Post #11, January 7th, 2008, 01:21 AM
Jintan (Cyber Tech Help Moderator)
That first larger log wasn't an indicator of bad, but this ComboFix log unfortunately is. Malware has added some entries and services, and I cannot be sure how removal of these will impact the system. Just a caution, as this new infection variant has embedded itself there in some sensitive system areas, and both that and the repair of that may still lead to a need to reformat/reinstall XP. Should something go wrong after this next, however, ComboFix has a built-in recovery option to use to meet immediate needs. To keep others from repeating the same mistakes as here, if you do know the source, please feel free to PM me the location that brought the download that started this infection, so perhaps it can be shut down by concerned experts.


Be very sure any protective software is disabled.

Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
KillAll::
Driver:
NATServices
File::
C:\WINDOWS\SYSTEM32\snhuqt.DRV
C:\WINDOWS\SYSTEM32\arsneo.DRV
C:\WINDOWS\SYSTEM32\gxobza.KEY
C:\WINDOWS\SYSTEM32\Down(6).exe
C:\WINDOWS\SYSTEM32\Down(5).exe
C:\WINDOWS\SYSTEM32\Down(4).exe
C:\WINDOWS\SYSTEM32\Down(3).exe
C:\WINDOWS\SYSTEM32\Down(2).exe
C:\WINDOWS\SYSTEM32\0004c49d.inf
C:\WINDOWS\SYSTEM32\Down(1).exe
C:\WINDOWS\SYSTEM32\Down(0).exe
C:\WINDOWS\SYSTEM32\svchst.exe
C:\test.exe
C:\WINDOWS\SYSTEM32\Flower.dll
C:\WINDOWS\SYSTEM32\Flower.exe
C:\WINDOWS\SYSTEM32\Down(31).exe
C:\WINDOWS\SYSTEM32\Down(30).exe
C:\WINDOWS\SYSTEM32\Down(29).exe
C:\WINDOWS\SYSTEM32\Down(28).exe
C:\WINDOWS\SYSTEM32\Down(27).exe
C:\WINDOWS\SYSTEM32\Down(26).exe
C:\WINDOWS\SYSTEM32\Down(25).exe
C:\WINDOWS\SYSTEM32\Down(24).exe
C:\WINDOWS\SYSTEM32\Down(23).exe
C:\WINDOWS\SYSTEM32\Down(22).exe
C:\WINDOWS\SYSTEM32\Down(21).exe
C:\WINDOWS\SYSTEM32\Down(20).exe
C:\WINDOWS\SYSTEM32\Down(19).exe
C:\WINDOWS\SYSTEM32\Down(18).exe
C:\WINDOWS\SYSTEM32\Down(17).exe
C:\WINDOWS\SYSTEM32\azftzw.KEY
C:\WINDOWS\SYSTEM32\Down(16).exe
C:\WINDOWS\SYSTEM32\Down(15).exe
C:\WINDOWS\SYSTEM32\Down(14).exe
C:\WINDOWS\SYSTEM32\Down(13).exe
C:\WINDOWS\SYSTEM32\00044f77.inf
C:\WINDOWS\SYSTEM32\Down(11).exe
C:\WINDOWS\SYSTEM32\Down(10).exe
C:\WINDOWS\SYSTEM32\Down(9).exe
C:\WINDOWS\SYSTEM32\Down(8).exe
C:\WINDOWS\SYSTEM32\Down(7).exe
C:\WINDOWS\SYSTEM32\a.jpg
C:\WINDOWS\SYSTEM32\IE_ASSII.exe
C:\HTGD0003.exe
C:\HTGD0005.exe
C:\HTGD0002.bmp
C:\HTGD0006.ini
c:\windows\system32\azftzw.dll
C:\Program Files\Internet Explorer\3776.EXE
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mschkdsk.exe"=
"GoogleUpdate"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\auto.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ShuiNiu.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sos.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\svch0st.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Systom.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UFO.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\XP.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"roawiy"=-
"snhuqt"=-
"arsneo"=-
"NATServices"=-
Save this as "CFScript"

(include the "quotation marks" with the name)

[Image from the original post not available here: it shows CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed, a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

For now just post back that log please.


Also these files being removed need to be included in security updates. If you would, just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file on your computer.

C:\Qoobox\Quarantine\C <-- the entire "C" folder

You DO NOT need to be a member to upload, anybody can upload the files.
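Added example, not part of Jintan's post and not ComboFix's own code: a small parser that reads a CFScript like the one above and reports what it would do before anyone runs it. It assumes the publicly documented CFScript conventions (a section header is a word followed by two colons such as File::, Driver::, Registry::, KillAll::; in the Registry section a [-KEY] line deletes the key, a [KEY] line selects the key for the "name"=- lines that follow, and "name"=- deletes that value). The sample script inside the block is constructed for the example; it deliberately includes a single-colon header and a value line without the trailing "-" so the validation warnings can be seen.

```python
"""Parse and sanity-check a ComboFix CFScript before it is run.

Assumed syntax (documented ComboFix conventions, not taken from the post):
  Section::           header; KillAll:: takes no body lines
  [-KEY]              delete the whole registry key
  [KEY]               select KEY for the value lines that follow
  "name"=-            delete value "name" under the selected key
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r'^([A-Za-z]+)(::?)$')     # accepts ':' so it can be flagged
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
IFEO_MARKER = '\\image file execution options\\'


@dataclass
class CFScript:
    kill_all: bool = False
    drivers: list = field(default_factory=list)
    files: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)   # (key, value name)
    warnings: list = field(default_factory=list)


def parse_cfscript(text):
    """Split the script into its sections and collect each intended action."""
    s = CFScript()
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, colons = m.group(1), m.group(2)
            if colons == ':':
                s.warnings.append(f'line {lineno}: "{line}" has one colon; headers use two')
            section = name.lower()
            current_key = None
            if section == 'killall':
                s.kill_all = True
            continue
        if section == 'driver':
            s.drivers.append(line)                      # service/driver to stop and delete
        elif section == 'file':
            s.files.append(line)                        # file path to remove
        elif section == 'registry':
            m = KEY_RE.match(line)
            if m:
                if m.group(1) == '-':
                    s.delete_keys.append(m.group(2))
                    current_key = None
                else:
                    current_key = m.group(2)
                continue
            m = VALUE_RE.match(line)
            if m:
                if current_key is None:
                    s.warnings.append(f'line {lineno}: value line with no [KEY] selected')
                elif m.group(2) == '-':
                    s.delete_values.append((current_key, m.group(1)))
                else:
                    s.warnings.append(f'line {lineno}: "{line}" lacks the trailing "-" of a delete')
                continue
            s.warnings.append(f'line {lineno}: unrecognised registry line {line!r}')
        else:
            s.warnings.append(f'line {lineno}: {line!r} outside any known section')
    return s


def ifeo_targets(script):
    """Executable names whose Image File Execution Options keys the script deletes.

    Malware plants a Debugger value under IFEO\\<tool>.exe so that launching
    the tool starts the malware instead; the deleted key names show which
    programs were intercepted.
    """
    return [k.rpartition('\\')[2] for k in script.delete_keys
            if IFEO_MARKER in k.lower()]


# Constructed sample in the CFScript style (not the script from the post).
SAMPLE_SCRIPT = r"""KillAll::
Driver:
NATServices
File::
C:\WINDOWS\SYSTEM32\example1.DRV
C:\example2.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mschkdsk.exe"=
"GoogleUpdate"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"NATServices"=-
"""

if __name__ == '__main__':
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    print('files to remove:', parsed.files)
    print('IFEO keys removed for:', ifeo_targets(parsed))
    for w in parsed.warnings:
        print('WARNING', w)
```

Running the block on the constructed sample lists two files, one driver, the NAVSetup.exe IFEO key, two value deletions, and two warnings (the "Driver:" header and the "mschkdsk.exe"= line that has no "-"). The second warning is the kind of thing worth catching before a script runs: a value line without "=-" is not a deletion in the assumed syntax, so the entry would be left in place.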