Computer infected, can't run AV or Spybot S&D

Alright, this is working now. I have rec'd a message stating that the recovery console is installed and that on reboot a black screen appears, but for normal use to not this. Combofix is now continuing to scan for malware. Once it reboots, are there any specific instructions on what to do? Should I link the resulting log file from after the reboot?
 
Hi,

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l %systemdrive%\eventlog.dll >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.


Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
cacls c:\windows\system32\svchost.exe >>c:\Logit.txt
del %0


Double-click on fixes.bat file to execute it. Post contents of c:\Logit.txt file.
 
Contents of Log.txt:
-c----w- 55,808 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
------w- 56,320 2008-04-14 00:11:53 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

Entries: 2 (2)
Directories: 0 Files: 2
Bytes: 112,128 Blocks: 219



Contents of Logit.txt
c:\windows\system32\svchost.exe Everyone:(NP)(special access:)

DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
STANDARD_RIGHTS_REQUIRED
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
 
Hi,

One more query for you to run.

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l %systemdrive%\svchost.exe >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.
 
Contents of log:

-c----w- 14,336 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
------w- 14,336 2008-04-14 00:12:36 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
----a-w- 14,336 2008-04-14 00:12:36 C:\WINDOWS\system32\svchost.exe

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 43,008 Blocks: 84
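As an added example (not part of this thread, and not code from the PEV or ComboFix tools), the Python below automates the two checks the helper is doing by hand above: it parses the PEV -l listings to tell whether the live system32 and dllcache copies of a file exist and match the ServicePackFiles reference copy (the eventlog.dll listing shows no system32 copy at all), and it parses cacls output to flag broad principals such as Everyone holding write-class rights on a system binary. The sample inputs are the listings quoted in this thread, abridged and embedded as constants; the sets of "broad" principals and write-class rights are my assumptions, not values from the thread.

```python
import re
# Constructed sample input: the PEV -l listings and cacls output quoted (abridged) earlier in this thread.
PEV_EVENTLOG = r"""
------w- 56,320 2008-04-14 00:11:53 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
"""
PEV_SVCHOST = r"""
-c----w- 14,336 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
------w- 14,336 2008-04-14 00:12:36 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
----a-w- 14,336 2008-04-14 00:12:36 C:\WINDOWS\system32\svchost.exe
"""
CACLS_SVCHOST = r"""
c:\windows\system32\svchost.exe Everyone:(NP)(special access:)
DELETE
WRITE_DAC
WRITE_OWNER
FILE_WRITE_DATA
"""
PEV_RE = re.compile(r"^(\S{8})\s+([\d,]+)\s+(\S+ \S+)\s+(.+)$")  # attrs size date time path
ACE_RE = re.compile(r"^\s*(?:[A-Za-z]:\\\S*\s+)?(?P<who>.+?):(?P<rights>(?:\([^)]*\))+|[A-Z]+)\s*$")
RIGHT_RE = re.compile(r"^\s*([A-Z_]+)\s*$")  # one 'special access' right per line
REF = r"c:\windows\servicepackfiles\i386\{}"  # the copy the FCopy:: directive restores from
LIVE = {"system32": r"c:\windows\system32\{}", "dllcache": r"c:\windows\system32\dllcache\{}"}
BROAD = {"Everyone", "Users", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}  # assumption
WRITE_RIGHTS = {"F", "C", "W", "DELETE", "WRITE_DAC", "WRITE_OWNER", "FILE_WRITE_DATA", "FILE_APPEND_DATA"}
def parse_pev(text):
    """Map lower-cased path -> size in bytes for every PEV -l listing line."""
    hits = (PEV_RE.match(ln.strip()) for ln in text.splitlines())
    return {m.group(4).lower(): int(m.group(2).replace(",", "")) for m in hits if m}

def check_copies(text, name):
    """Status ('ok', 'missing', 'size-mismatch') of each live copy of `name` versus the reference copy."""
    files = parse_pev(text)
    ref = files.get(REF.format(name.lower()))
    def status(size):
        return "missing" if size is None else "size-mismatch" if ref is not None and size != ref else "ok"
    return {label: status(files.get(p.format(name.lower()))) for label, p in LIVE.items()}

def parse_cacls(text):
    """Map principal -> set of rights; 'special access' rights follow on their own lines."""
    acl, current = {}, None
    for line in text.splitlines():
        ace, right = ACE_RE.match(line), RIGHT_RE.match(line)
        if ace:
            current = ace.group("who")
            acl[current] = set() if "special access" in ace.group("rights") else {ace.group("rights")}
        elif right and current is not None:
            acl[current].add(right.group(1))
    return acl
def risky_grants(text):
    """Broad principals holding write-class rights on a system binary: a tampering indicator."""
    return {w: sorted(r & WRITE_RIGHTS) for w, r in parse_cacls(text).items() if w in BROAD and r & WRITE_RIGHTS}
```

On the thread's data this reports eventlog.dll missing from both live locations, svchost.exe present in system32 but absent from dllcache, and Everyone holding DELETE, FILE_WRITE_DATA, WRITE_DAC and WRITE_OWNER on svchost.exe, which is exactly what the FCopy:: script above goes on to repair.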
 
Hi,

Open notepad and copy/paste the text in the quotebox below into it:

Code:
FCopy::
C:\WINDOWS\ServicePackFiles\i386\svchost.exe|C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\svchost.exe|C:\WINDOWS\system32\dllcache\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\dllcache\eventlog.dll


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[image: CFScriptB-4.gif]


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Had to use the MS-DOS command as we did yesterday, but got it to work and am posting the resulting log. I still cannot drag icons on the desktop.
 
Hi,

You had the script file named the wrong way. It has to be a .txt file.

Use this command ensuring that both ComboFix.exe and CFScript.txt with proper contents are on your desktop:
Code:
"c:\documents and settings\colin\desktop\ComboFix.exe" "c:\documents and settings\colin\desktop\CFScript.txt"
 
Shoot, so I did. Sorry about that. Here is the proper result. I should also note that I have internet access again, or more accurately, I can get onto Internet Explorer, and I'm able to move icons on the desktop. Looking good.
 
Looks better indeed. We have things left to do though :)

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach the file to your reply.
 
Hi,

Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Archive it into zip file and attach to your post.
"%userprofile%\desktop\win32kdiag.exe" -f -r
 
Hi,

Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.


Uninstall this vulnerable Java:
Java(TM) 6 Update 13


* Go here to run an online scanner from ESET.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new dds.txt log & a description of any remaining problems
 
ESET log contents:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6210
# api_version=3.0.2
# EOSSerial=ca3d58eabbc7aa4e99e9902958a679ee
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-20 09:14:27
# local_time=2009-10-20 05:14:27 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=2304 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=78265
# found=0
# cleaned=0
# scan_time=2131
 
Please post a fresh dds.txt log and description of remaining problems too.
 
Here is the resulting DDS log and I posted the new Attach log also just in case. So far everything seems to be working very well. The response time for actions seems better than prior to when the issues started, and so far none of my browser windows have been hijacked, nor have I had any issues with any of my everyday tasks.
 