
Unable to boot after Patched_c.Jee malware


  • This topic is locked
105 replies to this topic

#76 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 11 November 2010 - 12:10 AM

Hi Alantb,

Thanks

There was a problem with ComboFix; it's been corrected now. Delete the copy of ComboFix (renamed to jgh.exe) you have now and download a new one.

Please download ComboFix from Link 1 or Link 2.

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • During the download, before you download it, rename Combofix to jgh.exe

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.

Boot the infected computer to Safe Mode.

Transfer the renamed combofix to the infected computer's desktop and run it by double clicking on it.

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.



#77 Alantb (Authentic Member, 62 posts)

Posted 11 November 2010 - 06:57 AM

Hi Oldman - Herewith the log - I take it that's what you want.......... finally got it to run by pretending that I had the console installed and letting CF find it wasn't - if you see what I mean . . . . Raining like the Flood here, how you? Cheers, Alan

Attached Files


Edited by Alantb, 11 November 2010 - 07:01 AM.


#78 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 11 November 2010 - 11:40 AM

Hi Alantb,

No rain here.

We'll use SystemLook; you have it on the infected computer. It's located at C:\SystemLook.exe

On the clean computer

  • Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
  • Note the script starts with :

    :filefind
    * .exe
    Reader_sl.*
    avgtray.*
    NeroCheck.*
    realsched .*
    SSBkgdupdate.*
    PDVDServ.*
    Language.*
    jusched.*
    PicasaMediaDetector.*
    OpAgent.*
    Opware15.*
    Ereg.*
    TeaTimer.*
    enunum.exe
Save the notepad and transfer it to your infected computer.

On the infected computer
  • Open SystemLook
  • copy and paste the text from the notepad into the white field
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.

Please post the SystemLook log.

Thanks


#79 Alantb (Authentic Member, 62 posts)

Posted 12 November 2010 - 04:38 AM

Hi Oldman, :wavey: here you go, sorry about the delay. (How many hours are you after us? Might help if I know the best GMT time to post) - Cheers, Alan

SystemLook 04.09.10 by jpshortstuff
Log created at 10:28 on 12/11/2010 by Alan
Administrator - Elevation successful

========== filefind ==========

Searching for "* .exe"
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe --a---- 39792 bytes [01:04 15/10/2008] [01:04 15/10/2008] 392845E8D49B5F0E81AAC4D795000A8C
C:\Program Files\AVG\AVG9\avgtray .exe --a---- 2065760 bytes [13:51 21/07/2010] [13:51 21/07/2010] E9B04FD2921ACE22CA17FA7D5131F491
C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe --a---- 153136 bytes [15:57 01/03/2007] [15:57 01/03/2007] 8112D0DACAE746290FC87B3A980FA719
C:\Program Files\Common Files\Real\Update_OB\realsched .exe --a---- 185896 bytes [14:17 15/01/2009] [14:17 15/01/2009] 8F99A4B8C3B1E13CF00D57FCE61C030D
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe --a---- 210472 bytes [08:03 25/10/2006] [08:03 25/10/2006] 846965AE55A2662B1576C0F392DD1D6E
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe --a---- 56928 bytes [10:21 10/06/2008] [14:10 23/11/2006] 56F676060D70BA066459478824510BEA
C:\Program Files\CyberLink\PowerDVD\Language\Language .exe --a---- 54832 bytes [10:21 10/06/2008] [21:55 05/12/2006] 405D6C6C1D5D255CB4EF1BFD1CE305E8
C:\Program Files\Java\jre6\bin\jusched .exe --a---- 149280 bytes [11:20 02/08/2009] [04:23 25/07/2009] 90E0F7FDCAC66FB50C1CE1A1C7396642
C:\Program Files\Picasa2\PicasaMediaDetector .exe --a---- 443968 bytes [21:18 23/10/2007] [21:18 23/10/2007] 429C00E25AFA42015311C092E49BFD07
C:\Program Files\ScanSoft\OmniPage15\OpAgent .exe --a---- 943656 bytes [08:26 08/01/2007] [08:26 08/01/2007] B6D0669597FA01B29BA4229CFF920171
C:\Program Files\ScanSoft\OmniPage15\Opware15 .exe --a---- 79400 bytes [08:27 08/01/2007] [08:27 08/01/2007] 800763B7190986476242DA680CE23EEF
C:\Program Files\ScanSoft\OmniPage15\Ereg\Ereg .exe --a---- 255528 bytes [09:25 27/11/2006] [09:25 27/11/2006] AD951D5090D54B82859249768FA94168
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe -rahs-- 2260480 bytes [20:43 12/09/2010] [15:07 05/03/2009] 390679F7A217A5E73D756276C40AE887

Searching for "Reader_sl.*"
No files found.

Searching for "avgtray.*"
No files found.

Searching for "NeroCheck.*"
No files found.

Searching for "realsched .*"
C:\Program Files\Common Files\Real\Update_OB\realsched .exe --a---- 185896 bytes [14:17 15/01/2009] [14:17 15/01/2009] 8F99A4B8C3B1E13CF00D57FCE61C030D

Searching for "SSBkgdupdate.*"
C:\Documents and Settings\All Users\Application Data\ScanSoft\SSBkgdUpdate\SSBkgdUpdate.ini --a---- 0 bytes [14:32 04/10/2006] [14:32 04/10/2006] D41D8CD98F00B204E9800998ECF8427E

Searching for "PDVDServ.*"
No files found.

Searching for "Language.*"
C:\Program Files\CyberLink\PowerDVD\Language\Language.ini ------- 7284 bytes [10:22 10/06/2008] [11:12 30/11/2006] 6806B741564D0E6716819450D78E2CAD
C:\Program Files\Mozilla Firefox\res\language.properties --a--c- 5490 bytes [19:11 06/06/2008] [11:25 28/03/2010] 4CB0ADE6B7BC05D6B9989A07B6352E2D
C:\Program Files\Mozilla Thunderbird\res\language.properties --a---- 5528 bytes [13:57 13/09/2010] [20:44 25/08/2010] 417CBD69D28CC5D69DC8B36EE0F48043
C:\Program Files\TextBridge Pro 9.0\Bin\Language.ini --a--c- 17947 bytes [17:20 02/12/2008] [17:20 02/12/2008] F7F261EE99EC3CE1BCC2DBA7D4E9D8CB

Searching for "jusched.*"
No files found.

Searching for "PicasaMediaDetector.*"
No files found.

Searching for "OpAgent.*"
No files found.

Searching for "Opware15.*"
No files found.

Searching for "Ereg.*"
C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage15.0\Ereg\Ereg.ini --a---- 354 bytes [15:09 05/05/2010] [07:01 12/09/2010] 88B8BC0A24B8932BF42DC04B737A8B6C
C:\Program Files\ScanSoft\OmniPage15\Ereg\Ereg.ini --a---- 228 bytes [15:09 05/05/2010] [15:09 05/05/2010] 5582B0A2D5CFA957B5C85BCC54831517

Searching for "TeaTimer.*"
No files found.

Searching for "enunum.exe"
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\enunum.exe --a---- 156160 bytes [11:41 04/11/2010] [11:41 04/11/2010] 3D5D8AA6D19380921C7DA8EB1CCDFABF

-= EOF =-

#80 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 12 November 2010 - 10:59 PM

Hi Alantb,

If you have DST it would be GMT-7 otherwise it's GMT-8.

2 fixes to do. They must be done in the order posted. After these fixes please connect the computer to the internet and follow the rest of the instructions. Do not use this computer for anything else except for downloading tools and this thread. This includes email.

On the clean computer

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
  • Note the script starts with :

:Services

:Reg
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Gnecihutafuzaca"=-

:Files
c:\windows\system32\drivers\sst9.sys
c:\windows\system32\Spool\prtprocs\w32x86\sst8.tmp
c:\windows\system32\drivers\sst9.tmp
c:\temp\tidyup.exe
ipconfig /flushdns /c

:Commands
[emptytemp]
[createrestorepoint]
[Reboot]

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "fix2.txt"
  • Click save

Next, create this batch file.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad.
Do Not copy the word CODE

ren "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe" "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
ren "c:\program files\AVG\AVG9\avgtray .exe" "c:\program files\AVG\AVG9\avgtray.exe"
ren "c:\program files\Common Files\Ahead\Lib\NeroCheck .exe" "c:\program files\Common Files\Ahead\Lib\NeroCheck.exe"
ren "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\enunum.exe" "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\enunum.old"
ren "c:\program files\CyberLink\PowerDVD\Language\Language .exe" "c:\program files\CyberLink\PowerDVD\Language\Language.exe"
ren "c:\program files\Java\jre6\bin\jusched .exe" "c:\program files\Java\jre6\bin\jusched.exe"
ren "c:\program files\Picasa2\PicasaMediaDetector .exe" "c:\program files\Picasa2\PicasaMediaDetector.exe"
ren "c:\program files\ScanSoft\OmniPage15\OpAgent .exe" "c:\program files\ScanSoft\OmniPage15\OpAgent.exe"
ren "c:\program files\ScanSoft\OmniPage15\Opware15 .exe" "c:\program files\ScanSoft\OmniPage15\Opware15.exe"
ren "c:\program files\ScanSoft\OmniPage15\Ereg\Ereg .exe" "c:\program files\ScanSoft\OmniPage15\Ereg\Ereg .exe"
ren "c:\program files\Spybot - Search & Destroy\TeaTimer .exe" "c:\program files\Spybot - Search & Destroy\TeaTimer.exe"
ren "c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe" "c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
ren "c:\program files\CyberLink\PowerDVD\PDVDServ .exe" "c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "myfix.bat"
  • Click save

You will have a new file on your desktop called myfix.bat with an icon that looks like this: [bat.PNG]


Transfer both files, fix2.txt and myfix.bat, to your infected computer's desktop.


On the infected computer

Next, double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the contents of the notepad file, fix2.txt.

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the OTL fix log


Next

Double click myfix.bat to run it. A black window may briefly flash on your screen, that's normal.

Next

We need some file information
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\enunum.old

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Next
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • UNCheck the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open a notepad window, OTL.Txt. Please post its contents.

Please post back with
  • OTL fix log
  • Virscan results
  • OTL.txt
Thanks

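The SystemLook search above hunts for executables whose name has a space before the extension ("* .exe"), and the batch file renames them back; both steps are easy to get wrong by hand, as the rest of the thread shows. The script below is an added example for this thread, not SystemLook, OTL, ComboFix or the helper's own code. It parses SystemLook-style filefind hit lines, flags every file whose name carries a space before its extension (with the name it should have), flags anything that lives in the Default User Startup folder, and builds cmd.exe `ren` lines whose destination is a bare file name, the form that cmd accepts (it rejects a drive or path in the new name). The log text, paths, sizes, timestamps and MD5 values in it are constructed to mimic the tool's layout and are not from the original log; the Default User Startup check is this example's own heuristic.

```python
"""Triage SystemLook "filefind" output for the space-before-extension renaming trick.

Added example for this thread; not SystemLook, OTL, ComboFix or the helper's code.
"""
import re
from pathlib import PureWindowsPath

# One filefind hit: <path> <7-char attrs> <size> bytes [mtime] [ctime] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<attrs>[-rahsc]{7})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

# "name .exe": one or more spaces immediately before the extension
SPACE_BEFORE_EXT_RE = re.compile(r"^(?P<stem>.+?) +(?P<ext>\.[A-Za-z0-9]+)$")

# Constructed sample in SystemLook's layout (paths, sizes, stamps and hashes are made up).
SAMPLE_LOG = r"""SystemLook (constructed sample; layout mimics the tool's output)
========== filefind ==========
Searching for "* .exe"
C:\Program Files\ExampleVendor\tray .exe --a---- 2065760 bytes [13:51 21/07/2010] [13:51 21/07/2010] 0123456789ABCDEF0123456789ABCDEF
Searching for "helper.*"
C:\Program Files\ExampleVendor\helper.exe --a---- 40960 bytes [01:04 15/10/2008] [01:04 15/10/2008] FEDCBA9876543210FEDCBA9876543210
Searching for "example.exe"
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\example.exe --a---- 156160 bytes [11:41 04/11/2010] [11:41 04/11/2010] 00112233445566778899AABBCCDDEEFF
Searching for "missing.*"
No files found.
-= EOF =-
"""


def corrected_name(name):
    """Return the name with the space(s) before the extension removed, or None if clean."""
    m = SPACE_BEFORE_EXT_RE.match(name)
    return m.group("stem") + m.group("ext") if m else None


def in_default_user_startup(path):
    """True if the path sits under a 'Default User' ... 'Startup' folder (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "default user" in parts and "startup" in parts


def parse_filefind(log_text):
    """Extract the hit lines; 'Searching for' and 'No files found.' lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def triage(log_text):
    """Return one finding per suspicious hit, with the reasons it was flagged."""
    findings = []
    for hit in parse_filefind(log_text):
        name = PureWindowsPath(hit["path"]).name
        fixed = corrected_name(name)
        reasons = []
        if fixed:
            reasons.append(f"space before extension; expected name {fixed!r}")
        if in_default_user_startup(hit["path"]):
            reasons.append("runs from the Default User Startup folder")
        if reasons:
            findings.append({"path": hit["path"], "md5": hit["md5"],
                             "fixed_name": fixed, "reasons": reasons})
    return findings


def ren_commands(findings):
    """cmd.exe lines that restore the names; the new name must be bare, not a path."""
    return [f'ren "{item["path"]}" "{item["fixed_name"]}"'
            for item in findings if item["fixed_name"]]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for item in found:
        print(item["path"], "|", item["md5"], "|", "; ".join(item["reasons"]))
    print("\n".join(ren_commands(found)))
```

Run it against a real SystemLook log by reading the file into `triage()`; the MD5 in each finding is what you would submit to an online scanner, and the `ren` lines are safe to paste into a batch file because each destination is a file name only.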

#81 Alantb (Authentic Member, 62 posts)

Posted 16 November 2010 - 04:17 AM

Hi Oldman; The system couldn't find the file you wanted to scan (enunum.old) so I did a search but still couldn't find it.... Herewith the files: The log is as a txt file Cheers, Alan

Attached Files



#82 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 16 November 2010 - 06:26 AM

Hi Alantb,

Did you do this part of the instructions?

Next

Double click myfix.bat to run it. A black window may briefly flash on your screen, that's normal.



#83 Alantb (Authentic Member, 62 posts)

Posted 16 November 2010 - 09:54 AM

Hi Oldman - yes I did it all, but I'll go back and do it again, just in case I made a boob somewhere. Watch this space! I did try again. When OTL stopped it asked for a reboot "to finish removing files" - was this expected? Also after the reboot - there seemed no way to stop this - there was a system hang with a black screen but the pointer working. I powered off to clear this condition (only way) and the system came up as usual. Cheers, Alan

Edited by Alantb, 16 November 2010 - 10:18 AM.


#84 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 16 November 2010 - 08:46 PM

Hi Alantb,

The reboot was normal for OTL.

The myfix.bat didn't seem to do what it was supposed to. Can you attach the copy that you have on your desktop?


#85 Alantb (Authentic Member, 62 posts)

Posted 18 November 2010 - 08:58 AM

Hi Oldman :- here you go:-

ren "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe" "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
ren "c:\program files\AVG\AVG9\avgtray .exe" "c:\program files\AVG\AVG9\avgtray.exe"
ren "c:\program files\Common Files\Ahead\Lib\NeroCheck .exe" "c:\program files\Common Files\Ahead\Lib\NeroCheck.exe"
ren "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\enunum.exe" "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\enunum.old"
ren "c:\program files\CyberLink\PowerDVD\Language\Language .exe" "c:\program files\CyberLink\PowerDVD\Language\Language.exe"
ren "c:\program files\Java\jre6\bin\jusched .exe" "c:\program files\Java\jre6\bin\jusched.exe"
ren "c:\program files\Picasa2\PicasaMediaDetector .exe" "c:\program files\Picasa2\PicasaMediaDetector.exe"
ren "c:\program files\ScanSoft\OmniPage15\OpAgent .exe" "c:\program files\ScanSoft\OmniPage15\OpAgent.exe"
ren "c:\program files\ScanSoft\OmniPage15\Opware15 .exe" "c:\program files\ScanSoft\OmniPage15\Opware15.exe"
ren "c:\program files\ScanSoft\OmniPage15\Ereg\Ereg .exe" "c:\program files\ScanSoft\OmniPage15\Ereg\Ereg .exe"
ren "c:\program files\Spybot - Search & Destroy\TeaTimer .exe" "c:\program files\Spybot - Search & Destroy\TeaTimer.exe"
ren "c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe" "c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
ren "c:\program files\CyberLink\PowerDVD\PDVDServ .exe" "c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

That's it - I think that it's what you sent me . . . :unsure: Cheers, Alan



#86 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 18 November 2010 - 06:12 PM

Hi Alantb,

Yeah that's what I posted. :wall:

Let's do this again. I take it you are using the infected computer?

From your desktop please delete myfix.bat.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad.
Do Not copy the word CODE

ren "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe" "Reader_sl.exe"
ren "c:\program files\AVG\AVG9\avgtray .exe" "avgtray.exe"
ren "c:\program files\Common Files\Ahead\Lib\NeroCheck .exe" "NeroCheck.exe"
ren "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\enunum.exe" "enunum.old"
ren "c:\program files\CyberLink\PowerDVD\Language\Language .exe" "Language.exe"
ren "c:\program files\Java\jre6\bin\jusched .exe" "jusched.exe"
ren "c:\program files\Picasa2\PicasaMediaDetector .exe" "PicasaMediaDetector.exe"
ren "c:\program files\ScanSoft\OmniPage15\OpAgent .exe" "OpAgent.exe"
ren "c:\program files\ScanSoft\OmniPage15\Opware15 .exe" "Opware15.exe"
ren "c:\program files\ScanSoft\OmniPage15\Ereg\Ereg .exe" "Ereg.exe"
ren "c:\program files\Spybot - Search & Destroy\TeaTimer .exe" "TeaTimer.exe"
ren "c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe" "SSBkgdupdate.exe"
ren "c:\program files\CyberLink\PowerDVD\PDVDServ .exe" "PDVDServ.exe"

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "myfix1.bat"
  • Click save

You will have a new file on your desktop called myfix1.bat with an icon that looks like this: [bat.PNG]

Next

Double click myfix1.bat to run it. A black window may briefly flash on your screen, that's normal.

Next

We need some file information
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\enunum.old

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Next
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • UNCheck the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open a notepad window, OTL.Txt. Please post its contents.

Please post back with
  • Virscan results
  • OTL.txt
Thanks


#87 Alantb (Authentic Member, 62 posts)

Posted 19 November 2010 - 08:59 AM

Hi Oldman
I did as you asked, ran MyFix, and before I tried the upload into Virscan I looked for the "enunum" file and couldn't find it.
Also, while I was online I got a pornographic popup which I deleted. The popup got in of course because I've killed the malware prevention programs so that they don't interfere while this investigation is going on.
Now I have a file [86,989 bytes] with no suffix in the startup menu - called 'jlkprcla'. I'm sure this shouldn't be there but when I try to delete it the deletion is refused saying that it is in use by another program. I presume this is malware.
I've pulled the internet connection as a safeguard but it's looking as if we are back to square one.
I daren't close down the PC because I don't want this 'jlkprcla' thing to run - I've looked at the properties (which may not have been wise) and it then produced a shortcut to a DOS function - which I didn't like either. So I killed that. Then I looked at Windows PIF Settings and the 'Autoexec filename is " %SystemRoot%\SYSTEM32\ AUTOEXEC.NT" and the Config filename is "%SystemRoot%\SYSTEM32\CONFIG.NT"
Which is very suspicious. Incidentally I tried to run Virscan against THIS file and it was unable to upload it.

Your advice please! :(
Gloom and despondency setting in.
Cheers, Alan

Edited by Alantb, 19 November 2010 - 09:02 AM.


#88 Alantb (Authentic Member, 62 posts)

Posted 19 November 2010 - 05:07 PM

Hi Oldman; I rebooted in safe mode and deleted the jlkprcla file. Also a DOS application that it apparently created. Which may be an improvement. A search doesn't find it but of course if it is malware it could have replicated itself in some malicious fashion. Should I run combofix again? Or what? Cheers, Alan

#89 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 19 November 2010 - 07:06 PM

Hi Alantb,

Incidentally I tried to run Virscan against THIS file and it was unable to upload it.

What error message did you receive?

I wish you hadn't deleted the file; I would have liked to have a look at it, as it may have given clues as to what we are dealing with.

Please post the OTL scan log I asked for.

Thanks


#90 Alantb (Authentic Member, 62 posts)

Posted 20 November 2010 - 06:12 AM

Hi Oldman; Sorry about deleting that file, but it only appeared after I got this porno popup when I went online so I assumed that it was part of that. It certainly wasn't in the startup folder before then because I looked to see if the enunum file was there and the only files were ones for starting Lotus Smart Suite - which is normal. But; now I have more trouble. The pendrive that I used to transfer the files to the infected computer has itself become infected with a virus, fortunately picked up by AVG on the clean PC. The virus check left an exec file behind on the pendrive. I hesitate to say this but if you think it would be a good idea I might be able to send it to you - but personally I feel very nervous about this. The detected virus is in the 'virus vault'. I'm doing a complete scan of the clean machine to see if there is any more damage. More to follow. Cheers, Alan
