converter .exe
C:\Program Files\AOL 9.1\AOL .EXE
C:\Program Files\Common Files\AOL\1149387323\ee\AOLSoftware .exe
C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
C:\Program Files\DellSupport\DSAgnt .exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Logitech\Video\ManifestEngine .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Zune\ZuneLauncher .exe
AWF::
C:\Program Files\BellSouth\Alert Manager\bak\BellSouthAlertManager.exe
C:\Program Files\BellSouth Internet Tools\bak\blsloader.exe
C:\Program Files\Common Files\AOL\1149387323\ee\bak\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Creative\VoiceCenter\bak\AndreaVC.exe
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Video\bak\ISStart.exe
C:\Program Files\Logitech\Video\bak\LogiTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe
C:\Program Files\NCH Swift Sound\RecordPad\bak\recordpad.exe
C:\Program Files\Support.com\BellSouth\bak\hcenter.exe
C:\WINDOWS\ehome\bak\ehtray.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\WINDOWS\system32\bak\LVCOMSX.EXE
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C835EC2A-1D13-43A9-4CAB-69D5BC5B0D5A}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cxnqs"=-
"QdrModule9"=-
"Dot1XCfg"=-
"Router"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"A8AAAAB2ACAEB2B7B"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8fPfHq5]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A8AAAAB2ACAEB2B7B]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
qzbjwn=-
znntzs=-
Driver::
beepp
CKVC
hdfile
hdport
znntzs
DISK_DRIVE32
- Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION: Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
Please post
- The SDFix log
- The ComboFix log
- A new HijackThis log
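
Added example, not part of the original post and not ComboFix's own code: the script above lists executables whose names carry a space before the extension, next to copies of the same name under a bak subfolder. This Python sketch parses a script laid out in the same `Section::` form and pairs the two. The function names are hypothetical, the pairing rule is only an observation from the listing, and the sample holds a few entries copied from the post.

```python
import ntpath
import re

# Constructed sample: a few entries copied from the script in the post.
SAMPLE = r"""File::
C:\info.exe
C:\WINDOWS\system32\hkcmd .exe
RenV::
C:\Program Files\QuickTime\qttask .exe
AWF::
C:\WINDOWS\system32\bak\hkcmd.exe
Driver::
beepp
"""

SECTION = re.compile(r"^([A-Za-z]+)::$")

def parse_cfscript(text):
    """Split the text into {section name: [entries]} (hypothetical helper)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def unspaced(path):
    """Path with whitespace before the extension removed, or None if there is none."""
    folder, name = ntpath.split(path)
    stem, ext = ntpath.splitext(name)
    return ntpath.join(folder, stem.rstrip() + ext) if ext and stem != stem.rstrip() else None

def pair_with_bak(sections):
    """Map each space-before-extension entry to the AWF bak copy of the same name."""
    bak = {}
    for p in sections.get("AWF", []):
        parent, leaf = ntpath.split(ntpath.dirname(p))
        if leaf.lower() == "bak":
            bak[ntpath.join(parent, ntpath.basename(p)).lower()] = p
    pairs = {}
    for p in sections.get("File", []) + sections.get("RenV", []):
        if unspaced(p):
            pairs[p] = bak.get(unspaced(p).lower())
    return pairs

for spaced, copy in pair_with_bak(parse_cfscript(SAMPLE)).items():
    print(spaced, "->", copy)
```

An entry that maps to None has a spaced name but no bak copy listed, as with the qttask entry in the sample.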