Ran Malwarebytes and Combofix - Still Infected


timwcjb

Hi-

My computer was infected with some trojan viruses. I ran Malwarebytes several times, but after the last time it said the computer was still infected with rootkit.agent.

Based on advice to another person on the forums I downloaded and ran Combofix. It seems the computer is still infected though. The last time the PC rebooted, Malwarebytes started and caused Combofix to hang, as Malwarebytes had been running and was trying to quarantine a virus. I clicked quarantine and Combofix completed running. I've pasted the log.txt contents below.

Any advice would be GREATLY appreciated!!

Thanks!!

Tim

ComboFix 10-09-16.04 - thoskinson 09/16/2010 17:45:32.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1622 [GMT -4:00]

Running from: G:\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\eanglehart\.COMMgr

c:\documents and settings\eanglehart\Application Data\74A86F89091A158AC5B5A8B6C57E64B9

c:\documents and settings\eanglehart\Application Data\74A86F89091A158AC5B5A8B6C57E64B9\enemies-names.txt

c:\documents and settings\eanglehart\Application Data\74A86F89091A158AC5B5A8B6C57E64B9\local.ini

c:\documents and settings\eanglehart\Application Data\74A86F89091A158AC5B5A8B6C57E64B9\lsrslt.ini

c:\documents and settings\eanglehart\Desktop\Antivirus Support.lnk

c:\documents and settings\eanglehart\Desktop\installer.bat

c:\documents and settings\eanglehart\Start Menu\Programs\Antimalware Doctor

c:\documents and settings\eanglehart\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk

c:\documents and settings\eanglehart\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

c:\documents and settings\thoskinson.WCJB-TV\GoToAssistDownloadHelper.exe

c:\documents and settings\thoskinson.WCJB-TV\My Documents\Readiris.DUS

c:\documents and settings\thoskinson.WCJB-TV\yblxrhoj .exe

c:\windows\Fonts\mlog

c:\windows\system32\0wt2bt.log

c:\windows\system32\9bjxy.log

c:\windows\system32\AutoRun.inf

c:\windows\system32\drivers\dmfhspny.sys

c:\windows\system32\Install.txt

c:\windows\system32\nwcwks.dll

c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe

c:\windows\system32\szetyj67v.txt

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\clipsrv.exe . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ATAPIDRV

-------\Legacy_PROTECT

-------\Legacy_NWCWorkstation

-------\Legacy_umedqb

-------\Service_NWCWorkstation

-------\Service_umedqb

((((((((((((((((((((((((( Files Created from 2010-08-16 to 2010-09-16 )))))))))))))))))))))))))))))))

.

2010-09-16 22:05 . 2010-09-16 22:05 59392 ----a-w- c:\windows\system32\yblxrhojD.exe

2010-09-16 22:05 . 2010-09-16 22:05 34560 ----a-w- c:\documents and settings\thoskinson.WCJB-TV\wuaucldt.exe

2010-09-16 22:05 . 2010-09-16 22:05 34560 ----a-w- c:\windows\system32\wuaucldt.exe

2010-09-16 13:51 . 2010-09-16 22:05 59392 ----a-w- c:\documents and settings\thoskinson.WCJB-TV\yblxrhoj.exe

2010-09-16 13:50 . 2010-09-16 13:50 59392 ----a-w- c:\windows\system32\yblxrhoj .exe

2010-09-15 20:40 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-15 20:40 . 2010-09-15 20:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-15 20:40 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-15 20:30 . 2010-09-15 20:30 59392 ----a-w- c:\windows\system32\yblxrhoj.exe

2010-09-15 20:13 . 2010-09-16 22:04 211072 ----a-w- c:\windows\system32\dllcache\ndis.sys

2010-09-15 12:24 . 2010-09-15 12:24 58880 ----a-w- c:\documents and settings\thoskinson.WCJB-TV\yblxrhoj


Hi welcome to Mbam.

Combofix is not to be used unless someone has specifically asked you to use it.

So in the future, seek assistance before running it, because certain infections that Combofix targets can cause the machine to be unbootable when Combofix removes them.

Please submit the following files to one of these online file scanners.

(All you have to do is copy and paste the file path into the box when you click on Browse; once you have done that, click on the Open button and then Submit.)

c:\windows\system32\userinit.exe

c:\windows\system32\spoolsv.exe

c:\windows\system32\clipsrv.exe

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.


Thank you!

Tim

Here are the results:

Jotti's malware scan

This file has been scanned before. The results for this previous scan are listed below.

--------------------------------------------------------------------------------

Filename: spoolsv.exe

Status: Scan finished. 16 out of 19 scanners reported malware.

Scan taken on: Fri 17 Sep 2010 22:59:39 (CET) Permalink

--------------------------------------------------------------------------------

Additional info

File size: 85504 bytes

Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5: d66cdc2a1ce9659eaa3bf0ed3ca594df

SHA1: 3d76c9486783696e7ba123f5457f0ea1c1d18c18

Scanners

2010-09-17 Found nothing 2010-09-17 Win32.Virtob.Gen.12

2010-09-17 Win32:Vitro 2010-09-17 Virus.Win32.SdBot

2010-09-17 Win32/Virut 2010-09-17 Virus.Win32.Virut.ce

2010-09-17 W32/Virut.Gen 2010-09-17 Win32/Virut.NCF

2010-09-17 Win32.Virtob.Gen.12 2010-09-17 W32/Sality.AO

2010-09-17 Found nothing 2010-09-17 W32.Virut.G

2010-09-17 Found nothing 2010-09-17 W32/Scribble-B

2010-09-17 Win32.Virut.56 2010-09-17 Virus.Win32.Virut.X5

2010-09-17 W32/Virut.AL!Generic 2010-09-17 Win32.Virut.AB.Gen

2010-09-17 Win32.Virtob.Gen.12

--------------------------------------------------------------------------------



You are welcome; unfortunately, I have some bad news.

Your System is infected with Virut!!

Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.

For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:

https://forums2.symantec.com/t5/Malicious-C...age/ba-p/388834

http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.

It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:

Immediately before the encrypted code at the end of the last section

At the end of the code section of the infected host in 'slack-space' (assuming there is any)

At the original entry point of the host (overwriting the original host code)

What this means is we cannot proceed with any sort of fix, as your legitimate files have already been corrupted and this action is, unfortunately, irreversible. I apologize, but there is nothing else I can do or advise to completely clear your machine. You must reformat your PC to rid yourself of this deadly virus.
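The McAfee excerpt above describes the infector appending its encrypted body to the last section of a PE file, which then has to be mapped executable for the decryptor to reach it. That property is something a defender can triage from the file header alone. The following is an added example, not code from this thread or from Malwarebytes or ComboFix; it assumes PE32 layout, builds two constructed header-only images to exercise the parser, and its triage rules (entry point should sit in a code section, last section should not be executable) are heuristics I assume here, not Virut signatures.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020      # section Characteristics flags (PE/COFF spec)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(pe):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, flags), ...]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20  # optional header; AddressOfEntryPoint sits at its offset 16
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i  # section headers follow the optional header
        name, vsize, vaddr = struct.unpack_from("<8sII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, flags))
    return entry_rva, sections

def triage_entry_point(pe):
    """Assumed triage rules for appending infectors: the entry point normally lands in the
    first code section, and a linker does not normally leave the last section executable."""
    entry_rva, sections = parse_sections(pe)
    ep_sec = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    last = sections[-1]
    findings = []
    if ep_sec is None:
        findings.append("entry point outside every section")
    elif ep_sec is last and len(sections) > 1:
        findings.append("entry point in last section " + last[0])
    if last[3] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        kind = "writable+executable" if last[3] & IMAGE_SCN_MEM_WRITE else "executable"
        findings.append("last section %s is %s" % (last[0], kind))
    return findings

def build_test_image(entry_rva, sections):
    """Constructed minimal PE32 (headers only, no section data) to exercise the parser."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, f) for n, va, vs, f in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
CLEAN = build_test_image(0x1000, [(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, IMAGE_SCN_MEM_WRITE)])
SUSPECT = build_test_image(0x4200, [(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x2000, IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])
```

Run `triage_entry_point(open(path, "rb").read())` on a real file to get the same list of findings; an empty list means neither heuristic fired, not that the file is clean.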


Thanks again for your advice, Ran. At least I know what the bottom line is.

Tim
