
[Resolved] Security Tool


This topic is locked
57 replies to this topic

#16 VanDavies (Authentic Member, 36 posts)

Posted 13 November 2009 - 05:03 PM

Yes, I dragged it into Inherit, still no joy. Trying it in normal mode now, it still won't let me open it - Security Tool still stopping it. It says "Combo.com.exe is infected with a worm".


#17 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 13 November 2009 - 05:08 PM

Hi,

Please do the following:

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please click OTM and then click >> run.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"69947237"=-
"a0655570"=-
"yomutujav"=-

:Files
c:\programdata\69947237\69947237.exe
c:\programdata\bebojori\bebojori.dll
c:\progra~2\jojejure\jojejure.dll
c:\programdata\yibuleko
c:\programdata\jojejure
c:\programdata\zedokupa
c:\programdata\yowajaka
c:\programdata\69947237
c:\programdata\zuhoboku
c:\programdata\metuyuli
c:\programdata\jehiyile
c:\programdata\bebojori
c:\programdata\pojevejo
c:\programdata\gehazoze
c:\programdata\dakabedu
c:\programdata\holusiti
c:\programdata\figimeje
c:\programdata\wonutego
c:\programdata\hawupula
c:\programdata\wufajeda
c:\programdata\sakiweto
c:\programdata\kepuzuli
c:\programdata\jahasuri

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

  • Return to OTM, right-click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM.

Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
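The OTM script above removes three values from the current user's Run key and the ProgramData folders they point at. The following PowerShell script is an added example, not part of the thread and not OTM's code: it audits that same Run key on a Vista-or-later machine, resolves the executable each value launches, and flags entries whose target is missing, lives under ProgramData, or has a random-looking name like the three removed above. The three flagging rules are this example's own heuristics and are meant to produce a list for review, not to delete anything.

```powershell
# Added example: audit HKCU Run autostarts and flag suspicious ones (no changes are made).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

Get-ItemProperty -Path $runKey |
  Select-Object -ExpandProperty PSObject |
  Select-Object -ExpandProperty Properties |
  # Drop the provider metadata properties that Get-ItemProperty adds to the object
  Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
  ForEach-Object {
    $name = $_.Name
    $cmd  = [string]$_.Value

    # Pull the executable out of the command line: a quoted path, else the first token.
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Heuristics (assumptions of this example, not rules from the thread).
    $flags = @()
    if (-not (Test-Path -LiteralPath $exe))   { $flags += 'target file missing' }
    if ($exe -like "$env:ProgramData\*")      { $flags += 'runs from ProgramData' }
    if ($name -match '^[0-9a-z]{8,}$')        { $flags += 'random-looking value name' }

    [pscustomobject]@{
      Name       = $name
      Command    = $cmd
      Executable = $exe
      Flags      = ($flags -join '; ')
    }
  } | Format-Table -AutoSize
```

Run it in a normal PowerShell session as the affected user (the key is per user). In the situation in this thread the values 69947237, a0655570 and yomutujav would all trip the name heuristic, and 69947237 would also be flagged for running from ProgramData; anything flagged is worth checking before it is removed with a tool such as OTM.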


#18 VanDavies (Authentic Member, 36 posts)

Posted 13 November 2009 - 05:10 PM

Downloaded OTM. Again, it won't work in normal mode (Security Tool is stopping it from opening), so I'll try it in Safe Mode and get back to you.

#19 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 13 November 2009 - 05:12 PM

Hi,

If it won't work in safe mode:

Look for the following file:

c:\programdata\69947237\69947237.exe

Drag it to your desktop (don't delete it), then see if OTM and ComboFix will run.

You may need to show hidden files and folders to find it:

  • Close all programs so that you are at your desktop.
  • Open the Control Panel menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and exit My Computer.
  • Now your computer is configured to show all hidden files.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
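The Folder Options steps above can also be applied from PowerShell, which is useful when a rogue program is interfering with the Control Panel. This is an added example, not part of the thread: it reads the current values of the three Explorer settings that back those checkboxes, then sets them so that hidden files, protected operating-system files and file extensions are all shown, and restarts Explorer so the change takes effect. The "Display the contents of system folders" option is not covered here.

```powershell
# Added example: show hidden files, protected OS files and file extensions for the current user.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Show the current settings first so the change can be reverted later.
# Hidden: 1 = show hidden files, 2 = don't show
# ShowSuperHidden: 1 = show protected operating system files
# HideFileExt: 0 = show extensions for known file types
Get-ItemProperty -Path $adv -Name Hidden, ShowSuperHidden, HideFileExt -ErrorAction SilentlyContinue |
  Select-Object Hidden, ShowSuperHidden, HideFileExt

# Apply the same settings the Folder Options dialog steps above produce.
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord

# Explorer reads these values when it starts, so restart it.
Stop-Process -Name explorer -Force
Start-Process explorer.exe
```

Once the cleanup is finished the same three values can be set back to their original numbers (normally Hidden=2, ShowSuperHidden=0, HideFileExt=1) to return to the default view.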


#20 VanDavies (Authentic Member, 36 posts)

Posted 13 November 2009 - 05:27 PM

Hi, I managed to run OTM in safe mode and navigated to the log file; it comes back with this:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\69947237 deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\a0655570 deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yomutujav deleted successfully.
========== FILES ==========
c:\programdata\69947237\69947237.exe moved successfully.
DllUnregisterServer procedure not found in c:\programdata\bebojori\bebojori.dll
c:\programdata\bebojori\bebojori.dll moved successfully.
DllUnregisterServer procedure not found in c:\progra~2\jojejure\jojejure.dll
c:\progra~2\jojejure\jojejure.dll moved successfully.
c:\programdata\yibuleko folder moved successfully.
c:\programdata\jojejure folder moved successfully.
c:\programdata\zedokupa folder moved successfully.
c:\programdata\yowajaka folder moved successfully.
c:\programdata\69947237 folder moved successfully.
c:\programdata\zuhoboku folder moved successfully.
c:\programdata\metuyuli folder moved successfully.
c:\programdata\jehiyile folder moved successfully.
c:\programdata\bebojori folder moved successfully.
c:\programdata\pojevejo folder moved successfully.
c:\programdata\gehazoze folder moved successfully.
c:\programdata\dakabedu folder moved successfully.
c:\programdata\holusiti folder moved successfully.
c:\programdata\figimeje folder moved successfully.
c:\programdata\wonutego folder moved successfully.
c:\programdata\hawupula folder moved successfully.
c:\programdata\wufajeda folder moved successfully.
c:\programdata\sakiweto folder moved successfully.
c:\programdata\kepuzuli folder moved successfully.
c:\programdata\jahasuri folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Keymar
->Temp folder emptied: 546190415 bytes
->Temporary Internet Files folder emptied: 97009819 bytes
->Java cache emptied: 50991261 bytes
->FireFox cache emptied: 36119426 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 70131284 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 520028 bytes
RecycleBin emptied: 748156414 bytes
Total Files Cleaned = 1477.39 mb
OTM by OldTimer - Version 3.1.1.0 log created on 11132009_231646

#21 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 13 November 2009 - 06:50 PM

Delete the ComboFix you have on your desktop, download a fresh copy and run it.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#22 VanDavies (Authentic Member, 36 posts)

Posted 13 November 2009 - 07:13 PM

OK, a lot of things just happened!! It went through to "Stage 50 completed" or something like that, then said "saving log". I can't seem to find the log now, though, to post on here. Any suggestions? Thanks

#23 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 13 November 2009 - 07:15 PM

The log should be located at C:\Combofixt.txt or C:\Qoobox\Combofix2.txt.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#24 VanDavies (Authentic Member, 36 posts)

Posted 13 November 2009 - 07:16 PM

OK, I think I found it:

ComboFix 09-11-14.01 - Keymar 14/11/2009 0:54:24..1 - FAT32x86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.894.453 [GMT 0:00]
Running from: C:\Users\Keymar\Desktop\ComboFix.exe
Command switches used :: C:\Users\Keymar\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\$RECYCLE.BIN\S-1-5-21-2365545147-1999384947-2466353664-500
C:\$RECYCLE.BIN\S-1-5-21-2393766080-3187394018-3383541026-500
C:\$RECYCLE.BIN\S-1-5-21-899496415-1834721142-2599837188-500
C:\ProgramData\91415146.ini
C:\ProgramData\CrucialSoft Ltd
C:\ProgramData\tuwezune\tuwezune.dll
C:\Users\Keymar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.lnk
C:\Users\Keymar\Desktop\Security Tool.lnk
C:\Windows\system32\AutoRun.inf
C:\Windows\system32\nsprs.dll
C:\Windows\system32\serauth1.dll
C:\Windows\system32\serauth2.dll
C:\Windows\system32\ssprs.dll
C:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

#25 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 13 November 2009 - 07:26 PM

Hi, that's a teeny tiny bit of the log... can you see if there is more of it and post the rest? Thanks.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#26 VanDavies (Authentic Member, 36 posts)

Posted 13 November 2009 - 07:28 PM

That's the whole lot, I'm afraid. There are other .txt files in the ComboFix folder though - want me to try these?

#27 VanDavies (Authentic Member, 36 posts)

Posted 13 November 2009 - 07:31 PM

The only text files in the ComboFix folder are: ComboFix.txt, mbr.txt, OsId.txt, pend.txt, Resident.txt, Version.txt

#28 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 13 November 2009 - 07:51 PM

If that was all there was to the ComboFix.txt, then I need you to please run it again - see if we can get a proper log.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#29 VanDavies (Authentic Member, 36 posts)

Posted 13 November 2009 - 08:03 PM

Hey!! I've just run my laptop in normal mode and Security Tool is gone!! Plus I can open up .exe files!! Thank you so much! My background is still black, however. What do you suggest?

#30 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 13 November 2009 - 08:15 PM

I need to see a ComboFix log... there is likely a lot more work to do yet... it seldom gets fixed in one pass.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
